From c0917c8a4c36e21045de51ba5166f7c1ae9ed81dbb285bf2dbad9ebc9faf7e5f Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Wed, 4 Sep 2024 08:00:14 +0000
Subject: [PATCH] - fail2ban-fix-openssh98.patch: fix to work with openssh 9.8
 (bsc#1230101)

OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=120
---
 .gitattributes                               |   23 +
 .gitignore                                   |    1 +
 f2b-restart.conf                             |    5 +
 fail2ban-0.10.4-env-script-interpreter.patch |    9 +
 fail2ban-1.0.2.tar.gz                        |    3 +
 fail2ban-1.0.2.tar.gz.asc                    |   11 +
 fail2ban-disable-iptables-w-option.patch     |   14 +
 fail2ban-fix-openssh98.patch                 |   13 +
 fail2ban-opensuse-locations.patch            |   32 +
 fail2ban-opensuse-service-sfw.patch          |   14 +
 fail2ban-opensuse-service.patch              |   27 +
 fail2ban.changes                             | 1450 ++++++++++++++++++
 fail2ban.keyring                             |   29 +
 fail2ban.logrotate                           |   13 +
 fail2ban.spec                                |  351 +++++
 fail2ban.sysconfig                           |   10 +
 fail2ban.tmpfiles                            |    1 +
 harden_fail2ban.service.patch                |   23 +
 paths-opensuse.conf                          |   50 +
 sfw-fail2ban.conf                            |    7 +
 20 files changed, 2086 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 f2b-restart.conf
 create mode 100644 fail2ban-0.10.4-env-script-interpreter.patch
 create mode 100644 fail2ban-1.0.2.tar.gz
 create mode 100644 fail2ban-1.0.2.tar.gz.asc
 create mode 100644 fail2ban-disable-iptables-w-option.patch
 create mode 100644 fail2ban-fix-openssh98.patch
 create mode 100644 fail2ban-opensuse-locations.patch
 create mode 100644 fail2ban-opensuse-service-sfw.patch
 create mode 100644 fail2ban-opensuse-service.patch
 create mode 100644 fail2ban.changes
 create mode 100644 fail2ban.keyring
 create mode 100644 fail2ban.logrotate
 create mode 100644 fail2ban.spec
 create mode 100644 fail2ban.sysconfig
 create mode 100644 fail2ban.tmpfiles
 create mode 100644 harden_fail2ban.service.patch
 create mode 100644 paths-opensuse.conf
 create mode 100644 sfw-fail2ban.conf

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/f2b-restart.conf b/f2b-restart.conf
new file mode 100644
index 0000000..5b1b2e0
--- /dev/null
+++ b/f2b-restart.conf
@@ -0,0 +1,5 @@
+# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
+# restarted, which is what this drop-in file does.
+
+[Unit]
+PartOf=SuSEfirewall2.service
diff --git a/fail2ban-0.10.4-env-script-interpreter.patch b/fail2ban-0.10.4-env-script-interpreter.patch
new file mode 100644
index 0000000..4dc43fe
--- /dev/null
+++ b/fail2ban-0.10.4-env-script-interpreter.patch
@@ -0,0 +1,9 @@
+diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
+--- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot	2018-10-04 11:26:22.000000000 +0200
++++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot	2019-08-12 10:46:05.067842214 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env fail2ban-python
++#!/usr/bin/fail2ban-python
+ # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
+ #
+ # Written in Python to reuse built-in Python batteries and not depend on
diff --git a/fail2ban-1.0.2.tar.gz b/fail2ban-1.0.2.tar.gz
new file mode 100644
index 0000000..2644181
--- /dev/null
+++ b/fail2ban-1.0.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ae8b0b41f27a7be12d40488789d6c258029b23a01168e3c0d347ee80b325ac23
+size 583295
diff --git a/fail2ban-1.0.2.tar.gz.asc b/fail2ban-1.0.2.tar.gz.asc
new file mode 100644
index 0000000..d2165cb
--- /dev/null
+++ b/fail2ban-1.0.2.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmNr0KgACgkQaDvxvr0K
+iCyG4Af/eP5ZQvTiGjo/f1oOuBH8wOo7ARlFOcQIbdhXy10vk3bqDjYHVWzXh12Q
+EdfyJVMXFI3XnDQkdXulOjnhX6YK3qYruudl0oDE7jyIWbHETFUpY7y00uxjTD+A
+aBk4XqBym67BtBR/5dfnhXOBYZ9EXcbopvEQXq1Lm4jRSurSQCiVpMY44psW60Rb
+dt1fdIg/GTjhsYNWO2L6DCObV1qdJcdk8Zw7rvk9aHe7iZ+PZW7htG8erTzzV9LV
+Lq6Bcwz6tEFInTvDBZXIhBimYrquWp97qwEC3d1cNbv9pjN69czgLtRaq5EiVu4R
+e8+y9LLToHFjKeji436S6985hBQnEA==
+=jGOy
+-----END PGP SIGNATURE-----
diff --git a/fail2ban-disable-iptables-w-option.patch b/fail2ban-disable-iptables-w-option.patch
new file mode 100644
index 0000000..19c65d5
--- /dev/null
+++ b/fail2ban-disable-iptables-w-option.patch
@@ -0,0 +1,14 @@
+--- fail2ban-1.0.1/config/action.d/iptables.conf.orig	2022-10-12 11:35:25.789327341 +0200
++++ fail2ban-1.0.1/config/action.d/iptables.conf	2022-10-12 11:35:40.585449861 +0200
+@@ -138,8 +138,10 @@
+ #          running concurrently and causing irratic behavior.  -w was introduced
+ #          in iptables 1.4.20, so might be absent on older systems
+ #          See https://github.com/fail2ban/fail2ban/issues/1122
++#          The default option "-w" can be used for openSUSE versions 13.2+ and
++#          for updated versions of openSUSE 13.1; SLE 12 supports this option.
+ # Values:  STRING
+-lockingopt = -w
++lockingopt =
+ 
+ # Option:  iptables
+ # Notes.:  Actual command to be executed, including common to all calls options
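Review bot: Setting `lockingopt =` to empty removes the xtables lock wait on every target, although the two comment lines added just above say `-w` works on openSUSE 13.2+ and SLE 12. Without `-w`, an iptables call from a ban action can fail instead of waiting while another process holds the lock, and that ban is then not installed. The spec file is not visible here; unless it already applies this patch only on targets whose iptables predates 1.4.20, I would restrict it that way. At minimum the comment should say why the value is empty, e.g. `# Emptied for targets whose iptables lacks -w; set "lockingopt = -w" in a .local file where it is supported.`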
diff --git a/fail2ban-fix-openssh98.patch b/fail2ban-fix-openssh98.patch
new file mode 100644
index 0000000..e09353e
--- /dev/null
+++ b/fail2ban-fix-openssh98.patch
@@ -0,0 +1,13 @@
+Index: fail2ban-1.0.2/config/filter.d/sshd.conf
+===================================================================
+--- fail2ban-1.0.2.orig/config/filter.d/sshd.conf
++++ fail2ban-1.0.2/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
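Review bot: The new `_daemon = sshd(?:-session)?` only widens the syslog-prefix match, so jails that read from the systemd journal may still miss OpenSSH 9.8 login failures. The filter's `journalmatch` line lies outside this hunk; if it still selects on `_COMM=sshd`, entries logged by the `sshd-session` process never reach the filter and no ban is issued. I would check that line in the 1.0.2 `sshd.conf` and, if needed, extend it along the lines of `journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session`.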
diff --git a/fail2ban-opensuse-locations.patch b/fail2ban-opensuse-locations.patch
new file mode 100644
index 0000000..e0dfbd6
--- /dev/null
+++ b/fail2ban-opensuse-locations.patch
@@ -0,0 +1,32 @@
+Index: fail2ban-1.0.1/config/jail.conf
+===================================================================
+--- fail2ban-1.0.1.orig/config/jail.conf
++++ fail2ban-1.0.1/config/jail.conf
+@@ -731,7 +731,7 @@ backend = %(syslog_backend)s
+ # filter   = named-refused
+ # port     = domain,953
+ # protocol = udp
+-# logpath  = /var/log/named/security.log
++# logpath  = /var/lib/named/log/security.log
+ 
+ # IMPORTANT: see filter.d/named-refused for instructions to enable logging
+ # This jail blocks TCP traffic for DNS requests.
+@@ -739,7 +739,7 @@ backend = %(syslog_backend)s
+ [named-refused]
+ 
+ port     = domain,953
+-logpath  = /var/log/named/security.log
++logpath  = /var/lib/named/log/security.log
+ 
+ 
+ [nsd]
+Index: fail2ban-1.0.1/config/paths-common.conf
+===================================================================
+--- fail2ban-1.0.1.orig/config/paths-common.conf
++++ fail2ban-1.0.1/config/paths-common.conf
+@@ -90,4 +90,4 @@ solidpop3d_log = %(syslog_local0)s
+ mysql_log = %(syslog_daemon)s
+ mysql_backend = %(default_backend)s
+ 
+-roundcube_errors_log = /var/log/roundcube/errors
++roundcube_errors_log = /srv/www/roundcubemail/logs/errors
diff --git a/fail2ban-opensuse-service-sfw.patch b/fail2ban-opensuse-service-sfw.patch
new file mode 100644
index 0000000..ac90524
--- /dev/null
+++ b/fail2ban-opensuse-service-sfw.patch
@@ -0,0 +1,14 @@
+diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
+--- fail2ban-0.10.4-orig/files/fail2ban.service.in	2019-08-12 11:27:18.175106400 +0200
++++ fail2ban-0.10.4/files/fail2ban.service.in	2019-08-12 11:28:42.045116215 +0200
+@@ -1,8 +1,8 @@
+ [Unit]
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
++After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
++PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+ 
+ [Service]
+ Type=simple
diff --git a/fail2ban-opensuse-service.patch b/fail2ban-opensuse-service.patch
new file mode 100644
index 0000000..089d45f
--- /dev/null
+++ b/fail2ban-opensuse-service.patch
@@ -0,0 +1,27 @@
+diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in
+--- fail2ban-0.11.2-orig/files/fail2ban.service.in	2020-11-23 21:43:03.000000000 +0100
++++ fail2ban-0.11.2/files/fail2ban.service.in	2020-12-05 18:22:01.503018894 +0100
+@@ -2,17 +2,18 @@
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+ After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
++PartOf=firewalld.service
+ 
+ [Service]
+ Type=simple
++EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
+-ExecStart=@BINDIR@/fail2ban-server -xf start
++ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
+-ExecStop=@BINDIR@/fail2ban-client stop
+-ExecReload=@BINDIR@/fail2ban-client reload
++# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
++ExecStop=/usr/bin/fail2ban-client stop
++ExecReload=/usr/bin/fail2ban-client reload
+ PIDFile=/run/fail2ban/fail2ban.pid
+ Restart=on-failure
+ RestartPreventExitStatus=0 255
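Review bot: `$FAIL2BAN_OPTIONS` in the new `ExecStart=` line is filled from `/etc/sysconfig/fail2ban`, but nothing in the unit documents what that file may contain. systemd splits the unbraced `$VAR` form on whitespace, so the value becomes extra arguments to the server, which presumably runs as root since no `User=` is visible in the hunk. The leading `-` on `EnvironmentFile=` also means a missing file is ignored silently. I would add a comment above the line, for example `# FAIL2BAN_OPTIONS comes from /etc/sysconfig/fail2ban (keep it writable by root only); it is split on whitespace into server arguments`. The `[Unit]` header and the rest of `[Service]` lie outside this hunk.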
diff --git a/fail2ban.changes b/fail2ban.changes
new file mode 100644
index 0000000..6f0e5a2
--- /dev/null
+++ b/fail2ban.changes
@@ -0,0 +1,1450 @@
+-------------------------------------------------------------------
+Wed Sep  4 07:54:06 UTC 2024 - Marcus Meissner <meissner@suse.com>
+
+- fail2ban-fix-openssh98.patch: fix to work with openssh 9.8 (bsc#1230101)
+
+-------------------------------------------------------------------
+Mon Feb 26 08:17:28 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use %patch -P N instead of deprecated %patchN.
+
+-------------------------------------------------------------------
+Mon Jun  5 16:36:47 UTC 2023 - Lars Vogdt <lars@linux-schulserver.de>
+
+- use nagios-rpm-macros to define the libexecdir for SUSE distributions
+  correctly (defaut here is /usr/lib/nagios/plugins)
+- move conditional for %%pre scripts, to avoid any dependency or other 
+  stuff getting in the way on old distributions
+
+-------------------------------------------------------------------
+Sun Dec  4 21:07:21 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.0.2:
+  * Update of major version of fail2ban with primary target to fix a
+    dovecot-filter regression #3370.
+  * See the ChangeLog for more information.
+
+-------------------------------------------------------------------
+Wed Oct 12 08:11:52 UTC 2022 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 1.0.1:
+  * https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog
+- Remove fail2ban-0.11.2-upstream-patch-python-3.9.patch.
+- Remove fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch.
+- Remove fail2ban-rpmlintrc since it's no longer needed.
+- Add fail2ban.keyring.
+
+-------------------------------------------------------------------
+Sat Jan 22 11:17:48 UTC 2022 - Arjen de Korte <suse+build@de-korte.org>
+
+- Fail2ban can't be PartOf ipset.service and nftables.service that
+  conflict with firewalld.service (as it will prevent restarting the
+  latter and which are not provided anymore)
+  * fail2ban-opensuse-service.patch
+  * harden_fail2ban.service.patch
+
+-------------------------------------------------------------------
+Wed Jan 19 13:05:44 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- add python-rpm-macros buildrequires (bsc#1194752)
+
+-------------------------------------------------------------------
+Fri Nov 12 10:49:20 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow 
+  fail2ban run under under python 3.9+
+
+- Shifted the order of the patches
+
+-------------------------------------------------------------------
+Tue Sep 14 07:47:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_fail2ban.service.patch
+
+-------------------------------------------------------------------
+Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch 
+  to fixs CVE-2021-32749 - bnc#1188610 to prevent a command injection via mail comand
+
+-------------------------------------------------------------------
+Sat Dec  5 17:25:17 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Integrate change to resolve bnc#1146856 and bnc#1180738
+
+-------------------------------------------------------------------
+Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Update to 0.11.2
+  increased stability, filter and action updates
+  
+- New Features and Enhancements
+  * fail2ban-regex:
+    - speedup formatted output (bypass unneeded stats creation)
+    - extended with prefregex statistic
+    - more informative output for `datepattern` (e. g. set from filter) - pattern : description
+  * parsing of action in jail-configs considers space between action-names as separator also
+  (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b`
+  * new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689)
+  * new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855)
+  * new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723)
+  * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured 
+    (gh#fail2ban/fail2ban#2631)
+  * `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778)
+  * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
+  * datetemplate: improved anchor detection for capturing groups `(^...)`;
+  * datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc)
+  as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814):
+    - filter gets mode in-operation, which gets activated if filter starts processing of new messages;
+      in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
+      from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected 
+      bypass of failure (previously exceeding `findtime`);
+    - better interaction with non-matching optional datepattern or invalid timestamps;
+    - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
+    whereas filter will use now as timestamp (gh#fail2ban/fail2ban#2802)
+  * performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template);
+  * fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh#fail2ban/fail2ban#2791;
+  * extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag
+    prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of `<F-TUPLE_V?_n?>` tags (gh#fail2ban/fail2ban#2755)
+
+- Fixes
+  * [stability] prevent race condition - no ban if filter (backend) is continuously busy if
+    too many messages will be found in log, e. g. initial scan of large log-file or journal (gh#fail2ban/fail2ban#2660)
+  * pyinotify-backend sporadically avoided initial scanning of log-file by start
+  * python 3.9 compatibility (and Travis CI support)
+  * restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
+  * manual ban is written to database, so can be restored by restart (gh#fail2ban/fail2ban#2647)
+  * `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
+  * no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
+    per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357
+  * ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686)
+  * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), 
+    so would bother the action interpolation
+  * fixed type conversion in config readers (take place after all interpolations get ready), that allows to 
+    specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
+  * `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
+    between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703)
+  * `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing
+   with `jq`, gh#fail2ban/fail2ban#2140, gh#fail2ban/fail2ban#2656)
+  * `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2763)
+  * `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2821)
+  * `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836)
+  * `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
+    should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650)
+  * `filter.d/dovecot.conf`: 
+    - add managesieve and submission support (gh#fail2ban/fail2ban#2795);
+    - accept messages with more verbose logging (gh#fail2ban/fail2ban#2573);
+  * `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697)
+  * `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle 
+    the match of username differently (gh#fail2ban/fail2ban#2693):
+    - `normal`: matches 401 with supplied username only
+    - `ddos`: matches 401 without supplied username only
+    - `aggressive`: matches 401 and any variant (with and without username)
+  * `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749)
+  
+- Rebased patches
+- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch
+
+-------------------------------------------------------------------
+Wed Aug 19 09:04:12 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use %{_tmpfilesdir} consistently throughout the .spec.
+
+-------------------------------------------------------------------
+Thu May 21 07:49:38 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 0.11.1:
+  * Increment ban time (+ observer) functionality introduced.
+  * Database functionality extended with bad ips.
+  * New tags (usable in actions):
+    - `<bancount>` - ban count of this offender if known as bad
+      (started by 1 for unknown)
+    - `<bantime>` - current ban-time of the ticket
+      (prolongation can be retarded up to 10 sec.)
+  * Introduced new action command `actionprolong` to prolong ban-time
+    (e. g. set new timeout if expected);
+  * algorithm of restore current bans after restart changed:
+    update the restored ban-time (and therefore 
+    end of ban) of the ticket with ban-time of jail (as maximum),
+    for all tickets with ban-time greater (or persistent)
+  * added new setup-option `--without-tests` to skip building
+    and installing of tests files (gh-2287).
+  * added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?`
+    to get the banned ip addresses (gh-1916).
+  * purge database will be executed now (within observer).
+   restoring currently banned ip after service restart fixed
+    (now < timeofban + bantime), ignore old log failures (already banned)
+  * upgrade database: update new created table `bips` with entries
+    from table `bans` (allows restore current bans after
+    upgrade from version <= 0.10)
+
+-------------------------------------------------------------------
+Thu Jan  9 14:06:14 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Switch to use python3 (upstream supported):
+  + BuildRequire python3-tools instead of python-devel (for the
+    2to3 tool).
+  + Drop the python-gamin dependency.
+  + Replace all python-FOO deps for their python3-FOO counterpart.
+
+-------------------------------------------------------------------
+Mon Aug 12 09:10:37 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpretor
+- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2
+  will be removed from Factory (see sr#713247):
+  * fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service
+  * fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for
+    older distributions
+  * Removed installation recommendation of the fail2ban-SuSEfirewall2
+    package for all distributions as it is deprecated.
+- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file
+  location (boo#1145181, gh#fail2ban/fail2ban#2474)
+
+-------------------------------------------------------------------
+Tue Jun 11 12:42:54 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
+  shortcut the build queues by allowing usage of systemd-mini
+
+-------------------------------------------------------------------
+Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de
+
+- ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four
+  * https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog
+
+- Fixes
+  * `filter.d/dovecot.conf`: 
+    - failregex enhancement to catch sql password mismatch errors (gh-2153);
+    - disconnected with "proxy dest auth failed" (gh-2184);
+  * `filter.d/freeswitch.conf`:
+    - provide compatibility for log-format from gh-2193:
+      * extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
+        `YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
+      * more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
+    - extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
+      (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
+      how to set it to mode `normal`.
+  * `filter.d/domino-smtp.conf`:
+    - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
+    - failregex extended to catch connections rejected for policy reasons (gh-2228);
+  * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected 
+    and don't allowed in command-actions), see gh-2114;
+  * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
+    - fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
+      `UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors;
+    - actions: avoid possible conversion errors on wrong-chars by replace tags;
+    - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
+      additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
+    - logging in fail2ban is process-wide exception-safe now.
+  * repaired start-time of initial seek to time (as well as other log-parsing related data), 
+    if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
+  * systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
+
+- New Features
+  * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`, 
+    `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
+  * `ignorecommand` extended to use actions-similar replacement (capable to interpolate 
+    all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)
+
+- Enhancements
+  * `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
+  * since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
+    additionally option `-V` can be used to get version in normalized machine-readable short format.
+
+- rebase patches
+  * fail2ban-opensuse-locations.patch
+  * fail2ban-opensuse-service.patch
+- add signature file
+
+-------------------------------------------------------------------
+Sat Apr 21 06:02:12 UTC 2018 - jweberhofer@weberhofer.at
+
+- Updated to version 0.10.3.1. Changelog:
+  https://github.com/fail2ban/fail2ban/blob/0.10.3.1/ChangeLog
+
+  * fixed JSON serialization for the set-object within dump into database (gh-2103).
+
+- Updated to version 0.10.3. Changelog:
+  https://github.com/fail2ban/fail2ban/blob/0.10.3/ChangeLog
+
+- Fixes
+  * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
+  * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
+  * `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;
+  * `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
+    - fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064);
+  * `filter.d/sshd.conf`:
+    - failregex got an optional space in order to match new log-format (see gh-2061);
+    - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
+    - fixed root login refused regex (optional port before preauth, gh-2080);
+    - avoid banning of legitimate users when pam_unix used in combination with other password method, so
+      bypass pam_unix failures if accepted available for this user gh-2070;
+    - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
+    - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
+      it counts failure on closing connection within preauth-stage (gh-2085);
+  * `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
+  * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
+  * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
+  * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
+
+- New Features
+  * several stability and performance optimizations, more effective filter parsing, etc;
+  * stable runnable within python versions 3.6 (as well as within 3.7-dev);
+
+- Enhancements
+  * `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
+  * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
+  * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
+  * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
+    the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line,
+    e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line.
+  * badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
+  * add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
+  * Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG):
+    Usage `logtarget = target[padding=on|off]`
+
+-------------------------------------------------------------------
+Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at
+
+- Updated to version 0.10.2. Changelog:
+  https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
+
+- rebased patch
+
+- Incompatibility list (compared to v.0.9):
+  * Filter (or `failregex`) internal capture-groups:
+    - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
+      rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
+      (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
+      Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
+      testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
+      fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
+    - New internal groups (currently reserved for internal usage):
+      `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
+      mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
+  * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
+    user configurations resp. `datepattern`.
+  * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
+    IPv6-capable now.
+
+- Incompatibility:
+  * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
+    anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
+    just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. 
+
+- Fixes
+  * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid 
+    write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
+  * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
+  * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely 
+    (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
+  * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
+    in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
+  * `action.d/pf.conf`: 
+    - fixed syntax error in achnor definition (documentation, see gh-1919);
+    - enclose ports in braces for multiport jails (see gh-1925);
+  * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
+  * `filter.d/sshd.conf`:
+    - extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
+      forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", 
+      see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
+    - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
+
+- New Features
+  * datedetector: extended default date-patterns (allows extra space between the date and time stamps);
+    introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
+    - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
+      (corresponds %H, but allows space if not zero-padded).
+    - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
+      (corresponds %I, but allows space if not zero-padded).
+  * `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
+
+- New Actions:
+  * `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
+     nginx-location with map-file);
+
+  - Enhancements
+    * jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
+    * action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
+    * Introduced new parameters for logging within fail2ban-server (gh-1980).
+      Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
+      - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
+        for the list of facilities);
+      - `datetime` - add date-time to the message (default on, ignored if `format` specified);
+      - `format` - specify own format how it will be logged, for example for short-log into STDOUT:
+        `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
+    * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 
+     'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
+      if repair fails - recreate new database (gh-1465, gh-2004).
+
+-------------------------------------------------------------------
+Thu Nov 23 13:44:10 UTC 2017 - rbrown@suse.com
+
+- Replace references to /var/adm/fillup-templates with new 
+  %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Sat Oct 21 04:43:44 UTC 2017 - jweberhofer@weberhofer.at
+
+- Updated to version 0.10.1. Changelog:
+  https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog
+
+- Removed 607568f.patch and 1783.patch
+
+- New features: 
+  * IPv6 support
+    - IP addresses are now handled as objects rather than strings capable for 
+      handling both address types IPv4 and IPv6
+    - iptables related actions have been amended to support IPv6 specific actions
+      additionally
+    - hostsdeny and route actions have been tested to be aware of v4 and v6 already
+    - pf action for *BSD systems has been improved and supports now also v4 and v6
+    - name resolution is now working for either address type
+    - new conditional section functionality used in config resp. includes:
+      - [Init?family=inet4] - IPv4 qualified hosts only
+      - [Init?family=inet6] - IPv6 qualified hosts only
+  * Reporting via abuseipdb.com
+    - Bans can now be reported to abuseipdb
+    - Catagories must be set in the config
+    - Relevant log lines included in report
+  * Several commands extended and new commands introduced
+  * Implemented execution of `actionstart` on demand
+  * nftables actions are IPv6-capable now
+  * Introduced new filter option `prefregex` for pre-filtering using single regular expression
+  * Many times faster because of several optimizations
+  * Several filters optimized
+  * Introduced new jail option "ignoreself"
+
+
+- Lots of fixes and internal improvements
+
+- Incompatibitilities:
+  * Filter (or `failregex`) internal capture-groups:
+  - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
+    rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
+    (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
+
+    Of course you can always your own capture-group (like below `_cond_ip_`) to do this.
+    ```
+    testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
+    fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
+    ```
+  - New internal groups (currently reserved for internal usage):
+    `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
+    mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
+
+  * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
+  user configurations resp. `datepattern`.
+
+  * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
+  IPv6-capable now.
+
+-------------------------------------------------------------------
+Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at
+
+- added 1783.patch from upstream: "Updated roundcube authentication filter"
+- use tmpfiles_create macro
+
+-------------------------------------------------------------------
+Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at
+
+- added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP"
+  this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no 
+  action as a result"
+
+- Update to 0.9.7
+  * Fixed a systemd-journal handling in fail2ban-regex 
+    (gh#fail2ban/fail2ban#1657)
+  * filter.d/sshd.conf
+    - Fixed non-anchored part of failregex (misleading match of colon inside
+      IPv6 address instead of `: ` in the reason-part by missing space, 
+      gh#fail2ban/fail2ban#1658)
+      (0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
+  * config/pathes-freebsd.conf
+    - Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
+  * filter.d/exim.conf
+    - optional part `(...)` after host-name before `[IP]` 
+      (gh#fail2ban/fail2ban#1751)
+    - new reason "Unrouteable address" for "rejected RCPT" regex 
+      (gh#fail2ban/fail2ban#1762)
+    - match of complex time like `D=2m42s` in regex "no MAIL in SMTP 
+      connection" (gh#fail2ban/fail2ban#1766)
+  * filter.d/sshd.conf
+    - new aggressive rules (gh#fail2ban/fail2ban#864):
+      - Connection reset by peer (multi-line rule during authorization process)
+      - No supported authentication methods available
+    - single line and multi-line expression optimized, added optional prefixes
+      and suffix (logged from several ssh versions), according 
+      to gh#fail2ban/fail2ban#1206;
+    - fixed expression received disconnect auth fail (optional space after port
+      part, gh#fail2ban/fail2ban#1652)
+      and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206;
+  * filter.d/suhosin.conf
+    - greedy catch-all before `<HOST>` fixed (potential vulnerability)
+  * filter.d/cyrus-imap.conf
+    - accept entries without login-info resp. hostname before IP address (#fail2ban/fail2ban#707)
+  * Filter tests extended with check of all config-regexp, that contains greedy catch-all
+    before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`
+
+* New Actions:
+  - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh#fail2ban/fail2ban#1663)
+
+* New Filters:
+  - filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603)
+
+* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
+
+-------------------------------------------------------------------
+Sun Mar  5 12:56:10 UTC 2017 - wagner-thomas@gmx.at
+
+- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban 
+
+-------------------------------------------------------------------
+Thu Jan 26 23:16:49 UTC 2017 - chris@computersalat.de
+
+- Update to 0.9.6 (2016/12/10)
+
+### Fixes
+* Misleading add resp. enable of (already available) jail in database, that
+  induced a subsequent error: last position of log file will be never retrieved (gh-795)
+* Fixed a distribution related bug within testReadStockJailConfForceEnabled
+  (e.g. test-cases faults on Fedora, see gh-1353)
+* Fixed pythonic filters and test scripts (running via wrong python version,
+  uses "fail2ban-python" now);
+* Fixed test case "testSetupInstallRoot" for not default python version (also
+  using direct call, out of virtualenv);
+* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
+* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
+* Monit config: scripting is not supported in path (gh-1556)
+* `filter.d/apache-modsecurity.conf`
+    - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
+      replaced for safer match, unneeded catch-all anchoring removed, non-capturing
+* `filter.d/asterisk.conf`
+    - Fixed to match different asterisk log prefix (source file: method:)
+* `filter.d/dovecot.conf`
+    - Fixed failregex ignores failures through some not relevant info (gh-1623)
+* `filter.d/ignorecommands/apache-fakegooglebot`
+    - Fixed error within apache-fakegooglebot, that will be called
+      with wrong python version (gh-1506)
+* `filter.d/assp.conf`
+    - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
+* `filter.d/postfix-sasl.conf`
+    - Allow for having no trailing space after 'failed:' (gh-1497)
+* `filter.d/vsftpd.conf`
+    - Optional reason part in message after FAIL LOGIN (gh-1543)
+* `filter.d/sendmail-reject.conf`
+    - removed mandatory double space (if dns-host available, gh-1579)
+* filter.d/sshd.conf
+    - recognized "Failed publickey for" (gh-1477);
+    - optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
+    - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
+    - optional port part after host (see gh-1533, gh-1581)
+
+### New Features
+* New Actions:
+    - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
+* New Filters:
+    - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
+      (gh-1586, gh-1606 and gh-1607)
+
+### Enhancements
+* DateTemplate regexp extended with the word-end boundary, additionally to
+  word-start boundary
+* Introduces new command "fail2ban-python", as automatically created symlink to
+  python executable, where fail2ban currently installed (resp. its modules are located):
+    - allows to use the same version, fail2ban currently running, e.g. in
+      external scripts just via replace python with fail2ban-python:
+      ```diff
+      -#!/usr/bin/env python
+      +#!/usr/bin/env fail2ban-python
+      ```
+    - always the same pickle protocol
+    - the same (and also guaranteed available) fail2ban modules
+    - simplified stand-alone install, resp. stand-alone installation possibility
+      via setup (like gh-1487) is getting closer
+* Several test cases rewritten using new methods assertIn, assertNotIn
+* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
+  Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
+  are test covered now
+* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
+  examples:
+    - `backend = systemd[journalpath=/run/log/journal/machine-1]`
+    - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
+    - `backend = systemd[journalflags=2]`
+
+- rebase fail2ban-opensuse-locations.patch, fail2ban-opensuse-service.patch
+
+-------------------------------------------------------------------
+Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
+
+- Update to version 0.9.5
+
+  New Features
+    * New Actions: action.d/firewallcmd-rich-rules and 
+      action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367)
+    * New filter: slapd - ban hosts, that were failed to connect with invalid
+      credentials: error code 49 (gh#fail2ban/fail2ban#1478)
+
+  Enhancements
+    * Extreme speedup of all sqlite database operations
+        (gh#fail2ban/fail2ban#1436), by using of following sqlite options:
+      - (synchronous = OFF) write data through OS without syncing
+      - (journal_mode = MEMORY) use memory for the transaction logging
+      - (temp_store = MEMORY) temporary tables and indices are kept in memory
+    * journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362)
+    * Added additional regex filter for dovecot ldap authentication 
+      failures (gh#fail2ban/fail2ban#1370)
+    * filter.d/exim*conf
+      - Added additional regexes (gh#fail2ban/fail2ban#1371)
+      - Made port entry optional
+
+  Fixes
+  * filter.d/monit.conf
+    - Extended failregex with new monit "access denied" version
+      (gh#fail2ban/fail2ban#1355)
+    - failregex of previous monit version merged as single expression
+  * filter.d/postfix.conf, filter.d/postfix-sasl.conf
+    - Extended failregex daemon part, matching also postfix/smtps/smtpd now
+      (gh#fail2ban/fail2ban#1391)
+
+  * Fixed a grave bug within tags substitutions because of incorrect detection
+    of recursion in case of multiple inline substitutions of the same tag
+    (affected actions: bsd-ipfw, etc). Now tracks the actual list of the
+    already substituted tags (per tag instead of single list)
+
+  * filter.d/common.conf
+    - Unexpected extra regex-space in generic __prefix_line
+     (gh#fail2ban/fail2ban#1405)
+    - All optional spaces normalized in common.conf, test covered now
+    - Generic __prefix_line extended with optional brackets for the date ambit
+      (gh#fail2ban/fail2ban#1421), added new parameter __date_ambit 
+
+  * gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon,
+    not argument of fail2ban (see gh#fail2ban/fail2ban#1434)
+
+  * filter.d/asterisk.conf
+    - Fixed security log support for PJSIP and Asterisk 13+
+      (gh#fail2ban/fail2ban#1456)
+    - Improved log support for PJSIP and Asterisk 13+ with different callID
+      (gh#fail2ban/fail2ban#1458)
+
+-------------------------------------------------------------------
+Thu Mar 10 14:09:51 UTC 2016 - jweberhofer@weberhofer.at
+
+- Mark /etc/fail2ban/fail2ban.conf as noreplace.
+
+-------------------------------------------------------------------
+Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
+
+- Removed patch: fail2ban-exclude-dev-log-tests.patch
+- Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+- rebased other patches
+- Defined services which per default uses systemd logger
+- Provide /usr/sbin/rcfail2ban also on systemd based distros
+
+- All files in /etc/fail2ban/ except jail.local are now automatically replaced
+  upon installation of fail2ban
+
+- The update to this versions allow to close boo#917818, as the logger-backends for
+  several services are now centrally set in /etc/fail2ban/paths-opensuse.conf
+
+- Update to version 0.9.4
+  New Features:
+   * New interpolation feature for definition config readers - `<known/parameter>`
+     (means last known init definition of filters or actions with name `parameter`).
+     This interpolation makes possible to extend a parameters of stock filter or 
+     action directly in jail inside jail.local file, without creating a separately
+     filter.d/*.local file.
+     As extension to interpolation `%(known/parameter)s`, that does not works for
+     filter and action init parameters
+   * New actions:
+     - nftables-multiport and nftables-allports - filtering using nftables
+       framework. Note: it requires a pre-existing chain for the filtering rule.
+   * New filters:
+     - openhab - domotic software authentication failure with the
+       rest api and web interface (gh-1223)
+     - nginx-limit-req - ban hosts, that were failed through nginx by limit
+       request processing rate (ngx_http_limit_req_module)
+     - murmur - ban hosts that repeatedly attempt to connect to
+       murmur/mumble-server with an invalid server password or certificate.
+     - haproxy-http-auth - filter to match failed HTTP Authentications against a
+       HAProxy server
+   * New jails:
+     - murmur - bans TCP and UDP from the bad host on the default murmur port.
+   * sshd filter got new failregex to match "maximum authentication
+     attempts exceeded" (introduced in openssh 6.8)
+   * Added filter for Mac OS screen sharing (VNC) daemon
+
+  Enhancements:
+   * Do not rotate empty log files
+   * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
+     http://bugs.debian.org/798923
+   * Added openSUSE path configuration (Thanks Johannes Weberhofer)
+   * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
+   * Added a timeout (3 sec) to urlopen within badips.py action
+     (Thanks M. Maraun)
+   * Added check against atacker's Googlebot PTR fake records
+     (Thanks Pablo Rodriguez Fernandez)
+   * Enhance filter against atacker's Googlebot PTR fake records
+     (gh-1226)
+   * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
+   * Added filter for openhab domotic software authentication failure with the
+     rest api and web interface (gh-1223)
+   * Add *_backend options for services to allow distros to set the default
+     backend per service, set default to systemd for Fedora as appropriate
+   * Performance improvements while monitoring large number of files (gh-1265).
+     Use associative array (dict) for monitored log files to speed up lookup 
+     operations. Thanks @kshetragia
+   * Specified that fail2ban is PartOf iptables.service firewalld.service in
+     .service file -- would reload fail2ban if those services are restarted
+   * Provides new default `fail2ban_version` and interpolation variable
+     `fail2ban_agent` in jail.conf
+   * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
+     and to support multiple instances of postfix having varying suffix (gh-1331)
+     (Thanks Tom Hendrikx)
+   * files/gentoo-initd to use start-stop-daemon to robustify restarting the service
+
+  Fixes:
+   * roundcube-auth jail typo for logpath
+   * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
+   * filter.d/apache-badbots.conf
+     - Updated useragent string regex adding escape for `+`
+   * filter.d/mysqld-auth.conf
+ gg  - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
+   * filter.d/sshd.conf
+     - Updated "Auth fail" regex for OpenSSH 5.9 and later
+   * Treat failed and killed execution of commands identically (only
+     different log messages), which addresses different behavior on different
+     exit codes of dash and bash (gh-1155)
+   * Fix jail.conf.5 man's section (gh-1226)
+   * Fixed default banaction for allports jails like pam-generic, recidive, etc
+     with new default variable `banaction_allports` (gh-1216)
+   * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
+     for python version < 3.x (gh-1248)
+   * Use postfix_log logpath for postfix-rbl jail
+   * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
+   * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
+   * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
+   * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
+   * Removed compression and rotation count from logrotate (inherit them from
+     the global logrotate config)
+
+-------------------------------------------------------------------
+Thu Feb  4 15:50:38 UTC 2016 - jweberhofer@weberhofer.at
+
+- Require python-systemd for openSUSE 12.3+
+- Cleaned up the spec file
+- Added /run/fail2ban for openSUSE 13.2+
+- Don't fail on test-errors
+
+-------------------------------------------------------------------
+Wed Sep 23 10:10:17 UTC 2015 - jweberhofer@weberhofer.at
+
+- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+  to fix the former failing test and removed
+  fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
+
+- Do not longer create test-package. Developers should not use the packaged
+  version of fail2ban.
+
+-------------------------------------------------------------------
+Mon Sep  7 09:45:56 UTC 2015 - jweberhofer@weberhofer.at
+
+- patches are no longer included conditionally
+
+-------------------------------------------------------------------
+Mon Sep  7 06:54:33 UTC 2015 - jweberhofer@weberhofer.at
+
+- fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch excludes the
+  ExecuteTimeoutWithNastyChildren test, as it doesn't run correctly on
+  openSUSE.
+
+- fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for
+  older releases. 
+
+- Update to version 0.9.3
+
+- IMPORTANT incompatible changes:
+   * filter.d/roundcube-auth.conf
+     - Changed logpath to 'errors' log (was 'userlogins')
+   * action.d/iptables-common.conf
+     - All calls to iptables command now use -w switch introduced in
+       iptables 1.4.20 (some distribution could have patched their
+       earlier base version as well) to provide this locking mechanism
+       useful under heavy load to avoid contesting on iptables calls.
+       If you need to disable, define 'action.d/iptables-common.local'
+       with empty value for 'lockingopt' in `[Init]` section.
+   * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
+     actions now include by default only the first 1000 log lines in
+     the emails.  Adjust <grepopts> to augment the behavior.
+
+- Fixes:
+   * reload in interactive mode appends all the jails twice (gh-825)
+   * reload server/jail failed if database used (but was not changed) and
+     some jail active (gh-1072)
+   * filter.d/dovecot.conf - also match unknown user in passwd-file.
+     Thanks Anton Shestakov
+   * Fix fail2ban-regex not parsing journalmatch correctly from filter config
+   * filter.d/asterisk.conf - fix security log support for Asterisk 12+
+   * filter.d/roundcube-auth.conf
+     - Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
+     - Added regex to work with 'userlogins' log
+   * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
+     locale on systems with customized LC_ALL
+   * performance fix: minimizes connection overhead, close socket only at
+     communication end (gh-1099)
+   * unbanip always deletes ip from database (independent of bantime, also if
+     currently not banned or persistent)
+   * guarantee order of dbfile to be before dbpurgeage (gh-1048)
+   * always set 'dbfile' before other database options (gh-1050)
+   * kill the entire process group of the child process upon timeout (gh-1129).
+     Otherwise could lead to resource exhaustion due to hanging whois
+     processes.
+   * resolve /var/run/fail2ban path in setup.py to help installation
+     on platforms with /var/run -> /run symlink (gh-1142)
+
+- New Features:
+   * RETURN iptables target is now a variable: <returntype>
+   * New type of operation: pass2allow, use fail2ban for "knocking",
+     opening a closed port by swapping blocktype and returntype
+   * New filters:
+     - froxlor-auth - Thanks Joern Muehlencord
+     - apache-pass - filter Apache access log for successful authentication
+   * New actions:
+     - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
+	   manual pre-configuration of the shorewall. See the action file for detail.
+   * New jails:
+     - pass2allow-ftp - allows FTP traffic after successful HTTP authentication
+
+- Enhancements:
+   * action.d/cloudflare.conf - improved documentation on how to allow
+     multiple CF accounts, and jail.conf got new compound action
+     definition action_cf_mwl to submit cloudflare report.
+   * Check access to socket for more detailed logging on error (gh-595)
+   * fail2ban-testcases man page
+   * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
+     HEAD method verb
+   * Revamp of Travis and coverage automated testing
+   * Added a space between IP address and the following colon
+     in notification emails for easier text selection
+   * Character detection heuristics for whois output via optional setting
+     in mail-whois*.conf. Thanks Thomas Mayer.
+     Not enabled by default, if _whois_command is set to be
+     %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
+     it
+     - detects character set of whois output (which is undefined by
+       RFC 3912) via heuristics of the file command
+     - converts whois data to UTF-8 character set with iconv
+     - sends the whois output in UTF-8 character set to mail program
+     - avoids that heirloom mailx creates binary attachment for input with
+       unknown character set
+
+-------------------------------------------------------------------
+Thu Jul  2 06:38:00 UTC 2015 - jweberhofer@weberhofer.at
+
+- Note: fail2ban-issue_906-strptime.patch has been removed as it is already
+  integrated in the current version.
+
+-------------------------------------------------------------------
+Mon Jun  8 13:27:00 UTC 2015 - jweberhofer@weberhofer.at
+
+- Removed "backend" setting from paths-opensuse.conf
+
+-------------------------------------------------------------------
+Fri May  8 14:01:31 UTC 2015 - jweberhofer@weberhofer.at
+
+- Update to version 0.9.2 (requested in boo#917818)
+
+  Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog
+
+  Here are some notes to be read when updating existing installations:
+
+  The default log-backend for openssue 13.2+ is now systemd
+
+  * jail.conf was heavily refactored and now is similar to how it looked on
+    Debian systems:
+    - default action could be configured once for all jails
+    - jails definitions only provide customizations (port, logpath)
+    - no need to specify 'filter' if name matches jail name
+
+  * Added fail2ban persistent database
+    - default location at /var/lib/fail2ban/fail2ban.sqlite3
+    - allows active bans to be reinstated on restart
+    - log files read from last position after restart
+
+  * Added systemd journal backend
+    - Dependency on python-systemd
+    - New "journalmatch" option added to filter configs files
+    - New "systemd-journal" option added to fail2ban-regex
+
+  * Support %z (Timezone offset) and %f (sub-seconds) support for datedetector.
+    Enhanced existing date/time have been updated patterns to support these.
+    ISO8601 now defaults to localtime unless specified otherwise.  Some filters
+    have been change as required to capture these elements in the right
+    timezone correctly.
+
+  * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
+
+  * Optionally can read log files starting from "head" or "tail". See "logpath"
+    option in jail.conf(5) man page.
+
+  * Can now set log encoding for files per jail.Default uses systemd locale.
+
+  * iptables-common.conf replaced iptables-blocktype.conf
+    (iptables-blocktype.local should still be read) and now also provides
+    defaults for the chain, port, protocol and name tags
+
+- Require whois
+
+- Whereever possible, path-definitions have been moved paths-opensuse.conf
+  which has been submittet upstream
+
+- Use default fail2ban.service including fail2ban-opensuse-service.patch
+
+- Use default suse-initd from upstream
+
+- Run test-cases during build
+
+- run fdupes
+
+- Tests have been moved to a seperate page
+
+- Added rpmlintrc file to ignore some hidden files in the test package
+
+- Must build arch-depended packages for SLES 11
+
+- Removed two tests which can't run on the build server with openSUSE
+  before 13.3: fail2ban-exclude-dev-log-tests.patch
+
+-------------------------------------------------------------------
+Tue Apr 14 07:10:43 UTC 2015 - mpluskal@suse.com
+
+- Add missing dependency on ed (boo#926943)
+
+-------------------------------------------------------------------
+Wed Jan 21 21:00:48 UTC 2015 - jweberhofer@weberhofer.at
+
+- Fixed strptime thread safety issue.
+  fail2ban-issue_906-strptime.patch (bnc#914075 gh#fail2ban/fail2ban#906)
+
+-------------------------------------------------------------------
+Tue Nov 25 11:36:13 UTC 2014 - jweberhofer@weberhofer.at
+
+- Added syslog to requirements, as this version of fail2ban does not
+  work with systemd-logging: bnc#905733
+
+-------------------------------------------------------------------
+Fri Oct 17 09:44:12 UTC 2014 - jengelh@inai.de
+
+- Recommend installation of the ordering package when all
+  constituing parts are installed
+
+-------------------------------------------------------------------
+Thu Aug 21 16:50:20 UTC 2014 - jweberhofer@weberhofer.at
+
+- Fixed check for %_unitdir to make fail2ban build under older systems, too.
+- Changed /usr to %{_prefix} in the spec file
+
+-------------------------------------------------------------------
+Wed Aug 20 15:44:54 UTC 2014 - jweberhofer@weberhofer.at
+
+- update to 0.8.14
+  * minor fixes for claimed Python 2.4 and 2.5 compatibility
+  * Handle case when inotify watch is auto deleted on file deletion to stop
+    error messages
+  * tests - fixed few "leaky" file descriptors when files were not closed while
+    being removed physically
+  * grep in mail*-whois-lines.conf now also matches end of line to work with
+    the recidive filter
+- add fail2ban-opensuse-locations.patch to fix default locations as suggested
+  in bnc#878028
+
+-------------------------------------------------------------------
+Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de
+
+- update to 0.8.13:
+  + Fixes:
+  - action firewallcmd-ipset had non-working actioncheck. Removed.
+    redhat bug #1046816.
+  - filter pureftpd - added _daemon which got removed. Added
+
+  + New Features:
+  - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
+  - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
+
+  + Enhancements:
+  - filter asterisk now supports syslog format
+  - filter pureftpd - added all translations of "Authentication failed for
+    user"
+  - filter dovecot - lip= was optional and extended TLS errors can occur.
+    Thanks Noel Butler.
+- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed 
+  upstream
+- split out nagios-plugins-fail2ban package
+
+-------------------------------------------------------------------
+Tue Feb 18 00:03:12 UTC 2014 - jengelh@inai.de
+
+- Add a new subpackage to install systemd drop-ins that couple
+  SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf,
+  f2b-restart.conf.
+
+-------------------------------------------------------------------
+Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at
+
+Security note: The update to version 0.8.11 has fixed two additional security
+issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
+be blocked by Fail2ban causing legitimate users to be blocked from accessing
+services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
+(postfix)
+
+-------------------------------------------------------------------
+Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at
+
+- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
+
+- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
+  newer versions of openSUSE
+
+-------------------------------------------------------------------
+Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at
+
+- Reviewed and fixed github references in the changelog
+
+-------------------------------------------------------------------
+Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at
+
+- Use new flushlogs syntax after logrotate
+
+-------------------------------------------------------------------
+Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
+
+- Update to version 0.8.12
+
+  * Log rotation can now occur with the command "flushlogs" rather than
+    reloading fail2ban or keeping the logtarget settings consistent in
+    jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
+
+  * Added ignorecommand option for allowing dynamic determination as to ignore
+    and IP or not.
+
+  * Remove indentation of name and loglevel while logging to SYSLOG to resolve
+    syslog(-ng) parsing problems. (dep#730202). Log lines now also
+    report "[PID]" after the name portion too.
+
+  * Epoch dates can now be enclosed within []
+
+  * New actions: badips, firewallcmd-ipset, ufw, blocklist_de
+
+  * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
+    ejabberd, openwebmail, groupoffice
+
+  * Filter improvements:
+    - apache-noscript now includes php cgi scripts
+    - exim-spam filter to match spamassassin log entry for option SAdevnull.
+    - Added to sshd filter expression for 
+      "Received disconnect from : 3: Auth fail"
+    - Improved ACL-handling for Asterisk
+    - Added improper command pipelining to postfix filter.
+
+  * General fixes:
+    - Added lots of jail.conf entries for missing filters that creaped in 
+      over the last year.
+    - synchat changed to use push method which verifies whether all data was
+      send. This ensures that all data is sent before closing the connection.
+    - Fixed python 2.4 compatibility (as sub-second in date patterns weren't 
+      2.4 compatible)
+    - Complain/email actions fixed to only include relevant IPs to reporting
+
+  * Filter fixes:
+    - Added HTTP referrer bit of the apache access log to the apache filters.
+    - Apache 2.4 perfork regexes fixed
+    - Kernel syslog expression can have leading spaces
+    - allow for ",milliseconds" in the custom date format of proftpd.log
+    - recidive jail to block all protocols
+    - smtps not a IANA standard so may be missing from /etc/services. Due to 
+      (still) common use 465 has been used as the explicit port number
+    - Filter dovecot reordered session and TLS items in regex with wider scope
+      for session characters
+
+  * Ugly Fixes (Potentially incompatible changes):
+
+    - Unfortunately at the end of last release when the action
+      firewall-cmd-direct-new was added it was too long and had a broken action
+      check. The action was renamed to firewallcmd-new to fit within jail name
+      name length. (gh#fail2ban/fail2ban#395).
+
+    - Last release added mysqld-syslog-iptables as a jail configuration. This
+      jailname was too long and it has been renamed to mysqld-syslog.
+
+- Fixed formating of github references in changelog
+- reformatted spec-file
+ 
+-------------------------------------------------------------------
+Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at
+
+- Update to version 0.8.11
+
+- In light of CVE-2013-2178 that triggered our last release we have put a
+  significant effort into tightening all of the regexs of our filters to avoid
+  another similar vulnerability. We haven't examined all of these for a potential
+  DoS scenario however it is possible that another DoS vulnerability exists that
+  is fixed by this release. A large number of filters have been updated to
+  include more failure regexs supporting previously unbanned failures and support
+  newer application versions too. We have test cases for most of these now
+  however if you have other examples that demonstrate that a filter is
+  insufficient we welcome your feedback. During the tightening of the regexs to
+  avoid DoS vulnerabilities there is the possibility that we have inadvertently,
+  despite our best intentions, incorrectly allowed a failure to continue.
+
+-------------------------------------------------------------------
+Sat Sep 21 11:38:29 UTC 2013 - schuetzm@gmx.net
+
+- Added systemd service file and systemd-tmpfiles configuration
+
+-------------------------------------------------------------------
+Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at
+
+- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
+  by "bugs" in apache- filters.  If you are relying on listed below apache-
+  filters, upgrade asap and seek your distributions to patch their fail2ban
+  distribution with [6ccd5781]. The bug's decription can be found in
+  https://vndh.net/note:fail2ban-089-denial-service
+
+- Fixes
+  * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
+    failregex at the beginning (and where applicable at the end).
+    Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710
+  * action.d/{route,shorewall}.conf - blocktype must be defined
+    within [Init].  Closes gh#fail2ban/fail2ban#232
+
+- Enhancements
+  * jail.conf -- assure all jails have actions and remove unused
+    ports specifications
+  * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
+  * files/suse-initd -- update to the copy from stock SUSE
+  * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
+    gh#fail2ban/fail2ban#230.
+  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes 
+    gh#fail2ban/fail2ban#244.
+
+------------------------------------------------------------------
+Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at
+
+- Included logrotate configuration for fail2ban
+
+-------------------------------------------------------------------
+Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
+
+- Init-Script does no longer require $syslog to be started as file-base logging
+  is the default. Synced with Debian script.
+
+- Upgrade to version 0.8.9
+
+- Fixes: Yaroslav Halchenko
+   * [6f4dad46] python-2.4 is the minimal version.
+   * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
+     on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the
+     bug report.
+   * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
+     insight. Closes gh#fail2ban/fail2ban#103.
+   * [ab044b75] delay check for the existence of config directory until read.
+   * [3b4084d4] fixing up for handling of TAI64N timestamps.
+   * [154aa38e] do not shutdown logging until all jails stop.
+   * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes
+     gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and
+     troubleshooting.  Orion Poplawski
+   * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
+     newly created directories.
+  Nicolas Collignon
+   * [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167.
+  Sergey Brester
+   * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
+     sorting template list.
+  Steven Hiscocks
+   * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
+     Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148.
+   * [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124.
+  Daniel Black
+   * [f0610c01] Allow more that a one word command when changing and Action via
+     the fail2ban-client. Closes gh#fail2ban/fail2ban#134.
+   * [945ad3d9] Fix dates on email actions to work in different locals. Closes
+     gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
+  blotus
+   * [96eb8986] ' and " should also be escaped in action tags Closes 
+     gh#fail2ban/fail2ban#109
+  Christoph Theis, Nick Hilliard, Daniel Black
+   * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
+- New features:
+  Yaroslav Halchenko
+   * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
+     to provide additional flexibility to system adminstrators. Thanks to
+     beilber for the idea. Closes gh#fail2ban/fail2ban#114.
+   * [3ce53e87] Add exim filter.
+  Erwan Ben Souiden
+   * [d7d5228] add nagios integration documentation and script to ensure
+     fail2ban is running. Closes gh#fail2ban/fail2ban#166.
+  Artur Penttinen
+   * [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152.
+  ArndRaphael Brandes
+   * [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117.
+  Michael Gebetsriother
+   * [f9b78ba] Add action route to block at routing level.
+  Teodor Micu & Yaroslav Halchenko
+   * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
+  Daniel Black
+   * [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102.
+  Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
+   * [b6d0e8a] Add and enhance the bsd-ipfw action from
+     FreeBSD ports.
+  Soulard Morgan
+   * [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99.
+  Steven Hiscocks
+   * [..746c7d9] bash interactive shell completions for fail2ban-*'s
+  Nick Hilliard
+   * [0c5a9c5] Add pf action.
+- Enhancements:
+  Enrico Labedzki
+   * [24a8d07] Added new date format for ASSP SMTP Proxy.
+  Steven Hiscocks
+   * [3d6791f] Ensure restart of Actions after a check fails occurs
+     consistently. Closes gh#fail2ban/fail2ban#172.
+   * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
+   * [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124.
+   * [ce3ab34] Added ability to specify PID file.
+  Orion Poplawski
+   * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
+     Closes gh#fail2ban/fail2ban#142.
+  Yaroslav Halchenko
+   * [MANY] Lots of improvements to log messages, man pages and test cases.
+   * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
+     Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger.
+   * [40c5a2d] adding more of diagnostic messages into -client while starting
+     the daemon.
+   * [8e63d4c] Compare against None with 'is' instead of '=='.
+   * [6fef85f] Strip CR and LF while analyzing the log line
+  Daniel Black
+   * [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143.
+   * [MANY] man page edits.
+   * [7cd6dab] Added help command to fail2ban-client.
+   * [c8c7b0b,23bbc60] Better logging of log file read errors.
+   * [3665e6d] Added code coverage to development process.
+   * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
+     source. Also include BSD changes.
+   * [1d9abd1] Action files can have tags in definition that refer to other
+     tags.
+   * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
+     unreachable rather than just a drop of the packet.
+  Pascal Borreli
+   * [a2b29b4] Fixed lots of typos in config files and documentation.
+  hamilton5
+   * [7ede1e8] Update dovecot filter config.
+  Romain Riviere
+   * [0ac8746] Enhance named-refused filter for views.
+  James Stout
+   * [..2143cdf] Solaris support enhancements:
+     - README.Solaris
+     - failregex'es tune ups (sshd.conf)
+     - hostsdeny: do not rely on support of '-i' in sed
+
+-------------------------------------------------------------------
+Thu Dec  6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at
+
+One of the important changes is escaping of the <matches> content -- so if you
+crafted some custom action which uses it -- you must upgrade, or you
+would be at a significant security risk.
+
+- Fixes:
+  Alan Jenkins
+   * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
+     banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64
+  Yaroslav Halchenko
+   * [83109bc] IMPORTANT: escape the content of <matches> (if used in
+     custom action files) since its value could contain arbitrary
+     symbols.  Thanks for discovery go to the NBS System security
+     team
+   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. 
+     Close gh#fail2ban/fail2ban#83
+   * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
+   * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
+     in the console. Close gh#fail2ban/fail2ban#91
+
+- New features:
+  David Engeset
+   * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
+     the log file to take 'banip' or 'unbanip' in effect. 
+     Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
+
+- Enhancements:
+   * [2d66f31] replaced uninformative "Invalid command" message with warning log
+     exception why command actually failed
+   * [958a1b0] improved failregex to "support" auth.backend = "htdigest"
+   * [9e7a3b7] until we make it proper module -- adjusted sys.path only if
+     system-wide run
+   * [f52ba99] downgraded "already banned" from WARN to INFO level.
+     Closes gh#fail2ban/fail2ban#79
+   * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
+     for this gh#fail2ban/fail2ban#87)
+   * Various others: travis-ci integration, script to run tests
+     against all available Python versions, etc
+
+-------------------------------------------------------------------
+Mon Dec  3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at
+
+- Fixed initscript as discussed in bnc#790557
+
+-------------------------------------------------------------------
+Wed Oct  3 09:53:40 UTC 2012 - meissner@suse.com
+
+- use Source URL pointing to github
+
+-------------------------------------------------------------------
+Tue Oct  2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at
+
+- Do not longer replace main config-files
+- Use variables for directories in spec file
+
+-------------------------------------------------------------------
+Tue Oct  2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at
+
+- Added dependencies to python-pyinotifyi, python-gamin and iptables
+
+-------------------------------------------------------------------
+Tue Oct  2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
+
+- Upgraded to version 0.8.7.1
+
+- Yaroslav Halchenko
+  * [e9762f3] Removed sneaked in comment on sys.path.insert
+    Tom Hendrikx & Jeremy Olexa
+  * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
+    See http://forums.gentoo.org/viewtopic-t-899018.html
+- Chris Reffett
+  * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
+    rather than just one failure.
+- Yaroslav Halchenko
+  * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
+  * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
+  * [ed16ecc] enforce "ip" field returned as str, not unicode so that log
+    message stays non-unicode. Close gh#fail2ban/fail2ban#32
+  * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
+    already present in the pattern
+  * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
+    friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66)
+  * [80b191c] anchor grep regexp in actioncheck to not match partial names
+    of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
+- New features:
+- François Boulogne
+  * [a7cb20e..] add lighttpd-auth filter/jail
+- Lee Clemens & Yaroslav Halchenko
+  * [e442503] pyinotify backend (default if backend='auto' and pyinotify
+    is available)
+  * [d73a71f,3989d24] usedns parameter for the jails to allow disabling
+    use of DNS
+- Tom Hendrikx
+  * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
+    repeated offenders. Close gh#fail2ban/fail2ban#19
+- Xavier Devlamynck
+  * [7d465f9..] Add asterisk support
+- Zbigniew Jedrzejewski-Szmek
+  * [de502cf..] allow running fail2ban as non-root user (disabled by
+    default) via xt_recent. See doc/run-rootless.txt
+- Enhancements
+- Lee Clemens
+  * [47c03a2] files/nagios - spelling/grammar fixes
+  * [b083038] updated Free Software Foundation's address
+  * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
+  * [642d9af,3282f86] reformated printing of jail's name to be consistent
+    with init's info messages
+  * [3282f86] uniform use of capitalized Jail in the messages
+- Leonardo Chiquitto
+  * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
+    to reflect code
+  * [a7d47e8] Update Free Software Foundation's address
+- Petr Voralek
+  * [4007751] catch failed ssh logins due to being listed in DenyUsers.
+    Close gh#fail2ban/fail2ban#47 (Closes: #669063)
+- Yaroslav Halchenko
+  * [MANY]    extended and robustified unittests: test different backends
+  * [d9248a6] refactored Filter's to avoid duplicate functionality
+  * [7821174] direct users to issues on github
+  * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
+    default with -v to control verbosity
+  * [b4099da] adjusted header for config/*.conf to mention .local and way
+    to comment (Thanks Stefano Forli for the note)
+  * [6ad55f6] added failregex for wu-ftpd to match against syslog instead
+    of DoS-prone auth.log's rhost (Closes: #514239)
+  * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
+    sshd filter (Closes: #648020)
+- Yehuda Katz & Yaroslav Halchenko
+  * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
+
+-------------------------------------------------------------------
+Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de
+
+- Adding to fail2ban.init remove of pid and sock files on stop 
+  in case not removed before (prevents start fail)
+
+-------------------------------------------------------------------
+Sun Jun  3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at
+
+- Update to version 0.8.6. containing various fixes and enhancements
+
+-------------------------------------------------------------------
+Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com
+
+- Update to version 0.8.5: many bug fixes, enhancements and, as
+  a bonus, drop two patches that are now upstream
+- Update FSF address to silent rpmlint warnings
+- Drop stale socket files on startup (bnc#537239, bnc#730044)
+
+-------------------------------------------------------------------
+Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de
+
+- Apply packaging guidelines (remove redundant/obsolete
+  tags/sections from specfile, etc.)
+
+-------------------------------------------------------------------
+Thu Sep  1 14:07:28 UTC 2011 - coolo@suse.com
+
+- Use /var/run/fail2ban instead of /tmp for temp files in
+  actions: see bugs.debian.org/544232, bnc#690853,
+  CVE-2009-5023
+
+-------------------------------------------------------------------
+Thu Jan  6 16:56:30 UTC 2011 - lchiquitto@suse.com
+
+- Use $FAIL2BAN_OPTIONS when starting (bnc#662495)
+- Clean up sysconfig file
+
+-------------------------------------------------------------------
+Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Use O_CLOEXEC on fds (patch from Fedora)
+
+-------------------------------------------------------------------
+Wed May  5 16:48:46 UTC 2010 - lchiquitto@suse.com
+
+- Create /var/run/fail2ban during startup to support systems that
+  mount /var/run as tmpfs
+- Build package as noarch
+- Spec file cleanup: fix a couple of rpmlint warnings
+- Init script: look for fail2ban-server when checking if the
+  daemon is running
+
+-------------------------------------------------------------------
+Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com
+
+- Update to version 0.8.4. Important changes:
+  * New "Ban IP" command
+  * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve
+  * Fixed the 'unexpected communication error' problem
+  * Remove socket file on startup if fail2ban crashed (bnc#537239)
+
+-------------------------------------------------------------------
+Wed Feb  4 18:19:39 CET 2009 - kssingvo@suse.de
+
+- Initial version: 0.8.3
+
diff --git a/fail2ban.keyring b/fail2ban.keyring
new file mode 100644
index 0000000..7fcf831
--- /dev/null
+++ b/fail2ban.keyring
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT
+Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV
+lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC
+i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO
+hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3
+BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl
+ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm
+NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h
+RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n
+2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq
+GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ
+3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX
+XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ
+uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh
+Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a
+kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf
+awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6
+7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF
+AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw
+2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs
+IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O
+ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb
+muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c
+6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg==
+=vqSW
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/fail2ban.logrotate b/fail2ban.logrotate
new file mode 100644
index 0000000..cbd0e96
--- /dev/null
+++ b/fail2ban.logrotate
@@ -0,0 +1,13 @@
+/var/log/fail2ban.log {
+    compress
+    dateext
+    maxage 365
+    rotate 99
+    size=+4096k
+    notifempty
+    missingok
+    create 644 root root
+    postrotate
+      fail2ban-client flushlogs  1>/dev/null || true
+    endscript
+}
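Review bot: `create 644 root root` recreates `/var/log/fail2ban.log` world-readable after every rotation, so any local account can read which addresses were detected and banned and which jails are active. Unless something on the system depends on unprivileged read access, a tighter mode such as `create 640 root root` fits a security log better. In `postrotate`, `1>/dev/null || true` hides a failed `flushlogs`; a short comment there stating that the failure is ignored on purpose (for example when the server is not running) would help the next maintainer.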
diff --git a/fail2ban.spec b/fail2ban.spec
new file mode 100644
index 0000000..6200663
--- /dev/null
+++ b/fail2ban.spec
@@ -0,0 +1,351 @@
+#
+# spec file for package fail2ban
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name:           fail2ban
+Version:        1.0.2
+Release:        0
+Summary:        Bans IP addresses that make too many authentication failures
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Security
+URL:            https://www.fail2ban.org/
+Source0:        https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1:        https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2:        %{name}.sysconfig
+Source3:        %{name}.logrotate
+Source5:        %{name}.tmpfiles
+Source6:        sfw-fail2ban.conf
+Source7:        f2b-restart.conf
+# Path definitions have been submitted to upstream
+Source8:        paths-opensuse.conf
+Source200:      fail2ban.keyring
+# PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles
+Patch100:       %{name}-opensuse-locations.patch
+# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
+Patch101:       %{name}-opensuse-service.patch
+# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
+Patch200:       %{name}-disable-iptables-w-option.patch
+# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
+Patch201:       %{name}-0.10.4-env-script-interpreter.patch
+# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions
+Patch300:       fail2ban-opensuse-service-sfw.patch
+# PATCH-FEATURE-OPENSUSE harden_fail2ban.service.patch jsegitz@suse.com -- Added hardening to systemd service(s) bsc#1181400
+Patch301:       harden_fail2ban.service.patch
+# PATCH-FIX-OPENSUSE fail2ban-fix-openssh98.patch meissner@suse.com -- support openssh9.8 bsc#1230101
+Patch302:       fail2ban-fix-openssh98.patch
+BuildRequires:  fdupes
+BuildRequires:  logrotate
+BuildRequires:  python-rpm-macros
+BuildRequires:  python3-tools
+# timezone package is required to run the tests
+BuildRequires:  timezone
+Requires:       cron
+Requires:       ed
+Requires:       iptables
+Requires:       logrotate
+Requires:       python3 >= 3.2
+Requires:       whois
+%if 0%{?suse_version} != 1110
+BuildArch:      noarch
+%endif
+%if 0%{?suse_version} >= 1230
+# systemd
+BuildRequires:  python3-systemd
+BuildRequires:  pkgconfig(systemd)
+Requires:       python3-systemd
+Requires:       systemd > 204
+%{?systemd_requires}
+%else
+# no systemd (the init-script requires lsof)
+Requires:       lsof
+Requires:       syslog
+%endif
+%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010  && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
+BuildRequires:  python3-pyinotify >= 0.8.3
+Requires:       python3-pyinotify >= 0.8.3
+%endif
+
+%description
+Fail2ban scans log files like %{_localstatedir}/log/messages and bans IP
+addresses that makes too many password failures. It updates firewall rules to
+reject the IP address, can send e-mails, or set host.deny entries.  These rules
+can be defined by the user. Fail2Ban can read multiple log files such as sshd
+or Apache web server ones.
+
+%if !0%{?suse_version} > 1500
+%package -n SuSEfirewall2-%{name}
+Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
+Group:          Productivity/Networking/Security
+Requires:       SuSEfirewall2
+Requires:       fail2ban
+
+%description -n SuSEfirewall2-%{name}
+This package ships systemd files which will cause fail2ban to be ordered in
+relation to SuSEfirewall2 such that the two can be run concurrently within
+reason, i.e. SFW will always run first because it does a table flush.
+%endif
+
+%package -n monitoring-plugins-%{name}
+Summary:        Check fail2ban server and how many IPs are currently banned
+Group:          System/Monitoring
+%if 0%{?suse_version}
+BuildRequires:  nagios-rpm-macros
+%else
+%define         nagios_plugindir %{_libexecdir}/nagios/plugins
+%endif
+Provides:       nagios-plugins-%{name} = %{version}
+Obsoletes:      nagios-plugins-%{name} < %{version}
+
+%description -n monitoring-plugins-%{name}
+This plugin checks if the fail2ban server is running and how many IPs are
+currently banned.  You can use this plugin to monitor all the jails or just a
+specific jail.
+
+How to use
+----------
+Just have to run the following command:
+  $ ./check_fail2ban --help
+
+%prep
+%setup -q
+install -m644 %{SOURCE8} config/paths-opensuse.conf
+
+# Use openSUSE paths
+sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
+
+%patch -P 100 -p1
+%patch -P 101 -p1
+%if 0%{?suse_version} < 1310
+%patch -P 200 -p1
+%endif
+%patch -P 201 -p1
+%if !0%{?suse_version} > 1500
+%patch -P 300 -p1
+%endif
+%patch -P 301 -p1
+%patch -P 302 -p1
+
+rm 	config/paths-arch.conf \
+	config/paths-debian.conf \
+	config/paths-fedora.conf \
+	config/paths-freebsd.conf \
+	config/paths-osx.conf
+
+# correct doc-path
+sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py
+
+# remove syslogd-logger settings for older distributions
+%if 0%{?suse_version} < 1230
+sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf
+%endif
+
+%build
+export CFLAGS="%{optflags}"
+./fail2ban-2to3
+python3 setup.py build
+gzip man/*.{1,5}
+
+%install
+python3 setup.py install \
+	--root=%{buildroot} \
+	--prefix=%{_prefix}
+
+install -d -m 755 %{buildroot}%{_mandir}/man{1,5}
+install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
+install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
+
+install -d -m 755 %{buildroot}%{_initddir}
+install -d -m 755 %{buildroot}%{_sbindir}
+
+%if 0%{?suse_version} > 1310
+# use /run directory
+install -d -m 755 %{buildroot}/run
+touch %{buildroot}/run/%{name}
+%else
+#use /var/run directory
+install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name}
+%endif
+
+%if 0%{?suse_version} >= 1230
+# systemd
+install -d -m 755 %{buildroot}%{_unitdir}
+install -p -m 644 files/%{name}.service.in %{buildroot}%{_unitdir}/%{name}.service
+
+install -d -m 755 %{buildroot}%{_tmpfilesdir}
+install -p -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
+ln -sf service %{buildroot}%{_sbindir}/rc%{name}
+
+%else
+# without systemd
+install -d -m 755 %{buildroot}%{_initddir}
+install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name}
+ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
+%endif
+
+echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local
+
+install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/
+
+install -d -m 755 %{buildroot}%{_fillupdir}
+install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
+
+install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+
+%if !0%{?suse_version} > 1500
+%if 0%{?_unitdir:1}
+install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
+	"%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf"
+install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
+	"%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
+%endif
+%endif
+install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}
+
+# install docs using the macro
+rm -r %{buildroot}%{_docdir}/%{name}
+
+# remove duplicates
+%fdupes -s %{buildroot}%{python3_sitelib}
+
+%check
+#stat /dev/log
+#python -c "import platform; print(platform.system())"
+# tests require python-pyinotify to be installed, so don't run them on older versions
+%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010  && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
+# Need a UTF-8 locale to work
+export LANG=en_US.UTF-8
+./fail2ban-testcases-all --no-network || true
+%endif
+
+%if 0%{?suse_version} >= 1230
+%pre
+%service_add_pre %{name}.service
+%endif
+
+%post
+%fillup_only
+%if 0%{?suse_version} >= 1230
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+# The next line is not workin in Leap 42.1, so keep the old way
+#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf
+%service_add_post %{name}.service
+%endif
+
+%preun
+%if 0%{?suse_version} >= 1230
+%service_del_preun %{name}.service
+%else
+%stop_on_removal %{name}
+%endif
+
+%postun
+%if 0%{?suse_version} >= 1230
+%service_del_postun %{name}.service
+%else
+%restart_on_update %{name}
+%insserv_cleanup
+%endif
+
+%if !0%{?suse_version} > 1500
+%if 0%{?_unitdir:1}
+%post -n SuSEfirewall2-%{name}
+%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
+
+%postun -n SuSEfirewall2-%{name}
+%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
+%endif
+%endif
+
+%files
+%dir %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/%{name}/action.d
+%dir %{_sysconfdir}/%{name}/%{name}.d
+%dir %{_sysconfdir}/%{name}/filter.d
+%dir %{_sysconfdir}/%{name}/jail.d
+#
+%config %{_sysconfdir}/%{name}/action.d/*
+%config %{_sysconfdir}/%{name}/filter.d/*
+#
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%config %{_sysconfdir}/%{name}/jail.conf
+%config %{_sysconfdir}/%{name}/paths-common.conf
+%config %{_sysconfdir}/%{name}/paths-opensuse.conf
+#
+%config(noreplace) %{_sysconfdir}/%{name}/jail.local
+#
+%config %{_sysconfdir}/logrotate.d/%{name}
+%dir %{_localstatedir}/lib/%{name}/
+%if 0%{?suse_version} > 1310
+# use /run directory
+%ghost /run/%{name}
+%else
+# use /var/run directory
+%dir %ghost %{_localstatedir}/run/%{name}
+%endif
+%if 0%{?suse_version} >= 1230
+# systemd
+%{_unitdir}/%{name}.service
+%{_tmpfilesdir}/%{name}.conf
+%else
+# without-systemd
+%{_initddir}/%{name}
+%endif
+%{_sbindir}/rc%{name}
+%{_bindir}/%{name}-server
+%{_bindir}/%{name}-client
+%{_bindir}/%{name}-python
+%{_bindir}/%{name}-regex
+%{python3_sitelib}/%{name}
+%exclude %{python3_sitelib}/%{name}/tests
+%{python3_sitelib}/%{name}-*
+%{_fillupdir}/sysconfig.%{name}
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%license COPYING
+%doc README.md TODO ChangeLog doc/*.txt
+
+# do not include tests as they are executed during the build process
+%exclude %{_bindir}/%{name}-testcases
+%exclude %{python3_sitelib}/%{name}/tests
+
+%if !0%{?suse_version} > 1500
+%if 0%{?_unitdir:1}
+%files -n SuSEfirewall2-%{name}
+%{_unitdir}/SuSEfirewall2.service.d
+%{_unitdir}/%{name}.service.d
+%endif
+%endif
+
+%files -n monitoring-plugins-%{name}
+%license COPYING
+%doc files/nagios/README
+%if 0%{?suse_version}
+%dir %{nagios_libdir}
+%else
+%dir %{_libexecdir}/nagios
+%endif
+%dir %{nagios_plugindir}
+%{nagios_plugindir}/check_%{name}
+
+%changelog
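Review bot: In `%check`, `./fail2ban-testcases-all --no-network || true` discards the test suite's exit status, so a filter regression cannot fail the build, including one introduced by the newly added `fail2ban-fix-openssh98.patch`. Dropping `|| true` would make such a regression visible; if some tests are known to fail in the build environment, a comment naming them is the minimum. Separately, `%if !0%{?suse_version} > 1500` (five places, from the SuSEfirewall2 subpackage through its `%files`) appears to parse as `(!0%{?suse_version}) > 1500`, which is never true, so those sections look permanently disabled. If the intent is "1500 and older", `%if 0%{?suse_version} <= 1500` states it directly.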
diff --git a/fail2ban.sysconfig b/fail2ban.sysconfig
new file mode 100644
index 0000000..c0560e3
--- /dev/null
+++ b/fail2ban.sysconfig
@@ -0,0 +1,10 @@
+## Path:	System/Security/Fail2ban
+## Description:	fail2ban options
+## Type:	string
+## Default:	""
+## ServiceReload: fail2ban
+## ServiceRestart: fail2ban
+#
+# Options for fail2ban
+#
+FAIL2BAN_OPTIONS=""
diff --git a/fail2ban.tmpfiles b/fail2ban.tmpfiles
new file mode 100644
index 0000000..106e114
--- /dev/null
+++ b/fail2ban.tmpfiles
@@ -0,0 +1 @@
+d /run/fail2ban 0755 root root
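Review bot: The runtime directory is created with mode 0755, which lets every local user traverse and list it. It presumably holds the server's control socket and pid file, which only root needs to reach, so `d /run/fail2ban 0750 root root -` (or 0700) would be the least-privilege choice. Check first that nothing unprivileged, such as the monitoring plugin packaged by the spec, relies on seeing the directory. The trailing `-` for the age field is optional but makes the line match the documented tmpfiles.d column layout.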
diff --git a/harden_fail2ban.service.patch b/harden_fail2ban.service.patch
new file mode 100644
index 0000000..515729f
--- /dev/null
+++ b/harden_fail2ban.service.patch
@@ -0,0 +1,23 @@
+Index: fail2ban-0.11.2/files/fail2ban.service.in
+===================================================================
+--- fail2ban-0.11.2.orig/files/fail2ban.service.in
++++ fail2ban-0.11.2/files/fail2ban.service.in
+@@ -5,6 +5,18 @@ After=network.target iptables.service fi
+ PartOf=firewalld.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=simple
+ EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
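Review bot: `ProtectSystem=full` mounts /etc read-only for the service and `ProtectHome=true` hides /home and /root, but the added block has no comment on what that rules out. Ban actions that edit files under /etc (the hostsdeny action is the usual example, assuming it is among the shipped action.d files) and jails whose logpath lies under a home directory would presumably fail at ban time or at start-up, which can leave the host unprotected without the admin noticing. I would add a comment below the block such as `# ProtectSystem=full/ProtectHome=true: actions writing below /etc and log paths under /home need a drop-in override`. The Index header still names fail2ban-0.11.2 while the packaged tarball is 1.0.2, which is harmless if the spec applies the patch with a strip level but worth refreshing. The [Service] section continues outside the hunk.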
diff --git a/paths-opensuse.conf b/paths-opensuse.conf
new file mode 100644
index 0000000..0c029da
--- /dev/null
+++ b/paths-opensuse.conf
@@ -0,0 +1,50 @@
+# openSUSE log-file locations
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_local0  = /var/log/messages
+
+syslog_mail = /var/log/mail
+
+syslog_mail_warn = %(syslog_mail)s
+
+syslog_authpriv = %(syslog_local0)s
+
+syslog_user =  %(syslog_local0)s
+
+syslog_ftp  = %(syslog_local0)s
+
+syslog_daemon  = %(syslog_local0)s
+
+apache_error_log = /var/log/apache2/*error_log
+
+apache_access_log = /var/log/apache2/*access_log
+
+pureftpd_log = %(syslog_local0)s
+
+exim_main_log = /var/log/exim/main.log
+
+mysql_log = /var/log/mysql/mysqld.log
+
+roundcube_errors_log = /srv/www/roundcubemail/logs/errors
+
+solidpop3d_log = %(syslog_mail)s
+
+# These services will log to the journal via syslog, so use the journal by
+# default.
+syslog_backend = systemd
+sshd_backend = systemd
+dropbear_backend = systemd
+proftpd_backend = systemd
+pureftpd_backend = systemd
+wuftpd_backend = systemd
+postfix_backend = systemd
+dovecot_backend = systemd
+mysql_backend = systemd
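Review bot: The syslog_* defaults in [DEFAULT] point at /var/log/messages and /var/log/mail, which exist only when a syslog daemon writes them, and the file has no comment saying so. Only the jails covered by the `*_backend = systemd` lines at the end read the journal, so on a journal-only host any other enabled jail that resolves to `%(syslog_local0)s` or `%(syslog_mail)s` would presumably find no log file and not start. A comment above `syslog_local0` would make this visible: `# /var/log/messages and /var/log/mail require a syslog daemon (e.g. rsyslog); on journal-only hosts set backend = systemd in the jail`. Minor style: `syslog_local0  =`, `syslog_user =  ` and `after  =` use uneven spacing around the delimiter.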
diff --git a/sfw-fail2ban.conf b/sfw-fail2ban.conf
new file mode 100644
index 0000000..ed7bf17
--- /dev/null
+++ b/sfw-fail2ban.conf
@@ -0,0 +1,7 @@
+# This drop-in file extends SuSEfirewall2.service to also start
+# fail2ban.service, and to make sure that fail2ban is only (re)started after
+# SFW has completed.
+
+[Unit]
+Wants=fail2ban.service
+Before=fail2ban.service
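Review bot: The header comment promises that fail2ban is "(re)started" after SuSEfirewall2, but `Wants=` and `Before=` only pull fail2ban in and order it when SuSEfirewall2 is started. A restart of the firewall, which presumably rebuilds the rule set and drops fail2ban's ban rules with it, is not propagated by these two directives. That likely depends on the f2b-restart.conf drop-in listed in the diffstat, whose content is not visible here. I would reword the comment along the lines of `# ... also start fail2ban.service and order it after SFW; restart propagation is handled by the fail2ban.service.d drop-in`, so an admin who removes one drop-in knows that bans can be lost after a firewall restart.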