SHA256
1
0
forked from pool/fail2ban
Commit Graph

114 Commits

Author SHA256 Message Date
Dominique Leuenberger
301547b693 Accepting request 931605 from security
OBS-URL: https://build.opensuse.org/request/show/931605
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=63
2021-11-17 00:13:46 +00:00
Johannes Weberhofer
72cc9bc469 Accepting request 931604 from home:weberho:branches:security
Fixed typos

OBS-URL: https://build.opensuse.org/request/show/931604
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=109
2021-11-15 17:07:42 +00:00
Johannes Weberhofer
3e1ea61d18 Accepting request 931135 from home:weberho:branches:security
- Added fail2ban-0.11.2-upstream-patch-python-3.10.patch to allow 
  fail2ban run under under python 3.9+
- Shifted the order of the patches

OBS-URL: https://build.opensuse.org/request/show/931135
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=108
2021-11-15 16:57:14 +00:00
Dominique Leuenberger
f06ef51bbe Accepting request 920602 from security
OBS-URL: https://build.opensuse.org/request/show/920602
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=62
2021-09-21 19:13:16 +00:00
c92a861e40 Accepting request 918942 from home:jsegitz:branches:systemdhardening:security
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/918942
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=107
2021-09-21 08:14:01 +00:00
Dominique Leuenberger
8febc333e8 Accepting request 914046 from security
OBS-URL: https://build.opensuse.org/request/show/914046
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=61
2021-08-25 18:57:59 +00:00
Johannes Weberhofer
861f18c31d Accepting request 914045 from home:weberho:branches:security
- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch to fix CVE-2021-32749 - bnc#1188610 prevent a command injection via mail command
- note bnc#1180738 in changelog

OBS-URL: https://build.opensuse.org/request/show/914045
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=106
2021-08-24 14:14:57 +00:00
Dominique Leuenberger
010def5836 Accepting request 853311 from security
OBS-URL: https://build.opensuse.org/request/show/853311
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=60
2020-12-05 19:51:30 +00:00
Johannes Weberhofer
20c0b48fcb Accepting request 853310 from home:weberho:branches:security
- Integrate change to resolve bnc#1146856
- Update to 0.11.2
  increased stability, filter and action updates
  
- New Features and Enhancements
  * fail2ban-regex:
    - speedup formatted output (bypass unneeded stats creation)
    - extended with prefregex statistic
    - more informative output for `datepattern` (e. g. set from filter) - pattern : description
  * parsing of action in jail-configs considers space between action-names as separator also
  (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b`
  * new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689)
  * new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855)
  * new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723)
  * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured 
    (gh#fail2ban/fail2ban#2631)
  * `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778)
  * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
  * datetemplate: improved anchor detection for capturing groups `(^...)`;
  * datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc)
  as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814):
    - filter gets mode in-operation, which gets activated if filter starts processing of new messages;
      in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
      from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected 
      bypass of failure (previously exceeding `findtime`);
    - better interaction with non-matching optional datepattern or invalid timestamps;
    - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
    whereas filter will use now as timestamp (gh#fail2ban/fail2ban#2802)
  * performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template);
  * fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh#fail2ban/fail2ban#2791;
  * extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag
    prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of `<F-TUPLE_V?_n?>` tags (gh#fail2ban/fail2ban#2755)
- Fixes
  * [stability] prevent race condition - no ban if filter (backend) is continuously busy if
    too many messages will be found in log, e. g. initial scan of large log-file or journal (gh#fail2ban/fail2ban#2660)
  * pyinotify-backend sporadically avoided initial scanning of log-file by start
  * python 3.9 compatibility (and Travis CI support)
  * restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
  * manual ban is written to database, so can be restored by restart (gh#fail2ban/fail2ban#2647)
  * `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
  * no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
    per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357
  * ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686)
  * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), 
    so would bother the action interpolation
  * fixed type conversion in config readers (take place after all interpolations get ready), that allows to 
    specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
  * `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
    between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703)
  * `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing
   with `jq`, gh#fail2ban/fail2ban#2140, gh#fail2ban/fail2ban#2656)
  * `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2763)
  * `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2821)
  * `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836)
  * `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
    should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650)
  * `filter.d/dovecot.conf`: 
    - add managesieve and submission support (gh#fail2ban/fail2ban#2795);
    - accept messages with more verbose logging (gh#fail2ban/fail2ban#2573);
  * `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697)
  * `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle 
    the match of username differently (gh#fail2ban/fail2ban#2693):
    - `normal`: matches 401 with supplied username only
    - `ddos`: matches 401 without supplied username only
    - `aggressive`: matches 401 and any variant (with and without username)
  * `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749)
  
- Rebased patches
- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch

OBS-URL: https://build.opensuse.org/request/show/853310
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=104
2020-12-05 18:25:09 +00:00
Dominique Leuenberger
6738142d69 Accepting request 828242 from security
OBS-URL: https://build.opensuse.org/request/show/828242
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=59
2020-08-20 20:35:29 +00:00
ce385d8cc8 Accepting request 827769 from home:dimstar:Factory
- Use %{_tmpfilesdir} consistently throughout the .spec.

OBS-URL: https://build.opensuse.org/request/show/827769
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=102
2020-08-20 15:49:41 +00:00
Yuchen Lin
921fcf536c Accepting request 808030 from security
OBS-URL: https://build.opensuse.org/request/show/808030
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=58
2020-05-26 15:21:12 +00:00
Johannes Weberhofer
0b091513f7 Accepting request 807912 from home:polslinux:branches:security
- Update to 0.11.1:
  * Increment ban time (+ observer) functionality introduced.
  * Database functionality extended with bad ips.
  * New tags (usable in actions):
    - `<bancount>` - ban count of this offender if known as bad
      (started by 1 for unknown)
    - `<bantime>` - current ban-time of the ticket
      (prolongation can be retarded up to 10 sec.)
  * Introduced new action command `actionprolong` to prolong ban-time
    (e. g. set new timeout if expected);
  * algorithm of restore current bans after restart changed:
    update the restored ban-time (and therefore 
    end of ban) of the ticket with ban-time of jail (as maximum),
    for all tickets with ban-time greater (or persistent)
  * added new setup-option `--without-tests` to skip building
    and installing of tests files (gh-2287).
  * added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?`
    to get the banned ip addresses (gh-1916).
  * purge database will be executed now (within observer).
   restoring currently banned ip after service restart fixed
    (now < timeofban + bantime), ignore old log failures (already banned)
  * upgrade database: update new created table `bips` with entries
    from table `bans` (allows restore current bans after
    upgrade from version <= 0.10)

OBS-URL: https://build.opensuse.org/request/show/807912
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=100
2020-05-21 17:06:35 +00:00
Dominique Leuenberger
4cc1a7a611 Accepting request 762815 from security
OBS-URL: https://build.opensuse.org/request/show/762815
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=57
2020-01-10 16:50:16 +00:00
d7376219ea Accepting request 762228 from home:dimstar:Factory
- Switch to use python3 (upstream supported):
  + BuildRequire python3-tools instead of python-devel (for the
    2to3 tool).
  + Drop the python-gamin dependency.
  + Replace all python-FOO deps for their python3-FOO counterpart.

- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2
- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file

OBS-URL: https://build.opensuse.org/request/show/762228
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=98
2020-01-10 12:12:35 +00:00
Dominique Leuenberger
3ed19faa60 Accepting request 722644 from security
OBS-URL: https://build.opensuse.org/request/show/722644
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=56
2019-08-13 11:23:13 +00:00
Johannes Weberhofer
2ecebbda26 Accepting request 722640 from home:weberho:branches:security
- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpreter
- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2
  will be removed from Factory (see sr#713247):
  * fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service
  * fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for
    older distributions
  * Removed installation recommendation of the SuSEfirewall2-fail2ban
    package for all distributions as it is deprecated.
- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file
  location (boo#1145181, gh#fail2ban/fail2ban#2474)

OBS-URL: https://build.opensuse.org/request/show/722640
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=96
2019-08-12 10:37:17 +00:00
Dominique Leuenberger
9a23360232 Accepting request 709174 from security
OBS-URL: https://build.opensuse.org/request/show/709174
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=55
2019-06-12 11:17:51 +00:00
Johannes Weberhofer
1080a2c48e Accepting request 709167 from home:dimstar:Factory
Allow OBS to pick better candidates to shorten rebuild queues

OBS-URL: https://build.opensuse.org/request/show/709167
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=94
2019-06-11 13:15:31 +00:00
Yuchen Lin
d2dd170e6f Accepting request 677464 from security
- ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four
  * https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog
- Fixes
  * `filter.d/dovecot.conf`: 
    - failregex enhancement to catch sql password mismatch errors (gh-2153);
    - disconnected with "proxy dest auth failed" (gh-2184);
  * `filter.d/freeswitch.conf`:
    - provide compatibility for log-format from gh-2193:
      * extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
        `YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
      * more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
    - extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
      (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
      how to set it to mode `normal`.
  * `filter.d/domino-smtp.conf`:
    - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
    - failregex extended to catch connections rejected for policy reasons (gh-2228);
  * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected 
    and don't allowed in command-actions), see gh-2114;
  * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
    - fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
      `UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors;
    - actions: avoid possible conversion errors on wrong-chars by replace tags;
    - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
      additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
    - logging in fail2ban is process-wide exception-safe now.
  * repaired start-time of initial seek to time (as well as other log-parsing related data), 
    if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
  * systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
- New Features
  * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`, 
    `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
  * `ignorecommand` extended to use actions-similar replacement (capable to interpolate 
    all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)
- Enhancements
  * `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
  * since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
    additionally option `-V` can be used to get version in normalized machine-readable short format.
- rebase patches
  * fail2ban-opensuse-locations.patch
  * fail2ban-opensuse-service.patch
- add signature file

OBS-URL: https://build.opensuse.org/request/show/677464
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=54
2019-02-20 13:13:19 +00:00
Johannes Weberhofer
4d4d053410 Accepting request 676713 from home:computersalat:devel:security
Update to 0.10.4

OBS-URL: https://build.opensuse.org/request/show/676713
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=92
2019-02-18 09:31:32 +00:00
Dominique Leuenberger
cdab566a43 Accepting request 599594 from security
OBS-URL: https://build.opensuse.org/request/show/599594
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=53
2018-04-26 11:37:18 +00:00
Johannes Weberhofer
a495133311 Accepting request 599593 from home:weberho:branches:security
- Updated to version 0.10.3.1. Changelog:
  https://github.com/fail2ban/fail2ban/blob/0.10.3.1/ChangeLog
  * fixed JSON serialization for the set-object within dump into database (gh-2103).
- Updated to version 0.10.3. Changelog:
  https://github.com/fail2ban/fail2ban/blob/0.10.3/ChangeLog
- Fixes
  * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
  * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
  * `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;
  * `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
    - fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064);
  * `filter.d/sshd.conf`:
    - failregex got an optional space in order to match new log-format (see gh-2061);
    - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
    - fixed root login refused regex (optional port before preauth, gh-2080);
    - avoid banning of legitimate users when pam_unix used in combination with other password method, so
      bypass pam_unix failures if accepted available for this user gh-2070;
    - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
    - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
      it counts failure on closing connection within preauth-stage (gh-2085);
  * `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
  * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
  * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
  * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
- New Features
  * several stability and performance optimizations, more effective filter parsing, etc;
  * stable runnable within python versions 3.6 (as well as within 3.7-dev);
- Enhancements
  * `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
  * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
  * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
  * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
    the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line,
    e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line.
  * badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
  * add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
  * Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG):
    Usage `logtarget = target[padding=on|off]`

OBS-URL: https://build.opensuse.org/request/show/599593
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=90
2018-04-21 11:24:52 +00:00
Dominique Leuenberger
671fbd787d Accepting request 578362 from security
- Updated to version 0.10.2. Changelog:
  https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
- rebased patch
- Incompatibility list (compared to v.0.9):
  * Filter (or `failregex`) internal capture-groups:
    - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
      rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
      (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
      Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
      testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
      fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
    - New internal groups (currently reserved for internal usage):
      `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
      mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
  * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
    user configurations resp. `datepattern`.
  * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
    IPv6-capable now.
- Incompatibility:
  * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
    anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
    just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. 
- Fixes
  * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid 
    write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
  * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
  * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely 
    (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
  * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
    in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
  * `action.d/pf.conf`: 
    - fixed syntax error in achnor definition (documentation, see gh-1919);
    - enclose ports in braces for multiport jails (see gh-1925);
  * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
  * `filter.d/sshd.conf`:
    - extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
      forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", 
      see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
    - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
- New Features
  * datedetector: extended default date-patterns (allows extra space between the date and time stamps);
    introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
    - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
      (corresponds %H, but allows space if not zero-padded).
    - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
      (corresponds %I, but allows space if not zero-padded).
  * `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
- New Actions:
  * `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
     nginx-location with map-file);
  - Enhancements
    * jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
    * action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
    * Introduced new parameters for logging within fail2ban-server (gh-1980).
      Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
      - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
        for the list of facilities);
      - `datetime` - add date-time to the message (default on, ignored if `format` specified);
      - `format` - specify own format how it will be logged, for example for short-log into STDOUT:
        `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
    * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 
     'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
      if repair fails - recreate new database (gh-1465, gh-2004).

OBS-URL: https://build.opensuse.org/request/show/578362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=52
2018-02-21 13:11:41 +00:00
Johannes Weberhofer
68abb5fa88 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=88 2018-02-20 13:50:34 +00:00
Johannes Weberhofer
552f213926 Accepting request 578297 from home:weberho:branches:security
- Updated to version 0.10.2. Changelog:
  https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
- rebased patch

OBS-URL: https://build.opensuse.org/request/show/578297
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=87
2018-02-20 09:42:27 +00:00
Dominique Leuenberger
23a18af0bf Accepting request 544894 from security
OBS-URL: https://build.opensuse.org/request/show/544894
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=51
2017-11-24 09:55:37 +00:00
Johannes Weberhofer
fe795d997c Accepting request 544725 from home:RBrownSUSE:branches:security
Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

OBS-URL: https://build.opensuse.org/request/show/544725
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=85
2017-11-23 15:46:03 +00:00
Dominique Leuenberger
34326b1e39 Accepting request 537301 from security
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/537301
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=50
2017-10-29 19:24:39 +00:00
Johannes Weberhofer
346c68ba29 Accepting request 536273 from home:weberho:branches:security
- Updated to version 0.10.1. Changelog:
  https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog
- Removed 607568f.patch and 1783.patch
- New features: 
  * IPv6 support
    - IP addresses are now handled as objects rather than strings capable for 
      handling both address types IPv4 and IPv6
    - iptables related actions have been amended to support IPv6 specific actions
      additionally
    - hostsdeny and route actions have been tested to be aware of v4 and v6 already
    - pf action for *BSD systems has been improved and supports now also v4 and v6
    - name resolution is now working for either address type
    - new conditional section functionality used in config resp. includes:
      - [Init?family=inet4] - IPv4 qualified hosts only
      - [Init?family=inet6] - IPv6 qualified hosts only
  * Reporting via abuseipdb.com
    - Bans can now be reported to abuseipdb
    - Catagories must be set in the config
    - Relevant log lines included in report
  * Several commands extended and new commands introduced
  * Implemented execution of `actionstart` on demand
  * nftables actions are IPv6-capable now
  * Introduced new filter option `prefregex` for pre-filtering using single regular expression
  * Many times faster because of several optimizations
  * Several filters optimized
  * Introduced new jail option "ignoreself"
- Lots of fixes and internal improvements
- Incompatibitilities:
  * Filter (or `failregex`) internal capture-groups:
  - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
    rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
    (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
    Of course you can always your own capture-group (like below `_cond_ip_`) to do this.
    ```
    testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
    fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
    ```
  - New internal groups (currently reserved for internal usage):
    `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
    mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
  * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
  user configurations resp. `datepattern`.
  * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
  IPv6-capable now.

OBS-URL: https://build.opensuse.org/request/show/536273
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=83
2017-10-24 10:04:00 +00:00
Dominique Leuenberger
a7deeb333c Accepting request 506342 from security
1

OBS-URL: https://build.opensuse.org/request/show/506342
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=49
2017-06-27 08:21:50 +00:00
Johannes Weberhofer
7b7f0beacb Accepting request 506341 from home:weberho:branches:security
- added 1783.patch from upstream: "Updated roundcube authentication filter"
- use tmpfiles_create macro

OBS-URL: https://build.opensuse.org/request/show/506341
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=81
2017-06-27 04:04:17 +00:00
Dominique Leuenberger
e8fc4a600a Accepting request 495374 from security
1

OBS-URL: https://build.opensuse.org/request/show/495374
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=48
2017-05-17 08:54:57 +00:00
Johannes Weberhofer
2109aac4ea Accepting request 495373 from home:weberho:branches:security
- Update to 0.9.7
- fixes for bnc#1036928

OBS-URL: https://build.opensuse.org/request/show/495373
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=79
2017-05-16 14:44:12 +00:00
Dominique Leuenberger
7c32fa4bdb Accepting request 478640 from security
1

OBS-URL: https://build.opensuse.org/request/show/478640
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=47
2017-03-12 19:05:25 +00:00
Johannes Weberhofer
7b81f19e35 Accepting request 478626 from home:Aikhjarto:branches:security
Recently all nagios-plugin-* packages have been renamed to the more general monitoring-plugin-*.
This submit request does this transition for fail2ban and includes Provides/Obsoletes for backwards compatibily its old name.

OBS-URL: https://build.opensuse.org/request/show/478626
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=77
2017-03-11 09:49:32 +00:00
Dominique Leuenberger
873cbbfa82 Accepting request 453007 from security
1

OBS-URL: https://build.opensuse.org/request/show/453007
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=46
2017-01-31 11:42:01 +00:00
Johannes Weberhofer
499398214d Accepting request 452855 from home:computersalat:devel:security
update to 0.9.6

OBS-URL: https://build.opensuse.org/request/show/452855
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=75
2017-01-27 17:09:05 +00:00
Dominique Leuenberger
fff3d95b42 Accepting request 415433 from security
1

OBS-URL: https://build.opensuse.org/request/show/415433
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=45
2016-07-28 21:47:34 +00:00
Johannes Weberhofer
ef72158bf2 Accepting request 415421 from home:weberho:branches:security
Update to version 0.9.5

OBS-URL: https://build.opensuse.org/request/show/415421
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=73
2016-07-27 18:00:37 +00:00
Dominique Leuenberger
7bc1f847c3 Accepting request 378462 from security
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/378462
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=44
2016-03-26 14:27:23 +00:00
Dominique Leuenberger
4d405b4e35 Accepting request 369615 from security
1

OBS-URL: https://build.opensuse.org/request/show/369615
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=43
2016-03-16 09:35:11 +00:00
Johannes Weberhofer
9ffc83a177 Mark /etc/fail2ban/fail2ban.conf as noreplace.
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=70
2016-03-10 14:10:34 +00:00
Johannes Weberhofer
7ac30d5336 Accepting request 369600 from home:weberho:branches:security
- Update to version 0.9.4
- Defined services which per default uses systemd logger
- The update to this versions allow to close boo#917818, as the logger-backends for several services are now centrally set in /etc/fail2ban/paths-opensuse.conf

OBS-URL: https://build.opensuse.org/request/show/369600
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=69
2016-03-10 12:14:45 +00:00
Dominique Leuenberger
30699dddae Accepting request 358896 from security
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/358896
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=42
2016-02-17 09:24:34 +00:00
Johannes Weberhofer
db67cbee5d - Require python-systemd for openSUSE 12.3+
- Cleaned up the spec file
- Added /run/fail2ban for openSUSE 13.2+
- Don't fail on test-errors

OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=67
2016-02-04 15:51:02 +00:00
Stephan Kulow
ca370fae5a Accepting request 333139 from security
1

OBS-URL: https://build.opensuse.org/request/show/333139
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=41
2015-09-24 04:16:01 +00:00
Johannes Weberhofer
c876389bbe Accepting request 333138 from home:weberho:branches:security
- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
  to fix the former failing test and removed
  fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
- Do not longer create test-package. Developers should not use the packaged
  version of fail2ban.

OBS-URL: https://build.opensuse.org/request/show/333138
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=65
2015-09-23 10:21:57 +00:00
Dominique Leuenberger
fbd912c6a2 Accepting request 329472 from security
1

OBS-URL: https://build.opensuse.org/request/show/329472
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=40
2015-09-08 15:44:47 +00:00
Johannes Weberhofer
de2609fc73 Accepting request 329471 from home:weberho:branches:security
patches are no longer included conditionally

OBS-URL: https://build.opensuse.org/request/show/329471
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=63
2015-09-07 09:49:02 +00:00