forked from pool/fail2ban
346c68ba29
- Updated to version 0.10.1. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog - Removed 607568f.patch and 1783.patch - New features: * IPv6 support - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6 - iptables related actions have been amended to support IPv6 specific actions additionally - hostsdeny and route actions have been tested to be aware of v4 and v6 already - pf action for *BSD systems has been improved and supports now also v4 and v6 - name resolution is now working for either address type - new conditional section functionality used in config resp. includes: - [Init?family=inet4] - IPv4 qualified hosts only - [Init?family=inet6] - IPv6 qualified hosts only * Reporting via abuseipdb.com - Bans can now be reported to abuseipdb - Catagories must be set in the config - Relevant log lines included in report * Several commands extended and new commands introduced * Implemented execution of `actionstart` on demand * nftables actions are IPv6-capable now * Introduced new filter option `prefregex` for pre-filtering using single regular expression * Many times faster because of several optimizations * Several filters optimized * Introduced new jail option "ignoreself" - Lots of fixes and internal improvements - Incompatibitilities: * Filter (or `failregex`) internal capture-groups: - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings). Of course you can always your own capture-group (like below `_cond_ip_`) to do this. ``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$" ``` - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`). * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some user configurations resp. `datepattern`. * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are IPv6-capable now. OBS-URL: https://build.opensuse.org/request/show/536273 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=83
325 lines
10 KiB
RPMSpec
325 lines
10 KiB
RPMSpec
#
|
|
# spec file for package fail2ban
|
|
#
|
|
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
|
|
Name: fail2ban
|
|
Version: 0.10.1
|
|
Release: 0
|
|
Summary: Bans IP addresses that make too many authentication failures
|
|
License: GPL-2.0+
|
|
Group: Productivity/Networking/Security
|
|
Url: http://www.fail2ban.org/
|
|
Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
|
Source2: %{name}.sysconfig
|
|
Source3: %{name}.logrotate
|
|
Source5: %{name}.tmpfiles
|
|
Source6: sfw-fail2ban.conf
|
|
Source7: f2b-restart.conf
|
|
# Path definitions have been submitted to upstream
|
|
Source8: paths-opensuse.conf
|
|
# ignore some rpm-lint messages
|
|
Source200: %{name}-rpmlintrc
|
|
# PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles
|
|
Patch100: %{name}-opensuse-locations.patch
|
|
# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
|
|
Patch101: %{name}-opensuse-service.patch
|
|
# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
|
|
Patch200: %{name}-disable-iptables-w-option.patch
|
|
BuildRequires: fdupes
|
|
BuildRequires: logrotate
|
|
BuildRequires: python-devel
|
|
# timezone package is required to run the tests
|
|
BuildRequires: timezone
|
|
Requires: cron
|
|
Requires: ed
|
|
Requires: iptables
|
|
Requires: logrotate
|
|
Requires: python >= 2.6
|
|
Requires: whois
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
%if 0%{?suse_version} != 1110
|
|
BuildArch: noarch
|
|
%endif
|
|
%if 0%{?suse_version} >= 1230
|
|
# systemd
|
|
BuildRequires: python-systemd
|
|
BuildRequires: systemd
|
|
Requires: python-systemd
|
|
Requires: systemd > 204
|
|
%{?systemd_requires}
|
|
%else
|
|
# no systemd (the init-script requires lsof)
|
|
Requires: lsof
|
|
Requires: syslog
|
|
%endif
|
|
%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
|
|
BuildRequires: python-pyinotify >= 0.8.3
|
|
Requires: python-pyinotify >= 0.8.3
|
|
%endif
|
|
%if 0%{?suse_version} >= 1220
|
|
Requires: python-gamin >= 0.0.21
|
|
%endif
|
|
|
|
%description
|
|
Fail2ban scans log files like %{_localstatedir}/log/messages and bans IP
|
|
addresses that makes too many password failures. It updates firewall rules to
|
|
reject the IP address, can send e-mails, or set host.deny entries. These rules
|
|
can be defined by the user. Fail2Ban can read multiple log files such as sshd
|
|
or Apache web server ones.
|
|
|
|
%package -n SuSEfirewall2-%{name}
|
|
Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd
|
|
Group: Productivity/Networking/Security
|
|
Requires: SuSEfirewall2
|
|
Requires: fail2ban
|
|
Recommends: packageand(SuSEfirewall2:fail2ban)
|
|
|
|
%description -n SuSEfirewall2-%{name}
|
|
This package ships systemd files which will cause fail2ban to be ordered in
|
|
relation to SuSEfirewall2 such that the two can be run concurrently within
|
|
reason, i.e. SFW will always run first because it does a table flush.
|
|
|
|
%package -n monitoring-plugins-%{name}
|
|
%define nagios_plugindir %{_libexecdir}/nagios/plugins
|
|
Summary: Check fail2ban server and how many IPs are currently banned
|
|
Group: System/Monitoring
|
|
Provides: nagios-plugins-%{name} = %{version}
|
|
Obsoletes: nagios-plugins-%{name} < %{version}
|
|
|
|
%description -n monitoring-plugins-%{name}
|
|
This plugin checks if the fail2ban server is running and how many IPs are
|
|
currently banned. You can use this plugin to monitor all the jails or just a
|
|
specific jail.
|
|
|
|
How to use
|
|
----------
|
|
Just have to run the following command:
|
|
$ ./check_fail2ban --help
|
|
|
|
%prep
|
|
%setup -q
|
|
install -m644 %{SOURCE8} config/paths-opensuse.conf
|
|
|
|
# Use openSUSE paths
|
|
sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
|
|
|
|
# Remove shebang
|
|
sed -i -e '/^#!\/usr\/bin\/python$/d' fail2ban/client/fail2banregex.py
|
|
|
|
%patch100
|
|
%patch101 -p1
|
|
%if 0%{?suse_version} < 1310
|
|
%patch200 -p1
|
|
%endif
|
|
|
|
rm config/paths-arch.conf \
|
|
config/paths-debian.conf \
|
|
config/paths-fedora.conf \
|
|
config/paths-freebsd.conf \
|
|
config/paths-osx.conf
|
|
|
|
# correct doc-path
|
|
sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py
|
|
|
|
# remove syslogd-logger settings for older distributions
|
|
%if 0%{?suse_version} < 1230
|
|
sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf
|
|
%endif
|
|
|
|
%build
|
|
export CFLAGS="%{optflags}"
|
|
python setup.py build
|
|
gzip man/*.{1,5}
|
|
|
|
%install
|
|
python setup.py install \
|
|
--root=%{buildroot} \
|
|
--prefix=%{_prefix}
|
|
|
|
install -d -m 755 %{buildroot}%{_mandir}/man{1,5}
|
|
install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
|
|
install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
|
|
|
|
install -d -m 755 %{buildroot}%{_initddir}
|
|
install -d -m 755 %{buildroot}%{_sbindir}
|
|
|
|
%if 0%{?suse_version} > 1310
|
|
# use /run directory
|
|
install -d -m 755 %{buildroot}/run
|
|
touch %{buildroot}/run/%{name}
|
|
%else
|
|
#use /var/run directory
|
|
install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name}
|
|
%endif
|
|
|
|
%if 0%{?suse_version} >= 1230
|
|
# systemd
|
|
install -d -m 755 %{buildroot}%{_unitdir}
|
|
install -p -m 644 files/%{name}.service.in %{buildroot}%{_unitdir}/%{name}.service
|
|
|
|
install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/
|
|
install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
|
|
|
|
ln -sf service %{buildroot}%{_sbindir}/rc%{name}
|
|
|
|
%else
|
|
# without systemd
|
|
install -d -m 755 %{buildroot}%{_initddir}
|
|
install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name}
|
|
ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
|
|
%endif
|
|
|
|
echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local
|
|
|
|
install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/
|
|
|
|
install -d -m 755 %{buildroot}%{_localstatedir}/adm/fillup-templates
|
|
install -p -m 644 %{SOURCE2} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
|
|
|
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
|
|
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
|
|
|
%if 0%{?_unitdir:1}
|
|
install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
|
|
"%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf"
|
|
install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
|
|
"%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
|
|
%endif
|
|
install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}
|
|
|
|
# install docs using the macro
|
|
rm -r %{buildroot}%{_docdir}/%{name}
|
|
|
|
# remove duplicates
|
|
%fdupes -s %{buildroot}%{python_sitelib}
|
|
|
|
%check
|
|
#stat /dev/log
|
|
#python -c "import platform; print(platform.system())"
|
|
# tests require python-pyinotify to be installed, so don't run them on older versions
|
|
%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
|
|
# Need a UTF-8 locale to work
|
|
export LANG=en_US.UTF-8
|
|
./fail2ban-testcases-all --no-network || true
|
|
%endif
|
|
|
|
%pre
|
|
%if 0%{?suse_version} >= 1230
|
|
%service_add_pre %{name}.service
|
|
%endif
|
|
|
|
%post
|
|
%fillup_only
|
|
%if 0%{?suse_version} >= 1230
|
|
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
|
|
# The next line is not workin in Leap 42.1, so keep the old way
|
|
#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf
|
|
%service_add_post %{name}.service
|
|
%endif
|
|
|
|
%preun
|
|
%if 0%{?suse_version} >= 1230
|
|
%service_del_preun %{name}.service
|
|
%else
|
|
%stop_on_removal %{name}
|
|
%endif
|
|
|
|
%postun
|
|
%if 0%{?suse_version} >= 1230
|
|
%service_del_postun %{name}.service
|
|
%else
|
|
%restart_on_update %{name}
|
|
%insserv_cleanup
|
|
%endif
|
|
|
|
%if 0%{?_unitdir:1}
|
|
%post -n SuSEfirewall2-%{name}
|
|
%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
|
|
|
|
%postun -n SuSEfirewall2-%{name}
|
|
%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
|
|
%endif
|
|
|
|
%files
|
|
%defattr(-, root, root)
|
|
%dir %{_sysconfdir}/%{name}
|
|
%dir %{_sysconfdir}/%{name}/action.d
|
|
%dir %{_sysconfdir}/%{name}/%{name}.d
|
|
%dir %{_sysconfdir}/%{name}/filter.d
|
|
%dir %{_sysconfdir}/%{name}/jail.d
|
|
#
|
|
%config %{_sysconfdir}/%{name}/action.d/*
|
|
%config %{_sysconfdir}/%{name}/filter.d/*
|
|
#
|
|
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
|
|
%config %{_sysconfdir}/%{name}/jail.conf
|
|
%config %{_sysconfdir}/%{name}/paths-common.conf
|
|
%config %{_sysconfdir}/%{name}/paths-opensuse.conf
|
|
#
|
|
%config(noreplace) %{_sysconfdir}/%{name}/jail.local
|
|
#
|
|
%config %{_sysconfdir}/logrotate.d/%{name}
|
|
%dir %{_localstatedir}/lib/%{name}/
|
|
%if 0%{?suse_version} > 1310
|
|
# use /run directory
|
|
%ghost /run/%{name}
|
|
%else
|
|
# use /var/run directory
|
|
%dir %ghost %{_localstatedir}/run/%{name}
|
|
%endif
|
|
%if 0%{?suse_version} >= 1230
|
|
# systemd
|
|
%{_unitdir}/%{name}.service
|
|
%{_tmpfilesdir}/%{name}.conf
|
|
%else
|
|
# without-systemd
|
|
%{_initddir}/%{name}
|
|
%endif
|
|
%{_sbindir}/rc%{name}
|
|
%{_bindir}/%{name}-server
|
|
%{_bindir}/%{name}-client
|
|
%{_bindir}/%{name}-python
|
|
%{_bindir}/%{name}-regex
|
|
%{python_sitelib}/%{name}
|
|
%exclude %{python_sitelib}/%{name}/tests
|
|
%{python_sitelib}/%{name}-*
|
|
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
|
|
%{_mandir}/man1/*
|
|
%{_mandir}/man5/*
|
|
%doc README.md TODO ChangeLog COPYING doc/*.txt
|
|
|
|
# do not include tests as they are executed during the build process
|
|
%exclude %{_bindir}/%{name}-testcases
|
|
%exclude %{python_sitelib}/%{name}/tests
|
|
|
|
%if 0%{?_unitdir:1}
|
|
%files -n SuSEfirewall2-%{name}
|
|
%defattr(-,root,root)
|
|
%{_unitdir}/SuSEfirewall2.service.d
|
|
%{_unitdir}/%{name}.service.d
|
|
%endif
|
|
|
|
%files -n monitoring-plugins-%{name}
|
|
%defattr(-,root,root)
|
|
%doc files/nagios/README COPYING
|
|
%dir %{_libexecdir}/nagios
|
|
%dir %{nagios_plugindir}
|
|
%{nagios_plugindir}/check_%{name}
|
|
|
|
%changelog
|