Merge branch 'master' into epel8
This commit is contained in:
Orion Poplawski
commit
3faffef992
2 changed files with 116 additions and 5 deletions
96
2388.patch
Normal file
96
2388.patch
Normal file
|
|
@ -0,0 +1,96 @@
|
|||
From 9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 Mon Sep 17 00:00:00 2001
|
||||
From: Amir Caspi <cepheid666@users.noreply.github.com>
|
||||
Date: Fri, 29 Mar 2019 17:38:30 -0600
|
||||
Subject: [PATCH 1/7] Update sendmail-reject
|
||||
|
||||
Added loglines to show TLSMTA and MSA port IDs (RHEL/CentOS sendmail default for ports 465 and 587, respectively)
|
||||
---
|
||||
fail2ban/tests/files/logs/sendmail-reject | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
|
||||
index 44f8eb92f..a76cbf4b6 100644
|
||||
--- a/fail2ban/tests/files/logs/sendmail-reject
|
||||
+++ b/fail2ban/tests/files/logs/sendmail-reject
|
||||
@@ -95,3 +95,8 @@ Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=<anton@domain.co
|
||||
Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example.org [192.0.2.194] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
|
||||
# failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" }
|
||||
Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4
|
||||
+
|
||||
+# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
|
||||
+Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
|
||||
+# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
|
||||
+Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
|
||||
|
||||
From ffd5d0db78af01afcdf7a2c615dc26b8558ad8f1 Mon Sep 17 00:00:00 2001
|
||||
From: Amir Caspi <cepheid666@users.noreply.github.com>
|
||||
Date: Fri, 29 Mar 2019 17:39:27 -0600
|
||||
Subject: [PATCH 2/7] Update sendmail-reject.conf
|
||||
|
||||
On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in https://github.com/fail2ban/fail2ban/commit/9e1fa4ff73a1566ae0c381930b6eaae9880b0f29
|
||||
---
|
||||
config/filter.d/sendmail-reject.conf | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
|
||||
index 985eac8b1..dd58f3e75 100644
|
||||
--- a/config/filter.d/sendmail-reject.conf
|
||||
+++ b/config/filter.d/sendmail-reject.conf
|
||||
@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IP
|
||||
|
||||
mdre-normal =
|
||||
|
||||
-mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$
|
||||
+mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$
|
||||
|
||||
mdre-aggressive = %(mdre-extra)s
|
||||
|
||||
|
||||
From 76816285e886eee0a53ba5c64c50101fbd87a760 Mon Sep 17 00:00:00 2001
|
||||
From: Amir Caspi <cepheid666@users.noreply.github.com>
|
||||
Date: Fri, 29 Mar 2019 18:21:47 -0600
|
||||
Subject: [PATCH 5/7] Update sendmail-reject
|
||||
|
||||
Fixing timestamps to 2005 (oops)
|
||||
---
|
||||
fail2ban/tests/files/logs/sendmail-reject | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
|
||||
index a76cbf4b6..b6911c4df 100644
|
||||
--- a/fail2ban/tests/files/logs/sendmail-reject
|
||||
+++ b/fail2ban/tests/files/logs/sendmail-reject
|
||||
@@ -96,7 +96,7 @@ Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example
|
||||
# failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" }
|
||||
Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4
|
||||
|
||||
-# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
|
||||
+# failJSON: { "time": "2005-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
|
||||
Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
|
||||
-# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
|
||||
+# failJSON: { "time": "2005-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
|
||||
Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
|
||||
|
||||
From 6c7093c66dce9f695cde24149a78650868083617 Mon Sep 17 00:00:00 2001
|
||||
From: "Sergey G. Brester" <github@sebres.de>
|
||||
Date: Thu, 4 Apr 2019 02:28:50 +0200
|
||||
Subject: [PATCH 6/7] minor amend, refolding branches (SP|SA -> S[PA])
|
||||
|
||||
---
|
||||
config/filter.d/sendmail-reject.conf | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
|
||||
index dd58f3e75..e6814a00c 100644
|
||||
--- a/config/filter.d/sendmail-reject.conf
|
||||
+++ b/config/filter.d/sendmail-reject.conf
|
||||
@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IP
|
||||
|
||||
mdre-normal =
|
||||
|
||||
-mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$
|
||||
+mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$
|
||||
|
||||
mdre-aggressive = %(mdre-extra)s
|
||||
|
||||
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Daemon to ban hosts that cause multiple authentication errors
|
||||
Name: fail2ban
|
||||
Version: 0.10.4
|
||||
Release: 5%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: GPLv2+
|
||||
URL: http://fail2ban.sourceforge.net/
|
||||
Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||
|
|
@ -9,7 +9,10 @@ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%
|
|||
# Give up being PartOf iptables and ipset for now
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1379141
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1573185
|
||||
Patch2: fail2ban-partof.patch
|
||||
Patch0: fail2ban-partof.patch
|
||||
# Update sendmail-reject with TLSMTA & MSA port IDs
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1722625
|
||||
Patch1: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2388.patch
|
||||
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: /usr/bin/2to3
|
||||
|
|
@ -153,8 +156,7 @@ by default.
|
|||
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch2 -p1 -b .partof
|
||||
%autosetup -p1
|
||||
# Use Fedora paths
|
||||
sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
|
||||
2to3 --write --nobackups .
|
||||
|
|
@ -187,13 +189,16 @@ install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail
|
|||
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
|
||||
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
|
||||
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf
|
||||
# Remove config files for other distros
|
||||
rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf
|
||||
# firewalld configuration
|
||||
cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <<EOF
|
||||
# This file is part of the fail2ban-firewalld package to configure the use of
|
||||
# the firewalld actions as the default actions. You can remove this package
|
||||
# (along with the empty fail2ban meta-package) if you do not use firewalld
|
||||
[DEFAULT]
|
||||
banaction = firewallcmd-ipset
|
||||
banaction = firewallcmd-ipset[actiontype=<multiport>]
|
||||
banaction_allports = firewallcmd-ipset[actiontype=<allports>]
|
||||
EOF
|
||||
# systemd journal configuration
|
||||
cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
|
||||
|
|
@ -294,6 +299,16 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Nov 21 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-8
|
||||
- Define banaction_allports for firewalld, update banaction (bz#1775175)
|
||||
- Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625)
|
||||
|
||||
* Thu Oct 31 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-7
|
||||
- Remove config files for other distros (bz#1533113)
|
||||
|
||||
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.10.4-6
|
||||
- Rebuilt for Python 3.8.0rc1 (#1748018)
|
||||
|
||||
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.10.4-5
|
||||
- Rebuilt for Python 3.8
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue