From 9d196c3abdf8d200f5553e3cfbd3f88103fffde3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Thu, 3 Oct 2019 13:53:06 +0200 Subject: [PATCH 1/3] Rebuilt for Python 3.8.0rc1 (#1748018) --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index ab7a668..9603820 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.10.4 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -294,6 +294,9 @@ fi %changelog +* Thu Oct 03 2019 Miro Hrončok - 0.10.4-6 +- Rebuilt for Python 3.8.0rc1 (#1748018) + * Mon Aug 19 2019 Miro Hrončok - 0.10.4-5 - Rebuilt for Python 3.8 From 965cbc4d23b52b73d3d0b4767b3805138e686618 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Thu, 31 Oct 2019 19:12:07 -0600 Subject: [PATCH 2/3] Remove config files for other distros (bz#1533113) --- fail2ban.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 9603820..56dce2d 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.10.4 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -187,6 +187,8 @@ install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf +# Remove config files for other distros +rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf # firewalld configuration cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf < - 0.10.4-7 +- Remove config files for other distros (bz#1533113) + * Thu Oct 03 2019 Miro Hrončok - 0.10.4-6 - Rebuilt for Python 3.8.0rc1 (#1748018) From b9fa37fab61b8b9407a4ccc9731a565a1784408e Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Thu, 21 Nov 2019 23:03:55 -0700 Subject: [PATCH 3/3] Define banaction_allports for firewalld, update banaction (bz#1775175) Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625) --- 2388.patch | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++ fail2ban.spec | 17 ++++++--- 2 files changed, 108 insertions(+), 5 deletions(-) create mode 100644 2388.patch diff --git a/2388.patch b/2388.patch new file mode 100644 index 0000000..d391969 --- /dev/null +++ b/2388.patch @@ -0,0 +1,96 @@ +From 9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 Mon Sep 17 00:00:00 2001 +From: Amir Caspi +Date: Fri, 29 Mar 2019 17:38:30 -0600 +Subject: [PATCH 1/7] Update sendmail-reject + +Added loglines to show TLSMTA and MSA port IDs (RHEL/CentOS sendmail default for ports 465 and 587, respectively) +--- + fail2ban/tests/files/logs/sendmail-reject | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject +index 44f8eb92f..a76cbf4b6 100644 +--- a/fail2ban/tests/files/logs/sendmail-reject ++++ b/fail2ban/tests/files/logs/sendmail-reject +@@ -95,3 +95,8 @@ Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from= +Date: Fri, 29 Mar 2019 17:39:27 -0600 +Subject: [PATCH 2/7] Update sendmail-reject.conf + +On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in https://github.com/fail2ban/fail2ban/commit/9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 +--- + config/filter.d/sendmail-reject.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf +index 985eac8b1..dd58f3e75 100644 +--- a/config/filter.d/sendmail-reject.conf ++++ b/config/filter.d/sendmail-reject.conf +@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[(?:IP + + mdre-normal = + +-mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$ ++mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$ + + mdre-aggressive = %(mdre-extra)s + + +From 76816285e886eee0a53ba5c64c50101fbd87a760 Mon Sep 17 00:00:00 2001 +From: Amir Caspi +Date: Fri, 29 Mar 2019 18:21:47 -0600 +Subject: [PATCH 5/7] Update sendmail-reject + +Fixing timestamps to 2005 (oops) +--- + fail2ban/tests/files/logs/sendmail-reject | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject +index a76cbf4b6..b6911c4df 100644 +--- a/fail2ban/tests/files/logs/sendmail-reject ++++ b/fail2ban/tests/files/logs/sendmail-reject +@@ -96,7 +96,7 @@ Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example + # failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" } + Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4 + +-# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" } ++# failJSON: { "time": "2005-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" } + Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA +-# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" } ++# failJSON: { "time": "2005-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" } + Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA + +From 6c7093c66dce9f695cde24149a78650868083617 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Thu, 4 Apr 2019 02:28:50 +0200 +Subject: [PATCH 6/7] minor amend, refolding branches (SP|SA -> S[PA]) + +--- + config/filter.d/sendmail-reject.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf +index dd58f3e75..e6814a00c 100644 +--- a/config/filter.d/sendmail-reject.conf ++++ b/config/filter.d/sendmail-reject.conf +@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[(?:IP + + mdre-normal = + +-mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$ ++mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$ + + mdre-aggressive = %(mdre-extra)s + + diff --git a/fail2ban.spec b/fail2ban.spec index 56dce2d..eeb11ec 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.10.4 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -9,7 +9,10 @@ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-% # Give up being PartOf iptables and ipset for now # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 -Patch2: fail2ban-partof.patch +Patch0: fail2ban-partof.patch +# Update sendmail-reject with TLSMTA & MSA port IDs +# https://bugzilla.redhat.com/show_bug.cgi?id=1722625 +Patch1: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2388.patch BuildRequires: python3-devel BuildRequires: /usr/bin/2to3 @@ -153,8 +156,7 @@ by default. %prep -%setup -q -%patch2 -p1 -b .partof +%autosetup -p1 # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf 2to3 --write --nobackups . @@ -195,7 +197,8 @@ cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <] +banaction_allports = firewallcmd-ipset[actiontype=] EOF # systemd journal configuration cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf < - 0.10.4-8 +- Define banaction_allports for firewalld, update banaction (bz#1775175) +- Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625) + * Thu Oct 31 2019 Orion Poplawski - 0.10.4-7 - Remove config files for other distros (bz#1533113)