Fail2Ban 0.8.3-18 rebuild for EPEL

.cvsignore

@@ -1 +1 @@
-fail2ban-0.6.2.tar.bz2
+fail2ban-0.8.3.tar.bz2

0001-BF-anchoring-regex-for-IP-with-at-the-end.patch

@@ -0,0 +1,30 @@
+From a8f963a2803acef984c66cd1910631eb06363ac1 Mon Sep 17 00:00:00 2001
+From: Yaroslav Halchenko <debian@onerussian.com>
+Date: Wed, 4 Feb 2009 15:38:11 -0500
+Subject: [PATCH] BF: anchoring regex for IP with " *$" at the end
+
+to forbid matching IP encoded in the hostname prior doing actual DNS
+lookup.
+
+It is quite important and actually security hazard: DoS is easy to
+perform...
+---
+ server/filter.py |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/server/filter.py b/server/filter.py
+index 457bb03..77042ad 100644
+--- a/server/filter.py
++++ b/server/filter.py
+@@ -492,7 +492,7 @@ import socket, struct
+ 
+ class DNSUtils:
+ 	
+-	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
++	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")
+ 	
+ 	#@staticmethod
+ 	def dnsToIp(dns):
+-- 
+1.5.6.5
+

fail2ban-0.6.2-init.patch

@@ -1,34 +0,0 @@
---- fail2ban-0.6.2/config/redhat-initd.init	2006-12-29 00:46:19.000000000 +0100
-+++ fail2ban-0.6.2/config/redhat-initd	2006-12-29 00:46:54.000000000 +0100
-@@ -2,7 +2,7 @@
- #
- # fail2ban
- #
--# chkconfig: 345 91 9
-+# chkconfig: - 91 9
- # description: if many unsuccessfull login attempts from some ip address \
- #              during a short period happen, this address is banned \
- #              by the firewall
-@@ -31,14 +31,17 @@
-     "${FAIL2BAN}" -b > /dev/null
-     RETVAL=$?
-     echo
-+    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/fail2ban
-+    return $RETVAL
- }
- 
- stop() {
--    if [ -f "${PIDFILE}" ]; then
--	echo -n $"Stopping fail2ban: "
--	"${FAIL2BAN}" -k > /dev/null
--	echo
--    fi
-+    echo -n $"Stopping fail2ban: "
-+    "${FAIL2BAN}" -k > /dev/null
-+    RETVAL=$?
-+    echo
-+    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/fail2ban
-+    return $RETVAL
- }
- 
- restart() {

fail2ban-0.8.1-sshd.patch

@@ -0,0 +1,17 @@
+--- fail2ban-0.8.1/config/jail.conf.sshd	2007-08-09 00:49:59.000000000 +0200
++++ fail2ban-0.8.1/config/jail.conf	2007-08-15 21:41:33.000000000 +0200
+@@ -42,11 +42,11 @@
+ 
+ [ssh-iptables]
+ 
+-enabled  = false
++enabled  = true
+ filter   = sshd
+ action   = iptables[name=SSH, port=ssh, protocol=tcp]
+-           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
+-logpath  = /var/log/sshd.log
++           sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
++logpath  = /var/log/secure
+ maxretry = 5
+ 
+ [proftpd-iptables]

fail2ban-0.8.2-fd_cloexec.patch

@@ -0,0 +1,22 @@
+--- fail2ban-0.8.2/server/filter.py.orig	2008-03-27 16:26:59.000000000 +0000
++++ fail2ban-0.8.2/server/filter.py	2008-03-27 15:29:48.000000000 +0000
+@@ -428,6 +428,7 @@
+ # is computed and compared to the previous hash of this line.
+ 
+ import md5
++import fcntl
+ 
+ class FileContainer:
+ 	
+@@ -455,6 +456,11 @@
+ 	
+ 	def open(self):
+ 		self.__handler = open(self.__filename)
++
++		# Set the file descriptor to be FD_CLOEXEC
++		fd = self.__handler.fileno()
++		fcntl.fcntl (self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
++
+ 		firstLine = self.__handler.readline()
+ 		# Computes the MD5 of the first line.
+ 		myHash = md5.new(firstLine).digest()

fail2ban-0.8.3-init.patch

@@ -0,0 +1,20 @@
+--- fail2ban-0.8.3/files/redhat-initd.init	2008-03-10 23:36:22.000000000 +0100
++++ fail2ban-0.8.3/files/redhat-initd	2008-08-24 20:46:01.000000000 +0200
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ #
+-# chkconfig: 345 92 08
++# chkconfig: - 92 08
+ # description: Fail2ban daemon
+ #              http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
+ # process name: fail2ban-server
+@@ -27,8 +27,7 @@
+     echo -n $"Starting fail2ban: "
+     getpid
+     if [ -z "$pid" ]; then
+-	rm -rf /var/run/fail2ban/fail2ban.sock # in case of unclean shutdown
+-        $FAIL2BAN start > /dev/null
++        $FAIL2BAN -x start > /dev/null
+         RETVAL=$?
+     fi
+     if [ $RETVAL -eq 0 ]; then

fail2ban-logrotate

@@ -0,0 +1,9 @@
+/var/log/fail2ban.log {
+    missingok
+    notifempty
+    size 30k
+    create 0600 root root
+    postrotate
+        /usr/bin/fail2ban-client reload 2> /dev/null || true
+    endscript
+}

fail2ban.spec

@@ -1,16 +1,24 @@
+# Not defined in Fedora's buildsystem
+%global _initdir %{_sysconfdir}/rc.d/init.d
+
 Summary: Ban IPs that make too many password failures
 Name: fail2ban
-Version: 0.6.2
-Release: 3%{?dist}
-License: GPL
+Version: 0.8.3
+Release: 18%{?dist}
+License: GPLv2+
 Group: System Environment/Daemons
 URL: http://fail2ban.sourceforge.net/
 Source0: http://prdownloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
-Patch0: fail2ban-0.6.2-init.patch
+Source1: fail2ban-logrotate
+Patch0: fail2ban-0.8.3-init.patch
+Patch1: fail2ban-0.8.1-sshd.patch
+#Patch2: fail2ban-0.8.1-sock.patch
+Patch3: fail2ban-0.8.2-fd_cloexec.patch
+Patch4: 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-BuildRequires: python-devel >= 2.3, dos2unix
+BuildRequires: python-devel >= 2.3
 BuildArch: noarch
-Requires: iptables, tcp_wrappers, shorewall
+Requires: iptables, tcp_wrappers, shorewall, gamin-python
 Requires(post): /sbin/chkconfig
 Requires(preun): /sbin/chkconfig
 Requires(preun): /sbin/service
@@ -22,10 +30,11 @@ failures. It updates firewall rules to reject the IP address.
 
 %prep
 %setup -q
-grep -rl /usr/lib/fail2ban . \
-  | xargs sed -i -e's,/usr/lib/fail2ban,%{_datadir}/fail2ban,g'
-dos2unix config/redhat-initd
 %patch0 -p1 -b .init
+%patch1 -p1 -b .sshd
+#patch2 -p1 -b .sock
+%patch3 -p1 -b .fd_cloexec
+%patch4 -p1 -b .CVE-2009-0362
 
 %build
 python setup.py build
@@ -33,13 +42,14 @@ python setup.py build
 %install
 rm -rf %{buildroot}
 python setup.py install -O1 --root %{buildroot}
-mkdir -p %{buildroot}%{_initrddir}
-install -p -m 755 config/redhat-initd %{buildroot}%{_initrddir}/fail2ban
-mkdir -p %{buildroot}%{_sysconfdir}
-install -p -m 644 config/fail2ban.conf.iptables %{buildroot}%{_sysconfdir}/fail2ban.conf
-mkdir -p %{buildroot}%{_mandir}/man{8,5}
-install -p -m 644 man/fail2ban.8 %{buildroot}%{_mandir}/man8
-install -p -m 644 man/fail2ban.conf.5 %{buildroot}%{_mandir}/man5
+mkdir -p %{buildroot}%{_initdir}
+install -p -m 755 files/redhat-initd %{buildroot}%{_initdir}/fail2ban
+mkdir -p %{buildroot}%{_mandir}/man1
+install -p -m 644 man/fail2ban*.1 %{buildroot}%{_mandir}/man1
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
+mkdir -p %{buildroot}%{_localstatedir}/run/fail2ban
+chmod 0755 %{buildroot}%{_localstatedir}/run/fail2ban
 
 %clean
 rm -rf %{buildroot}
@@ -55,18 +65,77 @@ fi
 
 %files
 %defattr(-,root,root,-)
-%doc README TODO CHANGELOG
-%doc config/fail2ban.conf*
-%config(noreplace) %{_sysconfdir}/fail2ban.conf
-%{_bindir}/fail2ban
+%doc README TODO ChangeLog COPYING
+#doc config/fail2ban.conf*
+%{_bindir}/fail2ban-server
+%{_bindir}/fail2ban-client
+%{_bindir}/fail2ban-regex
 %{_datadir}/fail2ban
-%{_initrddir}/fail2ban
-%{_mandir}/man8/fail2ban.8*
-%{_mandir}/man5/fail2ban.conf.5*
+%{_initdir}/fail2ban
+%{_mandir}/man1/fail2ban-*.1*
+%dir %{_sysconfdir}/fail2ban
+%dir %{_sysconfdir}/fail2ban/action.d
+%dir %{_sysconfdir}/fail2ban/filter.d
+%config(noreplace) %{_sysconfdir}/fail2ban/fail2ban.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/jail.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
+%dir %{_localstatedir}/run/fail2ban
 
 %changelog
-* Thu Jan 29 2009 Adam Miller <maxamillion [AT] gmail.com - 0.6.2-3
-- Rebuild for EPEL - EL5
+* Mon Mar 04 2009 Adam Miller <maxamillion [AT] gmail.com> - 0.8.3-18
+- Rebuild For EPEL
+
+* Sat Feb 14 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-18
+- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466).
+
+* Mon Dec 01 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 0.8.3-17
+- Rebuild for Python 2.6
+
+* Sun Aug 24 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-16
+- Update to 0.8.3.
+
+* Wed May 21 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.8.2-15
+- fix license tag
+
+* Thu Mar 27 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-14
+- Close on exec fixes by Jonathan Underwood.
+
+* Sun Mar 16 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-13
+- Add %%{_localstatedir}/run/fail2ban (David Rees).
+
+* Fri Mar 14 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-12
+- Update to 0.8.2.
+
+* Thu Jan 31 2008 Jonathan G. Underwood <jonathan.underwood@gmail.com> - 0.8.1-11
+- Move socket file from /tmp to /var/run to prevent SElinux from stopping
+  fail2ban from starting (BZ #429281)
+- Change logic in init file to start with -x to remove the socket file in case
+  of unclean shutdown
+
+* Wed Aug 15 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.1-10
+- Update to 0.8.1.
+- Remove patch fixing CVE-2007-4321 (upstream).
+- Remove AllowUsers patch (upstream).
+- Add dependency to gamin-python.
+
+* Thu Jun 21 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-9
+- Fix remote log injection (no CVE assignment yet).
+
+* Sun Jun  3 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-8
+- Also trigger on non-AllowUsers failures (Jonathan Underwood
+  <jonathan.underwood@gmail.com>).
+
+* Wed May 23 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-7
+- logrotate should restart fail2ban (Zing <zing@fastmail.fm>).
+- send mail to root; logrotate (Jonathan Underwood
+  <jonathan.underwood@gmail.com>)
+
+* Sat May 19 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-4
+- Update to 0.8.0.
+- enable ssh by default, fix log file for ssh scanning, adjust python
+  dependency (Jonathan Underwood <jonathan.underwood@gmail.com>)
 
 * Sat Dec 30 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-3
 - Remove forgotten condrestart.

import.log

@@ -0,0 +1 @@
+fail2ban-0_8_3-18:EL-5:fail2ban-0.8.3-18.src.rpm:1241465071

sources

@@ -1 +1 @@
-7c686e610f0ad7678688a1bb2cd913da  fail2ban-0.6.2.tar.bz2
+b438d7e2ce77a469fb0cca2a5cc0b81c  fail2ban-0.8.3.tar.bz2