From 4bf9d50abba95c0763f89b41f66ea1ad689f8bac Mon Sep 17 00:00:00 2001
From: Adam Miller
Date: Mon, 4 May 2009 19:25:06 +0000
Subject: [PATCH] Fail2Ban 0.8.3-18 rebuild for EPEL
---
.cvsignore | 2 +-
...choring-regex-for-IP-with-at-the-end.patch | 30 +++++
fail2ban-0.6.2-init.patch | 34 -----
fail2ban-0.8.1-sshd.patch | 17 +++
fail2ban-0.8.2-fd_cloexec.patch | 22 ++++
fail2ban-0.8.3-init.patch | 20 +++
fail2ban-logrotate | 9 ++
fail2ban.spec | 119 ++++++++++++++----
import.log | 1 +
sources | 2 +-
10 files changed, 195 insertions(+), 61 deletions(-)
create mode 100644 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
delete mode 100644 fail2ban-0.6.2-init.patch
create mode 100644 fail2ban-0.8.1-sshd.patch
create mode 100644 fail2ban-0.8.2-fd_cloexec.patch
create mode 100644 fail2ban-0.8.3-init.patch
create mode 100644 fail2ban-logrotate
create mode 100644 import.log
diff --git a/.cvsignore b/.cvsignore
index a075c08..11d4817 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-fail2ban-0.6.2.tar.bz2
+fail2ban-0.8.3.tar.bz2
diff --git a/0001-BF-anchoring-regex-for-IP-with-at-the-end.patch b/0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
new file mode 100644
index 0000000..5097acb
--- /dev/null
+++ b/0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
@@ -0,0 +1,30 @@
+From a8f963a2803acef984c66cd1910631eb06363ac1 Mon Sep 17 00:00:00 2001
+From: Yaroslav Halchenko
+Date: Wed, 4 Feb 2009 15:38:11 -0500
+Subject: [PATCH] BF: anchoring regex for IP with " *$" at the end
+
+to forbid matching IP encoded in the hostname prior doing actual DNS
+lookup.
+
+It is quite important and actually security hazard: DoS is easy to
+perform...
+---
+ server/filter.py | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/server/filter.py b/server/filter.py
+index 457bb03..77042ad 100644
+--- a/server/filter.py
++++ b/server/filter.py
+@@ -492,7 +492,7 @@ import socket, struct
+
+class DNSUtils:
+
+- IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
++ IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")
+
+ #@staticmethod
+ def dnsToIp(dns):
+--
+1.5.6.5
+
diff --git a/fail2ban-0.6.2-init.patch b/fail2ban-0.6.2-init.patch
deleted file mode 100644
index 5caaa2e..0000000
--- a/fail2ban-0.6.2-init.patch
+++ /dev/null
@@ -1,34 +0,0 @@
---- fail2ban-0.6.2/config/redhat-initd.init 2006-12-29 00:46:19.000000000 +0100
-+++ fail2ban-0.6.2/config/redhat-initd 2006-12-29 00:46:54.000000000 +0100
-@@ -2,7 +2,7 @@
- #
- # fail2ban
- #
--# chkconfig: 345 91 9
-+# chkconfig: - 91 9
- # description: if many unsuccessfull login attempts from some ip address \
- # during a short period happen, this address is banned \
- # by the firewall
-@@ -31,14 +31,17 @@
- "${FAIL2BAN}" -b > /dev/null
- RETVAL=$?
- echo
-+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/fail2ban
-+ return $RETVAL
- }
-
- stop() {
-- if [ -f "${PIDFILE}" ]; then
-- echo -n $"Stopping fail2ban: "
-- "${FAIL2BAN}" -k > /dev/null
-- echo
-- fi
-+ echo -n $"Stopping fail2ban: "
-+ "${FAIL2BAN}" -k > /dev/null
-+ RETVAL=$?
-+ echo
-+ [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/fail2ban
-+ return $RETVAL
- }
-
- restart() {
diff --git a/fail2ban-0.8.1-sshd.patch b/fail2ban-0.8.1-sshd.patch
new file mode 100644
index 0000000..29a768e
--- /dev/null
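Review bot: The new `IP_CRE` in the embedded server/filter.py patch is anchored only at the end and is written as a non-raw string, so whether a hostname that merely ends in a dotted quad is still taken for a literal address depends on every caller using `match()` rather than `search()`; those call sites are outside the hunk. Making both anchors explicit removes that dependency: `IP_CRE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3} *$")`. The pattern also accepts octets above 255, so the matched text is presumably validated again before it reaches the ban action; that should be confirmed in the code that consumes the match. The spec applies this patch with the `.CVE-2009-0362` backup suffix, so a short comment above `IP_CRE` naming that fix would help the next reader see why the anchor must not be relaxed.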
+++ b/fail2ban-0.8.1-sshd.patch
@@ -0,0 +1,17 @@
+--- fail2ban-0.8.1/config/jail.conf.sshd 2007-08-09 00:49:59.000000000 +0200
++++ fail2ban-0.8.1/config/jail.conf 2007-08-15 21:41:33.000000000 +0200
+@@ -42,11 +42,11 @@
+
+ [ssh-iptables]
+
+-enabled = false
++enabled = true
+ filter = sshd
+ action = iptables[name=SSH, port=ssh, protocol=tcp]
+- sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
+-logpath = /var/log/sshd.log
++ sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
++logpath = /var/log/secure
+ maxretry = 5
+
+ [proftpd-iptables]
diff --git a/fail2ban-0.8.2-fd_cloexec.patch b/fail2ban-0.8.2-fd_cloexec.patch
new file mode 100644
index 0000000..5c89f7f
--- /dev/null
+++ b/fail2ban-0.8.2-fd_cloexec.patch
@@ -0,0 +1,22 @@
+--- fail2ban-0.8.2/server/filter.py.orig 2008-03-27 16:26:59.000000000 +0000
++++ fail2ban-0.8.2/server/filter.py 2008-03-27 15:29:48.000000000 +0000
+@@ -428,6 +428,7 @@
+ # is computed and compared to the previous hash of this line.
+
+ import md5
++import fcntl
+
+ class FileContainer:
+
+@@ -455,6 +456,11 @@
+
+ def open(self):
+ self.__handler = open(self.__filename)
++
++ # Set the file descriptor to be FD_CLOEXEC
++ fd = self.__handler.fileno()
++ fcntl.fcntl (self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
++
+ firstLine = self.__handler.readline()
+ # Computes the MD5 of the first line.
+ myHash = md5.new(firstLine).digest()
diff --git a/fail2ban-0.8.3-init.patch b/fail2ban-0.8.3-init.patch
new file mode 100644
index 0000000..3ed8609
--- /dev/null
+++ b/fail2ban-0.8.3-init.patch
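Review bot: The rewritten `sendmail-whois` line in the jail.conf patch keeps `sender=fail2ban@mail.com`, an upstream placeholder at a domain this host does not control, while the same hunk turns the `[ssh-iptables]` jail on by default. Every ban notice to root is therefore sent with that sender, and mail filtering that checks the sender domain may drop or misfile the alert, which costs the admin the signal that the jail fired. A sender local to the host, for example `sender=fail2ban@localhost`, avoids that. The jail section continues outside the hunk.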
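Review bot: In `FileContainer.open` of the fd_cloexec patch, the value OR-ed with `fcntl.FD_CLOEXEC` is `fd`, the descriptor number returned by `fileno()`, not the descriptor's current flags. The close-on-exec bit still ends up set, but the remaining bits handed to `F_SETFD` are just the descriptor number, which is not a meaningful flag word. Read the flags first and reuse `fd`: `flags = fcntl.fcntl(fd, fcntl.F_GETFD)` followed by `fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)`. The added comment could also say why the bit is needed (presumably so the log descriptor is not inherited by the action commands the server spawns; to be confirmed). The method body continues outside the hunk.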
@@ -0,0 +1,20 @@
+--- fail2ban-0.8.3/files/redhat-initd.init 2008-03-10 23:36:22.000000000 +0100
++++ fail2ban-0.8.3/files/redhat-initd 2008-08-24 20:46:01.000000000 +0200
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ #
+-# chkconfig: 345 92 08
++# chkconfig: - 92 08
+ # description: Fail2ban daemon
+ # http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
+ # process name: fail2ban-server
+@@ -27,8 +27,7 @@
+ echo -n $"Starting fail2ban: "
+ getpid
+ if [ -z "$pid" ]; then
+- rm -rf /var/run/fail2ban/fail2ban.sock # in case of unclean shutdown
+- $FAIL2BAN start > /dev/null
++ $FAIL2BAN -x start > /dev/null
+ RETVAL=$?
+ fi
+ if [ $RETVAL -eq 0 ]; then
diff --git a/fail2ban-logrotate b/fail2ban-logrotate
new file mode 100644
index 0000000..851f514
--- /dev/null
+++ b/fail2ban-logrotate
@@ -0,0 +1,9 @@
+/var/log/fail2ban.log {
+ missingok
+ notifempty
+ size 30k
+ create 0600 root root
+ postrotate
+ /usr/bin/fail2ban-client reload 2> /dev/null || true
+ endscript
+}
diff --git a/fail2ban.spec b/fail2ban.spec
index 7982c11..d0d6fb2 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
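Review bot: The fail2ban-logrotate stanza sets no `rotate` count, so how many rotated copies of fail2ban.log are kept depends on the global logrotate defaults, and with `size 30k` a busy host can cycle through them quickly. This log is the record of which addresses were banned and when, so retention is worth pinning in the stanza itself, for example with `rotate 4` (the number is the packager's choice). The `postrotate` line also discards both stderr and the exit status of `fail2ban-client reload`, so a failed reload after rotation goes unnoticed and the server may keep writing to the rotated file. Keeping `|| true` but dropping `2> /dev/null` would surface the error, if the extra output is acceptable when the service is stopped.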
@@ -1,16 +1,24 @@ +# Not defined in Fedora's buildsystem +%global _initdir %{_sysconfdir}/rc.d/init.d + Summary: Ban IPs that make too many password failures Name: fail2ban -Version: 0.6.2 -Release: 3%{?dist} -License: GPL +Version: 0.8.3 +Release: 18%{?dist} +License: GPLv2+ Group: System Environment/Daemons URL: http://fail2ban.sourceforge.net/ Source0: http://prdownloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2 -Patch0: fail2ban-0.6.2-init.patch +Source1: fail2ban-logrotate +Patch0: fail2ban-0.8.3-init.patch +Patch1: fail2ban-0.8.1-sshd.patch +#Patch2: fail2ban-0.8.1-sock.patch +Patch3: fail2ban-0.8.2-fd_cloexec.patch +Patch4: 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root -BuildRequires: python-devel >= 2.3, dos2unix +BuildRequires: python-devel >= 2.3 BuildArch: noarch -Requires: iptables, tcp_wrappers, shorewall +Requires: iptables, tcp_wrappers, shorewall, gamin-python Requires(post): /sbin/chkconfig Requires(preun): /sbin/chkconfig Requires(preun): /sbin/service @@ -22,10 +30,11 @@ failures. It updates firewall rules to reject the IP address. %prep %setup -q -grep -rl /usr/lib/fail2ban . \ - | xargs sed -i -e's,/usr/lib/fail2ban,%{_datadir}/fail2ban,g' -dos2unix config/redhat-initd %patch0 -p1 -b .init +%patch1 -p1 -b .sshd +#patch2 -p1 -b .sock +%patch3 -p1 -b .fd_cloexec +%patch4 -p1 -b .CVE-2009-0362 %build python setup.py build 
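Review bot: `#Patch2: fail2ban-0.8.1-sock.patch` in the header hunk and `#patch2 -p1 -b .sock` in the %prep hunk are left commented out with no explanation, and the patch file is not among the files this commit adds. A one-line comment next to it, such as `# Patch2 (socket moved to /var/run) no longer needed with 0.8.3`, would tell the next packager that the gap in patch numbering is deliberate. That wording is inferred from the changelog and the init patch and should be confirmed before use. If the patch is gone for good, deleting both commented lines is cleaner.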
@@ -33,13 +42,14 @@ python setup.py build %install rm -rf %{buildroot} python setup.py install -O1 --root %{buildroot} -mkdir -p %{buildroot}%{_initrddir} -install -p -m 755 config/redhat-initd %{buildroot}%{_initrddir}/fail2ban -mkdir -p %{buildroot}%{_sysconfdir} -install -p -m 644 config/fail2ban.conf.iptables %{buildroot}%{_sysconfdir}/fail2ban.conf -mkdir -p %{buildroot}%{_mandir}/man{8,5} -install -p -m 644 man/fail2ban.8 %{buildroot}%{_mandir}/man8 -install -p -m 644 man/fail2ban.conf.5 %{buildroot}%{_mandir}/man5 +mkdir -p %{buildroot}%{_initdir} +install -p -m 755 files/redhat-initd %{buildroot}%{_initdir}/fail2ban +mkdir -p %{buildroot}%{_mandir}/man1 +install -p -m 644 man/fail2ban*.1 %{buildroot}%{_mandir}/man1 +mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d +install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban +mkdir -p %{buildroot}%{_localstatedir}/run/fail2ban +chmod 0755 %{buildroot}%{_localstatedir}/run/fail2ban %clean rm -rf %{buildroot} 
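Review bot: `%{_localstatedir}/run/fail2ban` is created world-searchable by the `chmod 0755` line, and the init script patch in this commit shows the server's control socket living in that directory. Access to the daemon therefore rests entirely on the socket's own mode, which is set outside this diff. If only root is meant to talk to the server, `install -d -m 0750 %{buildroot}%{_localstatedir}/run/fail2ban` would replace the mkdir/chmod pair and restrict access at the directory level as well. The `%dir` entry in %files falls under `%defattr(-,root,root,-)`, so the build-time mode is what gets packaged. The %install section continues outside the hunk.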
@@ -55,18 +65,77 @@ fi %files %defattr(-,root,root,-) -%doc README TODO CHANGELOG -%doc config/fail2ban.conf* -%config(noreplace) %{_sysconfdir}/fail2ban.conf -%{_bindir}/fail2ban +%doc README TODO ChangeLog COPYING +#doc config/fail2ban.conf* +%{_bindir}/fail2ban-server +%{_bindir}/fail2ban-client +%{_bindir}/fail2ban-regex %{_datadir}/fail2ban -%{_initrddir}/fail2ban -%{_mandir}/man8/fail2ban.8* -%{_mandir}/man5/fail2ban.conf.5* +%{_initdir}/fail2ban +%{_mandir}/man1/fail2ban-*.1* +%dir %{_sysconfdir}/fail2ban +%dir %{_sysconfdir}/fail2ban/action.d +%dir %{_sysconfdir}/fail2ban/filter.d +%config(noreplace) %{_sysconfdir}/fail2ban/fail2ban.conf +%config(noreplace) %{_sysconfdir}/fail2ban/jail.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf +%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban +%dir %{_localstatedir}/run/fail2ban %changelog -* Thu Jan 29 2009 Adam Miller - 0.8.3-18 +- Rebuild For EPEL + +* Sat Feb 14 2009 Axel Thimm - 0.8.3-18 +- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466). + +* Mon Dec 01 2008 Ignacio Vazquez-Abrams - 0.8.3-17 +- Rebuild for Python 2.6 + +* Sun Aug 24 2008 Axel Thimm - 0.8.3-16 +- Update to 0.8.3. + +* Wed May 21 2008 Tom "spot" Callaway - 0.8.2-15 +- fix license tag + +* Thu Mar 27 2008 Axel Thimm - 0.8.2-14 +- Close on exec fixes by Jonathan Underwood. + +* Sun Mar 16 2008 Axel Thimm - 0.8.2-13 +- Add %%{_localstatedir}/run/fail2ban (David Rees). + +* Fri Mar 14 2008 Axel Thimm - 0.8.2-12 +- Update to 0.8.2. + +* Thu Jan 31 2008 Jonathan G. Underwood - 0.8.1-11 +- Move socket file from /tmp to /var/run to prevent SElinux from stopping + fail2ban from starting (BZ #429281) +- Change logic in init file to start with -x to remove the socket file in case + of unclean shutdown + +* Wed Aug 15 2007 Axel Thimm - 0.8.1-10 +- Update to 0.8.1. +- Remove patch fixing CVE-2007-4321 (upstream). +- Remove AllowUsers patch (upstream). 
+- Add dependency to gamin-python. + +* Thu Jun 21 2007 Axel Thimm - 0.8.0-9 +- Fix remote log injection (no CVE assignment yet). + +* Sun Jun 3 2007 Axel Thimm - 0.8.0-8 +- Also trigger on non-AllowUsers failures (Jonathan Underwood + ). + +* Wed May 23 2007 Axel Thimm - 0.8.0-7 +- logrotate should restart fail2ban (Zing ). +- send mail to root; logrotate (Jonathan Underwood + ) + +* Sat May 19 2007 Axel Thimm - 0.8.0-4 +- Update to 0.8.0. +- enable ssh by default, fix log file for ssh scanning, adjust python + dependency (Jonathan Underwood ) * Sat Dec 30 2006 Axel Thimm - 0.6.2-3 - Remove forgotten condrestart. diff --git a/import.log b/import.log new file mode 100644 index 0000000..82cc212 --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +fail2ban-0_8_3-18:EL-5:fail2ban-0.8.3-18.src.rpm:1241465071 diff --git a/sources b/sources index 0f3defb..6a75478 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -7c686e610f0ad7678688a1bb2cd913da fail2ban-0.6.2.tar.bz2 +b438d7e2ce77a469fb0cca2a5cc0b81c fail2ban-0.8.3.tar.bz2