diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 082f70a..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/fail2ban-*/
diff --git a/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch b/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
deleted file mode 100644
index cb6d5c2..0000000
--- a/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001 -From: Nic Boet -Date: Fri, 13 Jun 2025 16:44:57 -0500 -Subject: [PATCH] Dovecot 2.4 filter support - -Dovecot 2.4 release is a major upgrade -Logger event structure has changed, all messages are now -prefixed with: - - "Login aborted: " "auth failed" - -Maintain 2.3 support as many folks have yet to migrate, -community edition is still receiving cretial security patches - -Dovecot 2.4.1 -Python 3.12.10 - -Signed-off-by: Nic Boet ---- - config/filter.d/dovecot.conf | 2 ++ - fail2ban/tests/files/logs/dovecot | 6 ++++++ - 2 files changed, 8 insertions(+) - -diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf -index dc3ebbcd42..f49eebe726 100644 ---- a/config/filter.d/dovecot.conf -+++ b/config/filter.d/dovecot.conf -@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a - - failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ - ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ -+ ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<[^>]*>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ - ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$ - ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) - > -@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N - # DEV Notes: - # * the first regex is essentially a copy of pam-generic.conf - # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) -+# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support - # - # Author: Martin Waschbuesch - # Daniel Black (rewrote with begin and end anchors) -diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot -index 0e33296129..4f5a0b7867 100644 ---- a/fail2ban/tests/files/logs/dovecot -+++ b/fail2ban/tests/files/logs/dovecot -@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem - # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" } - Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210 - -+# Dovecot version 2.4 -+# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" } -+Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan> -+# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": 
"192.0.2.241" } -+Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session= -+ - # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" } - Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session= - diff --git a/3728.patch b/3728.patch deleted file mode 100644 index b25c4a9..0000000 --- a/3728.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From a763fbbdfd6486e372965b4009eb3fe5db346718 Mon Sep 17 00:00:00 2001 -From: Branch Vincent -Date: Sat, 27 Apr 2024 10:24:01 -0700 -Subject: [PATCH 1/3] replace distutils for python 3.12 - ---- - doc/conf.py | 5 +---- - fail2ban/server/filterpyinotify.py | 3 +-- - fail2ban/server/filtersystemd.py | 3 +-- - 3 files changed, 3 insertions(+), 8 deletions(-) - -diff --git a/doc/conf.py b/doc/conf.py -index 20845a5a0e..48d27f7062 100644 ---- a/doc/conf.py -+++ b/doc/conf.py -@@ -47,12 +47,9 @@ - # - - from fail2ban.version import version as fail2ban_version --from distutils.version import LooseVersion -- --fail2ban_loose_version = LooseVersion(fail2ban_version) - - # The short X.Y version. --version = ".".join(str(_) for _ in fail2ban_loose_version.version[:2]) -+version = ".".join(str(_) for _ in fail2ban_version.split(".")[:2]) - # The full version, including alpha/beta/rc tags. - release = fail2ban_version - -diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py -index 81bc7de393..c6972ced3f 100644 ---- a/fail2ban/server/filterpyinotify.py -+++ b/fail2ban/server/filterpyinotify.py -@@ -24,7 +24,6 @@ - __license__ = "GPL" - - import logging --from distutils.version import LooseVersion - import os - from os.path import dirname, sep as pathsep - -@@ -38,7 +37,7 @@ - - - if not hasattr(pyinotify, '__version__') \ -- or LooseVersion(pyinotify.__version__) < '0.8.3': # pragma: no cover -+ or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover - raise ImportError("Fail2Ban requires pyinotify >= 0.8.3") - - # Verify that pyinotify is functional on this system -diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py -index 5aea9fdadc..2d4f862b97 100644 ---- a/fail2ban/server/filtersystemd.py -+++ b/fail2ban/server/filtersystemd.py -@@ -24,10 +24,9 @@ - - import os - import time --from distutils.version import LooseVersion - - from systemd import journal --if 
LooseVersion(getattr(journal, '__version__', "0")) < '204': -+if getattr(journal, "__version__", "0").split(".") < "204".split("."): - raise ImportError("Fail2Ban requires systemd >= 204") - - from .failmanager import FailManagerEmpty - -From ed20a9a5b9039319dd8913dfecf640e6eafee28b Mon Sep 17 00:00:00 2001 -From: sebres -Date: Tue, 7 May 2024 12:51:14 +0200 -Subject: [PATCH 2/3] there is no systemd < 204 and pyinotify < 0.8.3 for - supported python3 versions anymore - ---- - fail2ban/server/filterpyinotify.py | 4 ---- - fail2ban/server/filtersystemd.py | 2 -- - 2 files changed, 6 deletions(-) - -diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py -index c6972ced3f..f2f31e6fb5 100644 ---- a/fail2ban/server/filterpyinotify.py -+++ b/fail2ban/server/filterpyinotify.py -@@ -36,10 +36,6 @@ - from ..helpers import getLogger - - --if not hasattr(pyinotify, '__version__') \ -- or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover -- raise ImportError("Fail2Ban requires pyinotify >= 0.8.3") -- - # Verify that pyinotify is functional on this system - # Even though imports -- might be dysfunctional, e.g. 
as on kfreebsd - try: -diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py -index 2d4f862b97..abd66e1f76 100644 ---- a/fail2ban/server/filtersystemd.py -+++ b/fail2ban/server/filtersystemd.py -@@ -26,8 +26,6 @@ - import time - - from systemd import journal --if getattr(journal, "__version__", "0").split(".") < "204".split("."): -- raise ImportError("Fail2Ban requires systemd >= 204") - - from .failmanager import FailManagerEmpty - from .filter import JournalFilter, Filter - -From 0185e1c7d5e6534ab212462dd2aeab6f89e2fb50 Mon Sep 17 00:00:00 2001 -From: sebres -Date: Tue, 7 May 2024 13:06:50 +0200 -Subject: [PATCH 3/3] setup.py: no distutils anymore - ---- - setup.py | 25 ++++++------------------- - 1 file changed, 6 insertions(+), 19 deletions(-) - -diff --git a/setup.py b/setup.py -index 9f7bd8fb59..ee9ea4df82 100755 ---- a/setup.py -+++ b/setup.py -@@ -24,23 +24,10 @@ - - import platform - --try: -- import setuptools -- from setuptools import setup -- from setuptools.command.install import install -- from setuptools.command.install_scripts import install_scripts -- from setuptools.command.build_py import build_py -- build_scripts = None --except ImportError: -- setuptools = None -- from distutils.core import setup -- --# older versions --if setuptools is None: -- from distutils.command.build_py import build_py -- from distutils.command.build_scripts import build_scripts -- from distutils.command.install import install -- from distutils.command.install_scripts import install_scripts -+import setuptools -+from setuptools import setup -+from setuptools.command.install import install -+from setuptools.command.install_scripts import install_scripts - - import os - from os.path import isfile, join, isdir, realpath -@@ -207,9 +194,9 @@ def run(self): - url = "http://www.fail2ban.org", - license = "GPL", - platforms = "Posix", -- cmdclass = dict({'build_py': build_py, 'build_scripts': build_scripts} if build_scripts else {}, **{ -+ cmdclass = 
{ - 'install_scripts': install_scripts_f2b, 'install': install_command_f2b -- }), -+ }, - scripts = [ - 'bin/fail2ban-client', - 'bin/fail2ban-server', diff --git a/3782.patch b/3782.patch deleted file mode 100644 index 764db01..0000000 --- a/3782.patch +++ /dev/null 
@@ -1,94 +0,0 @@
-From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001
-From: Fabian Dellwing
-Date: Tue, 2 Jul 2024 07:54:15 +0200
-Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name
-
----
- config/filter.d/sshd.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
-index 1c8a02deb5..a1fd749aed 100644
---- a/config/filter.d/sshd.conf
-+++ b/config/filter.d/sshd.conf
-@@ -16,7 +16,7 @@ before = common.conf
-
- [DEFAULT]
-
--_daemon = sshd
-+_daemon = (?:sshd(?:-session)?)
-
- # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
- __pref = (?:(?:error|fatal): (?:PAM: )?)?
-
-From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001
-From: "Sergey G. Brester"
-Date: Wed, 3 Jul 2024 19:09:28 +0200
-Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782
-
----
- fail2ban/tests/files/logs/sshd | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
-index ed54ded4d4..7d3948ed80 100644
---- a/fail2ban/tests/files/logs/sshd
-+++ b/fail2ban/tests/files/logs/sshd
-@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa
- # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" }
- Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1
-
-+# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" }
-+Jul 3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2
-+
- #3
- # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
- Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
-
-From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001
-From: "Sergey G. Brester"
-Date: Wed, 3 Jul 2024 19:33:39 +0200
-Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new
- sshd-session log format
-
----
- fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
-index ad8adeb69f..14256ba68c 100644
---- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
-+++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
-@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf
-
- [DEFAULT]
-
--_daemon = sshd
-+_daemon = sshd(?:-session)?
-
- # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
- __pref = (?:(?:error|fatal): (?:PAM: )?)?
-
-From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001
-From: "Sergey G. Brester"
-Date: Wed, 3 Jul 2024 19:35:28 +0200
-Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon)
-
----
- config/filter.d/sshd.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
-index a1fd749aed..3a84b1ba52 100644
---- a/config/filter.d/sshd.conf
-+++ b/config/filter.d/sshd.conf
-@@ -16,7 +16,7 @@ before = common.conf
-
- [DEFAULT]
-
--_daemon = (?:sshd(?:-session)?)
-+_daemon = sshd(?:-session)?
-
- # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
- __pref = (?:(?:error|fatal): (?:PAM: )?)?
-
diff --git a/54c0effceb998b73545073ac59c479d9d9bf19a4.patch b/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
deleted file mode 100644
index e606591..0000000
--- a/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001
-From: sebres
-Date: Sun, 11 Aug 2024 12:10:12 +0200
-Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version
- would log with `_COMM=sshd-session`)
-
----
- config/filter.d/sshd.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
-index 206b913a78..595e957f0b 100644
---- a/config/filter.d/sshd.conf
-+++ b/config/filter.d/sshd.conf
-@@ -126,7 +126,7 @@ ignoreregex =
-
- maxlines = 1
-
--journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
-+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
-
- # DEV Notes:
- #
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 70b552a..0000000
--- a/Makefile
+++ /dev/null
@@ -1,26 +0,0 @@
-TARGET?=fail2ban
-MODULES?=${TARGET:=.pp.bz2}
-SHAREDIR?=/usr/share
-
-all: ${TARGET:=.pp.bz2}
-
-%.pp.bz2: %.pp
- @echo Compressing $^ -\> $@
- bzip2 -9 $^
-
-%.pp: %.te
- make -f ${SHAREDIR}/selinux/devel/Makefile $@
-
-clean:
- rm -f *~ *.tc *.pp *.pp.bz2
- rm -rf tmp *.tar.gz
-
-man: install-policy
- sepolicy manpage --path . --domain ${TARGET}_t
-
-install-policy: all
- semodule -i ${TARGET}.pp.bz2
-
-install: man
- install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
- install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
diff --git a/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch b/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch
deleted file mode 100644
index 3dc9890..0000000
--- a/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch
+++ /dev/null
@@ -1,148 +0,0 @@ -From ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b Mon Sep 17 00:00:00 2001 -From: sebres -Date: Fri, 14 Jun 2024 14:31:21 +0200 -Subject: [PATCH] beautifier detect whether it can use unicode chars in stats - table; asciified output of beautifier in test suite; closes gh-3750 - ---- - fail2ban/client/beautifier.py | 51 ++++++++++++++-------- - fail2ban/tests/clientbeautifiertestcase.py | 22 ++++++---- - 2 files changed, 45 insertions(+), 28 deletions(-) - -diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py -index 7ef173a655..21c49b9483 100644 ---- a/fail2ban/client/beautifier.py -+++ b/fail2ban/client/beautifier.py -@@ -21,8 +21,10 @@ - __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko" - __license__ = "GPL" - -+import sys -+ - from ..exceptions import UnknownJailException, DuplicateJailException --from ..helpers import getLogger, logging -+from ..helpers import getLogger, logging, PREFER_ENC - - # Gets the instance of the logger. 
- logSys = getLogger(__name__) -@@ -36,6 +38,11 @@ - - class Beautifier: - -+ stdoutEnc = PREFER_ENC -+ if sys.stdout and sys.stdout.encoding is not None: -+ stdoutEnc = sys.stdout.encoding -+ encUtf = 1 if stdoutEnc.lower() == 'utf-8' else 0 -+ - def __init__(self, cmd = None): - self.__inputCmd = cmd - -@@ -104,7 +111,11 @@ def jail_stat(response, pref=""): - jail_stat(j, " " if i == len(jstat) else " | ") - msg = "\n".join(msg) - elif inC[0:1] == ['stats'] or inC[0:1] == ['statistics']: -- def _statstable(response): -+ chrTable = [ -+ ['|', '-', '|', 'x', 'x', '-', '|', '-'], ## ascii -+ ["\u2551", "\u2550", "\u255F", "\u256B", "\u256C", "\u2569", "\u2502", "\u2500"] ## utf-8 -+ ]; -+ def _statstable(response, ct): - tophead = ["Jail", "Backend", "Filter", "Actions"] - headers = ["", "", "cur", "tot", "cur", "tot"] - minlens = [8, 8, 3, 3, 3, 3] -@@ -120,29 +131,31 @@ def _statstable(response): - f = "%%%ds" if ralign[i] else "%%-%ds" - rfmt.append(f % lens[i]) - hfmt.append(f % lens[i]) -- rfmt = [rfmt[0], rfmt[1], "%s \u2502 %s" % (rfmt[2], rfmt[3]), "%s \u2502 %s" % (rfmt[4], rfmt[5])] -- hfmt = [hfmt[0], hfmt[1], "%s \u2502 %s" % (hfmt[2], hfmt[3]), "%s \u2502 %s" % (hfmt[4], hfmt[5])] -+ rfmt = [rfmt[0], rfmt[1], "%s %s %s" % (rfmt[2], ct[6], rfmt[3]), "%s %s %s" % (rfmt[4], ct[6], rfmt[5])] -+ hfmt = [hfmt[0], hfmt[1], "%s %s %s" % (hfmt[2], ct[6], hfmt[3]), "%s %s %s" % (hfmt[4], ct[6], hfmt[5])] - tlens = [lens[0], lens[1], 3 + lens[2] + lens[3], 3 + lens[4] + lens[5]] - tfmt = [hfmt[0], hfmt[1], "%%-%ds" % (tlens[2],), "%%-%ds" % (tlens[3],)] - tsep = tfmt[0:2] -- rfmt = " \u2551 ".join(rfmt) -- hfmt = " \u2551 ".join(hfmt) -- tfmt = " \u2551 ".join(tfmt) -- tsep = " \u2551 ".join(tsep) -- separator = ((tsep % tuple(tophead[0:2])) + " \u255F\u2500" + -- ("\u2500\u256B\u2500".join(['\u2500' * n for n in tlens[2:]])) + '\u2500') -+ rfmt = (" "+ct[0]+" ").join(rfmt) -+ hfmt = (" "+ct[0]+" ").join(hfmt) -+ tfmt = (" "+ct[0]+" ").join(tfmt) -+ tsep = (" 
"+ct[0]+" ").join(tsep) -+ separator = ((tsep % tuple(tophead[0:2])) + " "+ct[2]+ct[7] + -+ ((ct[7]+ct[3]+ct[7]).join([ct[7] * n for n in tlens[2:]])) + ct[7]) - ret = [] -- ret.append(tfmt % tuple(["", ""]+tophead[2:])) -- ret.append(separator) -- ret.append(hfmt % tuple(headers)) -- separator = "\u2550\u256C\u2550".join(['\u2550' * n for n in tlens]) + '\u2550' -- ret.append(separator) -+ ret.append(" "+tfmt % tuple(["", ""]+tophead[2:])) -+ ret.append(" "+separator) -+ ret.append(" "+hfmt % tuple(headers)) -+ separator = (ct[1]+ct[4]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1] -+ ret.append(ct[1]+separator) - for row in rows: -- ret.append(rfmt % tuple(row)) -- separator = "\u2550\u2569\u2550".join(['\u2550' * n for n in tlens]) + '\u2550' -- ret.append(separator) -+ ret.append(" "+rfmt % tuple(row)) -+ separator = (ct[1]+ct[5]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1] -+ ret.append(ct[1]+separator) - return ret -- msg = "\n".join(_statstable(response)) -+ if not response: -+ return "No jails found." 
-+ msg = "\n".join(_statstable(response, chrTable[self.encUtf])) - elif len(inC) < 2: - pass # to few cmd args for below - elif inC[1] == "syslogsocket": -diff --git a/fail2ban/tests/clientbeautifiertestcase.py b/fail2ban/tests/clientbeautifiertestcase.py -index defedbe1bf..5fcb240479 100644 ---- a/fail2ban/tests/clientbeautifiertestcase.py -+++ b/fail2ban/tests/clientbeautifiertestcase.py -@@ -34,6 +34,7 @@ def setUp(self): - """ Call before every test case """ - super(BeautifierTest, self).setUp() - self.b = Beautifier() -+ self.b.encUtf = 0; ## we prefer ascii in test suite (see #3750) - - def tearDown(self): - """ Call after every test case """ -@@ -170,22 +171,25 @@ def testStatus(self): - - def testStatusStats(self): - self.b.setInputCmd(["stats"]) -+ ## no jails: -+ self.assertEqual(self.b.beautify({}), "No jails found.") -+ ## 3 jails: - response = { - "ssh": ["systemd", (3, 6), (12, 24)], - "exim4": ["pyinotify", (6, 12), (20, 20)], - "jail-with-long-name": ["polling", (0, 0), (0, 0)] - } - output = ("" -- + " ? ? Filter ? Actions \n" -- + "Jail ? Backend ????????????????????????\n" -- + " ? ? cur ? tot ? cur ? tot\n" -- + "????????????????????????????????????????????????????????\n" -- + "ssh ? systemd ? 3 ? 6 ? 12 ? 24\n" -- + "exim4 ? pyinotify ? 6 ? 12 ? 20 ? 20\n" -- + "jail-with-long-name ? polling ? 0 ? 0 ? 0 ? 0\n" -- + "????????????????????????????????????????????????????????" -+ + " | | Filter | Actions \n" -+ + " Jail | Backend |-----------x-----------\n" -+ + " | | cur | tot | cur | tot\n" -+ + "---------------------x-----------x-----------x-----------\n" -+ + " ssh | systemd | 3 | 6 | 12 | 24\n" -+ + " exim4 | pyinotify | 6 | 12 | 20 | 20\n" -+ + " jail-with-long-name | polling | 0 | 0 | 0 | 0\n" -+ + "---------------------------------------------------------" - ) -- response = self.b.beautify(response).encode('ascii', 'replace').decode('ascii') -+ response = self.b.beautify(response) - self.assertEqual(response, output) - - 
diff --git a/dead.package b/dead.package
new file mode 100644
index 0000000..a72aec0
--- /dev/null
+++ b/dead.package
@@ -0,0 +1 @@
+epel8-playground decommissioned : https://pagure.io/epel/issue/136
diff --git a/fail2ban-1.1.0.tar.gz.asc b/fail2ban-1.1.0.tar.gz.asc
deleted file mode 100644
index f764f97..0000000
--- a/fail2ban-1.1.0.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
-iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
-yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
-ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
-9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
-jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
-MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
-=qvry
------END PGP SIGNATURE-----
diff --git a/fail2ban-nftables.patch b/fail2ban-nftables.patch
deleted file mode 100644
index 1124e85..0000000
--- a/fail2ban-nftables.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -Index: fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf -=================================================================== ---- fail2ban-1.0.2.orig/config/action.d/firewallcmd-rich-rules.conf -+++ fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf -@@ -37,8 +37,8 @@ actioncheck = - - fwcmd_rich_rule = rule family='' source address='' port port='$p' protocol='' %(rich-suffix)s - --actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done -+actionban = ports=""; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done - --actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done -+actionunban = ports=""; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done - --rich-suffix = -\ No newline at end of file -+rich-suffix = -Index: fail2ban-1.0.2/fail2ban/tests/servertestcase.py -=================================================================== ---- fail2ban-1.0.2.orig/fail2ban/tests/servertestcase.py -+++ fail2ban-1.0.2/fail2ban/tests/servertestcase.py -@@ -2051,32 +2051,32 @@ class ServerConfigReaderTests(LogCapture - ('j-fwcmd-rr', 'firewallcmd-rich-rules[port="22:24", protocol="tcp"]', { - 'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',), - 'ip4-ban': ( -- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""", -+ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""", - ), - 'ip4-unban': ( -- """`ports="22:24"; for p in $(echo $ports | tr 
", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""", -+ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""", - ), - 'ip6-ban': ( -- """ `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""", -+ """ `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""", - ), - 'ip6-unban': ( -- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""", -+ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""", - ), - }), - # firewallcmd-rich-logging -- - ('j-fwcmd-rl', 'firewallcmd-rich-logging[port="22:24", protocol="tcp"]', { - 'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',), - 'ip4-ban': ( -- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""", -+ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port 
port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""", - ), - 'ip4-unban': ( -- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""", -+ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""", - ), - 'ip6-ban': ( -- """ `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""", -+ """ `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""", - ), - 'ip6-unban': ( -- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""", -+ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""", - ), - }), - ) 
diff --git a/fail2ban-partof.patch b/fail2ban-partof.patch
deleted file mode 100644
index ddb39e8..0000000
--- a/fail2ban-partof.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up fail2ban-0.10.5/files/fail2ban.service.in.partof fail2ban-0.10.5/files/fail2ban.service.in
---- fail2ban-0.10.5/files/fail2ban.service.in.partof 2020-01-10 05:34:46.000000000 -0700
-+++ fail2ban-0.10.5/files/fail2ban.service.in 2020-01-11 16:13:53.372316861 -0700
-@@ -2,7 +2,7 @@
- Description=Fail2Ban Service
- Documentation=man:fail2ban(1)
- After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
--PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
-+PartOf=firewalld.service
-
- [Service]
- Type=simple
diff --git a/fail2ban.fc b/fail2ban.fc
deleted file mode 100644
index f481c4a..0000000
--- a/fail2ban.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
-
-/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
-/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
-/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
-
-/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
-/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
-
-/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/fail2ban.if b/fail2ban.if
deleted file mode 100644
index 82c627f..0000000
--- a/fail2ban.if
+++ /dev/null
@@ -1,313 +0,0 @@
-## Update firewall filtering to ban IP addresses with too many password failures.
-
-########################################
-##
-## Execute a domain transition to run fail2ban.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`fail2ban_domtrans',`
- gen_require(`
- type fail2ban_t, fail2ban_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
-')
-
-#######################################
-##
-## Execute the fail2ban client in
-## the fail2ban client domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`fail2ban_domtrans_client',`
- gen_require(`
- type fail2ban_client_t, fail2ban_client_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
-')
-
-#######################################
-##
-## Execute fail2ban client in the
-## fail2ban client domain, and allow
-## the specified role the fail2ban
-## client domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-##
-##
-## Role allowed access.
-##
-##
-#
-interface(`fail2ban_run_client',`
- gen_require(`
- attribute_role fail2ban_client_roles;
- ')
-
- fail2ban_domtrans_client($1)
- roleattribute $2 fail2ban_client_roles;
-')
-
-#####################################
-##
-## Connect to fail2ban over a unix domain
-## stream socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fail2ban_stream_connect',`
- gen_require(`
- type fail2ban_t, fail2ban_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
-')
-
-########################################
-##
-## Read and write inherited temporary files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fail2ban_rw_inherited_tmp_files',`
- gen_require(`
- type fail2ban_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
-')
-
-########################################
-##
-## Read and write to an fail2ba unix stream socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fail2ban_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
-
- allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
-')
-
-#######################################
-##
-## Do not audit attempts to use
-## fail2ban file descriptors.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`fail2ban_dontaudit_use_fds',`
- gen_require(`
- type fail2ban_t;
- ')
-
- dontaudit $1 fail2ban_t:fd use;
-')
-
-#######################################
-##
-## Do not audit attempts to read and
-## write fail2ban unix stream sockets
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
-
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
-')
-
-########################################
-##
-## Read fail2ban lib files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fail2ban_read_lib_files',`
- gen_require(`
- type fail2ban_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
-')
-
-########################################
-##
-## Allow the specified domain to read fail2ban's log files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`fail2ban_read_log',`
- gen_require(`
- type fail2ban_log_t;
- ')
-
- logging_search_logs($1)
- allow $1 fail2ban_log_t:dir list_dir_perms;
- allow $1 fail2ban_log_t:file read_file_perms;
-')
-
-########################################
-##
-## Allow the specified domain to append
-## fail2ban log files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fail2ban_append_log',`
- gen_require(`
- type fail2ban_log_t;
- ')
-
- logging_search_logs($1)
- allow $1 fail2ban_log_t:dir list_dir_perms;
- allow $1 fail2ban_log_t:file append_file_perms;
-')
-
-########################################
-##
-## Read fail2ban PID files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fail2ban_read_pid_files',`
- gen_require(`
- type fail2ban_var_run_t;
- ')
-
- files_search_pids($1)
- allow $1 fail2ban_var_run_t:file read_file_perms;
-')
-
-########################################
-##
-## dontaudit read and write leaked file descriptors
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`fail2ban_dontaudit_leaks',`
- gen_require(`
- type fail2ban_t;
- ')
-
- dontaudit $1 fail2ban_t:tcp_socket { read write };
- dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
-')
-
-########################################
-##
-## All of the rules required to administrate
-## a fail2ban environment
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The role to be allowed to manage the fail2ban domain.
-##
-##
-##
-#
-interface(`fail2ban_admin',`
- gen_require(`
- type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
- type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
- type fail2ban_client_t;
- ')
-
- allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
- ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
-
- tunable_policy(`deny_ptrace',`',`
- allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
- ')
-
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fail2ban_initrc_exec_t system_r;
- allow $2 system_r;
-
- logging_list_logs($1)
- admin_pattern($1, fail2ban_log_t)
-
- files_list_pids($1)
- admin_pattern($1, fail2ban_var_run_t)
-
- files_list_var_lib($1)
- admin_pattern($1, fail2ban_var_lib_t)
-
- files_list_tmp($1)
- admin_pattern($1, fail2ban_tmp_t)
-
- fail2ban_run_client($1, $2)
-')
diff --git a/fail2ban.rpmlintrc b/fail2ban.rpmlintrc
deleted file mode 100644
index 05ddcce..0000000
--- a/fail2ban.rpmlintrc
+++ /dev/null
@@ -1,8 +0,0 @@
-from Config import *
-addFilter("incoherent-logrotate-file /etc/logrotate.d/fail2ban");
-addFilter("macro-in-comment %{(name|version|release)}");
-addFilter("spelling-error .* (tcp|sendmail|shorewall|sshd)");
-# Tests
-addFilter("hidden-file-or-dir .*fail2ban/tests/files/config/apache.*/\.htpasswd");
-addFilter("htaccess-file-error .*fail2ban/tests/files/config/apache.*/\.htaccess");
-addFilter("zero-length .*fail2ban/tests/files/files/");
diff --git a/fail2ban.spec b/fail2ban.spec
deleted file mode 100644
index 6ca56b5..0000000
--- a/fail2ban.spec
+++ /dev/null
@@ -1,929 +0,0 @@ -%if 0%{?rhel} >= 9 -%bcond_with shorewall -%else -%bcond_without shorewall -%endif - -# RHEL < 10 and Fedora < 40 use file context entries in /var/run -%if %{defined rhel} && 0%{?rhel} < 10 -%define legacy_var_run 1 -%endif - -Name: fail2ban -Version: 1.1.0 -Release: 15%{?dist} -Summary: Daemon to ban hosts that cause multiple authentication errors - -License: GPL-2.0-or-later -URL: https://www.fail2ban.org -Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz -Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc -# Releases are signed by Serg G. Brester (sebres) . The -# fingerprint can be found in a signature file: -# gpg --list-packets fail2ban-1.0.2.tar.gz.asc | grep 'issuer fpr' -# -# The following commands can be used to fetch the signing key via fingerprint -# and extract it: -# fpr=8738559E26F671DF9E2C6D9E683BF1BEBD0A882C -# gpg --receive-keys $fpr -# gpg -a --export-options export-minimal --export $fpr >gpgkey-$fpr.asc -Source2: gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc -# SELinux policy -Source3: fail2ban.fc -Source4: fail2ban.if -Source5: fail2ban.te -Source6: Makefile - -# Give up being PartOf iptables and ipset for now -# https://bugzilla.redhat.com/show_bug.cgi?id=1379141 -# https://bugzilla.redhat.com/show_bug.cgi?id=1573185 -Patch0: fail2ban-partof.patch -# default port in jail.conf is not compatible with firewalld-cmd syntax -# https://bugzilla.redhat.com/show_bug.cgi?id=1850164 -Patch1: fail2ban-nftables.patch -# Work around encoding issues during tests -Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2315252 -Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2295265 -Patch4: 
https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch -# Upstream fix to also catch sshd-session logs -# https://bugzilla.redhat.com/show_bug.cgi?id=2332945 -Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch -# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1. -# https://bugzilla.redhat.com/show_bug.cgi?id=2426440 -Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch - - -BuildArch: noarch - -BuildRequires: python3-devel -BuildRequires: python3-setuptools -# For testcases -BuildRequires: python3-inotify -# using a python3_version-based conditional does not work here, so -# this is a proxy for "Python version greater than 3.12". asyncore -# and asynchat were dropped from cpython core in 3.12, these modules -# make them available again. See: -# https://github.com/fail2ban/fail2ban/issues/3487 -# https://bugzilla.redhat.com/show_bug.cgi?id=2219991 -%if 0%{?fedora} || 0%{?rhel} >= 10 -BuildRequires: python3-pyasyncore -BuildRequires: python3-pyasynchat -%endif -BuildRequires: sqlite -BuildRequires: systemd -BuildRequires: selinux-policy-devel -BuildRequires: make -%if 0%{?fedora} || 0%{?rhel} >= 11 -BuildRequires: bash-completion-devel -%else -BuildRequires: bash-completion -%endif -BuildRequires: gnupg2 - -# Default components -Requires: %{name}-firewalld = %{version}-%{release} -Requires: %{name}-sendmail = %{version}-%{release} -Requires: %{name}-server = %{version}-%{release} - - -%description -Fail2Ban scans log files and bans IP addresses that makes too many password -failures. It updates firewall rules to reject the IP address. These rules can -be defined by the user. Fail2Ban can read multiple log files such as sshd or -Apache web server ones. - -Fail2Ban is able to reduce the rate of incorrect authentications attempts -however it cannot eliminate the risk that weak authentication presents. 
-Configure services to use only two factor or public/private authentication -mechanisms if you really want to protect services. - -This is a meta-package that will install the default configuration. Other -sub-packages are available to install support for other actions and -configurations. - - -%package selinux -Summary: SELinux policies for Fail2Ban -%{?selinux_requires} -%global modulename fail2ban -%global selinuxtype targeted - -%description selinux -SELinux policies for Fail2Ban. - - -%package server -Summary: Core server component for Fail2Ban -Requires: python3-systemd -Requires: nftables -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd -Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) -# see note above in BuildRequires section -%if 0%{?fedora} || 0%{?rhel} >= 10 -Requires: python3-pyasyncore -Requires: python3-pyasynchat -%endif - -%description server -This package contains the core server components for Fail2Ban with minimal -dependencies. You can install this directly if you want to have a small -installation and know what you are doing. - - -%package all -Summary: Install all Fail2Ban packages and dependencies -Requires: %{name}-firewalld = %{version}-%{release} -Requires: %{name}-hostsdeny = %{version}-%{release} -Requires: %{name}-mail = %{version}-%{release} -Requires: %{name}-sendmail = %{version}-%{release} -Requires: %{name}-server = %{version}-%{release} -%if %{with shorewall} -Requires: %{name}-shorewall = %{version}-%{release} -%endif -Requires: perl-interpreter -Requires: python3-inotify -Requires: /usr/bin/whois - -%description all -This package installs all of the Fail2Ban packages and dependencies. - - -%package firewalld -Summary: Firewalld support for Fail2Ban -Requires: %{name}-server = %{version}-%{release} -Requires: firewalld - -%description firewalld -This package enables support for manipulating firewalld rules. This is the -default firewall service in Fedora. 
- - -%package hostsdeny -Summary: Hostsdeny (tcp_wrappers) support for Fail2Ban -Requires: %{name}-server = %{version}-%{release} -Requires: ed -Requires: tcp_wrappers - -%description hostsdeny -This package enables support for manipulating tcp_wrapper's /etc/hosts.deny -files. - - -%package tests -Summary: Fail2Ban testcases -Requires: %{name}-server = %{version}-%{release} - -%description tests -This package contains Fail2Ban's testscases and scripts. - - -%package mail -Summary: Mail actions for Fail2Ban -Requires: %{name}-server = %{version}-%{release} -Requires: /usr/bin/mail - -%description mail -This package installs Fail2Ban's mail actions. These are an alternative -to the default sendmail actions. - - -%package sendmail -Summary: Sendmail actions for Fail2Ban -Requires: %{name}-server = %{version}-%{release} -Requires: /usr/sbin/sendmail - -%description sendmail -This package installs Fail2Ban's sendmail actions. This is the default -mail actions for Fail2Ban. - - -%if %{with shorewall} -%package shorewall -Summary: Shorewall support for Fail2Ban -Requires: %{name}-server = %{version}-%{release} -Requires: shorewall -Conflicts: %{name}-shorewall-lite - -%description shorewall -This package enables support for manipulating shorewall rules. - - -%package shorewall-lite -Summary: Shorewall lite support for Fail2Ban -Requires: %{name}-server = %{version}-%{release} -Requires: shorewall-lite -Conflicts: %{name}-shorewall - -%description shorewall-lite -This package enables support for manipulating shorewall rules. -%endif - - -%package systemd -Summary: Systemd journal configuration for Fail2Ban -Requires: %{name}-server = %{version}-%{release} - -%description systemd -This package configures Fail2Ban to use the systemd journal for its log input -by default. 
- - -%prep -%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -p1 - -# Use Fedora paths -sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf - -# SELinux sources -cp -p %SOURCE3 %SOURCE4 %SOURCE5 . - -%if %{defined legacy_var_run} -sed -i 's|^/run/|/var/run/|' %{name}.fc -%endif - -# 2to3 has been removed from setuptools and we already use the binary in -# %%prep. -sed -i "/use_2to3/d" setup.py - - -%generate_buildrequires -%pyproject_buildrequires - - -%build -%pyproject_wheel -make -f %SOURCE6 - - -%install -%pyproject_install -ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python -mv %{buildroot}%{python3_sitelib}/etc %{buildroot} -mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir} -rmdir %{buildroot}%{python3_sitelib}%{_prefix} - -mkdir -p %{buildroot}%{_unitdir} -# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite -# so we will do our own modification -sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service -mkdir -p %{buildroot}%{_mandir}/man{1,5} -install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1 -install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 -mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d -install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban -install -d -m 0755 %{buildroot}/run/fail2ban/ -install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid -install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ -mkdir -p %{buildroot}%{_tmpfilesdir} -install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf -mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d - -# Remove non-Linux actions -rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf -rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf -rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf - -# Remove config files 
for other distros -rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf - -# firewalld configuration -cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf < %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf < - 1.1.0-15 -- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. - -* Sat Oct 11 2025 Orion Poplawski - 1.1.0-14 -- Cleanup old conditionals - -* Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 -- Fix paths in fail2ban.service (rhbz#2399981) - -* Fri Sep 19 2025 Python Maint - 1.1.0-12 -- Rebuilt for Python 3.14.0rc3 bytecode - -* Thu Aug 21 2025 Richard Shaw - 1.1.0-11 -- Move from setup.py to wheels per - https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros. - -* Fri Aug 15 2025 Python Maint - 1.1.0-10 -- Rebuilt for Python 3.14.0rc2 bytecode - -* Wed Jul 23 2025 Fedora Release Engineering - 1.1.0-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Tue Jun 03 2025 Python Maint - 1.1.0-8 -- Rebuilt for Python 3.14 - -* Thu Jan 16 2025 Fedora Release Engineering - 1.1.0-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Thu Dec 19 2024 Orion Poplawski - 1.1.0-6 -- Add upstream fix for sshd filter (rhbz#2332945) - -* Wed Oct 16 2024 Richard Shaw - 1.1.0-5 -- Add upstream patch for python distutils removal. - -* Sat Sep 28 2024 Richard Shaw - 1.1.0-4 -- Add patch to deal with changes to OpenSSL log output. - -* Wed Jul 17 2024 Fedora Release Engineering - 1.1.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Fri Jul 12 2024 Nils Philippsen - 1.1.0-2 -- Use SPDX license identifier -- Use https upstream URL - -* Wed Jun 12 2024 Richard Shaw - 1.1.0-1 -- Update to 1.1.0 for Python 3.13 support. 
- -* Fri Jun 07 2024 Python Maint - 1.0.2-16 -- Rebuilt for Python 3.13 - -* Sat May 11 2024 Todd Zullinger - 1.0.2-15 -- Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054) - -* Sun May 05 2024 Richard Shaw - 1.0.2-14 -- Increment SELinux module version. -- Tweak selinux regex for /run/fail2ban. - -* Thu Apr 25 2024 Richard Shaw - 1.0.2-13 -- Add nftables patch and fix selinux /var/run->/run issue, fixes RHBZ#1850164 - and RHBZ#2272476. - -* Thu Feb 22 2024 Orion Poplawski - 1.0.2-12 -- Allow watch on more logfiles - -* Wed Jan 24 2024 Fedora Release Engineering - 1.0.2-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 1.0.2-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Sep 27 2023 Adam Williamson - 1.0.2-9 -- Require pyasynchat and pyasyncore with Python 3.12+ -- Disable smtp tests on F39+ due to removal of smtpd from Python 3.12 -- Disable db repair test on F39+ as it's broken with sqlite 3.42.0+ - -* Wed Jul 19 2023 Fedora Release Engineering - 1.0.2-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Mon Jun 26 2023 Todd Zullinger - 1.0.2-7 -- exclude shorewall subpackage on epel9 (rhbz#2217649) - -* Wed Jun 14 2023 Python Maint - 1.0.2-6 -- Rebuilt for Python 3.12 - -* Tue Apr 04 2023 Orion Poplawski - 1.0.2-5 -- Drop downstream python3.11 patch, upstream went with a different fix - -* Sun Apr 02 2023 Todd Zullinger - 1.0.2-4 -- verify upstream source signature - -* Thu Mar 30 2023 Orion Poplawski - 1.0.2-3 -- Add upstream patch to remove warning about allowipv6 (bz#2160781) - -* Thu Jan 19 2023 Fedora Release Engineering - 1.0.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Sat Dec 17 2022 Richard Shaw - 1.0.2-1 -- Update to 1.0.2. - -* Wed Nov 02 2022 Richard Shaw - 1.0.1-2 -- Add patch for dovecot eating 100% CPU. - -* Sun Oct 02 2022 Richard Shaw - 1.0.1-1 -- Update to 1.0.1. 
- -* Thu Jul 21 2022 Fedora Release Engineering - 0.11.2-14 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Wed Jun 15 2022 Python Maint - 0.11.2-13 -- Rebuilt for Python 3.11 - -* Wed May 18 2022 Orion Poplawski - 0.11.2-12 -- Fix SELinux policy to allow watch on var_log_t (bz#2083923) - -* Fri Jan 28 2022 Orion Poplawski - 0.11.2-11 -- Require /usr/bin/mail instead of mailx - -* Thu Jan 20 2022 Fedora Release Engineering - 0.11.2-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Sun Sep 26 2021 Mikel Olasagasti Uranga - 0.11.2-9 -- Fix CVE-2021-32749 RHBZ#1983223 - -* Wed Jul 21 2021 Fedora Release Engineering - 0.11.2-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Mon Jun 07 2021 Python Maint - 0.11.2-7 -- Rebuilt for Python 3.10 - -* Sun Jun 06 2021 Richard Shaw - 0.11.2-6 -- Update selinux policy for Fedora 34+ - -* Fri Jun 04 2021 Python Maint - 0.11.2-5 -- Rebuilt for Python 3.10 - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 0.11.2-4 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. - -* Tue Jan 26 2021 Fedora Release Engineering - 0.11.2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Wed Jan 06 2021 Richard Shaw - 0.11.2-2 -- Add patch to deal with a new century in tests (2021). - -* Tue Nov 24 2020 Richard Shaw - 0.11.2-1 -- Update to 0.11.2. - -* Fri Aug 28 2020 Richard Shaw - 0.11.1-10.2 -- Create shorewall-lite subpackage package which conflicts with shorewall - subpackage. Fixes RHBZ#1872759. - -* Tue Jul 28 2020 Richard Shaw - 0.11.1-9.2 -- Fix python2 requires for EPEL 7. - -* Mon Jul 27 2020 Richard Shaw - 0.11.1-9 -- Add conditonals back for EL 7 as it's being brought up to date. -- Add patch to deal with nftables not accepting ":" as a port separator. 
- -* Mon Jul 27 2020 Fedora Release Engineering - 0.11.1-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue May 26 2020 Miro Hrončok - 0.11.1-7 -- Rebuilt for Python 3.9 - -* Thu Apr 16 2020 Richard Shaw - 0.11.1-6 -- Change default firewalld backend from ipset to rich-rules as ipset causes - firewalld to use legacy iptables. Fixes RHBZ#1823746. -- Remove conditionals for EL versions less than 7. - -* Thu Mar 19 2020 Richard Shaw - 0.11.1-5 -- Update for Python 3.9. - -* Wed Feb 26 2020 Orion Poplawski - 0.11.1-4 -- Add SELinux policy - -* Tue Jan 28 2020 Fedora Release Engineering - 0.11.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Tue Jan 21 2020 Orion Poplawski - 0.11.1-2 -- Move action.d/mail-whois-common.conf into fail2ban-server - -* Tue Jan 14 2020 Orion Poplawski - 0.11.1-1 -- Update to 0.11.1 - -* Tue Jan 14 2020 Orion Poplawski - 0.10.5-1 -- Update to 0.10.5 - -* Thu Nov 21 2019 Orion Poplawski - 0.10.4-8 -- Define banaction_allports for firewalld, update banaction (bz#1775175) -- Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625) - -* Thu Oct 31 2019 Orion Poplawski - 0.10.4-7 -- Remove config files for other distros (bz#1533113) - -* Thu Oct 03 2019 Miro Hrončok - 0.10.4-6 -- Rebuilt for Python 3.8.0rc1 (#1748018) - -* Mon Aug 19 2019 Miro Hrončok - 0.10.4-5 -- Rebuilt for Python 3.8 - -* Thu Jul 25 2019 Fedora Release Engineering - 0.10.4-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Jan 31 2019 Fedora Release Engineering - 0.10.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Sun Nov 18 2018 Zbigniew Jędrzejewski-Szmek - 0.10.4-2 -- Drop explicit locale setting - See https://fedoraproject.org/wiki/Changes/Remove_glibc-langpacks-all_from_buildroot - -* Fri Oct 5 2018 Orion Poplawski - 0.10.4-1 -- Update to 0.10.4 - -* Fri Jul 13 2018 Fedora Release Engineering - 0.10.3.1-3 -- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Jun 19 2018 Orion Poplawski - 0.10.3.1-2 -- Remove PartOf ipset.service (bug #1573185) - -* Tue Jun 19 2018 Orion Poplawski - 0.10.3.1-1 -- Update to 0.10.3.1 - -* Tue Jun 19 2018 Miro Hrončok - 0.10.2-2 -- Rebuilt for Python 3.7 - -* Wed Mar 28 2018 Orion Poplawski - 0.10.2-1 -- Update to 0.10.2 - -* Wed Feb 07 2018 Fedora Release Engineering - 0.10.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Sat Dec 30 2017 Orion Poplawski - 0.10.1-3 -- Add upstream patch to fix ipset issue (bug #1525134) - -* Sat Dec 30 2017 Orion Poplawski - 0.10.1-2 -- Add upstream patch to fix buildroot issue - -* Tue Nov 14 2017 Orion Poplawski - 0.10.1-1 -- Update to 0.10.1 - -* Wed Sep 20 2017 Orion Poplawski - 0.10.0-1 -- Update to 0.10.0 - -* Wed Aug 16 2017 Orion Poplawski - 0.9.7-4 -- Use BR /usr/bin/2to3 - -* Wed Jul 26 2017 Fedora Release Engineering - 0.9.7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Thu Jul 13 2017 Petr Pisar - 0.9.7-2 -- perl dependency renamed to perl-interpreter - - -* Wed Jul 12 2017 Orion Poplawski - 0.9.7-1 -- Update to 0.9.7 - -* Wed Feb 15 2017 Orion Poplawski - 0.9.6-4 -- Properly handle /run/fail2ban (bug #1422500) - -* Fri Feb 10 2017 Fedora Release Engineering - 0.9.6-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Tue Jan 10 2017 Orion Poplawski - 0.9.6-2 -- Add upstream patch to fix fail2ban-regex with journal - -* Fri Jan 6 2017 Orion Poplawski - 0.9.6-1 -- Update to 0.9.6 -- Fix sendmail-auth filter (bug #1329919) - -* Mon Dec 19 2016 Miro Hrončok - 0.9.5-5 -- Rebuild for Python 3.6 - -* Fri Oct 7 2016 Orion Poplawski - 0.9.5-4 -- %%ghost /run/fail2ban -- Fix typo in shorewall description -- Move tests to -tests sub-package - -* Mon Oct 3 2016 Orion Poplawski - 0.9.5-3 -- Add journalmatch entries for sendmail (bug #1329919) - -* Mon Oct 3 2016 Orion Poplawski - 0.9.5-2 -- Give up being PartOf 
iptables to allow firewalld restarts to work - (bug #1379141) - -* Mon Oct 3 2016 Orion Poplawski - 0.9.5-1 -- Add patch to fix failing test - -* Sun Sep 25 2016 Orion Poplawski - 0.9.5-1 -- Update to 0.9.5 -- Drop mysql patch applied upstream - -* Tue Jul 19 2016 Fedora Release Engineering - 0.9.4-6 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Tue Apr 5 2016 Orion Poplawski - 0.9.4-5 -- Fix python3 usage (bug #1324113) - -* Sun Mar 27 2016 Orion Poplawski - 0.9.4-4 -- Use %%{_tmpfilesdir} for systemd tmpfile config - -* Wed Mar 9 2016 Orion Poplawski - 0.9.4-3 -- No longer need to add After=firewalld.service (bug #1301910) - -* Wed Mar 9 2016 Orion Poplawski - 0.9.4-2 -- Fix mariadb/mysql log handling - -* Wed Mar 9 2016 Orion Poplawski - 0.9.4-1 -- Update to 0.9.4 -- Use mariadb log path by default - -* Tue Feb 23 2016 Orion Poplawski - 0.9.3-3 -- Use python3 (bug #1282498) - -* Wed Feb 03 2016 Fedora Release Engineering - 0.9.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Sat Sep 12 2015 Orion Poplawski - 0.9.3-1 -- Update to 0.9.3 -- Cleanup spec, use new python macros - -* Wed Jun 17 2015 Fedora Release Engineering - 0.9.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Thu Apr 30 2015 Orion Poplawski - 0.9.2-1 -- Update to 0.9.2 - -* Mon Mar 16 2015 Orion Poplawski - 0.9.1-4 -- Do not load user paths for fail2ban-{client,server} (bug #1202151) - -* Sun Feb 22 2015 Orion Poplawski - 0.9.1-3 -- Do not use systemd by default - -* Fri Nov 28 2014 Orion Poplawski - 0.9.1-2 -- Fix php-url-fopen logpath (bug #1169026) - -* Tue Oct 28 2014 Orion Poplawski - 0.9.1-1 -- Update to 0.9.1 - -* Fri Aug 15 2014 Orion Poplawski - 0.9-8 -- Add patch to fix tests - -* Fri Aug 8 2014 Orion Poplawski - 0.9-8 -- Fix log paths for some jails (bug #1128152) - -* Mon Jul 21 2014 Orion Poplawski - 0.9-7 -- Use systemd for EL7 - -* Sat Jun 07 2014 Fedora Release Engineering - 0.9-6 
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Thu Mar 20 2014 Orion Poplawski - 0.9-5 -- Require mailx for /usr/bin/mail - -* Thu Mar 20 2014 Orion Poplawski - 0.9-4 -- Need empty %%files to produce main and -all package - -* Wed Mar 19 2014 Orion Poplawski - 0.9-3 -- Split into sub-packages for different components -- Enable journal filter by default (bug #985567) -- Enable firewalld action by default (bug #1046816) -- Add upstream patch to fix setting loglevel in fail2ban.conf -- Add upstream patches to fix tests in mock, run tests - -* Tue Mar 18 2014 Orion Poplawski - 0.9-2 -- Use Fedora paths -- Start after firewalld (bug #1067147) - -* Mon Mar 17 2014 Orion Poplawski - 0.9-1 -- Update to 0.9 - -* Tue Sep 24 2013 Orion Poplawski - 0.9-0.3.git1f1a561 -- Update to current 0.9 git branch -- Rebase init patch, drop jail.d and notmp patch applied upstream - -* Fri Aug 9 2013 Orion Poplawski - 0.9-0.2.gitd529151 -- Ship jail.conf(5) man page -- Ship empty /etc/fail2ban/jail.d directory - -* Thu Aug 8 2013 Orion Poplawski - 0.9-0.1.gitd529151 -- Update to 0.9 git branch -- Rebase patches -- Require systemd-python for journal support - -* Sat Aug 03 2013 Fedora Release Engineering - 0.8.10-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Wed Jun 12 2013 Orion Poplawski - 0.8.10-1 -- Update to 0.8.10 security release -- Use upstream provided systemd files -- Drop upstreamed patches, rebase log2syslog and notmp patches - -* Fri Mar 15 2013 Orion Poplawski - 0.8.8-4 -- Use systemd init for Fedora 19+ (bug #883158) - -* Thu Feb 14 2013 Orion Poplawski - 0.8.8-3 -- Add patch from upstream to fix module imports (Bug #892365) -- Add patch from upstream to UTF-8 characters in syslog (Bug #905097) -- Drop Requires: tcp_wrappers and shorewall (Bug #781341) - -* Fri Jan 18 2013 Orion Poplawski - 0.8.8-2 -- Add patch to prevent sshd blocks of successful logins for systems that use - sssd or ldap - -* Mon Dec 17 2012 Orion 
Poplawski - 0.8.8-1 -- Update to 0.8.8 (CVE-2012-5642 Bug #887914) - -* Thu Oct 11 2012 Orion Poplawski - 0.8.7.1-1 -- Update to 0.8.7.1 -- Drop fd_cloexec, pyinotify, and examplemail patches fixed upstream -- Rebase sshd and notmp patches -- Use _initddir macro - -* Thu Jul 19 2012 Fedora Release Engineering - 0.8.4-29 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Fri Jan 13 2012 Fedora Release Engineering - 0.8.4-28 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Sat Apr 9 2011 Axel Thimm - 0.8.4-27 -- Move tmp files to /var/lib (suggested by Phil Anderson). -- Enable inotify support (by Jonathan Underwood). -- Fixes RH bugs #669966, #669965, #551895, #552947, #658849, #656584. - -* Sun Feb 14 2010 Axel Thimm - 0.8.4-24 -- Patch by Jonathan G. Underwood to - cloexec another fd leak. - -* Fri Sep 11 2009 Axel Thimm - 0.8.4-23 -- update to 0.8.4. - -* Wed Sep 2 2009 Axel Thimm - 0.8.3-22 -- Update to a newer svn snapshot to fix python 2.6 issue. - -* Thu Aug 27 2009 Axel Thimm - 0.8.3-21 -- Log to syslog (RH bug #491983). Also deals with RH bug #515116. -- Check inodes of log files (RH bug #503852). - -* Sat Feb 14 2009 Axel Thimm - 0.8.3-18 -- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466). - -* Mon Dec 01 2008 Ignacio Vazquez-Abrams - 0.8.3-17 -- Rebuild for Python 2.6 - -* Sun Aug 24 2008 Axel Thimm - 0.8.3-16 -- Update to 0.8.3. - -* Wed May 21 2008 Tom "spot" Callaway - 0.8.2-15 -- fix license tag - -* Thu Mar 27 2008 Axel Thimm - 0.8.2-14 -- Close on exec fixes by Jonathan Underwood. - -* Sun Mar 16 2008 Axel Thimm - 0.8.2-13 -- Add %%{_localstatedir}/run/fail2ban (David Rees). - -* Fri Mar 14 2008 Axel Thimm - 0.8.2-12 -- Update to 0.8.2. - -* Thu Jan 31 2008 Jonathan G. 
Underwood - 0.8.1-11 -- Move socket file from /tmp to /var/run to prevent SElinux from stopping - fail2ban from starting (BZ #429281) -- Change logic in init file to start with -x to remove the socket file in case - of unclean shutdown - -* Wed Aug 15 2007 Axel Thimm - 0.8.1-10 -- Update to 0.8.1. -- Remove patch fixing CVE-2007-4321 (upstream). -- Remove AllowUsers patch (upstream). -- Add dependency to gamin-python. - -* Thu Jun 21 2007 Axel Thimm - 0.8.0-9 -- Fix remote log injection (no CVE assignment yet). - -* Sun Jun 3 2007 Axel Thimm - 0.8.0-8 -- Also trigger on non-AllowUsers failures (Jonathan Underwood - ). - -* Wed May 23 2007 Axel Thimm - 0.8.0-7 -- logrotate should restart fail2ban (Zing ). -- send mail to root; logrotate (Jonathan Underwood - ) - -* Sat May 19 2007 Axel Thimm - 0.8.0-4 -- Update to 0.8.0. -- enable ssh by default, fix log file for ssh scanning, adjust python - dependency (Jonathan Underwood ) - -* Sat Dec 30 2006 Axel Thimm - 0.6.2-3 -- Remove forgotten condrestart. - -* Fri Dec 29 2006 Axel Thimm - 0.6.2-2 -- Move /usr/lib/fail2ban to %%{_datadir}/fail2ban. -- Don't default chkconfig to enabled. -- Add dependencies on service/chkconfig. -- Use example iptables/ssh config as default config. - -* Mon Dec 25 2006 Axel Thimm - 0.6.2-1 -- Initial build. diff --git a/fail2ban.te b/fail2ban.te deleted file mode 100644 index 5bc2394..0000000 --- a/fail2ban.te +++ /dev/null 
@@ -1,197 +0,0 @@
-policy_module(fail2ban, 1.5.1)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role fail2ban_client_roles;
-
-type fail2ban_t;
-type fail2ban_exec_t;
-init_daemon_domain(fail2ban_t, fail2ban_exec_t)
-
-type fail2ban_initrc_exec_t;
-init_script_file(fail2ban_initrc_exec_t)
-
-type fail2ban_log_t;
-logging_log_file(fail2ban_log_t)
-
-type fail2ban_var_lib_t;
-files_type(fail2ban_var_lib_t)
-
-type fail2ban_var_run_t;
-files_pid_file(fail2ban_var_run_t)
-
-type fail2ban_tmp_t;
-files_tmp_file(fail2ban_tmp_t)
-
-type fail2ban_client_t;
-type fail2ban_client_exec_t;
-init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
-role fail2ban_client_roles types fail2ban_client_t;
-
-########################################
-#
-# Server Local policy
-#
-
-allow fail2ban_t self:capability { dac_read_search sys_tty_config };
-allow fail2ban_t self:process { getpgid setsched signal };
-allow fail2ban_t self:fifo_file rw_fifo_file_perms;
-allow fail2ban_t self:unix_stream_socket { accept connectto listen };
-allow fail2ban_t self:tcp_socket { accept listen };
-allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
-
-read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
-
-append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
-create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
-setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
-logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
-
-manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
-
-manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
-manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
-
-manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
-
-kernel_read_system_state(fail2ban_t)
-kernel_read_network_state(fail2ban_t)
-kernel_read_net_sysctls(fail2ban_t)
-
-corecmd_exec_bin(fail2ban_t)
-corecmd_exec_shell(fail2ban_t)
-
-corenet_all_recvfrom_netlabel(fail2ban_t)
-corenet_tcp_sendrecv_generic_if(fail2ban_t)
-corenet_tcp_sendrecv_generic_node(fail2ban_t)
-
-corenet_sendrecv_whois_client_packets(fail2ban_t)
-corenet_tcp_connect_whois_port(fail2ban_t)
-corenet_tcp_sendrecv_whois_port(fail2ban_t)
-
-dev_read_urand(fail2ban_t)
-dev_read_sysfs(fail2ban_t)
-
-domain_use_interactive_fds(fail2ban_t)
-domain_dontaudit_read_all_domains_state(fail2ban_t)
-
-files_read_etc_runtime_files(fail2ban_t)
-files_list_var(fail2ban_t)
-files_dontaudit_list_tmp(fail2ban_t)
-
-fs_getattr_all_fs(fail2ban_t)
-
-auth_use_nsswitch(fail2ban_t)
-
-logging_read_all_logs(fail2ban_t)
-logging_read_audit_log(fail2ban_t)
-logging_send_syslog_msg(fail2ban_t)
-logging_read_syslog_pid(fail2ban_t)
-logging_dontaudit_search_audit_logs(fail2ban_t)
-logging_mmap_generic_logs(fail2ban_t)
-logging_mmap_journal(fail2ban_t)
-# Not in EL9 yet
-#logging_watch_audit_log_files(fail2ban_t)
-logging_watch_all_log_files(fail2ban_t)
-logging_watch_all_log_dirs(fail2ban_t)
-logging_watch_audit_log_files(fail2ban_t)
-logging_watch_audit_log_dirs(fail2ban_t)
-logging_watch_journal_dir(fail2ban_t)
-
-mta_send_mail(fail2ban_t)
-
-sysnet_manage_config(fail2ban_t)
-
-optional_policy(`
- apache_read_log(fail2ban_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(fail2ban_t)
- dbus_connect_system_bus(fail2ban_t)
-
- optional_policy(`
- firewalld_dbus_chat(fail2ban_t)
- ')
-')
-
-optional_policy(`
- ftp_read_log(fail2ban_t)
-')
-
-optional_policy(`
- gnome_dontaudit_search_config(fail2ban_t)
-')
-
-optional_policy(`
- iptables_domtrans(fail2ban_t)
-')
-
-optional_policy(`
- allow fail2ban_t self:capability sys_resource;
- allow fail2ban_t self:process setrlimit;
- journalctl_exec(fail2ban_t)
-')
-
-optional_policy(`
- libs_exec_ldconfig(fail2ban_t)
-')
-
-optional_policy(`
- rpm_exec(fail2ban_t)
-')
-
-optional_policy(`
- shorewall_domtrans(fail2ban_t)
-')
-
-########################################
-#
-# Client Local policy
-#
-
-allow fail2ban_client_t self:capability { dac_read_search };
-allow fail2ban_client_t self:unix_stream_socket { create connect write read };
-
-domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
-
-allow fail2ban_client_t fail2ban_t:process { rlimitinh };
-
-dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
-allow fail2ban_client_t fail2ban_var_run_t:dir write;
-stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
-
-kernel_read_system_state(fail2ban_client_t)
-
-corecmd_exec_bin(fail2ban_client_t)
-
-dev_read_urand(fail2ban_client_t)
-dev_read_rand(fail2ban_client_t)
-
-domain_use_interactive_fds(fail2ban_client_t)
-
-files_search_pids(fail2ban_client_t)
-
-auth_use_nsswitch(fail2ban_client_t)
-
-libs_exec_ldconfig(fail2ban_client_t)
-
-logging_getattr_all_logs(fail2ban_client_t)
-logging_search_all_logs(fail2ban_client_t)
-logging_read_audit_log(fail2ban_client_t)
-
-userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
-userdom_use_user_terminals(fail2ban_client_t)
-
-optional_policy(`
- apache_read_log(fail2ban_client_t)
-')
diff --git a/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc b/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
deleted file mode 100644
index 14da565..0000000
--- a/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
+++ /dev/null
@@ -1,29 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT -Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV -lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC -i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO -hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3 -BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl -ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ -CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm -NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h -RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n -2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq -GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ -3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX -XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ -uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh -Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a -kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf -awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6 -7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF -AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw -2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs -IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O -ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb -muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c -6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg== -=vqSW ------END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources deleted file mode 100644 index 934b139..0000000 --- a/sources +++ /dev/null 
@@ -1 +0,0 @@
-SHA512 (fail2ban-1.1.0.tar.gz) = 9bff7b9c41e58a953901800468e5c4153c9db6af01c7eb18111ad8620b40d03a0771020472fb759b2809d250e2bb45471e6c7e8283e72ea48290ecf7bf921821