From 3f49a1709f7b21b5361a191533a2307e2a1b21d2 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Sat, 25 Dec 2021 10:35:01 -0600 Subject: [PATCH 01/55] Add patches / updates for various fixes: * Add patch for Python 3.11 compatibilitys, fixes RHBZ#2034205. * Comment out a few lines in the selinux files that broke building on EPEL and don't seem to be needed. Fixes RHBZ#2029193. * Work around 2to3 being removed from Python setuptools. --- fail2ban-python311.patch | 21 +++++++++++++++++++++ fail2ban.spec | 12 ++++++++++-- fail2ban.te | 10 +++++----- 3 files changed, 36 insertions(+), 7 deletions(-) create mode 100644 fail2ban-python311.patch diff --git a/fail2ban-python311.patch b/fail2ban-python311.patch new file mode 100644 index 0000000..bd5d050 --- /dev/null +++ b/fail2ban-python311.patch @@ -0,0 +1,21 @@ +Index: fail2ban-0.11.2/fail2ban/tests/actiontestcase.py +=================================================================== +--- fail2ban-0.11.2.orig/fail2ban/tests/actiontestcase.py ++++ fail2ban-0.11.2/fail2ban/tests/actiontestcase.py +@@ -244,14 +244,14 @@ class CommandActionTest(LogCaptureTestCa + setattr(self.__action, 'ab', "") + setattr(self.__action, 'x?family=inet6', "") + # produce self-referencing properties except: +- self.assertRaisesRegexp(ValueError, r"properties contain self referencing definitions", ++ self.assertRaisesRegex(ValueError, r"properties contain self referencing definitions", + lambda: self.__action.replaceTag("", + self.__action._properties, conditional="family=inet4") + ) + # remore self-referencing in props: + delattr(self.__action, 'ac') + # produce self-referencing query except: +- self.assertRaisesRegexp(ValueError, r"possible self referencing definitions in query", ++ self.assertRaisesRegex(ValueError, r"possible self referencing definitions in query", + lambda: self.__action.replaceTag(""*30, + self.__action._properties, conditional="family=inet6") + ) diff --git a/fail2ban.spec b/fail2ban.spec index 93ad3d9..fc96869 100644 
--- a/fail2ban.spec +++ b/fail2ban.spec @@ -23,6 +23,10 @@ Patch1: https://github.com/fail2ban/fail2ban/commit/f259dac74721c00f0184bf452771 Patch2: https://github.com/fail2ban/fail2ban/compare/ea26509594a3220b012071604d73bb42d0ecae2c...py-3-10-alpha-5.patch # CVE-2021-32749 https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm Patch3: https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844.patch +# https://github.com/fail2ban/fail2ban/issues/2882 +#Patch4: https://github.com/fail2ban/fail2ban/commit/ebf5784b8cd4b7c52d0f328b780833b8594f5567.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2034205 +Patch5: fail2ban-python311.patch BuildArch: noarch @@ -217,6 +221,10 @@ find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3 # SELinux sources cp -p %SOURCE1 %SOURCE2 %SOURCE3 . +# 2to3 has been removed from setuptools and we already use the binary in +# %%prep. +sed -i "/use_2to3/d" setup.py + %build %if 0%{?rhel} && 0%{?rhel} < 8 @@ -263,8 +271,8 @@ cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <] -banaction_allports = firewallcmd-rich-rules[actiontype=] +banaction = firewallcmd-rich-rules +banaction_allports = firewallcmd-rich-rules EOF # systemd journal configuration diff --git a/fail2ban.te b/fail2ban.te index 92615ca..8cbf7b3 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -45,7 +45,7 @@ allow fail2ban_t self:netlink_netfilter_socket create_socket_perms; read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) -allow fail2ban_t fail2ban_log_t:file watch; +#allow fail2ban_t fail2ban_log_t:file watch; append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) 
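Review bot: The `@@ -263,8 +271,8 @@` hunk changes both `banaction` and `banaction_allports` in the generated 00-firewalld.conf to plain `firewallcmd-rich-rules`, and none of the three items in the commit message covers that change. Because these two settings decide how bans are enforced on firewalld hosts, the reason should be recorded next to the heredoc, for example `# actiontype override dropped, see <bug or upstream issue>`. The commit also adds no %changelog entry and no Release bump for a behaviour change of this kind. The removed lines are partly garbled in this view, so the exact old option value should be checked against the repository.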
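Review bot: Commenting out `allow fail2ban_t fail2ban_log_t:file watch;` in the `@@ -45,7 +45,7 @@` hunk, and the four `logging_watch_*` calls in the following `@@ -100,10 +100,10 @@` hunk, removes every watch permission from fail2ban_t on all targets, not only on EPEL where the build broke. If fail2ban uses an inotify-based log backend (not visible in this diff), an enforcing system would deny the watches and log monitoring could degrade with no build-time signal; patch 04/55 in this series restores watch rules (bz#2083923). Guarding only the interfaces that older policies lack, for example with an m4 `ifdef` on the interface name or a spec-side conditional, would keep the permissions where they exist. Each disabled line should also carry a reason, such as `# disabled: interface missing from EPEL selinux-policy, RHBZ#2029193`.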
@@ -100,10 +100,10 @@ logging_read_syslog_pid(fail2ban_t) logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) -logging_watch_audit_log_files(fail2ban_t) -logging_watch_audit_log_dirs(fail2ban_t) -logging_watch_generic_log_dirs(fail2ban_t) -logging_watch_journal_dir(fail2ban_t) +#logging_watch_audit_log_files(fail2ban_t) +#logging_watch_audit_log_dirs(fail2ban_t) +#logging_watch_generic_log_dirs(fail2ban_t) +#logging_watch_journal_dir(fail2ban_t) mta_send_mail(fail2ban_t) From 796f2eb44ee179b54528625884038f7c34bc42d8 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jan 2022 02:37:32 +0000 Subject: [PATCH 02/55] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index fc96869..224a893 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 0.11.2 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -407,6 +407,9 @@ fi %changelog +* Thu Jan 20 2022 Fedora Release Engineering - 0.11.2-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Sun Sep 26 2021 Mikel Olasagasti Uranga - 0.11.2-9 - Fix CVE-2021-32749 RHBZ#1983223 From cc4f0a773da4af30f0e0e3bbbedd2fa0f2301347 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Thu, 27 Jan 2022 20:45:23 -0700 Subject: [PATCH 03/55] Require /usr/bin/mail instead of mailx --- fail2ban.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 224a893..79c2608 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 0.11.2 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ 
@@ -162,7 +162,7 @@ This package contains Fail2Ban's testscases and scripts. %package mail Summary: Mail actions for Fail2Ban Requires: %{name}-server = %{version}-%{release} -Requires: mailx +Requires: /usr/bin/mail %description mail This package installs Fail2Ban's mail actions. These are an alternative @@ -407,6 +407,9 @@ fi %changelog +* Fri Jan 28 2022 Orion Poplawski - 0.11.2-11 +- Require /usr/bin/mail instead of mailx + * Thu Jan 20 2022 Fedora Release Engineering - 0.11.2-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From ec52ec24716b4d6e820431dbe7b33aceb20112d0 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Tue, 17 May 2022 21:46:41 -0600 Subject: [PATCH 04/55] Fix SELinux policy to allow watch on var_log_t (bz#2083923) --- fail2ban.spec | 5 ++++- fail2ban.te | 13 ++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 79c2608..9603304 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 0.11.2 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -407,6 +407,9 @@ fi %changelog +* Wed May 18 2022 Orion Poplawski - 0.11.2-12 +- Fix SELinux policy to allow watch on var_log_t (bz#2083923) + * Fri Jan 28 2022 Orion Poplawski - 0.11.2-11 - Require /usr/bin/mail instead of mailx diff --git a/fail2ban.te b/fail2ban.te index 8cbf7b3..6d36a70 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -45,7 +45,6 @@ allow fail2ban_t self:netlink_netfilter_socket create_socket_perms; read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) -#allow fail2ban_t fail2ban_log_t:file watch; append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) 
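Review bot: `Requires: /usr/bin/mail` in the `@@ -162,7 +162,7 @@` hunk lets any package that provides that path satisfy the dependency, while the mail actions call the binary with implementation-specific options. The CVE-2021-32749 patch carried by this package (Patch3) rewrites those commands to `mail -E 'set escape' -s`, and the meaning of `-E` can differ between mail implementations, so with another provider the hardening may not take effect or the command may fail. A spec comment naming the providers that were checked would make this auditable, e.g. `# /usr/bin/mail: verified with <provider list>; mail actions rely on -E 'set escape'`.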
@@ -100,10 +99,18 @@ logging_read_syslog_pid(fail2ban_t) logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) +allow fail2ban_t fail2ban_log_t:file watch; +# Not in EL9 yet #logging_watch_audit_log_files(fail2ban_t) +gen_require(` + type var_log_t, auditd_log_t; +') +watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t) #logging_watch_audit_log_dirs(fail2ban_t) -#logging_watch_generic_log_dirs(fail2ban_t) -#logging_watch_journal_dir(fail2ban_t) +allow fail2ban_t var_log_t:dir search_dir_perms; +watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t) +logging_watch_generic_log_dirs(fail2ban_t) +logging_watch_journal_dir(fail2ban_t) mta_send_mail(fail2ban_t) From 3673f99947ab3587437fe955102c8cd93b06c4af Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 15 Jun 2022 18:15:35 +0200 Subject: [PATCH 05/55] Rebuilt for Python 3.11 --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 9603304..a0a6a11 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 0.11.2 -Release: 12%{?dist} +Release: 13%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -407,6 +407,9 @@ fi %changelog +* Wed Jun 15 2022 Python Maint - 0.11.2-13 +- Rebuilt for Python 3.11 + * Wed May 18 2022 Orion Poplawski - 0.11.2-12 - Fix SELinux policy to allow watch on var_log_t (bz#2083923) From 872dd6642c5bfd153f4704c97f49d8db9ab22015 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 21 Jul 2022 02:43:48 +0000 Subject: [PATCH 06/55] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index a0a6a11..6d7b302 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
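Review bot: The added `watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)` and `watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)` grant watch access on audit log types named directly through `gen_require`, although the subject mentions only var_log_t and the context line `logging_dontaudit_search_audit_logs(fail2ban_t)` suggests the domain is not otherwise meant to look into audit logs. If no jail reads the audit log, leaving these two rules out keeps the domain tighter; if they are needed, a comment should say which jail needs them. The `# Not in EL9 yet` comment should name what to restore, e.g. `# TODO: switch back to logging_watch_audit_log_files/dirs once EL9 selinux-policy provides them`. `logging_watch_generic_log_dirs` and `logging_watch_journal_dir` are re-enabled unconditionally even though patch 01/55 disabled them for breaking EPEL builds, so it is worth confirming that every target policy now provides them.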
@@ -1,6 +1,6 @@ Name: fail2ban Version: 0.11.2 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -407,6 +407,9 @@ fi %changelog +* Thu Jul 21 2022 Fedora Release Engineering - 0.11.2-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Wed Jun 15 2022 Python Maint - 0.11.2-13 - Rebuilt for Python 3.11 From fb9a87495ac4dc2cbbae4ad703824bd6b3dd5a02 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Mon, 25 Jul 2022 21:29:30 -0500 Subject: [PATCH 07/55] Add patch for python 3.11. --- 3267.patch | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++ fail2ban.spec | 1 + 2 files changed, 87 insertions(+) create mode 100644 3267.patch diff --git a/3267.patch b/3267.patch new file mode 100644 index 0000000..9fa335e --- /dev/null +++ b/3267.patch @@ -0,0 +1,86 @@ +From 500895dcfa31f11c81b3c9128781a49a05e3bd05 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Mon, 25 Apr 2022 18:53:19 +0200 +Subject: [PATCH 1/5] GHA: update python 3.11 version + +--- + .github/workflows/main.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: fail2ban-0.11.2/fail2ban/server/datetemplate.py +=================================================================== +--- fail2ban-0.11.2.orig/fail2ban/server/datetemplate.py ++++ fail2ban-0.11.2/fail2ban/server/datetemplate.py +@@ -35,6 +35,7 @@ logSys = getLogger(__name__) + # check already grouped contains "(", but ignores char "\(" and conditional "(?(id)...)": + RE_GROUPED = re.compile(r'(? Date: Wed, 23 Feb 2022 19:19:22 +0100 Subject: [PATCH 08/55] Add bash completion file --- fail2ban.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fail2ban.spec b/fail2ban.spec index d03608d..15154d5 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -48,6 +48,7 @@ BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make +BuildRequires: bash-completion # Default components Requires: %{name}-firewalld = %{version}-%{release} @@ -294,6 +295,10 @@ rm -r %{buildroot}%{_docdir}/%{name} install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +#BASH completion +COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion) +%__mkdir_p $COMPLETIONDIR +%__install -p -m 644 files/bash-completion $COMPLETIONDIR/fail2ban %check %if 0%{?rhel} && 0%{?rhel} < 8 @@ -348,6 +353,7 @@ fi %exclude %{python3_sitelib}/fail2ban/tests %endif %{_unitdir}/fail2ban.service +%{_datadir}/bash-completion/ %{_mandir}/man1/fail2ban.1* %{_mandir}/man1/fail2ban-client.1* %{_mandir}/man1/fail2ban-python.1* From c29152aa29767f9a52f76e89f2df6e9995234f3d Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Sun, 2 Oct 2022 21:26:37 -0500 Subject: [PATCH 09/55] Update to 1.0.1. --- .gitignore | 1 + fail2ban.spec | 20 ++++++-------------- sources | 2 +- 3 files changed, 8 insertions(+), 15 deletions(-) diff --git a/.gitignore b/.gitignore index 0df6ce0..79e39c8 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,4 @@ fail2ban-0.8.4.tar.bz2 /fail2ban-0.10.5.tar.gz /fail2ban-0.11.1.tar.gz /fail2ban-0.11.2.tar.gz +/fail2ban-1.0.1.tar.gz diff --git a/fail2ban.spec b/fail2ban.spec index 15154d5..ab21ecf 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban -Version: 0.11.2 -Release: 14%{?dist} +Version: 1.0.1 +Release: 1%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ 
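Review bot: In the `@@ -294,6 +295,10 @@` hunk the result of `$(pkg-config --variable=completionsdir bash-completion)` is used unquoted and unchecked, so if pkg-config prints nothing `COMPLETIONDIR` is just `%{buildroot}` and the file is installed as `%{buildroot}/fail2ban`. Keeping the pkg-config result in its own variable, failing when it is empty with `[ -n "$dir" ] || exit 1`, and quoting `"%{buildroot}$dir"` in the mkdir and install lines would make the step fail where the problem is. In the `@@ -348,6 +353,7 @@` hunk `%{_datadir}/bash-completion/` makes this package own the whole shared directory; listing only the installed file, presumably `%{_datadir}/bash-completion/completions/fail2ban`, avoids that.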
@@ -15,19 +15,8 @@ Source4: Makefile # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 Patch0: fail2ban-partof.patch -# Fixes century selector for tests -# https://bugzilla.redhat.com/show_bug.cgi?id=1912472 -Patch1: https://github.com/fail2ban/fail2ban/commit/f259dac74721c00f0184bf45277137771fc747fe.patch -# Python 3.10a5 compatibility -# https://bugzilla.redhat.com/show_bug.cgi?id=1926201 -Patch2: https://github.com/fail2ban/fail2ban/compare/ea26509594a3220b012071604d73bb42d0ecae2c...py-3-10-alpha-5.patch -# CVE-2021-32749 https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm -Patch3: https://github.com/fail2ban/fail2ban/commit/410a6ce5c80dd981c22752da034f2529b5eee844.patch -# https://github.com/fail2ban/fail2ban/issues/2882 -#Patch4: https://github.com/fail2ban/fail2ban/commit/ebf5784b8cd4b7c52d0f328b780833b8594f5567.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2034205 -Patch5: fail2ban-python311.patch -Patch6: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3267.patch +Patch1: fail2ban-python311.patch BuildArch: noarch @@ -414,6 +403,9 @@ fi %changelog +* Sun Oct 02 2022 Richard Shaw - 1.0.1-1 +- Update to 1.0.1. + * Thu Jul 21 2022 Fedora Release Engineering - 0.11.2-14 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild diff --git a/sources b/sources index d48c0ea..90ff00d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (fail2ban-0.11.2.tar.gz) = 46b27abd947b00ea64106dbac563ef8afef38eec86684024d47d9a0e8c1969ff864ad6df7f4f8de2aa3eb1af6d769fb6796592d9f0e35521d5f95f17b8cade97 +SHA512 (fail2ban-1.0.1.tar.gz) = a4d0ee5405225b1ec950f3209bc304c1168c644d06309a187d77119f6bea12c382db046130a86411aad4210b458a16ee092269dc7953400950969a34550c6da5 From 97585e18cb8ac4eab074108bba221293ba3a2e9d Mon Sep 17 00:00:00 2001 
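Review bot: The `@@ -15,19 +15,8 @@` hunk drops `Patch3`, the CVE-2021-32749 fix, together with the other upstream backports, but the new changelog entry says only `- Update to 1.0.1.`. Dropping it is correct only if the 1.0.1 tarball already contains that fix, which this diff cannot show; recording it, e.g. `- Drop backported patches now in the upstream release (incl. CVE-2021-32749)`, lets a later audit confirm the fix was not lost in the rebase. The diffstat touches only .gitignore, fail2ban.spec and sources, so the now-unused patch files appear to stay in the repository until patch 13/55 deletes them.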
From: Richard Shaw Date: Wed, 2 Nov 2022 09:28:22 -0500 Subject: [PATCH 10/55] Add patch for dovecot eating 100% CPU. --- ...94c5229bd474f612b57b67d796252a4aab7a.patch | 99 +++++++++++++++++++ fail2ban.spec | 7 +- 2 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 ca2b94c5229bd474f612b57b67d796252a4aab7a.patch diff --git a/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch b/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch new file mode 100644 index 0000000..a00358f --- /dev/null +++ b/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch 
@@ -0,0 +1,99 @@ +From ca2b94c5229bd474f612b57b67d796252a4aab7a Mon Sep 17 00:00:00 2001 +From: sebres +Date: Tue, 4 Oct 2022 14:03:07 +0200 +Subject: [PATCH] fixes gh-3370: resolve extremely long search by repeated + apply of non-greedy RE `(?:: (?:[^\(]+|\w+\([^\)]*\))+)?` with following + branches (it may be extremely slow up to infinite search depending on + message); added new regression tests amend to gh-3210: fixes regression and + matches new format in aggressive mode too + +--- + ChangeLog | 4 ++++ + config/filter.d/dovecot.conf | 8 +++++--- + fail2ban/tests/files/logs/dovecot | 22 ++++++++++++++++++++++ + 3 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index fc4beade6e..04401ea866 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -11,6 +11,10 @@ ver. 1.0.2-dev-1 (20??/??/??) - development nightly edition + ----------- + + ### Fixes ++* `filter.d/dovecot.conf`: ++ - fixes regression introduced in gh-3210: resolve extremely long search by repeated apply of non-greedy RE-part ++ with following branches (it may be extremely slow up to infinite search depending on message), gh-3370 ++ - fixes regression and matches new format in aggressive mode too (amend to gh-3210) + + ### New Features and Enhancements + +diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf +index 0415ecb40a..dc3ebbcd42 100644 +--- a/config/filter.d/dovecot.conf ++++ b/config/filter.d/dovecot.conf +@@ -7,19 +7,21 @@ before = common.conf + + [Definition] + ++_daemon = (?:dovecot(?:-auth)?|auth) ++ + _auth_worker = (?:dovecot: )?auth(?:-worker)? + _auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )? 
+-_daemon = (?:dovecot(?:-auth)?|auth) ++_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))* + + prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s.+$ + + failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ +- ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?:: (?:[^\(]+|\w+\([^\)]*\))+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++ ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$ + ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) + > + +-mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + + mdre-normal = + +diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot +index 75934c37bb..0e33296129 100644 +--- a/fail2ban/tests/files/logs/dovecot ++++ b/fail2ban/tests/files/logs/dovecot +@@ -115,6 +115,17 @@ Aug 28 06:38:51 s166-62-100-187 dovecot: imap-login: Disconnected (auth failed, + # failJSON: { "time": "2004-08-28T06:38:52", "match": true , "host": "192.0.2.4", "desc": "open parenthesis in optional part between Disconnected and (auth failed ...), gh-3210" } + Aug 28 06:38:52 s166-62-100-187 dovecot: imap-login: Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer (auth failed, 1 attempts in 0 secs): user=, rip=192.0.2.4, lip=127.0.0.19, session= + ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. 
(no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol ++ + # failJSON: { "time": "2004-08-29T03:17:18", "match": true , "host": "192.0.2.133" } + Aug 29 03:17:18 server dovecot: submission-login: Client has quit the connection (auth failed, 1 attempts in 2 secs): user=, method=LOGIN, rip=192.0.2.133, lip=0.0.0.0 + # failJSON: { "time": "2004-08-29T03:53:52", "match": true , "host": "192.0.2.169" } +@@ -128,6 +139,17 @@ Aug 29 15:33:53 server dovecot: managesieve-login: Disconnected: Too many invali + + # filterOptions: [{"mode": "aggressive"}] + ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: 
SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol ++ + # failJSON: { "time": "2004-08-29T16:06:58", "match": true , "host": "192.0.2.5" } + Aug 29 16:06:58 s166-62-100-187 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.5, lip=192.168.1.2, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer + # failJSON: { "time": "2004-08-31T16:15:10", "match": true , "host": "192.0.2.6" } diff --git a/fail2ban.spec b/fail2ban.spec index ab21ecf..8bada15 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -1,6 +1,6 @@ Name: fail2ban Version: 1.0.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -17,6 +17,8 @@ Source4: Makefile Patch0: fail2ban-partof.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2034205 Patch1: fail2ban-python311.patch +# Patch for dovecot jail eating 100% CPU +Patch2: https://github.com/fail2ban/fail2ban/commit/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch BuildArch: noarch @@ -403,6 +405,9 @@ fi %changelog +* Wed Nov 02 2022 Richard Shaw - 1.0.1-2 +- Add patch for dovecot eating 100% CPU. + * Sun Oct 02 2022 Richard Shaw - 1.0.1-1 - Update to 1.0.1. From b0713d488e7d9d82d87e570ea82e2e4be441e5df Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 2 Nov 2022 12:30:15 -0500 Subject: [PATCH 11/55] Refresh patch to apply to archive. --- ...94c5229bd474f612b57b67d796252a4aab7a.patch | 35 ++++++------------- fail2ban-python311.patch | 8 ++--- 2 files changed, 14 insertions(+), 29 deletions(-) diff --git a/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch b/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch index a00358f..02a9ae5 100644 --- a/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch +++ b/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch 
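Review bot: The comment added above `Patch2` in the `@@ -17,6 +17,8 @@` hunk gives only the symptom, while the imported patch states that it fixes gh-3370, a regex in filter.d/dovecot.conf whose search can become extremely long depending on the log message. Those messages can contain client-influenced text, so this is a denial-of-service fix for the daemon and is worth naming as such: `# Upstream fix for gh-3370: slow regex in filter.d/dovecot.conf (100% CPU on some log lines)`. The imported patch also carries a ChangeLog hunk written against the upstream development tree, which may not apply to the 1.0.1 archive; patch 11/55 removes it.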
@@ -13,25 +13,10 @@ Subject: [PATCH] fixes gh-3370: resolve extremely long search by repeated fail2ban/tests/files/logs/dovecot | 22 ++++++++++++++++++++++ 3 files changed, 31 insertions(+), 3 deletions(-) -diff --git a/ChangeLog b/ChangeLog -index fc4beade6e..04401ea866 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -11,6 +11,10 @@ ver. 1.0.2-dev-1 (20??/??/??) - development nightly edition - ----------- - - ### Fixes -+* `filter.d/dovecot.conf`: -+ - fixes regression introduced in gh-3210: resolve extremely long search by repeated apply of non-greedy RE-part -+ with following branches (it may be extremely slow up to infinite search depending on message), gh-3370 -+ - fixes regression and matches new format in aggressive mode too (amend to gh-3210) - - ### New Features and Enhancements - -diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf -index 0415ecb40a..dc3ebbcd42 100644 ---- a/config/filter.d/dovecot.conf -+++ b/config/filter.d/dovecot.conf +Index: fail2ban-1.0.1/config/filter.d/dovecot.conf +=================================================================== +--- fail2ban-1.0.1.orig/config/filter.d/dovecot.conf ++++ fail2ban-1.0.1/config/filter.d/dovecot.conf @@ -7,19 +7,21 @@ before = common.conf [Definition] 
@@ -57,11 +42,11 @@ index 0415ecb40a..dc3ebbcd42 100644 mdre-normal = -diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot -index 75934c37bb..0e33296129 100644 ---- a/fail2ban/tests/files/logs/dovecot -+++ b/fail2ban/tests/files/logs/dovecot -@@ -115,6 +115,17 @@ Aug 28 06:38:51 s166-62-100-187 dovecot: imap-login: Disconnected (auth failed, +Index: fail2ban-1.0.1/fail2ban/tests/files/logs/dovecot +=================================================================== +--- fail2ban-1.0.1.orig/fail2ban/tests/files/logs/dovecot ++++ fail2ban-1.0.1/fail2ban/tests/files/logs/dovecot +@@ -115,6 +115,17 @@ Aug 28 06:38:51 s166-62-100-187 dovecot: # failJSON: { "time": "2004-08-28T06:38:52", "match": true , "host": "192.0.2.4", "desc": "open parenthesis in optional part between Disconnected and (auth failed ...), gh-3210" } Aug 28 06:38:52 s166-62-100-187 dovecot: imap-login: Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer (auth failed, 1 attempts in 0 secs): user=, rip=192.0.2.4, lip=127.0.0.19, session= @@ -79,7 +64,7 @@ index 75934c37bb..0e33296129 100644 # failJSON: { "time": "2004-08-29T03:17:18", "match": true , "host": "192.0.2.133" } Aug 29 03:17:18 server dovecot: submission-login: Client has quit the connection (auth failed, 1 attempts in 2 secs): user=, method=LOGIN, rip=192.0.2.133, lip=0.0.0.0 # failJSON: { "time": "2004-08-29T03:53:52", "match": true , "host": "192.0.2.169" } -@@ -128,6 +139,17 @@ Aug 29 15:33:53 server dovecot: managesieve-login: Disconnected: Too many invali +@@ -128,6 +139,17 @@ Aug 29 15:33:53 server dovecot: managesi # filterOptions: [{"mode": "aggressive"}] diff --git a/fail2ban-python311.patch b/fail2ban-python311.patch index bd5d050..8a89af7 100644 --- a/fail2ban-python311.patch +++ b/fail2ban-python311.patch 
@@ -1,8 +1,8 @@ -Index: fail2ban-0.11.2/fail2ban/tests/actiontestcase.py +Index: fail2ban-1.0.1/fail2ban/tests/actiontestcase.py =================================================================== ---- fail2ban-0.11.2.orig/fail2ban/tests/actiontestcase.py -+++ fail2ban-0.11.2/fail2ban/tests/actiontestcase.py -@@ -244,14 +244,14 @@ class CommandActionTest(LogCaptureTestCa +--- fail2ban-1.0.1.orig/fail2ban/tests/actiontestcase.py ++++ fail2ban-1.0.1/fail2ban/tests/actiontestcase.py +@@ -242,14 +242,14 @@ class CommandActionTest(LogCaptureTestCa setattr(self.__action, 'ab', "") setattr(self.__action, 'x?family=inet6', "") # produce self-referencing properties except: From e0082e942bbd887e00f95d4399033ebfab7cfbe7 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Fri, 4 Nov 2022 07:17:37 -0500 Subject: [PATCH 12/55] Add Requires for selinux subpackage for EL 9. --- fail2ban.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 8bada15..74e8a11 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -89,7 +89,7 @@ Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%if 0%{?fedora} +%if 0%{?fedora} || 0%{?rhel} >= 9 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) %endif From 74ee613b996728c1e890b542c70c22f4196d523d Mon Sep 17 00:00:00 2001 
From: Richard Shaw Date: Sat, 17 Dec 2022 17:14:39 -0600 Subject: [PATCH 13/55] Update to 1.0.2. --- .gitignore | 1 + 3267.patch | 86 ---------- ...6ce5c80dd981c22752da034f2529b5eee844.patch | 155 ------------------ ...604d73bb42d0ecae2c...py-3-10-alpha-5.patch | 80 --------- ...dac74721c00f0184bf45277137771fc747fe.patch | 48 ------ fail2ban.spec | 14 +- sources | 2 +- 7 files changed, 12 insertions(+), 374 deletions(-) delete mode 100644 3267.patch delete mode 100644 410a6ce5c80dd981c22752da034f2529b5eee844.patch delete mode 100644 ea26509594a3220b012071604d73bb42d0ecae2c...py-3-10-alpha-5.patch delete mode 100644 f259dac74721c00f0184bf45277137771fc747fe.patch diff --git a/.gitignore b/.gitignore index 79e39c8..7fbd936 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,4 @@ fail2ban-0.8.4.tar.bz2 /fail2ban-0.11.1.tar.gz /fail2ban-0.11.2.tar.gz /fail2ban-1.0.1.tar.gz +/fail2ban-1.0.2.tar.gz diff --git a/3267.patch b/3267.patch deleted file mode 100644 index 9fa335e..0000000 --- a/3267.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 500895dcfa31f11c81b3c9128781a49a05e3bd05 Mon Sep 17 00:00:00 2001 -From: "Sergey G. Brester" -Date: Mon, 25 Apr 2022 18:53:19 +0200 -Subject: [PATCH 1/5] GHA: update python 3.11 version - ---- - .github/workflows/main.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: fail2ban-0.11.2/fail2ban/server/datetemplate.py -=================================================================== ---- fail2ban-0.11.2.orig/fail2ban/server/datetemplate.py -+++ fail2ban-0.11.2/fail2ban/server/datetemplate.py -@@ -35,6 +35,7 @@ logSys = getLogger(__name__) - # check already grouped contains "(", but ignores char "\(" and conditional "(?(id)...)": - RE_GROUPED = re.compile(r'(? -Date: Mon, 21 Jun 2021 17:12:53 +0200 -Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable - (default tilde) stops consider "~" char after new-line as composing escape - sequence - ---- - config/action.d/complain.conf | 2 +- - config/action.d/dshield.conf | 2 +- - config/action.d/mail-buffered.conf | 8 ++++---- - config/action.d/mail-whois-lines.conf | 2 +- - config/action.d/mail-whois.conf | 6 +++--- - config/action.d/mail.conf | 6 +++--- - 6 files changed, 13 insertions(+), 13 deletions(-) - -diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf -index 3a5f882c9f..4d73b05859 100644 ---- a/config/action.d/complain.conf -+++ b/config/action.d/complain.conf -@@ -102,7 +102,7 @@ logpath = /dev/null - # Notes.: Your system mail command. Is passed 2 args: subject and recipient - # Values: CMD - # --mailcmd = mail -s -+mailcmd = mail -E 'set escape' -s - - # Option: mailargs - # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: -diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf -index c128bef348..3d5a7a53a9 100644 ---- a/config/action.d/dshield.conf -+++ b/config/action.d/dshield.conf -@@ -179,7 +179,7 @@ tcpflags = - # Notes.: Your system mail command. 
Is passed 2 args: subject and recipient - # Values: CMD - # --mailcmd = mail -s -+mailcmd = mail -E 'set escape' -s - - # Option: mailargs - # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: -diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf -index 325f185b2f..79b841049c 100644 ---- a/config/action.d/mail-buffered.conf -+++ b/config/action.d/mail-buffered.conf -@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n - The jail has been started successfully.\n - Output will be buffered until lines are available.\n - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : started on " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " - - # Option: actionstop - # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) -@@ -28,13 +28,13 @@ actionstop = if [ -f ]; then - These hosts have been banned by Fail2Ban.\n - `cat ` - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : Summary from " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary from " - rm - fi - printf %%b "Hi,\n - The jail has been stopped.\n - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " - - # Option: actioncheck - # Notes.: command executed once before each actionban command -@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: ( failures)\n" >> - These hosts have been banned by Fail2Ban.\n - `cat ` - \nRegards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : Summary" -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary" - rm - fi - -diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf -index 3a3e56b2c7..d2818cb9b9 100644 ---- a/config/action.d/mail-whois-lines.conf -+++ b/config/action.d/mail-whois-lines.conf -@@ -72,7 +72,7 @@ actionunban = - # Notes.: Your system mail command. 
Is passed 2 args: subject and recipient - # Values: CMD - # --mailcmd = mail -s -+mailcmd = mail -E 'set escape' -s - - # Default name of the chain - # -diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf -index 7fea34c40d..ab33b616dc 100644 ---- a/config/action.d/mail-whois.conf -+++ b/config/action.d/mail-whois.conf -@@ -20,7 +20,7 @@ norestored = 1 - actionstart = printf %%b "Hi,\n - The jail has been started successfully.\n - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : started on " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " - - # Option: actionstop - # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) -@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n - actionstop = printf %%b "Hi,\n - The jail has been stopped.\n - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " - - # Option: actioncheck - # Notes.: command executed once before each actionban command -@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n - Here is more information about :\n - `%(_whois_command)s`\n - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : banned from " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " - - # Option: actionunban - # Notes.: command executed when unbanning an IP. 
Take care that the -diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf -index 5d8c0e154c..f4838ddcb6 100644 ---- a/config/action.d/mail.conf -+++ b/config/action.d/mail.conf -@@ -16,7 +16,7 @@ norestored = 1 - actionstart = printf %%b "Hi,\n - The jail has been started successfully.\n - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : started on " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " - - # Option: actionstop - # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) -@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n - actionstop = printf %%b "Hi,\n - The jail has been stopped.\n - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : stopped on " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " - - # Option: actioncheck - # Notes.: command executed once before each actionban command -@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n - The IP has just been banned by Fail2Ban after - attempts against .\n - Regards,\n -- Fail2Ban"|mail -s "[Fail2Ban] : banned from " -+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " - - # Option: actionunban - # Notes.: command executed when unbanning an IP. Take care that the diff --git a/ea26509594a3220b012071604d73bb42d0ecae2c...py-3-10-alpha-5.patch b/ea26509594a3220b012071604d73bb42d0ecae2c...py-3-10-alpha-5.patch deleted file mode 100644 index c7f2c0f..0000000 --- a/ea26509594a3220b012071604d73bb42d0ecae2c...py-3-10-alpha-5.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From ad74e1c628b4fa2f67d8f7e342138e6e103832ea Mon Sep 17 00:00:00 2001 -From: "Sergey G. Brester" -Date: Mon, 8 Feb 2021 17:19:24 +0100 -Subject: [PATCH 2/4] follow bpo-37324: - :ref:`collections-abstract-base-classes` moved to the :mod:`collections.abc` - module - -(since 3.10-alpha.5 `MutableMapping` is missing in collections module) ---- - fail2ban/server/action.py | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py -index 4615401ed..16ff66212 100644 ---- a/fail2ban/server/action.py -+++ b/fail2ban/server/action.py -@@ -30,7 +30,10 @@ - import threading - import time - from abc import ABCMeta --from collections import MutableMapping -+try: -+ from collections.abc import MutableMapping -+except ImportError: -+ from collections import MutableMapping - - from .failregex import mapTag2Opt - from .ipdns import DNSUtils - -From a785aab392d8de2ecb685d8bdd9266a0c7f8edf8 Mon Sep 17 00:00:00 2001 -From: "Sergey G. Brester" -Date: Mon, 8 Feb 2021 17:25:45 +0100 -Subject: [PATCH 3/4] amend for `Mapping` - ---- - fail2ban/server/actions.py | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py -index 967908af6..91e1ebaf3 100644 ---- a/fail2ban/server/actions.py -+++ b/fail2ban/server/actions.py -@@ -28,7 +28,10 @@ - import os - import sys - import time --from collections import Mapping -+try: -+ from collections.abc import Mapping -+except ImportError: -+ from collections import Mapping - try: - from collections import OrderedDict - except ImportError: - -From 0e2e2bf37da59649a1c3392b04b9480f84dac446 Mon Sep 17 00:00:00 2001 -From: "Sergey G. 
Brester" -Date: Mon, 8 Feb 2021 17:35:59 +0100 -Subject: [PATCH 4/4] amend for `Mapping` (jails) - ---- - fail2ban/server/jails.py | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/fail2ban/server/jails.py b/fail2ban/server/jails.py -index 972a8c4bd..27e12ddf6 100644 ---- a/fail2ban/server/jails.py -+++ b/fail2ban/server/jails.py -@@ -22,7 +22,10 @@ - __license__ = "GPL" - - from threading import Lock --from collections import Mapping -+try: -+ from collections.abc import Mapping -+except ImportError: -+ from collections import Mapping - - from ..exceptions import DuplicateJailException, UnknownJailException - from .jail import Jail diff --git a/f259dac74721c00f0184bf45277137771fc747fe.patch b/f259dac74721c00f0184bf45277137771fc747fe.patch deleted file mode 100644 index ba399ae..0000000 --- a/f259dac74721c00f0184bf45277137771fc747fe.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 747d4683221b5584f9663695fb48145689b42ceb Mon Sep 17 00:00:00 2001 -From: sebres -Date: Mon, 4 Jan 2021 02:42:38 +0100 -Subject: [PATCH] fixes century selector of %ExY and %Exy in datepattern for - tests, considering interval from 2005 (alternate now) to now; + better - grouping algorithm for resulting century RE - ---- - fail2ban/server/strptime.py | 24 ++++++++++++++++++++++-- - 1 file changed, 22 insertions(+), 2 deletions(-) - -diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py -index 1464a96d1..39fc79586 100644 ---- a/fail2ban/server/strptime.py -+++ b/fail2ban/server/strptime.py -@@ -36,10 +36,30 @@ def _getYearCentRE(cent=(0,3), distance=3, now=(MyTime.now(), MyTime.alternateNo - Thereby respect possible run in the test-cases (alternate date used there) - """ - cent = lambda year, f=cent[0], t=cent[1]: str(year)[f:t] -+ def grp(exprset): -+ c = None -+ if len(exprset) > 1: -+ for i in exprset: -+ if c is None or i[0:-1] == c: -+ c = i[0:-1] -+ else: -+ c = None -+ break -+ if not c: -+ for i in exprset: -+ if c is None or i[0] == c: -+ c = i[0] -+ else: -+ c = None -+ break -+ if c: -+ return "%s%s" % (c, grp([i[len(c):] for i in exprset])) -+ return ("(?:%s)" % "|".join(exprset) if len(exprset[0]) > 1 else "[%s]" % "".join(exprset)) \ -+ if len(exprset) > 1 else "".join(exprset) - exprset = set( cent(now[0].year + i) for i in (-1, distance) ) - if len(now) and now[1]: -- exprset |= set( cent(now[1].year + i) for i in (-1, distance) ) -- return "(?:%s)" % "|".join(exprset) if len(exprset) > 1 else "".join(exprset) -+ exprset |= set( cent(now[1].year + i) for i in xrange(-1, now[0].year-now[1].year+1, distance) ) -+ return grp(sorted(list(exprset))) - - timeRE = TimeRE() - diff --git a/fail2ban.spec b/fail2ban.spec index 74e8a11..f11ef8c 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -1,6 +1,6 @@ Name: fail2ban -Version: 1.0.1 -Release: 2%{?dist} +Version: 1.0.2 +Release: 1%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -11,6 +11,7 @@ Source1: fail2ban.fc Source2: fail2ban.if Source3: fail2ban.te Source4: Makefile + # Give up being PartOf iptables and ipset for now # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 @@ -18,7 +19,7 @@ Patch0: fail2ban-partof.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2034205 Patch1: fail2ban-python311.patch # Patch for dovecot jail eating 100% CPU -Patch2: https://github.com/fail2ban/fail2ban/commit/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch +#Patch2: https://github.com/fail2ban/fail2ban/commit/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch BuildArch: noarch @@ -227,6 +228,7 @@ sed -i "/use_2to3/d" setup.py %endif make -f %SOURCE4 + %install %if 0%{?rhel} && 0%{?rhel} < 8 %py2_install @@ -291,6 +293,7 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion %__mkdir_p $COMPLETIONDIR %__install -p -m 644 files/bash-completion $COMPLETIONDIR/fail2ban + %check %if 0%{?rhel} && 0%{?rhel} < 8 %python2 bin/fail2ban-testcases --verbosity=2 --no-network @@ -351,7 +354,7 @@ fi %{_mandir}/man1/fail2ban-regex.1* %{_mandir}/man1/fail2ban-server.1* %{_mandir}/man5/*.5* -%config(noreplace) %{_sysconfdir}/fail2ban +%config(noreplace) %{_sysconfdir}/fail2ban/ %exclude %{_sysconfdir}/fail2ban/action.d/complain.conf %exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf %exclude %{_sysconfdir}/fail2ban/action.d/mail.conf @@ -405,6 +408,9 @@ fi %changelog +* Sat Dec 17 2022 Richard Shaw - 1.0.2-1 +- Update to 1.0.2. + * Wed Nov 02 2022 Richard Shaw - 1.0.1-2 - Add patch for dovecot eating 100% CPU. diff --git a/sources b/sources index 90ff00d..6655594 100644 --- a/sources +++ b/sources 
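Review bot: In the `@@ -18,7 +19,7 @@` hunk, `Patch2` is disabled by turning it into `#Patch2: ...` while its description `# Patch for dovecot jail eating 100% CPU` stays, which leaves no record of why the fix is no longer applied. If 1.0.2 already contains that upstream commit, delete both lines; if not, state the reason, e.g. `# Dropped in 1.0.2-1: included upstream`. The same update also deletes four carried patch files, one of them labelled as a fix for a possible RCE in the mail actions, so the changelog entry would be clearer if it said these are all part of the 1.0.2 tarball (presumably they are; worth confirming against the new sources).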
@@ -1 +1 @@ -SHA512 (fail2ban-1.0.1.tar.gz) = a4d0ee5405225b1ec950f3209bc304c1168c644d06309a187d77119f6bea12c382db046130a86411aad4210b458a16ee092269dc7953400950969a34550c6da5 +SHA512 (fail2ban-1.0.2.tar.gz) = 688a84361b5794e1658f53d2d200ce752fe1e3320ddb1742c32c4b4b82a79ace16ae464e7ea3eeb94a0e862bcac73c2d3a0e61dd7b28e179a4c857f950d74dbb From 5388f7c3d4ad9036688d2ac3319ca85266ffd0c6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 19 Jan 2023 03:01:08 +0000 Subject: [PATCH 14/55] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index f11ef8c..108f1c9 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 1.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -408,6 +408,9 @@ fi %changelog +* Thu Jan 19 2023 Fedora Release Engineering - 1.0.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Sat Dec 17 2022 Richard Shaw - 1.0.2-1 - Update to 1.0.2. From d94388bb16212d9063fdb4fcfc0ec3e05cfd8f6b Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 29 Mar 2023 18:17:35 -0600 Subject: [PATCH 15/55] Fix selinux requires for EPEL7/8 --- fail2ban.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 108f1c9..4814fb2 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -89,9 +89,10 @@ Requires: nftables Requires(post): systemd Requires(preun): systemd Requires(postun): systemd - -%if 0%{?fedora} || 0%{?rhel} >= 9 +%if 0%{?fedora} || 0%{?rhel} >= 8 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%else +Requires: %{name}-selinux %endif %description server From af8f467d8f11ec0f313acf6978cd72d81b899d70 Mon Sep 17 00:00:00 2001 
From: Orion Poplawski Date: Thu, 30 Mar 2023 10:24:26 -0600 Subject: [PATCH 16/55] Add upstream patch to remove warning about allowipv6 (bz#2160781) --- 28473.patch | 214 ++++++++++++++++++++++++++++++++++++++++++++++++++ fail2ban.spec | 7 +- 2 files changed, 220 insertions(+), 1 deletion(-) create mode 100644 28473.patch diff --git a/28473.patch b/28473.patch new file mode 100644 index 0000000..3b315cf --- /dev/null +++ b/28473.patch 
@@ -0,0 +1,214 @@ +From 659cd9223bb9a04cc50986a3b371e22e2bac9a91 Mon Sep 17 00:00:00 2001 +From: hsk17 +Date: Tue, 29 Nov 2022 12:11:59 +0100 +Subject: [PATCH 1/3] upstream configreader patch + +Signed-off-by: hsk17 +--- + .../fail2ban-1.0.2-configreader-warning.patch | 23 +++++++++++++++++++ + 1 file changed, 23 insertions(+) + create mode 100644 net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch + +diff --git a/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch b/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch +new file mode 100644 +index 0000000000000..74f2739708ae7 +--- /dev/null ++++ b/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch +@@ -0,0 +1,23 @@ ++From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001 ++From: "Sergey G. Brester" ++Date: Mon, 28 Nov 2022 13:21:15 +0100 ++Subject: [PATCH] no warning if no config value but default (debug message now) ++ ++closes #3420 ++--- ++ fail2ban/client/configreader.py | 2 +- ++ 1 file changed, 1 insertion(+), 1 deletion(-) ++ ++diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py ++index 1b5a56a27c..c7f965ce52 100644 ++--- a/fail2ban/client/configreader.py +++++ b/fail2ban/client/configreader.py ++@@ -277,7 +277,7 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False, convert=Tru ++ # TODO: validate error handling here. ++ except NoOptionError: ++ if not optvalue is None: ++- logSys.warning("'%s' not defined in '%s'. Using default one: %r" +++ logSys.debug("'%s' not defined in '%s'. 
Using default one: %r" ++ % (optname, sec, optvalue)) ++ values[optname] = optvalue ++ # elif logSys.getEffectiveLevel() <= logLevel: + +From 79a59ae91ece23711370af79dc820a801b05e56b Mon Sep 17 00:00:00 2001 +From: hsk17 +Date: Tue, 29 Nov 2022 12:13:05 +0100 +Subject: [PATCH 2/3] rev bump to add upstream configreader patch + +Signed-off-by: hsk17 +--- + .../fail2ban/fail2ban-1.0.2-r1.ebuild | 134 ++++++++++++++++++ + 1 file changed, 134 insertions(+) + create mode 100644 net-analyzer/fail2ban/fail2ban-1.0.2-r1.ebuild + +diff --git a/net-analyzer/fail2ban/fail2ban-1.0.2-r1.ebuild b/net-analyzer/fail2ban/fail2ban-1.0.2-r1.ebuild +new file mode 100644 +index 0000000000000..64532f55baf31 +--- /dev/null ++++ b/net-analyzer/fail2ban/fail2ban-1.0.2-r1.ebuild +@@ -0,0 +1,134 @@ ++# Copyright 1999-2022 Gentoo Authors ++# Distributed under the terms of the GNU General Public License v2 ++ ++EAPI=8 ++ ++DISTUTILS_SINGLE_IMPL=1 ++PYTHON_COMPAT=( python3_{8..11} ) ++ ++inherit bash-completion-r1 distutils-r1 systemd tmpfiles ++ ++DESCRIPTION="Scans log files and bans IPs that show malicious signs" ++HOMEPAGE="https://www.fail2ban.org/" ++ ++if [[ ${PV} == *9999 ]] ; then ++ EGIT_REPO_URI="https://github.com/fail2ban/fail2ban" ++ inherit git-r3 ++else ++ SRC_URI="https://github.com/fail2ban/fail2ban/archive/${PV}.tar.gz -> ${P}.tar.gz" ++ KEYWORDS="~alpha amd64 arm arm64 hppa ppc ppc64 sparc x86" ++fi ++ ++LICENSE="GPL-2" ++SLOT="0" ++IUSE="selinux systemd" ++ ++RDEPEND=" ++ virtual/logger ++ virtual/mta ++ selinux? ( sec-policy/selinux-fail2ban ) ++ systemd? 
( ++ $(python_gen_cond_dep ' ++ || ( ++ dev-python/python-systemd[${PYTHON_USEDEP}] ++ sys-apps/systemd[python(-),${PYTHON_USEDEP}] ++ )' 'python*' ) ++ ) ++" ++ ++DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt ) ++ ++PATCHES=( ++ "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch ++ "${FILESDIR}"/${P}-configreader-warning.patch ++) ++ ++python_prepare_all() { ++ distutils-r1_python_prepare_all ++ ++ # Replace /var/run with /run, but not in the top source directory ++ find . -mindepth 2 -type f -exec \ ++ sed -i -e 's|/var\(/run/fail2ban\)|\1|g' {} + || die ++} ++ ++python_compile() { ++ ./fail2ban-2to3 || die ++ distutils-r1_python_compile ++} ++ ++python_test() { ++ bin/fail2ban-testcases \ ++ --no-network \ ++ --no-gamin \ ++ --verbosity=4 || die "Tests failed with ${EPYTHON}" ++ ++ # Workaround for bug #790251 ++ rm -r fail2ban.egg-info || die ++} ++ ++python_install_all() { ++ distutils-r1_python_install_all ++ ++ rm -rf "${ED}"/usr/share/doc/${PN} "${ED}"/run || die ++ ++ newconfd files/fail2ban-openrc.conf ${PN} ++ ++ # These two are placed in the ${BUILD_DIR} after being "built" ++ # in install_scripts(). ++ newinitd "${BUILD_DIR}/fail2ban-openrc.init" "${PN}" ++ systemd_dounit "${BUILD_DIR}/${PN}.service" ++ ++ dotmpfiles files/${PN}-tmpfiles.conf ++ ++ doman man/*.{1,5} ++ ++ # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d. ++ # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675 ++ insinto /etc/logrotate.d ++ newins files/${PN}-logrotate ${PN} ++ ++ keepdir /var/lib/${PN} ++ ++ newbashcomp files/bash-completion ${PN}-client ++ bashcomp_alias ${PN}-client ${PN}-server ${PN}-regex ++} ++ ++pkg_preinst() { ++ has_version "<${CATEGORY}/${PN}-0.7" ++ previous_less_than_0_7=$? 
++} ++ ++pkg_postinst() { ++ tmpfiles_process ${PN}-tmpfiles.conf ++ ++ if [[ ${previous_less_than_0_7} = 0 ]] ; then ++ elog ++ elog "Configuration files are now in /etc/fail2ban/" ++ elog "You probably have to manually update your configuration" ++ elog "files before restarting Fail2Ban!" ++ elog ++ elog "Fail2Ban is not installed under /usr/lib anymore. The" ++ elog "new location is under /usr/share." ++ elog ++ elog "You are upgrading from version 0.6.x, please see:" ++ elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8" ++ fi ++ ++ if ! has_version dev-python/pyinotify && ! has_version app-admin/gamin ; then ++ elog "For most jail.conf configurations, it is recommended you install either" ++ elog "dev-python/pyinotify or app-admin/gamin (in order of preference)" ++ elog "to control how log file modifications are detected" ++ fi ++ ++ if ! has_version dev-lang/python[sqlite] ; then ++ elog "If you want to use ${PN}'s persistent database, then reinstall" ++ elog "dev-lang/python with USE=sqlite. If you do not use the" ++ elog "persistent database feature, then you should set" ++ elog "dbfile = :memory: in fail2ban.conf accordingly." 
++ fi ++ ++ if has_version sys-apps/systemd[-python] ; then ++ elog "If you want to track logins through sys-apps/systemd's" ++ elog "journal backend, then reinstall sys-apps/systemd with USE=python" ++ fi ++} + +From ab30bb72cf1cdb0ccd717c417c10eae82381d6d7 Mon Sep 17 00:00:00 2001 +From: hsk17 +Date: Tue, 27 Dec 2022 16:08:43 +0100 +Subject: [PATCH 3/3] Update fail2ban-1.0.2-configreader-warning.patch + +Signed-off-by: hsk17 +--- + .../fail2ban/files/fail2ban-1.0.2-configreader-warning.patch | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch b/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch +index 74f2739708ae7..b53e604572cfd 100644 +--- a/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch ++++ b/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch +@@ -1,3 +1,6 @@ ++ ++https://github.com/fail2ban/fail2ban/commit/432e7e1 ++ + From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001 + From: "Sergey G. Brester" + Date: Mon, 28 Nov 2022 13:21:15 +0100 diff --git a/fail2ban.spec b/fail2ban.spec index 4814fb2..759fb73 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 1.0.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -20,6 +20,8 @@ Patch0: fail2ban-partof.patch Patch1: fail2ban-python311.patch # Patch for dovecot jail eating 100% CPU #Patch2: https://github.com/fail2ban/fail2ban/commit/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch +# Remove warning about allowipv6 from startup +Patch2: https://patch-diff.githubusercontent.com/raw/gentoo/gentoo/pull/28473.patch BuildArch: noarch 
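Review bot: The file added as `28473.patch` does not modify fail2ban itself: its three commits create `net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch` and an ebuild in the Gentoo tree, and the `logSys.warning` to `logSys.debug` change appears only as the content of that new file. Applied to the fail2ban source it would most likely add stray files and leave `fail2ban/client/configreader.py` untouched (how the spec applies patches is outside the hunk). `Patch2` also points at a pull-request URL, whose content can change as the PR is updated, so the committed file may stop matching its stated origin. Referencing the upstream commit named inside the patch is safer: `Patch2: https://github.com/fail2ban/fail2ban/commit/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch`.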
@@ -409,6 +411,9 @@ fi %changelog +* Thu Mar 30 2023 Orion Poplawski - 1.0.2-3 +- Add upstream patch to remove warning about allowipv6 (bz#2160781) + * Thu Jan 19 2023 Fedora Release Engineering - 1.0.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From bbf821b2c08ce258874d24cf16de616aba3cdfd6 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Thu, 30 Mar 2023 10:35:16 -0600 Subject: [PATCH 17/55] Use the proper patch --- 28473.patch | 214 ------------------ ...7e1e93936f09e349e80d94254e5f43d0cc8a.patch | 23 ++ fail2ban.spec | 2 +- 3 files changed, 24 insertions(+), 215 deletions(-) delete mode 100644 28473.patch create mode 100644 432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch diff --git a/28473.patch b/28473.patch deleted file mode 100644 index 3b315cf..0000000 --- a/28473.patch +++ /dev/null 
@@ -1,214 +0,0 @@ -From 659cd9223bb9a04cc50986a3b371e22e2bac9a91 Mon Sep 17 00:00:00 2001 -From: hsk17 -Date: Tue, 29 Nov 2022 12:11:59 +0100 -Subject: [PATCH 1/3] upstream configreader patch - -Signed-off-by: hsk17 ---- - .../fail2ban-1.0.2-configreader-warning.patch | 23 +++++++++++++++++++ - 1 file changed, 23 insertions(+) - create mode 100644 net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch - -diff --git a/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch b/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch -new file mode 100644 -index 0000000000000..74f2739708ae7 ---- /dev/null -+++ b/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch -@@ -0,0 +1,23 @@ -+From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001 -+From: "Sergey G. Brester" -+Date: Mon, 28 Nov 2022 13:21:15 +0100 -+Subject: [PATCH] no warning if no config value but default (debug message now) -+ -+closes #3420 -+--- -+ fail2ban/client/configreader.py | 2 +- -+ 1 file changed, 1 insertion(+), 1 deletion(-) -+ -+diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py -+index 1b5a56a27c..c7f965ce52 100644 -+--- a/fail2ban/client/configreader.py -++++ b/fail2ban/client/configreader.py -+@@ -277,7 +277,7 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False, convert=Tru -+ # TODO: validate error handling here. -+ except NoOptionError: -+ if not optvalue is None: -+- logSys.warning("'%s' not defined in '%s'. Using default one: %r" -++ logSys.debug("'%s' not defined in '%s'. 
Using default one: %r" -+ % (optname, sec, optvalue)) -+ values[optname] = optvalue -+ # elif logSys.getEffectiveLevel() <= logLevel: - -From 79a59ae91ece23711370af79dc820a801b05e56b Mon Sep 17 00:00:00 2001 -From: hsk17 -Date: Tue, 29 Nov 2022 12:13:05 +0100 -Subject: [PATCH 2/3] rev bump to add upstream configreader patch - -Signed-off-by: hsk17 ---- - .../fail2ban/fail2ban-1.0.2-r1.ebuild | 134 ++++++++++++++++++ - 1 file changed, 134 insertions(+) - create mode 100644 net-analyzer/fail2ban/fail2ban-1.0.2-r1.ebuild - -diff --git a/net-analyzer/fail2ban/fail2ban-1.0.2-r1.ebuild b/net-analyzer/fail2ban/fail2ban-1.0.2-r1.ebuild -new file mode 100644 -index 0000000000000..64532f55baf31 ---- /dev/null -+++ b/net-analyzer/fail2ban/fail2ban-1.0.2-r1.ebuild -@@ -0,0 +1,134 @@ -+# Copyright 1999-2022 Gentoo Authors -+# Distributed under the terms of the GNU General Public License v2 -+ -+EAPI=8 -+ -+DISTUTILS_SINGLE_IMPL=1 -+PYTHON_COMPAT=( python3_{8..11} ) -+ -+inherit bash-completion-r1 distutils-r1 systemd tmpfiles -+ -+DESCRIPTION="Scans log files and bans IPs that show malicious signs" -+HOMEPAGE="https://www.fail2ban.org/" -+ -+if [[ ${PV} == *9999 ]] ; then -+ EGIT_REPO_URI="https://github.com/fail2ban/fail2ban" -+ inherit git-r3 -+else -+ SRC_URI="https://github.com/fail2ban/fail2ban/archive/${PV}.tar.gz -> ${P}.tar.gz" -+ KEYWORDS="~alpha amd64 arm arm64 hppa ppc ppc64 sparc x86" -+fi -+ -+LICENSE="GPL-2" -+SLOT="0" -+IUSE="selinux systemd" -+ -+RDEPEND=" -+ virtual/logger -+ virtual/mta -+ selinux? ( sec-policy/selinux-fail2ban ) -+ systemd? 
( -+ $(python_gen_cond_dep ' -+ || ( -+ dev-python/python-systemd[${PYTHON_USEDEP}] -+ sys-apps/systemd[python(-),${PYTHON_USEDEP}] -+ )' 'python*' ) -+ ) -+" -+ -+DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt ) -+ -+PATCHES=( -+ "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch -+ "${FILESDIR}"/${P}-configreader-warning.patch -+) -+ -+python_prepare_all() { -+ distutils-r1_python_prepare_all -+ -+ # Replace /var/run with /run, but not in the top source directory -+ find . -mindepth 2 -type f -exec \ -+ sed -i -e 's|/var\(/run/fail2ban\)|\1|g' {} + || die -+} -+ -+python_compile() { -+ ./fail2ban-2to3 || die -+ distutils-r1_python_compile -+} -+ -+python_test() { -+ bin/fail2ban-testcases \ -+ --no-network \ -+ --no-gamin \ -+ --verbosity=4 || die "Tests failed with ${EPYTHON}" -+ -+ # Workaround for bug #790251 -+ rm -r fail2ban.egg-info || die -+} -+ -+python_install_all() { -+ distutils-r1_python_install_all -+ -+ rm -rf "${ED}"/usr/share/doc/${PN} "${ED}"/run || die -+ -+ newconfd files/fail2ban-openrc.conf ${PN} -+ -+ # These two are placed in the ${BUILD_DIR} after being "built" -+ # in install_scripts(). -+ newinitd "${BUILD_DIR}/fail2ban-openrc.init" "${PN}" -+ systemd_dounit "${BUILD_DIR}/${PN}.service" -+ -+ dotmpfiles files/${PN}-tmpfiles.conf -+ -+ doman man/*.{1,5} -+ -+ # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d. -+ # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675 -+ insinto /etc/logrotate.d -+ newins files/${PN}-logrotate ${PN} -+ -+ keepdir /var/lib/${PN} -+ -+ newbashcomp files/bash-completion ${PN}-client -+ bashcomp_alias ${PN}-client ${PN}-server ${PN}-regex -+} -+ -+pkg_preinst() { -+ has_version "<${CATEGORY}/${PN}-0.7" -+ previous_less_than_0_7=$? 
-+} -+ -+pkg_postinst() { -+ tmpfiles_process ${PN}-tmpfiles.conf -+ -+ if [[ ${previous_less_than_0_7} = 0 ]] ; then -+ elog -+ elog "Configuration files are now in /etc/fail2ban/" -+ elog "You probably have to manually update your configuration" -+ elog "files before restarting Fail2Ban!" -+ elog -+ elog "Fail2Ban is not installed under /usr/lib anymore. The" -+ elog "new location is under /usr/share." -+ elog -+ elog "You are upgrading from version 0.6.x, please see:" -+ elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8" -+ fi -+ -+ if ! has_version dev-python/pyinotify && ! has_version app-admin/gamin ; then -+ elog "For most jail.conf configurations, it is recommended you install either" -+ elog "dev-python/pyinotify or app-admin/gamin (in order of preference)" -+ elog "to control how log file modifications are detected" -+ fi -+ -+ if ! has_version dev-lang/python[sqlite] ; then -+ elog "If you want to use ${PN}'s persistent database, then reinstall" -+ elog "dev-lang/python with USE=sqlite. If you do not use the" -+ elog "persistent database feature, then you should set" -+ elog "dbfile = :memory: in fail2ban.conf accordingly." 
-+ fi -+ -+ if has_version sys-apps/systemd[-python] ; then -+ elog "If you want to track logins through sys-apps/systemd's" -+ elog "journal backend, then reinstall sys-apps/systemd with USE=python" -+ fi -+} - -From ab30bb72cf1cdb0ccd717c417c10eae82381d6d7 Mon Sep 17 00:00:00 2001 -From: hsk17 -Date: Tue, 27 Dec 2022 16:08:43 +0100 -Subject: [PATCH 3/3] Update fail2ban-1.0.2-configreader-warning.patch - -Signed-off-by: hsk17 ---- - .../fail2ban/files/fail2ban-1.0.2-configreader-warning.patch | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch b/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch -index 74f2739708ae7..b53e604572cfd 100644 ---- a/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch -+++ b/net-analyzer/fail2ban/files/fail2ban-1.0.2-configreader-warning.patch -@@ -1,3 +1,6 @@ -+ -+https://github.com/fail2ban/fail2ban/commit/432e7e1 -+ - From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001 - From: "Sergey G. Brester" - Date: Mon, 28 Nov 2022 13:21:15 +0100 diff --git a/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch b/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch new file mode 100644 index 0000000..74f2739 --- /dev/null +++ b/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch 
@@ -0,0 +1,23 @@ +From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Mon, 28 Nov 2022 13:21:15 +0100 +Subject: [PATCH] no warning if no config value but default (debug message now) + +closes #3420 +--- + fail2ban/client/configreader.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py +index 1b5a56a27c..c7f965ce52 100644 +--- a/fail2ban/client/configreader.py ++++ b/fail2ban/client/configreader.py +@@ -277,7 +277,7 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False, convert=Tru + # TODO: validate error handling here. + except NoOptionError: + if not optvalue is None: +- logSys.warning("'%s' not defined in '%s'. Using default one: %r" ++ logSys.debug("'%s' not defined in '%s'. Using default one: %r" + % (optname, sec, optvalue)) + values[optname] = optvalue + # elif logSys.getEffectiveLevel() <= logLevel: diff --git a/fail2ban.spec b/fail2ban.spec index 759fb73..266ad11 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -21,7 +21,7 @@ Patch1: fail2ban-python311.patch # Patch for dovecot jail eating 100% CPU #Patch2: https://github.com/fail2ban/fail2ban/commit/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch # Remove warning about allowipv6 from startup -Patch2: https://patch-diff.githubusercontent.com/raw/gentoo/gentoo/pull/28473.patch +Patch2: https://github.com/fail2ban/fail2ban/commit/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch BuildArch: noarch From 1c3fb523165bfc188b1496c11b2dbc4a0c380884 Mon Sep 17 00:00:00 2001 
From: Todd Zullinger Date: Sun, 2 Apr 2023 00:12:52 -0400 Subject: [PATCH 18/55] verify upstream source signature MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per the packaging guidelines¹. While adjusting the git ignore rules for the signature file, replace many older tarball entries with a simple glob. Ignore expanded source directories as well. ¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures --- .gitignore | 28 ++--------------- fail2ban.spec | 30 ++++++++++++++----- ...38559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc | 29 ++++++++++++++++++ sources | 1 + 4 files changed, 55 insertions(+), 33 deletions(-) create mode 100644 gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc diff --git a/.gitignore b/.gitignore index 7fbd936..e633b53 100644 --- a/.gitignore +++ b/.gitignore @@ -1,26 +1,2 @@ -fail2ban-FAIL2BAN-0_8.tar.bz2 -fail2ban-0.8.4.tar.bz2 -/fail2ban_0.8.7.1.orig.tar.gz -/fail2ban_0.8.8.orig.tar.gz -/fail2ban-0.8.10.tar.gz -/fail2ban-0.8.11.tar.gz -/fail2ban-0.9-d529151.tar.xz -/fail2ban-0.9-1f1a561.tar.xz -/fail2ban-0.9.tar.gz -/fail2ban-0.9.1.tar.gz -/fail2ban-0.9.2.tar.gz -/fail2ban-0.9.3.tar.gz -/fail2ban-0.9.4.tar.gz -/fail2ban-0.9.5.tar.gz -/fail2ban-0.9.6.tar.gz -/fail2ban-0.9.7.tar.gz -/fail2ban-0.10.0.tar.gz -/fail2ban-0.10.1.tar.gz -/fail2ban-0.10.2.tar.gz -/fail2ban-0.10.3.1.tar.gz -/fail2ban-0.10.4.tar.gz -/fail2ban-0.10.5.tar.gz -/fail2ban-0.11.1.tar.gz -/fail2ban-0.11.2.tar.gz -/fail2ban-1.0.1.tar.gz -/fail2ban-1.0.2.tar.gz +/fail2ban-*/ +/fail2ban-*.tar.gz* diff --git a/fail2ban.spec b/fail2ban.spec index 266ad11..51b8f91 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -1,16 +1,27 @@ Name: fail2ban Version: 1.0.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc +# Releases are signed by Serg G. Brester (sebres) . The +# fingerprint can be found in a signature file: +# gpg --list-packets fail2ban-1.0.2.tar.gz.asc | grep 'issuer fpr' +# +# The following commands can be used to fetch the signing key via fingerprint +# and extract it: +# fpr=8738559E26F671DF9E2C6D9E683BF1BEBD0A882C +# gpg --receive-keys $fpr +# gpg -a --export-options export-minimal --export $fpr >gpgkey-$fpr.asc +Source2: gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc # SELinux policy -Source1: fail2ban.fc -Source2: fail2ban.if -Source3: fail2ban.te -Source4: Makefile +Source3: fail2ban.fc +Source4: fail2ban.if +Source5: fail2ban.te +Source6: Makefile # Give up being PartOf iptables and ipset for now # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 @@ -43,6 +54,7 @@ BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make BuildRequires: bash-completion +BuildRequires: gnupg2 # Default components Requires: %{name}-firewalld = %{version}-%{release} @@ -206,6 +218,7 @@ by default. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 # Use Fedora paths @@ -216,7 +229,7 @@ find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3 %endif # SELinux sources -cp -p %SOURCE1 %SOURCE2 %SOURCE3 . +cp -p %SOURCE3 %SOURCE4 %SOURCE5 . # 2to3 has been removed from setuptools and we already use the binary in # %%prep. @@ -229,7 +242,7 @@ sed -i "/use_2to3/d" setup.py %else %py3_build %endif -make -f %SOURCE4 +make -f %SOURCE6 %install 
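Review bot: The comment added above `Source2` tells the maintainer to read the signer's fingerprint out of the same `.asc` file that is being verified, then fetch whatever key matches it with `gpg --receive-keys`. That gives no independent assurance that the key belongs to upstream. The committed keyring pins the key once it is in the repository, so the exposure is when the key is first added or later refreshed. I would add a line after the `gpg --list-packets` example such as `# Before updating Source2, confirm the fingerprint against a source independent of the release download (e.g. a key published by upstream).`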
@@ -411,6 +424,9 @@ fi %changelog +* Sun Apr 02 2023 Todd Zullinger - 1.0.2-4 +- verify upstream source signature + * Thu Mar 30 2023 Orion Poplawski - 1.0.2-3 - Add upstream patch to remove warning about allowipv6 (bz#2160781) diff --git a/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc b/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc new file mode 100644 index 0000000..14da565 --- /dev/null +++ b/gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc 
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT +Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV +lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC +i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO +hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3 +BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl +ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ +CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm +NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h +RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n +2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq +GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ +3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX +XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ +uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh +Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a +kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf +awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6 +7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF +AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw +2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs +IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O +ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb +muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c +6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg== +=vqSW +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index 6655594..0300c30 100644 --- a/sources +++ b/sources 
@@ -1 +1,2 @@ SHA512 (fail2ban-1.0.2.tar.gz) = 688a84361b5794e1658f53d2d200ce752fe1e3320ddb1742c32c4b4b82a79ace16ae464e7ea3eeb94a0e862bcac73c2d3a0e61dd7b28e179a4c857f950d74dbb +SHA512 (fail2ban-1.0.2.tar.gz.asc) = 1c0af7e454d52879788d9728010a68159a94668d93799da5533999e8c821db87f651b3606347af16fd92a4540a7a343dc682f72bb3bab14e3666f848883d8644 From 1cb769fd250156cc41f10638f29d340e1e232453 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Tue, 4 Apr 2023 10:47:49 -0600 Subject: [PATCH 19/55] Drop downstream python3.11 patch, upstream went with a different fix --- fail2ban-python311.patch | 21 --------------------- fail2ban.spec | 7 ++++--- 2 files changed, 4 insertions(+), 24 deletions(-) delete mode 100644 fail2ban-python311.patch diff --git a/fail2ban-python311.patch b/fail2ban-python311.patch deleted file mode 100644 index 8a89af7..0000000 --- a/fail2ban-python311.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -Index: fail2ban-1.0.1/fail2ban/tests/actiontestcase.py -=================================================================== ---- fail2ban-1.0.1.orig/fail2ban/tests/actiontestcase.py -+++ fail2ban-1.0.1/fail2ban/tests/actiontestcase.py -@@ -242,14 +242,14 @@ class CommandActionTest(LogCaptureTestCa - setattr(self.__action, 'ab', "") - setattr(self.__action, 'x?family=inet6', "") - # produce self-referencing properties except: -- self.assertRaisesRegexp(ValueError, r"properties contain self referencing definitions", -+ self.assertRaisesRegex(ValueError, r"properties contain self referencing definitions", - lambda: self.__action.replaceTag("", - self.__action._properties, conditional="family=inet4") - ) - # remore self-referencing in props: - delattr(self.__action, 'ac') - # produce self-referencing query except: -- self.assertRaisesRegexp(ValueError, r"possible self referencing definitions in query", -+ self.assertRaisesRegex(ValueError, r"possible self referencing definitions in query", - lambda: self.__action.replaceTag(""*30, - self.__action._properties, conditional="family=inet6") - ) diff --git a/fail2ban.spec b/fail2ban.spec index 51b8f91..795222b 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 1.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -27,8 +27,6 @@ Source6: Makefile # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 Patch0: fail2ban-partof.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2034205 -Patch1: fail2ban-python311.patch # Patch for dovecot jail eating 100% CPU #Patch2: https://github.com/fail2ban/fail2ban/commit/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch # Remove warning about allowipv6 from startup 
@@ -424,6 +422,9 @@ fi %changelog +* Tue Apr 04 2023 Orion Poplawski - 1.0.2-5 +- Drop downstream python3.11 patch, upstream went with a different fix + * Sun Apr 02 2023 Todd Zullinger - 1.0.2-4 - verify upstream source signature From aeb9ac0019debbfeaa65fae716aa0bb1537cc3cf Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 14 Jun 2023 23:08:01 +0200 Subject: [PATCH 20/55] Rebuilt for Python 3.12 --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 795222b..c4d8573 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 1.0.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -422,6 +422,9 @@ fi %changelog +* Wed Jun 14 2023 Python Maint - 1.0.2-6 +- Rebuilt for Python 3.12 + * Tue Apr 04 2023 Orion Poplawski - 1.0.2-5 - Drop downstream python3.11 patch, upstream went with a different fix From 808902b9a9743b075b7e9553dc5c447ba04fe709 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Mon, 26 Jun 2023 16:14:49 -0400 Subject: [PATCH 21/55] exclude shorewall subpackage on epel9 (rhbz#2217649) The shorewall package is not present in epel9. --- fail2ban.spec | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index c4d8573..d5ae29d 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,12 @@ +%if 0%{?rhel} >= 9 +%bcond_with shorewall +%else +%bcond_without shorewall +%endif + Name: fail2ban Version: 1.0.2 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ 
@@ -120,7 +126,9 @@ Requires: %{name}-hostsdeny = %{version}-%{release} Requires: %{name}-mail = %{version}-%{release} Requires: %{name}-sendmail = %{version}-%{release} Requires: %{name}-server = %{version}-%{release} +%if %{with shorewall} Requires: %{name}-shorewall = %{version}-%{release} +%endif # Currently this breaks jails that don't log to the journal #Requires: %{name}-systemd = %{version}-%{release} Requires: perl-interpreter @@ -186,6 +194,7 @@ This package installs Fail2Ban's sendmail actions. This is the default mail actions for Fail2Ban. +%if %{with shorewall} %package shorewall Summary: Shorewall support for Fail2Ban Requires: %{name}-server = %{version}-%{release} @@ -204,6 +213,7 @@ Conflicts: %{name}-shorewall %description shorewall-lite This package enables support for manipulating shorewall rules. +%endif %package systemd @@ -411,17 +421,22 @@ fi %files sendmail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf +%if %{with shorewall} %files shorewall %config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf %files shorewall-lite %config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf +%endif %files systemd %config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-systemd.conf %changelog +* Mon Jun 26 2023 Todd Zullinger - 1.0.2-7 +- exclude shorewall subpackage on epel9 (rhbz#2217649) + * Wed Jun 14 2023 Python Maint - 1.0.2-6 - Rebuilt for Python 3.12 From 658e0113bc63cbeb5e34ec64a112f0902d1bff42 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Mon, 26 Jun 2023 16:23:12 -0400 Subject: [PATCH 22/55] remove commented systemd subpackage deps Avoid 'Macro expanded in comment' warnings from rpmbuild. While we could escape the macros, removing them makes more sense as they've been commented since 4fa088d (Do not use systemd by default, 2015-02-22). --- fail2ban.spec | 4 ---- 1 file changed, 4 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index d5ae29d..2518b11 100644 --- a/fail2ban.spec 
+++ b/fail2ban.spec @@ -64,8 +64,6 @@ BuildRequires: gnupg2 Requires: %{name}-firewalld = %{version}-%{release} Requires: %{name}-sendmail = %{version}-%{release} Requires: %{name}-server = %{version}-%{release} -# Currently this breaks jails that don't log to the journal -#Requires: %{name}-systemd = %{version}-%{release} %description @@ -129,8 +127,6 @@ Requires: %{name}-server = %{version}-%{release} %if %{with shorewall} Requires: %{name}-shorewall = %{version}-%{release} %endif -# Currently this breaks jails that don't log to the journal -#Requires: %{name}-systemd = %{version}-%{release} Requires: perl-interpreter %if 0%{?rhel} && 0%{?rhel} < 8 Requires: python-inotify From 9385a54f44016f787a12bae4d3784693a26a2307 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 19 Jul 2023 19:14:24 +0000 Subject: [PATCH 23/55] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 2518b11..abb603b 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -6,7 +6,7 @@ Name: fail2ban Version: 1.0.2 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -430,6 +430,9 @@ fi %changelog +* Wed Jul 19 2023 Fedora Release Engineering - 1.0.2-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Mon Jun 26 2023 Todd Zullinger - 1.0.2-7 - exclude shorewall subpackage on epel9 (rhbz#2217649) From 24c973f252f6d1b4231ee49ee4d5efac785a2fe8 Mon Sep 17 00:00:00 2001 
From: Adam Williamson Date: Wed, 27 Sep 2023 11:17:14 -0700 Subject: [PATCH 24/55] Fix build for F39+ (Python 3.12 and sqlite 3.42.0 fixes) Depend on pyasynchat and pyasyncore, as these are removed from Python 3.12 but fail2ban is so heavily built on them we cannot rewrite it in time for the Fedora 39 release. Drop the smtp tests as they require the Python smptd module that was removed from Python 3.12 and there's no drop-in replacement. Disable the database repair test as it cannot work with sqlite 3.42.0. Upstream references: https://github.com/fail2ban/fail2ban/issues/3487 https://github.com/fail2ban/fail2ban/issues/3586 Signed-off-by: Adam Williamson --- fail2ban.spec | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index abb603b..ab3b304 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -6,7 +6,7 @@ Name: fail2ban Version: 1.0.2 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -53,6 +53,16 @@ BuildRequires: /usr/bin/2to3 # For testcases BuildRequires: python3-inotify %endif +# using a python3_version-based conditional does not work here, so +# this is a proxy for "Python version greater than 3.12". asyncore +# and asynchat were dropped from cpython core in 3.12, these modules +# make them available again. See: +# https://github.com/fail2ban/fail2ban/issues/3487 +# https://bugzilla.redhat.com/show_bug.cgi?id=2219991 +%if 0%{?fedora} > 38 +BuildRequires: python3-pyasyncore +BuildRequires: python3-pyasynchat +%endif BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel 
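Review bot: The comment added above `%if 0%{?fedora} > 38` contradicts itself: it calls the guard a proxy for "Python version greater than 3.12", but its next sentence says asyncore and asynchat were dropped in 3.12. The wording should be `# this is a proxy for "Python version 3.12 or later".` so that a later maintainer does not shift the release threshold by one.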
@@ -110,6 +120,11 @@ Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) %else Requires: %{name}-selinux %endif +# see note above in BuildRequires section +%if v"0%{?python3_version}" >= v"3.12" +Requires: python3-pyasyncore +Requires: python3-pyasynchat +%endif %description server This package contains the core server components for Fail2Ban with minimal @@ -224,6 +239,11 @@ by default. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 +# this test uses smtpd which is removed in Python 3.12, rewriting it +# isn't trivial +%if v"0%{?python3_version}" >= v"3.12" +rm -f fail2ban/tests/action_d/test_smtp.py +%endif # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -318,8 +338,14 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion %if 0%{?rhel} && 0%{?rhel} < 8 %python2 bin/fail2ban-testcases --verbosity=2 --no-network %else +%if 0%{?fedora} > 38 +# testRepairDb does not work with sqlite 3.42.0+ +# https://github.com/fail2ban/fail2ban/issues/3586 +%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb +%else %python3 bin/fail2ban-testcases --verbosity=2 --no-network %endif +%endif %pre selinux @@ -430,6 +456,11 @@ fi %changelog +* Wed Sep 27 2023 Adam Williamson - 1.0.2-9 +- Require pyasynchat and pyasyncore with Python 3.12+ +- Disable smtp tests on F39+ due to removal of smtpd from Python 3.12 +- Disable db repair test on F39+ as it's broken with sqlite 3.42.0+ + * Wed Jul 19 2023 Fedora Release Engineering - 1.0.2-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From eea4f1a800b6544ef97fa9b9bcbde651a3923752 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 18:50:22 +0000 Subject: [PATCH 25/55] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/fail2ban.spec b/fail2ban.spec index ab3b304..7c703f6 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -6,7 +6,7 @@ Name: fail2ban Version: 1.0.2 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -456,6 +456,9 @@ fi %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 1.0.2-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Wed Sep 27 2023 Adam Williamson - 1.0.2-9 - Require pyasynchat and pyasyncore with Python 3.12+ - Disable smtp tests on F39+ due to removal of smtpd from Python 3.12 From bdb628d410217ba78fbed891660d65134c7a520e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 24 Jan 2024 11:09:24 +0000 Subject: [PATCH 26/55] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 7c703f6..0242655 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -6,7 +6,7 @@ Name: fail2ban Version: 1.0.2 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -456,6 +456,9 @@ fi %changelog +* Wed Jan 24 2024 Fedora Release Engineering - 1.0.2-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Jan 19 2024 Fedora Release Engineering - 1.0.2-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From f04bf03ceaf7f4a407c189b2732354e729fede52 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Fri, 23 Feb 2024 13:31:03 -0700 Subject: [PATCH 27/55] Allow watch on more logfiles --- fail2ban.spec | 13 ++++++++++--- fail2ban.te | 5 +++++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 0242655..aea220e 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -6,7 +6,7 @@ Name: fail2ban Version: 1.0.2 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -67,7 +67,11 @@ BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make +%if 0%{?fedora} >= 41 +BuildRequires: bash-completion-devel +%else BuildRequires: bash-completion +%endif BuildRequires: gnupg2 # Default components @@ -121,7 +125,7 @@ Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) Requires: %{name}-selinux %endif # see note above in BuildRequires section -%if v"0%{?python3_version}" >= v"3.12" +%if 0%{?fedora} > 38 Requires: python3-pyasyncore Requires: python3-pyasynchat %endif @@ -241,7 +245,7 @@ by default. %autosetup -p1 # this test uses smtpd which is removed in Python 3.12, rewriting it # isn't trivial -%if v"0%{?python3_version}" >= v"3.12" +%if 0%{?fedora} > 38 rm -f fail2ban/tests/action_d/test_smtp.py %endif @@ -456,6 +460,9 @@ fi %changelog +* Thu Feb 22 2024 Orion Poplawski - 1.0.2-12 +- Allow watch on more logfiles + * Wed Jan 24 2024 Fedora Release Engineering - 1.0.2-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild diff --git a/fail2ban.te b/fail2ban.te index 6d36a70..1c02960 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -100,6 +100,11 @@ logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) allow fail2ban_t fail2ban_log_t:file watch; +gen_require(` + attribute logfile; +') +allow fail2ban_t logfile:dir { watch_dir_perms }; +allow fail2ban_t logfile:file { watch_file_perms }; # Not in EL9 yet #logging_watch_audit_log_files(fail2ban_t) gen_require(` From 7a1cec5b814149d44e00ac443246d81ac86a3aea Mon Sep 17 00:00:00 2001 
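Review bot: Switching the guard on `Requires: python3-pyasyncore` / `python3-pyasynchat` from the `python3_version` comparison to `%if 0%{?fedora} > 38` makes it false on every non-Fedora target, although the spec carries `rhel` conditionals elsewhere. If an EPEL branch builds against Python 3.12 or later, the server subpackage would install without the modules the BuildRequires comment says it needs, and would presumably fail at import time. I would widen the guard, e.g. `%if 0%{?fedora} > 38 || 0%{?rhel} >= 10`, and state in the comment which Python version each release number stands for. The same condition now also gates the `rm -f fail2ban/tests/action_d/test_smtp.py` step in `%prep`.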
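Review bot: The two added `allow` rules give `fail2ban_t` watch permissions on every type carrying the `logfile` attribute, far wider than the single `fail2ban_log_t:file watch` rule just above them. Watch access does not expose file contents, but a directory watch does reveal creation, rotation and deletion of logs that no jail monitors, so the policy should say why it is needed. I would add a comment above the `gen_require` such as `# watch is needed on any log a jail may be pointed at, hence the attribute rather than per-type rules`. It is also worth confirming the attribute pulls in no types meant to be handled separately; the commented-out `logging_watch_audit_log_files` line below hints that audit logs were. The `gen_require` block that follows continues outside the hunk.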
From: Richard Shaw Date: Thu, 25 Apr 2024 06:34:59 -0500 Subject: [PATCH 28/55] Add nftables patch and fix selinux /var/run->/run issue, fixes RHBZ#1850164 and RHBZ#2272476. --- ...94c5229bd474f612b57b67d796252a4aab7a.patch | 84 ------------------- fail2ban-nftables.patch | 62 ++++++++++++++ fail2ban.fc | 2 +- fail2ban.spec | 11 ++- 4 files changed, 71 insertions(+), 88 deletions(-) delete mode 100644 ca2b94c5229bd474f612b57b67d796252a4aab7a.patch create mode 100644 fail2ban-nftables.patch diff --git a/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch b/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch deleted file mode 100644 index 02a9ae5..0000000 --- a/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From ca2b94c5229bd474f612b57b67d796252a4aab7a Mon Sep 17 00:00:00 2001 -From: sebres -Date: Tue, 4 Oct 2022 14:03:07 +0200 -Subject: [PATCH] fixes gh-3370: resolve extremely long search by repeated - apply of non-greedy RE `(?:: (?:[^\(]+|\w+\([^\)]*\))+)?` with following - branches (it may be extremely slow up to infinite search depending on - message); added new regression tests amend to gh-3210: fixes regression and - matches new format in aggressive mode too - ---- - ChangeLog | 4 ++++ - config/filter.d/dovecot.conf | 8 +++++--- - fail2ban/tests/files/logs/dovecot | 22 ++++++++++++++++++++++ - 3 files changed, 31 insertions(+), 3 deletions(-) - -Index: fail2ban-1.0.1/config/filter.d/dovecot.conf -=================================================================== ---- fail2ban-1.0.1.orig/config/filter.d/dovecot.conf -+++ fail2ban-1.0.1/config/filter.d/dovecot.conf -@@ -7,19 +7,21 @@ before = common.conf - - [Definition] - -+_daemon = (?:dovecot(?:-auth)?|auth) -+ - _auth_worker = (?:dovecot: )?auth(?:-worker)? - _auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )? --_daemon = (?:dovecot(?:-auth)?|auth) -+_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))* - - prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s.+$ - - failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ -- ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?:: (?:[^\(]+|\w+\([^\)]*\))+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ -+ ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ - ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$ - ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) - > - --mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ -+mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ - - mdre-normal = - -Index: fail2ban-1.0.1/fail2ban/tests/files/logs/dovecot -=================================================================== ---- fail2ban-1.0.1.orig/fail2ban/tests/files/logs/dovecot -+++ fail2ban-1.0.1/fail2ban/tests/files/logs/dovecot -@@ -115,6 +115,17 @@ Aug 28 06:38:51 s166-62-100-187 dovecot: - # failJSON: { "time": "2004-08-28T06:38:52", "match": true , "host": "192.0.2.4", "desc": "open parenthesis in optional part between Disconnected and (auth failed ...), gh-3210" } - Aug 28 06:38:52 s166-62-100-187 dovecot: imap-login: Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer (auth failed, 1 attempts in 0 secs): user=, rip=192.0.2.4, lip=127.0.0.19, session= - -+# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer -+# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number -+# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. 
(no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 -+# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 -+# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol -+ - # failJSON: { "time": "2004-08-29T03:17:18", "match": true , "host": "192.0.2.133" } - Aug 29 03:17:18 server dovecot: submission-login: Client has quit the connection (auth failed, 1 attempts in 2 secs): user=, method=LOGIN, rip=192.0.2.133, lip=0.0.0.0 - # failJSON: { "time": "2004-08-29T03:53:52", "match": true , "host": "192.0.2.169" } -@@ -128,6 +139,17 @@ Aug 29 15:33:53 server dovecot: managesi - - # filterOptions: [{"mode": "aggressive"}] - -+# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer -+# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL 
routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number -+# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 -+# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 -+# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } -+Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol -+ - # failJSON: { "time": "2004-08-29T16:06:58", "match": true , "host": "192.0.2.5" } - Aug 29 16:06:58 s166-62-100-187 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.5, lip=192.168.1.2, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer - # failJSON: { "time": "2004-08-31T16:15:10", "match": true , "host": "192.0.2.6" } diff --git a/fail2ban-nftables.patch b/fail2ban-nftables.patch new file mode 100644 index 0000000..1124e85 --- /dev/null +++ b/fail2ban-nftables.patch 
@@ -0,0 +1,62 @@ +Index: fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf +=================================================================== +--- fail2ban-1.0.2.orig/config/action.d/firewallcmd-rich-rules.conf ++++ fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf +@@ -37,8 +37,8 @@ actioncheck = + + fwcmd_rich_rule = rule family='' source address='' port port='$p' protocol='' %(rich-suffix)s + +-actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done ++actionban = ports=""; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done + +-actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done ++actionunban = ports=""; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done + +-rich-suffix = +\ No newline at end of file ++rich-suffix = +Index: fail2ban-1.0.2/fail2ban/tests/servertestcase.py +=================================================================== +--- fail2ban-1.0.2.orig/fail2ban/tests/servertestcase.py ++++ fail2ban-1.0.2/fail2ban/tests/servertestcase.py +@@ -2051,32 +2051,32 @@ class ServerConfigReaderTests(LogCapture + ('j-fwcmd-rr', 'firewallcmd-rich-rules[port="22:24", protocol="tcp"]', { + 'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',), + 'ip4-ban': ( +- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""", ++ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""", + ), + 'ip4-unban': ( +- """`ports="22:24"; for p in $(echo $ports | tr 
", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""", ++ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""", + ), + 'ip6-ban': ( +- """ `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""", ++ """ `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""", + ), + 'ip6-unban': ( +- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""", ++ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""", + ), + }), + # firewallcmd-rich-logging -- + ('j-fwcmd-rl', 'firewallcmd-rich-logging[port="22:24", protocol="tcp"]', { + 'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',), + 'ip4-ban': ( +- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""", ++ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port 
port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""", + ), + 'ip4-unban': ( +- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""", ++ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""", + ), + 'ip6-ban': ( +- """ `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""", ++ """ `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""", + ), + 'ip6-unban': ( +- """`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""", ++ """`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""", + ), + }), + ) diff --git a/fail2ban.fc b/fail2ban.fc index 4da938f..1379b6e 100644 --- a/fail2ban.fc 
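Review bot: In the `actionban` and `actionunban` lines of firewallcmd-rich-rules.conf, `tr ":, " "- "` passes a three-character first set and a two-character second set, so translating the space relies on tr padding the shorter set with its last character, a case POSIX leaves unspecified. Writing both sets at equal length, `tr ":, " "-  "`, makes the mapping explicit: `:` becomes `-` for firewalld's range syntax, while `,` and space become the loop separator. A comment above `actionban` such as `# firewalld rich rules take port ranges as 22-24, fail2ban uses 22:24` would explain why the jail's port value is rewritten; an untranslated range would presumably be rejected by firewall-cmd, leaving the ban unapplied. The expected strings in servertestcase.py would need the same edit.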
+++ b/fail2ban.fc @@ -6,4 +6,4 @@ /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) /var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0) -/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) +/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/fail2ban.spec b/fail2ban.spec index aea220e..45feacd 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -6,7 +6,7 @@ Name: fail2ban Version: 1.0.2 -Release: 12%{?dist} +Release: 13%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -33,10 +33,11 @@ Source6: Makefile # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 Patch0: fail2ban-partof.patch -# Patch for dovecot jail eating 100% CPU -#Patch2: https://github.com/fail2ban/fail2ban/commit/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch # Remove warning about allowipv6 from startup Patch2: https://github.com/fail2ban/fail2ban/commit/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch +# default port in jail.conf is not compatible with firewalld-cmd syntax +# https://bugzilla.redhat.com/show_bug.cgi?id=1850164 +Patch3: fail2ban-nftables.patch BuildArch: noarch @@ -460,6 +461,10 @@ fi %changelog +* Thu Apr 25 2024 Richard Shaw - 1.0.2-13 +- Add nftables patch and fix selinux /var/run->/run issue, fixes RHBZ#1850164 + and RHBZ#2272476. + * Thu Feb 22 2024 Orion Poplawski - 1.0.2-12 - Allow watch on more logfiles From f982d901c25a62264833bf6d7e0bb4d705b6aea6 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Mon, 6 May 2024 21:01:00 -0500 Subject: [PATCH 29/55] Increment SELinux module version. Tweak selinux regex for /run/fail2ban. --- fail2ban.fc | 5 +++-- fail2ban.if | 4 ++-- fail2ban.spec | 6 +++++- fail2ban.te | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/fail2ban.fc b/fail2ban.fc index 1379b6e..f481c4a 100644 --- a/fail2ban.fc +++ b/fail2ban.fc 
@@ -1,4 +1,4 @@ -/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) +#/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0) @@ -6,4 +6,5 @@ /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) /var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0) -/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) + +/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/fail2ban.if b/fail2ban.if index 94e1936..82c627f 100644 --- a/fail2ban.if +++ b/fail2ban.if @@ -243,7 +243,7 @@ interface(`fail2ban_read_pid_files',` ######################################## ## -## dontaudit read and write an leaked file descriptors +## dontaudit read and write leaked file descriptors ## ## ## @@ -264,7 +264,7 @@ interface(`fail2ban_dontaudit_leaks',` ######################################## ## ## All of the rules required to administrate -## an fail2ban environment +## a fail2ban environment ## ## ## diff --git a/fail2ban.spec b/fail2ban.spec index 45feacd..eaab4d4 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -6,7 +6,7 @@ Name: fail2ban Version: 1.0.2 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -461,6 +461,10 @@ fi %changelog +* Sun May 05 2024 Richard Shaw - 1.0.2-14 +- Increment SELinux module version. +- Tweak selinux regex for /run/fail2ban. + * Thu Apr 25 2024 Richard Shaw - 1.0.2-13 - Add nftables patch and fix selinux /var/run->/run issue, fixes RHBZ#1850164 and RHBZ#2272476. diff --git a/fail2ban.te b/fail2ban.te index 1c02960..b19bdaa 100644 --- a/fail2ban.te +++ b/fail2ban.te 
@@ -1,4 +1,4 @@ -policy_module(fail2ban, 1.5.0) +policy_module(fail2ban, 1.5.1) ######################################## # From 43888bfadea10e094e2053f9921a66d556cbdd6a Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Sun, 12 May 2024 00:01:23 -0400 Subject: [PATCH 30/55] Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In Fedora 40 and RHEL 10, SELinux rules for /var/run have moved to /run. Previous commits have adjusted for this but we need to gracefully handle the differences in file context equivalence for older releases. Borrow similar code from the container-selinux package, upstream 6200ed9 (Rename all /var/run file context entries to /run (#298), 2024-03-11)¹ to revert the /var/run -> /run changes in the SElinux file contexts for older releases. ¹ https://github.com/containers/container-selinux/commit/6200ed9 --- fail2ban.spec | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index eaab4d4..5754b2c 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -4,9 +4,17 @@ %bcond_without shorewall %endif +# RHEL < 10 and Fedora < 40 use file context entries in /var/run +%if %{defined rhel} && 0%{?rhel} < 10 +%define legacy_var_run 1 +%endif +%if %{defined fedora} && 0%{?fedora} < 40 +%define legacy_var_run 1 +%endif + Name: fail2ban Version: 1.0.2 -Release: 14%{?dist} +Release: 15%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -260,6 +268,10 @@ find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3 # SELinux sources cp -p %SOURCE3 %SOURCE4 %SOURCE5 . +%if %{defined legacy_var_run} +sed -i 's|^/run/|/var/run/|' %{name}.fc +%endif + # 2to3 has been removed from setuptools and we already use the binary in # %%prep. sed -i "/use_2to3/d" setup.py 
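Review bot: The `legacy_var_run` macro added near the top of fail2ban.spec is set with `%define` inside the two `%if` blocks, where Fedora's packaging guidelines prefer `%global` for macros read elsewhere in the spec, because `%define` bodies are expanded lazily and can be scoped locally. `%global legacy_var_run 1` in both conditionals keeps the later `%if %{defined legacy_var_run}` test independent of where the macro was set. The `sed -i 's|^/run/|/var/run/|' %{name}.fc` line has no comment of its own; a line such as `# older releases still label pid files under /var/run` next to it would keep the reason with the command, since the explanation currently sits 260 lines earlier.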
@@ -461,6 +473,9 @@ fi %changelog +* Sat May 11 2024 Todd Zullinger - 1.0.2-15 +- Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054) + * Sun May 05 2024 Richard Shaw - 1.0.2-14 - Increment SELinux module version. - Tweak selinux regex for /run/fail2ban. From 349c5c98fa6358e7d23e71356500e92f17fb8508 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 7 Jun 2024 18:57:17 +0200 Subject: [PATCH 31/55] Rebuilt for Python 3.13 --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 5754b2c..7211057 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.0.2 -Release: 15%{?dist} +Release: 16%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -473,6 +473,9 @@ fi %changelog +* Fri Jun 07 2024 Python Maint - 1.0.2-16 +- Rebuilt for Python 3.13 + * Sat May 11 2024 Todd Zullinger - 1.0.2-15 - Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054) From a5fe885227924681832861ebb50c620d472ba943 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Fri, 14 Jun 2024 19:39:10 -0500 Subject: [PATCH 32/55] Update to 1.1.0 for Python 3.13 support. --- ...7e1e93936f09e349e80d94254e5f43d0cc8a.patch | 23 --- ...41e5309b417a3c7a84fa8f03cf4f93831f1b.patch | 148 ++++++++++++++++++ fail2ban.spec | 18 +-- sources | 3 +- 4 files changed, 157 insertions(+), 35 deletions(-) delete mode 100644 432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch create mode 100644 ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch diff --git a/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch b/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch deleted file mode 100644 index 74f2739..0000000 --- a/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001 -From: "Sergey G. Brester" -Date: Mon, 28 Nov 2022 13:21:15 +0100 -Subject: [PATCH] no warning if no config value but default (debug message now) - -closes #3420 ---- - fail2ban/client/configreader.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py -index 1b5a56a27c..c7f965ce52 100644 ---- a/fail2ban/client/configreader.py -+++ b/fail2ban/client/configreader.py -@@ -277,7 +277,7 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False, convert=Tru - # TODO: validate error handling here. - except NoOptionError: - if not optvalue is None: -- logSys.warning("'%s' not defined in '%s'. Using default one: %r" -+ logSys.debug("'%s' not defined in '%s'. Using default one: %r" - % (optname, sec, optvalue)) - values[optname] = optvalue - # elif logSys.getEffectiveLevel() <= logLevel: diff --git a/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch b/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch new file mode 100644 index 0000000..3dc9890 --- /dev/null +++ b/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch 
@@ -0,0 +1,148 @@ +From ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b Mon Sep 17 00:00:00 2001 +From: sebres +Date: Fri, 14 Jun 2024 14:31:21 +0200 +Subject: [PATCH] beautifier detect whether it can use unicode chars in stats + table; asciified output of beautifier in test suite; closes gh-3750 + +--- + fail2ban/client/beautifier.py | 51 ++++++++++++++-------- + fail2ban/tests/clientbeautifiertestcase.py | 22 ++++++---- + 2 files changed, 45 insertions(+), 28 deletions(-) + +diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py +index 7ef173a655..21c49b9483 100644 +--- a/fail2ban/client/beautifier.py ++++ b/fail2ban/client/beautifier.py +@@ -21,8 +21,10 @@ + __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko" + __license__ = "GPL" + ++import sys ++ + from ..exceptions import UnknownJailException, DuplicateJailException +-from ..helpers import getLogger, logging ++from ..helpers import getLogger, logging, PREFER_ENC + + # Gets the instance of the logger. 
+ logSys = getLogger(__name__) +@@ -36,6 +38,11 @@ + + class Beautifier: + ++ stdoutEnc = PREFER_ENC ++ if sys.stdout and sys.stdout.encoding is not None: ++ stdoutEnc = sys.stdout.encoding ++ encUtf = 1 if stdoutEnc.lower() == 'utf-8' else 0 ++ + def __init__(self, cmd = None): + self.__inputCmd = cmd + +@@ -104,7 +111,11 @@ def jail_stat(response, pref=""): + jail_stat(j, " " if i == len(jstat) else " | ") + msg = "\n".join(msg) + elif inC[0:1] == ['stats'] or inC[0:1] == ['statistics']: +- def _statstable(response): ++ chrTable = [ ++ ['|', '-', '|', 'x', 'x', '-', '|', '-'], ## ascii ++ ["\u2551", "\u2550", "\u255F", "\u256B", "\u256C", "\u2569", "\u2502", "\u2500"] ## utf-8 ++ ]; ++ def _statstable(response, ct): + tophead = ["Jail", "Backend", "Filter", "Actions"] + headers = ["", "", "cur", "tot", "cur", "tot"] + minlens = [8, 8, 3, 3, 3, 3] +@@ -120,29 +131,31 @@ def _statstable(response): + f = "%%%ds" if ralign[i] else "%%-%ds" + rfmt.append(f % lens[i]) + hfmt.append(f % lens[i]) +- rfmt = [rfmt[0], rfmt[1], "%s \u2502 %s" % (rfmt[2], rfmt[3]), "%s \u2502 %s" % (rfmt[4], rfmt[5])] +- hfmt = [hfmt[0], hfmt[1], "%s \u2502 %s" % (hfmt[2], hfmt[3]), "%s \u2502 %s" % (hfmt[4], hfmt[5])] ++ rfmt = [rfmt[0], rfmt[1], "%s %s %s" % (rfmt[2], ct[6], rfmt[3]), "%s %s %s" % (rfmt[4], ct[6], rfmt[5])] ++ hfmt = [hfmt[0], hfmt[1], "%s %s %s" % (hfmt[2], ct[6], hfmt[3]), "%s %s %s" % (hfmt[4], ct[6], hfmt[5])] + tlens = [lens[0], lens[1], 3 + lens[2] + lens[3], 3 + lens[4] + lens[5]] + tfmt = [hfmt[0], hfmt[1], "%%-%ds" % (tlens[2],), "%%-%ds" % (tlens[3],)] + tsep = tfmt[0:2] +- rfmt = " \u2551 ".join(rfmt) +- hfmt = " \u2551 ".join(hfmt) +- tfmt = " \u2551 ".join(tfmt) +- tsep = " \u2551 ".join(tsep) +- separator = ((tsep % tuple(tophead[0:2])) + " \u255F\u2500" + +- ("\u2500\u256B\u2500".join(['\u2500' * n for n in tlens[2:]])) + '\u2500') ++ rfmt = (" "+ct[0]+" ").join(rfmt) ++ hfmt = (" "+ct[0]+" ").join(hfmt) ++ tfmt = (" "+ct[0]+" ").join(tfmt) ++ tsep = (" 
"+ct[0]+" ").join(tsep) ++ separator = ((tsep % tuple(tophead[0:2])) + " "+ct[2]+ct[7] + ++ ((ct[7]+ct[3]+ct[7]).join([ct[7] * n for n in tlens[2:]])) + ct[7]) + ret = [] +- ret.append(tfmt % tuple(["", ""]+tophead[2:])) +- ret.append(separator) +- ret.append(hfmt % tuple(headers)) +- separator = "\u2550\u256C\u2550".join(['\u2550' * n for n in tlens]) + '\u2550' +- ret.append(separator) ++ ret.append(" "+tfmt % tuple(["", ""]+tophead[2:])) ++ ret.append(" "+separator) ++ ret.append(" "+hfmt % tuple(headers)) ++ separator = (ct[1]+ct[4]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1] ++ ret.append(ct[1]+separator) + for row in rows: +- ret.append(rfmt % tuple(row)) +- separator = "\u2550\u2569\u2550".join(['\u2550' * n for n in tlens]) + '\u2550' +- ret.append(separator) ++ ret.append(" "+rfmt % tuple(row)) ++ separator = (ct[1]+ct[5]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1] ++ ret.append(ct[1]+separator) + return ret +- msg = "\n".join(_statstable(response)) ++ if not response: ++ return "No jails found." 
++ msg = "\n".join(_statstable(response, chrTable[self.encUtf])) + elif len(inC) < 2: + pass # to few cmd args for below + elif inC[1] == "syslogsocket": +diff --git a/fail2ban/tests/clientbeautifiertestcase.py b/fail2ban/tests/clientbeautifiertestcase.py +index defedbe1bf..5fcb240479 100644 +--- a/fail2ban/tests/clientbeautifiertestcase.py ++++ b/fail2ban/tests/clientbeautifiertestcase.py +@@ -34,6 +34,7 @@ def setUp(self): + """ Call before every test case """ + super(BeautifierTest, self).setUp() + self.b = Beautifier() ++ self.b.encUtf = 0; ## we prefer ascii in test suite (see #3750) + + def tearDown(self): + """ Call after every test case """ +@@ -170,22 +171,25 @@ def testStatus(self): + + def testStatusStats(self): + self.b.setInputCmd(["stats"]) ++ ## no jails: ++ self.assertEqual(self.b.beautify({}), "No jails found.") ++ ## 3 jails: + response = { + "ssh": ["systemd", (3, 6), (12, 24)], + "exim4": ["pyinotify", (6, 12), (20, 20)], + "jail-with-long-name": ["polling", (0, 0), (0, 0)] + } + output = ("" +- + " ? ? Filter ? Actions \n" +- + "Jail ? Backend ????????????????????????\n" +- + " ? ? cur ? tot ? cur ? tot\n" +- + "????????????????????????????????????????????????????????\n" +- + "ssh ? systemd ? 3 ? 6 ? 12 ? 24\n" +- + "exim4 ? pyinotify ? 6 ? 12 ? 20 ? 20\n" +- + "jail-with-long-name ? polling ? 0 ? 0 ? 0 ? 0\n" +- + "????????????????????????????????????????????????????????" ++ + " | | Filter | Actions \n" ++ + " Jail | Backend |-----------x-----------\n" ++ + " | | cur | tot | cur | tot\n" ++ + "---------------------x-----------x-----------x-----------\n" ++ + " ssh | systemd | 3 | 6 | 12 | 24\n" ++ + " exim4 | pyinotify | 6 | 12 | 20 | 20\n" ++ + " jail-with-long-name | polling | 0 | 0 | 0 | 0\n" ++ + "---------------------------------------------------------" + ) +- response = self.b.beautify(response).encode('ascii', 'replace').decode('ascii') ++ response = self.b.beautify(response) + self.assertEqual(response, output) + + 
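Review bot: `encUtf = 1 if stdoutEnc.lower() == 'utf-8' else 0` in the `Beautifier` class body compares against one spelling only, so a stdout encoding reported as `utf8` (for example when set through PYTHONIOENCODING) selects the ASCII table even though the terminal could render the box characters. The fallback is harmless, but normalising first, e.g. `encUtf = 1 if stdoutEnc.lower().replace('_', '-') in ('utf-8', 'utf8') else 0`, avoids the surprise. The value is also computed once when the class is defined, which the test suite relies on by overriding `self.b.encUtf`; a comment on the attribute saying so would help. The `beautify` method this hunk edits starts and ends outside the hunk.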
diff --git a/fail2ban.spec b/fail2ban.spec index 7211057..bfda77b 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -13,8 +13,8 @@ %endif Name: fail2ban -Version: 1.0.2 -Release: 16%{?dist} +Version: 1.1.0 +Release: 1%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -41,11 +41,11 @@ Source6: Makefile # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 Patch0: fail2ban-partof.patch -# Remove warning about allowipv6 from startup -Patch2: https://github.com/fail2ban/fail2ban/commit/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch # default port in jail.conf is not compatible with firewalld-cmd syntax # https://bugzilla.redhat.com/show_bug.cgi?id=1850164 -Patch3: fail2ban-nftables.patch +Patch1: fail2ban-nftables.patch +# Work around encoding issues during tests +Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch BuildArch: noarch @@ -58,7 +58,6 @@ BuildRequires: python-inotify %else BuildRequires: python3-devel BuildRequires: python3-setuptools -BuildRequires: /usr/bin/2to3 # For testcases BuildRequires: python3-inotify %endif @@ -260,10 +259,6 @@ rm -f fail2ban/tests/action_d/test_smtp.py # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf -%if 0%{?fedora} || 0%{?rhel} >= 8 -2to3 --write --nobackups . -find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} + -%endif # SELinux sources cp -p %SOURCE3 %SOURCE4 %SOURCE5 . @@ -473,6 +468,9 @@ fi %changelog +* Wed Jun 12 2024 Richard Shaw - 1.1.0-1 +- Update to 1.1.0 for Python 3.13 support. + * Fri Jun 07 2024 Python Maint - 1.0.2-16 - Rebuilt for Python 3.13 diff --git a/sources b/sources index 0300c30..934b139 100644 --- a/sources +++ b/sources 
@@ -1,2 +1 @@ -SHA512 (fail2ban-1.0.2.tar.gz) = 688a84361b5794e1658f53d2d200ce752fe1e3320ddb1742c32c4b4b82a79ace16ae464e7ea3eeb94a0e862bcac73c2d3a0e61dd7b28e179a4c857f950d74dbb -SHA512 (fail2ban-1.0.2.tar.gz.asc) = 1c0af7e454d52879788d9728010a68159a94668d93799da5533999e8c821db87f651b3606347af16fd92a4540a7a343dc682f72bb3bab14e3666f848883d8644 +SHA512 (fail2ban-1.1.0.tar.gz) = 9bff7b9c41e58a953901800468e5c4153c9db6af01c7eb18111ad8620b40d03a0771020472fb759b2809d250e2bb45471e6c7e8283e72ea48290ecf7bf921821 From a9e460f2e2eb080b8435d52130406721fec7a17c Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Fri, 14 Jun 2024 19:53:30 -0500 Subject: [PATCH 33/55] Upload checksum file. --- .gitignore | 1 - fail2ban-1.1.0.tar.gz.asc | 11 +++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 fail2ban-1.1.0.tar.gz.asc diff --git a/.gitignore b/.gitignore index e633b53..082f70a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ /fail2ban-*/ -/fail2ban-*.tar.gz* diff --git a/fail2ban-1.1.0.tar.gz.asc b/fail2ban-1.1.0.tar.gz.asc new file mode 100644 index 0000000..f764f97 --- /dev/null +++ b/fail2ban-1.1.0.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K +iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc +yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu +ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf +9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr +jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH +MTZipOHHYPx/7IyKJJvB1p1gvmOxyg== +=qvry +-----END PGP SIGNATURE----- From ee0aa3906976fbbe49516aa0ff3aa4529fd2e763 Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Fri, 12 Jul 2024 11:06:05 +0200 Subject: [PATCH 34/55] Use SPDX license identifier Signed-off-by: Nils Philippsen --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
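Review bot: Removing `/fail2ban-*.tar.gz*` from .gitignore so the detached signature can be tracked also stops ignoring the source tarball itself, which the `sources` file suggests is meant to be fetched by hash rather than committed. Narrowing the pattern to `/fail2ban-*.tar.gz` keeps the tarball ignored while no longer matching `fail2ban-1.1.0.tar.gz.asc`. The subject calls the new file a checksum, but its content is a PGP signature block, so the verification step it feeds is signature checking against the upstream key rather than a hash comparison.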
diff --git a/fail2ban.spec b/fail2ban.spec index bfda77b..0c46fbb 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -17,7 +17,7 @@ Version: 1.1.0 Release: 1%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors -License: GPLv2+ +License: GPL-2.0-or-later URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc @@ -468,6 +468,9 @@ fi %changelog +* Fri Jul 12 2024 Nils Philippsen +- Use SPDX license identifier + * Wed Jun 12 2024 Richard Shaw - 1.1.0-1 - Update to 1.1.0 for Python 3.13 support. From 2620a99049a9008a6b32ddafd83845c594dff74e Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Fri, 12 Jul 2024 11:07:15 +0200 Subject: [PATCH 35/55] Use https upstream URL Signed-off-by: Nils Philippsen --- fail2ban.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 0c46fbb..b28b250 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -18,7 +18,7 @@ Release: 1%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later -URL: http://fail2ban.sourceforge.net/ +URL: https://fail2ban.sourceforge.net Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc # Releases are signed by Serg G. Brester (sebres) . The @@ -470,6 +470,7 @@ fi %changelog * Fri Jul 12 2024 Nils Philippsen - Use SPDX license identifier +- Use https upstream URL * Wed Jun 12 2024 Richard Shaw - 1.1.0-1 - Update to 1.1.0 for Python 3.13 support. From a549d7607bfebe1f34e4da1097a5cebd370812aa Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Fri, 12 Jul 2024 11:07:31 +0200 Subject: [PATCH 36/55] Bump release 
Signed-off-by: Nils Philippsen --- fail2ban.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index b28b250..6bbcde7 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -468,7 +468,7 @@ fi %changelog -* Fri Jul 12 2024 Nils Philippsen +* Fri Jul 12 2024 Nils Philippsen - 1.1.0-2 - Use SPDX license identifier - Use https upstream URL From 6d7a157679b87ebd5e2a7d6b2af816f563299687 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 22:41:28 +0000 Subject: [PATCH 37/55] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 6bbcde7..5045b2e 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -468,6 +468,9 @@ fi %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 1.1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Fri Jul 12 2024 Nils Philippsen - 1.1.0-2 - Use SPDX license identifier - Use https upstream URL From f5c4652fbf39e280dc9332057fe6c8ef67003b3e Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Sat, 28 Sep 2024 15:00:29 -0500 Subject: [PATCH 38/55] Add patch to deal with changes to OpenSSL log output. --- 3782.patch | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++ fail2ban.spec | 7 +++- 2 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 3782.patch diff --git a/3782.patch b/3782.patch new file mode 100644 index 0000000..764db01 --- /dev/null +++ b/3782.patch 
@@ -0,0 +1,94 @@ +From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001 +From: Fabian Dellwing +Date: Tue, 2 Jul 2024 07:54:15 +0200 +Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name + +--- + config/filter.d/sshd.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf +index 1c8a02deb5..a1fd749aed 100644 +--- a/config/filter.d/sshd.conf ++++ b/config/filter.d/sshd.conf +@@ -16,7 +16,7 @@ before = common.conf + + [DEFAULT] + +-_daemon = sshd ++_daemon = (?:sshd(?:-session)?) + + # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " + __pref = (?:(?:error|fatal): (?:PAM: )?)? + +From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Wed, 3 Jul 2024 19:09:28 +0200 +Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782 + +--- + fail2ban/tests/files/logs/sshd | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd +index ed54ded4d4..7d3948ed80 100644 +--- a/fail2ban/tests/files/logs/sshd ++++ b/fail2ban/tests/files/logs/sshd +@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa + # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" } + Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1 + ++# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" } ++Jul 3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2 ++ + #3 + # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" } + Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4 + +From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001 
+From: "Sergey G. Brester" +Date: Wed, 3 Jul 2024 19:33:39 +0200 +Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new + sshd-session log format + +--- + fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf +index ad8adeb69f..14256ba68c 100644 +--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf ++++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf +@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf + + [DEFAULT] + +-_daemon = sshd ++_daemon = sshd(?:-session)? + + # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " + __pref = (?:(?:error|fatal): (?:PAM: )?)? + +From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Wed, 3 Jul 2024 19:35:28 +0200 +Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon) + +--- + config/filter.d/sshd.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf +index a1fd749aed..3a84b1ba52 100644 +--- a/config/filter.d/sshd.conf ++++ b/config/filter.d/sshd.conf +@@ -16,7 +16,7 @@ before = common.conf + + [DEFAULT] + +-_daemon = (?:sshd(?:-session)?) ++_daemon = sshd(?:-session)? + + # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " + __pref = (?:(?:error|fatal): (?:PAM: )?)? + diff --git a/fail2ban.spec b/fail2ban.spec index 5045b2e..796cec2 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later 
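Review bot: The 3782.patch file added here carries the mails numbered 1/5 to 4/5 only, so the fifth patch of the upstream series is absent from the 94 added lines. If it was dropped on purpose, say so where the patch is declared, e.g. `# patch 5/5 of the PR omitted: <reason>` above `Patch3:` in fail2ban.spec, so the file is not mistaken for a truncated download. Within the series, 4/5 rewrites the `_daemon` line that 1/5 introduced, leaving `_daemon = sshd(?:-session)?` as the net result in sshd.conf.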
@@ -46,6 +46,8 @@ Patch0: fail2ban-partof.patch Patch1: fail2ban-nftables.patch # Work around encoding issues during tests Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2315252 +Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch BuildArch: noarch @@ -468,6 +470,9 @@ fi %changelog +* Sat Sep 28 2024 Richard Shaw - 1.1.0-4 +- Add patch to deal with changes to OpenSSL log output. + * Wed Jul 17 2024 Fedora Release Engineering - 1.1.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From aeb6d90f3c4097da942e35b359b8645e283b0c3d Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Tue, 15 Oct 2024 21:07:36 -0500 Subject: [PATCH 39/55] Add upstream patch for python distutils removal. --- fail2ban.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 796cec2..bd0cde2 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -48,6 +48,8 @@ Patch1: fail2ban-nftables.patch Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2315252 Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2295265 +Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch BuildArch: noarch @@ -470,6 +472,9 @@ fi %changelog +* Wed Oct 16 2024 Richard Shaw - 1.1.0-5 +- Add upstream patch for python distutils removal. + * Sat Sep 28 2024 Richard Shaw - 1.1.0-4 - Add patch to deal with changes to OpenSSL log output. From 086c68ba34b53602d7b8dbc56ba7637f5fa83d8f Mon Sep 17 00:00:00 2001 
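Review bot: `Patch3` in the `@@ -46,6 +46,8 @@` hunk points at `https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch`, a pull-request URL whose content follows the PR branch, unlike the commit-pinned URL used for `Patch2` on the line above. The build presumably uses the copy committed next to the spec, but anyone refreshing sources from the URL can get a different patch with no visible change in the spec. Referencing the merged upstream commits in the `https://github.com/fail2ban/fail2ban/commit/<commit-sha>.patch` form (placeholder hash) keeps the provenance checkable. The `Patch4` line added in the `@@ -48,6 +48,8 @@` hunk of PATCH 39/55 has the same issue. Separately, the changelog entry of this commit says "OpenSSL log output" where the patch concerns OpenSSH.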
From: Richard Shaw Date: Tue, 15 Oct 2024 21:11:32 -0500 Subject: [PATCH 40/55] Add patch. --- 3728.patch | 160 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 3728.patch diff --git a/3728.patch b/3728.patch new file mode 100644 index 0000000..b25c4a9 --- /dev/null +++ b/3728.patch 
@@ -0,0 +1,160 @@ +From a763fbbdfd6486e372965b4009eb3fe5db346718 Mon Sep 17 00:00:00 2001 +From: Branch Vincent +Date: Sat, 27 Apr 2024 10:24:01 -0700 +Subject: [PATCH 1/3] replace distutils for python 3.12 + +--- + doc/conf.py | 5 +---- + fail2ban/server/filterpyinotify.py | 3 +-- + fail2ban/server/filtersystemd.py | 3 +-- + 3 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/doc/conf.py b/doc/conf.py +index 20845a5a0e..48d27f7062 100644 +--- a/doc/conf.py ++++ b/doc/conf.py +@@ -47,12 +47,9 @@ + # + + from fail2ban.version import version as fail2ban_version +-from distutils.version import LooseVersion +- +-fail2ban_loose_version = LooseVersion(fail2ban_version) + + # The short X.Y version. +-version = ".".join(str(_) for _ in fail2ban_loose_version.version[:2]) ++version = ".".join(str(_) for _ in fail2ban_version.split(".")[:2]) + # The full version, including alpha/beta/rc tags. + release = fail2ban_version + +diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py +index 81bc7de393..c6972ced3f 100644 +--- a/fail2ban/server/filterpyinotify.py ++++ b/fail2ban/server/filterpyinotify.py +@@ -24,7 +24,6 @@ + __license__ = "GPL" + + import logging +-from distutils.version import LooseVersion + import os + from os.path import dirname, sep as pathsep + +@@ -38,7 +37,7 @@ + + + if not hasattr(pyinotify, '__version__') \ +- or LooseVersion(pyinotify.__version__) < '0.8.3': # pragma: no cover ++ or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover + raise ImportError("Fail2Ban requires pyinotify >= 0.8.3") + + # Verify that pyinotify is functional on this system +diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py +index 5aea9fdadc..2d4f862b97 100644 +--- a/fail2ban/server/filtersystemd.py ++++ b/fail2ban/server/filtersystemd.py +@@ -24,10 +24,9 @@ + + import os + import time +-from distutils.version import LooseVersion + + from systemd import journal +-if 
LooseVersion(getattr(journal, '__version__', "0")) < '204': ++if getattr(journal, "__version__", "0").split(".") < "204".split("."): + raise ImportError("Fail2Ban requires systemd >= 204") + + from .failmanager import FailManagerEmpty + +From ed20a9a5b9039319dd8913dfecf640e6eafee28b Mon Sep 17 00:00:00 2001 +From: sebres +Date: Tue, 7 May 2024 12:51:14 +0200 +Subject: [PATCH 2/3] there is no systemd < 204 and pyinotify < 0.8.3 for + supported python3 versions anymore + +--- + fail2ban/server/filterpyinotify.py | 4 ---- + fail2ban/server/filtersystemd.py | 2 -- + 2 files changed, 6 deletions(-) + +diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py +index c6972ced3f..f2f31e6fb5 100644 +--- a/fail2ban/server/filterpyinotify.py ++++ b/fail2ban/server/filterpyinotify.py +@@ -36,10 +36,6 @@ + from ..helpers import getLogger + + +-if not hasattr(pyinotify, '__version__') \ +- or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover +- raise ImportError("Fail2Ban requires pyinotify >= 0.8.3") +- + # Verify that pyinotify is functional on this system + # Even though imports -- might be dysfunctional, e.g. 
as on kfreebsd + try: +diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py +index 2d4f862b97..abd66e1f76 100644 +--- a/fail2ban/server/filtersystemd.py ++++ b/fail2ban/server/filtersystemd.py +@@ -26,8 +26,6 @@ + import time + + from systemd import journal +-if getattr(journal, "__version__", "0").split(".") < "204".split("."): +- raise ImportError("Fail2Ban requires systemd >= 204") + + from .failmanager import FailManagerEmpty + from .filter import JournalFilter, Filter + +From 0185e1c7d5e6534ab212462dd2aeab6f89e2fb50 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Tue, 7 May 2024 13:06:50 +0200 +Subject: [PATCH 3/3] setup.py: no distutils anymore + +--- + setup.py | 25 ++++++------------------- + 1 file changed, 6 insertions(+), 19 deletions(-) + +diff --git a/setup.py b/setup.py +index 9f7bd8fb59..ee9ea4df82 100755 +--- a/setup.py ++++ b/setup.py +@@ -24,23 +24,10 @@ + + import platform + +-try: +- import setuptools +- from setuptools import setup +- from setuptools.command.install import install +- from setuptools.command.install_scripts import install_scripts +- from setuptools.command.build_py import build_py +- build_scripts = None +-except ImportError: +- setuptools = None +- from distutils.core import setup +- +-# older versions +-if setuptools is None: +- from distutils.command.build_py import build_py +- from distutils.command.build_scripts import build_scripts +- from distutils.command.install import install +- from distutils.command.install_scripts import install_scripts ++import setuptools ++from setuptools import setup ++from setuptools.command.install import install ++from setuptools.command.install_scripts import install_scripts + + import os + from os.path import isfile, join, isdir, realpath +@@ -207,9 +194,9 @@ def run(self): + url = "http://www.fail2ban.org", + license = "GPL", + platforms = "Posix", +- cmdclass = dict({'build_py': build_py, 'build_scripts': build_scripts} if build_scripts else {}, **{ ++ cmdclass = 
{ + 'install_scripts': install_scripts_f2b, 'install': install_command_f2b +- }), ++ }, + scripts = [ + 'bin/fail2ban-client', + 'bin/fail2ban-server', From ffd8fd89f46b7ccae21928d275de989807a29c82 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 18 Dec 2024 21:57:34 -0700 Subject: [PATCH 41/55] Update URL to www.fail2ban.org --- fail2ban.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index bd0cde2..0db84f9 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -18,7 +18,7 @@ Release: 5%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later -URL: https://fail2ban.sourceforge.net +URL: https://www.fail2ban.org Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc # Releases are signed by Serg G. Brester (sebres) . The From f82f7572438d40d2bb803bd772944ea8074b8d46 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 18 Dec 2024 22:06:26 -0700 Subject: [PATCH 42/55] Add upstream fix for sshd filter (rhbz#2332945) --- ...effceb998b73545073ac59c479d9d9bf19a4.patch | 23 +++++++++++++++++++ fail2ban.spec | 8 ++++++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 54c0effceb998b73545073ac59c479d9d9bf19a4.patch diff --git a/54c0effceb998b73545073ac59c479d9d9bf19a4.patch b/54c0effceb998b73545073ac59c479d9d9bf19a4.patch new file mode 100644 index 0000000..e606591 --- /dev/null +++ b/54c0effceb998b73545073ac59c479d9d9bf19a4.patch 
@@ -0,0 +1,23 @@ +From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Sun, 11 Aug 2024 12:10:12 +0200 +Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version + would log with `_COMM=sshd-session`) + +--- + config/filter.d/sshd.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf +index 206b913a78..595e957f0b 100644 +--- a/config/filter.d/sshd.conf ++++ b/config/filter.d/sshd.conf +@@ -126,7 +126,7 @@ ignoreregex = + + maxlines = 1 + +-journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd ++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session + + # DEV Notes: + # diff --git a/fail2ban.spec b/fail2ban.spec index 0db84f9..d9176f1 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -50,6 +50,9 @@ Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03 Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295265 Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch +# Upstream fix to also catch sshd-session logs +# https://bugzilla.redhat.com/show_bug.cgi?id=2332945 +Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch BuildArch: noarch @@ -472,6 +475,9 @@ fi %changelog +* Thu Dec 19 2024 Orion Poplawski - 1.1.0-6 +- Add upstream fix for sshd filter (rhbz#2332945) + * Wed Oct 16 2024 Richard Shaw - 1.1.0-5 - Add upstream patch for python distutils removal. From 427d59c82c26c01625dd7ce55fcd392b61177785 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Thu, 16 Jan 2025 17:46:20 +0000 Subject: [PATCH 43/55] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index d9176f1..4c25528 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -475,6 +475,9 @@ fi %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 1.1.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Thu Dec 19 2024 Orion Poplawski - 1.1.0-6 - Add upstream fix for sshd filter (rhbz#2332945) From e05e420f1136e7e279af42e8fb87ada5ea61c7f3 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 3 Jun 2025 12:20:18 +0200 Subject: [PATCH 44/55] Rebuilt for Python 3.14 --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 4c25528..3c8abf9 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -475,6 +475,9 @@ fi %changelog +* Tue Jun 03 2025 Python Maint - 1.1.0-8 +- Rebuilt for Python 3.14 + * Thu Jan 16 2025 Fedora Release Engineering - 1.1.0-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 8ca2e0c0934f7780584cca2fff51ff66c918c5f1 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 20:16:38 +0000 Subject: [PATCH 45/55] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 3c8abf9..fa917b6 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -475,6 +475,9 @@ fi %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 1.1.0-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Tue Jun 03 2025 Python Maint - 1.1.0-8 - Rebuilt for Python 3.14 From 787d2fc9453d827e9e4d4e15b83cd9773bc1c4ff Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 15 Aug 2025 12:46:21 +0200 Subject: [PATCH 46/55] Rebuilt for Python 3.14.0rc2 bytecode --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index fa917b6..018f5d0 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -475,6 +475,9 @@ fi %changelog +* Fri Aug 15 2025 Python Maint - 1.1.0-10 +- Rebuilt for Python 3.14.0rc2 bytecode + * Wed Jul 23 2025 Fedora Release Engineering - 1.1.0-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 96f951a7b46e32315c0018a874e2634dcf6154f8 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 20 Aug 2025 21:01:27 -0500 Subject: [PATCH 47/55] Migrate from from Python setup.py to Wheels. --- fail2ban.spec | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 3c8abf9..64847f0 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -279,11 +279,15 @@ sed -i 's|^/run/|/var/run/|' %{name}.fc sed -i "/use_2to3/d" setup.py +%generate_buildrequires +%pyproject_buildrequires + + %build %if 0%{?rhel} && 0%{?rhel} < 8 %py2_build %else -%py3_build +%pyproject_wheel %endif make -f %SOURCE6 
@@ -294,8 +298,11 @@ make -f %SOURCE6 # Make symbolic link relative ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python %else -%py3_install +%pyproject_install ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python +mv %{buildroot}%{python3_sitelib}/etc %{buildroot} +mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir} +rmdir %{buildroot}%{python3_sitelib}%{_prefix} %endif mkdir -p %{buildroot}%{_unitdir} @@ -310,6 +317,7 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ mkdir -p %{buildroot}%{_tmpfilesdir} install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d # Remove non-Linux actions rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf From 1e81dc17a061fe1481bc42c4a0a02886e5081805 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 20 Aug 2025 21:05:46 -0500 Subject: [PATCH 48/55] Move from setup.py to wheels per https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros. --- fail2ban.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index c30c794..1747ec4 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -483,6 +483,10 @@ fi %changelog +* Thu Aug 21 2025 Richard Shaw - 1.1.0-11 +- Move from setup.py to wheels per + https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros. + * Fri Aug 15 2025 Python Maint - 1.1.0-10 - Rebuilt for Python 3.14.0rc2 bytecode From 3534afe23c6cb3eaa5af4845e27755761737a9c8 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 19 Sep 2025 12:15:56 +0200 Subject: [PATCH 49/55] Rebuilt for Python 3.14.0rc3 bytecode --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
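Review bot: The three fix-up lines added after `%pyproject_install` carry no comment, and they only work while the target directories are absent. If `%{buildroot}/etc` or `%{buildroot}%{_datadir}` already exists when `mv %{buildroot}%{python3_sitelib}/etc %{buildroot}` and the `%{_datadir}` move run, `mv` nests the directory inside the existing one instead of replacing it. A comment such as `# the wheel installs config and data files under site-packages; relocate them before anything else populates the buildroot` would record that ordering constraint; that the wheel is the cause is inferred from the paths, not shown in the hunk.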
diff --git a/fail2ban.spec b/fail2ban.spec index 1747ec4..a0850e3 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -483,6 +483,9 @@ fi %changelog +* Fri Sep 19 2025 Python Maint - 1.1.0-12 +- Rebuilt for Python 3.14.0rc3 bytecode + * Thu Aug 21 2025 Richard Shaw - 1.1.0-11 - Move from setup.py to wheels per https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros. From 497c1cf25ac0e6fa9b5fb6e183728df50e2fcf05 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Thu, 9 Oct 2025 21:36:47 -0600 Subject: [PATCH 50/55] Fix paths in fail2ban.service (rhbz#2399981) --- fail2ban.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index a0850e3..44bf5d9 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 12%{?dist} +Release: 13%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -306,7 +306,9 @@ rmdir %{buildroot}%{python3_sitelib}%{_prefix} %endif mkdir -p %{buildroot}%{_unitdir} -cp -p build/fail2ban.service %{buildroot}%{_unitdir}/ +# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite +# so we will do our own modification +sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service mkdir -p %{buildroot}%{_mandir}/man{1,5} install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 @@ -483,6 +485,9 @@ fi %changelog +* Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 +- Fix paths in fail2ban.service (rhbz#2399981) + * Fri Sep 19 2025 Python Maint - 1.1.0-12 - Rebuilt for Python 3.14.0rc3 bytecode From cef4e690dbfee185c71854313a257ede2c103bae Mon Sep 17 00:00:00 2001 
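Review bot: In the `@@ -306,7 +306,9 @@` hunk the unit file is now created by a shell redirect, so its mode comes from the build umask rather than being set explicitly as the neighbouring `install -p -m 644` lines do, and nothing verifies the result of the substitution. The `sed` expression replaces only `@BINDIR@`; whether `files/fail2ban.service.in` contains other `@...@` placeholders is not visible here. I would follow the `sed` with `chmod 0644 %{buildroot}%{_unitdir}/fail2ban.service` and a guard such as `! grep -q '@[A-Z_]*@' %{buildroot}%{_unitdir}/fail2ban.service`, so a unit that still carries a placeholder or a build path fails the build instead of being shipped.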
From: Orion Poplawski Date: Sat, 11 Oct 2025 17:24:44 -0600 Subject: [PATCH 51/55] Cleanup old confitionals --- fail2ban.spec | 71 +++++---------------------------------------------- 1 file changed, 7 insertions(+), 64 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 44bf5d9..59c39ca 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -8,13 +8,10 @@ %if %{defined rhel} && 0%{?rhel} < 10 %define legacy_var_run 1 %endif -%if %{defined fedora} && 0%{?fedora} < 40 -%define legacy_var_run 1 -%endif Name: fail2ban Version: 1.1.0 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -57,24 +54,17 @@ Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c4 BuildArch: noarch -%if 0%{?rhel} && 0%{?rhel} < 8 -BuildRequires: python-devel -BuildRequires: python-setuptools -# For testcases -BuildRequires: python-inotify -%else BuildRequires: python3-devel BuildRequires: python3-setuptools # For testcases BuildRequires: python3-inotify -%endif # using a python3_version-based conditional does not work here, so # this is a proxy for "Python version greater than 3.12". asyncore # and asynchat were dropped from cpython core in 3.12, these modules # make them available again. See: # https://github.com/fail2ban/fail2ban/issues/3487 # https://bugzilla.redhat.com/show_bug.cgi?id=2219991 -%if 0%{?fedora} > 38 +%if 0%{?fedora} || 0%{?rhel} >= 10 BuildRequires: python3-pyasyncore BuildRequires: python3-pyasynchat %endif @@ -82,7 +72,7 @@ BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make -%if 0%{?fedora} >= 41 +%if 0%{?fedora} || 0%{?rhel} >= 11 BuildRequires: bash-completion-devel %else BuildRequires: bash-completion 
@@ -123,24 +113,14 @@ SELinux policies for Fail2Ban. %package server Summary: Core server component for Fail2Ban -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: systemd-python -Requires: ipset -Requires: iptables -%else Requires: python3-systemd Requires: nftables -%endif Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%if 0%{?fedora} || 0%{?rhel} >= 8 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) -%else -Requires: %{name}-selinux -%endif # see note above in BuildRequires section -%if 0%{?fedora} > 38 +%if 0%{?fedora} || 0%{?rhel} >= 10 Requires: python3-pyasyncore Requires: python3-pyasynchat %endif @@ -162,13 +142,7 @@ Requires: %{name}-server = %{version}-%{release} Requires: %{name}-shorewall = %{version}-%{release} %endif Requires: perl-interpreter -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: python-inotify -# No python3 support for gamin so epel only -Requires: gamin-python -%else Requires: python3-inotify -%endif Requires: /usr/bin/whois %description all @@ -258,11 +232,6 @@ by default. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# this test uses smtpd which is removed in Python 3.12, rewriting it -# isn't trivial -%if 0%{?fedora} > 38 -rm -f fail2ban/tests/action_d/test_smtp.py -%endif # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf 
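Review bot: In the `%prep` hunk (`@@ -258,11 +232,6 @@`) resolving `%if 0%{?fedora} > 38` deletes `rm -f fail2ban/tests/action_d/test_smtp.py` outright, although that was the branch taken on every Fedora release newer than 38, and the removed comment says the test needs `smtpd`, which is gone in Python 3.12. The `%check` hunk (`@@ -364,17 +323,7 @@`) likewise keeps the plain `fail2ban-testcases` call from the `%else` branch, so `testRepairDb` runs again where it was skipped for sqlite 3.42.0+. Unless the 1.1.0 test suite no longer needs either workaround, keep the true branch unconditionally: `rm -f fail2ban/tests/action_d/test_smtp.py` and `%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb`. PATCH 53/55 keeps the `rm -f` but makes the same `%check` choice in its `@@ -364,17 +315,7 @@` hunk.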
@@ -284,26 +253,16 @@ sed -i "/use_2to3/d" setup.py %build -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_build -%else %pyproject_wheel -%endif make -f %SOURCE6 %install -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_install -# Make symbolic link relative -ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python -%else %pyproject_install ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python mv %{buildroot}%{python3_sitelib}/etc %{buildroot} mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir} rmdir %{buildroot}%{python3_sitelib}%{_prefix} -%endif mkdir -p %{buildroot}%{_unitdir} # Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite @@ -364,17 +323,7 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion %check -%if 0%{?rhel} && 0%{?rhel} < 8 -%python2 bin/fail2ban-testcases --verbosity=2 --no-network -%else -%if 0%{?fedora} > 38 -# testRepairDb does not work with sqlite 3.42.0+ -# https://github.com/fail2ban/fail2ban/issues/3586 -%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb -%else %python3 bin/fail2ban-testcases --verbosity=2 --no-network -%endif -%endif %pre selinux @@ -414,13 +363,8 @@ fi %{_bindir}/fail2ban-python %{_bindir}/fail2ban-regex %{_bindir}/fail2ban-server -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/* -%exclude %{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/* %exclude %{python3_sitelib}/fail2ban/tests -%endif %{_unitdir}/fail2ban.service %{_datadir}/bash-completion/ %{_mandir}/man1/fail2ban.1* @@ -456,11 +400,7 @@ fi %files tests %{_bindir}/fail2ban-testcases %{_mandir}/man1/fail2ban-testcases.1* -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/fail2ban/tests -%endif %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf 
@@ -485,6 +425,9 @@ fi %changelog +* Sat Oct 11 2025 Orion Poplawski - 1.1.0-14 +- Cleanup old conditionals + * Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 - Fix paths in fail2ban.service (rhbz#2399981) From 283bb7f670f399e08fc7624d42e3d9e24f75d255 Mon Sep 17 00:00:00 2001 From: Filippo Bonazzi Date: Wed, 15 Oct 2025 12:27:20 +0200 Subject: [PATCH 52/55] fail2ban: allow fail2ban to watch all log files and dirs (bsc#1251952) --- fail2ban.te | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/fail2ban.te b/fail2ban.te index b19bdaa..5bc2394 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -99,22 +99,12 @@ logging_read_syslog_pid(fail2ban_t) logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) -allow fail2ban_t fail2ban_log_t:file watch; -gen_require(` - attribute logfile; -') -allow fail2ban_t logfile:dir { watch_dir_perms }; -allow fail2ban_t logfile:file { watch_file_perms }; # Not in EL9 yet #logging_watch_audit_log_files(fail2ban_t) -gen_require(` - type var_log_t, auditd_log_t; -') -watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t) -#logging_watch_audit_log_dirs(fail2ban_t) -allow fail2ban_t var_log_t:dir search_dir_perms; -watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t) -logging_watch_generic_log_dirs(fail2ban_t) +logging_watch_all_log_files(fail2ban_t) +logging_watch_all_log_dirs(fail2ban_t) +logging_watch_audit_log_files(fail2ban_t) +logging_watch_audit_log_dirs(fail2ban_t) logging_watch_journal_dir(fail2ban_t) mta_send_mail(fail2ban_t) From 1243b0dcffbaa69d475a2f5c6e340cee73d34cf9 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 31 Dec 2025 09:07:24 -0600 Subject: [PATCH 53/55] Remove obsolete distro version related conditionals. --- fail2ban.spec | 68 --------------------------------------------------- 1 file changed, 68 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 44bf5d9..d7945ec 100644 --- a/fail2ban.spec 
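Review bot: The `fail2ban.te` hunk keeps `# Not in EL9 yet` above the commented-out `#logging_watch_audit_log_files(fail2ban_t)` and then calls that same interface, together with `logging_watch_audit_log_dirs(fail2ban_t)`, unconditionally a few lines later. If the EL9 policy still lacks these interfaces the module will not compile there, so either guard the two calls with an m4 `ifdef` on the interface name or remove the stale comment and the commented-out line. The explicit `allow fail2ban_t fail2ban_log_t:file watch;` is also dropped; presumably `fail2ban_log_t` is covered by `logging_watch_all_log_files`, but a one-line comment saying so would make the next least-privilege review of this domain easier.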
+++ b/fail2ban.spec @@ -57,36 +57,17 @@ Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c4 BuildArch: noarch -%if 0%{?rhel} && 0%{?rhel} < 8 -BuildRequires: python-devel -BuildRequires: python-setuptools -# For testcases -BuildRequires: python-inotify -%else BuildRequires: python3-devel BuildRequires: python3-setuptools # For testcases BuildRequires: python3-inotify -%endif -# using a python3_version-based conditional does not work here, so -# this is a proxy for "Python version greater than 3.12". asyncore -# and asynchat were dropped from cpython core in 3.12, these modules -# make them available again. See: -# https://github.com/fail2ban/fail2ban/issues/3487 -# https://bugzilla.redhat.com/show_bug.cgi?id=2219991 -%if 0%{?fedora} > 38 BuildRequires: python3-pyasyncore BuildRequires: python3-pyasynchat -%endif BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make -%if 0%{?fedora} >= 41 BuildRequires: bash-completion-devel -%else -BuildRequires: bash-completion -%endif BuildRequires: gnupg2 # Default components @@ -123,27 +104,15 @@ SELinux policies for Fail2Ban. %package server Summary: Core server component for Fail2Ban -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: systemd-python -Requires: ipset -Requires: iptables -%else Requires: python3-systemd Requires: nftables -%endif Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%if 0%{?fedora} || 0%{?rhel} >= 8 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) -%else -Requires: %{name}-selinux -%endif # see note above in BuildRequires section -%if 0%{?fedora} > 38 Requires: python3-pyasyncore Requires: python3-pyasynchat -%endif %description server This package contains the core server components for Fail2Ban with minimal 
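Review bot: The `@@ -57,36 +57,17 @@` hunk deletes the comment explaining why `python3-pyasyncore` and `python3-pyasynchat` are required (asyncore and asynchat were dropped from CPython core in 3.12), yet the `%package server` hunk (`@@ -123,27 +104,15 @@`) still says `# see note above in BuildRequires section`. Keep a short form of the rationale above the two `BuildRequires` lines, for example `# asyncore/asynchat were dropped from CPython core in 3.12, see https://github.com/fail2ban/fail2ban/issues/3487`. That way the reference still resolves and the extra dependencies are not later removed as unexplained.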
@@ -162,13 +131,7 @@ Requires: %{name}-server = %{version}-%{release} Requires: %{name}-shorewall = %{version}-%{release} %endif Requires: perl-interpreter -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: python-inotify -# No python3 support for gamin so epel only -Requires: gamin-python -%else Requires: python3-inotify -%endif Requires: /usr/bin/whois %description all @@ -260,9 +223,7 @@ by default. %autosetup -p1 # this test uses smtpd which is removed in Python 3.12, rewriting it # isn't trivial -%if 0%{?fedora} > 38 rm -f fail2ban/tests/action_d/test_smtp.py -%endif # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -284,26 +245,16 @@ sed -i "/use_2to3/d" setup.py %build -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_build -%else %pyproject_wheel -%endif make -f %SOURCE6 %install -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_install -# Make symbolic link relative -ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python -%else %pyproject_install ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python mv %{buildroot}%{python3_sitelib}/etc %{buildroot} mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir} rmdir %{buildroot}%{python3_sitelib}%{_prefix} -%endif mkdir -p %{buildroot}%{_unitdir} # Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite @@ -364,17 +315,7 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion %check -%if 0%{?rhel} && 0%{?rhel} < 8 -%python2 bin/fail2ban-testcases --verbosity=2 --no-network -%else -%if 0%{?fedora} > 38 -# testRepairDb does not work with sqlite 3.42.0+ -# https://github.com/fail2ban/fail2ban/issues/3586 -%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb -%else %python3 bin/fail2ban-testcases --verbosity=2 --no-network -%endif -%endif %pre selinux 
@@ -414,13 +355,8 @@ fi %{_bindir}/fail2ban-python %{_bindir}/fail2ban-regex %{_bindir}/fail2ban-server -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/* -%exclude %{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/* %exclude %{python3_sitelib}/fail2ban/tests -%endif %{_unitdir}/fail2ban.service %{_datadir}/bash-completion/ %{_mandir}/man1/fail2ban.1* @@ -456,11 +392,7 @@ fi %files tests %{_bindir}/fail2ban-testcases %{_mandir}/man1/fail2ban-testcases.1* -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/fail2ban/tests -%endif %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf From 6d5ba5175848a0110fc723eca675f51401a6bfff Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 31 Dec 2025 11:56:31 -0600 Subject: [PATCH 54/55] Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. --- ...4c060cdc233af9a6deeb85a6523da0416f31.patch | 60 +++++++++++++++++++ fail2ban.spec | 8 ++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 04ff4c060cdc233af9a6deeb85a6523da0416f31.patch diff --git a/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch b/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch new file mode 100644 index 0000000..cb6d5c2 --- /dev/null +++ b/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch 
@@ -0,0 +1,60 @@ +From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001 +From: Nic Boet +Date: Fri, 13 Jun 2025 16:44:57 -0500 +Subject: [PATCH] Dovecot 2.4 filter support + +Dovecot 2.4 release is a major upgrade +Logger event structure has changed, all messages are now +prefixed with: + + "Login aborted: " "auth failed" + +Maintain 2.3 support as many folks have yet to migrate, +community edition is still receiving cretial security patches + +Dovecot 2.4.1 +Python 3.12.10 + +Signed-off-by: Nic Boet +--- + config/filter.d/dovecot.conf | 2 ++ + fail2ban/tests/files/logs/dovecot | 6 ++++++ + 2 files changed, 8 insertions(+) + +diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf +index dc3ebbcd42..f49eebe726 100644 +--- a/config/filter.d/dovecot.conf ++++ b/config/filter.d/dovecot.conf +@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a + + failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ + ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++ ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<[^>]*>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$ + ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) + > +@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N + # DEV Notes: + # * the first regex is essentially a copy of pam-generic.conf + # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) ++# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support + # + # Author: Martin Waschbuesch + # Daniel Black (rewrote with begin and end anchors) +diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot +index 0e33296129..4f5a0b7867 100644 +--- a/fail2ban/tests/files/logs/dovecot ++++ b/fail2ban/tests/files/logs/dovecot +@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem + # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" } + Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210 + ++# Dovecot version 2.4 ++# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" } ++Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan> ++# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": 
"192.0.2.241" } ++Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session= ++ + # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" } + Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session= + diff --git a/fail2ban.spec b/fail2ban.spec index d7945ec..6ca2a95 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -53,6 +53,9 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728 # Upstream fix to also catch sshd-session logs # https://bugzilla.redhat.com/show_bug.cgi?id=2332945 Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch +# Needed for Dovecot change to loging format in 2.4 but has not fail2ban version 1.1.0 +# https://bugzilla.redhat.com/show_bug.cgi?id=2426440 +Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch BuildArch: noarch @@ -417,6 +420,9 @@ fi %changelog +* Wed Dec 31 2025 Richard Shaw - 1.1.0-14 +- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. + * Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 - Fix paths in fail2ban.service (rhbz#2399981) From 800dd5db0fa0fd497dcd325d2cb628606b327a03 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 31 Dec 2025 12:04:38 -0600 Subject: [PATCH 55/55] Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. --- fail2ban.spec | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 6ca2a95..6ca56b5 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
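Review bot: The `failregex` line added for Dovecot 2.4 puts an unbounded `.*?` between `Login aborted:` and the parenthesised failure reason, whereas the 2.3 line directly above it allows only the fixed alternation and `%(_bypass_reject_reason)s` in that position. A fail2ban filter decides which address gets banned from log text that remote clients can partly influence, so free-text stretches are better bounded. Replacing `.*?` with a class such as `[^()]*` still matches both 2.4 samples shown here, though other 2.4 reason strings would need checking against upstream before adopting it. Both samples added to `fail2ban/tests/files/logs/dovecot` are `"match": true`; a `"match": false` sample for a `Login aborted` line with no failed authentication would pin the boundary before this ships as `Patch6`.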
@@ -8,13 +8,10 @@ %if %{defined rhel} && 0%{?rhel} < 10 %define legacy_var_run 1 %endif -%if %{defined fedora} && 0%{?fedora} < 40 -%define legacy_var_run 1 -%endif Name: fail2ban Version: 1.1.0 -Release: 14%{?dist} +Release: 15%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -53,7 +50,7 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728 # Upstream fix to also catch sshd-session logs # https://bugzilla.redhat.com/show_bug.cgi?id=2332945 Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch -# Needed for Dovecot change to loging format in 2.4 but has not fail2ban version 1.1.0 +# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1. # https://bugzilla.redhat.com/show_bug.cgi?id=2426440 Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch @@ -64,13 +61,25 @@ BuildRequires: python3-devel BuildRequires: python3-setuptools # For testcases BuildRequires: python3-inotify +# using a python3_version-based conditional does not work here, so +# this is a proxy for "Python version greater than 3.12". asyncore +# and asynchat were dropped from cpython core in 3.12, these modules +# make them available again. See: +# https://github.com/fail2ban/fail2ban/issues/3487 +# https://bugzilla.redhat.com/show_bug.cgi?id=2219991 +%if 0%{?fedora} || 0%{?rhel} >= 10 BuildRequires: python3-pyasyncore BuildRequires: python3-pyasynchat +%endif BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make +%if 0%{?fedora} || 0%{?rhel} >= 11 BuildRequires: bash-completion-devel +%else +BuildRequires: bash-completion +%endif BuildRequires: gnupg2 # Default components 
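Review bot: The comment added above the `python3-pyasyncore` / `python3-pyasynchat` `BuildRequires` contradicts itself: it calls the guard a proxy for "Python version greater than 3.12" and then says the modules were dropped in 3.12, so it should read `# this is a proxy for "Python 3.12 or later"`. The same guard, `%if 0%{?fedora} || 0%{?rhel} >= 10`, is repeated around the runtime `Requires` in the `@@ -114,8 +123,10 @@` hunk. The two copies have to stay identical, or a build can pass `%check` with modules that the installed server package then lacks. Defining the condition once, for example `%global with_pyasync 1` inside that `%if` and `%if 0%{?with_pyasync}` at both sites, removes the chance of drift.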
@@ -114,8 +123,10 @@ Requires(preun): systemd Requires(postun): systemd Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) # see note above in BuildRequires section +%if 0%{?fedora} || 0%{?rhel} >= 10 Requires: python3-pyasyncore Requires: python3-pyasynchat +%endif %description server This package contains the core server components for Fail2Ban with minimal @@ -224,9 +235,6 @@ by default. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# this test uses smtpd which is removed in Python 3.12, rewriting it -# isn't trivial -rm -f fail2ban/tests/action_d/test_smtp.py # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -420,9 +428,12 @@ fi %changelog -* Wed Dec 31 2025 Richard Shaw - 1.1.0-14 +* Wed Dec 31 2025 Richard Shaw - 1.1.0-15 - Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. +* Sat Oct 11 2025 Orion Poplawski - 1.1.0-14 +- Cleanup old conditionals + * Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 - Fix paths in fail2ban.service (rhbz#2399981)