From 349c5c98fa6358e7d23e71356500e92f17fb8508 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 7 Jun 2024 18:57:17 +0200 Subject: [PATCH 01/25] Rebuilt for Python 3.13 --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 5754b2c..7211057 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.0.2 -Release: 15%{?dist} +Release: 16%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -473,6 +473,9 @@ fi %changelog +* Fri Jun 07 2024 Python Maint - 1.0.2-16 +- Rebuilt for Python 3.13 + * Sat May 11 2024 Todd Zullinger - 1.0.2-15 - Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054) From a5fe885227924681832861ebb50c620d472ba943 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Fri, 14 Jun 2024 19:39:10 -0500 Subject: [PATCH 02/25] Update to 1.1.0 for Python 3.13 support. --- ...7e1e93936f09e349e80d94254e5f43d0cc8a.patch | 23 --- ...41e5309b417a3c7a84fa8f03cf4f93831f1b.patch | 148 ++++++++++++++++++ fail2ban.spec | 18 +-- sources | 3 +- 4 files changed, 157 insertions(+), 35 deletions(-) delete mode 100644 432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch create mode 100644 ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch diff --git a/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch b/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch deleted file mode 100644 index 74f2739..0000000 --- a/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001 -From: "Sergey G. Brester" -Date: Mon, 28 Nov 2022 13:21:15 +0100 -Subject: [PATCH] no warning if no config value but default (debug message now) - -closes #3420 ---- - fail2ban/client/configreader.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py -index 1b5a56a27c..c7f965ce52 100644 ---- a/fail2ban/client/configreader.py -+++ b/fail2ban/client/configreader.py -@@ -277,7 +277,7 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False, convert=Tru - # TODO: validate error handling here. - except NoOptionError: - if not optvalue is None: -- logSys.warning("'%s' not defined in '%s'. Using default one: %r" -+ logSys.debug("'%s' not defined in '%s'. Using default one: %r" - % (optname, sec, optvalue)) - values[optname] = optvalue - # elif logSys.getEffectiveLevel() <= logLevel: diff --git a/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch b/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch new file mode 100644 index 0000000..3dc9890 --- /dev/null +++ b/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch @@ -0,0 +1,148 @@ +From ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b Mon Sep 17 00:00:00 2001 +From: sebres +Date: Fri, 14 Jun 2024 14:31:21 +0200 +Subject: [PATCH] beautifier detect whether it can use unicode chars in stats + table; asciified output of beautifier in test suite; closes gh-3750 + +--- + fail2ban/client/beautifier.py | 51 ++++++++++++++-------- + fail2ban/tests/clientbeautifiertestcase.py | 22 ++++++---- + 2 files changed, 45 insertions(+), 28 deletions(-) + +diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py +index 7ef173a655..21c49b9483 100644 +--- a/fail2ban/client/beautifier.py ++++ b/fail2ban/client/beautifier.py +@@ -21,8 +21,10 @@ + __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko" + __license__ = "GPL" + ++import sys ++ + from ..exceptions import UnknownJailException, DuplicateJailException +-from ..helpers import getLogger, logging ++from ..helpers import getLogger, logging, PREFER_ENC + + # Gets the instance of the logger. + logSys = getLogger(__name__) +@@ -36,6 +38,11 @@ + + class Beautifier: + ++ stdoutEnc = PREFER_ENC ++ if sys.stdout and sys.stdout.encoding is not None: ++ stdoutEnc = sys.stdout.encoding ++ encUtf = 1 if stdoutEnc.lower() == 'utf-8' else 0 ++ + def __init__(self, cmd = None): + self.__inputCmd = cmd + +@@ -104,7 +111,11 @@ def jail_stat(response, pref=""): + jail_stat(j, " " if i == len(jstat) else " | ") + msg = "\n".join(msg) + elif inC[0:1] == ['stats'] or inC[0:1] == ['statistics']: +- def _statstable(response): ++ chrTable = [ ++ ['|', '-', '|', 'x', 'x', '-', '|', '-'], ## ascii ++ ["\u2551", "\u2550", "\u255F", "\u256B", "\u256C", "\u2569", "\u2502", "\u2500"] ## utf-8 ++ ]; ++ def _statstable(response, ct): + tophead = ["Jail", "Backend", "Filter", "Actions"] + headers = ["", "", "cur", "tot", "cur", "tot"] + minlens = [8, 8, 3, 3, 3, 3] +@@ -120,29 +131,31 @@ def _statstable(response): + f = "%%%ds" if ralign[i] else "%%-%ds" + rfmt.append(f % lens[i]) + hfmt.append(f % lens[i]) +- rfmt = [rfmt[0], rfmt[1], "%s \u2502 %s" % (rfmt[2], rfmt[3]), "%s \u2502 %s" % (rfmt[4], rfmt[5])] +- hfmt = [hfmt[0], hfmt[1], "%s \u2502 %s" % (hfmt[2], hfmt[3]), "%s \u2502 %s" % (hfmt[4], hfmt[5])] ++ rfmt = [rfmt[0], rfmt[1], "%s %s %s" % (rfmt[2], ct[6], rfmt[3]), "%s %s %s" % (rfmt[4], ct[6], rfmt[5])] ++ hfmt = [hfmt[0], hfmt[1], "%s %s %s" % (hfmt[2], ct[6], hfmt[3]), "%s %s %s" % (hfmt[4], ct[6], hfmt[5])] + tlens = [lens[0], lens[1], 3 + lens[2] + lens[3], 3 + lens[4] + lens[5]] + tfmt = [hfmt[0], hfmt[1], "%%-%ds" % (tlens[2],), "%%-%ds" % (tlens[3],)] + tsep = tfmt[0:2] +- rfmt = " \u2551 ".join(rfmt) +- hfmt = " \u2551 ".join(hfmt) +- tfmt = " \u2551 ".join(tfmt) +- tsep = " \u2551 ".join(tsep) +- separator = ((tsep % tuple(tophead[0:2])) + " \u255F\u2500" + +- ("\u2500\u256B\u2500".join(['\u2500' * n for n in tlens[2:]])) + '\u2500') ++ rfmt = (" "+ct[0]+" ").join(rfmt) ++ hfmt = (" "+ct[0]+" ").join(hfmt) ++ tfmt = (" "+ct[0]+" ").join(tfmt) ++ tsep = (" "+ct[0]+" ").join(tsep) ++ separator = ((tsep % tuple(tophead[0:2])) + " "+ct[2]+ct[7] + ++ ((ct[7]+ct[3]+ct[7]).join([ct[7] * n for n in tlens[2:]])) + ct[7]) + ret = [] +- ret.append(tfmt % tuple(["", ""]+tophead[2:])) +- ret.append(separator) +- ret.append(hfmt % tuple(headers)) +- separator = "\u2550\u256C\u2550".join(['\u2550' * n for n in tlens]) + '\u2550' +- ret.append(separator) ++ ret.append(" "+tfmt % tuple(["", ""]+tophead[2:])) ++ ret.append(" "+separator) ++ ret.append(" "+hfmt % tuple(headers)) ++ separator = (ct[1]+ct[4]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1] ++ ret.append(ct[1]+separator) + for row in rows: +- ret.append(rfmt % tuple(row)) +- separator = "\u2550\u2569\u2550".join(['\u2550' * n for n in tlens]) + '\u2550' +- ret.append(separator) ++ ret.append(" "+rfmt % tuple(row)) ++ separator = (ct[1]+ct[5]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1] ++ ret.append(ct[1]+separator) + return ret +- msg = "\n".join(_statstable(response)) ++ if not response: ++ return "No jails found." ++ msg = "\n".join(_statstable(response, chrTable[self.encUtf])) + elif len(inC) < 2: + pass # to few cmd args for below + elif inC[1] == "syslogsocket": +diff --git a/fail2ban/tests/clientbeautifiertestcase.py b/fail2ban/tests/clientbeautifiertestcase.py +index defedbe1bf..5fcb240479 100644 +--- a/fail2ban/tests/clientbeautifiertestcase.py ++++ b/fail2ban/tests/clientbeautifiertestcase.py +@@ -34,6 +34,7 @@ def setUp(self): + """ Call before every test case """ + super(BeautifierTest, self).setUp() + self.b = Beautifier() ++ self.b.encUtf = 0; ## we prefer ascii in test suite (see #3750) + + def tearDown(self): + """ Call after every test case """ +@@ -170,22 +171,25 @@ def testStatus(self): + + def testStatusStats(self): + self.b.setInputCmd(["stats"]) ++ ## no jails: ++ self.assertEqual(self.b.beautify({}), "No jails found.") ++ ## 3 jails: + response = { + "ssh": ["systemd", (3, 6), (12, 24)], + "exim4": ["pyinotify", (6, 12), (20, 20)], + "jail-with-long-name": ["polling", (0, 0), (0, 0)] + } + output = ("" +- + " ? ? Filter ? Actions \n" +- + "Jail ? Backend ????????????????????????\n" +- + " ? ? cur ? tot ? cur ? tot\n" +- + "????????????????????????????????????????????????????????\n" +- + "ssh ? systemd ? 3 ? 6 ? 12 ? 24\n" +- + "exim4 ? pyinotify ? 6 ? 12 ? 20 ? 20\n" +- + "jail-with-long-name ? polling ? 0 ? 0 ? 0 ? 0\n" +- + "????????????????????????????????????????????????????????" ++ + " | | Filter | Actions \n" ++ + " Jail | Backend |-----------x-----------\n" ++ + " | | cur | tot | cur | tot\n" ++ + "---------------------x-----------x-----------x-----------\n" ++ + " ssh | systemd | 3 | 6 | 12 | 24\n" ++ + " exim4 | pyinotify | 6 | 12 | 20 | 20\n" ++ + " jail-with-long-name | polling | 0 | 0 | 0 | 0\n" ++ + "---------------------------------------------------------" + ) +- response = self.b.beautify(response).encode('ascii', 'replace').decode('ascii') ++ response = self.b.beautify(response) + self.assertEqual(response, output) + + diff --git a/fail2ban.spec b/fail2ban.spec index 7211057..bfda77b 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -13,8 +13,8 @@ %endif Name: fail2ban -Version: 1.0.2 -Release: 16%{?dist} +Version: 1.1.0 +Release: 1%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -41,11 +41,11 @@ Source6: Makefile # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 Patch0: fail2ban-partof.patch -# Remove warning about allowipv6 from startup -Patch2: https://github.com/fail2ban/fail2ban/commit/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch # default port in jail.conf is not compatible with firewalld-cmd syntax # https://bugzilla.redhat.com/show_bug.cgi?id=1850164 -Patch3: fail2ban-nftables.patch +Patch1: fail2ban-nftables.patch +# Work around encoding issues during tests +Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch BuildArch: noarch @@ -58,7 +58,6 @@ BuildRequires: python-inotify %else BuildRequires: python3-devel BuildRequires: python3-setuptools -BuildRequires: /usr/bin/2to3 # For testcases BuildRequires: python3-inotify %endif @@ -260,10 +259,6 @@ rm -f fail2ban/tests/action_d/test_smtp.py # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf -%if 0%{?fedora} || 0%{?rhel} >= 8 -2to3 --write --nobackups . -find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} + -%endif # SELinux sources cp -p %SOURCE3 %SOURCE4 %SOURCE5 . @@ -473,6 +468,9 @@ fi %changelog +* Wed Jun 12 2024 Richard Shaw - 1.1.0-1 +- Update to 1.1.0 for Python 3.13 support. + * Fri Jun 07 2024 Python Maint - 1.0.2-16 - Rebuilt for Python 3.13 diff --git a/sources b/sources index 0300c30..934b139 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (fail2ban-1.0.2.tar.gz) = 688a84361b5794e1658f53d2d200ce752fe1e3320ddb1742c32c4b4b82a79ace16ae464e7ea3eeb94a0e862bcac73c2d3a0e61dd7b28e179a4c857f950d74dbb -SHA512 (fail2ban-1.0.2.tar.gz.asc) = 1c0af7e454d52879788d9728010a68159a94668d93799da5533999e8c821db87f651b3606347af16fd92a4540a7a343dc682f72bb3bab14e3666f848883d8644 +SHA512 (fail2ban-1.1.0.tar.gz) = 9bff7b9c41e58a953901800468e5c4153c9db6af01c7eb18111ad8620b40d03a0771020472fb759b2809d250e2bb45471e6c7e8283e72ea48290ecf7bf921821 From a9e460f2e2eb080b8435d52130406721fec7a17c Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Fri, 14 Jun 2024 19:53:30 -0500 Subject: [PATCH 03/25] Upload checksum file. --- .gitignore | 1 - fail2ban-1.1.0.tar.gz.asc | 11 +++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 fail2ban-1.1.0.tar.gz.asc diff --git a/.gitignore b/.gitignore index e633b53..082f70a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ /fail2ban-*/ -/fail2ban-*.tar.gz* diff --git a/fail2ban-1.1.0.tar.gz.asc b/fail2ban-1.1.0.tar.gz.asc new file mode 100644 index 0000000..f764f97 --- /dev/null +++ b/fail2ban-1.1.0.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K +iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc +yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu +ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf +9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr +jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH +MTZipOHHYPx/7IyKJJvB1p1gvmOxyg== +=qvry +-----END PGP SIGNATURE----- From ee0aa3906976fbbe49516aa0ff3aa4529fd2e763 Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Fri, 12 Jul 2024 11:06:05 +0200 Subject: [PATCH 04/25] Use SPDX license identifier Signed-off-by: Nils Philippsen --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index bfda77b..0c46fbb 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -17,7 +17,7 @@ Version: 1.1.0 Release: 1%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors -License: GPLv2+ +License: GPL-2.0-or-later URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc @@ -468,6 +468,9 @@ fi %changelog +* Fri Jul 12 2024 Nils Philippsen +- Use SPDX license identifier + * Wed Jun 12 2024 Richard Shaw - 1.1.0-1 - Update to 1.1.0 for Python 3.13 support. From 2620a99049a9008a6b32ddafd83845c594dff74e Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Fri, 12 Jul 2024 11:07:15 +0200 Subject: [PATCH 05/25] Use https upstream URL Signed-off-by: Nils Philippsen --- fail2ban.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 0c46fbb..b28b250 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -18,7 +18,7 @@ Release: 1%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later -URL: http://fail2ban.sourceforge.net/ +URL: https://fail2ban.sourceforge.net Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc # Releases are signed by Serg G. Brester (sebres) . The @@ -470,6 +470,7 @@ fi %changelog * Fri Jul 12 2024 Nils Philippsen - Use SPDX license identifier +- Use https upstream URL * Wed Jun 12 2024 Richard Shaw - 1.1.0-1 - Update to 1.1.0 for Python 3.13 support. From a549d7607bfebe1f34e4da1097a5cebd370812aa Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Fri, 12 Jul 2024 11:07:31 +0200 Subject: [PATCH 06/25] Bump release Signed-off-by: Nils Philippsen --- fail2ban.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index b28b250..6bbcde7 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -468,7 +468,7 @@ fi %changelog -* Fri Jul 12 2024 Nils Philippsen +* Fri Jul 12 2024 Nils Philippsen - 1.1.0-2 - Use SPDX license identifier - Use https upstream URL From 6d7a157679b87ebd5e2a7d6b2af816f563299687 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 22:41:28 +0000 Subject: [PATCH 07/25] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 6bbcde7..5045b2e 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -468,6 +468,9 @@ fi %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 1.1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Fri Jul 12 2024 Nils Philippsen - 1.1.0-2 - Use SPDX license identifier - Use https upstream URL From f5c4652fbf39e280dc9332057fe6c8ef67003b3e Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Sat, 28 Sep 2024 15:00:29 -0500 Subject: [PATCH 08/25] Add patch to deal with changes to OpenSSL log output. --- 3782.patch | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++ fail2ban.spec | 7 +++- 2 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 3782.patch diff --git a/3782.patch b/3782.patch new file mode 100644 index 0000000..764db01 --- /dev/null +++ b/3782.patch @@ -0,0 +1,94 @@ +From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001 +From: Fabian Dellwing +Date: Tue, 2 Jul 2024 07:54:15 +0200 +Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name + +--- + config/filter.d/sshd.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf +index 1c8a02deb5..a1fd749aed 100644 +--- a/config/filter.d/sshd.conf ++++ b/config/filter.d/sshd.conf +@@ -16,7 +16,7 @@ before = common.conf + + [DEFAULT] + +-_daemon = sshd ++_daemon = (?:sshd(?:-session)?) + + # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " + __pref = (?:(?:error|fatal): (?:PAM: )?)? + +From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Wed, 3 Jul 2024 19:09:28 +0200 +Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782 + +--- + fail2ban/tests/files/logs/sshd | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd +index ed54ded4d4..7d3948ed80 100644 +--- a/fail2ban/tests/files/logs/sshd ++++ b/fail2ban/tests/files/logs/sshd +@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa + # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" } + Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1 + ++# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" } ++Jul 3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2 ++ + #3 + # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" } + Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4 + +From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Wed, 3 Jul 2024 19:33:39 +0200 +Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new + sshd-session log format + +--- + fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf +index ad8adeb69f..14256ba68c 100644 +--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf ++++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf +@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf + + [DEFAULT] + +-_daemon = sshd ++_daemon = sshd(?:-session)? + + # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " + __pref = (?:(?:error|fatal): (?:PAM: )?)? + +From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Wed, 3 Jul 2024 19:35:28 +0200 +Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon) + +--- + config/filter.d/sshd.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf +index a1fd749aed..3a84b1ba52 100644 +--- a/config/filter.d/sshd.conf ++++ b/config/filter.d/sshd.conf +@@ -16,7 +16,7 @@ before = common.conf + + [DEFAULT] + +-_daemon = (?:sshd(?:-session)?) ++_daemon = sshd(?:-session)? + + # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " + __pref = (?:(?:error|fatal): (?:PAM: )?)? + diff --git a/fail2ban.spec b/fail2ban.spec index 5045b2e..796cec2 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -46,6 +46,8 @@ Patch0: fail2ban-partof.patch Patch1: fail2ban-nftables.patch # Work around encoding issues during tests Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2315252 +Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch BuildArch: noarch @@ -468,6 +470,9 @@ fi %changelog +* Sat Sep 28 2024 Richard Shaw - 1.1.0-4 +- Add patch to deal with changes to OpenSSL log output. + * Wed Jul 17 2024 Fedora Release Engineering - 1.1.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From aeb6d90f3c4097da942e35b359b8645e283b0c3d Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Tue, 15 Oct 2024 21:07:36 -0500 Subject: [PATCH 09/25] Add upstream patch for python distutils removal. --- fail2ban.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 796cec2..bd0cde2 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -48,6 +48,8 @@ Patch1: fail2ban-nftables.patch Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2315252 Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2295265 +Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch BuildArch: noarch @@ -470,6 +472,9 @@ fi %changelog +* Wed Oct 16 2024 Richard Shaw - 1.1.0-5 +- Add upstream patch for python distutils removal. + * Sat Sep 28 2024 Richard Shaw - 1.1.0-4 - Add patch to deal with changes to OpenSSL log output. From 086c68ba34b53602d7b8dbc56ba7637f5fa83d8f Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Tue, 15 Oct 2024 21:11:32 -0500 Subject: [PATCH 10/25] Add patch. --- 3728.patch | 160 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 3728.patch diff --git a/3728.patch b/3728.patch new file mode 100644 index 0000000..b25c4a9 --- /dev/null +++ b/3728.patch @@ -0,0 +1,160 @@ +From a763fbbdfd6486e372965b4009eb3fe5db346718 Mon Sep 17 00:00:00 2001 +From: Branch Vincent +Date: Sat, 27 Apr 2024 10:24:01 -0700 +Subject: [PATCH 1/3] replace distutils for python 3.12 + +--- + doc/conf.py | 5 +---- + fail2ban/server/filterpyinotify.py | 3 +-- + fail2ban/server/filtersystemd.py | 3 +-- + 3 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/doc/conf.py b/doc/conf.py +index 20845a5a0e..48d27f7062 100644 +--- a/doc/conf.py ++++ b/doc/conf.py +@@ -47,12 +47,9 @@ + # + + from fail2ban.version import version as fail2ban_version +-from distutils.version import LooseVersion +- +-fail2ban_loose_version = LooseVersion(fail2ban_version) + + # The short X.Y version. +-version = ".".join(str(_) for _ in fail2ban_loose_version.version[:2]) ++version = ".".join(str(_) for _ in fail2ban_version.split(".")[:2]) + # The full version, including alpha/beta/rc tags. + release = fail2ban_version + +diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py +index 81bc7de393..c6972ced3f 100644 +--- a/fail2ban/server/filterpyinotify.py ++++ b/fail2ban/server/filterpyinotify.py +@@ -24,7 +24,6 @@ + __license__ = "GPL" + + import logging +-from distutils.version import LooseVersion + import os + from os.path import dirname, sep as pathsep + +@@ -38,7 +37,7 @@ + + + if not hasattr(pyinotify, '__version__') \ +- or LooseVersion(pyinotify.__version__) < '0.8.3': # pragma: no cover ++ or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover + raise ImportError("Fail2Ban requires pyinotify >= 0.8.3") + + # Verify that pyinotify is functional on this system +diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py +index 5aea9fdadc..2d4f862b97 100644 +--- a/fail2ban/server/filtersystemd.py ++++ b/fail2ban/server/filtersystemd.py +@@ -24,10 +24,9 @@ + + import os + import time +-from distutils.version import LooseVersion + + from systemd import journal +-if LooseVersion(getattr(journal, '__version__', "0")) < '204': ++if getattr(journal, "__version__", "0").split(".") < "204".split("."): + raise ImportError("Fail2Ban requires systemd >= 204") + + from .failmanager import FailManagerEmpty + +From ed20a9a5b9039319dd8913dfecf640e6eafee28b Mon Sep 17 00:00:00 2001 +From: sebres +Date: Tue, 7 May 2024 12:51:14 +0200 +Subject: [PATCH 2/3] there is no systemd < 204 and pyinotify < 0.8.3 for + supported python3 versions anymore + +--- + fail2ban/server/filterpyinotify.py | 4 ---- + fail2ban/server/filtersystemd.py | 2 -- + 2 files changed, 6 deletions(-) + +diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py +index c6972ced3f..f2f31e6fb5 100644 +--- a/fail2ban/server/filterpyinotify.py ++++ b/fail2ban/server/filterpyinotify.py +@@ -36,10 +36,6 @@ + from ..helpers import getLogger + + +-if not hasattr(pyinotify, '__version__') \ +- or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover +- raise ImportError("Fail2Ban requires pyinotify >= 0.8.3") +- + # Verify that pyinotify is functional on this system + # Even though imports -- might be dysfunctional, e.g. as on kfreebsd + try: +diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py +index 2d4f862b97..abd66e1f76 100644 +--- a/fail2ban/server/filtersystemd.py ++++ b/fail2ban/server/filtersystemd.py +@@ -26,8 +26,6 @@ + import time + + from systemd import journal +-if getattr(journal, "__version__", "0").split(".") < "204".split("."): +- raise ImportError("Fail2Ban requires systemd >= 204") + + from .failmanager import FailManagerEmpty + from .filter import JournalFilter, Filter + +From 0185e1c7d5e6534ab212462dd2aeab6f89e2fb50 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Tue, 7 May 2024 13:06:50 +0200 +Subject: [PATCH 3/3] setup.py: no distutils anymore + +--- + setup.py | 25 ++++++------------------- + 1 file changed, 6 insertions(+), 19 deletions(-) + +diff --git a/setup.py b/setup.py +index 9f7bd8fb59..ee9ea4df82 100755 +--- a/setup.py ++++ b/setup.py +@@ -24,23 +24,10 @@ + + import platform + +-try: +- import setuptools +- from setuptools import setup +- from setuptools.command.install import install +- from setuptools.command.install_scripts import install_scripts +- from setuptools.command.build_py import build_py +- build_scripts = None +-except ImportError: +- setuptools = None +- from distutils.core import setup +- +-# older versions +-if setuptools is None: +- from distutils.command.build_py import build_py +- from distutils.command.build_scripts import build_scripts +- from distutils.command.install import install +- from distutils.command.install_scripts import install_scripts ++import setuptools ++from setuptools import setup ++from setuptools.command.install import install ++from setuptools.command.install_scripts import install_scripts + + import os + from os.path import isfile, join, isdir, realpath +@@ -207,9 +194,9 @@ def run(self): + url = "http://www.fail2ban.org", + license = "GPL", + platforms = "Posix", +- cmdclass = dict({'build_py': build_py, 'build_scripts': build_scripts} if build_scripts else {}, **{ ++ cmdclass = { + 'install_scripts': install_scripts_f2b, 'install': install_command_f2b +- }), ++ }, + scripts = [ + 'bin/fail2ban-client', + 'bin/fail2ban-server', From ffd8fd89f46b7ccae21928d275de989807a29c82 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 18 Dec 2024 21:57:34 -0700 Subject: [PATCH 11/25] Update URL to www.fail2ban.org --- fail2ban.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index bd0cde2..0db84f9 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -18,7 +18,7 @@ Release: 5%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later -URL: https://fail2ban.sourceforge.net +URL: https://www.fail2ban.org Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc # Releases are signed by Serg G. Brester (sebres) . The From f82f7572438d40d2bb803bd772944ea8074b8d46 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 18 Dec 2024 22:06:26 -0700 Subject: [PATCH 12/25] Add upstream fix for sshd filter (rhbz#2332945) --- ...effceb998b73545073ac59c479d9d9bf19a4.patch | 23 +++++++++++++++++++ fail2ban.spec | 8 ++++++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 54c0effceb998b73545073ac59c479d9d9bf19a4.patch diff --git a/54c0effceb998b73545073ac59c479d9d9bf19a4.patch b/54c0effceb998b73545073ac59c479d9d9bf19a4.patch new file mode 100644 index 0000000..e606591 --- /dev/null +++ b/54c0effceb998b73545073ac59c479d9d9bf19a4.patch @@ -0,0 +1,23 @@ +From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Sun, 11 Aug 2024 12:10:12 +0200 +Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version + would log with `_COMM=sshd-session`) + +--- + config/filter.d/sshd.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf +index 206b913a78..595e957f0b 100644 +--- a/config/filter.d/sshd.conf ++++ b/config/filter.d/sshd.conf +@@ -126,7 +126,7 @@ ignoreregex = + + maxlines = 1 + +-journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd ++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session + + # DEV Notes: + # diff --git a/fail2ban.spec b/fail2ban.spec index 0db84f9..d9176f1 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -50,6 +50,9 @@ Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03 Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295265 Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch +# Upstream fix to also catch sshd-session logs +# https://bugzilla.redhat.com/show_bug.cgi?id=2332945 +Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch BuildArch: noarch @@ -472,6 +475,9 @@ fi %changelog +* Thu Dec 19 2024 Orion Poplawski - 1.1.0-6 +- Add upstream fix for sshd filter (rhbz#2332945) + * Wed Oct 16 2024 Richard Shaw - 1.1.0-5 - Add upstream patch for python distutils removal. From 427d59c82c26c01625dd7ce55fcd392b61177785 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 17:46:20 +0000 Subject: [PATCH 13/25] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index d9176f1..4c25528 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -475,6 +475,9 @@ fi %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 1.1.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Thu Dec 19 2024 Orion Poplawski - 1.1.0-6 - Add upstream fix for sshd filter (rhbz#2332945) From e05e420f1136e7e279af42e8fb87ada5ea61c7f3 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 3 Jun 2025 12:20:18 +0200 Subject: [PATCH 14/25] Rebuilt for Python 3.14 --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 4c25528..3c8abf9 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -475,6 +475,9 @@ fi %changelog +* Tue Jun 03 2025 Python Maint - 1.1.0-8 +- Rebuilt for Python 3.14 + * Thu Jan 16 2025 Fedora Release Engineering - 1.1.0-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 8ca2e0c0934f7780584cca2fff51ff66c918c5f1 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 20:16:38 +0000 Subject: [PATCH 15/25] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 3c8abf9..fa917b6 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -475,6 +475,9 @@ fi %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 1.1.0-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Tue Jun 03 2025 Python Maint - 1.1.0-8 - Rebuilt for Python 3.14 From 787d2fc9453d827e9e4d4e15b83cd9773bc1c4ff Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 15 Aug 2025 12:46:21 +0200 Subject: [PATCH 16/25] Rebuilt for Python 3.14.0rc2 bytecode --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index fa917b6..018f5d0 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -475,6 +475,9 @@ fi %changelog +* Fri Aug 15 2025 Python Maint - 1.1.0-10 +- Rebuilt for Python 3.14.0rc2 bytecode + * Wed Jul 23 2025 Fedora Release Engineering - 1.1.0-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 96f951a7b46e32315c0018a874e2634dcf6154f8 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 20 Aug 2025 21:01:27 -0500 Subject: [PATCH 17/25] Migrate from from Python setup.py to Wheels. --- fail2ban.spec | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 3c8abf9..64847f0 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -279,11 +279,15 @@ sed -i 's|^/run/|/var/run/|' %{name}.fc sed -i "/use_2to3/d" setup.py +%generate_buildrequires +%pyproject_buildrequires + + %build %if 0%{?rhel} && 0%{?rhel} < 8 %py2_build %else -%py3_build +%pyproject_wheel %endif make -f %SOURCE6 @@ -294,8 +298,11 @@ make -f %SOURCE6 # Make symbolic link relative ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python %else -%py3_install +%pyproject_install ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python +mv %{buildroot}%{python3_sitelib}/etc %{buildroot} +mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir} +rmdir %{buildroot}%{python3_sitelib}%{_prefix} %endif mkdir -p %{buildroot}%{_unitdir} @@ -310,6 +317,7 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ mkdir -p %{buildroot}%{_tmpfilesdir} install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d # Remove non-Linux actions rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf From 1e81dc17a061fe1481bc42c4a0a02886e5081805 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 20 Aug 2025 21:05:46 -0500 Subject: [PATCH 18/25] Move from setup.py to wheels per https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros. --- fail2ban.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index c30c794..1747ec4 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -483,6 +483,10 @@ fi %changelog +* Thu Aug 21 2025 Richard Shaw - 1.1.0-11 +- Move from setup.py to wheels per + https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros. + * Fri Aug 15 2025 Python Maint - 1.1.0-10 - Rebuilt for Python 3.14.0rc2 bytecode From 3534afe23c6cb3eaa5af4845e27755761737a9c8 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 19 Sep 2025 12:15:56 +0200 Subject: [PATCH 19/25] Rebuilt for Python 3.14.0rc3 bytecode --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 1747ec4..a0850e3 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -483,6 +483,9 @@ fi %changelog +* Fri Sep 19 2025 Python Maint - 1.1.0-12 +- Rebuilt for Python 3.14.0rc3 bytecode + * Thu Aug 21 2025 Richard Shaw - 1.1.0-11 - Move from setup.py to wheels per https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros. From 497c1cf25ac0e6fa9b5fb6e183728df50e2fcf05 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Thu, 9 Oct 2025 21:36:47 -0600 Subject: [PATCH 20/25] Fix paths in fail2ban.service (rhbz#2399981) --- fail2ban.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index a0850e3..44bf5d9 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 12%{?dist} +Release: 13%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -306,7 +306,9 @@ rmdir %{buildroot}%{python3_sitelib}%{_prefix} %endif mkdir -p %{buildroot}%{_unitdir} -cp -p build/fail2ban.service %{buildroot}%{_unitdir}/ +# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite +# so we will do our own modification +sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service mkdir -p %{buildroot}%{_mandir}/man{1,5} install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 @@ -483,6 +485,9 @@ fi %changelog +* Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 +- Fix paths in fail2ban.service (rhbz#2399981) + * Fri Sep 19 2025 Python Maint - 1.1.0-12 - Rebuilt for Python 3.14.0rc3 bytecode From cef4e690dbfee185c71854313a257ede2c103bae Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Sat, 11 Oct 2025 17:24:44 -0600 Subject: [PATCH 21/25] Cleanup old confitionals --- fail2ban.spec | 71 +++++---------------------------------------------- 1 file changed, 7 insertions(+), 64 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 44bf5d9..59c39ca 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -8,13 +8,10 @@ %if %{defined rhel} && 0%{?rhel} < 10 %define legacy_var_run 1 %endif -%if %{defined fedora} && 0%{?fedora} < 40 -%define legacy_var_run 1 -%endif Name: fail2ban Version: 1.1.0 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -57,24 +54,17 @@ Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c4 BuildArch: noarch -%if 0%{?rhel} && 0%{?rhel} < 8 -BuildRequires: python-devel -BuildRequires: python-setuptools -# For testcases -BuildRequires: python-inotify -%else BuildRequires: python3-devel BuildRequires: python3-setuptools # For testcases BuildRequires: python3-inotify -%endif # using a python3_version-based conditional does not work here, so # this is a proxy for "Python version greater than 3.12". asyncore # and asynchat were dropped from cpython core in 3.12, these modules # make them available again. See: # https://github.com/fail2ban/fail2ban/issues/3487 # https://bugzilla.redhat.com/show_bug.cgi?id=2219991 -%if 0%{?fedora} > 38 +%if 0%{?fedora} || 0%{?rhel} >= 10 BuildRequires: python3-pyasyncore BuildRequires: python3-pyasynchat %endif @@ -82,7 +72,7 @@ BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make -%if 0%{?fedora} >= 41 +%if 0%{?fedora} || 0%{?rhel} >= 11 BuildRequires: bash-completion-devel %else BuildRequires: bash-completion @@ -123,24 +113,14 @@ SELinux policies for Fail2Ban. %package server Summary: Core server component for Fail2Ban -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: systemd-python -Requires: ipset -Requires: iptables -%else Requires: python3-systemd Requires: nftables -%endif Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%if 0%{?fedora} || 0%{?rhel} >= 8 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) -%else -Requires: %{name}-selinux -%endif # see note above in BuildRequires section -%if 0%{?fedora} > 38 +%if 0%{?fedora} || 0%{?rhel} >= 10 Requires: python3-pyasyncore Requires: python3-pyasynchat %endif @@ -162,13 +142,7 @@ Requires: %{name}-server = %{version}-%{release} Requires: %{name}-shorewall = %{version}-%{release} %endif Requires: perl-interpreter -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: python-inotify -# No python3 support for gamin so epel only -Requires: gamin-python -%else Requires: python3-inotify -%endif Requires: /usr/bin/whois %description all @@ -258,11 +232,6 @@ by default. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# this test uses smtpd which is removed in Python 3.12, rewriting it -# isn't trivial -%if 0%{?fedora} > 38 -rm -f fail2ban/tests/action_d/test_smtp.py -%endif # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -284,26 +253,16 @@ sed -i "/use_2to3/d" setup.py %build -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_build -%else %pyproject_wheel -%endif make -f %SOURCE6 %install -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_install -# Make symbolic link relative -ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python -%else %pyproject_install ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python mv %{buildroot}%{python3_sitelib}/etc %{buildroot} mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir} rmdir %{buildroot}%{python3_sitelib}%{_prefix} -%endif mkdir -p %{buildroot}%{_unitdir} # Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite @@ -364,17 +323,7 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion %check -%if 0%{?rhel} && 0%{?rhel} < 8 -%python2 bin/fail2ban-testcases --verbosity=2 --no-network -%else -%if 0%{?fedora} > 38 -# testRepairDb does not work with sqlite 3.42.0+ -# https://github.com/fail2ban/fail2ban/issues/3586 -%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb -%else %python3 bin/fail2ban-testcases --verbosity=2 --no-network -%endif -%endif %pre selinux @@ -414,13 +363,8 @@ fi %{_bindir}/fail2ban-python %{_bindir}/fail2ban-regex %{_bindir}/fail2ban-server -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/* -%exclude %{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/* %exclude %{python3_sitelib}/fail2ban/tests -%endif %{_unitdir}/fail2ban.service %{_datadir}/bash-completion/ %{_mandir}/man1/fail2ban.1* @@ -456,11 +400,7 @@ fi %files tests %{_bindir}/fail2ban-testcases %{_mandir}/man1/fail2ban-testcases.1* -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/fail2ban/tests -%endif %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf @@ -485,6 +425,9 @@ fi %changelog +* Sat Oct 11 2025 Orion Poplawski - 1.1.0-14 +- Cleanup old conditionals + * Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 - Fix paths in fail2ban.service (rhbz#2399981) From 283bb7f670f399e08fc7624d42e3d9e24f75d255 Mon Sep 17 00:00:00 2001 From: Filippo Bonazzi Date: Wed, 15 Oct 2025 12:27:20 +0200 Subject: [PATCH 22/25] fail2ban: allow fail2ban to watch all log files and dirs (bsc#1251952) --- fail2ban.te | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/fail2ban.te b/fail2ban.te index b19bdaa..5bc2394 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -99,22 +99,12 @@ logging_read_syslog_pid(fail2ban_t) logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) -allow fail2ban_t fail2ban_log_t:file watch; -gen_require(` - attribute logfile; -') -allow fail2ban_t logfile:dir { watch_dir_perms }; -allow fail2ban_t logfile:file { watch_file_perms }; # Not in EL9 yet #logging_watch_audit_log_files(fail2ban_t) -gen_require(` - type var_log_t, auditd_log_t; -') -watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t) -#logging_watch_audit_log_dirs(fail2ban_t) -allow fail2ban_t var_log_t:dir search_dir_perms; -watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t) -logging_watch_generic_log_dirs(fail2ban_t) +logging_watch_all_log_files(fail2ban_t) +logging_watch_all_log_dirs(fail2ban_t) +logging_watch_audit_log_files(fail2ban_t) +logging_watch_audit_log_dirs(fail2ban_t) logging_watch_journal_dir(fail2ban_t) mta_send_mail(fail2ban_t) From 1243b0dcffbaa69d475a2f5c6e340cee73d34cf9 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 31 Dec 2025 09:07:24 -0600 Subject: [PATCH 23/25] Remove obsolete distro version related conditionals. --- fail2ban.spec | 68 --------------------------------------------------- 1 file changed, 68 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 44bf5d9..d7945ec 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -57,36 +57,17 @@ Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c4 BuildArch: noarch -%if 0%{?rhel} && 0%{?rhel} < 8 -BuildRequires: python-devel -BuildRequires: python-setuptools -# For testcases -BuildRequires: python-inotify -%else BuildRequires: python3-devel BuildRequires: python3-setuptools # For testcases BuildRequires: python3-inotify -%endif -# using a python3_version-based conditional does not work here, so -# this is a proxy for "Python version greater than 3.12". asyncore -# and asynchat were dropped from cpython core in 3.12, these modules -# make them available again. See: -# https://github.com/fail2ban/fail2ban/issues/3487 -# https://bugzilla.redhat.com/show_bug.cgi?id=2219991 -%if 0%{?fedora} > 38 BuildRequires: python3-pyasyncore BuildRequires: python3-pyasynchat -%endif BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make -%if 0%{?fedora} >= 41 BuildRequires: bash-completion-devel -%else -BuildRequires: bash-completion -%endif BuildRequires: gnupg2 # Default components @@ -123,27 +104,15 @@ SELinux policies for Fail2Ban. %package server Summary: Core server component for Fail2Ban -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: systemd-python -Requires: ipset -Requires: iptables -%else Requires: python3-systemd Requires: nftables -%endif Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%if 0%{?fedora} || 0%{?rhel} >= 8 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) -%else -Requires: %{name}-selinux -%endif # see note above in BuildRequires section -%if 0%{?fedora} > 38 Requires: python3-pyasyncore Requires: python3-pyasynchat -%endif %description server This package contains the core server components for Fail2Ban with minimal @@ -162,13 +131,7 @@ Requires: %{name}-server = %{version}-%{release} Requires: %{name}-shorewall = %{version}-%{release} %endif Requires: perl-interpreter -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: python-inotify -# No python3 support for gamin so epel only -Requires: gamin-python -%else Requires: python3-inotify -%endif Requires: /usr/bin/whois %description all @@ -260,9 +223,7 @@ by default. %autosetup -p1 # this test uses smtpd which is removed in Python 3.12, rewriting it # isn't trivial -%if 0%{?fedora} > 38 rm -f fail2ban/tests/action_d/test_smtp.py -%endif # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -284,26 +245,16 @@ sed -i "/use_2to3/d" setup.py %build -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_build -%else %pyproject_wheel -%endif make -f %SOURCE6 %install -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_install -# Make symbolic link relative -ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python -%else %pyproject_install ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python mv %{buildroot}%{python3_sitelib}/etc %{buildroot} mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir} rmdir %{buildroot}%{python3_sitelib}%{_prefix} -%endif mkdir -p %{buildroot}%{_unitdir} # Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite @@ -364,17 +315,7 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion %check -%if 0%{?rhel} && 0%{?rhel} < 8 -%python2 bin/fail2ban-testcases --verbosity=2 --no-network -%else -%if 0%{?fedora} > 38 -# testRepairDb does not work with sqlite 3.42.0+ -# https://github.com/fail2ban/fail2ban/issues/3586 -%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb -%else %python3 bin/fail2ban-testcases --verbosity=2 --no-network -%endif -%endif %pre selinux @@ -414,13 +355,8 @@ fi %{_bindir}/fail2ban-python %{_bindir}/fail2ban-regex %{_bindir}/fail2ban-server -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/* -%exclude %{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/* %exclude %{python3_sitelib}/fail2ban/tests -%endif %{_unitdir}/fail2ban.service %{_datadir}/bash-completion/ %{_mandir}/man1/fail2ban.1* @@ -456,11 +392,7 @@ fi %files tests %{_bindir}/fail2ban-testcases %{_mandir}/man1/fail2ban-testcases.1* -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/fail2ban/tests -%endif %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf From 6d5ba5175848a0110fc723eca675f51401a6bfff Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 31 Dec 2025 11:56:31 -0600 Subject: [PATCH 24/25] Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. --- ...4c060cdc233af9a6deeb85a6523da0416f31.patch | 60 +++++++++++++++++++ fail2ban.spec | 8 ++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 04ff4c060cdc233af9a6deeb85a6523da0416f31.patch diff --git a/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch b/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch new file mode 100644 index 0000000..cb6d5c2 --- /dev/null +++ b/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch @@ -0,0 +1,60 @@ +From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001 +From: Nic Boet +Date: Fri, 13 Jun 2025 16:44:57 -0500 +Subject: [PATCH] Dovecot 2.4 filter support + +Dovecot 2.4 release is a major upgrade +Logger event structure has changed, all messages are now +prefixed with: + + "Login aborted: " "auth failed" + +Maintain 2.3 support as many folks have yet to migrate, +community edition is still receiving cretial security patches + +Dovecot 2.4.1 +Python 3.12.10 + +Signed-off-by: Nic Boet +--- + config/filter.d/dovecot.conf | 2 ++ + fail2ban/tests/files/logs/dovecot | 6 ++++++ + 2 files changed, 8 insertions(+) + +diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf +index dc3ebbcd42..f49eebe726 100644 +--- a/config/filter.d/dovecot.conf ++++ b/config/filter.d/dovecot.conf +@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a + + failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ + ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++ ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<[^>]*>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$ + ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) + > +@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N + # DEV Notes: + # * the first regex is essentially a copy of pam-generic.conf + # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) ++# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support + # + # Author: Martin Waschbuesch + # Daniel Black (rewrote with begin and end anchors) +diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot +index 0e33296129..4f5a0b7867 100644 +--- a/fail2ban/tests/files/logs/dovecot ++++ b/fail2ban/tests/files/logs/dovecot +@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem + # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" } + Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210 + ++# Dovecot version 2.4 ++# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" } ++Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan> ++# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": "192.0.2.241" } ++Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session= ++ + # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" } + Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session= + diff --git a/fail2ban.spec b/fail2ban.spec index d7945ec..6ca2a95 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -14,7 +14,7 @@ Name: fail2ban Version: 1.1.0 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -53,6 +53,9 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728 # Upstream fix to also catch sshd-session logs # https://bugzilla.redhat.com/show_bug.cgi?id=2332945 Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch +# Needed for Dovecot change to loging format in 2.4 but has not fail2ban version 1.1.0 +# https://bugzilla.redhat.com/show_bug.cgi?id=2426440 +Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch BuildArch: noarch @@ -417,6 +420,9 @@ fi %changelog +* Wed Dec 31 2025 Richard Shaw - 1.1.0-14 +- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. + * Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 - Fix paths in fail2ban.service (rhbz#2399981) From 800dd5db0fa0fd497dcd325d2cb628606b327a03 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 31 Dec 2025 12:04:38 -0600 Subject: [PATCH 25/25] Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. --- fail2ban.spec | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 6ca2a95..6ca56b5 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -8,13 +8,10 @@ %if %{defined rhel} && 0%{?rhel} < 10 %define legacy_var_run 1 %endif -%if %{defined fedora} && 0%{?fedora} < 40 -%define legacy_var_run 1 -%endif Name: fail2ban Version: 1.1.0 -Release: 14%{?dist} +Release: 15%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -53,7 +50,7 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728 # Upstream fix to also catch sshd-session logs # https://bugzilla.redhat.com/show_bug.cgi?id=2332945 Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch -# Needed for Dovecot change to loging format in 2.4 but has not fail2ban version 1.1.0 +# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1. # https://bugzilla.redhat.com/show_bug.cgi?id=2426440 Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch @@ -64,13 +61,25 @@ BuildRequires: python3-devel BuildRequires: python3-setuptools # For testcases BuildRequires: python3-inotify +# using a python3_version-based conditional does not work here, so +# this is a proxy for "Python version greater than 3.12". asyncore +# and asynchat were dropped from cpython core in 3.12, these modules +# make them available again. See: +# https://github.com/fail2ban/fail2ban/issues/3487 +# https://bugzilla.redhat.com/show_bug.cgi?id=2219991 +%if 0%{?fedora} || 0%{?rhel} >= 10 BuildRequires: python3-pyasyncore BuildRequires: python3-pyasynchat +%endif BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make +%if 0%{?fedora} || 0%{?rhel} >= 11 BuildRequires: bash-completion-devel +%else +BuildRequires: bash-completion +%endif BuildRequires: gnupg2 # Default components @@ -114,8 +123,10 @@ Requires(preun): systemd Requires(postun): systemd Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) # see note above in BuildRequires section +%if 0%{?fedora} || 0%{?rhel} >= 10 Requires: python3-pyasyncore Requires: python3-pyasynchat +%endif %description server This package contains the core server components for Fail2Ban with minimal @@ -224,9 +235,6 @@ by default. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# this test uses smtpd which is removed in Python 3.12, rewriting it -# isn't trivial -rm -f fail2ban/tests/action_d/test_smtp.py # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -420,9 +428,12 @@ fi %changelog -* Wed Dec 31 2025 Richard Shaw - 1.1.0-14 +* Wed Dec 31 2025 Richard Shaw - 1.1.0-15 - Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. +* Sat Oct 11 2025 Orion Poplawski - 1.1.0-14 +- Cleanup old conditionals + * Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 - Fix paths in fail2ban.service (rhbz#2399981)