Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.

https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.

.cvsignore

@@ -1,2 +0,0 @@
-fail2ban-FAIL2BAN-0_8.tar.bz2
-fail2ban-0.8.4.tar.bz2

.gitignore

@@ -0,0 +1 @@
+/fail2ban-*/

0001-BF-anchoring-regex-for-IP-with-at-the-end.patch

@@ -1,30 +0,0 @@
-From a8f963a2803acef984c66cd1910631eb06363ac1 Mon Sep 17 00:00:00 2001
-From: Yaroslav Halchenko <debian@onerussian.com>
-Date: Wed, 4 Feb 2009 15:38:11 -0500
-Subject: [PATCH] BF: anchoring regex for IP with " *$" at the end
-
-to forbid matching IP encoded in the hostname prior doing actual DNS
-lookup.
-
-It is quite important and actually security hazard: DoS is easy to
-perform...
----
- server/filter.py |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/server/filter.py b/server/filter.py
-index 457bb03..77042ad 100644
---- a/server/filter.py
-+++ b/server/filter.py
-@@ -492,7 +492,7 @@ import socket, struct
- 
- class DNSUtils:
- 	
--	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
-+	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")
- 	
- 	#@staticmethod
- 	def dnsToIp(dns):
--- 
-1.5.6.5
-

04ff4c060cdc233af9a6deeb85a6523da0416f31.patch

@@ -0,0 +1,60 @@
+From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001
+From: Nic Boet <nic@boet.cc>
+Date: Fri, 13 Jun 2025 16:44:57 -0500
+Subject: [PATCH] Dovecot 2.4 filter support
+
+Dovecot 2.4 release is a major upgrade
+Logger event structure has changed, all messages are now
+prefixed with:
+
+        "Login aborted: " <reason> "auth failed"
+
+Maintain 2.3 support as many folks have yet to migrate,
+community edition is still receiving cretial security patches
+
+Dovecot 2.4.1
+Python 3.12.10
+
+Signed-off-by: Nic Boet <nic@boet.cc>
+---
+ config/filter.d/dovecot.conf      | 2 ++
+ fail2ban/tests/files/logs/dovecot | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
+index dc3ebbcd42..f49eebe726 100644
+--- a/config/filter.d/dovecot.conf
++++ b/config/filter.d/dovecot.conf
+@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a
+ 
+ failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
+             ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
++            ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<<F-USER>[^>]*</F-USER>>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
+             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
+             <mdre-<mode>>
+@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N
+ # DEV Notes:
+ # * the first regex is essentially a copy of pam-generic.conf
+ # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
++# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support
+ #
+ # Author: Martin Waschbuesch
+ #         Daniel Black (rewrote with begin and end anchors)
+diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot
+index 0e33296129..4f5a0b7867 100644
+--- a/fail2ban/tests/files/logs/dovecot
++++ b/fail2ban/tests/files/logs/dovecot
+@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem
+ # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
+ Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210
+ 
++# Dovecot version 2.4
++# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" }
++Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=<test>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan>
++# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": "192.0.2.241" }
++Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=<user@domain>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<Dp8j1Ho3suQYdo+k>
++
+ # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
+ Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
+ 

3728.patch

@@ -0,0 +1,160 @@
+From a763fbbdfd6486e372965b4009eb3fe5db346718 Mon Sep 17 00:00:00 2001
+From: Branch Vincent <branchevincent@gmail.com>
+Date: Sat, 27 Apr 2024 10:24:01 -0700
+Subject: [PATCH 1/3] replace distutils for python 3.12
+
+---
+ doc/conf.py                        | 5 +----
+ fail2ban/server/filterpyinotify.py | 3 +--
+ fail2ban/server/filtersystemd.py   | 3 +--
+ 3 files changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/doc/conf.py b/doc/conf.py
+index 20845a5a0e..48d27f7062 100644
+--- a/doc/conf.py
++++ b/doc/conf.py
+@@ -47,12 +47,9 @@
+ #
+ 
+ from fail2ban.version import version as fail2ban_version
+-from distutils.version import LooseVersion
+-
+-fail2ban_loose_version = LooseVersion(fail2ban_version)
+ 
+ # The short X.Y version.
+-version = ".".join(str(_) for _ in fail2ban_loose_version.version[:2])
++version = ".".join(str(_) for _ in fail2ban_version.split(".")[:2])
+ # The full version, including alpha/beta/rc tags.
+ release = fail2ban_version
+ 
+diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
+index 81bc7de393..c6972ced3f 100644
+--- a/fail2ban/server/filterpyinotify.py
++++ b/fail2ban/server/filterpyinotify.py
+@@ -24,7 +24,6 @@
+ __license__ = "GPL"
+ 
+ import logging
+-from distutils.version import LooseVersion
+ import os
+ from os.path import dirname, sep as pathsep
+ 
+@@ -38,7 +37,7 @@
+ 
+ 
+ if not hasattr(pyinotify, '__version__') \
+-  or LooseVersion(pyinotify.__version__) < '0.8.3': # pragma: no cover
++  or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover
+   raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
+ 
+ # Verify that pyinotify is functional on this system
+diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py
+index 5aea9fdadc..2d4f862b97 100644
+--- a/fail2ban/server/filtersystemd.py
++++ b/fail2ban/server/filtersystemd.py
+@@ -24,10 +24,9 @@
+ 
+ import os
+ import time
+-from distutils.version import LooseVersion
+ 
+ from systemd import journal
+-if LooseVersion(getattr(journal, '__version__', "0")) < '204':
++if getattr(journal, "__version__", "0").split(".") < "204".split("."):
+ 	raise ImportError("Fail2Ban requires systemd >= 204")
+ 
+ from .failmanager import FailManagerEmpty
+
+From ed20a9a5b9039319dd8913dfecf640e6eafee28b Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Tue, 7 May 2024 12:51:14 +0200
+Subject: [PATCH 2/3] there is no systemd < 204 and pyinotify < 0.8.3 for
+ supported python3 versions anymore
+
+---
+ fail2ban/server/filterpyinotify.py | 4 ----
+ fail2ban/server/filtersystemd.py   | 2 --
+ 2 files changed, 6 deletions(-)
+
+diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
+index c6972ced3f..f2f31e6fb5 100644
+--- a/fail2ban/server/filterpyinotify.py
++++ b/fail2ban/server/filterpyinotify.py
+@@ -36,10 +36,6 @@
+ from ..helpers import getLogger
+ 
+ 
+-if not hasattr(pyinotify, '__version__') \
+-  or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover
+-  raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
+-
+ # Verify that pyinotify is functional on this system
+ # Even though imports -- might be dysfunctional, e.g. as on kfreebsd
+ try:
+diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py
+index 2d4f862b97..abd66e1f76 100644
+--- a/fail2ban/server/filtersystemd.py
++++ b/fail2ban/server/filtersystemd.py
+@@ -26,8 +26,6 @@
+ import time
+ 
+ from systemd import journal
+-if getattr(journal, "__version__", "0").split(".") < "204".split("."):
+-	raise ImportError("Fail2Ban requires systemd >= 204")
+ 
+ from .failmanager import FailManagerEmpty
+ from .filter import JournalFilter, Filter
+
+From 0185e1c7d5e6534ab212462dd2aeab6f89e2fb50 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Tue, 7 May 2024 13:06:50 +0200
+Subject: [PATCH 3/3] setup.py: no distutils anymore
+
+---
+ setup.py | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 9f7bd8fb59..ee9ea4df82 100755
+--- a/setup.py
++++ b/setup.py
+@@ -24,23 +24,10 @@
+ 
+ import platform
+ 
+-try:
+-	import setuptools
+-	from setuptools import setup
+-	from setuptools.command.install import install
+-	from setuptools.command.install_scripts import install_scripts
+-	from setuptools.command.build_py import build_py
+-	build_scripts = None
+-except ImportError:
+-	setuptools = None
+-	from distutils.core import setup
+-
+-# older versions
+-if setuptools is None:
+-	from distutils.command.build_py import build_py
+-	from distutils.command.build_scripts import build_scripts
+-	from distutils.command.install import install
+-	from distutils.command.install_scripts import install_scripts
++import setuptools
++from setuptools import setup
++from setuptools.command.install import install
++from setuptools.command.install_scripts import install_scripts
+ 
+ import os
+ from os.path import isfile, join, isdir, realpath
+@@ -207,9 +194,9 @@ def run(self):
+ 	url = "http://www.fail2ban.org",
+ 	license = "GPL",
+ 	platforms = "Posix",
+-	cmdclass = dict({'build_py': build_py, 'build_scripts': build_scripts} if build_scripts else {}, **{
++	cmdclass = {
+ 		'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+-	}),
++	},
+ 	scripts = [
+ 		'bin/fail2ban-client',
+ 		'bin/fail2ban-server',

3782.patch

@@ -0,0 +1,94 @@
+From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001
+From: Fabian Dellwing <fabian.dellwing@mbconnectline.de>
+Date: Tue, 2 Jul 2024 07:54:15 +0200
+Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index 1c8a02deb5..a1fd749aed 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = (?:sshd(?:-session)?)
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+
+From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:09:28 +0200
+Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782
+
+---
+ fail2ban/tests/files/logs/sshd | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
+index ed54ded4d4..7d3948ed80 100644
+--- a/fail2ban/tests/files/logs/sshd
++++ b/fail2ban/tests/files/logs/sshd
+@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa
+ # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" }
+ Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1
+ 
++# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" }
++Jul  3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2
++
+ #3
+ # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
+ Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+
+From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:33:39 +0200
+Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new
+ sshd-session log format
+
+---
+ fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+index ad8adeb69f..14256ba68c 100644
+--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
++++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+
+From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:35:28 +0200
+Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon)
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index a1fd749aed..3a84b1ba52 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = (?:sshd(?:-session)?)
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+

54c0effceb998b73545073ac59c479d9d9bf19a4.patch

@@ -0,0 +1,23 @@
+From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 11 Aug 2024 12:10:12 +0200
+Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version
+ would log with `_COMM=sshd-session`)
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index 206b913a78..595e957f0b 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -126,7 +126,7 @@ ignoreregex =
+ 
+ maxlines = 1
+ 
+-journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
+ 
+ # DEV Notes:
+ #

Makefile

@@ -1,21 +1,26 @@
-# Makefile for source rpm: fail2ban
-# $Id$
-NAME := fail2ban
-SPECFILE = $(firstword $(wildcard *.spec))
+TARGET?=fail2ban
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
 
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
+all: ${TARGET:=.pp.bz2}
 
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\> $@
+	bzip2 -9 $^
 
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
+%.pp: %.te
+	make -f ${SHAREDIR}/selinux/devel/Makefile $@
 
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
+clean:
+	rm -f *~  *.tc *.pp *.pp.bz2
+	rm -rf tmp *.tar.gz
 
-include $(MAKEFILE_COMMON)
+man: install-policy
+	sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+	semodule -i ${TARGET}.pp.bz2
+
+install: man
+	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/

ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch

@@ -0,0 +1,148 @@
+From ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Fri, 14 Jun 2024 14:31:21 +0200
+Subject: [PATCH] beautifier detect whether it can use unicode chars in stats
+ table; asciified output of beautifier in test suite; closes gh-3750
+
+---
+ fail2ban/client/beautifier.py              | 51 ++++++++++++++--------
+ fail2ban/tests/clientbeautifiertestcase.py | 22 ++++++----
+ 2 files changed, 45 insertions(+), 28 deletions(-)
+
+diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py
+index 7ef173a655..21c49b9483 100644
+--- a/fail2ban/client/beautifier.py
++++ b/fail2ban/client/beautifier.py
+@@ -21,8 +21,10 @@
+ __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko"
+ __license__ = "GPL"
+ 
++import sys
++
+ from ..exceptions import UnknownJailException, DuplicateJailException
+-from ..helpers import getLogger, logging
++from ..helpers import getLogger, logging, PREFER_ENC
+ 
+ # Gets the instance of the logger.
+ logSys = getLogger(__name__)
+@@ -36,6 +38,11 @@
+ 
+ class Beautifier:
+ 
++	stdoutEnc = PREFER_ENC
++	if sys.stdout and sys.stdout.encoding is not None:
++		stdoutEnc = sys.stdout.encoding
++	encUtf = 1 if stdoutEnc.lower() == 'utf-8' else 0
++
+ 	def __init__(self, cmd = None):
+ 		self.__inputCmd = cmd
+ 
+@@ -104,7 +111,11 @@ def jail_stat(response, pref=""):
+ 							jail_stat(j, "      " if i == len(jstat) else "   |  ")
+ 				msg = "\n".join(msg)
+ 			elif inC[0:1] == ['stats'] or inC[0:1] == ['statistics']:
+-				def _statstable(response):
++				chrTable = [
++					['|', '-', '|', 'x', 'x', '-', '|', '-'], ## ascii
++					["\u2551", "\u2550", "\u255F", "\u256B", "\u256C", "\u2569", "\u2502", "\u2500"] ## utf-8
++				];
++				def _statstable(response, ct):
+ 					tophead = ["Jail", "Backend", "Filter", "Actions"]
+ 					headers = ["", "", "cur", "tot", "cur", "tot"]
+ 					minlens = [8, 8, 3, 3, 3, 3]
+@@ -120,29 +131,31 @@ def _statstable(response):
+ 						f = "%%%ds" if ralign[i] else "%%-%ds"
+ 						rfmt.append(f % lens[i])
+ 						hfmt.append(f % lens[i])
+-					rfmt = [rfmt[0], rfmt[1], "%s \u2502 %s" % (rfmt[2], rfmt[3]), "%s \u2502 %s" % (rfmt[4], rfmt[5])]
+-					hfmt = [hfmt[0], hfmt[1], "%s \u2502 %s" % (hfmt[2], hfmt[3]), "%s \u2502 %s" % (hfmt[4], hfmt[5])]
++					rfmt = [rfmt[0], rfmt[1], "%s %s %s" % (rfmt[2], ct[6], rfmt[3]), "%s %s %s" % (rfmt[4], ct[6], rfmt[5])]
++					hfmt = [hfmt[0], hfmt[1], "%s %s %s" % (hfmt[2], ct[6], hfmt[3]), "%s %s %s" % (hfmt[4], ct[6], hfmt[5])]
+ 					tlens = [lens[0], lens[1], 3 + lens[2] + lens[3], 3 + lens[4] + lens[5]]
+ 					tfmt = [hfmt[0], hfmt[1], "%%-%ds" % (tlens[2],), "%%-%ds" % (tlens[3],)]
+ 					tsep = tfmt[0:2]
+-					rfmt = " \u2551 ".join(rfmt)
+-					hfmt = " \u2551 ".join(hfmt)
+-					tfmt = " \u2551 ".join(tfmt)
+-					tsep = " \u2551 ".join(tsep)
+-					separator = ((tsep % tuple(tophead[0:2])) + " \u255F\u2500" + 
+-						("\u2500\u256B\u2500".join(['\u2500' * n for n in tlens[2:]])) + '\u2500')
++					rfmt = (" "+ct[0]+" ").join(rfmt)
++					hfmt = (" "+ct[0]+" ").join(hfmt)
++					tfmt = (" "+ct[0]+" ").join(tfmt)
++					tsep = (" "+ct[0]+" ").join(tsep)
++					separator = ((tsep % tuple(tophead[0:2])) + " "+ct[2]+ct[7] + 
++						((ct[7]+ct[3]+ct[7]).join([ct[7] * n for n in tlens[2:]])) + ct[7])
+ 					ret = []
+-					ret.append(tfmt % tuple(["", ""]+tophead[2:]))
+-					ret.append(separator)
+-					ret.append(hfmt % tuple(headers))
+-					separator = "\u2550\u256C\u2550".join(['\u2550' * n for n in tlens]) + '\u2550'
+-					ret.append(separator)
++					ret.append(" "+tfmt % tuple(["", ""]+tophead[2:]))
++					ret.append(" "+separator)
++					ret.append(" "+hfmt % tuple(headers))
++					separator = (ct[1]+ct[4]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1]
++					ret.append(ct[1]+separator)
+ 					for row in rows:
+-						ret.append(rfmt % tuple(row))
+-					separator = "\u2550\u2569\u2550".join(['\u2550' * n for n in tlens]) + '\u2550'
+-					ret.append(separator)
++						ret.append(" "+rfmt % tuple(row))
++					separator = (ct[1]+ct[5]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1]
++					ret.append(ct[1]+separator)
+ 					return ret
+-				msg = "\n".join(_statstable(response))
++				if not response:
++					return "No jails found."
++				msg = "\n".join(_statstable(response, chrTable[self.encUtf]))
+ 			elif len(inC) < 2:
+ 				pass # to few cmd args for below
+ 			elif inC[1] == "syslogsocket":
+diff --git a/fail2ban/tests/clientbeautifiertestcase.py b/fail2ban/tests/clientbeautifiertestcase.py
+index defedbe1bf..5fcb240479 100644
+--- a/fail2ban/tests/clientbeautifiertestcase.py
++++ b/fail2ban/tests/clientbeautifiertestcase.py
+@@ -34,6 +34,7 @@ def setUp(self):
+ 		""" Call before every test case """
+ 		super(BeautifierTest, self).setUp()
+ 		self.b = Beautifier()
++		self.b.encUtf = 0; ## we prefer ascii in test suite (see #3750)
+ 
+ 	def tearDown(self):
+ 		""" Call after every test case """
+@@ -170,22 +171,25 @@ def testStatus(self):
+ 
+ 	def testStatusStats(self):
+ 		self.b.setInputCmd(["stats"])
++		## no jails:
++		self.assertEqual(self.b.beautify({}), "No jails found.")
++		## 3 jails:
+ 		response = {
+ 			"ssh": ["systemd", (3, 6), (12, 24)],
+ 			"exim4": ["pyinotify", (6, 12), (20, 20)],
+ 			"jail-with-long-name": ["polling", (0, 0), (0, 0)]
+ 		}
+ 		output = (""
+-			+ "                    ?           ? Filter    ? Actions  \n"
+-			+ "Jail                ? Backend   ????????????????????????\n"
+-			+ "                    ?           ? cur ? tot ? cur ? tot\n"
+-			+ "????????????????????????????????????????????????????????\n"
+-			+ "ssh                 ? systemd   ?   3 ?   6 ?  12 ?  24\n"
+-			+ "exim4               ? pyinotify ?   6 ?  12 ?  20 ?  20\n"
+-			+ "jail-with-long-name ? polling   ?   0 ?   0 ?   0 ?   0\n"
+-			+ "????????????????????????????????????????????????????????"
++			+ "                     |           | Filter    | Actions  \n"
++			+ " Jail                | Backend   |-----------x-----------\n"
++			+ "                     |           | cur | tot | cur | tot\n"
++			+ "---------------------x-----------x-----------x-----------\n"
++			+ " ssh                 | systemd   |   3 |   6 |  12 |  24\n"
++			+ " exim4               | pyinotify |   6 |  12 |  20 |  20\n"
++			+ " jail-with-long-name | polling   |   0 |   0 |   0 |   0\n"
++			+ "---------------------------------------------------------"
+ 		)
+-		response = self.b.beautify(response).encode('ascii', 'replace').decode('ascii')
++		response = self.b.beautify(response)
+ 		self.assertEqual(response, output)
+ 			
+ 

asyncserver.start_selinux.patch

@@ -1,35 +0,0 @@
-From 20c717c25c5d180b720bec6902475f07b02f8b87 Mon Sep 17 00:00:00 2001
-From: Jonathan G. Underwood <jonathan.underwood@gmail.com>
-Date: Sun, 3 Jan 2010 02:16:09 +0000
-Subject: [PATCH] Set socket file descriptor in AsyncServer.start to be CLOEXEC
-
-https://bugzilla.redhat.com/show_bug.cgi?id=522767
----
- server/asyncserver.py |    4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/server/asyncserver.py b/server/asyncserver.py
-index 35cebf1..96b62d0 100644
---- a/server/asyncserver.py
-+++ b/server/asyncserver.py
-@@ -26,7 +26,7 @@ __license__ = "GPL"
- 
- from pickle import dumps, loads, HIGHEST_PROTOCOL
- from common import helpers
--import asyncore, asynchat, socket, os, logging, sys, traceback
-+import asyncore, asynchat, socket, os, logging, sys, traceback, fcntl
- 
- # Gets the instance of the logger.
- logSys = logging.getLogger("fail2ban.server")
-@@ -126,6 +126,8 @@ class AsyncServer(asyncore.dispatcher):
- 				raise AsyncServerException("Server already running")
- 		# Creates the socket.
- 		self.create_socket(socket.AF_UNIX, socket.SOCK_STREAM)
-+		fd = self.fileno()
-+		fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
- 		self.set_reuse_addr()
- 		try:
- 			self.bind(sock)
--- 
-1.6.5.2
-

fail2ban-0.8-sshd-filter.diff

@@ -1,18 +0,0 @@
---- fail2ban-0.8.0/config/filter.d/sshd.conf.upstream	2007-06-20 11:56:18.000000000 +0100
-+++ fail2ban-0.8.0/config/filter.d/sshd.conf	2007-06-20 11:53:36.000000000 +0100
-@@ -14,10 +14,11 @@
- #          (?:::f{4,6}:)?(?P<host>\S+)
- # Values:  TEXT
- #
--failregex = Authentication failure for .* from <HOST>
--            Failed [-/\w]+ for .* from <HOST>
--            ROOT LOGIN REFUSED .* FROM <HOST>
--            [iI](?:llegal|nvalid) user .* from <HOST>
-+failregex = Authentication failure for .* from <HOST>$
-+            Failed [-/\w]+ for .* from <HOST>$
-+            ROOT LOGIN REFUSED .* FROM <HOST>$
-+            [iI](?:llegal|nvalid) user .* from <HOST>$
-+            User .* from <HOST> not allowed because not listed in AllowUsers$
- 
- # Option:  ignoreregex
- # Notes.:  regex to ignore. If this regex matches, the line is ignored.

fail2ban-0.8.1-sock.patch

@@ -1,30 +0,0 @@
-diff -up fail2ban-0.8.1/server/ssocket.py.sock fail2ban-0.8.1/server/ssocket.py
---- fail2ban-0.8.1/server/ssocket.py.sock	2008-01-31 22:44:43.000000000 +0000
-+++ fail2ban-0.8.1/server/ssocket.py	2008-01-31 22:45:31.000000000 +0000
-@@ -41,11 +41,11 @@ class SSocket(Thread):
- 		Thread.__init__(self)
- 		self.__transmit = transmitter
- 		self.__isRunning = False
--		self.__socket = "/tmp/fail2ban.sock"
-+		self.__socket = "/var/run/fail2ban.sock"
- 		self.__ssock = None
- 		logSys.debug("Created SSocket")
- 	
--	def initialize(self, sock = "/tmp/fail2ban.sock", force = False):
-+	def initialize(self, sock = "/var/run/fail2ban.sock", force = False):
- 		self.__socket = sock
- 		# Remove socket
- 		if os.path.exists(sock):
-diff -up fail2ban-0.8.1/config/fail2ban.conf.sock fail2ban-0.8.1/config/fail2ban.conf
---- fail2ban-0.8.1/config/fail2ban.conf.sock	2008-01-31 22:46:01.000000000 +0000
-+++ fail2ban-0.8.1/config/fail2ban.conf	2008-01-31 22:46:23.000000000 +0000
-@@ -28,7 +28,7 @@ logtarget = /var/log/fail2ban.log
- # Notes.: Set the socket file. This is used to communicate with the daemon. Do
- #         not remove this file when Fail2ban runs. It will not be possible to
- #         communicate with the server afterwards.
--# Values: FILE  Default:  /tmp/fail2ban.sock
-+# Values: FILE  Default:  /var/run/fail2ban.sock
- #
--socket = /tmp/fail2ban.sock
-+socket = /var/run/fail2ban.sock
- 

fail2ban-0.8.1-sshd.patch

@@ -1,17 +0,0 @@
---- fail2ban-0.8.1/config/jail.conf.sshd	2007-08-09 00:49:59.000000000 +0200
-+++ fail2ban-0.8.1/config/jail.conf	2007-08-15 21:41:33.000000000 +0200
-@@ -42,11 +42,11 @@
- 
- [ssh-iptables]
- 
--enabled  = false
-+enabled  = true
- filter   = sshd
- action   = iptables[name=SSH, port=ssh, protocol=tcp]
--           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
--logpath  = /var/log/sshd.log
-+           sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
-+logpath  = /var/log/secure
- maxretry = 5
- 
- [proftpd-iptables]

fail2ban-0.8.2-fd_cloexec.patch

@@ -1,22 +0,0 @@
---- fail2ban-0.8.2/server/filter.py.orig	2008-03-27 16:26:59.000000000 +0000
-+++ fail2ban-0.8.2/server/filter.py	2008-03-27 15:29:48.000000000 +0000
-@@ -428,6 +428,7 @@
- # is computed and compared to the previous hash of this line.
- 
- import md5
-+import fcntl
- 
- class FileContainer:
- 	
-@@ -455,6 +456,11 @@
- 	
- 	def open(self):
- 		self.__handler = open(self.__filename)
-+
-+		# Set the file descriptor to be FD_CLOEXEC
-+		fd = self.__handler.fileno()
-+		fcntl.fcntl (self.__handler.fileno(), fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
-+
- 		firstLine = self.__handler.readline()
- 		# Computes the MD5 of the first line.
- 		myHash = md5.new(firstLine).digest()

fail2ban-0.8.3-init.patch

@@ -1,20 +0,0 @@
---- fail2ban-0.8.3/files/redhat-initd.init	2008-03-10 23:36:22.000000000 +0100
-+++ fail2ban-0.8.3/files/redhat-initd	2008-08-24 20:46:01.000000000 +0200
-@@ -1,6 +1,6 @@
- #!/bin/bash
- #
--# chkconfig: 345 92 08
-+# chkconfig: - 92 08
- # description: Fail2ban daemon
- #              http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
- # process name: fail2ban-server
-@@ -27,8 +27,7 @@
-     echo -n $"Starting fail2ban: "
-     getpid
-     if [ -z "$pid" ]; then
--	rm -rf /var/run/fail2ban/fail2ban.sock # in case of unclean shutdown
--        $FAIL2BAN start > /dev/null
-+        $FAIL2BAN -x start > /dev/null
-         RETVAL=$?
-     fi
-     if [ $RETVAL -eq 0 ]; then

fail2ban-0.8.3-inodecheck.patch

@@ -1,35 +0,0 @@
---- fail2ban-0.8.3/server/filter.py.inodecheck	2009-08-27 20:50:22.000000000 +0200
-+++ fail2ban-0.8.3/server/filter.py	2009-08-27 20:50:22.000000000 +0200
-@@ -31,7 +31,7 @@
- from mytime import MyTime
- from failregex import FailRegex, Regex, RegexException
- 
--import logging, re
-+import logging, re, os
- 
- # Gets the instance of the logger.
- logSys = logging.getLogger("fail2ban.filter")
-@@ -438,6 +438,8 @@
- 		self.__handler = None
- 		# Try to open the file. Raises an exception if an error occured.
- 		handler = open(filename)
-+		stats = os.fstat(handler.fileno())
-+		self.__ino = stats.st_ino
- 		try:
- 			firstLine = handler.readline()
- 			# Computes the MD5 of the first line.
-@@ -464,10 +466,12 @@
- 		firstLine = self.__handler.readline()
- 		# Computes the MD5 of the first line.
- 		myHash = md5.new(firstLine).digest()
--		# Compare hash.
--		if not self.__hash == myHash:
-+		stats = os.fstat(self.__handler.fileno())
-+		# Compare hash and inode
-+		if self.__hash != myHash or self.__ino != stats.st_ino:
- 			logSys.info("Log rotation detected for %s" % self.__filename)
- 			self.__hash = myHash
-+			self.__ino = stats.st_ino
- 			self.__pos = 0
- 		# Sets the file pointer to the last position.
- 		self.__handler.seek(self.__pos)

fail2ban-0.8.3-log2syslog.patch

@@ -1,11 +0,0 @@
---- fail2ban-0.8.3/config/fail2ban.conf~	2008-02-27 22:44:55.000000000 +0100
-+++ fail2ban-0.8.3/config/fail2ban.conf	2009-08-27 20:48:25.000000000 +0200
-@@ -22,7 +22,7 @@
- #          Only one log target can be specified.
- # Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
- #
--logtarget = /var/log/fail2ban.log
-+logtarget = SYSLOG
- 
- # Option: socket
- # Notes.: Set the socket file. This is used to communicate with the daemon. Do

fail2ban-1.1.0.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
+iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
+yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
+ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
+9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
+jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
+MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
+=qvry
+-----END PGP SIGNATURE-----

fail2ban-logrotate

@@ -1,9 +0,0 @@
-/var/log/fail2ban.log {
-    missingok
-    notifempty
-    size 30k
-    create 0600 root root
-    postrotate
-        /usr/bin/fail2ban-client set logtarget SYSLOG 2> /dev/null || true
-    endscript
-}

fail2ban-nftables.patch

@@ -0,0 +1,62 @@
+Index: fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf
+===================================================================
+--- fail2ban-1.0.2.orig/config/action.d/firewallcmd-rich-rules.conf
++++ fail2ban-1.0.2/config/action.d/firewallcmd-rich-rules.conf
+@@ -37,8 +37,8 @@ actioncheck =
+ 
+ fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
+ 
+-actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
++actionban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
+ 	   
+-actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
++actionunban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
+ 
+-rich-suffix = <rich-blocktype>
+\ No newline at end of file
++rich-suffix = <rich-blocktype>
+Index: fail2ban-1.0.2/fail2ban/tests/servertestcase.py
+===================================================================
+--- fail2ban-1.0.2.orig/fail2ban/tests/servertestcase.py
++++ fail2ban-1.0.2/fail2ban/tests/servertestcase.py
+@@ -2051,32 +2051,32 @@ class ServerConfigReaderTests(LogCapture
+ 			('j-fwcmd-rr', 'firewallcmd-rich-rules[port="22:24", protocol="tcp"]', {
+ 				'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',),
+ 				'ip4-ban': (
+-					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
++					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
+ 				),
+ 				'ip4-unban': (
+-					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
++					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`""",
+ 				),
+ 				'ip6-ban': (
+-					""" `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
++					""" `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
+ 				),
+ 				'ip6-unban': (
+-					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
++					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`""",
+ 				),					
+ 			}),
+ 			# firewallcmd-rich-logging --
+ 			('j-fwcmd-rl', 'firewallcmd-rich-logging[port="22:24", protocol="tcp"]', {
+ 				'ip4': ("family='ipv4'", "icmp-port-unreachable",), 'ip6': ("family='ipv6'", 'icmp6-port-unreachable',),
+ 				'ip4-ban': (
+-					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
++					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
+ 				),
+ 				'ip4-unban': (
+-					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
++					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`""",
+ 				),
+ 				'ip6-ban': (
+-					""" `ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
++					""" `ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
+ 				),
+ 				'ip6-unban': (
+-					"""`ports="22:24"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
++					"""`ports="22:24"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`""",
+ 				),					
+ 			}),
+ 		)

fail2ban-partof.patch

@@ -0,0 +1,12 @@
+diff -up fail2ban-0.10.5/files/fail2ban.service.in.partof fail2ban-0.10.5/files/fail2ban.service.in
+--- fail2ban-0.10.5/files/fail2ban.service.in.partof	2020-01-10 05:34:46.000000000 -0700
++++ fail2ban-0.10.5/files/fail2ban.service.in	2020-01-11 16:13:53.372316861 -0700
+@@ -2,7 +2,7 @@
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+ After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
++PartOf=firewalld.service
+ 
+ [Service]
+ Type=simple

fail2ban.fc

@@ -0,0 +1,10 @@
+#/etc/rc\.d/init\.d/fail2ban	--	gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+
+/usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-client	--	gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
+/usr/bin/fail2ban-server	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+/var/lib/fail2ban(/.*)?	gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+/var/log/fail2ban\.log.*	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+
+/run/fail2ban(/.*)?				gen_context(system_u:object_r:fail2ban_var_run_t,s0)

fail2ban.if

@@ -0,0 +1,313 @@
+## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+	gen_require(`
+		type fail2ban_t, fail2ban_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
+')
+
+#######################################
+## <summary>
+##  Execute the fail2ban client in
+##  the fail2ban client domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_domtrans_client',`
+    gen_require(`
+        type fail2ban_client_t, fail2ban_client_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+')
+
+#######################################
+## <summary>
+##  Execute fail2ban client in the
+##  fail2ban client domain, and allow
+##  the specified role the fail2ban
+##  client domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_run_client',`
+    gen_require(`
+        attribute_role fail2ban_client_roles;
+    ')
+
+    fail2ban_domtrans_client($1)
+    roleattribute $2 fail2ban_client_roles;
+')
+
+#####################################
+## <summary>
+##	Connect to fail2ban over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_stream_connect',`
+	gen_require(`
+		type fail2ban_t, fail2ban_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
+########################################
+## <summary>
+##	Read and write inherited temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_rw_inherited_tmp_files',`
+	gen_require(`
+		type fail2ban_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write to an fail2ba unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+	gen_require(`
+		type fail2ban_t;
+	')
+
+	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to use
+##  fail2ban file descriptors.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_use_fds',`
+    gen_require(`
+        type fail2ban_t;
+    ')
+
+    dontaudit $1 fail2ban_t:fd use;
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to read and
+##  write fail2ban unix stream sockets
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+    gen_require(`
+        type fail2ban_t;
+    ')
+
+    dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Read fail2ban lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_read_lib_files',`
+	gen_require(`
+		type fail2ban_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read fail2ban's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+	gen_require(`
+		type fail2ban_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
+	allow $1 fail2ban_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	fail2ban log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+	gen_require(`
+		type fail2ban_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
+	allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Read fail2ban PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+	gen_require(`
+		type fail2ban_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 fail2ban_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	dontaudit read and write leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+	gen_require(`
+		type fail2ban_t;
+	')
+
+ 	dontaudit $1 fail2ban_t:tcp_socket { read write };
+	dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	a fail2ban environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the fail2ban domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_admin',`
+	gen_require(`
+		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+		type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+		type fail2ban_client_t;
+	')
+
+	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
+	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 fail2ban_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_list_logs($1)
+	admin_pattern($1, fail2ban_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, fail2ban_var_run_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, fail2ban_var_lib_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, fail2ban_tmp_t)
+
+	fail2ban_run_client($1, $2)
+')

fail2ban.rpmlintrc

@@ -0,0 +1,8 @@
+from Config import *
+addFilter("incoherent-logrotate-file /etc/logrotate.d/fail2ban");
+addFilter("macro-in-comment %{(name|version|release)}");
+addFilter("spelling-error .* (tcp|sendmail|shorewall|sshd)");
+# Tests
+addFilter("hidden-file-or-dir .*fail2ban/tests/files/config/apache.*/\.htpasswd");
+addFilter("htaccess-file-error .*fail2ban/tests/files/config/apache.*/\.htaccess");
+addFilter("zero-length .*fail2ban/tests/files/files/");

fail2ban.spec

@@ -1,89 +1,857 @@
-# Not defined in Fedora's buildsystem
-%global _initdir %{_sysconfdir}/rc.d/init.d
+%if 0%{?rhel} >= 9
+%bcond_with     shorewall
+%else
+%bcond_without  shorewall
+%endif
+
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10
+%define legacy_var_run 1
+%endif
 
-Summary: Ban IPs that make too many password failures
 Name: fail2ban
-Version: 0.8.4
-Release: 24%{?dist}
-License: GPLv2+
-Group: System Environment/Daemons
-URL: http://fail2ban.sourceforge.net/
-Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
-Source1: fail2ban-logrotate
-Patch0: fail2ban-0.8.3-init.patch
-Patch1: fail2ban-0.8.1-sshd.patch
-Patch3: fail2ban-0.8.2-fd_cloexec.patch
-Patch6: fail2ban-0.8.3-log2syslog.patch
-Patch7: asyncserver.start_selinux.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-BuildRequires: python-devel >= 2.3
+Version: 1.1.0
+Release: 15%{?dist}
+Summary: Daemon to ban hosts that cause multiple authentication errors
+
+License: GPL-2.0-or-later
+URL: https://www.fail2ban.org
+Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+# Releases are signed by Serg G. Brester (sebres) <info AT sebres.de>.  The
+# fingerprint can be found in a signature file:
+#   gpg --list-packets fail2ban-1.0.2.tar.gz.asc | grep 'issuer fpr'
+#
+# The following commands can be used to fetch the signing key via fingerprint
+# and extract it:
+#   fpr=8738559E26F671DF9E2C6D9E683BF1BEBD0A882C
+#   gpg --receive-keys $fpr
+#   gpg -a --export-options export-minimal --export $fpr >gpgkey-$fpr.asc
+Source2: gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc
+# SELinux policy
+Source3: fail2ban.fc
+Source4: fail2ban.if
+Source5: fail2ban.te
+Source6: Makefile
+
+# Give up being PartOf iptables and ipset for now
+# https://bugzilla.redhat.com/show_bug.cgi?id=1379141
+# https://bugzilla.redhat.com/show_bug.cgi?id=1573185
+Patch0: fail2ban-partof.patch
+# default port in jail.conf is not compatible with firewalld-cmd syntax
+# https://bugzilla.redhat.com/show_bug.cgi?id=1850164
+Patch1: fail2ban-nftables.patch
+# Work around encoding issues during tests
+Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2315252
+Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2295265
+Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch
+# Upstream fix to also catch sshd-session logs
+# https://bugzilla.redhat.com/show_bug.cgi?id=2332945
+Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
+# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2426440
+Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
+
+
 BuildArch: noarch
-Requires: iptables, tcp_wrappers, shorewall, gamin-python
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/chkconfig
-Requires(preun): /sbin/service
+
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+# For testcases
+BuildRequires: python3-inotify
+# using a python3_version-based conditional does not work here, so
+# this is a proxy for "Python version greater than 3.12". asyncore
+# and asynchat were dropped from cpython core in 3.12, these modules
+# make them available again. See:
+# https://github.com/fail2ban/fail2ban/issues/3487
+# https://bugzilla.redhat.com/show_bug.cgi?id=2219991
+%if 0%{?fedora} || 0%{?rhel} >= 10
+BuildRequires: python3-pyasyncore
+BuildRequires: python3-pyasynchat
+%endif
+BuildRequires: sqlite
+BuildRequires: systemd
+BuildRequires: selinux-policy-devel
+BuildRequires: make
+%if 0%{?fedora} || 0%{?rhel} >= 11
+BuildRequires: bash-completion-devel
+%else
+BuildRequires: bash-completion
+%endif
+BuildRequires: gnupg2
+
+# Default components
+Requires: %{name}-firewalld = %{version}-%{release}
+Requires: %{name}-sendmail = %{version}-%{release}
+Requires: %{name}-server = %{version}-%{release}
+
 
 %description
-Fail2ban scans log files like /var/log/pwdfail or
-/var/log/apache/error_log and bans IP that makes too many password
-failures. It updates firewall rules to reject the IP address.
+Fail2Ban scans log files and bans IP addresses that makes too many password
+failures. It updates firewall rules to reject the IP address. These rules can
+be defined by the user. Fail2Ban can read multiple log files such as sshd or
+Apache web server ones.
+
+Fail2Ban is able to reduce the rate of incorrect authentications attempts
+however it cannot eliminate the risk that weak authentication presents.
+Configure services to use only two factor or public/private authentication
+mechanisms if you really want to protect services.
+
+This is a meta-package that will install the default configuration.  Other
+sub-packages are available to install support for other actions and
+configurations.
+
+
+%package selinux
+Summary: SELinux policies for Fail2Ban
+%{?selinux_requires}
+%global modulename fail2ban
+%global selinuxtype targeted
+
+%description selinux
+SELinux policies for Fail2Ban.
+
+
+%package server
+Summary: Core server component for Fail2Ban
+Requires: python3-systemd
+Requires: nftables
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+# see note above in BuildRequires section
+%if 0%{?fedora} || 0%{?rhel} >= 10
+Requires: python3-pyasyncore
+Requires: python3-pyasynchat
+%endif
+
+%description server
+This package contains the core server components for Fail2Ban with minimal
+dependencies.  You can install this directly if you want to have a small
+installation and know what you are doing.
+
+
+%package all
+Summary: Install all Fail2Ban packages and dependencies
+Requires: %{name}-firewalld = %{version}-%{release}
+Requires: %{name}-hostsdeny = %{version}-%{release}
+Requires: %{name}-mail = %{version}-%{release}
+Requires: %{name}-sendmail = %{version}-%{release}
+Requires: %{name}-server = %{version}-%{release}
+%if %{with shorewall}
+Requires: %{name}-shorewall = %{version}-%{release}
+%endif
+Requires: perl-interpreter
+Requires: python3-inotify
+Requires: /usr/bin/whois
+
+%description all
+This package installs all of the Fail2Ban packages and dependencies.
+
+
+%package firewalld
+Summary: Firewalld support for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: firewalld
+
+%description firewalld
+This package enables support for manipulating firewalld rules.  This is the
+default firewall service in Fedora.
+
+
+%package hostsdeny
+Summary: Hostsdeny (tcp_wrappers) support for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: ed
+Requires: tcp_wrappers
+
+%description hostsdeny
+This package enables support for manipulating tcp_wrapper's /etc/hosts.deny
+files.
+
+
+%package tests
+Summary: Fail2Ban testcases
+Requires: %{name}-server = %{version}-%{release}
+
+%description tests
+This package contains Fail2Ban's testscases and scripts.
+
+
+%package mail
+Summary: Mail actions for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: /usr/bin/mail
+
+%description mail
+This package installs Fail2Ban's mail actions.  These are an alternative
+to the default sendmail actions.
+
+
+%package sendmail
+Summary: Sendmail actions for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: /usr/sbin/sendmail
+
+%description sendmail
+This package installs Fail2Ban's sendmail actions.  This is the default
+mail actions for Fail2Ban.
+
+
+%if %{with shorewall}
+%package shorewall
+Summary: Shorewall support for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: shorewall
+Conflicts: %{name}-shorewall-lite
+
+%description shorewall
+This package enables support for manipulating shorewall rules.
+
+
+%package shorewall-lite
+Summary: Shorewall lite support for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: shorewall-lite
+Conflicts: %{name}-shorewall
+
+%description shorewall-lite
+This package enables support for manipulating shorewall rules.
+%endif
+
+
+%package systemd
+Summary: Systemd journal configuration for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+
+%description systemd
+This package configures Fail2Ban to use the systemd journal for its log input
+by default.
+
 
 %prep
-%setup -q
-%patch0 -p1 -b .init
-%patch1 -p1 -b .sshd
-%patch3 -p1 -b .fd_cloexec
-%patch6 -p1 -b .log2syslog
-%patch7 -p1 -b .fd_cloexec2
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -p1
+
+# Use Fedora paths
+sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
+
+# SELinux sources
+cp -p %SOURCE3 %SOURCE4 %SOURCE5 .
+
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' %{name}.fc
+%endif
+
+# 2to3 has been removed from setuptools and we already use the binary in
+# %%prep.
+sed -i "/use_2to3/d" setup.py
+
+
+%generate_buildrequires
+%pyproject_buildrequires
+
 
 %build
-python setup.py build
+%pyproject_wheel
+make -f %SOURCE6
+
 
 %install
-rm -rf %{buildroot}
-python setup.py install -O1 --root %{buildroot}
-mkdir -p %{buildroot}%{_initdir}
-install -p -m 755 files/redhat-initd %{buildroot}%{_initdir}/fail2ban
-mkdir -p %{buildroot}%{_mandir}/man1
-install -p -m 644 man/fail2ban*.1 %{buildroot}%{_mandir}/man1
+%pyproject_install
+ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python
+mv %{buildroot}%{python3_sitelib}/etc %{buildroot}
+mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir}
+rmdir %{buildroot}%{python3_sitelib}%{_prefix}
+
+mkdir -p %{buildroot}%{_unitdir}
+# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite
+# so we will do our own modification
+sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service
+mkdir -p %{buildroot}%{_mandir}/man{1,5}
+install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
+install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
 mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
-install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
-mkdir -p %{buildroot}%{_localstatedir}/run/fail2ban
-chmod 0755 %{buildroot}%{_localstatedir}/run/fail2ban
+install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
+install -d -m 0755 %{buildroot}/run/fail2ban/
+install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
+install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d
 
-%clean
-rm -rf %{buildroot}
+# Remove non-Linux actions
+rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
+rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
+rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf
 
-%post
-/sbin/chkconfig --add %{name}
+# Remove config files for other distros
+rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf
 
-%preun
-if [ $1 = 0 ]; then
-  /sbin/service %{name} stop > /dev/null 2>&1
-  /sbin/chkconfig --del %{name}
+# firewalld configuration
+cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <<EOF
+# This file is part of the fail2ban-firewalld package to configure the use of
+# the firewalld actions as the default actions.  You can remove this package
+# (along with the empty fail2ban meta-package) if you do not use firewalld
+[DEFAULT]
+banaction = firewallcmd-rich-rules
+banaction_allports = firewallcmd-rich-rules
+EOF
+
+# systemd journal configuration
+cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
+# This file is part of the fail2ban-systemd package to configure the use of
+# the systemd journal as the default backend.  You can remove this package
+# (along with the empty fail2ban meta-package) if you do not want to use the
+# journal backend
+[DEFAULT]
+backend=systemd
+EOF
+
+# Remove installed doc, use doc macro instead
+rm -r %{buildroot}%{_docdir}/%{name}
+
+# SELinux
+# install policy modules
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
+#BASH completion
+COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion)
+%__mkdir_p $COMPLETIONDIR
+%__install -p -m 644 files/bash-completion $COMPLETIONDIR/fail2ban
+
+
+%check
+%python3 bin/fail2ban-testcases --verbosity=2 --no-network
+
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
 fi
 
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%post server
+%systemd_post fail2ban.service
+
+%preun server
+%systemd_preun fail2ban.service
+
+%postun server
+%systemd_postun_with_restart fail2ban.service
+
+
 %files
-%defattr(-,root,root,-)
-%doc README TODO ChangeLog COPYING
-#doc config/fail2ban.conf*
-%{_bindir}/fail2ban-server
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%license COPYING
+
+%files server
+%doc README.md TODO ChangeLog COPYING doc/*.txt
 %{_bindir}/fail2ban-client
+%{_bindir}/fail2ban-python
 %{_bindir}/fail2ban-regex
-%{_datadir}/fail2ban
-%{_initdir}/fail2ban
-%{_mandir}/man1/fail2ban-*.1*
-%dir %{_sysconfdir}/fail2ban
-%dir %{_sysconfdir}/fail2ban/action.d
-%dir %{_sysconfdir}/fail2ban/filter.d
-%config(noreplace) %{_sysconfdir}/fail2ban/fail2ban.conf
-%config(noreplace) %{_sysconfdir}/fail2ban/jail.conf
-%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf
-%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf
+%{_bindir}/fail2ban-server
+%{python3_sitelib}/*
+%exclude %{python3_sitelib}/fail2ban/tests
+%{_unitdir}/fail2ban.service
+%{_datadir}/bash-completion/
+%{_mandir}/man1/fail2ban.1*
+%{_mandir}/man1/fail2ban-client.1*
+%{_mandir}/man1/fail2ban-python.1*
+%{_mandir}/man1/fail2ban-regex.1*
+%{_mandir}/man1/fail2ban-server.1*
+%{_mandir}/man5/*.5*
+%config(noreplace) %{_sysconfdir}/fail2ban/
+%exclude %{_sysconfdir}/fail2ban/action.d/complain.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/mail.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/mail-whois.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf
+%exclude %{_sysconfdir}/fail2ban/jail.d/*.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
-%dir %{_localstatedir}/run/fail2ban
+%{_tmpfilesdir}/fail2ban.conf
+%dir %{_localstatedir}/lib/fail2ban/
+%dir /run/%{name}/
+%ghost %verify(not size mtime md5) /run/%{name}/%{name}.pid
+
+%files all
+
+%files firewalld
+%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-firewalld.conf
+
+%files hostsdeny
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf
+
+%files tests
+%{_bindir}/fail2ban-testcases
+%{_mandir}/man1/fail2ban-testcases.1*
+%{python3_sitelib}/fail2ban/tests
+
+%files mail
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf
+
+%files sendmail
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf
+
+%if %{with shorewall}
+%files shorewall
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf
+
+%files shorewall-lite
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf
+%endif
+
+%files systemd
+%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-systemd.conf
+
 
 %changelog
+* Wed Dec 31 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-15
+- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.
+
+* Sat Oct 11 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-14
+- Cleanup old conditionals
+
+* Fri Oct 10 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-13
+- Fix paths in fail2ban.service (rhbz#2399981)
+
+* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.1.0-12
+- Rebuilt for Python 3.14.0rc3 bytecode
+
+* Thu Aug 21 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-11
+- Move from setup.py to wheels per
+  https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.
+
+* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.1.0-10
+- Rebuilt for Python 3.14.0rc2 bytecode
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Tue Jun 03 2025 Python Maint <python-maint@redhat.com> - 1.1.0-8
+- Rebuilt for Python 3.14
+
+* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Thu Dec 19 2024 Orion Poplawski <orion@nwra.com> - 1.1.0-6
+- Add upstream fix for sshd filter (rhbz#2332945)
+
+* Wed Oct 16 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-5
+- Add upstream patch for python distutils removal.
+
+* Sat Sep 28 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-4
+- Add patch to deal with changes to OpenSSL log output.
+
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jul 12 2024 Nils Philippsen <nils@tiptoe.de> - 1.1.0-2
+- Use SPDX license identifier
+- Use https upstream URL
+
+* Wed Jun 12 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-1
+- Update to 1.1.0 for Python 3.13 support.
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 1.0.2-16
+- Rebuilt for Python 3.13
+
+* Sat May 11 2024 Todd Zullinger <tmz@pobox.com> - 1.0.2-15
+- Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054)
+
+* Sun May 05 2024 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-14
+- Increment SELinux module version.
+- Tweak selinux regex for /run/fail2ban.
+
+* Thu Apr 25 2024 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-13
+- Add nftables patch and fix selinux /var/run->/run issue, fixes RHBZ#1850164
+  and RHBZ#2272476.
+
+* Thu Feb 22 2024 Orion Poplawski <orion@nwra.com> - 1.0.2-12
+- Allow watch on more logfiles
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Sep 27 2023 Adam Williamson <awilliam@redhat.com> - 1.0.2-9
+- Require pyasynchat and pyasyncore with Python 3.12+
+- Disable smtp tests on F39+ due to removal of smtpd from Python 3.12
+- Disable db repair test on F39+ as it's broken with sqlite 3.42.0+
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jun 26 2023 Todd Zullinger <tmz@pobox.com> - 1.0.2-7
+- exclude shorewall subpackage on epel9 (rhbz#2217649)
+
+* Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 1.0.2-6
+- Rebuilt for Python 3.12
+
+* Tue Apr 04 2023 Orion Poplawski <orion@nwra.com> - 1.0.2-5
+- Drop downstream python3.11 patch, upstream went with a different fix
+
+* Sun Apr 02 2023 Todd Zullinger <tmz@pobox.com> - 1.0.2-4
+- verify upstream source signature
+
+* Thu Mar 30 2023 Orion Poplawski <orion@nwra.com> - 1.0.2-3
+- Add upstream patch to remove warning about allowipv6 (bz#2160781)
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Dec 17 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.2-1
+- Update to 1.0.2.
+
+* Wed Nov 02 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.1-2
+- Add patch for dovecot eating 100% CPU.
+
+* Sun Oct 02 2022 Richard Shaw <hobbes1069@gmail.com> - 1.0.1-1
+- Update to 1.0.1.
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jun 15 2022 Python Maint <python-maint@redhat.com> - 0.11.2-13
+- Rebuilt for Python 3.11
+
+* Wed May 18 2022 Orion Poplawski <orion@nwra.com> - 0.11.2-12
+- Fix SELinux policy to allow watch on var_log_t (bz#2083923)
+
+* Fri Jan 28 2022 Orion Poplawski <orion@nwra.com> - 0.11.2-11
+- Require /usr/bin/mail instead of mailx
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Sun Sep 26 2021 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 0.11.2-9
+- Fix CVE-2021-32749 RHBZ#1983223
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Jun 07 2021 Python Maint <python-maint@redhat.com> - 0.11.2-7
+- Rebuilt for Python 3.10
+
+* Sun Jun 06 2021 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-6
+- Update selinux policy for Fedora 34+
+
+* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 0.11.2-5
+- Rebuilt for Python 3.10
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.11.2-4
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 06 2021 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-2
+- Add patch to deal with a new century in tests (2021).
+
+* Tue Nov 24 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.2-1
+- Update to 0.11.2.
+
+* Fri Aug 28 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-10.2
+- Create shorewall-lite subpackage package which conflicts with shorewall
+  subpackage. Fixes RHBZ#1872759.
+
+* Tue Jul 28 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-9.2
+- Fix python2 requires for EPEL 7.
+
+* Mon Jul 27 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-9
+- Add conditonals back for EL 7 as it's being brought up to date.
+- Add patch to deal with nftables not accepting ":" as a port separator.
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.11.1-7
+- Rebuilt for Python 3.9
+
+* Thu Apr 16 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-6
+- Change default firewalld backend from ipset to rich-rules as ipset causes
+  firewalld to use legacy iptables. Fixes RHBZ#1823746.
+- Remove conditionals for EL versions less than 7.
+
+* Thu Mar 19 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-5
+- Update for Python 3.9.
+
+* Wed Feb 26 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-4
+- Add SELinux policy
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 21 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-2
+- Move action.d/mail-whois-common.conf into fail2ban-server
+
+* Tue Jan 14 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-1
+- Update to 0.11.1
+
+* Tue Jan 14 2020 Orion Poplawski <orion@nwra.com> - 0.10.5-1
+- Update to 0.10.5
+
+* Thu Nov 21 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-8
+- Define banaction_allports for firewalld, update banaction (bz#1775175)
+- Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625)
+
+* Thu Oct 31 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-7
+- Remove config files for other distros (bz#1533113)
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.10.4-6
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.10.4-5
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sun Nov 18 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.10.4-2
+- Drop explicit locale setting
+  See https://fedoraproject.org/wiki/Changes/Remove_glibc-langpacks-all_from_buildroot
+
+* Fri Oct 5 2018 Orion Poplawski <orion@nwra.com> - 0.10.4-1
+- Update to 0.10.4
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Orion Poplawski <orion@nwra.com> - 0.10.3.1-2
+- Remove PartOf ipset.service (bug #1573185)
+
+* Tue Jun 19 2018 Orion Poplawski <orion@nwra.com> - 0.10.3.1-1
+- Update to 0.10.3.1
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.10.2-2
+- Rebuilt for Python 3.7
+
+* Wed Mar 28 2018 Orion Poplawski <orion@nwra.com> - 0.10.2-1
+- Update to 0.10.2
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Dec 30 2017 Orion Poplawski <orion@nwra.com> - 0.10.1-3
+- Add upstream patch to fix ipset issue (bug #1525134)
+
+* Sat Dec 30 2017 Orion Poplawski <orion@nwra.com> - 0.10.1-2
+- Add upstream patch to fix buildroot issue
+
+* Tue Nov 14 2017 Orion Poplawski <orion@cora.nwra.com> - 0.10.1-1
+- Update to 0.10.1
+
+* Wed Sep 20 2017 Orion Poplawski <orion@cora.nwra.com> - 0.10.0-1
+- Update to 0.10.0
+
+* Wed Aug 16 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.7-4
+- Use BR /usr/bin/2to3
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 13 2017 Petr Pisar <ppisar@redhat.com> - 0.9.7-2
+- perl dependency renamed to perl-interpreter
+  <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules>
+
+* Wed Jul 12 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.7-1
+- Update to 0.9.7
+
+* Wed Feb 15 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-4
+- Properly handle /run/fail2ban (bug #1422500)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Jan 10 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-2
+- Add upstream patch to fix fail2ban-regex with journal
+
+* Fri Jan 6 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-1
+- Update to 0.9.6
+- Fix sendmail-auth filter (bug #1329919)
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.9.5-5
+- Rebuild for Python 3.6
+
+* Fri Oct 7 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-4
+- %%ghost /run/fail2ban
+- Fix typo in shorewall description
+- Move tests to -tests sub-package
+
+* Mon Oct 3 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-3
+- Add journalmatch entries for sendmail (bug #1329919)
+
+* Mon Oct 3 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-2
+- Give up being PartOf iptables to allow firewalld restarts to work
+  (bug #1379141)
+
+* Mon Oct 3 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-1
+- Add patch to fix failing test
+
+* Sun Sep 25 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.5-1
+- Update to 0.9.5
+- Drop mysql patch applied upstream
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.4-6
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue Apr 5 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-5
+- Fix python3 usage (bug #1324113)
+
+* Sun Mar 27 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-4
+- Use %%{_tmpfilesdir} for systemd tmpfile config
+
+* Wed Mar 9 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-3
+- No longer need to add After=firewalld.service (bug #1301910)
+
+* Wed Mar 9 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-2
+- Fix mariadb/mysql log handling
+
+* Wed Mar 9 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-1
+- Update to 0.9.4
+- Use mariadb log path by default
+
+* Tue Feb 23 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.3-3
+- Use python3 (bug #1282498)
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Sat Sep 12 2015 Orion Poplawski <orion@cora.nwra.com> - 0.9.3-1
+- Update to 0.9.3
+- Cleanup spec, use new python macros
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu Apr 30 2015 Orion Poplawski <orion@cora.nwra.com> - 0.9.2-1
+- Update to 0.9.2
+
+* Mon Mar 16 2015 Orion Poplawski <orion@cora.nwra.com> - 0.9.1-4
+- Do not load user paths for fail2ban-{client,server} (bug #1202151)
+
+* Sun Feb 22 2015 Orion Poplawski <orion@cora.nwra.com> - 0.9.1-3
+- Do not use systemd by default
+
+* Fri Nov 28 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9.1-2
+- Fix php-url-fopen logpath (bug #1169026)
+
+* Tue Oct 28 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9.1-1
+- Update to 0.9.1
+
+* Fri Aug 15 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-8
+- Add patch to fix tests
+
+* Fri Aug 8 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-8
+- Fix log paths for some jails (bug #1128152)
+
+* Mon Jul 21 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-7
+- Use systemd for EL7
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Mar 20 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-5
+- Require mailx for /usr/bin/mail
+
+* Thu Mar 20 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-4
+- Need empty %%files to produce main and -all package
+
+* Wed Mar 19 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-3
+- Split into sub-packages for different components
+- Enable journal filter by default (bug #985567)
+- Enable firewalld action by default (bug #1046816)
+- Add upstream patch to fix setting loglevel in fail2ban.conf
+- Add upstream patches to fix tests in mock, run tests
+
+* Tue Mar 18 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-2
+- Use Fedora paths
+- Start after firewalld (bug #1067147)
+
+* Mon Mar 17 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-1
+- Update to 0.9
+
+* Tue Sep 24 2013 Orion Poplawski <orion@cora.nwra.com> - 0.9-0.3.git1f1a561
+- Update to current 0.9 git branch
+- Rebase init patch, drop jail.d and notmp patch applied upstream
+
+* Fri Aug 9 2013 Orion Poplawski <orion@cora.nwra.com> - 0.9-0.2.gitd529151
+- Ship jail.conf(5) man page
+- Ship empty /etc/fail2ban/jail.d directory
+
+* Thu Aug 8 2013 Orion Poplawski <orion@cora.nwra.com> - 0.9-0.1.gitd529151
+- Update to 0.9 git branch
+- Rebase patches
+- Require systemd-python for journal support
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jun 12 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.10-1
+- Update to 0.8.10 security release
+- Use upstream provided systemd files
+- Drop upstreamed patches, rebase log2syslog and notmp patches
+
+* Fri Mar 15 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-4
+- Use systemd init for Fedora 19+ (bug #883158)
+
+* Thu Feb 14 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-3
+- Add patch from upstream to fix module imports (Bug #892365)
+- Add patch from upstream to UTF-8 characters in syslog (Bug #905097)
+- Drop Requires: tcp_wrappers and shorewall (Bug #781341)
+
+* Fri Jan 18 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-2
+- Add patch to prevent sshd blocks of successful logins for systems that use
+  sssd or ldap
+
+* Mon Dec 17 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-1
+- Update to 0.8.8 (CVE-2012-5642 Bug #887914)
+
+* Thu Oct 11 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.7.1-1
+- Update to 0.8.7.1
+- Drop fd_cloexec, pyinotify, and examplemail patches fixed upstream
+- Rebase sshd and notmp patches
+- Use _initddir macro
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-29
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-28
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Sat Apr  9 2011 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-27
+- Move tmp files to /var/lib (suggested by Phil Anderson).
+- Enable inotify support (by Jonathan Underwood).
+- Fixes RH bugs #669966, #669965, #551895, #552947, #658849, #656584.
+
 * Sun Feb 14 2010 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-24
 - Patch by Jonathan G. Underwood <jonathan.underwood@gmail.com> to
   cloexec another fd leak.

fail2ban.te

@@ -0,0 +1,197 @@
+policy_module(fail2ban, 1.5.1)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role fail2ban_client_roles;
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
+
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+type fail2ban_tmp_t;
+files_tmp_file(fail2ban_tmp_t)
+
+type fail2ban_client_t;
+type fail2ban_client_exec_t;
+init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
+role fail2ban_client_roles types fail2ban_client_t;
+
+########################################
+#
+# Server Local policy
+#
+
+allow fail2ban_t self:capability { dac_read_search sys_tty_config };
+allow fail2ban_t self:process { getpgid setsched signal };
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket { accept connectto listen };
+allow fail2ban_t self:tcp_socket { accept listen };
+allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
+
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
+append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+
+kernel_read_system_state(fail2ban_t)
+kernel_read_network_state(fail2ban_t)
+kernel_read_net_sysctls(fail2ban_t)
+
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_generic_node(fail2ban_t)
+
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_tcp_sendrecv_whois_port(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+dev_read_sysfs(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+domain_dontaudit_read_all_domains_state(fail2ban_t)
+
+files_read_etc_runtime_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_dontaudit_list_tmp(fail2ban_t)
+
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+
+logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
+logging_mmap_generic_logs(fail2ban_t)
+logging_mmap_journal(fail2ban_t)
+# Not in EL9 yet
+#logging_watch_audit_log_files(fail2ban_t)
+logging_watch_all_log_files(fail2ban_t)
+logging_watch_all_log_dirs(fail2ban_t)
+logging_watch_audit_log_files(fail2ban_t)
+logging_watch_audit_log_dirs(fail2ban_t)
+logging_watch_journal_dir(fail2ban_t)
+
+mta_send_mail(fail2ban_t)
+
+sysnet_manage_config(fail2ban_t)
+
+optional_policy(`
+	apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(fail2ban_t)
+	dbus_connect_system_bus(fail2ban_t)
+
+	optional_policy(`
+		firewalld_dbus_chat(fail2ban_t)
+	')
+')
+
+optional_policy(`
+	ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+	gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
+	iptables_domtrans(fail2ban_t)
+')
+
+optional_policy(`
+	allow fail2ban_t self:capability sys_resource;
+	allow fail2ban_t self:process setrlimit;
+	journalctl_exec(fail2ban_t)
+')
+
+optional_policy(`
+	libs_exec_ldconfig(fail2ban_t)
+')
+
+optional_policy(`
+	rpm_exec(fail2ban_t)
+')
+
+optional_policy(`
+	shorewall_domtrans(fail2ban_t)
+')
+
+########################################
+#
+# Client Local policy
+#
+
+allow fail2ban_client_t self:capability { dac_read_search  };
+allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+
+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+
+allow fail2ban_client_t fail2ban_t:process { rlimitinh };
+
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+
+kernel_read_system_state(fail2ban_client_t)
+
+corecmd_exec_bin(fail2ban_client_t)
+
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
+domain_use_interactive_fds(fail2ban_client_t)
+
+files_search_pids(fail2ban_client_t)
+
+auth_use_nsswitch(fail2ban_client_t)
+
+libs_exec_ldconfig(fail2ban_client_t)
+
+logging_getattr_all_logs(fail2ban_client_t)
+logging_search_all_logs(fail2ban_client_t)
+logging_read_audit_log(fail2ban_client_t)
+
+userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
+userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+    apache_read_log(fail2ban_client_t)
+')

gpgkey-8738559E26F671DF9E2C6D9E683BF1BEBD0A882C.asc

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT
+Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV
+lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC
+i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO
+hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3
+BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl
+ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm
+NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h
+RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n
+2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq
+GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ
+3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX
+XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ
+uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh
+Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a
+kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf
+awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6
+7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF
+AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw
+2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs
+IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O
+ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb
+muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c
+6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg==
+=vqSW
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1,2 +1 @@
-76b4d0e69ad808950b8353c6fcf93615  fail2ban-FAIL2BAN-0_8.tar.bz2
-df94335a5d12b4750869e5fe350073fa  fail2ban-0.8.4.tar.bz2
+SHA512 (fail2ban-1.1.0.tar.gz) = 9bff7b9c41e58a953901800468e5c4153c9db6af01c7eb18111ad8620b40d03a0771020472fb759b2809d250e2bb45471e6c7e8283e72ea48290ecf7bf921821