Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.

https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.

.gitignore

@@ -1,2 +1 @@
 /fail2ban-*/
-/fail2ban-*.tar.gz*

04ff4c060cdc233af9a6deeb85a6523da0416f31.patch

@@ -0,0 +1,60 @@
+From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001
+From: Nic Boet <nic@boet.cc>
+Date: Fri, 13 Jun 2025 16:44:57 -0500
+Subject: [PATCH] Dovecot 2.4 filter support
+
+Dovecot 2.4 release is a major upgrade
+Logger event structure has changed, all messages are now
+prefixed with:
+
+        "Login aborted: " <reason> "auth failed"
+
+Maintain 2.3 support as many folks have yet to migrate,
+community edition is still receiving cretial security patches
+
+Dovecot 2.4.1
+Python 3.12.10
+
+Signed-off-by: Nic Boet <nic@boet.cc>
+---
+ config/filter.d/dovecot.conf      | 2 ++
+ fail2ban/tests/files/logs/dovecot | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
+index dc3ebbcd42..f49eebe726 100644
+--- a/config/filter.d/dovecot.conf
++++ b/config/filter.d/dovecot.conf
+@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a
+ 
+ failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
+             ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
++            ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<<F-USER>[^>]*</F-USER>>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
+             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
+             <mdre-<mode>>
+@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N
+ # DEV Notes:
+ # * the first regex is essentially a copy of pam-generic.conf
+ # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
++# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support
+ #
+ # Author: Martin Waschbuesch
+ #         Daniel Black (rewrote with begin and end anchors)
+diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot
+index 0e33296129..4f5a0b7867 100644
+--- a/fail2ban/tests/files/logs/dovecot
++++ b/fail2ban/tests/files/logs/dovecot
+@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem
+ # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
+ Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210
+ 
++# Dovecot version 2.4
++# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" }
++Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=<test>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan>
++# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": "192.0.2.241" }
++Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=<user@domain>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<Dp8j1Ho3suQYdo+k>
++
+ # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
+ Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
+ 

3728.patch

@@ -0,0 +1,160 @@
+From a763fbbdfd6486e372965b4009eb3fe5db346718 Mon Sep 17 00:00:00 2001
+From: Branch Vincent <branchevincent@gmail.com>
+Date: Sat, 27 Apr 2024 10:24:01 -0700
+Subject: [PATCH 1/3] replace distutils for python 3.12
+
+---
+ doc/conf.py                        | 5 +----
+ fail2ban/server/filterpyinotify.py | 3 +--
+ fail2ban/server/filtersystemd.py   | 3 +--
+ 3 files changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/doc/conf.py b/doc/conf.py
+index 20845a5a0e..48d27f7062 100644
+--- a/doc/conf.py
++++ b/doc/conf.py
+@@ -47,12 +47,9 @@
+ #
+ 
+ from fail2ban.version import version as fail2ban_version
+-from distutils.version import LooseVersion
+-
+-fail2ban_loose_version = LooseVersion(fail2ban_version)
+ 
+ # The short X.Y version.
+-version = ".".join(str(_) for _ in fail2ban_loose_version.version[:2])
++version = ".".join(str(_) for _ in fail2ban_version.split(".")[:2])
+ # The full version, including alpha/beta/rc tags.
+ release = fail2ban_version
+ 
+diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
+index 81bc7de393..c6972ced3f 100644
+--- a/fail2ban/server/filterpyinotify.py
++++ b/fail2ban/server/filterpyinotify.py
+@@ -24,7 +24,6 @@
+ __license__ = "GPL"
+ 
+ import logging
+-from distutils.version import LooseVersion
+ import os
+ from os.path import dirname, sep as pathsep
+ 
+@@ -38,7 +37,7 @@
+ 
+ 
+ if not hasattr(pyinotify, '__version__') \
+-  or LooseVersion(pyinotify.__version__) < '0.8.3': # pragma: no cover
++  or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover
+   raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
+ 
+ # Verify that pyinotify is functional on this system
+diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py
+index 5aea9fdadc..2d4f862b97 100644
+--- a/fail2ban/server/filtersystemd.py
++++ b/fail2ban/server/filtersystemd.py
+@@ -24,10 +24,9 @@
+ 
+ import os
+ import time
+-from distutils.version import LooseVersion
+ 
+ from systemd import journal
+-if LooseVersion(getattr(journal, '__version__', "0")) < '204':
++if getattr(journal, "__version__", "0").split(".") < "204".split("."):
+ 	raise ImportError("Fail2Ban requires systemd >= 204")
+ 
+ from .failmanager import FailManagerEmpty
+
+From ed20a9a5b9039319dd8913dfecf640e6eafee28b Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Tue, 7 May 2024 12:51:14 +0200
+Subject: [PATCH 2/3] there is no systemd < 204 and pyinotify < 0.8.3 for
+ supported python3 versions anymore
+
+---
+ fail2ban/server/filterpyinotify.py | 4 ----
+ fail2ban/server/filtersystemd.py   | 2 --
+ 2 files changed, 6 deletions(-)
+
+diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
+index c6972ced3f..f2f31e6fb5 100644
+--- a/fail2ban/server/filterpyinotify.py
++++ b/fail2ban/server/filterpyinotify.py
+@@ -36,10 +36,6 @@
+ from ..helpers import getLogger
+ 
+ 
+-if not hasattr(pyinotify, '__version__') \
+-  or pyinotify.__version__.split(".") < '0.8.3'.split("."): # pragma: no cover
+-  raise ImportError("Fail2Ban requires pyinotify >= 0.8.3")
+-
+ # Verify that pyinotify is functional on this system
+ # Even though imports -- might be dysfunctional, e.g. as on kfreebsd
+ try:
+diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py
+index 2d4f862b97..abd66e1f76 100644
+--- a/fail2ban/server/filtersystemd.py
++++ b/fail2ban/server/filtersystemd.py
+@@ -26,8 +26,6 @@
+ import time
+ 
+ from systemd import journal
+-if getattr(journal, "__version__", "0").split(".") < "204".split("."):
+-	raise ImportError("Fail2Ban requires systemd >= 204")
+ 
+ from .failmanager import FailManagerEmpty
+ from .filter import JournalFilter, Filter
+
+From 0185e1c7d5e6534ab212462dd2aeab6f89e2fb50 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Tue, 7 May 2024 13:06:50 +0200
+Subject: [PATCH 3/3] setup.py: no distutils anymore
+
+---
+ setup.py | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 9f7bd8fb59..ee9ea4df82 100755
+--- a/setup.py
++++ b/setup.py
+@@ -24,23 +24,10 @@
+ 
+ import platform
+ 
+-try:
+-	import setuptools
+-	from setuptools import setup
+-	from setuptools.command.install import install
+-	from setuptools.command.install_scripts import install_scripts
+-	from setuptools.command.build_py import build_py
+-	build_scripts = None
+-except ImportError:
+-	setuptools = None
+-	from distutils.core import setup
+-
+-# older versions
+-if setuptools is None:
+-	from distutils.command.build_py import build_py
+-	from distutils.command.build_scripts import build_scripts
+-	from distutils.command.install import install
+-	from distutils.command.install_scripts import install_scripts
++import setuptools
++from setuptools import setup
++from setuptools.command.install import install
++from setuptools.command.install_scripts import install_scripts
+ 
+ import os
+ from os.path import isfile, join, isdir, realpath
+@@ -207,9 +194,9 @@ def run(self):
+ 	url = "http://www.fail2ban.org",
+ 	license = "GPL",
+ 	platforms = "Posix",
+-	cmdclass = dict({'build_py': build_py, 'build_scripts': build_scripts} if build_scripts else {}, **{
++	cmdclass = {
+ 		'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+-	}),
++	},
+ 	scripts = [
+ 		'bin/fail2ban-client',
+ 		'bin/fail2ban-server',

3782.patch

@@ -0,0 +1,94 @@
+From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001
+From: Fabian Dellwing <fabian.dellwing@mbconnectline.de>
+Date: Tue, 2 Jul 2024 07:54:15 +0200
+Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index 1c8a02deb5..a1fd749aed 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = (?:sshd(?:-session)?)
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+
+From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:09:28 +0200
+Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782
+
+---
+ fail2ban/tests/files/logs/sshd | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
+index ed54ded4d4..7d3948ed80 100644
+--- a/fail2ban/tests/files/logs/sshd
++++ b/fail2ban/tests/files/logs/sshd
+@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa
+ # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" }
+ Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1
+ 
++# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" }
++Jul  3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2
++
+ #3
+ # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
+ Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+
+From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:33:39 +0200
+Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new
+ sshd-session log format
+
+---
+ fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+index ad8adeb69f..14256ba68c 100644
+--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
++++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+
+From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Wed, 3 Jul 2024 19:35:28 +0200
+Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon)
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index a1fd749aed..3a84b1ba52 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = (?:sshd(?:-session)?)
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+

432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch

@@ -1,23 +0,0 @@
-From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001
-From: "Sergey G. Brester" <serg.brester@sebres.de>
-Date: Mon, 28 Nov 2022 13:21:15 +0100
-Subject: [PATCH] no warning if no config value but default (debug message now)
-
-closes #3420
----
- fail2ban/client/configreader.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
-index 1b5a56a27c..c7f965ce52 100644
---- a/fail2ban/client/configreader.py
-+++ b/fail2ban/client/configreader.py
-@@ -277,7 +277,7 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False, convert=Tru
- 				# TODO: validate error handling here.
- 			except NoOptionError:
- 				if not optvalue is None:
--					logSys.warning("'%s' not defined in '%s'. Using default one: %r"
-+					logSys.debug("'%s' not defined in '%s'. Using default one: %r"
- 								% (optname, sec, optvalue))
- 					values[optname] = optvalue
- 				# elif logSys.getEffectiveLevel() <= logLevel:

54c0effceb998b73545073ac59c479d9d9bf19a4.patch

@@ -0,0 +1,23 @@
+From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 11 Aug 2024 12:10:12 +0200
+Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version
+ would log with `_COMM=sshd-session`)
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index 206b913a78..595e957f0b 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -126,7 +126,7 @@ ignoreregex =
+ 
+ maxlines = 1
+ 
+-journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
+ 
+ # DEV Notes:
+ #

ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch

@@ -0,0 +1,148 @@
+From ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Fri, 14 Jun 2024 14:31:21 +0200
+Subject: [PATCH] beautifier detect whether it can use unicode chars in stats
+ table; asciified output of beautifier in test suite; closes gh-3750
+
+---
+ fail2ban/client/beautifier.py              | 51 ++++++++++++++--------
+ fail2ban/tests/clientbeautifiertestcase.py | 22 ++++++----
+ 2 files changed, 45 insertions(+), 28 deletions(-)
+
+diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py
+index 7ef173a655..21c49b9483 100644
+--- a/fail2ban/client/beautifier.py
++++ b/fail2ban/client/beautifier.py
+@@ -21,8 +21,10 @@
+ __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko"
+ __license__ = "GPL"
+ 
++import sys
++
+ from ..exceptions import UnknownJailException, DuplicateJailException
+-from ..helpers import getLogger, logging
++from ..helpers import getLogger, logging, PREFER_ENC
+ 
+ # Gets the instance of the logger.
+ logSys = getLogger(__name__)
+@@ -36,6 +38,11 @@
+ 
+ class Beautifier:
+ 
++	stdoutEnc = PREFER_ENC
++	if sys.stdout and sys.stdout.encoding is not None:
++		stdoutEnc = sys.stdout.encoding
++	encUtf = 1 if stdoutEnc.lower() == 'utf-8' else 0
++
+ 	def __init__(self, cmd = None):
+ 		self.__inputCmd = cmd
+ 
+@@ -104,7 +111,11 @@ def jail_stat(response, pref=""):
+ 							jail_stat(j, "      " if i == len(jstat) else "   |  ")
+ 				msg = "\n".join(msg)
+ 			elif inC[0:1] == ['stats'] or inC[0:1] == ['statistics']:
+-				def _statstable(response):
++				chrTable = [
++					['|', '-', '|', 'x', 'x', '-', '|', '-'], ## ascii
++					["\u2551", "\u2550", "\u255F", "\u256B", "\u256C", "\u2569", "\u2502", "\u2500"] ## utf-8
++				];
++				def _statstable(response, ct):
+ 					tophead = ["Jail", "Backend", "Filter", "Actions"]
+ 					headers = ["", "", "cur", "tot", "cur", "tot"]
+ 					minlens = [8, 8, 3, 3, 3, 3]
+@@ -120,29 +131,31 @@ def _statstable(response):
+ 						f = "%%%ds" if ralign[i] else "%%-%ds"
+ 						rfmt.append(f % lens[i])
+ 						hfmt.append(f % lens[i])
+-					rfmt = [rfmt[0], rfmt[1], "%s \u2502 %s" % (rfmt[2], rfmt[3]), "%s \u2502 %s" % (rfmt[4], rfmt[5])]
+-					hfmt = [hfmt[0], hfmt[1], "%s \u2502 %s" % (hfmt[2], hfmt[3]), "%s \u2502 %s" % (hfmt[4], hfmt[5])]
++					rfmt = [rfmt[0], rfmt[1], "%s %s %s" % (rfmt[2], ct[6], rfmt[3]), "%s %s %s" % (rfmt[4], ct[6], rfmt[5])]
++					hfmt = [hfmt[0], hfmt[1], "%s %s %s" % (hfmt[2], ct[6], hfmt[3]), "%s %s %s" % (hfmt[4], ct[6], hfmt[5])]
+ 					tlens = [lens[0], lens[1], 3 + lens[2] + lens[3], 3 + lens[4] + lens[5]]
+ 					tfmt = [hfmt[0], hfmt[1], "%%-%ds" % (tlens[2],), "%%-%ds" % (tlens[3],)]
+ 					tsep = tfmt[0:2]
+-					rfmt = " \u2551 ".join(rfmt)
+-					hfmt = " \u2551 ".join(hfmt)
+-					tfmt = " \u2551 ".join(tfmt)
+-					tsep = " \u2551 ".join(tsep)
+-					separator = ((tsep % tuple(tophead[0:2])) + " \u255F\u2500" + 
+-						("\u2500\u256B\u2500".join(['\u2500' * n for n in tlens[2:]])) + '\u2500')
++					rfmt = (" "+ct[0]+" ").join(rfmt)
++					hfmt = (" "+ct[0]+" ").join(hfmt)
++					tfmt = (" "+ct[0]+" ").join(tfmt)
++					tsep = (" "+ct[0]+" ").join(tsep)
++					separator = ((tsep % tuple(tophead[0:2])) + " "+ct[2]+ct[7] + 
++						((ct[7]+ct[3]+ct[7]).join([ct[7] * n for n in tlens[2:]])) + ct[7])
+ 					ret = []
+-					ret.append(tfmt % tuple(["", ""]+tophead[2:]))
+-					ret.append(separator)
+-					ret.append(hfmt % tuple(headers))
+-					separator = "\u2550\u256C\u2550".join(['\u2550' * n for n in tlens]) + '\u2550'
+-					ret.append(separator)
++					ret.append(" "+tfmt % tuple(["", ""]+tophead[2:]))
++					ret.append(" "+separator)
++					ret.append(" "+hfmt % tuple(headers))
++					separator = (ct[1]+ct[4]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1]
++					ret.append(ct[1]+separator)
+ 					for row in rows:
+-						ret.append(rfmt % tuple(row))
+-					separator = "\u2550\u2569\u2550".join(['\u2550' * n for n in tlens]) + '\u2550'
+-					ret.append(separator)
++						ret.append(" "+rfmt % tuple(row))
++					separator = (ct[1]+ct[5]+ct[1]).join([ct[1] * n for n in tlens]) + ct[1]
++					ret.append(ct[1]+separator)
+ 					return ret
+-				msg = "\n".join(_statstable(response))
++				if not response:
++					return "No jails found."
++				msg = "\n".join(_statstable(response, chrTable[self.encUtf]))
+ 			elif len(inC) < 2:
+ 				pass # to few cmd args for below
+ 			elif inC[1] == "syslogsocket":
+diff --git a/fail2ban/tests/clientbeautifiertestcase.py b/fail2ban/tests/clientbeautifiertestcase.py
+index defedbe1bf..5fcb240479 100644
+--- a/fail2ban/tests/clientbeautifiertestcase.py
++++ b/fail2ban/tests/clientbeautifiertestcase.py
+@@ -34,6 +34,7 @@ def setUp(self):
+ 		""" Call before every test case """
+ 		super(BeautifierTest, self).setUp()
+ 		self.b = Beautifier()
++		self.b.encUtf = 0; ## we prefer ascii in test suite (see #3750)
+ 
+ 	def tearDown(self):
+ 		""" Call after every test case """
+@@ -170,22 +171,25 @@ def testStatus(self):
+ 
+ 	def testStatusStats(self):
+ 		self.b.setInputCmd(["stats"])
++		## no jails:
++		self.assertEqual(self.b.beautify({}), "No jails found.")
++		## 3 jails:
+ 		response = {
+ 			"ssh": ["systemd", (3, 6), (12, 24)],
+ 			"exim4": ["pyinotify", (6, 12), (20, 20)],
+ 			"jail-with-long-name": ["polling", (0, 0), (0, 0)]
+ 		}
+ 		output = (""
+-			+ "                    ?           ? Filter    ? Actions  \n"
+-			+ "Jail                ? Backend   ????????????????????????\n"
+-			+ "                    ?           ? cur ? tot ? cur ? tot\n"
+-			+ "????????????????????????????????????????????????????????\n"
+-			+ "ssh                 ? systemd   ?   3 ?   6 ?  12 ?  24\n"
+-			+ "exim4               ? pyinotify ?   6 ?  12 ?  20 ?  20\n"
+-			+ "jail-with-long-name ? polling   ?   0 ?   0 ?   0 ?   0\n"
+-			+ "????????????????????????????????????????????????????????"
++			+ "                     |           | Filter    | Actions  \n"
++			+ " Jail                | Backend   |-----------x-----------\n"
++			+ "                     |           | cur | tot | cur | tot\n"
++			+ "---------------------x-----------x-----------x-----------\n"
++			+ " ssh                 | systemd   |   3 |   6 |  12 |  24\n"
++			+ " exim4               | pyinotify |   6 |  12 |  20 |  20\n"
++			+ " jail-with-long-name | polling   |   0 |   0 |   0 |   0\n"
++			+ "---------------------------------------------------------"
+ 		)
+-		response = self.b.beautify(response).encode('ascii', 'replace').decode('ascii')
++		response = self.b.beautify(response)
+ 		self.assertEqual(response, output)
+ 			
+ 

fail2ban-1.1.0.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
+iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
+yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
+ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
+9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
+jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
+MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
+=qvry
+-----END PGP SIGNATURE-----

fail2ban.spec

@@ -8,17 +8,14 @@
 %if %{defined rhel} && 0%{?rhel} < 10
 %define legacy_var_run 1
 %endif
-%if %{defined fedora} && 0%{?fedora} < 40
-%define legacy_var_run 1
-%endif
 
 Name: fail2ban
-Version: 1.0.2
+Version: 1.1.0
 Release: 15%{?dist}
 Summary: Daemon to ban hosts that cause multiple authentication errors
 
-License: GPLv2+
+License: GPL-2.0-or-later
-URL: http://fail2ban.sourceforge.net/
+URL: https://www.fail2ban.org
 Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
 # Releases are signed by Serg G. Brester (sebres) <info AT sebres.de>.  The
@@ -41,34 +38,36 @@ Source6: Makefile
 # https://bugzilla.redhat.com/show_bug.cgi?id=1379141
 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185
 Patch0: fail2ban-partof.patch
-# Remove warning about allowipv6 from startup
-Patch2: https://github.com/fail2ban/fail2ban/commit/432e7e1e93936f09e349e80d94254e5f43d0cc8a.patch
 # default port in jail.conf is not compatible with firewalld-cmd syntax
 # https://bugzilla.redhat.com/show_bug.cgi?id=1850164
-Patch3: fail2ban-nftables.patch
+Patch1: fail2ban-nftables.patch
+# Work around encoding issues during tests
+Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03cf4f93831f1b.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2315252
+Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2295265
+Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch
+# Upstream fix to also catch sshd-session logs
+# https://bugzilla.redhat.com/show_bug.cgi?id=2332945
+Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
+# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2426440
+Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
 
 
 BuildArch: noarch
 
-%if 0%{?rhel} && 0%{?rhel} < 8
-BuildRequires: python-devel
-BuildRequires: python-setuptools
-# For testcases
-BuildRequires: python-inotify
-%else
 BuildRequires: python3-devel
 BuildRequires: python3-setuptools
-BuildRequires: /usr/bin/2to3
 # For testcases
 BuildRequires: python3-inotify
-%endif
 # using a python3_version-based conditional does not work here, so
 # this is a proxy for "Python version greater than 3.12". asyncore
 # and asynchat were dropped from cpython core in 3.12, these modules
 # make them available again. See:
 # https://github.com/fail2ban/fail2ban/issues/3487
 # https://bugzilla.redhat.com/show_bug.cgi?id=2219991
-%if 0%{?fedora} > 38
+%if 0%{?fedora} || 0%{?rhel} >= 10
 BuildRequires: python3-pyasyncore
 BuildRequires: python3-pyasynchat
 %endif
@@ -76,7 +75,7 @@ BuildRequires: sqlite
 BuildRequires: systemd
 BuildRequires: selinux-policy-devel
 BuildRequires: make
-%if 0%{?fedora} >= 41
+%if 0%{?fedora} || 0%{?rhel} >= 11
 BuildRequires: bash-completion-devel
 %else
 BuildRequires: bash-completion
@@ -117,24 +116,14 @@ SELinux policies for Fail2Ban.
 
 %package server
 Summary: Core server component for Fail2Ban
-%if 0%{?rhel} && 0%{?rhel} < 8
-Requires: systemd-python
-Requires: ipset
-Requires: iptables
-%else
 Requires: python3-systemd
 Requires: nftables
-%endif
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
-%if 0%{?fedora} || 0%{?rhel} >= 8
 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
-%else
-Requires: %{name}-selinux
-%endif
 # see note above in BuildRequires section
-%if 0%{?fedora} > 38
+%if 0%{?fedora} || 0%{?rhel} >= 10
 Requires: python3-pyasyncore
 Requires: python3-pyasynchat
 %endif
@@ -156,13 +145,7 @@ Requires: %{name}-server = %{version}-%{release}
 Requires: %{name}-shorewall = %{version}-%{release}
 %endif
 Requires: perl-interpreter
-%if 0%{?rhel} && 0%{?rhel} < 8
-Requires: python-inotify
-# No python3 support for gamin so epel only
-Requires: gamin-python
-%else
 Requires: python3-inotify
-%endif
 Requires: /usr/bin/whois
 
 %description all
@@ -252,18 +235,9 @@ by default.
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
-# this test uses smtpd which is removed in Python 3.12, rewriting it
-# isn't trivial
-%if 0%{?fedora} > 38
-rm -f fail2ban/tests/action_d/test_smtp.py
-%endif
 
 # Use Fedora paths
 sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
-%if 0%{?fedora} || 0%{?rhel} >= 8
-2to3 --write --nobackups .
-find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} +
-%endif
 
 # SELinux sources
 cp -p %SOURCE3 %SOURCE4 %SOURCE5 .
@@ -277,27 +251,26 @@ sed -i 's|^/run/|/var/run/|' %{name}.fc
 sed -i "/use_2to3/d" setup.py
 
 
+%generate_buildrequires
+%pyproject_buildrequires
+
+
 %build
-%if 0%{?rhel} && 0%{?rhel} < 8
+%pyproject_wheel
-%py2_build
-%else
-%py3_build
-%endif
 make -f %SOURCE6
 
 
 %install
-%if 0%{?rhel} && 0%{?rhel} < 8
+%pyproject_install
-%py2_install
-# Make symbolic link relative
-ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python
-%else
-%py3_install
 ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python
-%endif
+mv %{buildroot}%{python3_sitelib}/etc %{buildroot}
+mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir}
+rmdir %{buildroot}%{python3_sitelib}%{_prefix}
 
 mkdir -p %{buildroot}%{_unitdir}
-cp -p build/fail2ban.service %{buildroot}%{_unitdir}/
+# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite
+# so we will do our own modification
+sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service
 mkdir -p %{buildroot}%{_mandir}/man{1,5}
 install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
@@ -308,6 +281,7 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d
 
 # Remove non-Linux actions
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
@@ -352,17 +326,7 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion
 
 
 %check
-%if 0%{?rhel} && 0%{?rhel} < 8
-%python2 bin/fail2ban-testcases --verbosity=2 --no-network
-%else
-%if 0%{?fedora} > 38
-# testRepairDb does not work with sqlite 3.42.0+
-# https://github.com/fail2ban/fail2ban/issues/3586
-%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb
-%else
 %python3 bin/fail2ban-testcases --verbosity=2 --no-network
-%endif
-%endif
 
 
 %pre selinux
@@ -402,13 +366,8 @@ fi
 %{_bindir}/fail2ban-python
 %{_bindir}/fail2ban-regex
 %{_bindir}/fail2ban-server
-%if 0%{?rhel} && 0%{?rhel} < 8
-%{python2_sitelib}/*
-%exclude %{python2_sitelib}/fail2ban/tests
-%else
 %{python3_sitelib}/*
 %exclude %{python3_sitelib}/fail2ban/tests
-%endif
 %{_unitdir}/fail2ban.service
 %{_datadir}/bash-completion/
 %{_mandir}/man1/fail2ban.1*
@@ -444,11 +403,7 @@ fi
 %files tests
 %{_bindir}/fail2ban-testcases
 %{_mandir}/man1/fail2ban-testcases.1*
-%if 0%{?rhel} && 0%{?rhel} < 8
-%{python2_sitelib}/fail2ban/tests
-%else
 %{python3_sitelib}/fail2ban/tests
-%endif
 
 %files mail
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
@@ -473,6 +428,56 @@ fi
 
 
 %changelog
+* Wed Dec 31 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-15
+- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.
+
+* Sat Oct 11 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-14
+- Cleanup old conditionals
+
+* Fri Oct 10 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-13
+- Fix paths in fail2ban.service (rhbz#2399981)
+
+* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.1.0-12
+- Rebuilt for Python 3.14.0rc3 bytecode
+
+* Thu Aug 21 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-11
+- Move from setup.py to wheels per
+  https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.
+
+* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.1.0-10
+- Rebuilt for Python 3.14.0rc2 bytecode
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Tue Jun 03 2025 Python Maint <python-maint@redhat.com> - 1.1.0-8
+- Rebuilt for Python 3.14
+
+* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Thu Dec 19 2024 Orion Poplawski <orion@nwra.com> - 1.1.0-6
+- Add upstream fix for sshd filter (rhbz#2332945)
+
+* Wed Oct 16 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-5
+- Add upstream patch for python distutils removal.
+
+* Sat Sep 28 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-4
+- Add patch to deal with changes to OpenSSL log output.
+
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jul 12 2024 Nils Philippsen <nils@tiptoe.de> - 1.1.0-2
+- Use SPDX license identifier
+- Use https upstream URL
+
+* Wed Jun 12 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-1
+- Update to 1.1.0 for Python 3.13 support.
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 1.0.2-16
+- Rebuilt for Python 3.13
+
 * Sat May 11 2024 Todd Zullinger <tmz@pobox.com> - 1.0.2-15
 - Handle /var/run->/run transition in older Fedora and EPEL (RHBZ#2279054)
 

fail2ban.te

@@ -99,22 +99,12 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
-allow fail2ban_t fail2ban_log_t:file watch;
-gen_require(`
-        attribute logfile;
-')
-allow fail2ban_t logfile:dir { watch_dir_perms };
-allow fail2ban_t logfile:file { watch_file_perms };
 # Not in EL9 yet
 #logging_watch_audit_log_files(fail2ban_t)
-gen_require(`
+logging_watch_all_log_files(fail2ban_t)
-	type var_log_t, auditd_log_t;
+logging_watch_all_log_dirs(fail2ban_t)
-')
+logging_watch_audit_log_files(fail2ban_t)
-watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
+logging_watch_audit_log_dirs(fail2ban_t)
-#logging_watch_audit_log_dirs(fail2ban_t)
-allow fail2ban_t var_log_t:dir search_dir_perms;
-watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
-logging_watch_generic_log_dirs(fail2ban_t)
 logging_watch_journal_dir(fail2ban_t)
 
 mta_send_mail(fail2ban_t)

sources

@@ -1,2 +1 @@
-SHA512 (fail2ban-1.0.2.tar.gz) = 688a84361b5794e1658f53d2d200ce752fe1e3320ddb1742c32c4b4b82a79ace16ae464e7ea3eeb94a0e862bcac73c2d3a0e61dd7b28e179a4c857f950d74dbb
+SHA512 (fail2ban-1.1.0.tar.gz) = 9bff7b9c41e58a953901800468e5c4153c9db6af01c7eb18111ad8620b40d03a0771020472fb759b2809d250e2bb45471e6c7e8283e72ea48290ecf7bf921821
-SHA512 (fail2ban-1.0.2.tar.gz.asc) = 1c0af7e454d52879788d9728010a68159a94668d93799da5533999e8c821db87f651b3606347af16fd92a4540a7a343dc682f72bb3bab14e3666f848883d8644