diff --git a/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch b/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch new file mode 100644 index 0000000..cb6d5c2 --- /dev/null +++ b/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch @@ -0,0 +1,60 @@ +From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001 +From: Nic Boet +Date: Fri, 13 Jun 2025 16:44:57 -0500 +Subject: [PATCH] Dovecot 2.4 filter support + +Dovecot 2.4 release is a major upgrade +Logger event structure has changed, all messages are now +prefixed with: + + "Login aborted: " "auth failed" + +Maintain 2.3 support as many folks have yet to migrate, +community edition is still receiving cretial security patches + +Dovecot 2.4.1 +Python 3.12.10 + +Signed-off-by: Nic Boet +--- + config/filter.d/dovecot.conf | 2 ++ + fail2ban/tests/files/logs/dovecot | 6 ++++++ + 2 files changed, 8 insertions(+) + +diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf +index dc3ebbcd42..f49eebe726 100644 +--- a/config/filter.d/dovecot.conf ++++ b/config/filter.d/dovecot.conf +@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a + + failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ + ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++ ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<[^>]*>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$ + ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) + > +@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N + # DEV Notes: + # * the first regex is essentially a copy of pam-generic.conf + # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) ++# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support + # + # Author: Martin Waschbuesch + # Daniel Black (rewrote with begin and end anchors) +diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot +index 0e33296129..4f5a0b7867 100644 +--- a/fail2ban/tests/files/logs/dovecot ++++ b/fail2ban/tests/files/logs/dovecot +@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem + # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" } + Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210 + ++# Dovecot version 2.4 ++# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" } ++Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan> ++# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": "192.0.2.241" } ++Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session= ++ + # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" } + Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session= + diff --git a/fail2ban.spec b/fail2ban.spec index d9176f1..6ca56b5 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -8,13 +8,10 @@ %if %{defined rhel} && 0%{?rhel} < 10 %define legacy_var_run 1 %endif -%if %{defined fedora} && 0%{?fedora} < 40 -%define legacy_var_run 1 -%endif Name: fail2ban Version: 1.1.0 -Release: 6%{?dist} +Release: 15%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPL-2.0-or-later @@ -53,28 +50,24 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728 # Upstream fix to also catch sshd-session logs # https://bugzilla.redhat.com/show_bug.cgi?id=2332945 Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch +# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1. +# https://bugzilla.redhat.com/show_bug.cgi?id=2426440 +Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch BuildArch: noarch -%if 0%{?rhel} && 0%{?rhel} < 8 -BuildRequires: python-devel -BuildRequires: python-setuptools -# For testcases -BuildRequires: python-inotify -%else BuildRequires: python3-devel BuildRequires: python3-setuptools # For testcases BuildRequires: python3-inotify -%endif # using a python3_version-based conditional does not work here, so # this is a proxy for "Python version greater than 3.12". asyncore # and asynchat were dropped from cpython core in 3.12, these modules # make them available again. See: # https://github.com/fail2ban/fail2ban/issues/3487 # https://bugzilla.redhat.com/show_bug.cgi?id=2219991 -%if 0%{?fedora} > 38 +%if 0%{?fedora} || 0%{?rhel} >= 10 BuildRequires: python3-pyasyncore BuildRequires: python3-pyasynchat %endif @@ -82,7 +75,7 @@ BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel BuildRequires: make -%if 0%{?fedora} >= 41 +%if 0%{?fedora} || 0%{?rhel} >= 11 BuildRequires: bash-completion-devel %else BuildRequires: bash-completion @@ -123,24 +116,14 @@ SELinux policies for Fail2Ban. %package server Summary: Core server component for Fail2Ban -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: systemd-python -Requires: ipset -Requires: iptables -%else Requires: python3-systemd Requires: nftables -%endif Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%if 0%{?fedora} || 0%{?rhel} >= 8 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) -%else -Requires: %{name}-selinux -%endif # see note above in BuildRequires section -%if 0%{?fedora} > 38 +%if 0%{?fedora} || 0%{?rhel} >= 10 Requires: python3-pyasyncore Requires: python3-pyasynchat %endif @@ -162,13 +145,7 @@ Requires: %{name}-server = %{version}-%{release} Requires: %{name}-shorewall = %{version}-%{release} %endif Requires: perl-interpreter -%if 0%{?rhel} && 0%{?rhel} < 8 -Requires: python-inotify -# No python3 support for gamin so epel only -Requires: gamin-python -%else Requires: python3-inotify -%endif Requires: /usr/bin/whois %description all @@ -258,11 +235,6 @@ by default. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# this test uses smtpd which is removed in Python 3.12, rewriting it -# isn't trivial -%if 0%{?fedora} > 38 -rm -f fail2ban/tests/action_d/test_smtp.py -%endif # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -279,27 +251,26 @@ sed -i 's|^/run/|/var/run/|' %{name}.fc sed -i "/use_2to3/d" setup.py +%generate_buildrequires +%pyproject_buildrequires + + %build -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_build -%else -%py3_build -%endif +%pyproject_wheel make -f %SOURCE6 %install -%if 0%{?rhel} && 0%{?rhel} < 8 -%py2_install -# Make symbolic link relative -ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python -%else -%py3_install +%pyproject_install ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python -%endif +mv %{buildroot}%{python3_sitelib}/etc %{buildroot} +mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir} +rmdir %{buildroot}%{python3_sitelib}%{_prefix} mkdir -p %{buildroot}%{_unitdir} -cp -p build/fail2ban.service %{buildroot}%{_unitdir}/ +# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite +# so we will do our own modification +sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service mkdir -p %{buildroot}%{_mandir}/man{1,5} install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 @@ -310,6 +281,7 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ mkdir -p %{buildroot}%{_tmpfilesdir} install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d # Remove non-Linux actions rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf @@ -354,17 +326,7 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion %check -%if 0%{?rhel} && 0%{?rhel} < 8 -%python2 bin/fail2ban-testcases --verbosity=2 --no-network -%else -%if 0%{?fedora} > 38 -# testRepairDb does not work with sqlite 3.42.0+ -# https://github.com/fail2ban/fail2ban/issues/3586 -%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb -%else %python3 bin/fail2ban-testcases --verbosity=2 --no-network -%endif -%endif %pre selinux @@ -404,13 +366,8 @@ fi %{_bindir}/fail2ban-python %{_bindir}/fail2ban-regex %{_bindir}/fail2ban-server -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/* -%exclude %{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/* %exclude %{python3_sitelib}/fail2ban/tests -%endif %{_unitdir}/fail2ban.service %{_datadir}/bash-completion/ %{_mandir}/man1/fail2ban.1* @@ -446,11 +403,7 @@ fi %files tests %{_bindir}/fail2ban-testcases %{_mandir}/man1/fail2ban-testcases.1* -%if 0%{?rhel} && 0%{?rhel} < 8 -%{python2_sitelib}/fail2ban/tests -%else %{python3_sitelib}/fail2ban/tests -%endif %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf @@ -475,6 +428,34 @@ fi %changelog +* Wed Dec 31 2025 Richard Shaw - 1.1.0-15 +- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440. + +* Sat Oct 11 2025 Orion Poplawski - 1.1.0-14 +- Cleanup old conditionals + +* Fri Oct 10 2025 Orion Poplawski - 1.1.0-13 +- Fix paths in fail2ban.service (rhbz#2399981) + +* Fri Sep 19 2025 Python Maint - 1.1.0-12 +- Rebuilt for Python 3.14.0rc3 bytecode + +* Thu Aug 21 2025 Richard Shaw - 1.1.0-11 +- Move from setup.py to wheels per + https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros. + +* Fri Aug 15 2025 Python Maint - 1.1.0-10 +- Rebuilt for Python 3.14.0rc2 bytecode + +* Wed Jul 23 2025 Fedora Release Engineering - 1.1.0-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Tue Jun 03 2025 Python Maint - 1.1.0-8 +- Rebuilt for Python 3.14 + +* Thu Jan 16 2025 Fedora Release Engineering - 1.1.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Thu Dec 19 2024 Orion Poplawski - 1.1.0-6 - Add upstream fix for sshd filter (rhbz#2332945) diff --git a/fail2ban.te b/fail2ban.te index b19bdaa..5bc2394 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -99,22 +99,12 @@ logging_read_syslog_pid(fail2ban_t) logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) -allow fail2ban_t fail2ban_log_t:file watch; -gen_require(` - attribute logfile; -') -allow fail2ban_t logfile:dir { watch_dir_perms }; -allow fail2ban_t logfile:file { watch_file_perms }; # Not in EL9 yet #logging_watch_audit_log_files(fail2ban_t) -gen_require(` - type var_log_t, auditd_log_t; -') -watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t) -#logging_watch_audit_log_dirs(fail2ban_t) -allow fail2ban_t var_log_t:dir search_dir_perms; -watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t) -logging_watch_generic_log_dirs(fail2ban_t) +logging_watch_all_log_files(fail2ban_t) +logging_watch_all_log_dirs(fail2ban_t) +logging_watch_audit_log_files(fail2ban_t) +logging_watch_audit_log_dirs(fail2ban_t) logging_watch_journal_dir(fail2ban_t) mta_send_mail(fail2ban_t)