orion pushed to fail2ban (el6). "Couple bugfixes: (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Wed Apr 1 01:44:23 UTC 2015
>From 48a42fbb70b21dee806e1d2d2ea940a9d2ecffea Mon Sep 17 00:00:00 2001
From: Orion Poplawski <orion at cora.nwra.com>
Date: Tue, 31 Mar 2015 19:42:55 -0600
Subject: Couple bugfixes:
- Add patch to fix strptime issue (bug #1181354)
- Fixup default logpaths (bug #1132359)
diff --git a/fail2ban-logfiles.patch b/fail2ban-logfiles.patch
new file mode 100644
index 0000000..c2cf359
--- /dev/null
+++ b/fail2ban-logfiles.patch
@@ -0,0 +1,212 @@
+diff -up fail2ban-0.9-d529151/config/jail.conf.logfiles fail2ban-0.9-d529151/config/jail.conf
+--- fail2ban-0.9-d529151/config/jail.conf.logfiles 2013-07-28 03:43:54.000000000 -0600
++++ fail2ban-0.9-d529151/config/jail.conf 2013-08-08 21:23:41.785950007 -0600
+@@ -152,20 +152,18 @@ action = %(action_)s
+ [sshd]
+
+ port = ssh
+-logpath = /var/log/auth.log
+- /var/log/sshd.log
++logpath = /var/log/secure
+
+ [sshd-ddos]
+
+ port = ssh
+-logpath = /var/log/auth.log
+- /var/log/sshd.log
++logpath = /var/log/secure
+
+ [dropbear]
+
+ port = ssh
+ filter = sshd
+-logpath = /var/log/dropbear
++logpath = /var/log/secure
+
+
+ # Generic filter for PAM. Has to be used with action which bans all
+@@ -175,12 +173,12 @@ logpath = /var/log/dropbear
+
+ # pam-generic filter can be customized to monitor specific subset of 'tty's
+ banaction = iptables-allports
+-logpath = /var/log/auth.log
++logpath = /var/log/secure
+
+ [xinetd-fail]
+
+ banaction = iptables-multiport-log
+-logpath = /var/log/daemon.log
++logpath = /var/log/messages
+ maxretry = 2
+
+ # .. custom jails
+@@ -201,7 +199,7 @@ filter = sshd
+ action = hostsdeny[daemon_list=sshd]
+ sendmail-whois[name=SSH, dest=you at example.com]
+ ignoreregex = for myuser from
+-logpath = /var/log/sshd.log
++logpath = /var/log/secure
+
+ # Here we use blackhole routes for not requiring any additional kernel support
+ # to store large volumes of banned IPs
+@@ -210,7 +208,7 @@ logpath = /var/log/sshd.log
+
+ filter = sshd
+ action = route
+-logpath = /var/log/sshd.log
++logpath = /var/log/secure
+
+ # Here we use a combination of Netfilter/Iptables and IPsets
+ # for storing large volumes of banned IPs
+@@ -221,13 +219,13 @@ logpath = /var/log/sshd.log
+
+ filter = sshd
+ action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
+-logpath = /var/log/sshd.log
++logpath = /var/log/secure
+
+ [sshd-iptables-ipset6]
+
+ filter = sshd
+ action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
+-logpath = /var/log/sshd.log
++logpath = /var/log/secure
+
+ # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
+ # option is overridden in this jail. Moreover, the action "mail-whois" defines
+@@ -238,7 +236,7 @@ logpath = /var/log/sshd.log
+ filter = sshd
+ action = ipfw[localhost=192.168.0.1]
+ sendmail-whois[name="SSH,IPFW", dest=you at example.com]
+-logpath = /var/log/auth.log
++logpath = /var/log/secure
+ ignoreip = 168.192.0.1
+
+ # bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
+@@ -250,7 +248,7 @@ ignoreip = 168.192.0.1
+ [ssh-bsd-ipfw]
+ filter = sshd
+ action = bsd-ipfw[port=ssh,table=1]
+-logpath = /var/log/auth.log
++logpath = /var/log/secure
+
+ #
+ # HTTP servers
+@@ -259,7 +257,7 @@ logpath = /var/log/auth.log
+ [apache-auth]
+
+ port = http,https
+-logpath = /var/log/apache*/*error.log
++logpath = /var/log/httpd/*error_log
+
+ # Ban hosts which agent identifies spammer robots crawling the web
+ # for email addresses. The mail outputs are buffered.
+@@ -267,21 +265,20 @@ logpath = /var/log/apache*/*error.log
+ [apache-badbots]
+
+ port = http,https
+-logpath = /var/log/apache*/*access.log
+- /var/www/*/logs/access_log
++logpath = /var/log/httpd/*access_log
+ bantime = 172800
+ maxretry = 1
+
+ [apache-noscript]
+
+ port = http,https
+-logpath = /var/log/apache*/*error.log
++logpath = /var/log/httpd/*error_log
+ maxretry = 6
+
+ [apache-overflows]
+
+ port = http,https
+-logpath = /var/log/apache*/*error.log
++logpath = /var/log/httpd/*error_log
+ maxretry = 2
+
+ # Ban attackers that try to use PHP's URL-fopen() functionality
+@@ -291,7 +288,7 @@ maxretry = 2
+ [php-url-fopen]
+
+ port = http,https
+-logpath = /var/www/*/logs/access_log
++logpath = /var/log/httpd/*access_log
+
+ # A simple PHP-fastcgi jail which works with lighttpd.
+ # If you run a lighttpd server, then you probably will
+@@ -330,7 +327,7 @@ logpath = /var/log/sogo/sogo.log
+
+ filter = apache-auth
+ action = hostsdeny
+-logpath = /var/log/apache*/*error.log
++logpath = /var/log/httpd/*error_log
+ maxretry = 6
+
+
+@@ -347,7 +344,7 @@ logpath = /var/log/proftpd/proftpd.log
+ [pure-ftpd]
+
+ port = ftp,ftp-data,ftps,ftps-data
+-logpath = /var/log/auth.log
++logpath = /var/log/secure
+ maxretry = 6
+
+ [vsftpd]
+@@ -355,7 +352,7 @@ maxretry = 6
+ port = ftp,ftp-data,ftps,ftps-data
+ logpath = /var/log/vsftpd.log
+ # or overwrite it in jails.local to be
+-# logpath = /var/log/auth.log
++# logpath = /var/log/secure
+ # if you want to rely on PAM failed login attempts
+ # vsftpd's failregex should match both of those formats
+
+@@ -384,12 +381,12 @@ maxretry = 6
+ [courier-smtp]
+
+ port = smtp,ssmtp,submission
+-logpath = /var/log/mail.log
++logpath = /var/log/maillog
+
+ [postfix]
+
+ port = smtp,ssmtp,submission
+-logpath = /var/log/mail.log
++logpath = /var/log/maillog
+
+ # The hosts.deny path can be defined with the "file" argument if it is
+ # not in /etc.
+@@ -410,7 +407,7 @@ bantime = 300
+ [courier-auth]
+
+ port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+-logpath = /var/log/mail.log
++logpath = /var/log/maillog
+
+
+ [sasl]
+@@ -419,12 +416,12 @@ port = smtp,ssmtp,submission,imap2,i
+ # You might consider monitoring /var/log/mail.warn instead if you are
+ # running postfix since it would provide the same log lines at the
+ # "warn" level but overall at the smaller filesize.
+-logpath = /var/log/mail.log
++logpath = /var/log/maillog
+
+ [dovecot]
+
+ port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+-logpath = /var/log/mail.log
++logpath = /var/log/maillog
+
+ #
+ # DNS servers
+@@ -519,7 +516,7 @@ maxretry = 5
+ enabled=false
+ filter = sshd
+ action = pf
+-logpath = /var/log/sshd.log
++logpath = /var/log/secure
+ maxretry=5
+
+ [3proxy]
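Review bot: The new fail2ban-logfiles.patch does not appear to be wired into the build, because the fail2ban.spec hunks in this commit add `Patch2: fail2ban-strptime.patch` and a `sed` over `config/jail.conf` but no `PatchN:`/`%patch` entry for this file (only part of the spec is visible, so this is inferred). Its headers are generated against `fail2ban-0.9-d529151/config/jail.conf` while the spec builds 0.8.14, so it would probably not apply as-is. If the sed in %prep is the mechanism actually used, dropping this file or adding a spec comment such as `# fail2ban-logfiles.patch is not applied; logpaths are rewritten by sed in %prep` would avoid two diverging descriptions of which log each jail watches.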
diff --git a/fail2ban-strptime.patch b/fail2ban-strptime.patch
new file mode 100644
index 0000000..f3d6f28
--- /dev/null
+++ b/fail2ban-strptime.patch
@@ -0,0 +1,12 @@
+diff -U0 fail2ban-0.8.14/ChangeLog.strptime fail2ban-0.8.14/ChangeLog
+diff -up fail2ban-0.8.14/common/__init__.py.strptime fail2ban-0.8.14/common/__init__.py
+--- fail2ban-0.8.14/common/__init__.py.strptime 2014-08-19 14:23:33.000000000 -0600
++++ fail2ban-0.8.14/common/__init__.py 2015-03-31 19:03:56.731175410 -0600
+@@ -28,3 +28,7 @@ import logging
+
+ # Custom debug level
+ logging.HEAVYDEBUG = 5
++
++from time import strptime
++# strptime thread safety hack-around - http://bugs.python.org/issue7980
++strptime("2012", "%Y")
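Review bot: The comment above the added `strptime("2012", "%Y")` call names the Python issue but not what the call is for, so it reads as dead code that a later cleanup could remove. A comment such as `# Call strptime once at import time so its lazy first-use setup is done before any thread parses log timestamps - http://bugs.python.org/issue7980` would make the intent explicit. `from time import strptime` also leaves `strptime` as a public name of the `common` package; `import time` followed by `time.strptime("2012", "%Y")` avoids that. That this module is imported before any thread parses dates is assumed from the placement and is not shown in the hunk.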
diff --git a/fail2ban.spec b/fail2ban.spec
index 64c652f..06b3be9 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -1,12 +1,14 @@
Summary: Ban IPs that make too many password failures
Name: fail2ban
Version: 0.8.14
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: http://fail2ban.sourceforge.net/
Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch1: fail2ban-sshd.patch
+# Fix strptime issue - https://bugzilla.redhat.com/show_bug.cgi?id=1181354
+Patch2: fail2ban-strptime.patch
Patch6: fail2ban-log2syslog.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: python-devel >= 2.3
@@ -41,7 +43,15 @@ and shorewall respectively.
%prep
%setup -q
%patch1 -p1 -b .sshd
+%patch2 -p1 -b .strptime
%patch6 -p1 -b .log2syslog
+# Fix logpaths
+sed -i -e 's,log/\(auth\.log\|dropbear\|secure.log\|sshd.log\),log/secure,' \
+ -e 's,log/\(daemon.log\|fail2ban\.log\),log/messages,' \
+ -e 's,log/\(mail\.log\|postfix.log\),log/maillog,' \
+ -e 's,/var/.*access.log,/var/log/httpd/*access_log,' \
+ -e 's,log/apache.*error.log,log/httpd/*error_log,' \
+ config/jail.conf
%build
python setup.py build
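Review bot: The `sed` expressions added to %prep are unanchored and run over every line of `config/jail.conf`, so they can rewrite more than the intended `logpath` values. In particular `s,/var/.*access.log,...` is greedy and replaces everything from the first `/var/` to the last `access.log`/`access_log` on a line, which would also redirect a non-Apache jail's access log to the httpd path; `-e 's,/var/[^ ]*access.log,/var/log/httpd/*access_log,'` keeps the match to a single path. `sed -i` also exits 0 when nothing matches, so after a rebase a jail can keep a path that does not exist on EL6 and watch nothing; a check after the sed such as `if grep -nE 'log/(auth|mail|daemon)\.log' config/jail.conf; then exit 1; fi` would fail the build instead. The contents of 0.8.14's jail.conf are not visible here, so which lines are affected is inferred from the expressions alone.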
@@ -123,6 +133,10 @@ fi
%dir %{_localstatedir}/lib/fail2ban/
%changelog
+* Tue Mar 31 2015 Orion Poplawski <orion at cora.nwra.com> - 0.8.14-2
+- Add patch to fix strptime issue (bug #1181354)
+- Fixup default logpaths (bug #1132359)
+
* Wed Aug 20 2014 Orion Poplawski <orion at cora.nwra.com> - 0.8.14-1
- Update to 0.8.14 (bug #1130706)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/fail2ban.git/commit/?h=el6&id=48a42fbb70b21dee806e1d2d2ea940a9d2ecffea