commit: 9887cc1da7851677abcb7e5cc6a8bbd60f87859f Author: Ulrich Müller <ulm <AT> gentoo <DOT> org> AuthorDate: Thu Sep 18 16:54:45 2025 +0000 Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org> CommitDate: Thu Sep 18 17:22:17 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9887cc1d
net-analyzer/fail2ban: Fix mdpr-ddos regex in filter.d/postfix.conf The current regex doesn't match the following log entry: Sep 17 18:19:20 mxhost postfix/smtpd[12345]: NOQUEUE: lost connection after CONNECT from unknown[192.0.2.25] Closes: https://bugs.gentoo.org/963047 Acked-by: Sam James <sam <AT> gentoo.org> Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org> net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild | 151 +++++++++++++++++++++ .../files/fail2ban-1.1.0-postfix-ddos.patch | 38 ++++++ 2 files changed, 189 insertions(+)
diff --git a/net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild b/net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild
new file mode 100644
index 000000000000..05a953241bd5
--- /dev/null
+++ b/net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild
@@ -0,0 +1,151 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..13} )
+
+inherit bash-completion-r1 edo python-single-r1 systemd tmpfiles
+
+DESCRIPTION="Scans log files and bans IPs that show malicious signs"
+HOMEPAGE="https://www.fail2ban.org/"
+
+if [[ ${PV} == *9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/fail2ban/fail2ban"
+ inherit git-r3
+else
+ SRC_URI="https://github.com/fail2ban/fail2ban/archive/${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="selinux systemd test"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="
+ ${PYTHON_DEPS}
+ $(python_gen_cond_dep '
+ dev-python/pyasyncore[${PYTHON_USEDEP}]
+ dev-python/pyasynchat[${PYTHON_USEDEP}]
+ ' 3.12)
+ virtual/logger
+ virtual/mta
+ selinux? ( sec-policy/selinux-fail2ban )
+ systemd? (
+ $(python_gen_cond_dep '
+ dev-python/python-systemd[${PYTHON_USEDEP}]
+ ')
+ )
+"
+BDEPEND="
+ $(python_gen_cond_dep '
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ ')
+ test? (
+ $(python_gen_cond_dep '
+ dev-python/aiosmtpd[${PYTHON_USEDEP}]
+ ')
+ )
+"
+
+DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt )
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch
+ "${FILESDIR}"/${PN}-1.0.2-umask-tests.patch
+ "${FILESDIR}"/${PN}-1.1.0-openssh-9.8.patch
+ "${FILESDIR}"/${PN}-1.1.0-openssh-9.8-fixups.patch
+ "${FILESDIR}"/${PN}-1.1.0-openrc-nftables.patch
+ "${FILESDIR}"/${PN}-1.1.0-systemd-order.patch
+ "${FILESDIR}"/${PN}-1.1.0-postfix-ddos.patch
+)
+
+src_prepare() {
+ default
+
+ # Replace /var/run with /run, but not in the top source directory
+ find . -mindepth 2 -type f -exec \
+ sed -i -e 's|/var\(/run/fail2ban\)|\1|g' {} + || die
+}
+
+src_compile() {
+ edo ${EPYTHON} setup.py build
+}
+
+src_test() {
+ # Skip testRepairDb for bug #907348 (didn't always fail..)
+ # https://github.com/fail2ban/fail2ban/issues/3586
+ bin/fail2ban-testcases \
+ --no-network \
+ --ignore databasetestcase.DatabaseTest.testRepairDb \
+ --verbosity=4 || die "Tests failed with ${EPYTHON}"
+
+ # Workaround for bug #790251
+ rm -rf fail2ban.egg-info || die
+}
+
+src_install() {
+ edo ${EPYTHON} setup.py install --prefix="${EPREFIX}/usr" --root="${D}"
+ python_fix_shebang "${ED}"/usr/bin
+ python_optimize
+
+ einstalldocs
+
+ rm -rf "${ED}"/usr/share/doc/${PN} "${ED}"/run || die
+
+ newconfd files/fail2ban-openrc.conf ${PN}
+ # These two are placed in the ${BUILD_DIR} after being "built"
+ # in install_scripts().
+ newinitd "${S}"/build/fail2ban-openrc.init ${PN}
+ systemd_dounit "${S}"/build/${PN}.service
+
+ dotmpfiles files/${PN}-tmpfiles.conf
+
+ doman man/*.{1,5}
+
+ # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d.
+ # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675
+ insinto /etc/logrotate.d
+ newins files/${PN}-logrotate ${PN}
+
+ keepdir /var/lib/${PN}
+
+ newbashcomp files/bash-completion ${PN}-client
+ bashcomp_alias ${PN}-client ${PN}-server ${PN}-regex
+}
+
+pkg_preinst() {
+ has_version "<${CATEGORY}/${PN}-0.7"
+ previous_less_than_0_7=$?
+}
+
+pkg_postinst() {
+ tmpfiles_process ${PN}-tmpfiles.conf
+
+ if [[ ${previous_less_than_0_7} == 0 ]] ; then
+ elog
+ elog "Configuration files are now in /etc/fail2ban/"
+ elog "You probably have to manually update your configuration"
+ elog "files before restarting Fail2Ban!"
+ elog
+ elog "Fail2Ban is not installed under /usr/lib anymore. The"
+ elog "new location is under /usr/share."
+ elog
+ elog "You are upgrading from version 0.6.x, please see:"
+ elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8"
+ fi
+
+ if ! has_version dev-python/pyinotify ; then
+ elog "For most jail.conf configurations, it is recommended you install"
+ elog "dev-python/pyinotify to control how log file modifications are detected"
+ fi
+
+ if ! has_version dev-lang/python[sqlite] ; then
+ elog "If you want to use ${PN}'s persistent database, then reinstall"
+ elog "dev-lang/python with USE=sqlite. If you do not use the"
+ elog "persistent database feature, then you should set"
+ elog "dbfile = :memory: in fail2ban.conf accordingly."
+ fi
+}
diff --git a/net-analyzer/fail2ban/files/fail2ban-1.1.0-postfix-ddos.patch b/net-analyzer/fail2ban/files/fail2ban-1.1.0-postfix-ddos.patch
new file mode 100644
index 000000000000..efdc463e1fea
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-1.1.0-postfix-ddos.patch
@@ -0,0 +1,38 @@
+https://github.com/fail2ban/fail2ban/pull/4072
+https://bugs.gentoo.org/963047
+
+commit 0fee8dbe9241f8d387f064a079668457a0efd33d
+Author: Ulrich Müller <[email protected]>
+Date: Thu Sep 18 07:20:38 2025 +0200
+
+ filter.d/postfix.conf: Add optional "NOQUEUE:" to mdpr-ddos
+
+ The current regex doesn't match the following log entry, seen with
+ Postfix 3.10.2:
+
+ Sep 17 18:19:20 mxhost postfix/smtpd[12345]: NOQUEUE: lost connection after CONNECT from unknown[192.0.2.25]
+ Sep 17 18:19:20 mxhost postfix/smtpd[12345]: disconnect from unknown[192.0.2.25] commands=0/0
+
+--- a/config/filter.d/postfix.conf
++++ b/config/filter.d/postfix.conf
+@@ -38,7 +38,7 @@
+
+ # Includes some of the log messages described in
+ # <http://www.postfix.org/POSTSCREEN_README.html>.
+-mdpr-ddos = (?:lost connection after (?!(?:DATA|AUTH)\b)[A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
++mdpr-ddos = (?:NOQUEUE: )?(?:lost connection after (?!(?:DATA|AUTH)\b)[A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
+ mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
+
+ mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
+--- a/fail2ban/tests/files/logs/postfix
++++ b/fail2ban/tests/files/logs/postfix
+@@ -187,6 +187,9 @@
+ # failJSON: { "time": "2005-06-08T23:14:54", "match": true , "host": "192.0.2.26", "desc": "abusive clients hitting command limit (gh-3040)" }
+ Jun 8 23:14:54 proxy2 postfix/postscreen[473]: COMMAND COUNT LIMIT from [192.0.2.26]:15592 after RCPT
+
++# failJSON: { "time": "2004-09-17T18:19:20", "match": true , "host": "192.0.2.25" }
++Sep 17 18:19:20 mxhost postfix/smtpd[12345]: NOQUEUE: lost connection after CONNECT from unknown[192.0.2.25]
++
+
+ # filterOptions: [{}, {"mode": "ddos"}, {"mode": "aggressive"}]
+ # failJSON: { "match": false, "desc": "don't affect lawful data (sporadical connection aborts within DATA-phase, see gh-1813 for discussion)" }
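Review bot: The optional `(?:NOQUEUE: )?` is placed in front of the whole `mdpr-ddos` alternation, so it is also accepted before the `disconnect`, `PREGREET`/`HANGUP` and `COMMAND … LIMIT` branches, while the log sample in the patch description shows the prefix only on `lost connection after CONNECT`. Since a match on this pattern feeds a ban decision, I would either scope the prefix to that one branch, `(?:(?:NOQUEUE: )?lost connection after (?!(?:DATA|AUTH)\b)[A-Z]+|disconnect…`, or add a comment above `mdpr-ddos` saying the wider form is intended. The new test entry pins only the positive case; a `"match": false` sample for `NOQUEUE: lost connection after DATA …` in the DATA-phase section that follows would confirm the `(?!(?:DATA|AUTH)\b)` exclusion still applies when the prefix is present. That negative-test section continues past the end of the hunk, so whether such a sample already exists cannot be seen from here.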
