Hello community,

here is the log from the commit of package fail2ban.3699 for 
openSUSE:13.1:Update checked in at 2015-04-21 10:43:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/fail2ban.3699 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.fail2ban.3699.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fail2ban.3699"

Changes:
--------
New Changes file:

--- /dev/null   2015-03-12 01:14:30.992027505 +0100
+++ /work/SRC/openSUSE:13.1:Update/.fail2ban.3699.new/fail2ban.changes  
2015-04-21 10:43:03.000000000 +0200
@@ -0,0 +1,536 @@
+-------------------------------------------------------------------
+Tue Apr 14 07:14:24 UTC 2015 - mplus...@suse.com
+
+- Add missing dependency on ed (boo#926943)
+
+-------------------------------------------------------------------
+Wed Jan 21 21:00:48 UTC 2015 - jweberho...@weberhofer.at
+
+- Fixed strptime thread safety issue.
+  fail2ban-issue_906-strptime.patch (bnc#914075 gh#fail2ban/fail2ban#906)
+
+-------------------------------------------------------------------
+Tue Nov 25 11:03:06 UTC 2014 - jweberho...@weberhofer.at
+
+- Added syslog to requirements, as this version of fail2ban does not
+  work with systemd-logging: bnc#905733
+
+-------------------------------------------------------------------
+Fri Oct 17 09:44:12 UTC 2014 - jeng...@inai.de
+
+- Recommend installation of the ordering package when all
+  constituing parts are installed
+
+-------------------------------------------------------------------
+Thu Aug 21 16:50:20 UTC 2014 - jweberho...@weberhofer.at
+
+- Fixed check for %_unitdir to make fail2ban build under older systems, too.
+- Changed /usr to %{_prefix} in the spec file
+
+-------------------------------------------------------------------
+Wed Aug 20 15:44:54 UTC 2014 - jweberho...@weberhofer.at
+
+- update to 0.8.14
+  * minor fixes for claimed Python 2.4 and 2.5 compatibility
+  * Handle case when inotify watch is auto deleted on file deletion to stop
+    error messages
+  * tests - fixed few "leaky" file descriptors when files were not closed while
+    being removed physically
+  * grep in mail*-whois-lines.conf now also matches end of line to work with
+    the recidive filter
+- add fail2ban-opensuse-locations.patch to fix default locations as suggested
+  in bnc#878028
+
+-------------------------------------------------------------------
+Wed Jun 25 15:13:37 UTC 2014 - l...@linux-schulserver.de
+
+- update to 0.8.13:
+  + Fixes:
+  - action firewallcmd-ipset had non-working actioncheck. Removed.
+    redhat bug #1046816.
+  - filter pureftpd - added _daemon which got removed. Added
+
+  + New Features:
+  - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
+  - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
+
+  + Enhancements:
+  - filter asterisk now supports syslog format
+  - filter pureftpd - added all translations of "Authentication failed for
+    user"
+  - filter dovecot - lip= was optional and extended TLS errors can occur.
+    Thanks Noel Butler.
+- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed 
+  upstream
+- split out nagios-plugins-fail2ban package
+
+-------------------------------------------------------------------
+Tue Feb 18 00:03:12 UTC 2014 - jeng...@inai.de
+
+- Add a new subpackage to install systemd drop-ins that couple
+  SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf,
+  f2b-restart.conf.
+
+-------------------------------------------------------------------
+Tue Feb  4 14:19:03 UTC 2014 - jweberho...@weberhofer.at
+ 
+- Upgraded version to 0.8.12 to fix bnc#861504 (CVE-2013-7177) and
+  bnc#861503 (CVE-2013-7176)
+
+-------------------------------------------------------------------
+Wed Jan 29 13:48:38 UTC 2014 - jweberho...@weberhofer.at
+
+Security note: The update to version 0.8.11 has fixed two additional security
+issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
+be blocked by Fail2ban causing legitimate users to be blocked from accessing
+services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
+(postfix)
+
+-------------------------------------------------------------------
+Thu Jan 23 21:35:27 UTC 2014 - jweberho...@weberhofer.at
+
+- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
+
+- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
+  newer versions of openSUSE
+
+-------------------------------------------------------------------
+Thu Jan 23 08:40:40 UTC 2014 - jweberho...@weberhofer.at
+
+- Reviewed and fixed github references in the changelog
+
+-------------------------------------------------------------------
+Wed Jan 22 09:27:43 UTC 2014 - jweberho...@weberhofer.at
+
+- Use new flushlogs syntax after logrotate
+
+-------------------------------------------------------------------
+Wed Jan 22 08:50:05 UTC 2014 - jweberho...@weberhofer.at
+
+- Update to version 0.8.12
+
+  * Log rotation can now occur with the command "flushlogs" rather than
+    reloading fail2ban or keeping the logtarget settings consistent in
+    jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
+
+  * Added ignorecommand option for allowing dynamic determination as to ignore
+    and IP or not.
+
+  * Remove indentation of name and loglevel while logging to SYSLOG to resolve
+    syslog(-ng) parsing problems. (dep#730202). Log lines now also
+    report "[PID]" after the name portion too.
+
+  * Epoch dates can now be enclosed within []
+
+  * New actions: badips, firewallcmd-ipset, ufw, blocklist_de
+
+  * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
+    ejabberd, openwebmail, groupoffice
+
+  * Filter improvements:
+    - apache-noscript now includes php cgi scripts
+    - exim-spam filter to match spamassassin log entry for option SAdevnull.
+    - Added to sshd filter expression for 
+      "Received disconnect from : 3: Auth fail"
+    - Improved ACL-handling for Asterisk
+    - Added improper command pipelining to postfix filter.
+
+  * General fixes:
+    - Added lots of jail.conf entries for missing filters that creaped in 
+      over the last year.
+    - synchat changed to use push method which verifies whether all data was
+      send. This ensures that all data is sent before closing the connection.
+    - Fixed python 2.4 compatibility (as sub-second in date patterns weren't 
+      2.4 compatible)
+    - Complain/email actions fixed to only include relevant IPs to reporting
+
+  * Filter fixes:
+    - Added HTTP referrer bit of the apache access log to the apache filters.
+    - Apache 2.4 perfork regexes fixed
+    - Kernel syslog expression can have leading spaces
+    - allow for ",milliseconds" in the custom date format of proftpd.log
+    - recidive jail to block all protocols
+    - smtps not a IANA standard so may be missing from /etc/services. Due to 
+      (still) common use 465 has been used as the explicit port number
+    - Filter dovecot reordered session and TLS items in regex with wider scope
+      for session characters
+
+  * Ugly Fixes (Potentially incompatible changes):
+
+    - Unfortunately at the end of last release when the action
+      firewall-cmd-direct-new was added it was too long and had a broken action
+      check. The action was renamed to firewallcmd-new to fit within jail name
+      name length. (gh#fail2ban/fail2ban#395).
+
+    - Last release added mysqld-syslog-iptables as a jail configuration. This
+      jailname was too long and it has been renamed to mysqld-syslog.
+
+- Fixed formating of github references in changelog
+- reformatted spec-file
+ 
+-------------------------------------------------------------------
+Thu Nov 14 05:14:35 UTC 2013 - jweberho...@weberhofer.at
+
+- Update to version 0.8.11
+
+- In light of CVE-2013-2178 that triggered our last release we have put a
+  significant effort into tightening all of the regexs of our filters to avoid
+  another similar vulnerability. We haven't examined all of these for a 
potential
+  DoS scenario however it is possible that another DoS vulnerability exists 
that
+  is fixed by this release. A large number of filters have been updated to
+  include more failure regexs supporting previously unbanned failures and 
support
+  newer application versions too. We have test cases for most of these now
+  however if you have other examples that demonstrate that a filter is
+  insufficient we welcome your feedback. During the tightening of the regexs to
+  avoid DoS vulnerabilities there is the possibility that we have 
inadvertently,
+  despite our best intentions, incorrectly allowed a failure to continue.
+
+-------------------------------------------------------------------
+Sat Sep 21 11:38:29 UTC 2013 - schue...@gmx.net
+
+- Added systemd service file and systemd-tmpfiles configuration
+
+-------------------------------------------------------------------
+Thu Jun 13 08:58:53 UTC 2013 - jweberho...@weberhofer.at
+
+- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
+  by "bugs" in apache- filters.  If you are relying on listed below apache-
++++ 339 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.fail2ban.3699.new/fail2ban.changes
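Review bot: the fix for CVE-2013-7176 and CVE-2013-7177 is attributed to two different versions in this changelog. The Tue Feb 4 2014 entry says the upgrade to 0.8.12 fixes bnc#861504 and bnc#861503, while the Wed Jan 29 2014 security note says the update to 0.8.11 fixed the same two CVEs. State once which release carries the fix, and give the Jan 29 note a leading "- " to match the other entries.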

New:
----
  0.8.14.tar.gz
  f2b-restart.conf
  fail2ban-issue_906-strptime.patch
  fail2ban-opensuse-locations.patch
  fail2ban.changes
  fail2ban.init
  fail2ban.logrotate
  fail2ban.service
  fail2ban.spec
  fail2ban.sysconfig
  fail2ban.tmpfiles
  sfw-fail2ban.conf

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fail2ban.spec ++++++
#
# spec file for package fail2ban
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           fail2ban
Version:        0.8.14
Release:        0
Url:            http://www.fail2ban.org/
Summary:        Bans IP addresses that make too many authentication failures
License:        GPL-2.0+
Group:          Productivity/Networking/Security

Source0:        https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz
%if 0%{?suse_version} < 1230
# the init-script requires lsof
Requires:       lsof
Source1:        %{name}.init
%endif
Source2:        %{name}.sysconfig
Source3:        %{name}.logrotate
Source4:        %{name}.service
Source5:        %{name}.tmpfiles
Source6:        sfw-fail2ban.conf
Source7:        f2b-restart.conf
# PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 
jweberho...@weberhofer.at -- update default locations for logfiles
Patch100:       fail2ban-opensuse-locations.patch
# PATCH-FIX-UPSTREAM fail2ban-issue_906-strptime.patch bnc#914075, 
gh#fail2ban/fail2ban#906 jweberho...@weberhofer.at -- Fix strptime thread 
safety issue
Patch101:       fail2ban-issue_906-strptime.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch
%if 0%{?suse_version} >= 1230
%{?systemd_requires}
BuildRequires:  systemd
%endif
BuildRequires:  logrotate
BuildRequires:  python-devel
Requires:       cron
Requires:       ed
Requires:       iptables
Requires:       logrotate
Requires:       python >= 2.5
Requires:       syslog
%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0
Requires:       python-pyinotify
%endif
%if 0%{?suse_version} >= 1220
Requires:       python-gamin
%endif

%description
Fail2ban scans log files like /var/log/messages and bans IP addresses
that makes too many password failures. It updates firewall rules to
reject the IP address, can send e-mails, or set host.deny entries.
These rules can be defined by the user. Fail2Ban can read multiple log
files such as sshd or Apache web server ones.

%package -n SuSEfirewall2-fail2ban
Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
Group:          Productivity/Networking/Security
BuildArch:      noarch
Recommends:     packageand(SuSEfirewall2:fail2ban)
Requires:       SuSEfirewall2
Requires:       fail2ban

%description -n SuSEfirewall2-fail2ban
This package ships systemd files which will cause fail2ban to be ordered
in relation to SuSEfirewall2 such that the two can be run concurrently
within reason, i.e. SFW will always run first because it does a table flush.

%package -n nagios-plugins-fail2ban
Summary:        Check fail2ban server and how many IPs are currently banned
Group:          System/Monitoring
%define         nagios_plugindir %{_prefix}/lib/nagios/plugins

%description -n nagios-plugins-fail2ban
This plugin checks if the fail2ban server is running and how many IPs are
currently banned.  You can use this plugin to monitor all the jails or just a
specific jail.

How to use
----------
Just have to run the following command:
  $ ./check_fail2ban --help


%prep
%setup
%patch100 -p1
%patch101 -p1
# correct doc-path
sed -i -e 's|%{_prefix}/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py

%build
export CFLAGS="$RPM_OPT_FLAGS"
python setup.py build
gzip man/*.1

%install
python setup.py install \
        --root=$RPM_BUILD_ROOT \
        --prefix=%{_prefix}
install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1
for i in fail2ban-client fail2ban-regex fail2ban-server; do
        install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1
done
install -d -m755 $RPM_BUILD_ROOT/%{_initrddir}
install -d -m755 $RPM_BUILD_ROOT/%{_sbindir}
%if 0%{?suse_version} < 1230
install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_initrddir}/%{name}
ln -sf %{_initrddir}/%{name} ${RPM_BUILD_ROOT}%{_sbindir}/rc%{name}
%endif
install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE2} 
$RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name}

install -d -m755 $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
install -m 644 %{SOURCE3}  $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/fail2ban

%if 0%{?suse_version} >= 1230
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/%{name}.service

install -d -m755 $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/
install -m644 %{SOURCE5} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf
%endif
%if 0%{?_unitdir:1}
install -Dm0644 "%_sourcedir/sfw-fail2ban.conf" \
        "%buildroot/%_unitdir/SuSEfirewall2.service.d/fail2ban.conf"
install -Dm0644 "%_sourcedir/f2b-restart.conf" \
        "%buildroot/%_unitdir/fail2ban.service.d/SuSEfirewall2.conf"
%endif
install -Dm755 files/nagios/check_fail2ban 
%{buildroot}/%{nagios_plugindir}/check_fail2ban

%pre
%if 0%{?suse_version} >= 1230
%service_add_pre %{name}.service
%endif

%post
%{fillup_only}
%if 0%{?suse_version} >= 1230
systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
%service_add_post %{name}.service
%endif

%preun
%if 0%{?suse_version} >= 1230
%service_del_preun %{name}.service
%else
%stop_on_removal %{name}
%endif

%postun
%if 0%{?suse_version} >= 1230
%service_del_postun %{name}.service
%else
%restart_on_update %{name}
%insserv_cleanup
%endif

%if 0%{?_unitdir:1}
%post -n SuSEfirewall2-fail2ban
%_bindir/systemctl daemon-reload >/dev/null 2>&1 || :

%postun -n SuSEfirewall2-fail2ban
%_bindir/systemctl daemon-reload >/dev/null 2>&1 || :
%endif

%files
%defattr(-, root, root)
%dir %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/%{name}/action.d
%dir %{_sysconfdir}/%{name}/filter.d
%config(noreplace) %{_sysconfdir}/%{name}/*.conf
%config(noreplace) %{_sysconfdir}/%{name}/action.d/*.conf
%config(noreplace) %{_sysconfdir}/%{name}/filter.d/*.conf
%config %{_sysconfdir}/logrotate.d/fail2ban
%if 0%{?suse_version} >= 1230
%{_unitdir}/%{name}.service
%{_prefix}/lib/tmpfiles.d/%{name}.conf
%else
%{_initrddir}/%{name}
%{_sbindir}/rc%{name}
%dir %ghost /var/run/%{name}
%endif
%{_bindir}/%{name}*
%{_datadir}/%{name}
/var/adm/fillup-templates/sysconfig.%{name}
%doc %{_mandir}/man1/*
%doc COPYING ChangeLog DEVELOP README.md TODO files/cacti

%if 0%{?_unitdir:1}
%files -n SuSEfirewall2-fail2ban
%defattr(-,root,root)
%_unitdir/SuSEfirewall2.service.d
%_unitdir/fail2ban.service.d
%endif

%files -n nagios-plugins-fail2ban
%defattr(-,root,root)
%doc files/nagios/README COPYING
%dir %{_prefix}/lib/nagios
%dir %{nagios_plugindir}
%{nagios_plugindir}/check_fail2ban

%changelog
++++++ f2b-restart.conf ++++++
# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
# restarted, which is what this drop-in file does.

[Unit]
PartOf=SuSEfirewall2.service
++++++ fail2ban-issue_906-strptime.patch ++++++
diff -ur fail2ban-0.8.14.orig/common/__init__.py 
fail2ban-0.8.14/common/__init__.py
--- fail2ban-0.8.14.orig/common/__init__.py     2014-08-19 22:23:33.000000000 
+0200
+++ fail2ban-0.8.14/common/__init__.py  2015-01-21 21:51:13.425141175 +0100
@@ -28,3 +28,7 @@
 
 # Custom debug level
 logging.HEAVYDEBUG = 5
+
+from time import strptime
+# strptime thread safety hack-around - http://bugs.python.org/issue7980
+strptime("2012", "%Y")
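Review bot: the warm-up call on the last added line only helps if common/__init__.py is imported before any worker thread calls strptime, and the comment does not say so. Extend the comment next to the bugs.python.org/issue7980 link to state that ordering requirement. Also consider "import time" with "time.strptime(...)", or a "del strptime" afterwards, so the name is not left behind in the package namespace.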
++++++ fail2ban-opensuse-locations.patch ++++++
diff -ur fail2ban-0.8.14.orig/config/jail.conf fail2ban-0.8.14/config/jail.conf
--- fail2ban-0.8.14.orig/config/jail.conf       2014-08-19 22:23:33.000000000 
+0200
+++ fail2ban-0.8.14/config/jail.conf    2014-08-20 17:39:21.428256837 +0200
@@ -80,7 +80,7 @@
 enabled = false
 filter  = pam-generic
 action  = iptables-allports[name=pam,protocol=all]
-logpath = /var/log/secure
+logpath =  /var/log/messages
 
 
 [xinetd-fail]
@@ -97,7 +97,7 @@
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
            sendmail-whois[name=SSH, dest=y...@example.com, 
sender=fail2...@example.com, sendername="Fail2Ban"]
-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
 maxretry = 5
 
 
@@ -106,7 +106,7 @@
 enabled  = false
 filter   = sshd-ddos
 action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
-logpath  = /var/log/sshd.log
+logpath  =  /var/log/messages
 maxretry = 2
 
 
@@ -135,7 +135,7 @@
 filter   = gssftpd
 action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
            sendmail-whois[name=GSSFTPd, dest=y...@example.com]
-logpath  = /var/log/daemon.log
+logpath  = /var/log/messages
 maxretry = 6
 
 
@@ -144,7 +144,7 @@
 enabled  = false
 filter   = pure-ftpd
 action   = iptables[name=pureftpd, port=ftp, protocol=tcp]
-logpath  = /var/log/pureftpd.log
+logpath  = /var/log/messages
 maxretry = 6
 
 
@@ -153,7 +153,7 @@
 enabled  = false
 filter   = wuftpd
 action   = iptables[name=wuftpd, port=ftp, protocol=tcp]
-logpath  = /var/log/daemon.log
+logpath  = /var/log/messages
 maxretry = 6
 
 
@@ -162,7 +162,7 @@
 enabled  = false
 filter   = sendmail-auth
 action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", 
protocol=tcp]
-logpath  = /var/log/mail.log
+logpath  = /var/log/mail
 
 
 [sendmail-reject]
@@ -170,7 +170,7 @@
 enabled  = false
 filter   = sendmail-reject
 action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", 
protocol=tcp]
-logpath  = /var/log/mail.log
+logpath  = /var/log/mail
 
 
 # This jail forces the backend to "polling".
@@ -181,7 +181,7 @@
 backend  = polling
 action   = iptables[name=sasl, port=smtp, protocol=tcp]
            sendmail-whois[name=sasl, dest=y...@example.com]
-logpath  = /var/log/mail.log
+logpath  = /var/log/mail
 
 
 # ASSP SMTP Proxy Jail
@@ -202,7 +202,7 @@
 action      = hostsdeny[daemon_list=sshd]
               sendmail-whois[name=SSH, dest=y...@example.com]
 ignoreregex = for myuser from
-logpath     = /var/log/sshd.log
+logpath     = /var/log/messages
 
 
 # Here we use blackhole routes for not requiring any additional kernel support
@@ -212,7 +212,7 @@
 enabled  = false
 filter   = sshd
 action   = route
-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
 maxretry = 5
 
 
@@ -226,7 +226,7 @@
 enabled  = false
 filter   = sshd
 action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
 maxretry = 5
 
 
@@ -235,7 +235,7 @@
 enabled  = false
 filter   = sshd
 action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
 maxretry = 5
 
 
@@ -329,7 +329,7 @@
 enabled = false
 filter  = cyrus-imap
 action  = iptables-multiport[name=cyrus-imap,port="143,993"]
-logpath = /var/log/mail*log
+logpath = /var/log/mail
 
 
 [courierlogin]
@@ -337,7 +337,7 @@
 enabled = false
 filter  = courierlogin
 action  = 
iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
-logpath = /var/log/mail*log
+logpath = /var/log/mail
 
 
 [couriersmtp]
@@ -345,7 +345,7 @@
 enabled = false
 filter  = couriersmtp
 action  = iptables-multiport[name=couriersmtp,port="25,465,587"]
-logpath = /var/log/mail*log
+logpath = /var/log/mail
 
 
 [qmail-rbl]
@@ -361,7 +361,7 @@
 enabled = false
 filter  = sieve
 action  = iptables-multiport[name=sieve,port="25,465,587"]
-logpath = /var/log/mail*log
+logpath = /var/log/mail
 
 
 # Do not ban anybody. Just report information about the remote host.
@@ -396,7 +396,8 @@
 filter   = apache-badbots
 action   = iptables-multiport[name=BadBots, port="http,https"]
            sendmail-buffered[name=BadBots, lines=5, dest=y...@example.com]
-logpath  = /var/www/*/logs/access_log
+logpath  = /var/log/apache/access_log
+           /var/log/apache2/*/access_log
 bantime  = 172800
 maxretry = 1
 
@@ -466,7 +467,7 @@
 enabled  = false
 action   = iptables-multiport[name=php-url-open, port="http,https"]
 filter   = php-url-fopen
-logpath  = /var/www/*/logs/access_log
+logpath  = /var/log/apache/access_log
 maxretry = 1
 
 
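Review bot: logpath here becomes only /var/log/apache/access_log, while the apache-badbots hunk just above also adds /var/log/apache2/*/access_log for the same kind of log. A host that logs under /var/log/apache2 would then be covered by one jail and not the other. Use the same two-line logpath in both jails, and confirm which of the two directories the distribution's Apache package actually writes to.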
@@ -500,7 +501,7 @@
 filter   = sshd
 action   = ipfw[localhost=192.168.0.1]
            sendmail-whois[name="SSH,IPFW", dest=y...@example.com]
-logpath  = /var/log/auth.log
+logpath  = /var/log/messages
 ignoreip = 168.192.0.1
 
 
@@ -531,7 +532,7 @@
 filter   = named-refused
 action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
            sendmail-whois[name=Named, dest=y...@example.com]
-logpath  = /var/log/named/security.log
+logpath  = /var/lib/named/log/security.log
 ignoreip = 168.192.0.1
 
 
@@ -601,7 +602,7 @@
 filter   = mysqld-auth
 action   = iptables[name=mysql, port=3306, protocol=tcp]
            sendmail-whois[name=MySQL, dest=root, sender=fail2...@example.com]
-logpath  = /var/log/mysqld.log
+logpath  = /var/log/mysql/mysqld.log
 maxretry = 5
 
 
@@ -610,7 +611,7 @@
 enabled  = false
 filter   = mysqld-auth
 action   = iptables[name=mysql, port=3306, protocol=tcp]
-logpath  = /var/log/daemon.log
+logpath  = /var/log/mysql/mysqld.log
 maxretry = 5
 
 
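Review bot: this jail's logpath moves from the syslog file /var/log/daemon.log to /var/log/mysql/mysqld.log, which gives it the same filter, iptables action and logpath as the jail in the previous hunk. If this is the syslog-fed variant, point it at the syslog target used elsewhere in this patch (/var/log/messages); otherwise the two jails count the same lines twice.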
@@ -637,7 +638,7 @@
 enabled  = false
 filter   = sshd
 action   = pf
-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
 maxretry = 5
 
 
@@ -723,7 +724,7 @@
 enabled = false
 filter  = dovecot
 action  = iptables-multiport[name=dovecot, 
port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
-logpath = /var/log/mail.log
+logpath = /var/log/mail
 
 
 [dovecot-auth]
@@ -731,7 +732,7 @@
 enabled = false
 filter  = dovecot
 action  = iptables-multiport[name=dovecot-auth, 
port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
-logpath = /var/log/secure
+logpath = /var/log/mail
 
 
 [solid-pop3d]
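Review bot: changing the dovecot-auth logpath from /var/log/secure to /var/log/mail makes this jail read the same file with the same "filter = dovecot" as the [dovecot] jail in the previous hunk, so each failure line is counted by both. The pam-generic hunk maps /var/log/secure to /var/log/messages; use that here if the intent is to watch the auth log, or explain in the patch header why both jails should share /var/log/mail.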
@@ -739,7 +740,7 @@
 enabled = false
 filter  = solid-pop3d
 action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
-logpath = /var/log/mail.log
+logpath = /var/log/mail
 
 
 [selinux-ssh]
@@ -761,7 +762,7 @@
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
            sendmail-whois[name=SSH, dest=y...@example.com, 
sender=fail2...@example.com, sendername="Fail2Ban"]
            blocklist_de[email="fail2...@example.com", apikey="xxxxxx", 
service=%(filter)s]
-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
 maxretry = 20
 
 
++++++ fail2ban.init ++++++
#!/bin/sh
#
### BEGIN INIT INFO
# Provides:          fail2ban
# Required-Start:    $remote_fs $local_fs
# Should-Start:      $syslog $time $network iptables
# Required-Stop:     $remote_fs $local_fs
# Should-Stop:       $syslog $time $network iptables
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Pidfile:           /var/run/fail2ban/fail2ban.pid
# Short-Description: Bans IPs with too many authentication failures
# Description:       Start fail2ban to scan logfiles and ban IP addresses
#      which make too many logfiles failures, and/or sent e-mails about
### END INIT INFO

# Check for missing binaries (stale symlinks should not happen)
FAIL2BAN_CLI=/usr/bin/fail2ban-client
test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }
FAIL2BAN_SRV=/usr/bin/fail2ban-server
test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }

FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban"
FAIL2BAN_SOCKET_DIR="/var/run/fail2ban"
FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock"
FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid"

if [ -e $FAIL2BAN_CONFIG ]; then
        . $FAIL2BAN_CONFIG
fi

. /etc/rc.status
rc_reset

case "$1" in
    start)
        echo -n "Starting fail2ban "

        if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then
                mkdir -p $FAIL2BAN_SOCKET_DIR
        fi

        if [ -e $FAIL2BAN_SOCKET ]; then
                if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
                        rm $FAIL2BAN_SOCKET
                fi
        fi
        $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1

        rc_status -v
        ;;
    stop)
        echo -n "Shutting down fail2ban "
        ## Stop daemon with built-in functionality 'stop'
        /sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1

        if [ -f $FAIL2BAN_SOCKET ]
         then
         echo "$FAIL2BAN_SOCKET  not removed .. removing .." 
         rm $FAIL2BAN_SOCKET
        fi
        if [ -f $FAIL2BAN_PID ]
         then
         echo "$FAIL2BAN_PID  not removed .. removing .." 
         rm $FAIL2BAN_PID
        fi


        rc_status -v
        ;;
    try-restart|condrestart)
        $0 status
        if test $? = 0; then
                $0 restart
        else
                rc_reset        # Not running is not a failure.
        fi
        rc_status
        ;;
    restart)
        $0 stop
        i=60
        while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
                sleep 1
                i=$[$i-1]
                echo -n "."
        done
        $0 start

        rc_status
        ;;
    reload|force-reload)
        echo -n "Reload service Fail2ban "
        /sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1

        rc_status -v
        ;;
    status)
        echo -n "Checking for service fail2ban "
        /sbin/checkproc $FAIL2BAN_SRV

        rc_status -v
        ;;
    *)
        echo "Usage: $0 
{start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit

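Review bot: the script is declared "#!/bin/sh" but uses bash-only syntax: "&>/dev/null" in the lsof test and on the start line, and "i=$[$i-1]" in the restart loop. Under a POSIX shell "cmd &>/dev/null" puts cmd in the background and the "$[...]" form is not expanded, so either change the interpreter to /bin/bash or write ">/dev/null 2>&1" and "i=$((i-1))". The usage string also advertises "probe", which has no case branch.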
++++++ fail2ban.logrotate ++++++
/var/log/fail2ban.log {
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    notifempty
    missingok
    create 644 root root
    postrotate
      fail2ban-client flushlogs  1>/dev/null || true
    endscript
}
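Review bot: "create 644 root root" recreates /var/log/fail2ban.log world-readable after each rotation, so any local user can read which addresses were banned and by which jail. Unless an unprivileged reader needs the file, use "create 640 root root".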
++++++ fail2ban.service ++++++
[Unit]
Description=Bans IPs with too many authentication failures
After=network.target SuSEfirewall2.service

[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/fail2ban
PIDFile=/run/fail2ban/fail2ban.pid
ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start
ExecReload=/usr/bin/fail2ban-client reload
ExecStop=/usr/bin/fail2ban-client stop

[Install]
WantedBy=multi-user.target

++++++ fail2ban.sysconfig ++++++
## Path:        System/Security/Fail2ban
## Description: fail2ban options
## Type:        string
## Default:     ""
## ServiceReload: fail2ban
## ServiceRestart: fail2ban
#
# Options for fail2ban
#
FAIL2BAN_OPTIONS=""
++++++ fail2ban.tmpfiles ++++++
d /run/fail2ban 0755 root root
++++++ sfw-fail2ban.conf ++++++
# This drop-in file extends SuSEfirewall2.service to also start
# fail2ban.service, and to make sure that fail2ban is only (re)started after
# SFW has completed.

[Unit]
Wants=fail2ban.service
Before=fail2ban.service
