Hello community, here is the log from the commit of package fail2ban.4045 for openSUSE:13.1:Update checked in at 2015-10-09 14:05:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/fail2ban.4045 (Old) and /work/SRC/openSUSE:13.1:Update/.fail2ban.4045.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fail2ban.4045" Changes: -------- New Changes file: --- /dev/null 2015-09-24 09:51:01.260026505 +0200 +++ /work/SRC/openSUSE:13.1:Update/.fail2ban.4045.new/fail2ban.changes 2015-10-09 14:05:11.000000000 +0200 @@ -0,0 +1,846 @@ +------------------------------------------------------------------- +Wed Sep 23 06:25:26 UTC 2015 - jweberho...@weberhofer.at + +- This update will fix problems with systemd reported in bnc#917818 + +- Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog + Read about all changes from version 0.9.0 - 0.9.3 + +- Update to version 0.9.3 + +- IMPORTANT incompatible changes: + * filter.d/roundcube-auth.conf + - Changed logpath to 'errors' log (was 'userlogins') + * action.d/iptables-common.conf + - All calls to iptables command now use -w switch introduced in + iptables 1.4.20 (some distribution could have patched their + earlier base version as well) to provide this locking mechanism + useful under heavy load to avoid contesting on iptables calls. + If you need to disable, define 'action.d/iptables-common.local' + with empty value for 'lockingopt' in `[Init]` section. + * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines + actions now include by default only the first 1000 log lines in + the emails. Adjust <grepopts> to augment the behavior. + +- Fixes: + * reload in interactive mode appends all the jails twice (gh-825) + * reload server/jail failed if database used (but was not changed) and + some jail active (gh-1072) + * filter.d/dovecot.conf - also match unknown user in passwd-file. + Thanks Anton Shestakov + * Fix fail2ban-regex not parsing journalmatch correctly from filter config + * filter.d/asterisk.conf - fix security log support for Asterisk 12+ + * filter.d/roundcube-auth.conf + - Updated regex to work with 'errors' log (1.0.5 and 1.1.1) + - Added regex to work with 'userlogins' log + * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override + locale on systems with customized LC_ALL + * performance fix: minimizes connection overhead, close socket only at + communication end (gh-1099) + * unbanip always deletes ip from database (independent of bantime, also if + currently not banned or persistent) + * guarantee order of dbfile to be before dbpurgeage (gh-1048) + * always set 'dbfile' before other database options (gh-1050) + * kill the entire process group of the child process upon timeout (gh-1129). + Otherwise could lead to resource exhaustion due to hanging whois + processes. + * resolve /var/run/fail2ban path in setup.py to help installation + on platforms with /var/run -> /run symlink (gh-1142) + +- New Features: + * RETURN iptables target is now a variable: <returntype> + * New type of operation: pass2allow, use fail2ban for "knocking", + opening a closed port by swapping blocktype and returntype + * New filters: + - froxlor-auth - Thanks Joern Muehlencord + - apache-pass - filter Apache access log for successful authentication + * New actions: + - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires + manual pre-configuration of the shorewall. See the action file for detail. + * New jails: + - pass2allow-ftp - allows FTP traffic after successful HTTP authentication + +- Enhancements: + * action.d/cloudflare.conf - improved documentation on how to allow + multiple CF accounts, and jail.conf got new compound action + definition action_cf_mwl to submit cloudflare report. + * Check access to socket for more detailed logging on error (gh-595) + * fail2ban-testcases man page + * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add + HEAD method verb + * Revamp of Travis and coverage automated testing + * Added a space between IP address and the following colon + in notification emails for easier text selection + * Character detection heuristics for whois output via optional setting + in mail-whois*.conf. Thanks Thomas Mayer. + Not enabled by default, if _whois_command is set to be + %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local), + it + - detects character set of whois output (which is undefined by + RFC 3912) via heuristics of the file command + - converts whois data to UTF-8 character set with iconv + - sends the whois output in UTF-8 character set to mail program + - avoids that heirloom mailx creates binary attachment for input with + unknown character set + +- Update to version 0.9.2 (requested in boo#917818) + + * jail.conf was heavily refactored and now is similar to how it looked on + Debian systems: + - default action could be configured once for all jails + - jails definitions only provide customizations (port, logpath) + - no need to specify 'filter' if name matches jail name + + * Added fail2ban persistent database + - default location at /var/lib/fail2ban/fail2ban.sqlite3 + - allows active bans to be reinstated on restart + - log files read from last position after restart + + * Added systemd journal backend + - Dependency on python-systemd + - New "journalmatch" option added to filter configs files + - New "systemd-journal" option added to fail2ban-regex + + * Support %z (Timezone offset) and %f (sub-seconds) support for datedetector. + Enhanced existing date/time have been updated patterns to support these. + ISO8601 now defaults to localtime unless specified otherwise. Some filters + have been change as required to capture these elements in the right + timezone correctly. + + * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR. + + * Optionally can read log files starting from "head" or "tail". See "logpath" + option in jail.conf(5) man page. + + * Can now set log encoding for files per jail.Default uses systemd locale. + + * iptables-common.conf replaced iptables-blocktype.conf + (iptables-blocktype.local should still be read) and now also provides + defaults for the chain, port, protocol and name tags + +- Update to version 0.9.1 + +- Refactoring (IMPORTANT -- Please review your setup and configuration): + * iptables-common.conf replaced iptables-blocktype.conf + (iptables-blocktype.local should still be read) and now also + provides defaults for the chain, port, protocol and name tags + +- Fixes: + * start of file2ban aborted (on slow hosts, systemd considers the server has + been timed out and kills him), see gh-824 + * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806. + * systemd backend error on bad utf-8 in python3 + * badips.py action error when logging HTTP error raised with badips request + * fail2ban-regex failed to work in python3 due to space/tab mix + * recidive regex samples incorrect log level + * journalmatch for recidive incorrect PRIORITY + * loglevel couldn't be changed in fail2ban.conf + * Handle case when no sqlite library is available for persistent database + * Only reban once per IP from database on fail2ban restart + * Nginx filter to support missing server_name. Closes gh-676 + * fail2ban-regex assertion error caused by miscount missed lines with + multiline regex + * Fix actions failing to execute for Python 3.4.0. Workaround for + http://bugs.python.org/issue21207 + * Database now returns persistent bans on restart (bantime < 0) + * Recursive action tags now fully processed. Fixes issue with bsd-ipfw + action + * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags. + Thanks Serg G. Brester + * Correct times for non-timezone date times formats during DST + * Pass a copy of, not original, aInfo into actions to avoid side-effects + * Per-distribution paths to the exim's main log + * Ignored IPs are no longer banned when being restored from persistent + database + * Manually unbanned IPs are now removed from persistent database, such they + wont be banned again when Fail2Ban is restarted + * Pass "bantime" parameter to the actions in default jail's action + definition(s) + * filters.d/sieve.conf - fixed typo in _daemon. Thanks Jisoo Park + * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s). + Regression was introduced while strengthening failregex in 0.8.11 (bd175f) + Debian bug #755173 + * postfix-sasl - added journalmatch. Thanks Luc Maisonobe + * postfix* - match with a new daemon string (postfix/submission/smtpd). + Closes gh-804 . Thanks Paul Traina + * apache - added filter for AH01630 client denied by server configuration. + +- New features: + - New filters: + - monit Thanks Jason H Martin + - directadmin Thanks niorg + - apache-shellshock Thanks Eugene Hopkinson (SlowRiot) + - New actions: + - symbiosis-blacklist-allports for Bytemark symbiosis firewall + - fail2ban-client can fetch the running server version + - Added Cloudflare API action + +- Enhancements + * Start performance of fail2ban-client (and tests) increased, start time + and cpu usage rapidly reduced. Introduced a shared storage logic, to + bypass reading lots of config files (see gh-824). + Thanks to Joost Molenaar for good catch (reported gh-820). + * Fail2ban-regex - add print-all-matched option. Closes gh-652 + * Suppress fail2ban-client warnings for non-critical config options + * Match non "Bye Bye" disconnect messages for sshd locked account regex + * courier-smtp filter: + - match lines with user names + - match lines containing "535 Authentication failed" attempts + * Add <chain> tag to iptables-ipsets + * Realign fail2ban log output with white space to improve readability. Does + not affect SYSLOG output + * Log unhandled exceptions + * cyrus-imap: catch "user not found" attempts + * Add support for Portsentry + +- Update to version 0.9.0 + ++++ 649 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.fail2ban.4045.new/fail2ban.changes New: ---- f2b-restart.conf fail2ban-0.9.3.tar.gz fail2ban-disable-iptables-w-option.patch fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch fail2ban-exclude-dev-log-tests.patch fail2ban-opensuse-locations.patch fail2ban-opensuse-service.patch fail2ban-rpmlintrc fail2ban.changes fail2ban.logrotate fail2ban.spec fail2ban.sysconfig fail2ban.tmpfiles paths-opensuse.conf sfw-fail2ban.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ # # spec file for package fail2ban # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: fail2ban Version: 0.9.3 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ Group: Productivity/Networking/Security Url: http://www.fail2ban.org/ Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source2: %{name}.sysconfig Source3: %{name}.logrotate Source5: %{name}.tmpfiles Source6: sfw-fail2ban.conf Source7: f2b-restart.conf # Path definitions have been submitted to upstream Source8: paths-opensuse.conf # ignore some rpm-lint messages Source200: %{name}-rpmlintrc # PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberho...@weberhofer.at -- update default locations for logfiles Patch100: fail2ban-opensuse-locations.patch # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberho...@weberhofer.at -- openSUSE modifications to the service file Patch101: fail2ban-opensuse-service.patch # PATCH-FIX-OPENSUSE fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch jweberho...@weberhofer.at -- disable test which currently fails on some systems Patch102: fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberho...@weberhofer.at -- disable iptables "-w" option for older releases Patch200: fail2ban-disable-iptables-w-option.patch # PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberho...@weberhofer.at -- remove tests that can't work on opensuse < 13.3 Patch201: fail2ban-exclude-dev-log-tests.patch BuildRequires: fdupes BuildRequires: logrotate BuildRequires: python-devel # timezone package is required to run the tests BuildRequires: timezone Requires: cron Requires: ed Requires: iptables Requires: logrotate Requires: python >= 2.5 Requires: whois BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} != 1110 BuildArch: noarch %endif %if 0%{?suse_version} < 1230 # the init-script requires lsof Requires: lsof Requires: syslog %else BuildRequires: systemd Requires: systemd %{?systemd_requires} %endif %if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 BuildRequires: python-pyinotify Requires: python-pyinotify %endif %if 0%{?suse_version} >= 1220 Requires: python-gamin %endif %description Fail2ban scans log files like %{_localstatedir}/log/messages and bans IP addresses that makes too many password failures. It updates firewall rules to reject the IP address, can send e-mails, or set host.deny entries. These rules can be defined by the user. Fail2Ban can read multiple log files such as sshd or Apache web server ones. %package tests Summary: Test-cases for fail2ban Group: System/Monitoring %description tests This package contains fail2ban's testcases %package -n SuSEfirewall2-fail2ban Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd Group: Productivity/Networking/Security Requires: SuSEfirewall2 Requires: fail2ban Recommends: packageand(SuSEfirewall2:fail2ban) %description -n SuSEfirewall2-fail2ban This package ships systemd files which will cause fail2ban to be ordered in relation to SuSEfirewall2 such that the two can be run concurrently within reason, i.e. SFW will always run first because it does a table flush. %package -n nagios-plugins-fail2ban %define nagios_plugindir %{_libexecdir}/nagios/plugins Summary: Check fail2ban server and how many IPs are currently banned Group: System/Monitoring %description -n nagios-plugins-fail2ban This plugin checks if the fail2ban server is running and how many IPs are currently banned. You can use this plugin to monitor all the jails or just a specific jail. How to use ---------- Just have to run the following command: $ ./check_fail2ban --help %prep %setup -q install -m644 %{SOURCE8} config/paths-opensuse.conf # Use openSUSE paths sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf %patch100 -p1 %patch101 -p1 %patch102 -p1 %if 0%{?suse_version} < 1310 %patch200 -p1 %endif %if 0%{?suse_version} < 1321 %patch201 -p1 %endif rm config/paths-debian.conf \ config/paths-fedora.conf \ config/paths-freebsd.conf \ config/paths-osx.conf # correct doc-path sed -i -e 's|%{_datadir}/doc/fail2ban|%{_docdir}/%{name}|' setup.py %build export CFLAGS="%{optflags}" python setup.py build gzip man/*.{1,5} %install python setup.py install \ --root=%{buildroot} \ --prefix=%{_prefix} install -d -m 755 %{buildroot}%{_mandir}/man{1,5} install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1 install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5 install -d -m 755 %{buildroot}%{_initrddir} install -d -m 755 %{buildroot}%{_sbindir} %if 0%{?suse_version} >= 1230 install -d -m 755 %{buildroot}%{_unitdir} install -p -m 644 files/%{name}.service %{buildroot}%{_unitdir}/%{name}.service install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/ install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf sed -i -e 's/^backend = auto/backend = systemd/' %{buildroot}%{_sysconfdir}/%{name}/paths-opensuse.conf %else install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name} ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name} install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name} %endif install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ install -d -m 755 %{buildroot}%{_localstatedir}/adm/fillup-templates install -p -m 644 %{SOURCE2} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban %if 0%{?_unitdir:1} install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \ "%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf" install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \ "%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf" %endif install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_fail2ban # install docs using the macro rm -r %{buildroot}%{_docdir}/%{name} # remove duplicates %fdupes -s %{buildroot}%{python_sitelib} %check #stat /dev/log #python -c "import platform; print(platform.system())" # tests require python-pyinotify to be installed, so don't run them on older versions %if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 # Need a UTF-8 locale to work export LANG=en_US.UTF-8 ./fail2ban-testcases-all --no-network %endif %pre %if 0%{?suse_version} >= 1230 %service_add_pre %{name}.service %endif %post %fillup_only %if 0%{?suse_version} >= 1230 systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf %service_add_post %{name}.service %endif %preun %if 0%{?suse_version} >= 1230 %service_del_preun %{name}.service %else %stop_on_removal %{name} %endif %postun %if 0%{?suse_version} >= 1230 %service_del_postun %{name}.service %else %restart_on_update %{name} %insserv_cleanup %endif %if 0%{?_unitdir:1} %post -n SuSEfirewall2-fail2ban %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : %postun -n SuSEfirewall2-fail2ban %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : %endif %files %defattr(-, root, root) %config(noreplace) %{_sysconfdir}/%{name} %config %{_sysconfdir}/logrotate.d/fail2ban %dir %{_localstatedir}/lib/fail2ban/ %if 0%{?suse_version} >= 1230 %{_unitdir}/%{name}.service %{_libexecdir}/tmpfiles.d/%{name}.conf %else %{_initddir}/%{name} %{_sbindir}/rc%{name} %dir %ghost %{_localstatedir}/run/%{name} %endif %{_bindir}/fail2ban-server %{_bindir}/fail2ban-client %{_bindir}/fail2ban-regex %{python_sitelib}/%{name} %exclude %{python_sitelib}/%{name}/tests %{python_sitelib}/%{name}-* %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %{_mandir}/man1/* %{_mandir}/man5/* %doc README.md TODO ChangeLog COPYING doc/*.txt %if 0%{?_unitdir:1} %files -n SuSEfirewall2-fail2ban %defattr(-,root,root) %{_unitdir}/SuSEfirewall2.service.d %{_unitdir}/fail2ban.service.d %endif %files tests %defattr(-,root,root) %{_bindir}/fail2ban-testcases %{python_sitelib}/%{name}/tests %files -n nagios-plugins-fail2ban %defattr(-,root,root) %doc files/nagios/README COPYING %dir %{_libexecdir}/nagios %dir %{nagios_plugindir} %{nagios_plugindir}/check_fail2ban %changelog ++++++ f2b-restart.conf ++++++ # When a restart is issued for SuSEfirewall2, fail2ban.service too must be # restarted, which is what this drop-in file does. [Unit] PartOf=SuSEfirewall2.service ++++++ fail2ban-disable-iptables-w-option.patch ++++++ diff -ur fail2ban-0.9.3-orig/config/action.d/iptables-common.conf fail2ban-0.9.3/config/action.d/iptables-common.conf --- fail2ban-0.9.3-orig/config/action.d/iptables-common.conf 2015-08-01 03:32:13.000000000 +0200 +++ fail2ban-0.9.3/config/action.d/iptables-common.conf 2015-08-26 13:35:33.542992089 +0200 @@ -55,8 +55,10 @@ # running concurrently and causing irratic behavior. -w was introduced # in iptables 1.4.20, so might be absent on older systems # See https://github.com/fail2ban/fail2ban/issues/1122 +# The default option "-w" can be used for openSUSE versions 13.2+ and +# for updated versions of openSUSE 13.1; SLE 12 supports this option. # Values: STRING -lockingopt = -w +lockingopt = # Option: iptables # Notes.: Actual command to be executed, including common to all calls options ++++++ fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch ++++++ diff -ur fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py --- fail2ban-0.9.3-orig/fail2ban/tests/actiontestcase.py 2015-08-01 03:32:13.000000000 +0200 +++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py 2015-09-07 08:37:30.842249270 +0200 @@ -204,44 +204,44 @@ or self._is_logged('sleep 60 -- timed out after 3 seconds')) self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM')) - def testExecuteTimeoutWithNastyChildren(self): - # temporary file for a nasty kid shell script - tmpFilename = tempfile.mktemp(".sh", "fail2ban_") - # Create a nasty script which would hang there for a while - with open(tmpFilename, 'w') as f: - f.write("""#!/bin/bash - trap : HUP EXIT TERM - - echo "$$" > %s.pid - echo "my pid $$ . sleeping lo-o-o-ong" - sleep 10000 - """ % tmpFilename) - - def getnastypid(): - with open(tmpFilename + '.pid') as f: - return int(f.read()) - - # First test if can kill the bastard - self.assertRaises( - RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1) - # Verify that the proccess itself got killed - self.assertFalse(pid_exists(getnastypid())) # process should have been killed - self.assertTrue(self._is_logged('timed out')) - self.assertTrue(self._is_logged('killed with SIGTERM')) - - # A bit evolved case even though, previous test already tests killing children processes - self.assertRaises( - RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename, - timeout=.2) - # Verify that the proccess itself got killed - self.assertFalse(pid_exists(getnastypid())) - self.assertTrue(self._is_logged('timed out')) - self.assertTrue(self._is_logged('killed with SIGTERM')) - - os.unlink(tmpFilename) - os.unlink(tmpFilename + '.pid') - - +# def testExecuteTimeoutWithNastyChildren(self): +# # temporary file for a nasty kid shell script +# tmpFilename = tempfile.mktemp(".sh", "fail2ban_") +# # Create a nasty script which would hang there for a while +# with open(tmpFilename, 'w') as f: +# f.write("""#!/bin/bash +# trap : HUP EXIT TERM +# +# echo "$$" > %s.pid +# echo "my pid $$ . sleeping lo-o-o-ong" +# sleep 10000 +# """ % tmpFilename) +# +# def getnastypid(): +# with open(tmpFilename + '.pid') as f: +# return int(f.read()) +# +# # First test if can kill the bastard +# self.assertRaises( +# RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1) +# # Verify that the proccess itself got killed +# self.assertFalse(pid_exists(getnastypid())) # process should have been killed +# self.assertTrue(self._is_logged('timed out')) +# self.assertTrue(self._is_logged('killed with SIGTERM')) +# +# # A bit evolved case even though, previous test already tests killing children processes +# self.assertRaises( +# RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename, +# timeout=.2) +# # Verify that the proccess itself got killed +# self.assertFalse(pid_exists(getnastypid())) +# self.assertTrue(self._is_logged('timed out')) +# self.assertTrue(self._is_logged('killed with SIGTERM')) +# +# os.unlink(tmpFilename) +# os.unlink(tmpFilename + '.pid') +# +# def testCaptureStdOutErr(self): CommandAction.executeCmd('echo "How now brown cow"') self.assertTrue(self._is_logged("'How now brown cow\\n'")) ++++++ fail2ban-exclude-dev-log-tests.patch ++++++ diff -ur fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py fail2ban-0.9.2/fail2ban/tests/servertestcase.py --- fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py 2015-04-29 05:52:48.000000000 +0200 +++ fail2ban-0.9.2/fail2ban/tests/servertestcase.py 2015-05-08 15:57:57.021437562 +0200 @@ -778,32 +778,32 @@ self.setGetTest("logtarget", "STDOUT") self.setGetTest("logtarget", "STDERR") - def testLogTargetSYSLOG(self): - if not os.path.exists("/dev/log") and sys.version_info >= (2, 7): - raise unittest.SkipTest("'/dev/log' not present") - elif not os.path.exists("/dev/log"): - return - self.assertTrue(self.server.getSyslogSocket(), "auto") - self.setGetTest("logtarget", "SYSLOG") - self.assertTrue(self.server.getSyslogSocket(), "/dev/log") +# def testLogTargetSYSLOG(self): +# if not os.path.exists("/dev/log") and sys.version_info >= (2, 7): +# raise unittest.SkipTest("'/dev/log' not present") +# elif not os.path.exists("/dev/log"): +# return +# self.assertTrue(self.server.getSyslogSocket(), "auto") +# self.setGetTest("logtarget", "SYSLOG") +# self.assertTrue(self.server.getSyslogSocket(), "/dev/log") def testSyslogSocket(self): self.setGetTest("syslogsocket", "/dev/log/NEW/PATH") - def testSyslogSocketNOK(self): - self.setGetTest("syslogsocket", "/this/path/should/not/exist") - self.setGetTestNOK("logtarget", "SYSLOG") - # set back for other tests - self.setGetTest("syslogsocket", "/dev/log") - self.setGetTest("logtarget", "SYSLOG", - **{True: {}, # should work on Linux - False: dict( # expect to fail otherwise - outCode=1, - outValue=Exception('Failed to change log target'), - repr_=True # Exceptions are not comparable apparently - ) - }[platform.system() in ('Linux',) and os.path.exists('/dev/log')] - ) +# def testSyslogSocketNOK(self): +# self.setGetTest("syslogsocket", "/this/path/should/not/exist") +# self.setGetTestNOK("logtarget", "SYSLOG") +# # set back for other tests +# self.setGetTest("syslogsocket", "/dev/log") +# self.setGetTest("logtarget", "SYSLOG", +# **{True: {}, # should work on Linux +# False: dict( # expect to fail otherwise +# outCode=1, +# outValue=Exception('Failed to change log target'), +# repr_=True # Exceptions are not comparable apparently +# ) +# }[platform.system() in ('Linux',) and os.path.exists('/dev/log')] +# ) def testLogLevel(self): self.setGetTest("loglevel", "HEAVYDEBUG") ++++++ fail2ban-opensuse-locations.patch ++++++ diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf --- fail2ban-0.9.3-orig/config/jail.conf 2015-08-01 03:32:13.000000000 +0200 +++ fail2ban-0.9.3/config/jail.conf 2015-08-26 14:39:57.561851833 +0200 @@ -348,7 +348,7 @@ [roundcube-auth] port = http,https -logpath = logpath = %(roundcube_errors_log)s +logpath = %(roundcube_errors_log)s [openwebmail] @@ -628,7 +628,7 @@ # filter = named-refused # port = domain,953 # protocol = udp -# logpath = /var/log/named/security.log +# logpath = /var/lib/named/log/security.log # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. @@ -636,7 +636,7 @@ [named-refused] port = domain,953 -logpath = /var/log/named/security.log +logpath = /var/lib/named/log/security.log [nsd] diff -ur fail2ban-0.9.3-orig/config/paths-common.conf fail2ban-0.9.3/config/paths-common.conf --- fail2ban-0.9.3-orig/config/paths-common.conf 2015-08-01 03:32:13.000000000 +0200 +++ fail2ban-0.9.3/config/paths-common.conf 2015-08-26 14:40:58.187091888 +0200 @@ -62,7 +62,7 @@ mysql_log = %(syslog_daemon)s -roundcube_errors_log = /var/log/roundcube/errors +roundcube_errors_log = /srv/www/roundcubemail/logs/errors # Directory with ignorecommand scripts ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands ++++++ fail2ban-opensuse-service.patch ++++++ diff -ur fail2ban-0.9.2-orig/files/fail2ban.service fail2ban-0.9.2/files/fail2ban.service --- fail2ban-0.9.2-orig/files/fail2ban.service 2015-04-29 05:52:48.000000000 +0200 +++ fail2ban-0.9.2/files/fail2ban.service 2015-05-07 10:52:04.187045581 +0200 @@ -1,11 +1,12 @@ [Unit] Description=Fail2Ban Service Documentation=man:fail2ban(1) -After=network.target iptables.service firewalld.service +After=network.target SuSEfirewall2.service [Service] Type=forking -ExecStart=/usr/bin/fail2ban-client -x start +EnvironmentFile=-/etc/sysconfig/fail2ban +ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start ExecStop=/usr/bin/fail2ban-client stop ExecReload=/usr/bin/fail2ban-client reload PIDFile=/var/run/fail2ban/fail2ban.pid ++++++ fail2ban-rpmlintrc ++++++ addFilter("W: htaccess-file .*tests.*") addFilter("W: hidden-file-or-dir .*tests.*") addFilter("W: no-manual-page-for-binary fail2ban-testcases") ++++++ fail2ban.logrotate ++++++ /var/log/fail2ban.log { compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 644 root root postrotate fail2ban-client flushlogs 1>/dev/null || true endscript } ++++++ fail2ban.sysconfig ++++++ ## Path: System/Security/Fail2ban ## Description: fail2ban options ## Type: string ## Default: "" ## ServiceReload: fail2ban ## ServiceRestart: fail2ban # # Options for fail2ban # FAIL2BAN_OPTIONS="" ++++++ fail2ban.tmpfiles ++++++ d /run/fail2ban 0755 root root ++++++ paths-opensuse.conf ++++++ # openSUSE log-file locations [INCLUDES] before = paths-common.conf after = paths-overrides.local [DEFAULT] syslog_local0 = /var/log/messages syslog_mail = /var/log/mail syslog_mail_warn = %(syslog_mail)s syslog_authpriv = %(syslog_local0)s syslog_user = %(syslog_local0)s syslog_ftp = %(syslog_local0)s syslog_daemon = %(syslog_local0)s apache_error_log = /var/log/apache2/*error_log apache_access_log = /var/log/apache2/*access_log pureftpd_log = %(syslog_local0)s exim_main_log = /var/log/exim/main.log mysql_log = /var/log/mysql/mysqld.log roundcube_errors_log = /srv/www/roundcubemail/logs/errors solidpop3d_log = %(syslog_mail)s ++++++ sfw-fail2ban.conf ++++++ # This drop-in file extends SuSEfirewall2.service to also start # fail2ban.service, and to make sure that fail2ban is only (re)started after # SFW has completed. [Unit] Wants=fail2ban.service Before=fail2ban.service
