# Alias the "python" macro to the Python 3 interpreter macro.
%define python %{__python3}

# spec file based on and patches graciously taken from tpg@mandriva
Summary:	Ban IP-addresses that result in too many password failures
Name:		fail2ban
Version:	1.1.0
Release:	%mkrel 1
License:	GPLv2+
Group:		System/Networking
URL:		https://www.fail2ban.org/
# NOTE(review): no detached signature or checksum source is listed for this
# tarball, and the prep section only unpacks and patches it. Confirm that its
# integrity is checked elsewhere in the packaging workflow.
Source0:	https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz
Source2:	%{name}.service
Source3:	%{name}.tmpfiles.conf
# squidf: Mageia-specific log paths; the prep section points jail.conf at this
# file instead of paths-debian.conf
Source4:    paths-mageia.conf
# Sample local jail configuration, installed next to the main configuration
Source5:    jail.local.example
# Give up being PartOf iptables and ipset for now
# https://bugzilla.redhat.com/show_bug.cgi?id=1379141
# https://bugzilla.redhat.com/show_bug.cgi?id=1573185
# squidf: Mageia, unlike Red Hat, does not use firewalld; the conflict is fixed
# by removing firewalld instead.
Patch0:     fail2ban-partof.patch
# squidf: Mageia patches
Patch10:	generate-man.patch
# squidf: richer nginx-botsearch filter
Patch20:    fail2ban-1.0.1-enriched-nginx-botsearch.patch
# squidf: do not give the attacker feedback about the failed request
# (shorewall action)
Patch21:    fail2ban-1.0.1-no-attacker-feedback-shorewall.patch
# squidf: in some cases the server's own IP address can appear in clear on the
# AbuseIPDB website.
# NOTE(review): the patch presumably trims what is reported - confirm against
# the patch itself.
Patch22:    fail2ban-1.0.1-too-much-info-abuseipd.patch

BuildArch:	noarch
BuildRequires:	pkgconfig(python3)
BuildRequires:	pkgconfig(gamin)
BuildRequires:	pkgconfig(sqlite3)
BuildRequires:	systemd-units
BuildRequires:	python3
BuildRequires:	python3dist(dnspython)
BuildRequires:	python3dist(pyinotify)
BuildRequires:	python3dist(coverage)
BuildRequires:	python3-systemd
BuildRequires:	help2man
# A python3_version-based conditional does not work here, so the Mageia
# release number is used as a proxy for "Python 3.12 or later". asyncore
# and asynchat were dropped from cpython core in 3.12; these modules
# make them available again. See:
# https://github.com/fail2ban/fail2ban/issues/3487
# https://bugs.mageia.org/show_bug.cgi?id=32678
%if 0%{?mageia} >= 10
BuildRequires:	python3dist(pyasyncore)
BuildRequires:	python3dist(pyasynchat)
%endif

Requires:	python3
Requires:	tcp_wrappers	>= 7.6-29
Requires:	iptables	>= 1.3.5-3
Requires:	python3-systemd
Requires:       sqlite3-tools
# Same Python 3.12 proxy as for the build requirements above.
%if 0%{?mageia} >= 10
Requires:	python3dist(pyasyncore)
Requires:	python3dist(pyasynchat)
%endif
Requires(post):	systemd >= %{systemd_required_version}
Requires(post):	rpm-helper >= 0.24.8-1
Requires(preun):rpm-helper >= 0.24.8-1
Requires(post):	systemd-units
Requires(preun):systemd-units
# (eatdirt):
# python3-gamin does not exist, and that triggers this bug (100 percent CPU,
# per the changelog): https://github.com/fail2ban/fail2ban/issues/885
Recommends:	python3-gamin
# so python3-pyinotify is recommended as well, as a backup:
Recommends:     python3-pyinotify
Recommends:	python3-dnspython
Recommends:     whois


%description
Fail2Ban scans log files like /var/log/secure and bans IP-addresses that have
too many password failures within a specified time frame. It updates firewall
rules to reject these IP addresses. The rules needed for this can be defined by
the user. Fail2Ban can read multiple log files including sshd and Apache web
server logs.

%prep
# Unpack Source0 and apply every Patch listed in the preamble with -p1.
%autosetup -p1

# squidf: use the Mageia log paths - every reference to paths-debian.conf in
# the shipped jail.conf is rewritten to paths-mageia.conf (Source4).
sed -i 's|paths-debian.conf|paths-mageia.conf|g' ./config/jail.conf

%build
# (tv) fix build: define py3_shbang_opts as empty before the Python build
# macro below runs.
%define py3_shbang_opts %{nil}
%py3_build

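%install
%py3_install

# squidf: ship the Mageia paths file and the sample local jail configuration
install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}
install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/%{name}

# Man pages are data files: give them an explicit 0644 mode instead of the
# executable default that install applies when no mode is given.
install -d %{buildroot}%{_mandir}/man1
install -m 0644 man/*.1 %{buildroot}%{_mandir}/man1/
install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/%{name}.conf

# Runtime and state directories
install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/
install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/

# Remove non-Linux actions
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf

# All here-documents below use a quoted delimiter so that the shell copies
# their text verbatim (the filter patterns contain backslashes and dollar
# signs). RPM macros are still expanded before the shell runs.

# Default backend. The header text no longer mentions a fail2ban-systemd
# sub-package or a meta-package: this spec builds neither.
cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<'EOF'
# This file makes the systemd journal the default backend.
# Override the backend in a .local file if you do not want to use
# the journal backend.
# Services such as Apache or Nginx write their own log files:
# change the backend for them when you activate the filter
# in a separate .local file.
# See the example in 01-nginx.local
[DEFAULT]
backend=systemd
EOF

# squidf: add examples to guide the user

cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/01-ssh.local <<'EOF'
# Example to activate the ssh filter
#  - ban for 1 hour and send email, if a mail agent is installed
# systemd backend is used unless you install the rsyslog package
# Uncomment all lines below to apply
#[sshd]
#enabled = true
#filter = sshd
#bantime = 1h
#action = %%(action_mwl)s
EOF

cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/01-nginx.local <<'EOF'
# Apache, Nginx.. have their own log files
# you need to change the backend in such case
# Example of nginx-botsearch activation
# Uncomment all lines below to apply
#[nginx-botsearch]
#enabled = true
#filter   = nginx-botsearch
#backend = polling
#journalmatch =
#action = %%(action_mwl)s
EOF

# squidf: enrich nginx filters
# NOTE(review): the pattern matches any access-log line that starts with the
# client address and later contains "GET http"; it is not tied to the request
# field. Check it with fail2ban-regex against the local log format before
# enabling a jail that uses it.

cat > %{buildroot}%{_sysconfdir}/%{name}/filter.d/nginx-noproxy.conf <<'EOF'
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
EOF

# squidf: add nextcloud filter
# The option name is spelled "ignoreregex" here; the earlier "ignoreregx"
# spelling is not a fail2ban filter option.
# NOTE(review): both patterns start with an unanchored ".*", and the first
# also has ".*" where the login name is logged, so text chosen by the client
# sits on the same line as the address that gets banned. That is the pattern
# class behind the arbitrary IP-address blocking fixes recorded in the
# changelog (CVE-2013-7176, CVE-2013-7177). Test the filter with
# fail2ban-regex against real Nextcloud log lines and anchor it to the log
# format in use before enabling the jail.

cat > %{buildroot}%{_sysconfdir}/%{name}/filter.d/nextcloud.conf <<'EOF'
[Definition]
failregex = ^.*Login failed: '?.*'? \(Remote IP: '?<HOST>'?\).*$
            ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
ignoreregex =
EOF

cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/01-nextcloud.local <<'EOF'
# For NextCloud server
# Do check logpath below and adjust to your configuration
# Uncomment all lines below to apply
#[nextcloud]
#backend = polling
#journalmatch =
#enabled = true
#port = 80,443
#protocol = tcp
#filter = nextcloud
#logpath = /var/lib/nextcloud/data/nextcloud.log
#maxretry = 4
#bantime = 360
EOF

# Remove installed doc, use doc macro instead
rm -r %{buildroot}%{_docdir}/%{name}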

%post
# Post-install steps for the packaged tmpfiles snippet and service unit.
# NOTE(review): both macros are defined outside this spec (presumably by
# rpm-helper and the systemd packaging macros required above) - confirm what
# they run on install versus upgrade.
%_tmpfilescreate %{name}
%_post_service %{name}

%preun
# NOTE(review): presumably the rpm-helper counterpart that handles the service
# before the package is removed - confirm.
%_preun_service %{name}

%files
%doc ChangeLog README.md TODO DEVELOP FILTERS
%{_unitdir}/%{name}.service
%{_tmpfilesdir}/%{name}.conf
%{_bindir}/%{name}-*
# Every shipped configuration file is marked config(noreplace), including the
# example .local jails generated in the install section.
# NOTE(review): the files installed explicitly in the install section are mode
# 0644. Local overrides that hold secrets (API keys, mail credentials)
# presumably need tighter permissions set by the administrator - confirm.
%config(noreplace) %{_sysconfdir}/%{name}/*.conf
%config(noreplace) %{_sysconfdir}/%{name}/jail.local.example
%config(noreplace) %{_sysconfdir}/%{name}/action.d/*.conf
%config(noreplace) %{_sysconfdir}/%{name}/action.d/*.py*
%config(noreplace) %{_sysconfdir}/%{name}/filter.d/*.conf
%config(noreplace) %{_sysconfdir}/%{name}/jail.d/*.conf
%config(noreplace) %{_sysconfdir}/%{name}/jail.d/*.local
%config(noreplace) %{_sysconfdir}/%{name}/filter.d/ignorecommands/*
%dir %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/%{name}/action.d
%dir %{_sysconfdir}/%{name}/filter.d
%dir %{_sysconfdir}/%{name}/filter.d/ignorecommands
%dir %{_sysconfdir}/%{name}/jail.d
%{_mandir}/man1/*
%{python3_sitelib}/%{name}
%{python3_sitelib}/%{name}*.egg-info
%dir %{_localstatedir}/lib/fail2ban/
# Listed as a ghost directory: the changelog records that the /var/run folder
# is no longer shipped in the package. NOTE(review): it is presumably created
# at runtime from the packaged tmpfiles snippet - confirm.
%ghost %dir %{_localstatedir}/run/fail2ban/
# squidf: exclude the paths files for other operating systems; they would
# otherwise be picked up by the top-level *.conf glob above.
%exclude %{_sysconfdir}/%{name}/paths-arch.conf
%exclude %{_sysconfdir}/%{name}/paths-debian.conf
%exclude %{_sysconfdir}/%{name}/paths-fedora.conf
%exclude %{_sysconfdir}/%{name}/paths-freebsd.conf
%exclude %{_sysconfdir}/%{name}/paths-opensuse.conf
%exclude %{_sysconfdir}/%{name}/paths-osx.conf


%changelog
* Sat Apr 27 2024 kekepower <kekepower> 1.1.0-1.mga10
+ Revision: 2061296
- Update to version 1.1.0

* Mon Jan 01 2024 daviddavid <daviddavid> 1.0.2-3.mga10
+ Revision: 2025361
- require pyasynchat and pyasyncore with Python 3.12+ (mga#32678)

* Wed Dec 20 2023 tv <tv> 1.0.2-2.3.mga10
+ Revision: 2020463
- Rebuild for python 3.12
- No need for ipdns

* Fri Nov 25 2022 squidf <squidf> 1.0.2-1.3.mga9
+ Revision: 1911034
- Keep syslog as default mail log

* Sun Nov 20 2022 squidf <squidf> 1.0.2-1.2.mga9
+ Revision: 1909626
- Add Nextcloud Server filter

* Sun Nov 20 2022 squidf <squidf> 1.0.2-1.1.mga9
+ Revision: 1909307
- Remove configuration files from other OS
- Add nginx-noproxy filter

* Wed Nov 09 2022 squidf <squidf> 1.0.2-1.mga9
+ Revision: 1905000
- New version: 1.0.2
- Fix dovecot-filter regression (mga#30952)

* Sat Oct 01 2022 squidf <squidf> 1.0.1-1.mga9
+ Revision: 1893665
- New version: 1.0.1
- Update patches
- Add Mageia specific configuration files
- Enrich nginx-botsearch filter
- Fix ip info sent by abuseipd command
- Remove shorewall feedback to attacker

* Thu Mar 31 2022 umeabot <umeabot> 0.11.2-5.mga9
+ Revision: 1835768
- Mageia 9 Mass Rebuild

* Tue Feb 22 2022 tv <tv> 0.11.2-4.mga9
+ Revision: 1783002
- Fix building with python-3.10
- Fix building with setuptools-58
- Rebuild for python-3.10

* Mon Sep 20 2021 ns80 <ns80> 0.11.2-3.mga9
+ Revision: 1746052
- add patch from openSUSE for CVE-2021-32749 (mga#29469)

* Fri Mar 26 2021 ovitters <ovitters> 0.11.2-2.mga9
+ Revision: 1710652
- rebuild for Python 3.9

* Tue Nov 24 2020 kekepower <kekepower> 0.11.2-1.mga8
+ Revision: 1648959
- Update to version 0.11.2

* Wed Feb 19 2020 umeabot <umeabot> 0.11.1-2.mga8
+ Revision: 1543164
- Mageia 8 Mass Rebuild

* Thu Jan 16 2020 mokraemer <mokraemer> 0.11.1-1.mga8
+ Revision: 1478175
- Fix file list
- new version 0.11.1

* Sat Sep 21 2019 daviddavid <daviddavid> 0.10.4-3.mga8
+ Revision: 1444213
- rebuild for python3.8

* Sun Jan 06 2019 kekepower <kekepower> 0.10.4-2.mga7
+ Revision: 1350231
- Rebuild for Python 3.7

* Sat Oct 06 2018 daviddavid <daviddavid> 0.10.4-1.mga7
+ Revision: 1318120
- new version: 0.10.4

* Thu Sep 20 2018 umeabot <umeabot> 0.10.3.1-2.mga7
+ Revision: 1278217
- Mageia 7 Mass Rebuild

* Thu Apr 05 2018 kekepower <kekepower> 0.10.3.1-1.mga7
+ Revision: 1215474
- Update to version 0.10.3.1

* Mon Mar 26 2018 kekepower <kekepower> 0.10.2-1.mga7
+ Revision: 1212614
- Update to version 0.10.2

* Sat Aug 05 2017 pterjan <pterjan> 0.9.5-2.mga7
+ Revision: 1135207
- Rebuild for python 3.6

* Wed Sep 21 2016 daviddavid <daviddavid> 0.9.5-1.mga6
+ Revision: 1054841
- new version: 0.9.5

* Thu Jul 14 2016 eatdirt <eatdirt> 0.9.4-2.mga6
+ Revision: 1042040
- Fix 100%%CPU bug, adding python3-pyinotify as Recommends

* Thu Mar 10 2016 daviddavid <daviddavid> 0.9.4-1.mga6
+ Revision: 988686
- new version: 0.9.4
- use new python macros
- update Source URL

* Fri Feb 19 2016 umeabot <umeabot> 0.9.3-2.mga6
+ Revision: 970804
- Mageia 6 Mass Rebuild

* Fri Oct 09 2015 ovitters <ovitters> 0.9.3-1.mga6
+ Revision: 888510
- new version 0.9.3

* Wed Oct 07 2015 ovitters <ovitters> 0.9.2-4.mga6
+ Revision: 887159
- rebuild for new python3

* Mon Aug 31 2015 ovitters <ovitters> 0.9.2-3.mga6
+ Revision: 871653
- require python3-systemd
- various cleanups from Fedora

* Mon Aug 24 2015 ovitters <ovitters> 0.9.2-1.mga6
+ Revision: 869079
- new version 0.9.2

* Wed Oct 15 2014 umeabot <umeabot> 0.8.13-5.mga5
+ Revision: 748693
- Second Mageia 5 Mass Rebuild

* Tue Sep 16 2014 umeabot <umeabot> 0.8.13-4.mga5
+ Revision: 679081
- Mageia 5 Mass Rebuild
+ tv <tv>
- s/uggests:/Recommends:/

* Sat May 31 2014 pterjan <pterjan> 0.8.13-3.mga5
+ Revision: 628174
- Rebuild for new Python

* Thu Apr 10 2014 remmy <remmy> 0.8.13-2.mga5
+ Revision: 613268
- Paths update for apache logfiles (mga#10617)
- Security fixes (mga#11569) for CVE-2013-7176 (postfix arbitrary IP-address
  blocking) and CVE-2013-7177 (cyrus-imap arbitrary IP-address blocking)

* Tue Oct 22 2013 umeabot <umeabot> 0.8.10-3.mga4
+ Revision: 542575
- Mageia 4 Mass Rebuild

* Mon Oct 14 2013 pterjan <pterjan> 0.8.10-2.mga4
+ Revision: 497749
- Rebuild to add different pythonegg provides for python 2 and 3

* Wed Jun 19 2013 remmy <remmy> 0.8.10-1.mga4
+ Revision: 444901
- New upstream version, also fixing a DoS vulnerability

* Tue Mar 26 2013 colin <colin> 0.8.8-6.mga3
+ Revision: 405410
- Require syslog-daemon (as basesystem doesn't technically need one now) mga#8028

* Sun Mar 24 2013 colin <colin> 0.8.8-5.mga3
+ Revision: 404859
- Add systemd requires and general post/pre fixes (mga#9302)

* Tue Jan 22 2013 fwang <fwang> 0.8.8-4.mga3
+ Revision: 390855
- update rpm group

* Sat Jan 12 2013 colin <colin> 0.8.8-3.mga3
+ Revision: 358973
- Tidy up tmpfiles support (don't ship /var/run folder in package)

* Fri Jan 11 2013 umeabot <umeabot> 0.8.8-2.mga3
+ Revision: 350037
- Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild

* Sat Dec 29 2012 remmy <remmy> 0.8.8-1.mga3
+ Revision: 336004
- New upstream version: 0.8.8

* Fri Nov 23 2012 remmy <remmy> 0.8.7.1-3.mga3
+ Revision: 321218
- Remove init script, create systemd style tmpfile

* Sun Nov 11 2012 remmy <remmy> 0.8.7.1-2.mga3
+ Revision: 316938
- Create tmpfile on install, enabling fail2ban to start (closes mga#7871)

* Sat Aug 11 2012 remmy <remmy> 0.8.7.1-1.mga3
+ Revision: 280516
- New upstream version: 0.8.7.1

* Sat Apr 28 2012 tmb <tmb> 0.8.6-2.mga2
+ Revision: 233693
- Require rpm-helper >= 0.24.8-1 for systemd support

* Wed Mar 07 2012 remmy <remmy> 0.8.6-1.mga2
+ Revision: 221223
- Drop unneeded patches
- Provide systemd .service file
- Log to SYSLOG by default
- Moved to upstream release 0.8.6

* Wed May 04 2011 saispo <saispo> 0.8.4-5.mga1
+ Revision: 94760
- Add missing patch
- Fix fail2ban with running file in /tmp, see bug #908

* Sun Feb 20 2011 eandry <eandry> 0.8.4-4.mga1
+ Revision: 54755
- remove buildroot
- bump for upgrade
- imported package fail2ban