guix_mirror_bot pushed a commit to branch master
in repository guix.
commit 6a57156e9746982f9cd491c6d90715b0d8662014
Author: Maxim Cournoyer <ma...@guixotic.coop>
AuthorDate: Tue Sep 23 21:23:48 2025 +0900
gnu: fail2ban: Apply patch to fix sshd jail filter.
Recent OpenSSH uses an 'sshd-session' instead of 'sshd' binary name.
* gnu/packages/patches/fail2ban-fix-sshd-filter.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/admin.scm (fail2ban): Apply it.
Change-Id: I1f46e6768f4e04e97a8fcec189de45c2f1c26e1e
---
gnu/local.mk | 1 +
gnu/packages/admin.scm | 3 +-
.../patches/fail2ban-fix-sshd-filter.patch | 96 ++++++++++++++++++++++
3 files changed, 99 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 6ea7ca806c..66555c332e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1244,6 +1244,7 @@ dist_patch_DATA =
\
%D%/packages/patches/exercism-disable-self-update.patch \
%D%/packages/patches/extempore-unbundle-external-dependencies.patch \
%D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
+ %D%/packages/patches/fail2ban-fix-sshd-filter.patch \
%D%/packages/patches/fail2ban-paths-guix-conf.patch \
%D%/packages/patches/faiss-tests-CMakeLists-find-googletest.patch \
%D%/packages/patches/falcosecurity-libs-shared-build.patch \
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index fb38a5349e..2a6a490d25 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -6242,7 +6242,8 @@ alias cysdig=sudo csysdig --modern-bpf
'("paths-arch.conf" "paths-debian.conf"
"paths-fedora.conf" "paths-freebsd.conf"
"paths-opensuse.conf" "paths-osx.conf")))))
- (patches (search-patches "fail2ban-paths-guix-conf.patch"))))
+ (patches (search-patches "fail2ban-fix-sshd-filter.patch"
+ "fail2ban-paths-guix-conf.patch"))))
(build-system pyproject-build-system)
(arguments
(list
diff --git a/gnu/packages/patches/fail2ban-fix-sshd-filter.patch
b/gnu/packages/patches/fail2ban-fix-sshd-filter.patch
new file mode 100644
index 0000000000..14ea5db076
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-fix-sshd-filter.patch
@@ -0,0 +1,96 @@
+Retrieved from
https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch
+With ChangeLog hunk removed since it would not apply cleanly.
+
+From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001
+From: Fabian Dellwing <fabian.dellw...@mbconnectline.de>
+Date: Tue, 2 Jul 2024 07:54:15 +0200
+Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index 1c8a02deb5..a1fd749aed 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+
+ [DEFAULT]
+
+-_daemon = sshd
++_daemon = (?:sshd(?:-session)?)
+
+ # optional prefix (logged from several ssh versions) like "error: ", "error:
PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+
+From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.bres...@sebres.de>
+Date: Wed, 3 Jul 2024 19:09:28 +0200
+Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782
+
+---
+ fail2ban/tests/files/logs/sshd | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
+index ed54ded4d4..7d3948ed80 100644
+--- a/fail2ban/tests/files/logs/sshd
++++ b/fail2ban/tests/files/logs/sshd
+@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for
invalid user ROOT from aa
+ # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host":
"aaaa:bbbb:cccc:1234::1:1" }
+ Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from
aaaa:bbbb:cccc:1234::1:1
+
++# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host":
"192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" }
++Jul 3 14:59:17 host sshd-session[1571]: Failed password for root from
192.0.2.1 port 56502 ssh2
++
+ #3
+ # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host":
"1.2.3.4" }
+ Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+
+From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.bres...@sebres.de>
+Date: Wed, 3 Jul 2024 19:33:39 +0200
+Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new
+ sshd-session log format
+
+---
+ fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+index ad8adeb69f..14256ba68c 100644
+--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
++++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf
+
+ [DEFAULT]
+
+-_daemon = sshd
++_daemon = sshd(?:-session)?
+
+ # optional prefix (logged from several ssh versions) like "error: ", "error:
PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+
+From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.bres...@sebres.de>
+Date: Wed, 3 Jul 2024 19:35:28 +0200
+Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon)
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index a1fd749aed..3a84b1ba52 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+
+ [DEFAULT]
+
+-_daemon = (?:sshd(?:-session)?)
++_daemon = sshd(?:-session)?
+
+ # optional prefix (logged from several ssh versions) like "error: ", "error:
PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
