Hello community,

here is the log from the commit of package fail2ban for openSUSE:Factory 
checked in at 2016-03-16 10:35:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fail2ban (Old)
 and      /work/SRC/openSUSE:Factory/.fail2ban.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fail2ban"

Changes:
--------
--- /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes        2016-02-17 
12:11:04.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.fail2ban.new/fail2ban.changes   2016-03-16 
10:35:14.000000000 +0100
@@ -1,0 +2,96 @@
+Thu Mar 10 10:58:53 UTC 2016 - [email protected]
+
+- Removed patch: fail2ban-exclude-dev-log-tests.patch
+- Removed patch: 
fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+- rebased other patches
+- Defined services which per default uses systemd logger
+- Provide /usr/sbin/rcfail2ban also on systemd based distros
+
+- All files in /etc/fail2ban/ except jail.local are now automatically replaced
+  upon installation of fail2ban
+
+- The update to this versions allow to close boo#917818, as the 
logger-backends for
+  several services are now centrally set in /etc/fail2ban/paths-opensuse.conf
+
+- Update to version 0.9.4
+  New Features:
+   * New interpolation feature for definition config readers - 
`<known/parameter>`
+     (means last known init definition of filters or actions with name 
`parameter`).
+     This interpolation makes possible to extend a parameters of stock filter 
or 
+     action directly in jail inside jail.local file, without creating a 
separately
+     filter.d/*.local file.
+     As extension to interpolation `%(known/parameter)s`, that does not works 
for
+     filter and action init parameters
+   * New actions:
+     - nftables-multiport and nftables-allports - filtering using nftables
+       framework. Note: it requires a pre-existing chain for the filtering 
rule.
+   * New filters:
+     - openhab - domotic software authentication failure with the
+       rest api and web interface (gh-1223)
+     - nginx-limit-req - ban hosts, that were failed through nginx by limit
+       request processing rate (ngx_http_limit_req_module)
+     - murmur - ban hosts that repeatedly attempt to connect to
+       murmur/mumble-server with an invalid server password or certificate.
+     - haproxy-http-auth - filter to match failed HTTP Authentications against 
a
+       HAProxy server
+   * New jails:
+     - murmur - bans TCP and UDP from the bad host on the default murmur port.
+   * sshd filter got new failregex to match "maximum authentication
+     attempts exceeded" (introduced in openssh 6.8)
+   * Added filter for Mac OS screen sharing (VNC) daemon
+
+  Enhancements:
+   * Do not rotate empty log files
+   * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
+     http://bugs.debian.org/798923
+   * Added openSUSE path configuration (Thanks Johannes Weberhofer)
+   * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
+   * Added a timeout (3 sec) to urlopen within badips.py action
+     (Thanks M. Maraun)
+   * Added check against atacker's Googlebot PTR fake records
+     (Thanks Pablo Rodriguez Fernandez)
+   * Enhance filter against atacker's Googlebot PTR fake records
+     (gh-1226)
+   * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
+   * Added filter for openhab domotic software authentication failure with the
+     rest api and web interface (gh-1223)
+   * Add *_backend options for services to allow distros to set the default
+     backend per service, set default to systemd for Fedora as appropriate
+   * Performance improvements while monitoring large number of files (gh-1265).
+     Use associative array (dict) for monitored log files to speed up lookup 
+     operations. Thanks @kshetragia
+   * Specified that fail2ban is PartOf iptables.service firewalld.service in
+     .service file -- would reload fail2ban if those services are restarted
+   * Provides new default `fail2ban_version` and interpolation variable
+     `fail2ban_agent` in jail.conf
+   * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn 
hostname,
+     and to support multiple instances of postfix having varying suffix 
(gh-1331)
+     (Thanks Tom Hendrikx)
+   * files/gentoo-initd to use start-stop-daemon to robustify restarting the 
service
+
+  Fixes:
+   * roundcube-auth jail typo for logpath
+   * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
+   * filter.d/apache-badbots.conf
+     - Updated useragent string regex adding escape for `+`
+   * filter.d/mysqld-auth.conf
+ gg  - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, 
gh-1332)
+   * filter.d/sshd.conf
+     - Updated "Auth fail" regex for OpenSSH 5.9 and later
+   * Treat failed and killed execution of commands identically (only
+     different log messages), which addresses different behavior on different
+     exit codes of dash and bash (gh-1155)
+   * Fix jail.conf.5 man's section (gh-1226)
+   * Fixed default banaction for allports jails like pam-generic, recidive, etc
+     with new default variable `banaction_allports` (gh-1216)
+   * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
+     for python version < 3.x (gh-1248)
+   * Use postfix_log logpath for postfix-rbl jail
+   * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' 
failregex
+   * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc 
(gh-1271)
+   * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
+   * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
+   * Removed compression and rotation count from logrotate (inherit them from
+     the global logrotate config)
+
+-------------------------------------------------------------------
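
Review bot: the Fixes entry under filter.d/mysqld-auth.conf begins with a stray "gg" before "- Updated "Access denied ..." regex", which looks like an editor slip and should be removed from the changelog. The entry stating that all files in /etc/fail2ban/ except jail.local are replaced on installation also does not say what happens to local edits of the stock files; one sentence pointing administrators to jail.local and *.local overrides would make the behaviour change clear.
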

Old:
----
  fail2ban-0.9.3.tar.gz
  fail2ban-exclude-dev-log-tests.patch
  fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch

New:
----
  fail2ban-0.9.4.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fail2ban.spec ++++++
--- /var/tmp/diff_new_pack.Klnulz/_old  2016-03-16 10:35:15.000000000 +0100
+++ /var/tmp/diff_new_pack.Klnulz/_new  2016-03-16 10:35:15.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           fail2ban
-Version:        0.9.3
+Version:        0.9.4
 Release:        0
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0+
@@ -37,12 +37,8 @@
 Patch100:       fail2ban-opensuse-locations.patch
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch [email protected] 
-- openSUSE modifications to the service file
 Patch101:       fail2ban-opensuse-service.patch
-# PATCH-FIX-UPSTREAM 
fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch 
[email protected] -- fix failing test
-Patch102:       
fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
 # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch 
[email protected] -- disable iptables "-w" option for older releases
 Patch200:       fail2ban-disable-iptables-w-option.patch
-# PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch 
[email protected] -- remove tests that can't work on opensuse < 13.3
-Patch201:       fail2ban-exclude-dev-log-tests.patch
 BuildRequires:  fdupes
 BuildRequires:  logrotate
 BuildRequires:  python-devel
@@ -121,13 +117,9 @@
 
 %patch100 -p1
 %patch101 -p1
-%patch102 -p1
 %if 0%{?suse_version} < 1310
 %patch200 -p1
 %endif
-%if 0%{?suse_version} < 1321
-%patch201 -p1
-%endif
 
 rm     config/paths-debian.conf \
        config/paths-fedora.conf \
@@ -137,6 +129,11 @@
 # correct doc-path
 sed -i -e 's|%{_datadir}/doc/fail2ban|%{_docdir}/%{name}|' setup.py
 
+# remove syslogd-logger settings for older distributions
+%if 0%{?suse_version} < 1230
+sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf
+%endif
+
 %build
 export CFLAGS="%{optflags}"
 python setup.py build
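
Review bot: the comment on the new sed says "remove syslogd-logger settings", but the expression comments out the "*_backend = systemd" lines, i.e. the journal backend settings, for suse_version < 1230; reword the comment to say that. The pattern "^\([^_]*_backend = systemd\)" also matches only option names with no underscore before "_backend", so a later entry whose service name contains an underscore would keep "systemd" on a distribution where this block is meant to disable it; "^\(.*_backend = systemd\)" would cover both.
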
@@ -171,7 +168,7 @@
 install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/
 install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
 
-sed -i -e 's/^backend = auto/backend = systemd/' 
%{buildroot}%{_sysconfdir}/%{name}/paths-opensuse.conf
+ln -sf service %{buildroot}%{_sbindir}/rc%{name}
 
 %else
 # without systemd
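
Review bot: with the sed on "backend = auto" removed, the systemd backend is no longer set globally for systemd builds, so only the services that get a *_backend entry in paths-opensuse.conf read from the journal; please confirm that jails for services outside that list still find their logs, since a jail watching the wrong source bans nothing. The new rc link uses the relative target "service", which resolves inside %{_sbindir}; that holds only while "service" is installed in that directory, so an absolute target would be more robust.
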
@@ -180,6 +177,8 @@
 ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
 %endif
 
+echo "# Do all your modifications to the jail's configuration in jail.local!" 
> %{buildroot}%{_sysconfdir}/%{name}/jail.local
+
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 
 install -d -m 755 %{buildroot}%{_localstatedir}/adm/fillup-templates
@@ -220,7 +219,9 @@
 %post
 %fillup_only
 %if 0%{?suse_version} >= 1230
-systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
+systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf
+# The next line is not workin in Leap 42.1, so keep the old way
+#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf
 %service_add_post %{name}.service
 %endif
 
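Review bot: %post now reads the tmpfiles snippet from %{_tmpfilesdir}, while the %install lines shown earlier in this spec still install it under %{_libexecdir}/tmpfiles.d/; use %{_tmpfilesdir} in both places so the package does not depend on the two macros expanding to the same directory. The added comment has a typo ("workin"), and naming the failure seen with %tmpfiles_create on Leap 42.1 would let the workaround be dropped later.
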
@@ -249,7 +250,22 @@
 
 %files
 %defattr(-, root, root)
-%config(noreplace) %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/%{name}/action.d
+%dir %{_sysconfdir}/%{name}/fail2ban.d
+%dir %{_sysconfdir}/%{name}/filter.d
+%dir %{_sysconfdir}/%{name}/jail.d
+#
+%config %{_sysconfdir}/%{name}/action.d/*
+%config %{_sysconfdir}/%{name}/filter.d/*
+#
+%config %{_sysconfdir}/%{name}/fail2ban.conf
+%config %{_sysconfdir}/%{name}/jail.conf
+%config %{_sysconfdir}/%{name}/paths-common.conf
+%config %{_sysconfdir}/%{name}/paths-opensuse.conf
+#
+%config(noreplace) %{_sysconfdir}/%{name}/jail.local
+#
 %config %{_sysconfdir}/logrotate.d/fail2ban
 %dir %{_localstatedir}/lib/fail2ban/
 %if 0%{?suse_version} > 1310
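
Review bot: local edits to stock files are overwritten on update, because the %config lines for action.d/*, filter.d/*, fail2ban.conf, jail.conf and the paths-*.conf files no longer carry (noreplace); a site that tightened a stock filter or action in place goes back to the packaged rule, with its version left behind as .rpmsave. That matches the changelog, but only jail.local is shipped as the place for changes; consider documenting the *.local overrides for filters, actions and fail2ban.conf as well, and stating that jail.d and fail2ban.d are owned only as %dir so administrator drop-ins there are left alone.
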
@@ -262,12 +278,12 @@
 %if 0%{?suse_version} >= 1230
 # systemd
 %{_unitdir}/%{name}.service
-%{_libexecdir}/tmpfiles.d/%{name}.conf
+%{_tmpfilesdir}/%{name}.conf
 %else
 # without-systemd
 %{_initddir}/%{name}
-%{_sbindir}/rc%{name}
 %endif
+%{_sbindir}/rc%{name}
 %{_bindir}/fail2ban-server
 %{_bindir}/fail2ban-client
 %{_bindir}/fail2ban-regex

++++++ fail2ban-0.9.3.tar.gz -> fail2ban-0.9.4.tar.gz ++++++
++++ 5207 lines of diff (skipped)

++++++ fail2ban-opensuse-locations.patch ++++++
--- /var/tmp/diff_new_pack.Klnulz/_old  2016-03-16 10:35:15.000000000 +0100
+++ /var/tmp/diff_new_pack.Klnulz/_new  2016-03-16 10:35:15.000000000 +0100
@@ -1,16 +1,7 @@
-diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf
---- fail2ban-0.9.3-orig/config/jail.conf       2015-08-01 03:32:13.000000000 
+0200
-+++ fail2ban-0.9.3/config/jail.conf    2015-08-26 14:39:57.561851833 +0200
-@@ -348,7 +348,7 @@
- [roundcube-auth]
- 
- port     = http,https
--logpath  = logpath = %(roundcube_errors_log)s
-+logpath  = %(roundcube_errors_log)s
- 
- 
- [openwebmail]
-@@ -628,7 +628,7 @@
+diff -Nur fail2ban-0.9.4-orig/config/jail.conf fail2ban-0.9.4/config/jail.conf
+--- fail2ban-0.9.4-orig/config/jail.conf       2016-03-08 03:50:10.000000000 
+0100
++++ fail2ban-0.9.4/config/jail.conf    2016-03-10 09:38:46.382071358 +0100
+@@ -669,7 +669,7 @@
  # filter   = named-refused
  # port     = domain,953
  # protocol = udp
@@ -19,7 +10,7 @@
  
  # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  # This jail blocks TCP traffic for DNS requests.
-@@ -636,7 +636,7 @@
+@@ -677,7 +677,7 @@
  [named-refused]
  
  port     = domain,953
@@ -28,12 +19,12 @@
  
  
  [nsd]
-diff -ur fail2ban-0.9.3-orig/config/paths-common.conf 
fail2ban-0.9.3/config/paths-common.conf
---- fail2ban-0.9.3-orig/config/paths-common.conf       2015-08-01 
03:32:13.000000000 +0200
-+++ fail2ban-0.9.3/config/paths-common.conf    2015-08-26 14:40:58.187091888 
+0200
-@@ -62,7 +62,7 @@
- 
+diff -Nur fail2ban-0.9.4-orig/config/paths-common.conf 
fail2ban-0.9.4/config/paths-common.conf
+--- fail2ban-0.9.4-orig/config/paths-common.conf       2016-03-08 
03:50:10.000000000 +0100
++++ fail2ban-0.9.4/config/paths-common.conf    2016-03-10 09:36:00.690852425 
+0100
+@@ -74,7 +74,7 @@
  mysql_log = %(syslog_daemon)s
+ mysql_backend = %(default_backend)s
  
 -roundcube_errors_log = /var/log/roundcube/errors
 +roundcube_errors_log = /srv/www/roundcubemail/logs/errors
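
Review bot: roundcube_errors_log is patched in paths-common.conf to /srv/www/roundcubemail/logs/errors, and paths-opensuse.conf in this same commit sets the identical value; if paths-opensuse.conf is read after paths-common.conf, this part of the patch is redundant and can be dropped, which leaves one hunk fewer to rebase on each release.
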

++++++ fail2ban-opensuse-service.patch ++++++
--- /var/tmp/diff_new_pack.Klnulz/_old  2016-03-16 10:35:15.000000000 +0100
+++ /var/tmp/diff_new_pack.Klnulz/_new  2016-03-16 10:35:15.000000000 +0100
@@ -1,12 +1,14 @@
-diff -ur fail2ban-0.9.2-orig/files/fail2ban.service 
fail2ban-0.9.2/files/fail2ban.service
---- fail2ban-0.9.2-orig/files/fail2ban.service 2015-04-29 05:52:48.000000000 
+0200
-+++ fail2ban-0.9.2/files/fail2ban.service      2015-05-07 10:52:04.187045581 
+0200
-@@ -1,11 +1,12 @@
+diff -Nur fail2ban-0.9.4-orig/files/fail2ban.service 
fail2ban-0.9.4/files/fail2ban.service
+--- fail2ban-0.9.4-orig/files/fail2ban.service 2016-03-08 03:50:10.000000000 
+0100
++++ fail2ban-0.9.4/files/fail2ban.service      2016-03-10 10:33:48.834063007 
+0100
+@@ -1,12 +1,13 @@
  [Unit]
  Description=Fail2Ban Service
  Documentation=man:fail2ban(1)
 -After=network.target iptables.service firewalld.service
+-PartOf=iptables.service firewalld.service
 +After=network.target SuSEfirewall2.service
++PartOf=SuSEfirewall2.service
  
  [Service]
  Type=forking
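
Review bot: hosts that run firewalld or iptables.service lose the restart coupling, because After= and PartOf= now name only SuSEfirewall2.service in place of the upstream units; the 0.9.4 changelog gives reloading fail2ban when those services restart as the reason for PartOf=. Consider adding SuSEfirewall2.service to the upstream list rather than replacing it, so fail2ban is reloaded whichever firewall service is in use.
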

++++++ paths-opensuse.conf ++++++
--- /var/tmp/diff_new_pack.Klnulz/_old  2016-03-16 10:35:16.000000000 +0100
+++ /var/tmp/diff_new_pack.Klnulz/_new  2016-03-16 10:35:16.000000000 +0100
@@ -36,3 +36,15 @@
 roundcube_errors_log = /srv/www/roundcubemail/logs/errors
 
 solidpop3d_log = %(syslog_mail)s
+
+# These services will log to the journal via syslog, so use the journal by
+# default.
+syslog_backend = systemd
+sshd_backend = systemd
+dropbear_backend = systemd
+proftpd_backend = systemd
+pureftpd_backend = systemd
+wuftpd_backend = systemd
+postfix_backend = systemd
+dovecot_backend = systemd
+mysql_backend = systemd

