[packages/fail2ban] - updated default config files from git

adwol adwol at pld-linux.org
Mon Aug 19 04:31:37 CEST 2024


commit 713c5272865afc7917087e6a68dc0db6dfe1e6b8
Author: Adam Osuchowski <adwol at pld-linux.org>
Date:   Mon Aug 19 02:48:34 2024 +0200

    - updated default config files from git

 fail2ban-config_from_git.patch | 303 +++++++++++++++++++++++++++++++++++++++++
 fail2ban.spec                  |   2 +
 2 files changed, 305 insertions(+)
---
diff --git a/fail2ban.spec b/fail2ban.spec
index 270dc49..cad2547 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -12,6 +12,7 @@ Source2:	%{name}.logrotate
 Source3:	paths-pld.conf
 Source4:	%{name}.sysconfig
 Patch0:		logifiles.patch
+Patch1:		%{name}-config_from_git.patch
 URL:		http://fail2ban.sourceforge.net/
 BuildRequires:	python3-devel
 BuildRequires:	python3-modules
@@ -42,6 +43,7 @@ z sshd czy plikami logów serwera WWW Apache.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 rm setup.cfg
 
 sed -E -i -e '1s,#!\s*/usr/bin/env\s+python2(\s|$),#!%{__python3}\1,' -e '1s,#!\s*/usr/bin/env\s+python(\s|$),#!%{__python3}\1,' -e '1s,#!\s*/usr/bin/python(\s|$),#!%{__python3}\1,' \
diff --git a/fail2ban-config_from_git.patch b/fail2ban-config_from_git.patch
new file mode 100644
index 0000000..b723386
--- /dev/null
+++ b/fail2ban-config_from_git.patch
@@ -0,0 +1,303 @@
+diff -ruN fail2ban-1.1.0/config/action.d/abuseipdb.conf fail2ban/config/action.d/abuseipdb.conf
+--- fail2ban-1.1.0/config/action.d/abuseipdb.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/action.d/abuseipdb.conf	2024-08-19 02:14:22.317805596 +0200
+@@ -80,7 +80,7 @@
+ #          use my (Shaun's) helper PHP script by commenting out the first #actionban
+ #          line below, uncommenting the second one, and pointing the URL at
+ #          wherever you install the helper script. For the PHP helper script, see
+-#          <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
++#          <https://github.com/parseword/fail2ban-abuseipdb/>
+ #
+ # Tags:    See jail.conf(5) man page
+ # Values:  CMD
+diff -ruN fail2ban-1.1.0/config/action.d/blocklist_de.conf fail2ban/config/action.d/blocklist_de.conf
+--- fail2ban-1.1.0/config/action.d/blocklist_de.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/action.d/blocklist_de.conf	2024-08-19 02:14:22.317805596 +0200
+@@ -30,6 +30,9 @@
+ 
+ [Definition]
+ 
++# bypass reporting of restored (already reported) tickets:
++norestored = 1
++
+ # Option:  actionstart
+ # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+ # Values:  CMD
+diff -ruN fail2ban-1.1.0/config/action.d/firewallcmd-ipset.conf fail2ban/config/action.d/firewallcmd-ipset.conf
+--- fail2ban-1.1.0/config/action.d/firewallcmd-ipset.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/action.d/firewallcmd-ipset.conf	2024-08-19 02:14:22.318805609 +0200
+@@ -18,24 +18,24 @@
+ 
+ [Definition]
+ 
+-actionstart = <ipstype_<ipsettype>/actionstart>
++actionstart = <ipsbackend_<ipsetbackend>/actionstart>
+               firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
+ 
+-actionflush = <ipstype_<ipsettype>/actionflush>
++actionflush = <ipsbackend_<ipsetbackend>/actionflush>
+ 
+ actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
+              <actionflush>
+-             <ipstype_<ipsettype>/actionstop>
++             <ipsbackend_<ipsetbackend>/actionstop>
+ 
+-actionban = <ipstype_<ipsettype>/actionban>
++actionban = <ipsbackend_<ipsetbackend>/actionban>
+ 
+ # actionprolong = %(actionban)s
+ 
+-actionunban = <ipstype_<ipsettype>/actionunban>
++actionunban = <ipsbackend_<ipsetbackend>/actionunban>
+ 
+-[ipstype_ipset]
++[ipsbackend_ipset]
+ 
+-actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> maxelem <maxelem> <familyopt>
++actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
+ 
+ actionflush = ipset flush <ipmset>
+ 
+@@ -45,9 +45,9 @@
+ 
+ actionunban = ipset -exist del <ipmset> <ip>
+ 
+-[ipstype_firewalld]
++[ipsbackend_firewalld]
+ 
+-actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> --option=maxelem=<maxelem> <firewalld_familyopt>
++actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=<ipsettype> --option=timeout=<default-ipsettime> --option=maxelem=<maxelem> <firewalld_familyopt>
+ 
+ # TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
+ actionflush = 
+@@ -60,6 +60,11 @@
+ 
+ [Init]
+ 
++# Option: ipsettype
++# Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
++# Values: hash:ip, hash:net, etc... Default: hash:ip
++ipsettype = hash:ip
++
+ # Option:  chain
+ # Notes    specifies the iptables chain to which the fail2ban rules should be
+ #          added
+@@ -87,11 +92,11 @@
+ # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+ timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
+ 
+-# Option: ipsettype
+-# Notes.: defines type of ipset used for match-set (firewalld or ipset)
++# Option: ipsetbackend
++# Notes.: defines the backend of ipset used for match-set (firewalld or ipset)
+ # Values: firewalld or ipset
+ # Default: ipset
+-ipsettype = ipset
++ipsetbackend = ipset
+ 
+ # Option: actiontype
+ # Notes.: defines additions to the blocking rule
+diff -ruN fail2ban-1.1.0/config/action.d/firewallcmd-rich-rules.conf fail2ban/config/action.d/firewallcmd-rich-rules.conf
+--- fail2ban-1.1.0/config/action.d/firewallcmd-rich-rules.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/action.d/firewallcmd-rich-rules.conf	2024-08-19 02:14:22.318805609 +0200
+@@ -35,7 +35,7 @@
+ #
+ # Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp 
+ 
+-fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
++fwcmd_rich_rule = rule family=\"<family>\" source address=\"<ip>\" port port=\"$p\" protocol=\"<protocol>\" %(rich-suffix)s
+ 
+ actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
+ 	   
+diff -ruN fail2ban-1.1.0/config/action.d/iptables-ipset.conf fail2ban/config/action.d/iptables-ipset.conf
+--- fail2ban-1.1.0/config/action.d/iptables-ipset.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/action.d/iptables-ipset.conf	2024-08-19 02:14:22.319805622 +0200
+@@ -24,7 +24,7 @@
+ # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+ # Values:  CMD
+ #
+-actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> maxelem <maxelem> <familyopt>
++actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
+               <_ipt_add_rules>
+ 
+ # Option:  actionflush
+@@ -66,6 +66,11 @@
+ 
+ [Init]
+ 
++# Option: ipsettype
++# Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
++# Values: hash:ip, hash:net, etc... Default: hash:ip
++ipsettype = hash:ip
++
+ # Option: default-ipsettime
+ # Notes:  specifies default timeout in seconds (handled default ipset timeout only)
+ # Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
+diff -ruN fail2ban-1.1.0/config/action.d/shorewall-ipset-proto6.conf fail2ban/config/action.d/shorewall-ipset-proto6.conf
+--- fail2ban-1.1.0/config/action.d/shorewall-ipset-proto6.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/action.d/shorewall-ipset-proto6.conf	2024-08-19 02:14:22.320805635 +0200
+@@ -51,7 +51,7 @@
+ # Values:  CMD
+ #
+ actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
+-              then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-ipsettime> maxelem <maxelem>;
++              then ipset -quiet -exist create f2b-<name> <ipsettype> timeout <default-ipsettime> maxelem <maxelem>;
+               fi
+ 
+ # Option:  actionstop
+@@ -94,6 +94,11 @@
+ 
+ [Init]
+ 
++# Option: ipsettype
++# Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
++# Values: hash:ip, hash:net, etc... Default: hash:ip
++ipsettype = hash:ip
++
+ # Option: maxelem
+ # Notes:  maximal number of elements which can be stored in the ipset
+ #         You may want to increase this for long-duration/high-volume jails
+diff -ruN fail2ban-1.1.0/config/filter.d/apache-overflows.conf fail2ban/config/filter.d/apache-overflows.conf
+--- fail2ban-1.1.0/config/filter.d/apache-overflows.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/filter.d/apache-overflows.conf	2024-08-19 02:14:22.321805648 +0200
+@@ -8,7 +8,7 @@
+ 
+ [Definition]
+ 
+-failregex = ^%(_apache_error_client)s (?:(?:AH001[23][456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
++failregex = ^%(_apache_error_client)s (?:(?:AH(?:001[23][456]|10244): )?[Ii]nvalid (method|URI)\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
+ 
+ ignoreregex =
+ 
+diff -ruN fail2ban-1.1.0/config/filter.d/postfix.conf fail2ban/config/filter.d/postfix.conf
+--- fail2ban-1.1.0/config/filter.d/postfix.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/filter.d/postfix.conf	2024-08-19 02:14:22.324805688 +0200
+@@ -12,7 +12,7 @@
+ 
+ _daemon = postfix(-\w+)?/[^/\[:\s]+(?:/smtp[ds])?
+ _port = (?::\d+)?
+-_pref = [A-Z]{4}
++_pref = [A-Z]{4,}
+ 
+ prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
+ 
+diff -ruN fail2ban-1.1.0/config/filter.d/proxmox.conf fail2ban/config/filter.d/proxmox.conf
+--- fail2ban-1.1.0/config/filter.d/proxmox.conf	1970-01-01 01:00:00.000000000 +0100
++++ fail2ban/config/filter.d/proxmox.conf	2024-08-19 02:14:22.324805688 +0200
+@@ -0,0 +1,20 @@
++# Fail2Ban filter for Proxmox Web GUI
++#
++# Jail example:
++#    [proxmox]
++#    enabled = true
++#    port = https,http,8006
++#    filter = proxmox
++#    logpath = /var/log/daemon.log
++#    maxretry = 3
++#    # 1 hour
++#    bantime = 3600
++
++[Definition]
++
++_daemon = pvedaemon
++
++failregex = ^\s*\S+ %(_daemon)s\[\d+\]: authentication failure; rhost=<ADDR> user=<F-USER>\S+</F-USER>
++
++ignoreregex =
++
+diff -ruN fail2ban-1.1.0/config/filter.d/recidive.conf fail2ban/config/filter.d/recidive.conf
+--- fail2ban-1.1.0/config/filter.d/recidive.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/filter.d/recidive.conf	2024-08-19 02:14:22.324805688 +0200
+@@ -24,14 +24,15 @@
+ _daemon = (?:fail2ban(?:-server|\.actions)\s*)
+ 
+ # The name of the jail that this filter is used for. In jail.conf, name the jail using
+-# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`
+-_jailname = recidive
++# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`,
++# default all jails excepting recidive
++_jailname = (?!recidive\])[^\]]*
+ 
+-failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
++failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[<_jailname>\]\s+Ban\s+<HOST>
+ 
+ [lt_short]
+ _daemon = (?:fail2ban(?:-server|\.actions)?\s*)
+-failregex = ^%(__prefix_line)s(?:\s*fail2ban(?:\.actions)?\s*%(__pid_re)s?:\s+)?(?:NOTICE\s+)?\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
++failregex = ^%(__prefix_line)s(?:\s*fail2ban(?:\.actions)?\s*%(__pid_re)s?:\s+)?(?:NOTICE\s+)?\[<_jailname>\]\s+Ban\s+<HOST>
+ 
+ [lt_journal]
+ _daemon = <lt_short/_daemon>
+diff -ruN fail2ban-1.1.0/config/filter.d/roundcube-auth.conf fail2ban/config/filter.d/roundcube-auth.conf
+--- fail2ban-1.1.0/config/filter.d/roundcube-auth.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/filter.d/roundcube-auth.conf	2024-08-19 02:14:22.324805688 +0200
+@@ -13,10 +13,9 @@
+ 
+ [Definition]
+ 
+-prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
++prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: (?:<[\w]+> )?<F-CONTENT>.+</F-CONTENT>$
+ 
+-failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
+-            ^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
++failregex = ^(?:Login failed|(?i:Failed) login) for <F-USER>(?:(?P<simple>\S+)|.*)</F-USER> (?:against \S+ )?from <ADDR>(?:(?:\([^\)]*\))?\.(?! from ) (?(simple)(?:\S+(?! from ) )*|(?:(?! from ).)*(?: user=(?P=user))? )in \S+\.php on line \d+| in session \w+)?(?: \([^\)]*\))?$
+ 
+ ignoreregex = 
+ 
+diff -ruN fail2ban-1.1.0/config/filter.d/sshd.conf fail2ban/config/filter.d/sshd.conf
+--- fail2ban-1.1.0/config/filter.d/sshd.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/filter.d/sshd.conf	2024-08-19 02:14:22.325805701 +0200
+@@ -16,7 +16,7 @@
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
+@@ -126,7 +126,7 @@
+ 
+ maxlines = 1
+ 
+-journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
+ 
+ # DEV Notes:
+ #
+diff -ruN fail2ban-1.1.0/config/jail.conf fail2ban/config/jail.conf
+--- fail2ban-1.1.0/config/jail.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/jail.conf	2024-08-19 02:14:22.326805714 +0200
+@@ -205,8 +205,8 @@
+ # iptables-multiport, shorewall, etc) It is used to define
+ # action_* variables. Can be overridden globally or per
+ # section within jail.local file
+-banaction = iptables-multiport
+-banaction_allports = iptables-allports
++#banaction = iptables-multiport
++#banaction_allports = iptables-allports
+ 
+ # The simplest action to take: ban only
+ action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+@@ -990,3 +990,6 @@
+ port    = 1080
+ logpath = %(syslog_daemon)s
+ 
++[proxmox]
++port = https,http,8006
++logpath = /var/log/daemon.log
+diff -ruN fail2ban-1.1.0/config/paths-debian.conf fail2ban/config/paths-debian.conf
+--- fail2ban-1.1.0/config/paths-debian.conf	2024-04-25 23:08:13.000000000 +0200
++++ fail2ban/config/paths-debian.conf	2024-08-19 02:14:22.326805714 +0200
+@@ -9,6 +9,11 @@
+ 
+ [DEFAULT]
+ 
++banaction = nftables
++banaction_allports = nftables[type=allports]
++
++sshd_backend = systemd
++
+ syslog_mail = /var/log/mail.log
+ 
+ # control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).
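Review bot: The embedded jail.conf hunk comments out `banaction` and `banaction_allports`, and the only replacement definition visible in this patch is the one added to paths-debian.conf, whereas the spec ships paths-pld.conf (Source3), which this commit does not touch. Unless paths-pld.conf or paths-common.conf already defines both options, `%(banaction)s` in `action_` will presumably fail to interpolate on PLD, so jails would refuse to load or run without a ban action. I would add `banaction = iptables-multiport` and `banaction_allports = iptables-allports` to the `[DEFAULT]` section of paths-pld.conf, keeping the previous defaults, or the nftables pair if that is the intended PLD default. The resulting package configuration can be checked with `fail2ban-client -t` before release.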
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/fail2ban.git/commitdiff/713c5272865afc7917087e6a68dc0db6dfe1e6b8


