Summary: Ban IPs that make too many password failures

Name: fail2ban

Version: 0.8.11

Release: 1%{?dist}

License: GPLv2+

Group: System Environment/Daemons

URL: http://fail2ban.sourceforge.net/

Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz

Source1: fail2ban-logrotate

Patch0: fail2ban-0.8.3-init.patch

Patch1: fail2ban-0.8.7.1-sshd.patch

Patch6: fail2ban-log2syslog.patch

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

BuildRequires: python-devel >= 2.3

# For testcases

BuildRequires: python-inotify

BuildArch: noarch

Requires: ed

Requires: iptables

Requires: gamin-python

Requires: python-inotify

%if 0%{?fedora} >= 19

BuildRequires: systemd

Requires(post): systemd

Requires(preun): systemd

Requires(postun): systemd

%else

Requires: initscripts

Requires(post): /sbin/chkconfig

Requires(preun): /sbin/chkconfig

Requires(preun): /sbin/service

%endif

%description

Fail2ban scans log files like /var/log/pwdfail or

/var/log/apache/error_log and bans IP that makes too many password

failures. It updates firewall rules to reject the IP address.

To use the hostsdeny and shorewall actions you must install tcp_wrappers

and shorewall respectively.

%prep

%setup -q

%patch0 -p1 -b .init

%patch1 -p1 -b .sshd

%patch6 -p1 -b .log2syslog

%build

python setup.py build

%install

rm -rf %{buildroot}

python setup.py install -O1 --root %{buildroot}

%if 0%{?fedora} >= 19

mkdir -p %{buildroot}%{_unitdir}

cp -p files/fail2ban.service %{buildroot}%{_unitdir}/

%else

mkdir -p %{buildroot}%{_initddir}

install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban

%endif

mkdir -p %{buildroot}%{_mandir}/man1

install -p -m 644 man/fail2ban*.1 %{buildroot}%{_mandir}/man1

mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d

install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban

install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/

install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/

mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d

install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf

# Remove installed doc, use doc macro instead

rm -r %{buildroot}%{_docdir}/%{name}

# Testcases need network access

#%check

#./fail2ban-testcases

%clean

rm -rf %{buildroot}

%post

%if 0%{?fedora} >= 19

%systemd_post fail2ban.service

%else

/sbin/chkconfig --add %{name}

%endif

%preun

%if 0%{?fedora} >= 19

%systemd_preun fail2ban.service

%else

if [ $1 = 0 ]; then

  /sbin/service %{name} stop > /dev/null 2>&1

  /sbin/chkconfig --del %{name}

fi

%endif

%if 0%{?fedora} >= 19

%postun

%systemd_postun_with_restart fail2ban.service

%endif

%files

%defattr(-,root,root,-)

%doc README.md TODO ChangeLog COPYING doc/*.txt

#doc config/fail2ban.conf*

%{_bindir}/fail2ban-server

%{_bindir}/fail2ban-client

%{_bindir}/fail2ban-regex

%{_datadir}/fail2ban

%if 0%{?fedora} >= 19

%{_unitdir}/fail2ban.service

%else

%{_initddir}/fail2ban

%endif

%{_mandir}/man1/fail2ban*.1*

%dir %{_sysconfdir}/fail2ban

%dir %{_sysconfdir}/fail2ban/action.d

%dir %{_sysconfdir}/fail2ban/filter.d

%config(noreplace) %{_sysconfdir}/fail2ban/fail2ban.conf

%config(noreplace) %{_sysconfdir}/fail2ban/jail.conf

%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf

%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf

%config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban

%dir %{_localstatedir}/run/fail2ban/

%config(noreplace) %{_sysconfdir}/tmpfiles.d/fail2ban.conf

%dir %{_localstatedir}/lib/fail2ban/

%changelog

* Mon Nov 25 2013 Adam Tkac <vonsch@gmail.com> - 0.8.11-1

- update to 0.8.11 (#1034355)

- drop part of the fail2ban-0.8.3-init.patch (merged)

- fail2ban-hostsdeny.patch has been merged

- fail2ban-mailx.patch has been merged

- fail2ban-notmp.patch has been merged

* Wed Aug 28 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.10-3

- Add upstream patch to fix mailx argument ordering (bug #998020)

* Fri Aug 16 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.10-2

- Add upstream patch to fix hostsdeny permission issue

* Wed Jun 12 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.10-1

- Update to 0.8.10 security release

- Use upstream provided systemd files

- Drop upstreamed patches, rebase log2syslog and notmp patches

* Fri Mar 15 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-4

- Use systemd init for Fedora 19+ (bug #883158)

* Thu Feb 14 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-3

- Add patch from upstream to fix module imports (Bug #892365)

- Add patch from upstream to UTF-8 characters in syslog (Bug #905097)

- Drop Requires: tcp_wrappers and shorewall (Bug #781341)

* Fri Jan 18 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-2

- Add patch to prevent sshd blocks of successful logins for systems that use

  sssd or ldap

* Mon Dec 17 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-1

- Update to 0.8.8 (CVE-2012-5642 Bug #887914)

* Thu Oct 11 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.7.1-1

- Update to 0.8.7.1

- Drop fd_cloexec, pyinotify, and examplemail patches fixed upstream

- Rebase sshd and notmp patches

- Use _initddir macro

* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-29

- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-28

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Sat Apr  9 2011 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-27

- Move tmp files to /var/lib (suggested by Phil Anderson).

- Enable inotify support (by Jonathan Underwood).

- Fixes RH bugs #669966, #669965, #551895, #552947, #658849, #656584.

* Sun Feb 14 2010 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-24

- Patch by Jonathan G. Underwood <jonathan.underwood@gmail.com> to

  cloexec another fd leak.

* Fri Sep 11 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-23

- update to 0.8.4.

* Wed Sep  2 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-22

- Update to a newer svn snapshot to fix python 2.6 issue.

* Thu Aug 27 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-21

- Log to syslog (RH bug #491983). Also deals with RH bug #515116.

- Check inodes of log files (RH bug #503852).

* Sat Feb 14 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-18

- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466).

* Mon Dec 01 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 0.8.3-17

- Rebuild for Python 2.6

* Sun Aug 24 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-16

- Update to 0.8.3.

* Wed May 21 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.8.2-15

- fix license tag

* Thu Mar 27 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-14

- Close on exec fixes by Jonathan Underwood.

* Sun Mar 16 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-13

- Add %%{_localstatedir}/run/fail2ban (David Rees).

* Fri Mar 14 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-12

- Update to 0.8.2.

* Thu Jan 31 2008 Jonathan G. Underwood <jonathan.underwood@gmail.com> - 0.8.1-11

- Move socket file from /tmp to /var/run to prevent SElinux from stopping

  fail2ban from starting (BZ #429281)

- Change logic in init file to start with -x to remove the socket file in case

  of unclean shutdown

* Wed Aug 15 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.1-10

- Update to 0.8.1.

- Remove patch fixing CVE-2007-4321 (upstream).

- Remove AllowUsers patch (upstream).

- Add dependency to gamin-python.

* Thu Jun 21 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-9

- Fix remote log injection (no CVE assignment yet).

* Sun Jun  3 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-8

- Also trigger on non-AllowUsers failures (Jonathan Underwood

  <jonathan.underwood@gmail.com>).

* Wed May 23 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-7

- logrotate should restart fail2ban (Zing <zing@fastmail.fm>).

- send mail to root; logrotate (Jonathan Underwood

  <jonathan.underwood@gmail.com>)

* Sat May 19 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-4

- Update to 0.8.0.

- enable ssh by default, fix log file for ssh scanning, adjust python

  dependency (Jonathan Underwood <jonathan.underwood@gmail.com>)

* Sat Dec 30 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-3

- Remove forgotten condrestart.

* Fri Dec 29 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-2

- Move /usr/lib/fail2ban to %%{_datadir}/fail2ban.

- Don't default chkconfig to enabled.

- Add dependencies on service/chkconfig.

- Use example iptables/ssh config as default config.

* Mon Dec 25 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-1

- Initial build.