Summary: Ban IPs that make too many password failures
Name: fail2ban
Version: 0.9.2
Release: 1%{?dist}
License: GPLv2+
URL: http://fail2ban.sourceforge.net/
Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
BuildRequires: python2-devel
# For testcases
BuildRequires: python-inotify
BuildArch: noarch
Requires: ed
Requires: ipset
Requires: iptables
Requires: gamin-python
Requires: python-inotify
%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
BuildRequires: systemd
Requires: systemd-python
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%else
Requires: initscripts
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
%endif

%description
Fail2ban scans log files like /var/log/pwdfail or
/var/log/apache/error_log and bans IPs that make too many password
failures. It updates firewall rules to reject the IP address.

To use the hostsdeny and shorewall actions you must install tcp_wrappers
and shorewall respectively.

%prep
%setup -q
# Use Fedora paths
sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
# Start after firewalld (https://bugzilla.redhat.com/show_bug.cgi?id=1067147)
sed -i -e '/^After=/s/$/ firewalld.service/' files/fail2ban.service

%build
python setup.py build

%install
python setup.py install -O1 --root %{buildroot}
# Do not load user paths
# https://bugzilla.redhat.com/show_bug.cgi?id=1202151
sed -i -e '1s/python$/python -Es/' %{buildroot}%{_bindir}/fail2ban-{client,server}
%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
mkdir -p %{buildroot}%{_unitdir}
cp -p files/fail2ban.service %{buildroot}%{_unitdir}/
%else
mkdir -p %{buildroot}%{_initddir}
install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban
%endif
mkdir -p %{buildroot}%{_mandir}/man{1,5}
install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/
install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf
# Remove non-Linux actions
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf
# Remove installed doc, use doc macro instead
rm -r %{buildroot}%{_docdir}/%{name}

%check
# Need a UTF-8 locale to work
export LANG=en_US.UTF-8
./fail2ban-testcases-all --no-network

%post
%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
%systemd_post fail2ban.service
%else
/sbin/chkconfig --add %{name}
%endif

%preun
%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
%systemd_preun fail2ban.service
%else
if [ $1 = 0 ]; then
  /sbin/service %{name} stop > /dev/null 2>&1
  /sbin/chkconfig --del %{name}
fi
%endif

%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
%postun
%systemd_postun_with_restart fail2ban.service
%endif

%files
%doc README.md TODO ChangeLog COPYING doc/*.txt
%{_bindir}/fail2ban-server
%{_bindir}/fail2ban-client
%{_bindir}/fail2ban-regex
%{_bindir}/fail2ban-testcases
%{python_sitelib}/*
%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
%{_unitdir}/fail2ban.service
%else
%{_initddir}/fail2ban
%endif
%{_mandir}/man1/fail2ban*.1*
%{_mandir}/man5/*.5*
%config(noreplace) %{_sysconfdir}/fail2ban
%config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
%config(noreplace) %{_sysconfdir}/tmpfiles.d/fail2ban.conf
%dir %{_localstatedir}/lib/fail2ban/
%dir %{_localstatedir}/run/fail2ban/

%changelog
* Wed May 20 2015 Orion Poplawski - 0.9.2-1
- Add requires ipset
- Do not load user paths (bug #1202151)
- Remove non-Linux actions
- Run tests

* Mon May 18 2015 Orion Poplawski - 0.9.2-1
- Update to 0.9.2

* Fri Nov 28 2014 Orion Poplawski - 0.9.1-1
- Update to 0.9.1 (bug #1169024)
- Fix php-url-fopen logpath (bug #1169026)

* Tue Mar 18 2014 Orion Poplawski - 0.9-2
- Use Fedora paths
- Start after firewalld (bug #1067147)

* Mon Mar 17 2014 Orion Poplawski - 0.9-1
- Update to 0.9

* Tue Sep 24 2013 Orion Poplawski - 0.9-0.3.git1f1a561
- Update to current 0.9 git branch
- Rebase init patch, drop jail.d and notmp patch applied upstream

* Fri Aug 9 2013 Orion Poplawski - 0.9-0.2.gitd529151
- Ship jail.conf(5) man page
- Ship empty /etc/fail2ban/jail.d directory

* Thu Aug 8 2013 Orion Poplawski - 0.9-0.1.gitd529151
- Update to 0.9 git branch
- Rebase patches
- Require systemd-python for journal support

* Sat Aug 03 2013 Fedora Release Engineering - 0.8.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Wed Jun 12 2013 Orion Poplawski - 0.8.10-1
- Update to 0.8.10 security release
- Use upstream provided systemd files
- Drop upstreamed patches, rebase log2syslog and notmp patches

* Fri Mar 15 2013 Orion Poplawski - 0.8.8-4
- Use systemd init for Fedora 19+ (bug #883158)

* Thu Feb 14 2013 Orion Poplawski - 0.8.8-3
- Add patch from upstream to fix module imports (Bug #892365)
- Add patch from upstream to UTF-8 characters in syslog (Bug #905097)
- Drop Requires: tcp_wrappers and shorewall (Bug #781341)

* Fri Jan 18 2013 Orion Poplawski - 0.8.8-2
- Add patch to prevent sshd blocks of successful logins for systems that use
  sssd or ldap

* Mon Dec 17 2012 Orion Poplawski - 0.8.8-1
- Update to 0.8.8 (CVE-2012-5642 Bug #887914)

* Thu Oct 11 2012 Orion Poplawski - 0.8.7.1-1
- Update to 0.8.7.1
- Drop fd_cloexec, pyinotify, and examplemail patches fixed upstream
- Rebase sshd and notmp patches
- Use _initddir macro

* Thu Jul 19 2012 Fedora Release Engineering - 0.8.4-29
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Fri Jan 13 2012 Fedora Release Engineering - 0.8.4-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Sat Apr 9 2011 Axel Thimm - 0.8.4-27
- Move tmp files to /var/lib (suggested by Phil Anderson).
- Enable inotify support (by Jonathan Underwood).
- Fixes RH bugs #669966, #669965, #551895, #552947, #658849, #656584.

* Sun Feb 14 2010 Axel Thimm - 0.8.4-24
- Patch by Jonathan G. Underwood to cloexec another fd leak.

* Fri Sep 11 2009 Axel Thimm - 0.8.4-23
- update to 0.8.4.

* Wed Sep 2 2009 Axel Thimm - 0.8.3-22
- Update to a newer svn snapshot to fix python 2.6 issue.

* Thu Aug 27 2009 Axel Thimm - 0.8.3-21
- Log to syslog (RH bug #491983). Also deals with RH bug #515116.
- Check inodes of log files (RH bug #503852).

* Sat Feb 14 2009 Axel Thimm - 0.8.3-18
- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466).

* Mon Dec 01 2008 Ignacio Vazquez-Abrams - 0.8.3-17
- Rebuild for Python 2.6

* Sun Aug 24 2008 Axel Thimm - 0.8.3-16
- Update to 0.8.3.

* Wed May 21 2008 Tom "spot" Callaway - 0.8.2-15
- fix license tag

* Thu Mar 27 2008 Axel Thimm - 0.8.2-14
- Close on exec fixes by Jonathan Underwood.

* Sun Mar 16 2008 Axel Thimm - 0.8.2-13
- Add %%{_localstatedir}/run/fail2ban (David Rees).

* Fri Mar 14 2008 Axel Thimm - 0.8.2-12
- Update to 0.8.2.

* Thu Jan 31 2008 Jonathan G. Underwood - 0.8.1-11
- Move socket file from /tmp to /var/run to prevent SELinux from stopping
  fail2ban from starting (BZ #429281)
- Change logic in init file to start with -x to remove the socket file in case
  of unclean shutdown

* Wed Aug 15 2007 Axel Thimm - 0.8.1-10
- Update to 0.8.1.
- Remove patch fixing CVE-2007-4321 (upstream).
- Remove AllowUsers patch (upstream).
- Add dependency to gamin-python.

* Thu Jun 21 2007 Axel Thimm - 0.8.0-9
- Fix remote log injection (no CVE assignment yet).

* Sun Jun 3 2007 Axel Thimm - 0.8.0-8
- Also trigger on non-AllowUsers failures (Jonathan Underwood).

* Wed May 23 2007 Axel Thimm - 0.8.0-7
- logrotate should restart fail2ban (Zing).
- send mail to root; logrotate (Jonathan Underwood)

* Sat May 19 2007 Axel Thimm - 0.8.0-4
- Update to 0.8.0.
- enable ssh by default, fix log file for ssh scanning, adjust python
  dependency (Jonathan Underwood)

* Sat Dec 30 2006 Axel Thimm - 0.6.2-3
- Remove forgotten condrestart.

* Fri Dec 29 2006 Axel Thimm - 0.6.2-2
- Move /usr/lib/fail2ban to %%{_datadir}/fail2ban.
- Don't default chkconfig to enabled.
- Add dependencies on service/chkconfig.
- Use example iptables/ssh config as default config.

* Mon Dec 25 2006 Axel Thimm - 0.6.2-1
- Initial build.