added upstream patches to fix ipv6 support with ufw (see https://github.com/fail2ban/fail2ban/issues/2331 ) [release 0.11.2-3mamba;Sat May 29 2021]

This commit is contained in:
Silvan Calarco 2024-01-05 22:12:44 +01:00
parent 6659c36a33
commit c836039d3b
4 changed files with 156 additions and 4 deletions


@ -0,0 +1,37 @@
From 5debaa4cac2723fa863ede9ed32c19cc82c71786 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <serg.brester@sebres.de>
Date: Thu, 6 May 2021 20:23:58 +0200
Subject: [PATCH] option "add", can be set to "insert <num>" instead of prepend
(customization or backwards compat)
---
config/action.d/ufw.conf | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
index b47fa7e77..bf06fe679 100644
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@@ -19,9 +19,9 @@ actioncheck =
actionban = if [ -n "<application>" ] && ufw app info "<application>"
then
- ufw prepend <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
+ ufw <add> <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
else
- ufw prepend <blocktype> from <ip> to <destination> comment "<comment>"
+ ufw <add> <blocktype> from <ip> to <destination> comment "<comment>"
fi
ss -K dst [<ip>]
@@ -33,6 +33,10 @@ actionunban = if [ -n "<application>" ] && ufw app info "<application>"
fi
[Init]
+# Option: add
+# Notes.: can be set to "insert 1" to insert a rule at certain position (here 1):
+add = prepend
+
# Option: blocktype
# Notes.: reject or deny
blocktype = reject
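Review bot: The `# Notes.:` line added for the new `add` option in the second hunk does not say what an operator gives up by choosing `insert <num>`: the companion patch in this commit that introduced `prepend` states that the old `ufw insert` form fails for IPv6 addresses and that `prepend` needs ufw >= 0.36, so `insert` is a compatibility escape hatch rather than an equivalent. Since `<add>` is spliced unquoted into the `ufw` command line of `actionban`, the note should also spell out the accepted forms. Suggested wording: `# Notes.: can be set to "insert 1" to insert a rule at certain position (here 1); "insert <num>" restores the old behaviour and may fail for IPv6 addresses, the default "prepend" requires ufw >= 0.36`.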


@ -0,0 +1,58 @@
From e4e7a83cffb4fb5cbb35c204795fba45c8f40c61 Mon Sep 17 00:00:00 2001
From: usernamepi <53445688+usernamepi@users.noreply.github.com>
Date: Thu, 6 May 2021 13:44:36 +0200
Subject: [PATCH] Update ufw.conf
Prerequisites:
* The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY.
* Ufw version is => 0.36 (released in 2018)
* Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses.
* Now application names containing a space should handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532
* Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open.
Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option.
My system apparently is compiled that way.
---
config/action.d/ufw.conf | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
index d2f731f2e6..b47fa7e772 100644
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@@ -13,17 +13,26 @@ actionstop =
actioncheck =
-actionban = [ -n "<application>" ] && app="app <application>"
- ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
-
-actionunban = [ -n "<application>" ] && app="app <application>"
- ufw delete <blocktype> from <ip> to <destination> $app
+# ufw does "quickly process packets for which we already have a connection" in before.rules,
+# therefore all related sockets should be closed
+# actionban is using `ss` to do so, this only handles IPv4 and IPv6.
+
+actionban = if [ -n "<application>" ] && ufw app info "<application>"
+ then
+ ufw prepend <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
+ else
+ ufw prepend <blocktype> from <ip> to <destination> comment "<comment>"
+ fi
+ ss -K dst [<ip>]
+
+actionunban = if [ -n "<application>" ] && ufw app info "<application>"
+ then
+ ufw delete <blocktype> from <ip> to <destination> app "<application>"
+ else
+ ufw delete <blocktype> from <ip> to <destination>
+ fi
[Init]
-# Option: insertpos
-# Notes.: The position number in the firewall list to insert the block rule
-insertpos = 1
-
# Option: blocktype
# Notes.: reject or deny
blocktype = reject
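Review bot: Both `ufw` invocations in the new `actionban` pass `comment "<comment>"`, but neither this patch nor the other two in this commit defines a `comment` option in `[Init]`, where `blocktype` and the other tags are documented. Unless the base 0.11.2 file already defines `comment` outside this hunk, the tag is presumably left unexpanded and ufw receives the literal string `<comment>` as the rule comment; at minimum the option is undocumented. Suggest adding to `[Init]`: `# Option: comment`, `# Notes.: comment for rule added by fail2ban`, `comment = by Fail2Ban after <failures> attempts against <name>`.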


@ -0,0 +1,45 @@
From 8f6a8df3a45395620e434fd15b4ede694a1d00aa Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <serg.brester@sebres.de>
Date: Thu, 6 May 2021 21:47:06 +0200
Subject: [PATCH] added new options `kill-mode` and `kill`, which makes the
drop of all connections optional
---
config/action.d/ufw.conf | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
index bf06fe679..cf8c22bec 100644
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@@ -23,7 +23,7 @@ actionban = if [ -n "<application>" ] && ufw app info "<application>"
else
ufw <add> <blocktype> from <ip> to <destination> comment "<comment>"
fi
- ss -K dst [<ip>]
+ <kill>
actionunban = if [ -n "<application>" ] && ufw app info "<application>"
then
@@ -32,6 +32,21 @@ actionunban = if [ -n "<application>" ] && ufw app info "<application>"
ufw delete <blocktype> from <ip> to <destination>
fi
+# Option: kill-mode
+# Notes.: can be set to ss (may be extended later with other modes) to immediately drop all connections from banned IP, default empty (no kill)
+# Example: banaction = ufw[kill-mode=ss]
+kill-mode =
+
+# intern conditional parameter used to provide killing mode after ban:
+_kill_ =
+_kill_ss = ss -K dst "[<ip>]"
+
+# Option: kill
+# Notes.: can be used to specify custom killing feature, by default depending on option kill-mode
+# Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[<ip>]"']
+ banaction = ufw[kill='cutter "<ip>"']
+kill = <_kill_<kill-mode>>
+
[Init]
# Option: add
# Notes.: can be set to "insert 1" to insert a rule at certain position (here 1):
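Review bot: `kill = <_kill_<kill-mode>>` only resolves for `kill-mode` empty or `ss` (the `_kill_` and `_kill_ss` definitions added just above it); any other value yields a tag such as `<_kill_foo>` with no definition, and since `<kill>` sits on its own line inside the `actionban` shell script, the unexpanded text would presumably reach the shell as `<` and `>` redirections and break the ban action. The `# Notes.:` line for `kill-mode` says the option may be extended later but does not state that other values are currently invalid. Suggested wording: `# Notes.: can be set to ss (may be extended later with other modes) to immediately drop all connections from banned IP, default empty (no kill); any other value is currently unsupported and breaks actionban`. If fail2ban leaves undefined tags verbatim, a safe fallback cannot be expressed with this indirection, so documenting the constraint is the practical fix.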


@ -1,26 +1,33 @@
Name: fail2ban
Version: 0.11.2
Release: 2mamba
Release: 3mamba
Summary: Daemon to ban hosts that cause multiple authentication errors
Group: Applications/Security
Vendor: openmamba
Distribution: openmamba
Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
URL: http://www.fail2ban.org
URL: http://www.fail2ban.org/wiki/index.php/Main_Page
Source: https://github.com/fail2ban/fail2ban.git/%{version}/fail2ban-%{version}.tar.bz2
Source1: fail2ban-paths-openmamba.conf
Patch0: fail2ban-0.11.2-ufw-0.36-ipv6.patch
Patch1: fail2ban-0.11.2-ufw-0.36-ipv6-2.patch
Patch2: fail2ban-0.11.2-ufw-add-kill-options.patch
License: GPL
## AUTOBUILDREQ-BEGIN
## AUTOBUILDREQ-END
BuildRequires: libpython3-devel
## AUTOBUILDREQ-END
Requires: python3 >= %python3_version
Requires: python-systemd-py3
Requires: python-pyinotify-py3
%description
Daemon to ban hosts that cause multiple authentication errors.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
sed -i "s|/var/run/|/run/|" files/fail2ban.service.in \
files/fail2ban-tmpfiles.conf fail2ban/server/*.py \
@ -43,7 +50,7 @@ CFLAGS="%{optflags}" %{__python3} setup.py build
--install-lib=%{python3_sitearch} \
--record=%{name}.filelist
sed -i "s,.*/man/.*,&.gz," %{name}.filelist
sed -i "\,\.egg-info/,d;s,.*/man/.*,&.gz," %{name}.filelist
sed -i "/fail2ban\/tests\//d" %{name}.filelist
@ -107,9 +114,14 @@ rm -f %{buildroot}%{_sysconfdir}/paths-{arch,debian,fedora,freebsd,opensuse,osx}
%{_mandir}/man5/jail.conf.5*
%dir %{python3_sitearch}/fail2ban
%{python3_sitearch}/fail2ban/*
%dir %{python3_sitearch}/fail2ban-%{version}-py*.egg-info
%{python3_sitearch}/fail2ban-%{version}-py*.egg-info/*
%doc COPYING THANKS
%changelog
* Sat May 29 2021 Silvan Calarco <silvan.calarco@mambasoft.it> 0.11.2-3mamba
- added upstream patches to fix ipv6 support with ufw (see https://github.com/fail2ban/fail2ban/issues/2331 )
* Mon Mar 15 2021 Silvan Calarco <silvan.calarco@mambasoft.it> 0.11.2-2mamba
- update paths-openmamba.conf and remove other distro configurations