From c836039d3b1ebebfa5614b9a369b0eeb94b62767 Mon Sep 17 00:00:00 2001
From: Silvan Calarco
Date: Fri, 5 Jan 2024 22:12:44 +0100
Subject: [PATCH] added upstream patches to fix ipv6 support with ufw (see https://github.com/fail2ban/fail2ban/issues/2331 ) [release 0.11.2-3mamba;Sat May 29 2021]
---
 fail2ban-0.11.2-ufw-0.36-ipv6-2.patch | 37 ++++++++++++++
 fail2ban-0.11.2-ufw-0.36-ipv6.patch | 58 ++++++++++++++++++++++
 fail2ban-0.11.2-ufw-add-kill-options.patch | 45 +++++++++++++++++
 fail2ban.spec | 20 ++++++--
 4 files changed, 156 insertions(+), 4 deletions(-)
 create mode 100644 fail2ban-0.11.2-ufw-0.36-ipv6-2.patch
 create mode 100644 fail2ban-0.11.2-ufw-0.36-ipv6.patch
 create mode 100644 fail2ban-0.11.2-ufw-add-kill-options.patch
diff --git a/fail2ban-0.11.2-ufw-0.36-ipv6-2.patch b/fail2ban-0.11.2-ufw-0.36-ipv6-2.patch
new file mode 100644
index 0000000..4afcfc1
--- /dev/null
+++ b/fail2ban-0.11.2-ufw-0.36-ipv6-2.patch
@@ -0,0 +1,37 @@
+From 5debaa4cac2723fa863ede9ed32c19cc82c71786 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester"
+Date: Thu, 6 May 2021 20:23:58 +0200
+Subject: [PATCH] option "add", can be set to "insert " instead of prepend
+ (customization or backwards compat)
+
+---
+ config/action.d/ufw.conf | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
+index b47fa7e77..bf06fe679 100644
+--- a/config/action.d/ufw.conf
++++ b/config/action.d/ufw.conf
+@@ -19,9 +19,9 @@ actioncheck =
+
+ actionban = if [ -n "" ] && ufw app info ""
+ then
+- ufw prepend from to app "" comment ""
++ ufw from to app "" comment ""
+ else
+- ufw prepend from to comment ""
++ ufw from to comment ""
+ fi
+ ss -K dst []
+
+@@ -33,6 +33,10 @@ actionunban = if [ -n "" ] && ufw app info ""
+ fi
+
+ [Init]
++# Option: add
++# Notes.: can be set to "insert 1" to insert a rule at certain position (here 1):
++add = prepend
++
+ # Option: blocktype
+ # Notes.: reject or deny
+ blocktype = reject
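Review bot: The comment added for the new `add` option recommends `insert 1` without saying that `insert` is exactly what the preceding patch in this series (fail2ban-0.11.2-ufw-0.36-ipv6.patch) replaced with `prepend` because, per its commit message, the action fails for IPv6 addresses; a jail that sets `add=insert 1` for backwards compatibility would therefore stop banning IPv6 hosts again. As these are upstream patches carried verbatim, the least invasive fix is to extend the Notes line in the patch, e.g. `# Notes.: can be set to "insert 1" to insert a rule at certain position (here 1); "insert" cannot handle IPv6 addresses, keep "prepend" where IPv6 bans are required`. The angle-bracket action tags on the ufw lines appear to be missing in this rendering (e.g. `ufw from to app "" comment ""`), which is probably an extraction artifact rather than the patch's content, but the file should be checked against upstream commit 5debaa4 before it is shipped.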
diff --git a/fail2ban-0.11.2-ufw-0.36-ipv6.patch b/fail2ban-0.11.2-ufw-0.36-ipv6.patch
new file mode 100644
index 0000000..30b3189
--- /dev/null
+++ b/fail2ban-0.11.2-ufw-0.36-ipv6.patch
@@ -0,0 +1,58 @@
+From e4e7a83cffb4fb5cbb35c204795fba45c8f40c61 Mon Sep 17 00:00:00 2001
+From: usernamepi <53445688+usernamepi@users.noreply.github.com>
+Date: Thu, 6 May 2021 13:44:36 +0200
+Subject: [PATCH] Update ufw.conf
+
+Prerequisites:
+* The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY.
+* Ufw version is => 0.36 (released in 2018)
+
+* Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses.
+* Now application names containing a space should handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532
+* Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open.
+ Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option.
+ My system apparently is compiled that way.
+---
+ config/action.d/ufw.conf | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
+index d2f731f2e6..b47fa7e772 100644
+--- a/config/action.d/ufw.conf
++++ b/config/action.d/ufw.conf
+@@ -13,17 +13,26 @@ actionstop =
+
+ actioncheck =
+
+-actionban = [ -n "" ] && app="app "
+- ufw insert from to $app
+-
+-actionunban = [ -n "" ] && app="app "
+- ufw delete from to $app
++# ufw does "quickly process packets for which we already have a connection" in before.rules,
++# therefore all related sockets should be closed
++# actionban is using `ss` to do so, this only handles IPv4 and IPv6.
++
++actionban = if [ -n "" ] && ufw app info ""
++ then
++ ufw prepend from to app "" comment ""
++ else
++ ufw prepend from to comment ""
++ fi
++ ss -K dst []
++
++actionunban = if [ -n "" ] && ufw app info ""
++ then
++ ufw delete from to app ""
++ else
++ ufw delete from to
++ fi
+
+ [Init]
+-# Option: insertpos
+-# Notes.: The position number in the firewall list to insert the block rule
+-insertpos = 1
+-
+ # Option: blocktype
+ # Notes.: reject or deny
+ blocktype = reject
diff --git a/fail2ban-0.11.2-ufw-add-kill-options.patch b/fail2ban-0.11.2-ufw-add-kill-options.patch
new file mode 100644
index 0000000..1d02012
--- /dev/null
+++ b/fail2ban-0.11.2-ufw-add-kill-options.patch
@@ -0,0 +1,45 @@
+From 8f6a8df3a45395620e434fd15b4ede694a1d00aa Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester"
+Date: Thu, 6 May 2021 21:47:06 +0200
+Subject: [PATCH] added new options `kill-mode` and `kill`, which makes the
+ drop of all connections optional
+
+---
+ config/action.d/ufw.conf | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
+index bf06fe679..cf8c22bec 100644
+--- a/config/action.d/ufw.conf
++++ b/config/action.d/ufw.conf
+@@ -23,7 +23,7 @@ actionban = if [ -n "" ] && ufw app info ""
+ else
+ ufw from to comment ""
+ fi
+- ss -K dst []
++
+
+ actionunban = if [ -n "" ] && ufw app info ""
+ then
+@@ -32,6 +32,21 @@ actionunban = if [ -n "" ] && ufw app info ""
+ ufw delete from to
+ fi
+
++# Option: kill-mode
++# Notes.: can be set to ss (may be extended later with other modes) to immediately drop all connections from banned IP, default empty (no kill)
++# Example: banaction = ufw[kill-mode=ss]
++kill-mode =
++
++# intern conditional parameter used to provide killing mode after ban:
++_kill_ =
++_kill_ss = ss -K dst "[]"
++
++# Option: kill
++# Notes.: can be used to specify custom killing feature, by default depending on option kill-mode
++# Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[]"']
++ banaction = ufw[kill='cutter ""']
++kill = <_kill_>
++
+ [Init]
+ # Option: add
+ # Notes.: can be set to "insert 1" to insert a rule at certain position (here 1):
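Review bot: After this third patch the `ss -K` connection teardown introduced by the first patch no longer runs by default: `kill-mode` defaults to empty, `_kill_` therefore expands to nothing, and the `++` line that replaces the unconditional `ss -K dst []` (presumably the `<kill>` tag, stripped in this rendering) is a no-op unless a jail sets `banaction = ufw[kill-mode=ss]`. Because ufw's before.rules short-circuits packets of existing connections (as the comment added by the first patch states), a ban then inserts the rule but leaves the banned address's established sessions open until they end on their own. That is a deliberate upstream choice, but the packaging changelog describes the series only as an IPv6 fix, so a line such as `- note: with the patched ufw action, existing connections are dropped on ban only when banaction = ufw[kill-mode=ss]` in the %changelog would keep administrators from assuming the earlier behaviour. The `ss` mode also needs a kernel built with CONFIG_INET_DIAG_DESTROY per the first patch's prerequisites; if openmamba kernels lack it, `ss -K` will fail at ban time — worth confirming.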
@@ -1,26 +1,33 @@ Name: fail2ban Version: 0.11.2 -Release: 2mamba +Release: 3mamba Summary: Daemon to ban hosts that cause multiple authentication errors Group: Applications/Security Vendor: openmamba Distribution: openmamba Packager: Silvan Calarco -URL: http://www.fail2ban.org +URL: http://www.fail2ban.org/wiki/index.php/Main_Page Source: https://github.com/fail2ban/fail2ban.git/%{version}/fail2ban-%{version}.tar.bz2 Source1: fail2ban-paths-openmamba.conf +Patch0: fail2ban-0.11.2-ufw-0.36-ipv6.patch +Patch1: fail2ban-0.11.2-ufw-0.36-ipv6-2.patch +Patch2: fail2ban-0.11.2-ufw-add-kill-options.patch License: GPL ## AUTOBUILDREQ-BEGIN -## AUTOBUILDREQ-END BuildRequires: libpython3-devel +## AUTOBUILDREQ-END Requires: python3 >= %python3_version Requires: python-systemd-py3 +Requires: python-pyinotify-py3 %description Daemon to ban hosts that cause multiple authentication errors. %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 sed -i "s|/var/run/|/run/|" files/fail2ban.service.in \ files/fail2ban-tmpfiles.conf fail2ban/server/*.py \ @@ -43,7 +50,7 @@ CFLAGS="%{optflags}" %{__python3} setup.py build --install-lib=%{python3_sitearch} \ --record=%{name}.filelist -sed -i "s,.*/man/.*,&.gz," %{name}.filelist +sed -i "\,\.egg-info/,d;s,.*/man/.*,&.gz," %{name}.filelist sed -i "/fail2ban\/tests\//d" %{name}.filelist @@ -107,9 +114,14 @@ rm -f %{buildroot}%{_sysconfdir}/paths-{arch,debian,fedora,freebsd,opensuse,osx} %{_mandir}/man5/jail.conf.5* %dir %{python3_sitearch}/fail2ban %{python3_sitearch}/fail2ban/* +%dir %{python3_sitearch}/fail2ban-%{version}-py*.egg-info +%{python3_sitearch}/fail2ban-%{version}-py*.egg-info/* %doc COPYING THANKS %changelog +* Sat May 29 2021 Silvan Calarco 0.11.2-3mamba +- added upstream patches to fix ipv6 support with ufw (see https://github.com/fail2ban/fail2ban/issues/2331 ) + * Mon Mar 15 2021 Silvan Calarco 0.11.2-2mamba - update paths-openmamba.conf and remove other distro configurations
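Review bot: The spec now applies three patches that make the packaged ufw action depend on `ufw prepend`, which the first patch's commit message says needs ufw >= 0.36, yet nothing in the spec records that constraint — no `Requires`/`Recommends` on ufw (a hard dependency would be wrong, since ufw is only one of fail2ban's banactions) and no comment next to the Patch lines. If the openmamba ufw package is older, the patched action fails at ban time and the offending host is not blocked, with nothing at build or install time flagging it, so a comment such as `# Patch0-2: upstream ufw action rewrite; needs ufw >= 0.36 (ufw prepend), and a kernel with CONFIG_INET_DIAG_DESTROY for kill-mode=ss` next to Patch0–Patch2 would at least make the precondition visible. Separately, the new `Requires: python-pyinotify-py3` in the same hunk is not mentioned in the %changelog entry added by the third hunk.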