summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSam James <sam@gentoo.org>2024-08-29 02:53:56 +0100
committerSam James <sam@gentoo.org>2024-08-29 02:53:56 +0100
commita74794caf315f33baf0a2ca7ee9da1aa649b85fd (patch)
treed567739e55b06f569c3c6d0d92c039e936eb15bc /net-analyzer/fail2ban
parentdev-libs/userspace-rcu: add 0.14.1 (diff)
downloadgentoo-a74794caf315f33baf0a2ca7ee9da1aa649b85fd.tar.gz
gentoo-a74794caf315f33baf0a2ca7ee9da1aa649b85fd.tar.bz2
gentoo-a74794caf315f33baf0a2ca7ee9da1aa649b85fd.zip
net-analyzer/fail2ban: fix openssh-9.8 compat harder; openrc tweak
* Fix OpenSSH 9.8 harder by backporting more patches from upstream * Backport mjo's OpenRC init script tweak for nftables Bug: https://bugs.gentoo.org/935392 Closes: https://bugs.gentoo.org/936838 Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'net-analyzer/fail2ban')
-rw-r--r--net-analyzer/fail2ban/fail2ban-1.1.0-r2.ebuild138
-rw-r--r--net-analyzer/fail2ban/files/fail2ban-1.1.0-openrc-nftables.patch25
-rw-r--r--net-analyzer/fail2ban/files/fail2ban-1.1.0-openssh-9.8-fixups.patch40
3 files changed, 203 insertions, 0 deletions
diff --git a/net-analyzer/fail2ban/fail2ban-1.1.0-r2.ebuild b/net-analyzer/fail2ban/fail2ban-1.1.0-r2.ebuild
new file mode 100644
index 000000000000..5cf1db15faa4
--- /dev/null
+++ b/net-analyzer/fail2ban/fail2ban-1.1.0-r2.ebuild
@@ -0,0 +1,138 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_SINGLE_IMPL=1
+PYTHON_COMPAT=( python3_{10..13} )
+
+inherit bash-completion-r1 distutils-r1 systemd tmpfiles
+
+DESCRIPTION="Scans log files and bans IPs that show malicious signs"
+HOMEPAGE="https://www.fail2ban.org/"
+
+if [[ ${PV} == *9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/fail2ban/fail2ban"
+ inherit git-r3
+else
+ SRC_URI="https://github.com/fail2ban/fail2ban/archive/${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="selinux systemd test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ $(python_gen_cond_dep '
+ dev-python/pyasyncore[${PYTHON_USEDEP}]
+ dev-python/pyasynchat[${PYTHON_USEDEP}]
+ ' 3.12)
+ virtual/logger
+ virtual/mta
+ selinux? ( sec-policy/selinux-fail2ban )
+ systemd? (
+ $(python_gen_cond_dep '
+ dev-python/python-systemd[${PYTHON_USEDEP}]
+ ')
+ )
+"
+BDEPEND="
+ test? (
+ $(python_gen_cond_dep '
+ dev-python/aiosmtpd[${PYTHON_USEDEP}]
+ ')
+ )
+"
+
+DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt )
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch
+ "${FILESDIR}"/${PN}-1.0.2-umask-tests.patch
+ "${FILESDIR}"/${PN}-1.1.0-openssh-9.8.patch
+ "${FILESDIR}"/${PN}-1.1.0-openssh-9.8-fixups.patch
+ "${FILESDIR}"/${PN}-1.1.0-openrc-nftables.patch
+)
+
+python_prepare_all() {
+ distutils-r1_python_prepare_all
+
+ # Replace /var/run with /run, but not in the top source directory
+ find . -mindepth 2 -type f -exec \
+ sed -i -e 's|/var\(/run/fail2ban\)|\1|g' {} + || die
+}
+
+python_test() {
+ # Skip testRepairDb for bug #907348 (didn't always fail..)
+ # https://github.com/fail2ban/fail2ban/issues/3586
+ bin/fail2ban-testcases \
+ --no-network \
+ --ignore databasetestcase.DatabaseTest.testRepairDb \
+ --verbosity=4 || die "Tests failed with ${EPYTHON}"
+
+ # Workaround for bug #790251
+ rm -rf fail2ban.egg-info || die
+}
+
+python_install_all() {
+ distutils-r1_python_install_all
+
+ rm -rf "${ED}"/usr/share/doc/${PN} "${ED}"/run || die
+
+ newconfd files/fail2ban-openrc.conf ${PN}
+
+ # These two are placed in the ${BUILD_DIR} after being "built"
+ # in install_scripts().
+ newinitd "${BUILD_DIR}/fail2ban-openrc.init" "${PN}"
+ systemd_dounit "${BUILD_DIR}/${PN}.service"
+
+ dotmpfiles files/${PN}-tmpfiles.conf
+
+ doman man/*.{1,5}
+
+ # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d.
+ # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675
+ insinto /etc/logrotate.d
+ newins files/${PN}-logrotate ${PN}
+
+ keepdir /var/lib/${PN}
+
+ newbashcomp files/bash-completion ${PN}-client
+ bashcomp_alias ${PN}-client ${PN}-server ${PN}-regex
+}
+
+pkg_preinst() {
+ has_version "<${CATEGORY}/${PN}-0.7"
+ previous_less_than_0_7=$?
+}
+
+pkg_postinst() {
+ tmpfiles_process ${PN}-tmpfiles.conf
+
+ if [[ ${previous_less_than_0_7} == 0 ]] ; then
+ elog
+ elog "Configuration files are now in /etc/fail2ban/"
+ elog "You probably have to manually update your configuration"
+ elog "files before restarting Fail2Ban!"
+ elog
+ elog "Fail2Ban is not installed under /usr/lib anymore. The"
+ elog "new location is under /usr/share."
+ elog
+ elog "You are upgrading from version 0.6.x, please see:"
+ elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8"
+ fi
+
+ if ! has_version dev-python/pyinotify ; then
+ elog "For most jail.conf configurations, it is recommended you install"
+ elog "dev-python/pyinotify to control how log file modifications are detected"
+ fi
+
+ if ! has_version dev-lang/python[sqlite] ; then
+ elog "If you want to use ${PN}'s persistent database, then reinstall"
+ elog "dev-lang/python with USE=sqlite. If you do not use the"
+ elog "persistent database feature, then you should set"
+ elog "dbfile = :memory: in fail2ban.conf accordingly."
+ fi
+}
diff --git a/net-analyzer/fail2ban/files/fail2ban-1.1.0-openrc-nftables.patch b/net-analyzer/fail2ban/files/fail2ban-1.1.0-openrc-nftables.patch
new file mode 100644
index 000000000000..844be1cedd34
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-1.1.0-openrc-nftables.patch
@@ -0,0 +1,25 @@
+https://github.com/fail2ban/fail2ban/commit/9e31cfc1f10e8304dc0b5adf0a429d57fcb598a3
+
+From 9e31cfc1f10e8304dc0b5adf0a429d57fcb598a3 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sat, 24 Aug 2024 11:59:59 -0400
+Subject: [PATCH] files/fail2ban-openrc.init.in: start after nftables
+
+The "after iptables" clause in the OpenRC service script's depend()
+function causes fail2ban to start after iptables, if iptables is
+scheduled to start. Here we add "after nftables" as well: nftables is
+the successor to iptables, and fail2ban supports it out-of-the-box.
+If nftables is scheduled to start, we want to wait until it's done
+before starting fail2ban.
+--- a/files/fail2ban-openrc.init.in
++++ b/files/fail2ban-openrc.init.in
+@@ -44,7 +44,7 @@ retry="30"
+
+ depend() {
+ use logger
+- after iptables
++ after iptables nftables
+ }
+
+ checkconfig() {
+
diff --git a/net-analyzer/fail2ban/files/fail2ban-1.1.0-openssh-9.8-fixups.patch b/net-analyzer/fail2ban/files/fail2ban-1.1.0-openssh-9.8-fixups.patch
new file mode 100644
index 000000000000..06ff07bd0599
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-1.1.0-openssh-9.8-fixups.patch
@@ -0,0 +1,40 @@
+https://bugs.gentoo.org/936838
+https://github.com/fail2ban/fail2ban/commit/c769046a1f729880cc53efdff4b52ac96010752f
+https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4
+
+From c769046a1f729880cc53efdff4b52ac96010752f Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 11 Aug 2024 11:55:39 +0200
+Subject: [PATCH] Revert "`filterd./sshd.conf`: fixed journalmatch
+ (sshd.service seems to be renamed to ssh.service)" - it'd patched in debian
+ branch. This reverts commit 6fce23e7baa484c7d1f9b0c9a11986f3916c41dd.
+
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -126,7 +126,7 @@ ignoreregex =
+
+ maxlines = 1
+
+-journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+
+ # DEV Notes:
+ #
+
+From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 11 Aug 2024 12:10:12 +0200
+Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version
+ would log with `_COMM=sshd-session`)
+
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -126,7 +126,7 @@ ignoreregex =
+
+ maxlines = 1
+
+-journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
+
+ # DEV Notes:
+ #