author | Sam James <sam@gentoo.org> | 2024-08-29 02:53:56 +0100 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2024-08-29 02:53:56 +0100 |
commit | a74794caf315f33baf0a2ca7ee9da1aa649b85fd (patch) | |
tree | d567739e55b06f569c3c6d0d92c039e936eb15bc /net-analyzer/fail2ban | |
parent | dev-libs/userspace-rcu: add 0.14.1 (diff) | |
net-analyzer/fail2ban: fix openssh-9.8 compat harder; openrc tweak
* Fix OpenSSH 9.8 harder by backporting more patches from upstream
* Backport mjo's OpenRC init script tweak for nftables
Bug: https://bugs.gentoo.org/935392
Closes: https://bugs.gentoo.org/936838
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'net-analyzer/fail2ban')
3 files changed, 203 insertions, 0 deletions
diff --git a/net-analyzer/fail2ban/fail2ban-1.1.0-r2.ebuild b/net-analyzer/fail2ban/fail2ban-1.1.0-r2.ebuild
new file mode 100644
index 000000000000..5cf1db15faa4
--- /dev/null
+++ b/net-analyzer/fail2ban/fail2ban-1.1.0-r2.ebuild
@@ -0,0 +1,138 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_SINGLE_IMPL=1
+PYTHON_COMPAT=( python3_{10..13} )
+
+inherit bash-completion-r1 distutils-r1 systemd tmpfiles
+
+DESCRIPTION="Scans log files and bans IPs that show malicious signs"
+HOMEPAGE="https://www.fail2ban.org/"
+
+if [[ ${PV} == *9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/fail2ban/fail2ban"
+ inherit git-r3
+else
+ SRC_URI="https://github.com/fail2ban/fail2ban/archive/${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="selinux systemd test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ $(python_gen_cond_dep '
+ dev-python/pyasyncore[${PYTHON_USEDEP}]
+ dev-python/pyasynchat[${PYTHON_USEDEP}]
+ ' 3.12)
+ virtual/logger
+ virtual/mta
+ selinux? ( sec-policy/selinux-fail2ban )
+ systemd? (
+ $(python_gen_cond_dep '
+ dev-python/python-systemd[${PYTHON_USEDEP}]
+ ')
+ )
+"
+BDEPEND="
+ test? (
+ $(python_gen_cond_dep '
+ dev-python/aiosmtpd[${PYTHON_USEDEP}]
+ ')
+ )
+"
+
+DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt )
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch
+ "${FILESDIR}"/${PN}-1.0.2-umask-tests.patch
+ "${FILESDIR}"/${PN}-1.1.0-openssh-9.8.patch
+ "${FILESDIR}"/${PN}-1.1.0-openssh-9.8-fixups.patch
+ "${FILESDIR}"/${PN}-1.1.0-openrc-nftables.patch
+)
+
+python_prepare_all() {
+ distutils-r1_python_prepare_all
+
+ # Replace /var/run with /run, but not in the top source directory
+ find . -mindepth 2 -type f -exec \
+ sed -i -e 's|/var\(/run/fail2ban\)|\1|g' {} + || die
+}
+
+python_test() {
+ # Skip testRepairDb for bug #907348 (didn't always fail..)
+ # https://github.com/fail2ban/fail2ban/issues/3586
+ bin/fail2ban-testcases \
+ --no-network \
+ --ignore databasetestcase.DatabaseTest.testRepairDb \
+ --verbosity=4 || die "Tests failed with ${EPYTHON}"
+
+ # Workaround for bug #790251
+ rm -rf fail2ban.egg-info || die
+}
+
+python_install_all() {
+ distutils-r1_python_install_all
+
+ rm -rf "${ED}"/usr/share/doc/${PN} "${ED}"/run || die
+
+ newconfd files/fail2ban-openrc.conf ${PN}
+
+ # These two are placed in the ${BUILD_DIR} after being "built"
+ # in install_scripts().
+ newinitd "${BUILD_DIR}/fail2ban-openrc.init" "${PN}"
+ systemd_dounit "${BUILD_DIR}/${PN}.service"
+
+ dotmpfiles files/${PN}-tmpfiles.conf
+
+ doman man/*.{1,5}
+
+ # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d.
+ # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675
+ insinto /etc/logrotate.d
+ newins files/${PN}-logrotate ${PN}
+
+ keepdir /var/lib/${PN}
+
+ newbashcomp files/bash-completion ${PN}-client
+ bashcomp_alias ${PN}-client ${PN}-server ${PN}-regex
+}
+
+pkg_preinst() {
+ has_version "<${CATEGORY}/${PN}-0.7"
+ previous_less_than_0_7=$?
+}
+
+pkg_postinst() {
+ tmpfiles_process ${PN}-tmpfiles.conf
+
+ if [[ ${previous_less_than_0_7} == 0 ]] ; then
+ elog
+ elog "Configuration files are now in /etc/fail2ban/"
+ elog "You probably have to manually update your configuration"
+ elog "files before restarting Fail2Ban!"
+ elog
+ elog "Fail2Ban is not installed under /usr/lib anymore. The"
+ elog "new location is under /usr/share."
+ elog
+ elog "You are upgrading from version 0.6.x, please see:"
+ elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8"
+ fi
+
+ if ! has_version dev-python/pyinotify ; then
+ elog "For most jail.conf configurations, it is recommended you install"
+ elog "dev-python/pyinotify to control how log file modifications are detected"
+ fi
+
+ if ! has_version dev-lang/python[sqlite] ; then
+ elog "If you want to use ${PN}'s persistent database, then reinstall"
+ elog "dev-lang/python with USE=sqlite. If you do not use the"
+ elog "persistent database feature, then you should set"
+ elog "dbfile = :memory: in fail2ban.conf accordingly."
+ fi
+}
diff --git a/net-analyzer/fail2ban/files/fail2ban-1.1.0-openrc-nftables.patch b/net-analyzer/fail2ban/files/fail2ban-1.1.0-openrc-nftables.patch
new file mode 100644
index 000000000000..844be1cedd34
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-1.1.0-openrc-nftables.patch
@@ -0,0 +1,25 @@
+https://github.com/fail2ban/fail2ban/commit/9e31cfc1f10e8304dc0b5adf0a429d57fcb598a3
+
+From 9e31cfc1f10e8304dc0b5adf0a429d57fcb598a3 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sat, 24 Aug 2024 11:59:59 -0400
+Subject: [PATCH] files/fail2ban-openrc.init.in: start after nftables
+
+The "after iptables" clause in the OpenRC service script's depend()
+function causes fail2ban to start after iptables, if iptables is
+scheduled to start. Here we add "after nftables" as well: nftables is
+the successor to iptables, and fail2ban supports it out-of-the-box.
+If nftables is scheduled to start, we want to wait until it's done
+before starting fail2ban.
+--- a/files/fail2ban-openrc.init.in
++++ b/files/fail2ban-openrc.init.in
+@@ -44,7 +44,7 @@ retry="30"
+ 
+ depend() {
+ use logger
+- after iptables
++ after iptables nftables
+ }
+ 
+ checkconfig() {
+ 
diff --git a/net-analyzer/fail2ban/files/fail2ban-1.1.0-openssh-9.8-fixups.patch b/net-analyzer/fail2ban/files/fail2ban-1.1.0-openssh-9.8-fixups.patch
new file mode 100644
index 000000000000..06ff07bd0599
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-1.1.0-openssh-9.8-fixups.patch
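Review bot: pkg_preinst and pkg_postinst in the new ebuild still carry the 0.6.x-to-0.8 migration notice — the `has_version "<${CATEGORY}/${PN}-0.7"` probe, the `previous_less_than_0_7` global it sets, and the first elog block — which is dead weight in a 1.1.0 ebuild, since an upgrade from 0.6.x is presumably no longer a path anyone takes. The next revision could drop pkg_preinst entirely and leave pkg_postinst with `tmpfiles_process` plus the pyinotify and sqlite hints. If the probe is kept, the variable deserves a why-comment where it is read, e.g. `# set in pkg_preinst; 0 means a <0.7 version was installed`, because it crosses phase functions with no declaration in sight.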
@@ -0,0 +1,40 @@
+https://bugs.gentoo.org/936838
+https://github.com/fail2ban/fail2ban/commit/c769046a1f729880cc53efdff4b52ac96010752f
+https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4
+
+From c769046a1f729880cc53efdff4b52ac96010752f Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 11 Aug 2024 11:55:39 +0200
+Subject: [PATCH] Revert "`filterd./sshd.conf`: fixed journalmatch
+ (sshd.service seems to be renamed to ssh.service)" - it'd patched in debian
+ branch. This reverts commit 6fce23e7baa484c7d1f9b0c9a11986f3916c41dd.
+
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -126,7 +126,7 @@ ignoreregex =
+ 
+ maxlines = 1
+ 
+-journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+ 
+ # DEV Notes:
+ #
+
+From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 11 Aug 2024 12:10:12 +0200
+Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version
+ would log with `_COMM=sshd-session`)
+
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -126,7 +126,7 @@ ignoreregex =
+ 
+ maxlines = 1
+ 
+-journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
+ 
+ # DEV Notes:
+ # |