summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Heinemann2017-01-15 12:19:09 +0100
committerThomas Heinemann2017-01-15 12:19:09 +0100
commit49e2ffdd43ccbd51b301a3075792c42a08525cc7 (patch)
tree6f2c149da8ff0f98515e7a690428ef49a3cda807
downloadaur-49e2ffdd43ccbd51b301a3075792c42a08525cc7.tar.gz
initial release
-rw-r--r--.SRCINFO40
-rw-r--r--PKGBUILD90
-rw-r--r--fail2ban.install3
-rw-r--r--failregex.patch12
-rw-r--r--filter.patch38
-rwxr-xr-xip64set30
-rwxr-xr-xip64tables29
-rw-r--r--ip64tables-allports.conf14
-rw-r--r--ip64tables-ipset-proto6-allports.conf64
-rw-r--r--ip64tables-multiport.conf15
10 files changed, 335 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 00000000000..217923865c2
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,40 @@
+pkgbase = fail2ban6
+ pkgdesc = Bans IPs after too many failed authentication attempts (IPv6 supported based on crycode patch)
+ pkgver = 0.9.6
+ pkgrel = 1
+ url = http://www.fail2ban.org/
+ install = fail2ban.install
+ arch = any
+ license = GPL
+ checkdepends = python-setuptools
+ checkdepends = python-coverage
+ makedepends = python-setuptools
+ depends = iptables
+ depends = python-pyinotify
+ depends = whois
+ depends = sqlite
+ depends = python-systemd
+ provides = fail2ban
+ conflicts = fail2ban
+ backup = etc/fail2ban/fail2ban.conf
+ backup = etc/fail2ban/jail.conf
+ backup = etc/logrotate.d/fail2ban
+ source = fail2ban-0.9.6.tar.gz::https://github.com/fail2ban/fail2ban/archive/0.9.6.tar.gz
+ source = failregex.patch
+ source = filter.patch
+ source = ip64tables
+ source = ip64tables-allports.conf
+ source = ip64tables-multiport.conf
+ source = ip64set
+ source = ip64tables-ipset-proto6-allports.conf
+ md5sums = 8758789d40366f5e212b4e6b629297d1
+ md5sums = 096da47cbf505d2cf6fb718d7df9f9a5
+ md5sums = 0640491c11f56f91f1ce6fe31a3d84c2
+ md5sums = 2ad1875d08cc53537e623cea334baa25
+ md5sums = 1bb20dcd9db96e95c79cfe1e77f823dd
+ md5sums = 7785327e2fae4b051be7a82e97318010
+ md5sums = 6119045904445c559e9e53cb1a9c5fb0
+ md5sums = 699c29dfec7528da62ccaecbdc263f6e
+
+pkgname = fail2ban6
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 00000000000..af4afc8fe97
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,90 @@
+# $Id$
+# Maintainer: Felix Yan <felixonmars@archlinux.org>
+# Contributor: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
+# Contributor: Geoffroy Carrier <geoffroy.carrier@koon.fr>
+# Contributor: michalzxc
+# Contributor: nbags <neilbags@gmail.com>
+# Contributor: Thomas Heinemann <thomas@niphba.de>
+
+pkgname=fail2ban6
+pkgver=0.9.6
+pkgrel=1
+provides=(fail2ban)
+conflicts=(fail2ban)
+pkgdesc='Bans IPs after too many failed authentication attempts (IPv6 supported based on crycode patch)'
+url='http://www.fail2ban.org/'
+license=('GPL')
+arch=('any')
+depends=('iptables' 'python-pyinotify' 'whois' 'sqlite' 'python-systemd')
+makedepends=('python-setuptools')
+checkdepends=('python-setuptools' 'python-coverage')
+backup=(etc/fail2ban/fail2ban.conf
+ etc/fail2ban/jail.conf
+ etc/logrotate.d/fail2ban)
+install=fail2ban.install
+source=(fail2ban-$pkgver.tar.gz::https://github.com/fail2ban/fail2ban/archive/$pkgver.tar.gz
+ failregex.patch
+ filter.patch
+ ip64tables
+ ip64tables-allports.conf
+ ip64tables-multiport.conf
+ ip64set
+ ip64tables-ipset-proto6-allports.conf)
+md5sums=('8758789d40366f5e212b4e6b629297d1'
+ '096da47cbf505d2cf6fb718d7df9f9a5'
+ '0640491c11f56f91f1ce6fe31a3d84c2'
+ '2ad1875d08cc53537e623cea334baa25'
+ '1bb20dcd9db96e95c79cfe1e77f823dd'
+ '7785327e2fae4b051be7a82e97318010'
+ '6119045904445c559e9e53cb1a9c5fb0'
+ '699c29dfec7528da62ccaecbdc263f6e')
+
+check() {
+ cd fail2ban-$pkgver
+ ./fail2ban-2to3
+ coverage run bin/fail2ban-testcases || warning "Tests failed"
+}
+
+package() {
+ cd fail2ban-$pkgver
+
+ # patch crycode ipv6
+ cd fail2ban/server
+ patch < $srcdir/failregex.patch
+ patch < $srcdir/filter.patch
+ cd ../..
+
+ python setup.py install --prefix /usr --root "$pkgdir" --optimize=1
+
+ chmod 644 "$pkgdir/usr/lib/python3.6/site-packages/fail2ban-$pkgver-py3.6.egg-info"/*
+
+ install -Dm644 files/fail2ban.service \
+ "$pkgdir"/usr/lib/systemd/system/fail2ban.service
+ install -Dm644 files/fail2ban-tmpfiles.conf \
+ "$pkgdir"/usr/lib/tmpfiles.d/fail2ban.conf
+ install -Dm644 files/fail2ban-logrotate \
+ "$pkgdir"/etc/logrotate.d/fail2ban
+ install -Dm644 files/bash-completion \
+ "$pkgdir"/usr/share/bash-completion/completions/fail2ban
+
+ # fix sendmail location
+ sed -i 's/sbin/bin/g' "$pkgdir"/etc/fail2ban/action.d/sendmail*.conf
+
+ install -Dm644 man/fail2ban.1 "$pkgdir"/usr/share/man/man1/fail2ban.1
+ install -Dm644 man/fail2ban-client.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-client.1
+ install -Dm644 man/fail2ban-regex.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-regex.1
+ install -Dm644 man/fail2ban-server.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-server.1
+ install -Dm644 man/jail.conf.5 "$pkgdir"/usr/share/man/man5/jail.conf.5
+
+ # include ip64 files
+ install -Dm755 $srcdir/ip64tables $pkgdir/usr/bin/ip64tables
+ install -Dm644 $srcdir/ip64tables-allports.conf $pkgdir/etc/fail2ban/action.d/ip64tables-allports.conf
+ install -Dm644 $srcdir/ip64tables-multiport.conf $pkgdir/etc/fail2ban/action.d/ip64tables-multiport.conf
+ install -Dm755 $srcdir/ip64set $pkgdir/usr/bin/ip64set
+ install -Dm644 $srcdir/ip64tables-ipset-proto6-allports.conf $pkgdir/etc/fail2ban/action.d/ip64tables-ipset-proto6-allports.conf
+
+ rm -r "$pkgdir/run"
+}
diff --git a/fail2ban.install b/fail2ban.install
new file mode 100644
index 00000000000..54a73d9a5f9
--- /dev/null
+++ b/fail2ban.install
@@ -0,0 +1,3 @@
+post_install() {
+ usr/bin/systemd-tmpfiles --create fail2ban.conf
+}
diff --git a/failregex.patch b/failregex.patch
new file mode 100644
index 00000000000..6ff45378070
--- /dev/null
+++ b/failregex.patch
@@ -0,0 +1,12 @@
+# Fail2Ban IPv6 Patch for Fail2Ban v0.9.3, v0.9.4, v0.9.5
+--- failregex.py.orig
++++ failregex.py
+@@ -44,7 +44,7 @@
+ self._matchCache = None
+ # Perform shortcuts expansions.
+ # Replace "<HOST>" with default regular expression for host.
+- regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)")
++ regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_:]*\w)")
+ # Replace "<SKIPLINES>" with regular expression for multiple lines.
+ regexSplit = regex.split("<SKIPLINES>")
+ regex = regexSplit[0]
diff --git a/filter.patch b/filter.patch
new file mode 100644
index 00000000000..bfee65b963a
--- /dev/null
+++ b/filter.patch
@@ -0,0 +1,38 @@
+# Fail2Ban IPv6 Patch for Fail2Ban v0.9.3, v0.9.4, v0.9.5
+--- filter.py.orig
++++ filter.py
+@@ -849,6 +849,7 @@
+ class DNSUtils:
+
+ IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
++ IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")
+
+ @staticmethod
+ def dnsToIp(dns):
+@@ -883,19 +884,21 @@
+ if match:
+ return match
+ else:
+- return None
++ match = DNSUtils.IP_CRE6.match(text)
++ if match:
++ """ Right Here, we faced to a ipv6
++ """
++ return match
++ else:
++ return None
+
+ @staticmethod
+ def isValidIP(string):
+ """ Return true if str is a valid IP
++ We Consider that logfiles didn't make errors ;)
+ """
+- s = string.split('/', 1)
+- try:
+- socket.inet_aton(s[0])
+- return True
+- except socket.error:
+- return False
++ return True
+
+ @staticmethod
diff --git a/ip64set b/ip64set
new file mode 100755
index 00000000000..c862f8e5bac
--- /dev/null
+++ b/ip64set
@@ -0,0 +1,30 @@
+#!/bin/bash
+# ipset switch
+LINE=$*
+LINE6=`echo $LINE | sed s/f2b-/f2b6-/`
+
+RESULT=`echo $LINE | egrep " ([0-9]{1,3}\.){3}[0-9]{1,3}" | wc -l`
+RESULT6=`echo $LINE | egrep "(::[A-Fa-f0-9])|((:[A-Fa-f0-9]{1,4}){2,})" | wc -l `
+
+if [ $RESULT -eq "1" ]; then
+ # IPv4
+ ipset $LINE
+ ERRCODE=$?
+
+elif [ $RESULT6 -eq "1" ]; then
+ # IPv6
+ ipset $LINE6
+ ERRCODE=$?
+
+else
+ # IPv4 + IPv6
+ ipset $LINE
+ ERRCODE=$?
+ ipset $LINE6
+ if [ $? -ge "1" ]; then
+ ERRCODE=$?
+ fi
+
+fi
+
+exit $ERRCODE
diff --git a/ip64tables b/ip64tables
new file mode 100755
index 00000000000..7b1639de533
--- /dev/null
+++ b/ip64tables
@@ -0,0 +1,29 @@
+#!/bin/bash
+# iptables/ip6tables switch
+LINE=$*
+
+RESULT=`echo $LINE | egrep " ([0-9]{1,3}\.){3}[0-9]{1,3}" | wc -l`
+RESULT6=`echo $LINE | egrep "(::[A-Fa-f0-9])|((:[A-Fa-f0-9]{1,4}){2,})" | wc -l `
+
+if [ $RESULT -eq "1" ]; then
+ # IPv4
+ iptables $LINE
+ ERRCODE=$?
+
+elif [ $RESULT6 -eq "1" ]; then
+ # IPv6
+ ip6tables $LINE
+ ERRCODE=$?
+
+else
+ # IPv4 + IPv6
+ iptables $LINE
+ ERRCODE=$?
+ ip6tables $LINE
+ if [ $? -ge "1" ]; then
+ ERRCODE=$?
+ fi
+
+fi
+
+exit $ERRCODE
diff --git a/ip64tables-allports.conf b/ip64tables-allports.conf
new file mode 100644
index 00000000000..7474f7d5d31
--- /dev/null
+++ b/ip64tables-allports.conf
@@ -0,0 +1,14 @@
+[Definition]
+actionstart = ip64tables -N fail2ban-<name>
+ ip64tables -A fail2ban-<name> -j RETURN
+ ip64tables -I INPUT -p <protocol> -j fail2ban-<name>
+actionstop = ip64tables -D INPUT -p <protocol> -j fail2ban-<name>
+ ip64tables -F fail2ban-<name>
+ ip64tables -X fail2ban-<name>
+actioncheck = ip64tables -n -L INPUT | grep -q fail2ban-<name>
+actionban = ip64tables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionunban = ip64tables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+name = default
+protocol = tcp
diff --git a/ip64tables-ipset-proto6-allports.conf b/ip64tables-ipset-proto6-allports.conf
new file mode 100644
index 00000000000..f077da876ef
--- /dev/null
+++ b/ip64tables-ipset-proto6-allports.conf
@@ -0,0 +1,64 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules which probably won't be protocol version 6.
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipset create f2b-<name> hash:ip family inet timeout <bantime>
+ ipset create f2b6-<name> hash:ip family inet6 timeout <bantime>
+ <iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
+ ip6tables -I <chain> -m set --match-set f2b6-<name> src -j <blocktype>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
+ ip6tables -D <chain> -m set --match-set f2b6-<name> src -j <blocktype>
+ ipset flush f2b-<name>
+ ipset flush f2b6-<name>
+ ipset destroy f2b-<name>
+ ipset destroy f2b6-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipset del f2b-<name> <ip> -exist
+
+[Init]
+
+# Option: bantime
+# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values: [ NUM ] Default: 600
+#
+bantime = 600
diff --git a/ip64tables-multiport.conf b/ip64tables-multiport.conf
new file mode 100644
index 00000000000..5b0c04a0cec
--- /dev/null
+++ b/ip64tables-multiport.conf
@@ -0,0 +1,15 @@
+[Definition]
+actionstart = ip64tables -N fail2ban-<name>
+ ip64tables -A fail2ban-<name> -j RETURN
+ ip64tables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = ip64tables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ ip64tables -F fail2ban-<name>
+ ip64tables -X fail2ban-<name>
+actioncheck = ip64tables -n -L INPUT | grep -q fail2ban-<name>
+actionban = ip64tables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionunban = ip64tables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+name = default
+port = ssh
+protocol = tcp