author | Thomas Heinemann | 2017-01-15 12:19:09 +0100 |
---|---|---|
committer | Thomas Heinemann | 2017-01-15 12:19:09 +0100 |
commit | 49e2ffdd43ccbd51b301a3075792c42a08525cc7 (patch) | |
tree | 6f2c149da8ff0f98515e7a690428ef49a3cda807 | |
download | aur-49e2ffdd43ccbd51b301a3075792c42a08525cc7.tar.gz |
initial release
-rw-r--r-- | .SRCINFO | 40 | ||||
-rw-r--r-- | PKGBUILD | 90 | ||||
-rw-r--r-- | fail2ban.install | 3 | ||||
-rw-r--r-- | failregex.patch | 12 | ||||
-rw-r--r-- | filter.patch | 38 | ||||
-rwxr-xr-x | ip64set | 30 | ||||
-rwxr-xr-x | ip64tables | 29 | ||||
-rw-r--r-- | ip64tables-allports.conf | 14 | ||||
-rw-r--r-- | ip64tables-ipset-proto6-allports.conf | 64 | ||||
-rw-r--r-- | ip64tables-multiport.conf | 15 |
10 files changed, 335 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..217923865c2f
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,40 @@
+pkgbase = fail2ban6
+ pkgdesc = Bans IPs after too many failed authentication attempts (IPv6 supported based on crycode patch)
+ pkgver = 0.9.6
+ pkgrel = 1
+ url = http://www.fail2ban.org/
+ install = fail2ban.install
+ arch = any
+ license = GPL
+ checkdepends = python-setuptools
+ checkdepends = python-coverage
+ makedepends = python-setuptools
+ depends = iptables
+ depends = python-pyinotify
+ depends = whois
+ depends = sqlite
+ depends = python-systemd
+ provides = fail2ban
+ conflicts = fail2ban
+ backup = etc/fail2ban/fail2ban.conf
+ backup = etc/fail2ban/jail.conf
+ backup = etc/logrotate.d/fail2ban
+ source = fail2ban-0.9.6.tar.gz::https://github.com/fail2ban/fail2ban/archive/0.9.6.tar.gz
+ source = failregex.patch
+ source = filter.patch
+ source = ip64tables
+ source = ip64tables-allports.conf
+ source = ip64tables-multiport.conf
+ source = ip64set
+ source = ip64tables-ipset-proto6-allports.conf
+ md5sums = 8758789d40366f5e212b4e6b629297d1
+ md5sums = 096da47cbf505d2cf6fb718d7df9f9a5
+ md5sums = 0640491c11f56f91f1ce6fe31a3d84c2
+ md5sums = 2ad1875d08cc53537e623cea334baa25
+ md5sums = 1bb20dcd9db96e95c79cfe1e77f823dd
+ md5sums = 7785327e2fae4b051be7a82e97318010
+ md5sums = 6119045904445c559e9e53cb1a9c5fb0
+ md5sums = 699c29dfec7528da62ccaecbdc263f6e
+
+pkgname = fail2ban6
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..af4afc8fe97b
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,90 @@
+# $Id$
+# Maintainer: Felix Yan <felixonmars@archlinux.org>
+# Contributor: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
+# Contributor: Geoffroy Carrier <geoffroy.carrier@koon.fr>
+# Contributor: michalzxc
+# Contributor: nbags <neilbags@gmail.com>
+# Contributor: Thomas Heinemann <thomas@niphba.de>
+
+pkgname=fail2ban6
+pkgver=0.9.6
+pkgrel=1
+provides=(fail2ban)
+conflicts=(fail2ban)
+pkgdesc='Bans IPs after too many failed authentication attempts (IPv6 supported based on crycode patch)'
+url='http://www.fail2ban.org/'
+license=('GPL')
+arch=('any')
+depends=('iptables' 'python-pyinotify' 'whois' 'sqlite' 'python-systemd')
+makedepends=('python-setuptools')
+checkdepends=('python-setuptools' 'python-coverage')
+backup=(etc/fail2ban/fail2ban.conf
+ etc/fail2ban/jail.conf
+ etc/logrotate.d/fail2ban)
+install=fail2ban.install
+source=(fail2ban-$pkgver.tar.gz::https://github.com/fail2ban/fail2ban/archive/$pkgver.tar.gz
+ failregex.patch
+ filter.patch
+ ip64tables
+ ip64tables-allports.conf
+ ip64tables-multiport.conf
+ ip64set
+ ip64tables-ipset-proto6-allports.conf)
+md5sums=('8758789d40366f5e212b4e6b629297d1'
+ '096da47cbf505d2cf6fb718d7df9f9a5'
+ '0640491c11f56f91f1ce6fe31a3d84c2'
+ '2ad1875d08cc53537e623cea334baa25'
+ '1bb20dcd9db96e95c79cfe1e77f823dd'
+ '7785327e2fae4b051be7a82e97318010'
+ '6119045904445c559e9e53cb1a9c5fb0'
+ '699c29dfec7528da62ccaecbdc263f6e')
+
+check() {
+ cd fail2ban-$pkgver
+ ./fail2ban-2to3
+ coverage run bin/fail2ban-testcases || warning "Tests failed"
+}
+
+package() {
+ cd fail2ban-$pkgver
+
+ # patch crycode ipv6
+ cd fail2ban/server
+ patch < $srcdir/failregex.patch
+ patch < $srcdir/filter.patch
+ cd ../..
+
+ python setup.py install --prefix /usr --root "$pkgdir" --optimize=1
+
+ chmod 644 "$pkgdir/usr/lib/python3.6/site-packages/fail2ban-$pkgver-py3.6.egg-info"/*
+
+ install -Dm644 files/fail2ban.service \
+ "$pkgdir"/usr/lib/systemd/system/fail2ban.service
+ install -Dm644 files/fail2ban-tmpfiles.conf \
+ "$pkgdir"/usr/lib/tmpfiles.d/fail2ban.conf
+ install -Dm644 files/fail2ban-logrotate \
+ "$pkgdir"/etc/logrotate.d/fail2ban
+ install -Dm644 files/bash-completion \
+ "$pkgdir"/usr/share/bash-completion/completions/fail2ban
+
+ # fix sendmail location
+ sed -i 's/sbin/bin/g' "$pkgdir"/etc/fail2ban/action.d/sendmail*.conf
+
+ install -Dm644 man/fail2ban.1 "$pkgdir"/usr/share/man/man1/fail2ban.1
+ install -Dm644 man/fail2ban-client.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-client.1
+ install -Dm644 man/fail2ban-regex.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-regex.1
+ install -Dm644 man/fail2ban-server.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-server.1
+ install -Dm644 man/jail.conf.5 "$pkgdir"/usr/share/man/man5/jail.conf.5
+
+ # include ip64 files
+ install -Dm755 $srcdir/ip64tables $pkgdir/usr/bin/ip64tables
+ install -Dm644 $srcdir/ip64tables-allports.conf $pkgdir/etc/fail2ban/action.d/ip64tables-allports.conf
+ install -Dm644 $srcdir/ip64tables-multiport.conf $pkgdir/etc/fail2ban/action.d/ip64tables-multiport.conf
+ install -Dm755 $srcdir/ip64set $pkgdir/usr/bin/ip64set
+ install -Dm644 $srcdir/ip64tables-ipset-proto6-allports.conf $pkgdir/etc/fail2ban/action.d/ip64tables-ipset-proto6-allports.conf
+
+ rm -r "$pkgdir/run"
+}
diff --git a/fail2ban.install b/fail2ban.install
new file mode 100644
index 000000000000..54a73d9a5f98
--- /dev/null
+++ b/fail2ban.install
@@ -0,0 +1,3 @@
+post_install() {
+ usr/bin/systemd-tmpfiles --create fail2ban.conf
+}
diff --git a/failregex.patch b/failregex.patch
new file mode 100644
index 000000000000..6ff45378070c
--- /dev/null
+++ b/failregex.patch
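Review bot: The source patches are applied inside package() (`patch < $srcdir/failregex.patch`, `patch < $srcdir/filter.patch`) instead of a prepare() function, so check(), which makepkg runs first, tests the unpatched tree and never exercises the IPv6 change this package ships; moving the `cd fail2ban/server` / `patch ...` / `cd ../..` lines into `prepare()` fixes that. Those same lines and the `# include ip64 files` block leave `$srcdir` and `$pkgdir` unquoted while the rest of the file quotes them; quoting keeps word splitting out of a build whose directory path the packager does not control. The `chmod 644 "$pkgdir/usr/lib/python3.6/site-packages/..."` line hard-codes the interpreter version and will break the build on the next Python bump; a glob such as `"$pkgdir"/usr/lib/python*/site-packages/fail2ban-$pkgver-py*.egg-info/*` tracks it. Consider also replacing `md5sums` with `sha256sums` (`updpkgsums` regenerates them), since the checksum array is the only integrity check on the downloaded tarball.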
@@ -0,0 +1,12 @@
+# Fail2Ban IPv6 Patch for Fail2Ban v0.9.3, v0.9.4, v0.9.5
+--- failregex.py.orig
++++ failregex.py
+@@ -44,7 +44,7 @@
+ self._matchCache = None
+ # Perform shortcuts expansions.
+ # Replace "<HOST>" with default regular expression for host.
+- regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)")
++ regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_:]*\w)")
+ # Replace "<SKIPLINES>" with regular expression for multiple lines.
+ regexSplit = regex.split("<SKIPLINES>")
+ regex = regexSplit[0]
diff --git a/filter.patch b/filter.patch
new file mode 100644
index 000000000000..bfee65b963a0
--- /dev/null
+++ b/filter.patch
@@ -0,0 +1,38 @@
+# Fail2Ban IPv6 Patch for Fail2Ban v0.9.3, v0.9.4, v0.9.5
+--- filter.py.orig
++++ filter.py
+@@ -849,6 +849,7 @@
+ class DNSUtils:
+
+ IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
++ IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")
+
+ @staticmethod
+ def dnsToIp(dns):
+@@ -883,19 +884,21 @@
+ if match:
+ return match
+ else:
+- return None
++ match = DNSUtils.IP_CRE6.match(text)
++ if match:
++ """ Right Here, we faced to a ipv6
++ """
++ return match
++ else:
++ return None
+
+ @staticmethod
+ def isValidIP(string):
+ """ Return true if str is a valid IP
++ We Consider that logfiles didn't make errors ;)
+ """
+- s = string.split('/', 1)
+- try:
+- socket.inet_aton(s[0])
+- return True
+- except socket.error:
+- return False
++ return True
+
+ @staticmethod
diff --git a/ip64set b/ip64set
new file mode 100755
index 000000000000..c862f8e5bacb
--- /dev/null
+++ b/ip64set
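Review bot: The patch header still says `Fail2Ban IPv6 Patch for Fail2Ban v0.9.3, v0.9.4, v0.9.5` while the PKGBUILD builds 0.9.6 and applies it with a bare `patch <` (default fuzz, no `-p` level), so nothing records that the hunk was checked against the 0.9.6 tree; once verified, the header should read `# Fail2Ban IPv6 Patch, verified against Fail2Ban v0.9.6`. Note that the widened class `[\w\-.^_:]*\w` only adds `:` to a set that already admits `^` and `_` literally, so a `<HOST>` match is not by itself an address; that is acceptable only while the code downstream still validates the captured token.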
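Review bot: The new body of `isValidIP` is an unconditional `return True`, which removes the one syntactic check between a regex-captured `<HOST>` token and the ban actions (`ipset add ... <ip>`, `iptables ... -s <ip>`); together with the widened host class in failregex.patch, whatever the filter captures, including malformed strings such as `:::` that `IP_CRE6` (`^(?:[0-9:A-Fa-f]{3,})$`) also accepts, reaches the action layer as an address. Whether that is only a noisy `ipset`/`iptables` failure or something worse depends on how the action layer quotes `<ip>`, which is outside this hunk, so keeping a real check is the safer course; `socket` is already used by the removed lines, and `socket.inet_pton` validates both families. The triple-quoted `""" Right Here, we faced to a ipv6 """` inside the new `if match:` branch is an expression statement, not a comment; `# matched an IPv6 address` is what was meant. The enclosing `DNSUtils` class continues outside the hunk.
```python
    @staticmethod
    def isValidIP(string):
        """ Return true if str is a valid IPv4 or IPv6 address
            (an optional /prefix suffix is ignored)
        """
        s = string.split('/', 1)
        for family in (socket.AF_INET, socket.AF_INET6):
            try:
                socket.inet_pton(family, s[0])
                return True
            except socket.error:
                pass
        return False
```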
@@ -0,0 +1,30 @@
+#!/bin/bash
+# ipset switch
+LINE=$*
+LINE6=`echo $LINE | sed s/f2b-/f2b6-/`
+
+RESULT=`echo $LINE | egrep " ([0-9]{1,3}\.){3}[0-9]{1,3}" | wc -l`
+RESULT6=`echo $LINE | egrep "(::[A-Fa-f0-9])|((:[A-Fa-f0-9]{1,4}){2,})" | wc -l `
+
+if [ $RESULT -eq "1" ]; then
+ # IPv4
+ ipset $LINE
+ ERRCODE=$?
+
+elif [ $RESULT6 -eq "1" ]; then
+ # IPv6
+ ipset $LINE6
+ ERRCODE=$?
+
+else
+ # IPv4 + IPv6
+ ipset $LINE
+ ERRCODE=$?
+ ipset $LINE6
+ if [ $? -ge "1" ]; then
+ ERRCODE=$?
+ fi
+
+fi
+
+exit $ERRCODE
diff --git a/ip64tables b/ip64tables
new file mode 100755
index 000000000000..7b1639de5335
--- /dev/null
+++ b/ip64tables
@@ -0,0 +1,29 @@
+#!/bin/bash
+# iptables/ip6tables switch
+LINE=$*
+
+RESULT=`echo $LINE | egrep " ([0-9]{1,3}\.){3}[0-9]{1,3}" | wc -l`
+RESULT6=`echo $LINE | egrep "(::[A-Fa-f0-9])|((:[A-Fa-f0-9]{1,4}){2,})" | wc -l `
+
+if [ $RESULT -eq "1" ]; then
+ # IPv4
+ iptables $LINE
+ ERRCODE=$?
+
+elif [ $RESULT6 -eq "1" ]; then
+ # IPv6
+ ip6tables $LINE
+ ERRCODE=$?
+
+else
+ # IPv4 + IPv6
+ iptables $LINE
+ ERRCODE=$?
+ ip6tables $LINE
+ if [ $? -ge "1" ]; then
+ ERRCODE=$?
+ fi
+
+fi
+
+exit $ERRCODE
diff --git a/ip64tables-allports.conf b/ip64tables-allports.conf
new file mode 100644
index 000000000000..7474f7d5d31c
--- /dev/null
+++ b/ip64tables-allports.conf
@@ -0,0 +1,14 @@
+[Definition]
+actionstart = ip64tables -N fail2ban-<name>
+ ip64tables -A fail2ban-<name> -j RETURN
+ ip64tables -I INPUT -p <protocol> -j fail2ban-<name>
+actionstop = ip64tables -D INPUT -p <protocol> -j fail2ban-<name>
+ ip64tables -F fail2ban-<name>
+ ip64tables -X fail2ban-<name>
+actioncheck = ip64tables -n -L INPUT | grep -q fail2ban-<name>
+actionban = ip64tables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionunban = ip64tables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+name = default
+protocol = tcp
diff --git a/ip64tables-ipset-proto6-allports.conf b/ip64tables-ipset-proto6-allports.conf
new file mode 100644
index 000000000000..f077da876efe
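Review bot: In the `else` branch, the `ERRCODE=$?` inside `if [ $? -ge "1" ]; then` reads the exit status of the `[` test (0 on that path), not of the preceding `ipset $LINE6`, so a failed IPv6 call is reported to fail2ban as success; capture it first: `ipset $LINE6; RC6=$?; if [ $RC6 -ge 1 ]; then ERRCODE=$RC6; fi`. ip64tables repeats the same construct around `ip6tables $LINE`. `LINE=$*` followed by the unquoted `ipset $LINE` re-splits and glob-expands every argument fail2ban passed, so any argument containing whitespace or a shell glob character changes the command, and the `echo $LINE | egrep` detection sees the same mangled text; `"$@"` preserves the arguments for the direct calls, although the `sed s/f2b-/f2b6-/` rewrite would then need to be applied per argument (as written it also rewrites only the first occurrence). The two `egrep` patterns decide which tool runs, so a line that matches neither silently executes both commands; a comment stating that this is the intended behaviour for set/chain management commands would help the next reader.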
--- /dev/null
+++ b/ip64tables-ipset-proto6-allports.conf
@@ -0,0 +1,64 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules which probably won't be protocol version 6.
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipset create f2b-<name> hash:ip family inet timeout <bantime>
+ ipset create f2b6-<name> hash:ip family inet6 timeout <bantime>
+ <iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
+ ip6tables -I <chain> -m set --match-set f2b6-<name> src -j <blocktype>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
+ ip6tables -D <chain> -m set --match-set f2b6-<name> src -j <blocktype>
+ ipset flush f2b-<name>
+ ipset flush f2b6-<name>
+ ipset destroy f2b-<name>
+ ipset destroy f2b6-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipset del f2b-<name> <ip> -exist
+
+[Init]
+
+# Option: bantime
+# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values: [ NUM ] Default: 600
+#
+bantime = 600
diff --git a/ip64tables-multiport.conf b/ip64tables-multiport.conf
new file mode 100644
index 000000000000..5b0c04a0cec9
--- /dev/null
+++ b/ip64tables-multiport.conf
@@ -0,0 +1,15 @@
+[Definition]
+actionstart = ip64tables -N fail2ban-<name>
+ ip64tables -A fail2ban-<name> -j RETURN
+ ip64tables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = ip64tables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ ip64tables -F fail2ban-<name>
+ ip64tables -X fail2ban-<name>
+actioncheck = ip64tables -n -L INPUT | grep -q fail2ban-<name>
+actionban = ip64tables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionunban = ip64tables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+name = default
+port = ssh
+protocol = tcp
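Review bot: `actionstart` creates both `f2b-<name>` (family inet) and `f2b6-<name>` (family inet6), but `actionban` and `actionunban` call plain `ipset add f2b-<name> <ip> ...` / `ipset del f2b-<name> <ip> -exist`, so an IPv6 `<ip>` is always sent to the inet set, ipset rejects it, and IPv6 offenders are never banned by this action even though the `f2b6-<name>` chain rule is in place. The PKGBUILD installs `ip64set` next to this file, which suggests the intended lines are `actionban = ip64set add f2b-<name> <ip> timeout <bantime> -exist` and `actionunban = ip64set del f2b-<name> <ip> -exist` (ip64set rewrites `f2b-` to `f2b6-` when it detects an IPv6 argument). The header still carries the upstream `Author: Daniel Black` line and refers readers to `iptables-ipset-proto4.conf`; a comment such as `# Adapted for dual-stack use: a second set f2b6-<name> is maintained via ip6tables` would tell the next maintainer how this file differs from the stock action.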