authorThomas Heinemann2017-01-15 12:19:09 +0100
committerThomas Heinemann2017-01-15 12:19:09 +0100
commit49e2ffdd43ccbd51b301a3075792c42a08525cc7 (patch)
tree6f2c149da8ff0f98515e7a690428ef49a3cda807
downloadaur-49e2ffdd43ccbd51b301a3075792c42a08525cc7.tar.gz
initial release
-rw-r--r--.SRCINFO40
-rw-r--r--PKGBUILD90
-rw-r--r--fail2ban.install3
-rw-r--r--failregex.patch12
-rw-r--r--filter.patch38
-rwxr-xr-xip64set30
-rwxr-xr-xip64tables29
-rw-r--r--ip64tables-allports.conf14
-rw-r--r--ip64tables-ipset-proto6-allports.conf64
-rw-r--r--ip64tables-multiport.conf15
10 files changed, 335 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..217923865c2f
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,40 @@
+pkgbase = fail2ban6
+ pkgdesc = Bans IPs after too many failed authentication attempts (IPv6 supported based on crycode patch)
+ pkgver = 0.9.6
+ pkgrel = 1
+ url = http://www.fail2ban.org/
+ install = fail2ban.install
+ arch = any
+ license = GPL
+ checkdepends = python-setuptools
+ checkdepends = python-coverage
+ makedepends = python-setuptools
+ depends = iptables
+ depends = python-pyinotify
+ depends = whois
+ depends = sqlite
+ depends = python-systemd
+ provides = fail2ban
+ conflicts = fail2ban
+ backup = etc/fail2ban/fail2ban.conf
+ backup = etc/fail2ban/jail.conf
+ backup = etc/logrotate.d/fail2ban
+ source = fail2ban-0.9.6.tar.gz::https://github.com/fail2ban/fail2ban/archive/0.9.6.tar.gz
+ source = failregex.patch
+ source = filter.patch
+ source = ip64tables
+ source = ip64tables-allports.conf
+ source = ip64tables-multiport.conf
+ source = ip64set
+ source = ip64tables-ipset-proto6-allports.conf
+ md5sums = 8758789d40366f5e212b4e6b629297d1
+ md5sums = 096da47cbf505d2cf6fb718d7df9f9a5
+ md5sums = 0640491c11f56f91f1ce6fe31a3d84c2
+ md5sums = 2ad1875d08cc53537e623cea334baa25
+ md5sums = 1bb20dcd9db96e95c79cfe1e77f823dd
+ md5sums = 7785327e2fae4b051be7a82e97318010
+ md5sums = 6119045904445c559e9e53cb1a9c5fb0
+ md5sums = 699c29dfec7528da62ccaecbdc263f6e
+
+pkgname = fail2ban6
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..af4afc8fe97b
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,90 @@
+# $Id$
+# Maintainer: Felix Yan <felixonmars@archlinux.org>
+# Contributor: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
+# Contributor: Geoffroy Carrier <geoffroy.carrier@koon.fr>
+# Contributor: michalzxc
+# Contributor: nbags <neilbags@gmail.com>
+# Contributor: Thomas Heinemann <thomas@niphba.de>
+
+pkgname=fail2ban6
+pkgver=0.9.6
+pkgrel=1
+provides=(fail2ban)
+conflicts=(fail2ban)
+pkgdesc='Bans IPs after too many failed authentication attempts (IPv6 supported based on crycode patch)'
+url='http://www.fail2ban.org/'
+license=('GPL')
+arch=('any')
+depends=('iptables' 'python-pyinotify' 'whois' 'sqlite' 'python-systemd')
+makedepends=('python-setuptools')
+checkdepends=('python-setuptools' 'python-coverage')
+backup=(etc/fail2ban/fail2ban.conf
+ etc/fail2ban/jail.conf
+ etc/logrotate.d/fail2ban)
+install=fail2ban.install
+source=(fail2ban-$pkgver.tar.gz::https://github.com/fail2ban/fail2ban/archive/$pkgver.tar.gz
+ failregex.patch
+ filter.patch
+ ip64tables
+ ip64tables-allports.conf
+ ip64tables-multiport.conf
+ ip64set
+ ip64tables-ipset-proto6-allports.conf)
+md5sums=('8758789d40366f5e212b4e6b629297d1'
+ '096da47cbf505d2cf6fb718d7df9f9a5'
+ '0640491c11f56f91f1ce6fe31a3d84c2'
+ '2ad1875d08cc53537e623cea334baa25'
+ '1bb20dcd9db96e95c79cfe1e77f823dd'
+ '7785327e2fae4b051be7a82e97318010'
+ '6119045904445c559e9e53cb1a9c5fb0'
+ '699c29dfec7528da62ccaecbdc263f6e')
+
+check() {
+ cd fail2ban-$pkgver
+ ./fail2ban-2to3
+ coverage run bin/fail2ban-testcases || warning "Tests failed"
+}
+
+package() {
+ cd fail2ban-$pkgver
+
+ # patch crycode ipv6
+ cd fail2ban/server
+ patch < $srcdir/failregex.patch
+ patch < $srcdir/filter.patch
+ cd ../..
+
+ python setup.py install --prefix /usr --root "$pkgdir" --optimize=1
+
+ chmod 644 "$pkgdir/usr/lib/python3.6/site-packages/fail2ban-$pkgver-py3.6.egg-info"/*
+
+ install -Dm644 files/fail2ban.service \
+ "$pkgdir"/usr/lib/systemd/system/fail2ban.service
+ install -Dm644 files/fail2ban-tmpfiles.conf \
+ "$pkgdir"/usr/lib/tmpfiles.d/fail2ban.conf
+ install -Dm644 files/fail2ban-logrotate \
+ "$pkgdir"/etc/logrotate.d/fail2ban
+ install -Dm644 files/bash-completion \
+ "$pkgdir"/usr/share/bash-completion/completions/fail2ban
+
+ # fix sendmail location
+ sed -i 's/sbin/bin/g' "$pkgdir"/etc/fail2ban/action.d/sendmail*.conf
+
+ install -Dm644 man/fail2ban.1 "$pkgdir"/usr/share/man/man1/fail2ban.1
+ install -Dm644 man/fail2ban-client.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-client.1
+ install -Dm644 man/fail2ban-regex.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-regex.1
+ install -Dm644 man/fail2ban-server.1 \
+ "$pkgdir"/usr/share/man/man1/fail2ban-server.1
+ install -Dm644 man/jail.conf.5 "$pkgdir"/usr/share/man/man5/jail.conf.5
+
+ # include ip64 files
+ install -Dm755 $srcdir/ip64tables $pkgdir/usr/bin/ip64tables
+ install -Dm644 $srcdir/ip64tables-allports.conf $pkgdir/etc/fail2ban/action.d/ip64tables-allports.conf
+ install -Dm644 $srcdir/ip64tables-multiport.conf $pkgdir/etc/fail2ban/action.d/ip64tables-multiport.conf
+ install -Dm755 $srcdir/ip64set $pkgdir/usr/bin/ip64set
+ install -Dm644 $srcdir/ip64tables-ipset-proto6-allports.conf $pkgdir/etc/fail2ban/action.d/ip64tables-ipset-proto6-allports.conf
+
+ rm -r "$pkgdir/run"
+}
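Review bot: The integrity check for every source at `md5sums=(` — the upstream tarball fetched from GitHub plus the seven local patch and script files — rests on MD5, which offers no collision resistance and is not an acceptable supply-chain control for a package that runs as root and rewrites firewall rules. makepkg supports stronger digests; replace the array with `sha256sums=(...)` (or `sha512sums`) regenerated with `updpkgsums` so a tampered or re-rolled archive is rejected at build time. The two patches are applied in package() (`patch < $srcdir/failregex.patch`), after check() has already run `bin/fail2ban-testcases` on the unpatched tree, so the test suite never exercises the IPv6 changes; move the patching into a prepare() function. The five `install -Dm... $srcdir/... $pkgdir/...` lines near the end also leave `$srcdir`/`$pkgdir` unquoted, unlike the quoted uses earlier in the same function, and `usr/lib/python3.6/site-packages` at the chmod line hard-codes the interpreter version that `python -c 'import sys; print(sys.version_info[:2])'` or `python -c 'import site; print(site.getsitepackages()[0])'` would derive.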
diff --git a/fail2ban.install b/fail2ban.install
new file mode 100644
index 000000000000..54a73d9a5f98
--- /dev/null
+++ b/fail2ban.install
@@ -0,0 +1,3 @@
+post_install() {
+ usr/bin/systemd-tmpfiles --create fail2ban.conf
+}
diff --git a/failregex.patch b/failregex.patch
new file mode 100644
index 000000000000..6ff45378070c
--- /dev/null
+++ b/failregex.patch
@@ -0,0 +1,12 @@
+# Fail2Ban IPv6 Patch for Fail2Ban v0.9.3, v0.9.4, v0.9.5
+--- failregex.py.orig
++++ failregex.py
+@@ -44,7 +44,7 @@
+ self._matchCache = None
+ # Perform shortcuts expansions.
+ # Replace "<HOST>" with default regular expression for host.
+- regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)")
++ regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_:]*\w)")
+ # Replace "<SKIPLINES>" with regular expression for multiple lines.
+ regexSplit = regex.split("<SKIPLINES>")
+ regex = regexSplit[0]
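Review bot: The header `# Fail2Ban IPv6 Patch for Fail2Ban v0.9.3, v0.9.4, v0.9.5` does not list 0.9.6, the version this package applies it to; if the hunk has been checked against 0.9.6's failregex.py the header should say so, e.g. `# Fail2Ban IPv6 Patch for Fail2Ban v0.9.3 - v0.9.6`, otherwise the build is trusting that a context that may have moved still carries the same meaning. The substantive change, adding `:` to the capture class in `(?P<host>[\w\-.^_:]*\w)`, widens what every jail's `<HOST>` tag matches, so tokens like `host:port` or `user:name` that a log line places in the address position now match as a host too. That widening is only safe while the server still validates the captured string before it becomes the `<ip>` tag in an action command, and this patch carries no such validation; it has to be read together with filter.patch.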
diff --git a/filter.patch b/filter.patch
new file mode 100644
index 000000000000..bfee65b963a0
--- /dev/null
+++ b/filter.patch
@@ -0,0 +1,38 @@
+# Fail2Ban IPv6 Patch for Fail2Ban v0.9.3, v0.9.4, v0.9.5
+--- filter.py.orig
++++ filter.py
+@@ -849,6 +849,7 @@
+ class DNSUtils:
+
+ IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
++ IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")
+
+ @staticmethod
+ def dnsToIp(dns):
+@@ -883,19 +884,21 @@
+ if match:
+ return match
+ else:
+- return None
++ match = DNSUtils.IP_CRE6.match(text)
++ if match:
++ """ Right Here, we faced to a ipv6
++ """
++ return match
++ else:
++ return None
+
+ @staticmethod
+ def isValidIP(string):
+ """ Return true if str is a valid IP
++ We Consider that logfiles didn't make errors ;)
+ """
+- s = string.split('/', 1)
+- try:
+- socket.inet_aton(s[0])
+- return True
+- except socket.error:
+- return False
++ return True
+
+ @staticmethod
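Review bot: Replacing the body of `isValidIP` with `return True` removes the last check between the `<host>` capture and the `<ip>` tag that the action files splice into root-run commands such as `ip64tables -I fail2ban-<name> 1 -s <ip> -j DROP`; together with the widened `<HOST>` class, any dot- or colon-bearing token an attacker can place in the address position of a log line is now treated as an address, skips the usedns resolution policy, and is passed straight to iptables/ipset, which may itself attempt to resolve a non-address argument. The new `IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")` is also too loose, accepting bare hex words like `dead` or `abc` as IPv6. The comment `We Consider that logfiles didn't make errors ;)` states the wrong threat model: fail2ban's input is attacker-influenced by design. Keep the kernel's parser as the arbiter by trying `socket.inet_pton` for both families (socket is already imported by the original body), and require at least one `:` in `IP_CRE6` or route it through the same check.

```python
    @staticmethod
    def isValidIP(string):
        """ Return true if str is a valid IPv4 or IPv6 address
        (an optional /prefix suffix is ignored, as before)
        """
        addr = string.split('/', 1)[0]
        for family in (socket.AF_INET, socket.AF_INET6):
            try:
                socket.inet_pton(family, addr)
                return True
            except socket.error:
                pass
        return False
```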
diff --git a/ip64set b/ip64set
new file mode 100755
index 000000000000..c862f8e5bacb
--- /dev/null
+++ b/ip64set
@@ -0,0 +1,30 @@
+#!/bin/bash
+# ipset switch
+LINE=$*
+LINE6=`echo $LINE | sed s/f2b-/f2b6-/`
+
+RESULT=`echo $LINE | egrep " ([0-9]{1,3}\.){3}[0-9]{1,3}" | wc -l`
+RESULT6=`echo $LINE | egrep "(::[A-Fa-f0-9])|((:[A-Fa-f0-9]{1,4}){2,})" | wc -l `
+
+if [ $RESULT -eq "1" ]; then
+ # IPv4
+ ipset $LINE
+ ERRCODE=$?
+
+elif [ $RESULT6 -eq "1" ]; then
+ # IPv6
+ ipset $LINE6
+ ERRCODE=$?
+
+else
+ # IPv4 + IPv6
+ ipset $LINE
+ ERRCODE=$?
+ ipset $LINE6
+ if [ $? -ge "1" ]; then
+ ERRCODE=$?
+ fi
+
+fi
+
+exit $ERRCODE
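Review bot: In the "IPv4 + IPv6" branch the exit status of the second call is lost: after `ipset $LINE6`, the test `if [ $? -ge "1" ]` consumes `$?`, so the `ERRCODE=$?` inside the branch stores the status of `[` (always 0) rather than that of ipset, and a failed operation on the inet6 set is reported to fail2ban as success. Save the status before testing it: `ipset $LINE6; RC6=$?` followed by `[ "$RC6" -ge 1 ] && ERRCODE=$RC6`. This branch is the one every `create`, `flush` and `destroy` line takes, since those carry no address to match, so a silently failing `f2b6-<name>` set is exactly the case it hides. `LINE=$*` also flattens the caller's arguments into one string that is re-split before reaching ipset; that is harmless for the single-token arguments the shipped action files pass, but worth a comment so nobody adds a quoted argument later.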
diff --git a/ip64tables b/ip64tables
new file mode 100755
index 000000000000..7b1639de5335
--- /dev/null
+++ b/ip64tables
@@ -0,0 +1,29 @@
+#!/bin/bash
+# iptables/ip6tables switch
+LINE=$*
+
+RESULT=`echo $LINE | egrep " ([0-9]{1,3}\.){3}[0-9]{1,3}" | wc -l`
+RESULT6=`echo $LINE | egrep "(::[A-Fa-f0-9])|((:[A-Fa-f0-9]{1,4}){2,})" | wc -l `
+
+if [ $RESULT -eq "1" ]; then
+ # IPv4
+ iptables $LINE
+ ERRCODE=$?
+
+elif [ $RESULT6 -eq "1" ]; then
+ # IPv6
+ ip6tables $LINE
+ ERRCODE=$?
+
+else
+ # IPv4 + IPv6
+ iptables $LINE
+ ERRCODE=$?
+ ip6tables $LINE
+ if [ $? -ge "1" ]; then
+ ERRCODE=$?
+ fi
+
+fi
+
+exit $ERRCODE
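Review bot: The dual-table branch has the same status-handling defect as ip64set: `if [ $? -ge "1" ]; then ERRCODE=$?` assigns the exit status of the `[` test, not of `ip6tables $LINE`, so a failing ip6tables in the "IPv4 + IPv6" path makes the wrapper return 0. Save the status first: `ip6tables $LINE; RC6=$?` and `[ "$RC6" -ge 1 ] && ERRCODE=$RC6`. Every actionstart, actionstop and actioncheck line in the shipped .conf files is address-less and therefore goes through this branch, so an ip6tables failure (missing chain, module not loaded) leaves IPv6 unprotected while fail2ban, seeing exit 0, presumably never re-runs actionstart.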
diff --git a/ip64tables-allports.conf b/ip64tables-allports.conf
new file mode 100644
index 000000000000..7474f7d5d31c
--- /dev/null
+++ b/ip64tables-allports.conf
@@ -0,0 +1,14 @@
+[Definition]
+actionstart = ip64tables -N fail2ban-<name>
+ ip64tables -A fail2ban-<name> -j RETURN
+ ip64tables -I INPUT -p <protocol> -j fail2ban-<name>
+actionstop = ip64tables -D INPUT -p <protocol> -j fail2ban-<name>
+ ip64tables -F fail2ban-<name>
+ ip64tables -X fail2ban-<name>
+actioncheck = ip64tables -n -L INPUT | grep -q fail2ban-<name>
+actionban = ip64tables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionunban = ip64tables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+name = default
+protocol = tcp
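Review bot: `actioncheck = ip64tables -n -L INPUT | grep -q fail2ban-<name>` cannot detect that one of the two tables has lost its chain: for an address-less line ip64tables runs both `iptables -n -L INPUT` and `ip6tables -n -L INPUT`, and their concatenated output feeds a single grep that succeeds as soon as either table still lists the chain. A flushed ip6tables ruleset therefore passes the check and every IPv6 actionban fails until restart. Check each table on its own: `actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> && ip6tables -n -L INPUT | grep -q fail2ban-<name>`. Unlike ip64tables-ipset-proto6-allports.conf in the same commit, this file has no `[INCLUDES]` / `before = iptables-common.conf`, so the `<iptables>`, `<chain>` and `<blocktype>` tags that file relies on are unavailable here and INPUT/DROP are hard-coded; if that is intentional, a header comment saying so would spare the next maintainer the comparison.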
diff --git a/ip64tables-ipset-proto6-allports.conf b/ip64tables-ipset-proto6-allports.conf
new file mode 100644
index 000000000000..f077da876efe
--- /dev/null
+++ b/ip64tables-ipset-proto6-allports.conf
@@ -0,0 +1,64 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules which probably won't be protocol version 6.
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipset create f2b-<name> hash:ip family inet timeout <bantime>
+ ipset create f2b6-<name> hash:ip family inet6 timeout <bantime>
+ <iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
+ ip6tables -I <chain> -m set --match-set f2b6-<name> src -j <blocktype>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
+ ip6tables -D <chain> -m set --match-set f2b6-<name> src -j <blocktype>
+ ipset flush f2b-<name>
+ ipset flush f2b6-<name>
+ ipset destroy f2b-<name>
+ ipset destroy f2b6-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipset del f2b-<name> <ip> -exist
+
+[Init]
+
+# Option: bantime
+# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values: [ NUM ] Default: 600
+#
+bantime = 600
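Review bot: `actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist` and `actionunban = ipset del f2b-<name> <ip> -exist` call ipset directly, so an IPv6 `<ip>` is always offered to the `family inet` set `f2b-<name>` and rejected; the `f2b6-<name>` set created in actionstart never receives an entry and the IPv6 half of this action is dead. The package installs `ip64set` precisely to rewrite `f2b-` to `f2b6-` when the arguments contain an IPv6 address, so these two lines should read `actionban = ip64set add f2b-<name> <ip> timeout <bantime> -exist` and `actionunban = ip64set del f2b-<name> <ip> -exist`. The header still credits the upstream author and points at `iptables-ipset-proto4.conf`; a line noting the dual-family modification and the dependency on ip64set would make the divergence from upstream explicit.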
diff --git a/ip64tables-multiport.conf b/ip64tables-multiport.conf
new file mode 100644
index 000000000000..5b0c04a0cec9
--- /dev/null
+++ b/ip64tables-multiport.conf
@@ -0,0 +1,15 @@
+[Definition]
+actionstart = ip64tables -N fail2ban-<name>
+ ip64tables -A fail2ban-<name> -j RETURN
+ ip64tables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = ip64tables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ ip64tables -F fail2ban-<name>
+ ip64tables -X fail2ban-<name>
+actioncheck = ip64tables -n -L INPUT | grep -q fail2ban-<name>
+actionban = ip64tables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionunban = ip64tables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+name = default
+port = ssh
+protocol = tcp
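Review bot: As in ip64tables-allports.conf, `actioncheck = ip64tables -n -L INPUT | grep -q fail2ban-<name>` greps the merged output of iptables and ip6tables and so reports success while one of the two chains is missing; test them separately with `actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> && ip6tables -n -L INPUT | grep -q fail2ban-<name>`. The `-m multiport --dports <port>` insert in actionstart runs against both tables through the wrapper's address-less branch, and given how that branch handles the second exit status a failing ip6tables insert can still yield 0, leaving IPv4 filtered and IPv6 open with nothing in the log. A one-line header such as `# Dual-stack variant of upstream iptables-multiport.conf; all calls go through ip64tables` would document the intent.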