specs/f/fail2ban/fail2ban-vl.spec

%bcond_with systemd
%bcond_with tests

%global py2to3 /usr/bin/2to3-3.8

Summary: Ban IPs that make too many password failures
Name: fail2ban
Version: 0.11.2
Release: 1%{?_dist_release}%{?with_systemd:.systemd}
Group: system
Vendor: Project Vine
Distribution: Vine Linux

License: GPLv2+
URL: https://github.com/fail2ban/fail2ban
Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: fail2ban-logrotate

# Fixes century selector for tests
# https://bugzilla.redhat.com/show_bug.cgi?id=1912472
Patch1: https://github.com/fail2ban/fail2ban/commit/f259dac74721c00f0184bf45277137771fc747fe.patch

Patch1000: CVE-2021-32749.patch

BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: python3-devel
BuildRequires: python3-rpm-macros
BuildRequires: python3-setuptools
Requires: iptables, ipset
#Requires: tcp_wrappers
Requires: python3-inotify
%if %{with systemd}
%{?systemd_requires}
%else
Requires: initscripts
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
%endif

%description
Fail2ban scans log files like /var/log/pwdfail or
/var/log/apache/error_log and bans IP that makes too many password
failures. It updates firewall rules to reject the IP address.


%prep
%setup -q
%autosetup -p1

%{py2to3} --write --nobackups .
find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} +


%build
%{py3_build}


%install
rm -rf %{buildroot}
%{py3_install}

%if %{with systemd}
mkdir -p %{buildroot}%{_unitdir}
install -p -m 0644 build/fail2ban.service %{buildroot}%{_unitdir}/
mkdir -p %{buildroot}%{_tmpfilesdir}
install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf
install -d -m 0755 %{buildroot}/run/fail2ban/
install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
# systemd journal configuration
cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
# This file is part of the fail2ban-systemd package to configure the use of
# the systemd journal as the default backend.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not want to use the
# journal backend
[DEFAULT]
backend=systemd
EOF
%else
mkdir -p %{buildroot}%{_initddir}
install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban
%endif
mkdir -p %{buildroot}%{_mandir}/man{1,5}
install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/
install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/

rm -rf %{buildroot}%{_docdir}/fail2ban

# Remove non-Linux actions
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf


%if %{with tests}
%check
export LANG=ja_JP.UTF-8
%{__python3} bin/fail2ban-testcases --verbosity=2 --no-network
%endif


%clean
rm -rf %{buildroot}


%post
%if %{with systemd}
%systemd_post fail2ban.service
%else
/sbin/chkconfig --add %{name}
%endif

%preun
%if %{with systemd}
%systemd_preun fail2ban.service
%else
if [ $1 = 0 -o -x /bin/systemctl ]; then
  /sbin/service %{name} stop > /dev/null 2>&1
  /sbin/chkconfig --del %{name}
fi
%endif

%if %{with systemd}
%postun
%systemd_postun_with_restart fail2ban.service
%endif


%files
%defattr(-,root,root,-)
%license COPYING
%doc ChangeLog DEVELOP FILTERS README.md THANKS TODO doc/*.txt
#doc config/fail2ban.conf*
%{_bindir}/fail2ban-python
%{_bindir}/fail2ban-server
%{_bindir}/fail2ban-client
%{_bindir}/fail2ban-regex
%{_bindir}/fail2ban-testcases
#%{_datadir}/fail2ban
%{python3_sitelib}/fail2ban*
%{_mandir}/man1/*.1*
%{_mandir}/man5/*.5*
%dir %{_sysconfdir}/fail2ban
%dir %{_sysconfdir}/fail2ban/action.d
%dir %{_sysconfdir}/fail2ban/filter.d
%dir %{_sysconfdir}/fail2ban/filter.d/ignorecommands
%dir %{_sysconfdir}/fail2ban/jail.d
%config(noreplace) %{_sysconfdir}/fail2ban/*.conf
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*
%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf
%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/ignorecommands/*
%config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
%dir %{_localstatedir}/lib/fail2ban/
%if %{with systemd}
%{_unitdir}/*
%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/*
%config(noreplace) %{_tmpfilesdir}/fail2ban.conf
%dir /run/%{name}/
%ghost %verify(not size mtime md5) /run/%{name}/%{name}.pid
%else
%{_initddir}/fail2ban
%dir %{_localstatedir}/run/fail2ban/
%endif


%changelog
* Wed Jul 28 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.11.2-1
- new upstream release.
- imported Patch1000 from upstream to fix CVE-2021-32749.
- dropped Patch1-4: fixed in upstream.
- imported Patch1 from rawhide.

* Sat Aug 15 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.11.1-2
- rebuilt with python-3.8.

* Fri May 01 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.11.1-1
- new upstream release.
- added systemd support (disabled as default).

* Tue Aug 27 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.10.4-1
- new upstream release.
- switched to python3.

* Sat Dec 30 2017 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.10.1-1
- new upstream release.

* Fri Jun  3 2016 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.9.4-1
- new upstream release.

* Sun Feb  8 2015 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.8.14-1
- new upstream release.

* Mon Jun 10 2013 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.8.9-1
- new upstream release.

* Thu Oct 18 2012 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 0.8.7.1-2
- initial build on Vine Linux.

* Thu Oct 11 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.7.1-1
- Update to 0.8.7.1
- Drop fd_cloexec, pyinotify, and examplemail patches fixed upstream
- Rebase sshd and notmp patches
- Use _initddir macro

* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-29
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Sat Apr  9 2011 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-27
- Move tmp files to /var/lib (suggested by Phil Anderson).
- Enable inotify support (by Jonathan Underwood).
- Fixes RH bugs #669966, #669965, #551895, #552947, #658849, #656584.

* Sun Feb 14 2010 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-24
- Patch by Jonathan G. Underwood <jonathan.underwood@gmail.com> to
  cloexec another fd leak.

* Fri Sep 11 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-23
- update to 0.8.4.

* Wed Sep  2 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-22
- Update to a newer svn snapshot to fix python 2.6 issue.

* Thu Aug 27 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-21
- Log to syslog (RH bug #491983). Also deals with RH bug #515116.
- Check inodes of log files (RH bug #503852).

* Sat Feb 14 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-18
- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466).

* Mon Dec 01 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 0.8.3-17
- Rebuild for Python 2.6

* Sun Aug 24 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-16
- Update to 0.8.3.

* Wed May 21 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.8.2-15
- fix license tag

* Thu Mar 27 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-14
- Close on exec fixes by Jonathan Underwood.

* Sun Mar 16 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-13
- Add %%{_localstatedir}/run/fail2ban (David Rees).

* Fri Mar 14 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-12
- Update to 0.8.2.

* Thu Jan 31 2008 Jonathan G. Underwood <jonathan.underwood@gmail.com> - 0.8.1-11
- Move socket file from /tmp to /var/run to prevent SElinux from stopping
  fail2ban from starting (BZ #429281)
- Change logic in init file to start with -x to remove the socket file in case
  of unclean shutdown

* Wed Aug 15 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.1-10
- Update to 0.8.1.
- Remove patch fixing CVE-2007-4321 (upstream).
- Remove AllowUsers patch (upstream).
- Add dependency to gamin-python.

* Thu Jun 21 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-9
- Fix remote log injection (no CVE assignment yet).

* Sun Jun  3 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-8
- Also trigger on non-AllowUsers failures (Jonathan Underwood
  <jonathan.underwood@gmail.com>).

* Wed May 23 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-7
- logrotate should restart fail2ban (Zing <zing@fastmail.fm>).
- send mail to root; logrotate (Jonathan Underwood
  <jonathan.underwood@gmail.com>)

* Sat May 19 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-4
- Update to 0.8.0.
- enable ssh by default, fix log file for ssh scanning, adjust python
  dependency (Jonathan Underwood <jonathan.underwood@gmail.com>)

* Sat Dec 30 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-3
- Remove forgotten condrestart.

* Fri Dec 29 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-2
- Move /usr/lib/fail2ban to %%{_datadir}/fail2ban.
- Don't default chkconfig to enabled.
- Add dependencies on service/chkconfig.
- Use example iptables/ssh config as default config.

* Mon Dec 25 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-1
- Initial build.