Merge branch '0.10' into 0.11

2017-11-06 18:57:53 +01:00 · 2017-11-06 18:57:53 +01:00 · 70b933f405
parent 12419b75f2 7e756da2b9
commit 70b933f405
9 changed files with 46 additions and 64 deletions
--- a/4
+++ b/4
@ -39,6 +39,10 @@ ver. 0.11.0-dev-0 (2017/??/??) - development nightly edition
  ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now.

 ### Fixes
+* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely 
+  (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
+* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
+  in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
 * action.d/pf.conf: 
  - fixed syntax error in achnor definition (documentation, see gh-1919);
  - enclose ports in braces for multiport jails (see gh-1925);
--- a/config/jail.conf
+++ b/config/jail.conf
@ -227,10 +227,11 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]

 # Report block via blocklist.de fail2ban reporting service API
 # 
-# See the IMPORTANT note in action.d/blocklist_de.conf for when to
-# use this action. Create a file jail.d/blocklist_de.local containing
-# [Init]
-# blocklist_de_apikey = {api key from registration]
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
+# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
+# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
+# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
+# corresponding jail.d/my-jail.local file).
 #
 action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

@ -659,7 +660,7 @@ logpath = /opt/kerio/mailserver/store/logs/security.log

 [courier-auth]

-port     = smtp,465,submission,imap3,imaps,pop3,pop3s
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
 logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s

@ -667,7 +668,7 @@ backend  = %(syslog_backend)s
 [postfix-sasl]

 filter   = postfix[mode=auth]
-port     = smtp,465,submission,imap3,imaps,pop3,pop3s
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
@ -677,27 +678,27 @@ backend  = %(postfix_backend)s

 [perdition]

-port   = imap3,imaps,pop3,pop3s
+port   = imap,imaps,pop3,pop3s
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s


 [squirrelmail]

-port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
+port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
 logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log


 [cyrus-imap]

-port   = imap3,imaps
+port   = imap,imaps
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s


 [uwimap-auth]

-port   = imap3,imaps
+port   = imap,imaps
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s

--- a/config/paths-common.conf
+++ b/config/paths-common.conf
@ -9,21 +9,36 @@ after  = paths-overrides.local

 default_backend = %(default/backend)s

+# Initial common values (to overwrite in path-<distribution>.conf)...
+# There is no sensible generic defaults for syslog log targets, thus
+# leaving them empty here (resp. set to mostly used variant) in order 
+# to avoid errors while parsing/interpolating configs.
+#
+# Note systemd-backend does not need the logpath at all.
+#
+syslog_local0 = /var/log/messages
+
+syslog_authpriv = /var/log/auth.log
+syslog_daemon  = %(syslog_local0)s
+syslog_ftp = %(syslog_local0)s
+syslog_mail =
+syslog_mail_warn =
+syslog_user = %(syslog_local0)s
+
+# Set the default syslog backend target to default_backend
+syslog_backend = %(default_backend)s
+
+# Default values for several jails:
+
 sshd_log = %(syslog_authpriv)s
 sshd_backend = %(default_backend)s

 dropbear_log = %(syslog_authpriv)s
 dropbear_backend = %(default_backend)s

-# There is no sensible generic defaults for syslog log targets, thus
-# leaving them empty here so that no errors while parsing/interpolating configs
-syslog_daemon =
-syslog_ftp =
-syslog_local0 =
-syslog_mail_warn =
-syslog_user =
-# Set the default syslog backend target to default_backend
-syslog_backend = %(default_backend)s
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log

 # from /etc/audit/auditd.conf
 auditd_log = /var/log/audit/audit.log
--- a/config/paths-debian.conf
+++ b/config/paths-debian.conf
@ -15,23 +15,12 @@ syslog_mail = /var/log/mail.log
 # syslog_mail_warn = /var/log/mail.warn
 syslog_mail_warn = %(syslog_mail)s

-syslog_authpriv = /var/log/auth.log
-
-# syslog_auth = /var/log/auth.log
-#
 syslog_user  =  /var/log/user.log

 syslog_ftp = /var/log/syslog

 syslog_daemon =  /var/log/daemon.log

-syslog_local0 =  /var/log/messages
-
-
-apache_error_log = /var/log/apache2/*error.log
-
-apache_access_log = /var/log/apache2/*access.log
-
 exim_main_log = /var/log/exim4/mainlog

 # was in debian squeezy but not in wheezy
--- a/config/paths-fedora.conf
+++ b/config/paths-fedora.conf
@ -15,15 +15,6 @@ syslog_mail_warn = /var/log/maillog

 syslog_authpriv = /var/log/secure

-syslog_user =  /var/log/messages
-
-syslog_ftp  = /var/log/messages
-
-syslog_daemon  = /var/log/messages
-
-syslog_local0  = /var/log/messages
-
-
 apache_error_log = /var/log/httpd/*error_log

 apache_access_log = /var/log/httpd/*access_log
--- a/config/paths-freebsd.conf
+++ b/config/paths-freebsd.conf
@ -15,19 +15,10 @@ syslog_mail = /var/log/maillog

 syslog_mail_warn = /var/log/maillog

-syslog_authpriv = /var/log/auth.log
-
 # note - is only ftp.info - if notice /var/log/messages may be needed
 syslog_ftp = /var/log/xferlog

-syslog_daemon = /var/log/messages
-
-syslog_local0 = /var/log/messages
-
 # Linux things
-# we fake to avoid parse error in startups
-
-auditd_log = /dev/null

 # http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
 # http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
--- a/config/paths-opensuse.conf
+++ b/config/paths-opensuse.conf
@ -9,24 +9,12 @@ after  = paths-overrides.local

 [DEFAULT]

-syslog_local0  = /var/log/messages
-
 syslog_mail = /var/log/mail

 syslog_mail_warn = %(syslog_mail)s

 syslog_authpriv = %(syslog_local0)s

-syslog_user =  %(syslog_local0)s
-
-syslog_ftp  = %(syslog_local0)s
-
-syslog_daemon  = %(syslog_local0)s
-
-apache_error_log = /var/log/apache2/*error_log
-
-apache_access_log = /var/log/apache2/*access_log
-
 pureftpd_log = %(syslog_local0)s

 exim_main_log = /var/log/exim/main.log
--- a/config/paths-osx.conf
+++ b/config/paths-osx.conf
@ -17,11 +17,11 @@ syslog_mail_warn = /var/log/mail.warn
 syslog_authpriv = /var/log/secure.log
 #syslog_auth = 

-#syslog_user = 
+syslog_user = 

-#syslog_ftp = 
+syslog_ftp = 

-#syslog_daemon = 
+syslog_daemon = 

-#syslog_local0 =
+syslog_local0 =

--- a/files/gentoo-initd
+++ b/files/gentoo-initd
@ -18,6 +18,9 @@
 # Author: Sireyessire, Cyril Jaquier
 #

+description="Daemon to ban hosts that cause multiple authentication errors"
+description_reload="reload configuration"
+description_showlog="show fail2ban logs"
 extra_started_commands="reload showlog"

 FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"