From a4899fabf883a064948e47ae0e08fef52d1d718d Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Tue, 5 Sep 2006 06:10:29 +0000 Subject: [PATCH] Initial minimalistic but working packaging of fail2ban 0.7.1 --- debian/changelog | 6 + debian/control | 22 ++-- debian/fail2ban.default | 23 ++++ debian/fail2ban.init | 143 +++++++++++++++++++++++ debian/patches/00list | 9 +- debian/patches/X00_rigid_python24.dpatch | 45 +++++++ debian/rules | 22 ++-- 7 files changed, 244 insertions(+), 26 deletions(-) create mode 100644 debian/fail2ban.default create mode 100644 debian/fail2ban.init create mode 100755 debian/patches/X00_rigid_python24.dpatch diff --git a/debian/changelog b/debian/changelog index fc2d68c1..b37100b7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +fail2ban (0.7.1-1) UNRELEASED; urgency=low + + * (NOT RELEASED YET) New upstream release + + -- Yaroslav Halchenko Tue, 5 Sep 2006 00:26:08 -0400 + fail2ban (0.6.1-11) unstable; urgency=low * Adjusted manpage for fail2ban.conf to point to shipped examples of diff --git a/debian/control b/debian/control index 8c3e312c..f609bb78 100644 --- a/debian/control +++ b/debian/control 
@@ -5,21 +5,25 @@ Maintainer: Yaroslav Halchenko Uploaders: Barak Pearlmutter Build-Depends: debhelper (>= 4.1.67), dpatch Build-Depends-Indep: python, python-dev, help2man, python-central (>= 0.4.17) -XS-Python-Version: current, >= 2.3 +XS-Python-Version: current, >= 2.4 Standards-Version: 3.7.2 Package: fail2ban Architecture: all Depends: ${python:Depends}, iptables, lsb-base (>=2.0-7) -XB-Python-Version: ${python:Versions} +XB-Python-Version: 2.4 Description: bans IPs that cause multiple authentication errors - Monitors (in daemon mode) or just scans log files (e.g. /var/log/auth.log, - /var/log/apache/access.log) and temporarily bans failure-prone - addresses by updating existing firewall rules. Currently, by default, - supports ssh/apache but configuration can be easily extended for scanning - the other ASCII log files. Firewall rules are given in the config file, - thus it can be adopted to be used with a variety of firewalls (e.g. iptables, - ipfwadm). + Monitors log files (e.g. /var/log/auth.log, + /var/log/apache/access.log) and temporarily or persistently bans + failure-prone addresses by updating existing firewall rules. The + software was completely rewritten at version 0.7.0 and now allows + easy specification of different actions to be taken such as to ban an + IP using iptables or hostsdeny rules, or simply to send a + notification email. Currently, by default, supports ssh/apache/vsftpd + but configuration can be easily extended for scanning the other ASCII + log files. All filters and actions are given in the config files, + thus fail2ban can be adopted to be used with a variety of files and + firewalls. . Homepage: http://www.sourceforge.net/projects/fail2ban diff --git a/debian/fail2ban.default b/debian/fail2ban.default new file mode 100644 index 00000000..e800bb97 --- /dev/null +++ b/debian/fail2ban.default 
@@ -0,0 +1,23 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 1.2 $
+
+# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
+# valid options.
+FAIL2BAN_OPTS=""
diff --git a/debian/fail2ban.init b/debian/fail2ban.init
new file mode 100644
index 00000000..bbf50e0d
--- /dev/null
+++ b/debian/fail2ban.init
@@ -0,0 +1,143 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: fail2ban
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Should-Start: $time $network $syslog iptables firehol shorewall ipmasq
+# Should-Stop: $network $syslog iptables firehol shorewall ipmasq
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start/stop fail2ban
+# Description: Start/stop fail2ban, a daemon scanning the log files and
+# banning potential attackers.
+### END INIT INFO
+
+# Author: Aaron Isotton
+# Modified: by Yaroslav Halchenko
+# reindented + minor corrections + to work on sarge without modifications
+#
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+DESC="authentication failure monitor"
+NAME=fail2ban
+DAEMON=/usr/bin/$NAME-client
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+DAEMON_ARGS="$FAIL2BAN_OPTS"
+
+# Load the VERBOSE setting and other rcS variables
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+# Predefine what can be missing from lsb source later on -- necessary to run
+# on sarge. Just present it in a bit more compact way from what was shipped
+log_daemon_msg () {
+ [ -z "$1" ] && return 1
+ echo -n "$1:"
+ [ -z "$2" ] || echo -n " $2"
+}
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
+# so we must be ok
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --exec $DAEMON --test -- \
+ $DAEMON_ARGS start > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --exec $DAEMON -- \
+ $DAEMON_ARGS start > /dev/null\
+ || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ $DAEMON status > /dev/null || return 1
+ $DAEMON stop > /dev/null || return 2
+ return 0
+}
+
+
+# yoh:
+# shortcut function to don't duplicate case statements and to don't use
+# bashisms (arrays). Fixes #368218
+#
+log_end_msg_wrapper()
+{
+ [ $1 -lt $2 ] && value=0 || value=1
+ log_end_msg $value
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ log_end_msg_wrapper $? 1
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ status)
+ log_daemon_msg "Status of $DESC"
+ pidofproc $NAME $PIDFILE > /dev/null
+ status=$?
+ case $status in
+ 0) log_success_msg " $NAME is running"
+ exit 0
+ ;;
+ 1|2) log_failure_msg " $NAME is not running but $PIDFILE exists"
+ exit 1
+ ;;
+ 3) log_warning_msg " $NAME is not running"
+ exit 3
+ ;;
+ 4) log_failure_msg " $PIDFILE not readable, status of $NAME unknown"
+ exit 4
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
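Review bot: In the `start)` and `stop)` branches the `$?` handed to `log_end_msg_wrapper` is the exit status of the preceding `[ "$VERBOSE" != no ]` test, not of `do_start`/`do_stop`, so a failed start or stop is always logged as success; the `restart` branch reads `$?` directly after `do_start` and is not affected. Saving the status first fixes it: `do_start; rc=$?` followed by `[ "$VERBOSE" != no ] && log_end_msg_wrapper $rc 2`. The script also ends in `:`, so `start` and `stop` exit 0 whatever happened; for a daemon whose job is banning hosts, a silent start failure leaves the machine unprotected with no signal to init or monitoring, so the saved status should also drive the exit code, e.g. `[ $rc -lt 2 ] || exit 1`. Separately, nothing in the script passes `$PIDFILE` to the daemon, so the `status` branch presumably relies on fail2ban itself writing that path; worth confirming against 0.7.1.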
diff --git a/debian/patches/00list b/debian/patches/00list
index e7423a0b..79c58d7e 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,8 +1 @@
-00_empty_ip
-00_locale_config
-00_verbosity
-00_proftpd_section
-00_vsftpd_regexp
-01_apache2_other
-02_sasl_section
-03_fail2ban_conf_5_manpage
+X00_rigid_python24
diff --git a/debian/patches/X00_rigid_python24.dpatch b/debian/patches/X00_rigid_python24.dpatch
new file mode 100755
index 00000000..a8ea5f5b
--- /dev/null
+++ b/debian/patches/X00_rigid_python24.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## rigid_python2.4.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Due to currently default python2.3 we need to hardcode use of python2.4
+## DP: for now
+
+@DPATCH@
+
+diff -Naur fail2ban-0.7.1/fail2ban-client fail2ban-0.7.1.modified/fail2ban-client
+--- fail2ban-0.7.1/fail2ban-client 2006-08-23 16:56:23.000000000 -0400
++++ fail2ban-0.7.1.modified/fail2ban-client 2006-09-05 00:58:47.000000000 -0400
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python2.4
+ # This file is part of Fail2Ban.
+ #
+ # Fail2Ban is free software; you can redistribute it and/or modify
+diff -Naur fail2ban-0.7.1/fail2ban-server fail2ban-0.7.1.modified/fail2ban-server
+--- fail2ban-0.7.1/fail2ban-server 2006-08-23 15:51:26.000000000 -0400
++++ fail2ban-0.7.1.modified/fail2ban-server 2006-09-05 00:58:54.000000000 -0400
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python2.4
+ # This file is part of Fail2Ban.
+ #
+ # Fail2Ban is free software; you can redistribute it and/or modify
+diff -Naur fail2ban-0.7.1/fail2ban-testcases fail2ban-0.7.1.modified/fail2ban-testcases
+--- fail2ban-0.7.1/fail2ban-testcases 2006-08-20 18:53:15.000000000 -0400
++++ fail2ban-0.7.1.modified/fail2ban-testcases 2006-09-05 00:59:18.000000000 -0400
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python2.4
+ # This file is part of Fail2Ban.
+ #
+ # Fail2Ban is free software; you can redistribute it and/or modify
+diff -Naur fail2ban-0.7.1/setup.py fail2ban-0.7.1.modified/setup.py
+--- fail2ban-0.7.1/setup.py 2006-08-22 18:09:25.000000000 -0400
++++ fail2ban-0.7.1.modified/setup.py 2006-09-05 00:59:06.000000000 -0400
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python2.4
+
+ # This file is part of Fail2Ban.
+ #
diff --git a/debian/rules b/debian/rules
index eec01b82..bdbf0c14 100755
--- a/debian/rules
+++ b/debian/rules
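Review bot: The four shebangs rewritten in debian/patches/X00_rigid_python24.dpatch become `#!/usr/bin/env python2.4`, which resolves the interpreter through whatever PATH the caller happens to have. fail2ban-client and fail2ban-server are normally run as root, and only the init script pins its own PATH, so an administrator invoking the client from a shell does not get that protection. Since the patch exists to hardcode the interpreter anyway, name it absolutely: `#!/usr/bin/python2.4`.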
@@ -26,12 +26,12 @@ configure-stamp: build: patch copy-inits: - cp config/gentoo-confd debian/fail2ban.default - cp config/debian-initd debian/fail2ban.init - cp config/fail2ban.logrotate debian/ +# cp config/gentoo-confd debian/fail2ban.default +# cp config/debian-initd debian/fail2ban.init +# cp config/fail2ban.logrotate debian/ clean-inits: - rm -f debian/fail2ban.{default,init,logrotate} +# rm -f debian/fail2ban.{default,init,logrotate} clean: clean-inits unpatch dh_testdir @@ -51,8 +51,11 @@ install: build copy-inits # Add here commands to install the package into debian/fail2ban. python setup.py install --root=$(DESTDIR) --no-compile - mkdir -p $(DESTDIR)/etc - cp config/fail2ban.conf.iptables $(DESTDIR)/etc/fail2ban.conf + #X Evil - must be removed after Debian switches over to 2.4, now + # distutils.setup will override the enterpreter line to /usr/bin/python + install fail2ban-server fail2ban-client $(DESTDIR)/usr/bin +#X mkdir -p $(DESTDIR)/etc +#X cp config/fail2ban.conf.iptables $(DESTDIR)/etc/fail2ban.conf # To build manpage $(MANPAGE): fail2ban fail2ban.h2m @@ -62,19 +65,20 @@ $(MANPAGE): fail2ban fail2ban.h2m binary-arch: # Build architecture-independent files here. -binary-indep: install $(MANPAGE) +#X binary-indep: install $(MANPAGE) +binary-indep: install dh_testdir dh_testroot dh_installchangelogs CHANGELOG dh_installdocs - dh_installexamples config/fail2ban.conf.* +#X dh_installexamples config/fail2ban.conf.* # dh_install # dh_installdebconf dh_installlogrotate dh_installinit -- defaults 99 # dh_installcron # dh_installinfo - dh_installman fail2ban.8 man/fail2ban.conf.5 +#X dh_installman fail2ban.8 man/fail2ban.conf.5 dh_pycentral dh_python dh_link
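Review bot: The added `install fail2ban-server fail2ban-client $(DESTDIR)/usr/bin` in the second debian/rules hunk relies on install's default mode and on `$(DESTDIR)/usr/bin` having been created by the `setup.py install` line above it. Making both explicit is cheap for executables that run as root: `install -d $(DESTDIR)/usr/bin` and then `install -m 0755 fail2ban-server fail2ban-client $(DESTDIR)/usr/bin/`. The two comment lines above it appear to be indented like recipe lines, in which case they are passed to the shell and echoed on every build; starting them at column 0 keeps them Make comments. Running the context line as `python2.4 setup.py install ...` would probably let distutils write an absolute python2.4 interpreter line itself and make this copy unnecessary, at the cost of a python2.4 build dependency; worth testing.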
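Review bot: `dh_installlogrotate` stays in `binary-indep` (third hunk), but the first hunk comments out the `cp config/fail2ban.logrotate debian/` that used to supply its input, and the diffstat shows only debian/fail2ban.default and debian/fail2ban.init being added. Unless debian/fail2ban.logrotate already exists in the tree, the package ships without a logrotate snippet and the fail2ban log, which is the record of what was banned and why, grows unrotated. Either add that file under debian/ or keep the one copy line. The `#X` lines left beside the new ones also drop the man pages from `binary-indep`; a one-line comment such as `# X-marked lines are disabled temporarily for the 0.7.1 packaging` would tell the next reader they are meant to come back.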