Just two files to enable fail2ban within systemd:
files/fail2ban-tmpfiles.conf | 1 +
files/fail2ban.service | 14 ++++++++++++++
* 'systemd' of https://github.com/opoplawski/fail2ban:
Add After, PIDFile, and change WantedBy to multi-user.target in fail2ban.server
Add systemd unit file and tmpfiles.d configuration files
* 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban:
Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
Added support for MySQL logfiles
Conflicts:
testcases/datedetectortestcase.py -- conflictde with other added test cases
* 'master' of https://github.com/labynocle/fail2ban:
change the license to GPLv2 + adapat text
fix the script name to check_fail2ban everywhere
Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...). Also add a README which includes the content of f2ban.txt (which is now removed)
* 001-fail2ban-server-socket-close-on-exec-no-leak.diff
Add code that marks server and client sockets with FD_CLOEXEC flags.
Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).
Unix sockets managed by fail2ban-server don't need to be passed to any
child process. Fail2ban already uses the FD_CLOEXEC flags in the filter
code.
This patch also avoids giving iptables access to fail2ban UNIX socket in
a SELinux environment (A sane SELinux policy should trigger an audit
event because "iptables" will be given read/write access to the fail2ban
control socket).
Some random references related to this bug:
http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.htmlhttp://forums.fedoraforum.org/showthread.php?t=234230
* 002-fail2ban-filters-close-on-exec-typo-fix.diff
There is a typo in the fail2ban server/filter.py source code. The
FD_CLOEXEC is correctly set but additional *random* flags are also set.
It has no side-effect as long as the fd doesn't match a valid flag :)
"fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd
parameter should be flags, not a file descriptor.
* 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff
Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC
flags. Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).
---
File descriptors in action process before patches:
dr-x------ 2 root root 0 .
dr-xr-xr-x 8 root root 0 ..
lr-x------ 1 root root 64 0 -> /dev/null <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null <== OK
lrwx------ 1 root root 64 3 -> socket:[116361] <== NOK (fail2ban.sock leak)
lr-x------ 1 root root 64 4 -> /proc/20090/fd <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
lrwx------ 1 root root 64 6 -> socket:[115608] <== NOK (gamin sock leak)
File descriptors in action process after patches:
dr-x------ 2 root root 0 .
dr-xr-xr-x 8 root root 0 ..
lr-x------ 1 root root 64 0 -> /dev/null <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null <== OK
lr-x------ 1 root root 64 3 -> /proc/18284/fd <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
* commit '0.8.8-145-g72b0647': (114 commits)
ENH: Slight tune ups for fresh SOGo filter + comment into the sample log file
ENH: postfix filter -- react also on (450 4.7.1) with empty from/to. fixes#126
TST: basic testing of reading the shipped jail.conf (forcing all jails to be enabled)
ENH: allow to force enable all jails (for testing), do not crash for jails without actions (just warn)
ENH: minor -- add default value into the warning if option had none provided
ENH: _copy_lines_between_files -- read all needed, and only then write/flush at once
ENH: move pyinotify callback debug message into callback + delay string interpolations
ENH: adding ability to incorporate tracebacks into log lines while running tests
ENH: FailManager -- improve log message to report total # of detected failures as well
BF: allow to wait longer for FilterPoll in test_move_file
ENH: elaborated debug log message about already detected failures
BF: Remove custom __str__ for MonitorFailures and just adjust __name__ of the generated class
DOC: Added suggested by @beilber description of .d/ + added I formatting to all filenames
ENH: increase timeout to 20 sec from 10 sec in assert_correct_last_attempt
BF: fixing up for handling of TAI64N timestamps and adding some unittest for prev commit (not effective much though)
An example of failed logins against sogo
Update sogo-auth.conf
Added Daniel and Steven to THANKS
My improvements to manpages
PKG: change email that I want in RPMs
...
* pr/117/head:
An example of failed logins against sogo
Update sogo-auth.conf
Update config/filter.d/sogo-auth.conf
Create sogo-auth.conf
Update config/jail.conf
Yaroslav Halchenko