Spec file update

Instead of restarting fail2ban daemon

createlinks

@@ -17,7 +17,11 @@ safe_symlink("restart", "root/etc/e-smith/events/fail2ban-conf/services2adjust/f
 safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/fail2ban");
 safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/fail2ban");
 safe_symlink("restart", "root/etc/e-smith/events/remoteaccess-update/services2adjust/fail2ban");
+event_link("fail2ban-suspend-logs", "logrotate", "02");
+event_link("fail2ban-resume-logs", "logrotate", "98");
 
-service_link_enhanced("fail2ban", "S92", "7");
+safe_touch("root/var/log/fail2ban/daemon.log");
+
+service_link_enhanced("fail2ban", "S99", "7");
 service_link_enhanced("fail2ban", "K08", "6");
 service_link_enhanced("fail2ban", "K08", "0");

root/etc/e-smith/events/actions/fail2ban-resume-logs

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+STATUS=$(/sbin/e-smith/db configuration getprop fail2ban status || echo disabled)
+if [ "$STATUS" != "enabled" ]; then
+  exit 0
+fi
+
+sleep 1
+for JAIL in http-overflows http-noscript http-scan http-auth; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL addlogpath /var/log/httpd/error_log
+  fi
+done
+
+for JAIL in pam-generic ftp; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL addlogpath /var/log/secure
+  fi
+done
+
+for JAIL in lemonldap; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL addlogpath /var/log/messages
+  fi
+done

root/etc/e-smith/events/actions/fail2ban-suspend-logs

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+STATUS=$(/sbin/e-smith/db configuration getprop fail2ban status || echo disabled)
+if [ "$STATUS" != "enabled" ]; then
+  exit 0
+fi
+
+for JAIL in http-overflows http-noscript http-scan http-auth; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL dellogpath /var/log/httpd/error_log
+  fi
+done
+
+for JAIL in pam-generic ftp; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL dellogpath /var/log/secure
+  fi
+done
+
+for JAIL in lemonldap; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL dellogpath /var/log/messages
+  fi
+done

root/etc/e-smith/templates/etc/fail2ban/fail2ban.conf/10All

@@ -2,3 +2,4 @@
 loglevel = 3
 logtarget = /var/log/fail2ban/daemon.log
 socket = /var/run/fail2ban/fail2ban.sock
+pidfile = /var/run/fail2ban/fail2ban.pid

root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP

@@ -25,7 +25,9 @@ unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
 
 # Add a local whitelist
 foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
-    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
+    my $addr = $_;
+    $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
+    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
     push @ip, "$ip/$bits";
 }
 

root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service40LemonLDAPNG

@@ -10,7 +10,7 @@ my $port = join (",", @ports);
 
 $OUT .=<<"EOF";
 
-[sogo]
+[lemonldap]
 enabled  = true
 filter   = lemonldap-ng
 logpath  = /var/log/messages

root/etc/fail2ban/action.d/smeserver-iptables.conf

@@ -1,6 +1,9 @@
 
 [Definition]
 
+actionstart =
+actionstop =
+actioncheck =
 actionban = /sbin/e-smith/smeserver-fail2ban --host=<ip> --proto=<protocol> --port=<port> --bantime=<bantime>
 actionunban = /sbin/e-smith/smeserver-fail2ban --host=<ip> --unban --proto=<protocol> --port=<port>
 

root/etc/fail2ban/filter.d/apache-auth.local

@@ -0,0 +1,2 @@
+[Definition]
+ignoreregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: /etc/httpd/conf/proxy/proxy\.pac\s*$

root/etc/fail2ban/filter.d/apache-scan.conf

@@ -1,7 +1,7 @@
 [Definition]
 re_pma = (admin|administrator|database|db|sql|typo3|xampp\/)?(pma|PMA|phpmyadmin|phpMyAdmin(\-?[\d\.\-]+((rc|pl|beta)\d+)?)?|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2|php\-my\-admin|sqlmanager|websql|sqlweb|MyAdmin|phpadmin|sql|pma2005|databaseadmin|phpmanager)(\/main\.php|setup\.php|read_dump\.php|read_dump\.phpmain\.php)?
 re_admin = administrator(\/index\.php)?|manager(\/(status|html))?|webadmin|ecrire|admin((\.php)|(\/(config|login)\.php))?|mailadmin|setup\.php|admin\/modules\/backup\/page\.backup\.php
-re_proxy = freenode-proxy-checker\.txt|proxy|proxychecker|proxyheader\.php
+re_proxy = freenode-proxy-checker\.txt|proxychecker|proxyheader\.php
 re_various = vtigercrm|typo3|scripts|wp\-admin|wp\-login\.php|wordpress|horde(\d+(\/+README)?)?|w00tw00t\.*|\/?plmplmplm\/plm\.php
 
 failregex = \[client <HOST>\] File does not exist: .*\/(%(re_pma)s|%(re_admin)s|%(re_proxy)s|%(re_various)s)$

root/etc/fail2ban/filter.d/sogo-auth.conf

@@ -1,20 +0,0 @@
-# /etc/fail2ban/filter.d/sogo-auth.conf
-#
-# Fail2Ban configuration file
-# By Arnd Brandes
-# SOGo
-#
-
-[Definition]
-# Option: failregex
-# Filter Ban in /var/log/sogo/sogo.log
-# Note: the error log may contain multiple hosts, whereas the first one 
-# is the client and all others are poxys. We match the first one, only
-
-failregex = Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex = 

smeserver-fail2ban.spec

@@ -1,4 +1,4 @@
-%define version 0.1.3
+%define version 0.1.11
 %define release 1
 %define name smeserver-fail2ban
 
@@ -22,6 +22,30 @@ Requires: fail2ban
 Configure fail2ban on SME Server
 
 %changelog
+* Mon Feb 29 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.11-1.sme
+- Ignore failure to get proxy.pac
+
+* Wed Apr 15 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.10-1.sme
+- Start fail2ban a bit later [SME: 8708]
+
+* Tue Jan 27 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.9-1.sme
+- Suspend log monitoring during logrotate [SME: 8708]
+
+* Thu Jan 15 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.8-1.sme
+- Fix LL::NG jail name
+
+* Wed Sep 17 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.7-1.sme
+- Restart fail2ban during logrotate so it reopens httpd logs [SME: 8557]
+
+* Mon Sep 8 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.6.sme
+- Backport a few changes from sme9 branch to work with fail2ban 0.8.14
+
+* Wed Jun 25 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.5-1.sme
+- Correctly handle single IP in IgnoreIP prop
+
+* Tue Jun 24 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.4-1.sme
+- Relax proxy regex so requests for proxy.pac doesn't match
+
 * Wed Dec 18 2013 Daniel Berteaud <daniel@firewall-services.com> - 0.1.3-1.sme
 - Fix port, which was incorrectly set to proto
 
@@ -48,7 +72,9 @@ perl createlinks
 /bin/rm -f %{name}-%{version}-filelist
 /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
    --dir /var/log/fail2ban 'attr(0750,root,root)' \
+   --file /var/log/fail2ban/daemon.log 'config(noreplace) %attr(0600,root,root)' \
    --file /etc/cron.daily/cleanup_fail2ban 'attr(0755,root,root)' \
+   --file /etc/fail2ban/filter.d/apache-auth.local 'config(noreplace) %attr(0644,root,root)' \
   > %{name}-%{version}-filelist
 
 %files -f %{name}-%{version}-filelist