Spec file update

Instead of restarting fail2ban daemon

createlinks

@@ -17,7 +17,11 @@ safe_symlink("restart", "root/etc/e-smith/events/fail2ban-conf/services2adjust/f
 safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/fail2ban");
 safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/fail2ban");
 safe_symlink("restart", "root/etc/e-smith/events/remoteaccess-update/services2adjust/fail2ban");
+event_link("fail2ban-suspend-logs", "logrotate", "02");
+event_link("fail2ban-resume-logs", "logrotate", "98");
 
-service_link_enhanced("fail2ban", "S92", "7");
+safe_touch("root/var/log/fail2ban/daemon.log");
+
+service_link_enhanced("fail2ban", "S99", "7");
 service_link_enhanced("fail2ban", "K08", "6");
 service_link_enhanced("fail2ban", "K08", "0");

root/etc/e-smith/events/actions/fail2ban-resume-logs

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+STATUS=$(/sbin/e-smith/db configuration getprop fail2ban status || echo disabled)
+if [ "$STATUS" != "enabled" ]; then
+  exit 0
+fi
+
+sleep 1
+# Makes sure /var/log/httpd/error_log is not a dangling symlink
+[ -e /var/log/httpd/error_log ] || touch /var/log/httpd/error_log
+for JAIL in http-overflows http-noscript http-scan http-auth; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL addlogpath /var/log/httpd/error_log
+  fi
+done
+
+[ -e /var/log/secure ] || touch /var/log/secure
+for JAIL in pam-generic ftp; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL addlogpath /var/log/secure
+  fi
+done
+
+[ -e /var/log/messages ] || touch /var/log/messages
+for JAIL in lemonldap; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL addlogpath /var/log/messages
+  fi
+done

root/etc/e-smith/events/actions/fail2ban-suspend-logs

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+STATUS=$(/sbin/e-smith/db configuration getprop fail2ban status || echo disabled)
+if [ "$STATUS" != "enabled" ]; then
+  exit 0
+fi
+
+for JAIL in http-overflows http-noscript http-scan http-auth; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL dellogpath /var/log/httpd/error_log
+  fi
+done
+
+for JAIL in pam-generic ftp; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL dellogpath /var/log/secure
+  fi
+done
+
+for JAIL in lemonldap; do
+  /usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
+  if [ $? -eq 0 ]; then
+    /usr/bin/fail2ban-client set $JAIL dellogpath /var/log/messages
+  fi
+done

root/etc/e-smith/templates/etc/fail2ban/fail2ban.conf/10All

@@ -1,4 +1,8 @@
 [Definition]
-loglevel = 3
+loglevel = INFO
 logtarget = /var/log/fail2ban/daemon.log
+syslogsocket = auto
 socket = /var/run/fail2ban/fail2ban.sock
+pidfile = /var/run/fail2ban/fail2ban.pid
+dbfile = /var/lib/fail2ban/fail2ban.sqlite3
+dbpurgeage = 604800

root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP

@@ -9,9 +9,11 @@ my $n = esmith::NetworksDB->open_ro() ||
 my @ip = ("127.0.0.0/8", $LocalIP);
 
 # Add hosts which can access the server-manager to the whitelist
-foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){
-    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
-    push @ip, "$ip/$bits";
+unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){
+  foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){
+      my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
+      push @ip, "$ip/$bits" unless "$ip/$bits" eq '0.0.0.0/0';
+  }
 }
 
 unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
@@ -25,7 +27,9 @@ unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
 
 # Add a local whitelist
 foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
-    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
+    my $addr = $_;
+    $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
+    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
     push @ip, "$ip/$bits";
 }
 

root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service25httpd

@@ -55,4 +55,43 @@ EOF
 
 $OUT .= "           smeserver-sendmail[name=\"Apache (auth)\",dest=$maildest]\n"
     if ($mail eq 'enabled');
+
+$OUT .=<<"EOF";
+
+[http-badbots]
+enabled  = true
+filter   = apache-badbots
+logpath  = /var/log/httpd/error_log
+action   = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
+EOF
+
+$OUT .= "           smeserver-sendmail[name=\"Apache (badbots)\",dest=$maildest]\n"
+    if ($mail eq 'enabled');
+
+$OUT .=<<"EOF";
+
+[http-shellshock]
+enabled  = true
+filter   = apache-shellshock
+logpath  = /var/log/httpd/error_log
+action   = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
+EOF
+
+$OUT .= "           smeserver-sendmail[name=\"Apache (shellshock)\",dest=$maildest]\n"
+    if ($mail eq 'enabled');
+
+$OUT .=<<"EOF";
+
+[http-fakegooglebot]
+enabled  = true
+filter   = apache-fakegooglebot
+logpath  = /var/log/httpd/error_log
+action   = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
+EOF
+
+$OUT .= "           smeserver-sendmail[name=\"Apache (fakegooglebot)\",dest=$maildest]\n"
+    if ($mail eq 'enabled');
+
+
+
 }

root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service40LemonLDAPNG

@@ -10,7 +10,7 @@ my $port = join (",", @ports);
 
 $OUT .=<<"EOF";
 
-[sogo]
+[lemonldap]
 enabled  = true
 filter   = lemonldap-ng
 logpath  = /var/log/messages

root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service50Ejabberd

@@ -9,7 +9,7 @@ $OUT .=<<"EOF";
 
 [ejabberd]
 enabled  = true
-filter   = ejabberd
+filter   = ejabberd-auth
 logpath  = /var/log/ejabberd.run/current
 action   = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
 EOF

root/etc/fail2ban/action.d/smeserver-iptables.conf

@@ -1,6 +1,9 @@
 
 [Definition]
 
+actionstart =
+actionstop =
+actioncheck =
 actionban = /sbin/e-smith/smeserver-fail2ban --host=<ip> --proto=<protocol> --port=<port> --bantime=<bantime>
 actionunban = /sbin/e-smith/smeserver-fail2ban --host=<ip> --unban --proto=<protocol> --port=<port>
 

root/etc/fail2ban/filter.d/apache-auth.local

@@ -0,0 +1,2 @@
+[Definition]
+ignoreregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: /etc/httpd/conf/proxy/proxy\.pac\s*$

root/etc/fail2ban/filter.d/apache-scan.conf

@@ -1,7 +1,7 @@
 [Definition]
 re_pma = (admin|administrator|database|db|sql|typo3|xampp\/)?(pma|PMA|phpmyadmin|phpMyAdmin(\-?[\d\.\-]+((rc|pl|beta)\d+)?)?|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2|php\-my\-admin|sqlmanager|websql|sqlweb|MyAdmin|phpadmin|sql|pma2005|databaseadmin|phpmanager)(\/main\.php|setup\.php|read_dump\.php|read_dump\.phpmain\.php)?
 re_admin = administrator(\/index\.php)?|manager(\/(status|html))?|webadmin|ecrire|admin((\.php)|(\/(config|login)\.php))?|mailadmin|setup\.php|admin\/modules\/backup\/page\.backup\.php
-re_proxy = freenode-proxy-checker\.txt|proxy|proxychecker|proxyheader\.php
+re_proxy = freenode-proxy-checker\.txt|proxychecker|proxyheader\.php
 re_various = vtigercrm|typo3|scripts|wp\-admin|wp\-login\.php|wordpress|horde(\d+(\/+README)?)?|w00tw00t\.*|\/?plmplmplm\/plm\.php
 
 failregex = \[client <HOST>\] File does not exist: .*\/(%(re_pma)s|%(re_admin)s|%(re_proxy)s|%(re_various)s)$

root/etc/fail2ban/filter.d/ejabberd.conf

@@ -1,4 +0,0 @@
-[Definition]
-
-failregex =  Failed authentication for .*@.* from IP <HOST>
-ignoreregex =

root/etc/fail2ban/filter.d/qpsmtpd.conf

@@ -5,5 +5,7 @@ before = common.conf
 
 _daemon = qpsmtpd
 
-failregex =  ^\s*\d+\s*logging::logterse plugin \(deny\): ` <HOST>\s*.*90\d.*msg denied before queued$
+failregex = ^\s*\d+\s*logging::logterse plugin \(deny\): ` <HOST>\s*.*90\d.*msg denied before queued$
+            ^\s*\d+\s*\(deny\) logging::logterse: ` <HOST>\s*.*90\d.*msg denied before queued$
+
 ignoreregex =

root/etc/fail2ban/filter.d/sogo-auth.conf

@@ -1,20 +0,0 @@
-# /etc/fail2ban/filter.d/sogo-auth.conf
-#
-# Fail2Ban configuration file
-# By Arnd Brandes
-# SOGo
-#
-
-[Definition]
-# Option: failregex
-# Filter Ban in /var/log/sogo/sogo.log
-# Note: the error log may contain multiple hosts, whereas the first one 
-# is the client and all others are poxys. We match the first one, only
-
-failregex = Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex = 

smeserver-fail2ban.spec

@@ -1,4 +1,4 @@
-%define version 0.1.3
+%define version 0.1.17
 %define release 1
 %define name smeserver-fail2ban
 
@@ -7,6 +7,7 @@ Summary: fail2ban integration on SME Server
 Name: %{name}
 Version: %{version}
 Release: %{release}%{?dist}
+Epoch: 9
 License: GPL
 Group: Networking/Daemons
 Source: %{name}-%{version}.tar.gz
@@ -22,6 +23,55 @@ Requires: fail2ban
 Configure fail2ban on SME Server
 
 %changelog
+* Thu Nov 17 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.17-1.sme
+- Makes sur log files exist before resuming monitoring after a logrotate
+  [SME: 9875]
+
+* Tue Aug 2 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.16-1.sme
+- Add a new prop (FilterValidRemoteHosts) to allow blacklisting of hosts allowed
+  to access the server-manager
+- Ignore 0.0.0.0/0.0.0.0 by default [SME: 9719]
+
+* Tue Jul 5 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.15-1.sme
+- Fix compat with older qpsmtpd
+
+* Thu Jun 9 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.14-1.sme
+- Update regex for qpsmtpd 0.96
+
+* Mon Feb 29 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.13-1.sme
+- Ignore failure to get proxy.pac
+
+* Fri Jul 24 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.12-1.sme
+- Updates for fail2ban 0.9.2
+- Add more httpd jails
+- Switch to upstream Ejabberd filter
+
+* Wed Apr 15 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.11-1.sme
+- Start fail2ban a bit later [SME: 8708]
+
+* Tue Jan 27 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.10-1.sme
+- Suspend log monitoring during logrotate [SME: 8708]
+
+* Thu Jan 15 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.9-1.sme
+- Fix LL::NG jail name
+
+* Wed Sep 17 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.8-1.sme
+- Restart fail2ban during logrotate event so it re-open apache log file [SME: 8557]
+
+* Wed Jun 25 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.7-1.sme
+- Correctly handle single IP in IgnoreIP prop
+
+* Tue Jun 24 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.6-1.sme
+- Relax proxy regex so requests for proxy.pac aren't matched
+
+* Mon Jun 23 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.5-1.sme
+- Pre-create the logfile so fail2ban can start the first time
+- Remove most warnings on startup
+
+* Wed Apr 23 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.4-1.sme
+- New branch for SME9
+- Remove sogo-auth.conf which is included in EL6 build of fail2ban
+
 * Wed Dec 18 2013 Daniel Berteaud <daniel@firewall-services.com> - 0.1.3-1.sme
 - Fix port, which was incorrectly set to proto
 
@@ -48,7 +98,9 @@ perl createlinks
 /bin/rm -f %{name}-%{version}-filelist
 /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
    --dir /var/log/fail2ban 'attr(0750,root,root)' \
+   --file /var/log/fail2ban/daemon.log 'config(noreplace) %attr(0600,root,root)' \
    --file /etc/cron.daily/cleanup_fail2ban 'attr(0755,root,root)' \
+   --file /etc/fail2ban/filter.d/apache-auth.local 'config(noreplace) %attr(0644,root,root)' \
   > %{name}-%{version}-filelist
 
 %files -f %{name}-%{version}-filelist