diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile index 63f12cf8cddd..9cbaf89b9b2f 100644 --- a/security/py-fail2ban/Makefile +++ b/security/py-fail2ban/Makefile @@ -1,85 +1,85 @@ PORTNAME= fail2ban DISTVERSION= 1.1.0 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} MAINTAINER= cy@FreeBSD.org COMMENT= Scans log files and bans IP that makes too many password failures WWW= https://www.fail2ban.org/wiki/index.php/Main_Page LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYING RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR} USES= cpe python:patch,run shebangfix USE_GITHUB= yes USE_PYTHON= autoplist distutils PYDISTUTILS_BUILDARGS+= --without-tests PYDISTUTILS_INSTALLARGS+= --install-data=${ETCDIR} USE_RC_SUBR= fail2ban SHEBANG_FILES= config/filter.d/ignorecommands/apache-fakegooglebot SHEBANG_LANG= fail2ban-python NO_ARCH= yes SUB_LIST+= PYTHON_CMD=${PYTHON_CMD} PORTDOCS= DEVELOP README.md OPTIONS_DEFINE= DOCS INOTIFY OPTIONS_DEFAULT= INOTIFY INOTIFY_DESC= Support for (lib)inotify to monitor filesystem changes INOTIFY_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pyinotify>=0.8.3:devel/py-pyinotify@${PY_FLAVOR} FILES= ${WRKSRC}/bin/fail2ban-client \ ${WRKSRC}/fail2ban/client/configreader.py \ ${WRKSRC}/fail2ban/client/fail2bancmdline.py \ ${WRKSRC}/fail2ban/client/fail2banregex.py \ ${WRKSRC}/man/fail2ban-client.1 \ ${WRKSRC}/man/fail2ban-client.h2m ${WRKSRC}/setup.py MAN_FILES= ${WRKSRC}/man/fail2ban-client.1 \ ${WRKSRC}/man/fail2ban-client.h2m \ ${WRKSRC}/man/fail2ban-regex.1 ${WRKSRC}/man/fail2ban-server.1 \ ${WRKSRC}/man/fail2ban.1 FAIL2BAN_DBDIR= /var/db/${PORTNAME} PLIST_SUB= FAIL2BAN_DBDIR=${FAIL2BAN_DBDIR} PY2TO3_CMD= ${LOCALBASE}/bin/2to3-${PYTHON_VER} PY2TO3_ARG= --no-diffs --write --nobackups --fix=all post-patch: @${REINPLACE_CMD} -e 's,/etc/fail2ban,${ETCDIR},g' ${FILES} @${REINPLACE_CMD} -e 's,paths-debian.conf,paths-freebsd.conf,g' \ ${WRKSRC}/config/jail.conf @${REINPLACE_CMD} -e 's,/var/lib/fail2ban/,${FAIL2BAN_DBDIR}/,g' \ ${WRKSRC}/config/fail2ban.conf @${REINPLACE_CMD} -e 's,jail.conf(5),fail2ban-jail.conf(5),g' \ ${MAN_FILES} @${REINPLACE_CMD} -e 's, sed , ${SED} ,g' \ ${WRKSRC}/config/action.d/hostsdeny.conf # XXX Ideally this should be in do-build but it only works in # XXX post-patch (cd ${WRKSRC}/ && ${PY2TO3_CMD} ${PY2TO3_ARG} bin/* fail2ban) post-install: @${MKDIR} ${STAGEDIR}${FAIL2BAN_DBDIR} ${STAGEDIR}/var/run/fail2ban .for file in fail2ban-client fail2ban-regex fail2ban-server fail2ban ${INSTALL_MAN} ${WRKSRC}/man/${file}.1 ${STAGEDIR}${PREFIX}/share/man/man1 .endfor ${INSTALL_MAN} ${WRKSRC}/man/jail.conf.5 ${STAGEDIR}${PREFIX}/share/man/man5/fail2ban-jail.conf.5 post-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${WRKSRC}/ && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}) do-test: @cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test .include diff --git a/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf b/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf deleted file mode 100644 index 3f4310c54c0f..000000000000 --- a/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf +++ /dev/null @@ -1,142 +0,0 @@ ---- sshd-session.conf.orig 2025-03-27 08:42:15.550403000 -0700 -+++ sshd-session.conf 2025-03-27 08:42:34.056893000 -0700 -@@ -0,0 +1,139 @@ -+# Fail2Ban filter for openssh -+# -+# If you want to protect OpenSSH from being bruteforced by password -+# authentication then get public key authentication working before disabling -+# PasswordAuthentication in sshd_config. -+# -+# -+# "Connection from port \d+" requires LogLevel VERBOSE in sshd_config -+# -+ -+[INCLUDES] -+ -+# Read common prefixes. If any customizations available -- read them from -+# common.local -+before = common.conf -+ -+[DEFAULT] -+ -+_daemon = sshd-session -+ -+# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " -+__pref = (?:(?:error|fatal): (?:PAM: )?)? -+# optional suffix (logged from several ssh versions) like " [preauth]" -+#__suff = (?: port \d+)?(?: \[preauth\])?\s* -+__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s* -+__on_port_opt = (?: (?:port \d+|on \S+)){0,2} -+# close by authenticating user (don't use after %(__authng_user)s because of catch-all `.*?`): -+__authng_user = (?: (?:by|from))?(?: (?:invalid|authenticating) user \S+|.*?)?(?: from)? -+ -+# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", -+# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors. -+__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+) -+ -+# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`: -+__pam_auth = pam_[a-z]+ -+ -+[Definition] -+ -+prefregex = ^%(__prefix_line)s%(__pref)s.+$ -+ -+cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*? (?:from )?( via \S+)?%(__suff)s$ -+ ^User not known to the underlying authentication module for .*? (?:from )?%(__suff)s$ -+ > -+ ^Failed for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) -+ ^ROOT LOGIN REFUSED FROM -+ ^[iI](?:llegal|nvalid) user .*? (?:from )?%(__suff)s$ -+ ^User \S+|.*? (?:from )? not allowed because not listed in AllowUsers%(__suff)s$ -+ ^User \S+|.*? (?:from )? not allowed because listed in DenyUsers%(__suff)s$ -+ ^User \S+|.*? (?:from )? not allowed because not in any group%(__suff)s$ -+ ^refused connect from \S+ \(\) -+ ^Received disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$ -+ ^User \S+|.*? (?:from )? not allowed because a group is listed in DenyGroups%(__suff)s$ -+ ^User \S+|.*? (?:from )? not allowed because none of user's groups are listed in AllowGroups%(__suff)s$ -+ ^%(__pam_auth)s\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=\S*\s+rhost=(?:\s+user=\S*)?%(__suff)s$ -+ ^maximum authentication attempts exceeded for (?:invalid user )?.*? (?:from )?%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$ -+ ^User \S+|.*? not allowed because account is locked%(__suff)s -+ ^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user \S+ %(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$ -+ ^Disconnecting: Too many authentication failures(?: for \S+|.*?)?%(__suff)s$ -+ ^Received disconnect from %(__on_port_opt)s:\s*11: -+ -other> -+ ^Accepted \w+ for \S+ from (?:\s|$) -+ -+cmnfailed-any = \S+ -+cmnfailed-ignore = \b(?!publickey)\S+ -+cmnfailed-invalid = -+cmnfailed-nofail = (?:publickey|\S+) -+cmnfailed = > -+ -+mdre-normal = -+# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode) -+mdre-normal-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$ -+ -+mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for) -+ ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer)) -+ ^Bad protocol version identification '(?:[^']|.*?)' (?:from )?%(__suff)s$ -+ ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+: -+ ^Read from socket failed: Connection reset by peer -+ ^(?:banner exchange|ssh_dispatch_run_fatal): Connection from <__on_port_opt>: (?:invalid format|(?:message authentication code incorrect|[Cc]onnection corrupted) \[preauth\]) -+ -+# same as mdre-normal-other, but as failure (without with [preauth] and with on no preauth phase as helper to identify address): -+mdre-ddos-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?\s+\[preauth\]\s*$ -+ ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s (?:%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?|\s*)$ -+ -+mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available -+ ^Unable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found. -+ ^Unable to negotiate a <__alg_match> -+ ^no matching <__alg_match> found: -+# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only: -+mdre-extra-other = ^Disconnected(?: from)?(?: (?:invalid|authenticating)) user \S+|.*? (?:from )?%(__on_port_opt)s \[preauth\]\s*$ -+ -+mdre-aggressive = %(mdre-ddos)s -+ %(mdre-extra)s -+# mdre-extra-other is fully included within mdre-ddos-other: -+mdre-aggressive-other = %(mdre-ddos-other)s -+ -+# Parameter "publickey": nofail (default), invalid, any, ignore -+publickey = nofail -+# consider failed publickey for invalid users only: -+cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) -+# consider failed publickey for valid users too (don't need RE, see cmnfailed): -+cmnfailre-failed-pub-any = -+# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed): -+cmnfailre-failed-pub-nofail = -+# don't consider failed publickey as failures (don't need RE, see cmnfailed): -+cmnfailre-failed-pub-ignore = -+ -+cfooterre = ^Connection from -+ -+failregex = %(cmnfailre)s -+ > -+ %(cfooterre)s -+ -+# Parameter "mode": normal (default), ddos, extra or aggressive (combines all) -+# Usage example (for jail.local): -+# [sshd] -+# mode = extra -+# # or another jail (rewrite filter parameters of jail): -+# [sshd-aggressive] -+# filter = sshd[mode=aggressive] -+# -+mode = normal -+ -+#filter = sshd[mode=aggressive] -+ -+ignoreregex = -+ -+maxlines = 1 -+ -+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd -+ -+# DEV Notes: -+# -+# "Failed \S+ for .*? from ..." failregex uses non-greedy catch-all because -+# it is coming before use of which is not hard-anchored at the end as well, -+# and later catch-all's could contain user-provided input, which need to be greedily -+# matched away first. -+# -+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres -+# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.