diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile index cbc9cd490909..eb08a64c5e1c 100644 --- a/security/py-fail2ban/Makefile +++ b/security/py-fail2ban/Makefile @@ -1,85 +1,85 @@ PORTNAME= fail2ban DISTVERSION= 1.1.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} MAINTAINER= cy@FreeBSD.org COMMENT= Scans log files and bans IP that makes too many password failures WWW= https://www.fail2ban.org/wiki/index.php/Main_Page LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYING RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR} USES= cpe python:patch,run shebangfix USE_GITHUB= yes USE_PYTHON= autoplist distutils PYDISTUTILS_BUILDARGS+= --without-tests PYDISTUTILS_INSTALLARGS+= --install-data=${ETCDIR} USE_RC_SUBR= fail2ban SHEBANG_FILES= config/filter.d/ignorecommands/apache-fakegooglebot SHEBANG_LANG= fail2ban-python NO_ARCH= yes SUB_LIST+= PYTHON_CMD=${PYTHON_CMD} PORTDOCS= DEVELOP README.md OPTIONS_DEFINE= DOCS INOTIFY OPTIONS_DEFAULT= INOTIFY INOTIFY_DESC= Support for (lib)inotify to monitor filesystem changes INOTIFY_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pyinotify>=0.8.3:devel/py-pyinotify@${PY_FLAVOR} FILES= ${WRKSRC}/bin/fail2ban-client \ ${WRKSRC}/fail2ban/client/configreader.py \ ${WRKSRC}/fail2ban/client/fail2bancmdline.py \ ${WRKSRC}/fail2ban/client/fail2banregex.py \ ${WRKSRC}/man/fail2ban-client.1 \ ${WRKSRC}/man/fail2ban-client.h2m ${WRKSRC}/setup.py MAN_FILES= ${WRKSRC}/man/fail2ban-client.1 \ ${WRKSRC}/man/fail2ban-client.h2m \ ${WRKSRC}/man/fail2ban-regex.1 ${WRKSRC}/man/fail2ban-server.1 \ ${WRKSRC}/man/fail2ban.1 FAIL2BAN_DBDIR= /var/db/${PORTNAME} PLIST_SUB= FAIL2BAN_DBDIR=${FAIL2BAN_DBDIR} PY2TO3_CMD= ${LOCALBASE}/bin/2to3-${PYTHON_VER} PY2TO3_ARG= --no-diffs --write --nobackups --fix=all post-patch: @${REINPLACE_CMD} -e 's,/etc/fail2ban,${ETCDIR},g' ${FILES} @${REINPLACE_CMD} -e 's,paths-debian.conf,paths-freebsd.conf,g' \ ${WRKSRC}/config/jail.conf @${REINPLACE_CMD} -e 's,/var/lib/fail2ban/,${FAIL2BAN_DBDIR}/,g' \ ${WRKSRC}/config/fail2ban.conf @${REINPLACE_CMD} -e 's,jail.conf(5),fail2ban-jail.conf(5),g' \ ${MAN_FILES} @${REINPLACE_CMD} -e 's, sed , ${SED} ,g' \ ${WRKSRC}/config/action.d/hostsdeny.conf # XXX Ideally this should be in do-build but it only works in # XXX post-patch (cd ${WRKSRC}/ && ${PY2TO3_CMD} ${PY2TO3_ARG} bin/* fail2ban) post-install: @${MKDIR} ${STAGEDIR}${FAIL2BAN_DBDIR} ${STAGEDIR}/var/run/fail2ban .for file in fail2ban-client fail2ban-regex fail2ban-server fail2ban ${INSTALL_MAN} ${WRKSRC}/man/${file}.1 ${STAGEDIR}${PREFIX}/share/man/man1 .endfor ${INSTALL_MAN} ${WRKSRC}/man/jail.conf.5 ${STAGEDIR}${PREFIX}/share/man/man5/fail2ban-jail.conf.5 post-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${WRKSRC}/ && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}) do-test: @cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test .include diff --git a/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf b/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf new file mode 100644 index 000000000000..ad786447e655 --- /dev/null +++ b/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf @@ -0,0 +1,44 @@ +--- bsd-sshd-session.conf.orig 2025-03-27 08:35:58.483811000 -0700 ++++ bsd-sshd-session.conf 2025-03-27 08:41:34.639425000 -0700 +@@ -0,0 +1,41 @@ ++# Fail2Ban configuration file ++# ++# Author: Cyril Jaquier ++# ++# $Revision: 663 $ ++# ++ ++[INCLUDES] ++ ++# Read common prefixes. If any customizations available -- read them from ++# common.local ++before = common.conf ++ ++ ++[Definition] ++ ++_daemon = sshd-session ++ ++# Option: failregex ++# Notes.: regex to match the password failures messages in the logfile. The ++# host must be matched by a group named "host". The tag "" can ++# be used for standard IP/hostname matching and is only an alias for ++# (?:::f{4,6}:)?(?P\S+) ++# Values: TEXT ++# ++failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from \s*$ ++ ^%(__prefix_line)sDid not receive identification string from $ ++ ^%(__prefix_line)sFailed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?$ ++ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ++ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ++ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from port \d*$ ++ ^%(__prefix_line)sUser \S+ from not allowed because not listed in AllowUsers$ ++ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$ ++ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ++ ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[\] .* POSSIBLE BREAK-IN ATTEMPT!$ ++ ++# Option: ignoreregex ++# Notes.: regex to ignore. If this regex matches, the line is ignored. ++# Values: TEXT ++# ++ignoreregex = diff --git a/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf b/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf new file mode 100644 index 000000000000..3f4310c54c0f --- /dev/null +++ b/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf @@ -0,0 +1,142 @@ +--- sshd-session.conf.orig 2025-03-27 08:42:15.550403000 -0700 ++++ sshd-session.conf 2025-03-27 08:42:34.056893000 -0700 +@@ -0,0 +1,139 @@ ++# Fail2Ban filter for openssh ++# ++# If you want to protect OpenSSH from being bruteforced by password ++# authentication then get public key authentication working before disabling ++# PasswordAuthentication in sshd_config. ++# ++# ++# "Connection from port \d+" requires LogLevel VERBOSE in sshd_config ++# ++ ++[INCLUDES] ++ ++# Read common prefixes. If any customizations available -- read them from ++# common.local ++before = common.conf ++ ++[DEFAULT] ++ ++_daemon = sshd-session ++ ++# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " ++__pref = (?:(?:error|fatal): (?:PAM: )?)? ++# optional suffix (logged from several ssh versions) like " [preauth]" ++#__suff = (?: port \d+)?(?: \[preauth\])?\s* ++__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s* ++__on_port_opt = (?: (?:port \d+|on \S+)){0,2} ++# close by authenticating user (don't use after %(__authng_user)s because of catch-all `.*?`): ++__authng_user = (?: (?:by|from))?(?: (?:invalid|authenticating) user \S+|.*?)?(?: from)? ++ ++# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", ++# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors. ++__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+) ++ ++# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`: ++__pam_auth = pam_[a-z]+ ++ ++[Definition] ++ ++prefregex = ^%(__prefix_line)s%(__pref)s.+$ ++ ++cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*? (?:from )?( via \S+)?%(__suff)s$ ++ ^User not known to the underlying authentication module for .*? (?:from )?%(__suff)s$ ++ > ++ ^Failed for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) ++ ^ROOT LOGIN REFUSED FROM ++ ^[iI](?:llegal|nvalid) user .*? (?:from )?%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because not listed in AllowUsers%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because listed in DenyUsers%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because not in any group%(__suff)s$ ++ ^refused connect from \S+ \(\) ++ ^Received disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because a group is listed in DenyGroups%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because none of user's groups are listed in AllowGroups%(__suff)s$ ++ ^%(__pam_auth)s\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=\S*\s+rhost=(?:\s+user=\S*)?%(__suff)s$ ++ ^maximum authentication attempts exceeded for (?:invalid user )?.*? (?:from )?%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$ ++ ^User \S+|.*? not allowed because account is locked%(__suff)s ++ ^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user \S+ %(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$ ++ ^Disconnecting: Too many authentication failures(?: for \S+|.*?)?%(__suff)s$ ++ ^Received disconnect from %(__on_port_opt)s:\s*11: ++ -other> ++ ^Accepted \w+ for \S+ from (?:\s|$) ++ ++cmnfailed-any = \S+ ++cmnfailed-ignore = \b(?!publickey)\S+ ++cmnfailed-invalid = ++cmnfailed-nofail = (?:publickey|\S+) ++cmnfailed = > ++ ++mdre-normal = ++# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode) ++mdre-normal-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$ ++ ++mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for) ++ ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer)) ++ ^Bad protocol version identification '(?:[^']|.*?)' (?:from )?%(__suff)s$ ++ ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+: ++ ^Read from socket failed: Connection reset by peer ++ ^(?:banner exchange|ssh_dispatch_run_fatal): Connection from <__on_port_opt>: (?:invalid format|(?:message authentication code incorrect|[Cc]onnection corrupted) \[preauth\]) ++ ++# same as mdre-normal-other, but as failure (without with [preauth] and with on no preauth phase as helper to identify address): ++mdre-ddos-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?\s+\[preauth\]\s*$ ++ ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s (?:%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?|\s*)$ ++ ++mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available ++ ^Unable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found. ++ ^Unable to negotiate a <__alg_match> ++ ^no matching <__alg_match> found: ++# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only: ++mdre-extra-other = ^Disconnected(?: from)?(?: (?:invalid|authenticating)) user \S+|.*? (?:from )?%(__on_port_opt)s \[preauth\]\s*$ ++ ++mdre-aggressive = %(mdre-ddos)s ++ %(mdre-extra)s ++# mdre-extra-other is fully included within mdre-ddos-other: ++mdre-aggressive-other = %(mdre-ddos-other)s ++ ++# Parameter "publickey": nofail (default), invalid, any, ignore ++publickey = nofail ++# consider failed publickey for invalid users only: ++cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) ++# consider failed publickey for valid users too (don't need RE, see cmnfailed): ++cmnfailre-failed-pub-any = ++# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed): ++cmnfailre-failed-pub-nofail = ++# don't consider failed publickey as failures (don't need RE, see cmnfailed): ++cmnfailre-failed-pub-ignore = ++ ++cfooterre = ^Connection from ++ ++failregex = %(cmnfailre)s ++ > ++ %(cfooterre)s ++ ++# Parameter "mode": normal (default), ddos, extra or aggressive (combines all) ++# Usage example (for jail.local): ++# [sshd] ++# mode = extra ++# # or another jail (rewrite filter parameters of jail): ++# [sshd-aggressive] ++# filter = sshd[mode=aggressive] ++# ++mode = normal ++ ++#filter = sshd[mode=aggressive] ++ ++ignoreregex = ++ ++maxlines = 1 ++ ++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd ++ ++# DEV Notes: ++# ++# "Failed \S+ for .*? from ..." failregex uses non-greedy catch-all because ++# it is coming before use of which is not hard-anchored at the end as well, ++# and later catch-all's could contain user-provided input, which need to be greedily ++# matched away first. ++# ++# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres ++# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.