[PATCH] gnu: admin: Add fail2ban 0.11.2.

Status: Done
Participants: Ludovic Courtès, muradm, Jean Pierre De Jesus DIAZ
Owner: unassigned
Submitted by: muradm
Severity: normal
muradm wrote on 15 Jul 2022 20:17
(address . guix-patches@gnu.org)
20220715181703.27416-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 195 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 +++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 571 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..1a342728fa 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
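Review bot: the new `(gnu packages sqlite)` import exists only to put `sqlite` into the inputs list further down, where nothing in the package definition uses it (no path under it is looked up, unlike every other input), and Fail2Ban's persistence goes through Python's standard `sqlite3` module, which the `python` package already provides. Unless something else needs the C library directly, drop both this `#:use-module` line and the `sqlite` input to keep the closure smaller.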
@@ -5231,3 +5234,195 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (substitute* "fail2ban/tests/utils.py"
+ (("tests.addTest.unittest.makeSuite.actiontestcase.CommandActionTest..") "")
+ (("tests.addTest.unittest.makeSuite.misctestcase.SetupTest..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.DNSUtilsNetworkTests..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.IgnoreIPDNS..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.GetFailures..") "")
+ (("tests.addTest.unittest.makeSuite.fail2banclienttestcase.Fail2banServerTest..") "")
+ (("tests.addTest.unittest.makeSuite.servertestcase.ServerConfigReaderTests..") ""))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (for-each delete-file
+ '("config/paths-arch.conf"
+ "config/paths-debian.conf"
+ "config/paths-fedora.conf"
+ "config/paths-freebsd.conf"
+ "config/paths-opensuse.conf"
+ "config/paths-osx.conf"
+ "config/action.d/apf.conf"
+ "config/action.d/bsd-ipfw.conf"
+ "config/action.d/dshield.conf"
+ "config/action.d/ipfilter.conf"
+ "config/action.d/ipfw.conf"
+ "config/action.d/firewallcmd-allports.conf"
+ "config/action.d/firewallcmd-common.conf"
+ "config/action.d/firewallcmd-ipset.conf"
+ "config/action.d/firewallcmd-multiport.conf"
+ "config/action.d/firewallcmd-new.conf"
+ "config/action.d/firewallcmd-rich-logging.conf"
+ "config/action.d/firewallcmd-rich-rules.conf"
+ "config/action.d/osx-afctl.conf"
+ "config/action.d/osx-ipfw.conf"
+ "config/action.d/pf.conf"
+ "config/action.d/nginx-block-map.conf"
+ "config/action.d/npf.conf"
+ "config/action.d/shorewall.conf"
+ "config/action.d/shorewall-ipset-proto6.conf"
+ "config/action.d/ufw.conf"))
+ (let* ((awk (assoc-ref inputs "gawk"))
+ (awk (string-append awk "/bin/awk"))
+ (bind-utils (assoc-ref inputs "bind"))
+ (dig (string-append bind-utils "/bin/dig"))
+ (nsupdate (string-append bind-utils "/bin/nsupdate"))
+ (coreutils (assoc-ref inputs "coreutils"))
+ (cat (string-append coreutils "/bin/cat"))
+ (cut (string-append coreutils "/bin/cut"))
+ (date (string-append coreutils "/bin/date"))
+ (echo (string-append coreutils "/bin/echo"))
+ (head (string-append coreutils "/bin/head"))
+ (id (string-append coreutils "/bin/id"))
+ (printf (string-append coreutils "/bin/printf"))
+ (rm (string-append coreutils "/bin/rm"))
+ (tail (string-append coreutils "/bin/tail"))
+ (test (string-append coreutils "/bin/test"))
+ (touch (string-append coreutils "/bin/touch"))
+ (tr (string-append coreutils "/bin/tr"))
+ (truncate (string-append coreutils "/bin/truncate"))
+ (wc (string-append coreutils "/bin/wc"))
+ (curl (assoc-ref inputs "curl"))
+ (curl (string-append curl "/bin/curl"))
+ (grep (assoc-ref inputs "grep"))
+ (grep (string-append grep "/bin/grep"))
+ (jq (assoc-ref inputs "jq"))
+ (jq (string-append jq "/bin/jq"))
+ (iproute2 (assoc-ref inputs "iproute2"))
+ (ip (string-append iproute2 "/bin/ip"))
+ (ipset (assoc-ref inputs "ipset"))
+ (ipset (string-append ipset "/sbin/ipset"))
+ (iptables (assoc-ref inputs "iptables"))
+ (ip6tables (string-append iptables "/sbin/ip6tables"))
+ (iptables (string-append iptables "/sbin/iptables"))
+ (nft (assoc-ref inputs "nftables"))
+ (nft (string-append nft "/sbin/nft"))
+ (perl (assoc-ref inputs "perl"))
+ (perl (string-append nft "/bin/perl"))
+ (sed (assoc-ref inputs "sed"))
+ (sed (string-append sed "/bin/sed"))
+ (sendmail (assoc-ref inputs "sendmail"))
+ (sendmail (string-append sed "/sbin/sendmail"))
+ (whois (assoc-ref inputs "whois"))
+ (whois (string-append whois "/bin/whois")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with mailcmd = mail ...
+ ;; TODO: deal with geoiplookup ..
+ (("awk") awk)
+ (("cat ") (string-append cat " "))
+ (("curl") curl)
+ (("cut -d") (string-append cut " -d"))
+ ((" date ") (string-append " " date " "))
+ (("`date`") (string-append "`" date "`"))
+ (("dig") dig)
+ (("echo ") (string-append echo " "))
+ (("grep ") (string-append grep " "))
+ (("head ") (string-append head " "))
+ (("id -") (string-append id " -"))
+ (("ip -4 addr") (string-append ip " -4 addr"))
+ (("ip -6 addr") (string-append ip " -6 addr"))
+ (("ip route") (string-append ip " route"))
+ (("ipset ") (string-append ipset " "))
+ (("iptables <") (string-append iptables " <"))
+ (("ip6tables <") (string-append ip6tables " <"))
+ (("jq") jq)
+ (("/usr/bin/nsupdate") nsupdate)
+ (("nftables = nft") (string-append "nftables = " nft))
+ (("perl -e") (string-append perl " -e"))
+ (("printf ") (string-append printf " "))
+ ((" rm ") (string-append " " rm " "))
+ ((" sed ") (string-append " " sed " "))
+ (("/usr/sbin/sendmail") sendmail)
+ ((" tail ") (string-append " " tail " "))
+ (("test -e") (string-append test " -e"))
+ ((" touch ") (string-append " " touch " "))
+ ((" tr ") (string-append " " tr " "))
+ (("wc ") (string-append wc " "))
+ (("_whois = whois") (string-append "_whois = " whois))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
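Review bot: two of the tool paths in the `let*` are built from the wrong base variable: `(perl (string-append nft "/bin/perl"))` uses `nft`, which at that point is already the full `.../sbin/nft` path, and `(sendmail (string-append sed "/sbin/sendmail"))` uses `sed`, so the `perl -e` and `/usr/sbin/sendmail` substitutions write non-existent paths into the action files. The rebinding style (`(curl (assoc-ref inputs "curl"))` followed by `(curl (string-append curl "/bin/curl"))`) makes such slips easy to miss; a single `(search-input-file inputs "/bin/perl")`-style lookup per tool removes the shadowing and also fails the build if a binary is missing. Separately, the unanchored regexes `(("awk") awk)`, `(("dig") dig)`, `(("curl") curl)` and `(("jq") jq)` rewrite every occurrence of those substrings in every `action.d/*.conf`, including inside comments and longer words, so anchor them to the way the commands actually appear in the files, as the `(("cut -d") ...)` and `(("ip route") ...)` entries already do.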
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban
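Review bot: every `mailcmd` and pipeline this patch rewrites now relies on `mail -E 'set escape'`, which is GNU Mailutils syntax, but the package definition earlier in this message adds only `sendmail` to `inputs`, leaves `mail` unsubstituted (the `;; TODO: deal with mailcmd = mail ...` comment) and adds no `mailutils` input, so on Guix the patched `complain.conf`, `mail-buffered.conf`, `mail-whois-lines.conf`, `mail-whois.conf` and `mail.conf` actions invoke a `mail` that is not in the package closure and the mitigation is never exercised. Either add `mailutils` as an input and substitute `mail -E` with its `bin/mail -E`, or say in the package description that the mail-based actions are unsupported.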
This message was truncated.
muradm wrote on 15 Jul 2022 21:02
[PATCH v2] gnu: admin: Add fail2ban 0.11.2.
(address . 56579@debbugs.gnu.org)
20220715190246.29929-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 181 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 557 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..183d0a0cb5 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,181 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (substitute* "fail2ban/tests/utils.py"
+ (("tests.addTest.unittest.makeSuite.actiontestcase.CommandActionTest..") "")
+ (("tests.addTest.unittest.makeSuite.misctestcase.SetupTest..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.DNSUtilsNetworkTests..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.IgnoreIPDNS..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.GetFailures..") "")
+ (("tests.addTest.unittest.makeSuite.fail2banclienttestcase.Fail2banServerTest..") "")
+ (("tests.addTest.unittest.makeSuite.servertestcase.ServerConfigReaderTests..") ""))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (for-each delete-file
+ '("config/paths-arch.conf"
+ "config/paths-debian.conf"
+ "config/paths-fedora.conf"
+ "config/paths-freebsd.conf"
+ "config/paths-opensuse.conf"
+ "config/paths-osx.conf"
+ "config/action.d/apf.conf"
+ "config/action.d/bsd-ipfw.conf"
+ "config/action.d/dshield.conf"
+ "config/action.d/ipfilter.conf"
+ "config/action.d/ipfw.conf"
+ "config/action.d/firewallcmd-allports.conf"
+ "config/action.d/firewallcmd-common.conf"
+ "config/action.d/firewallcmd-ipset.conf"
+ "config/action.d/firewallcmd-multiport.conf"
+ "config/action.d/firewallcmd-new.conf"
+ "config/action.d/firewallcmd-rich-logging.conf"
+ "config/action.d/firewallcmd-rich-rules.conf"
+ "config/action.d/osx-afctl.conf"
+ "config/action.d/osx-ipfw.conf"
+ "config/action.d/pf.conf"
+ "config/action.d/nginx-block-map.conf"
+ "config/action.d/npf.conf"
+ "config/action.d/shorewall.conf"
+ "config/action.d/shorewall-ipset-proto6.conf"
+ "config/action.d/ufw.conf"))
+ (let* ((awk (search-input-file inputs "/bin/awk"))
+ (cat (search-input-file inputs "/bin/cat"))
+ (curl (search-input-file inputs "/bin/curl"))
+ (cut (search-input-file inputs "/bin/cut"))
+ (date (search-input-file inputs "/bin/date"))
+ (dig (search-input-file inputs "/bin/dig"))
+ (echo (search-input-file inputs "/bin/echo"))
+ (grep (search-input-file inputs "/bin/grep"))
+ (head (search-input-file inputs "/bin/head"))
+ (id (search-input-file inputs "/bin/id"))
+ (ip (search-input-file inputs "/sbin/ip"))
+ (ipset (search-input-file inputs "/sbin/ipset"))
+ (ip6tables (search-input-file inputs "/sbin/ip6tables"))
+ (iptables (search-input-file inputs "/sbin/iptables"))
+ (jq (search-input-file inputs "/bin/jq"))
+ (nft (search-input-file inputs "/sbin/nft"))
+ (nsupdate (search-input-file inputs "/bin/nsupdate"))
+ (perl (search-input-file inputs "/bin/perl"))
+ (printf (search-input-file inputs "/bin/printf"))
+ (rm (search-input-file inputs "/bin/rm"))
+ (sed (search-input-file inputs "/bin/sed"))
+ (sendmail (search-input-file inputs "/sbin/sendmail"))
+ (tail (search-input-file inputs "/bin/tail"))
+ (test (search-input-file inputs "/bin/test"))
+ (touch (search-input-file inputs "/bin/touch"))
+ (tr (search-input-file inputs "/bin/tr"))
+ (truncate (search-input-file inputs "/bin/truncate"))
+ (wc (search-input-file inputs "/bin/wc"))
+ (whois (search-input-file inputs "/bin/whois")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("awk") awk)
+ (("cat ") (string-append cat " "))
+ (("curl") curl)
+ (("cut -d") (string-append cut " -d"))
+ ((" date ") (string-append " " date " "))
+ (("`date`") (string-append "`" date "`"))
+ (("dig") dig)
+ (("echo ") (string-append echo " "))
+ (("grep ") (string-append grep " "))
+ (("head ") (string-append head " "))
+ (("id -") (string-append id " -"))
+ (("ip -4 addr") (string-append ip " -4 addr"))
+ (("ip -6 addr") (string-append ip " -6 addr"))
+ (("ip route") (string-append ip " route"))
+ (("ipset ") (string-append ipset " "))
+ (("iptables <") (string-append iptables " <"))
+ (("ip6tables <") (string-append ip6tables " <"))
+ (("jq") jq)
+ (("/usr/bin/nsupdate") nsupdate)
+ (("mail -E") (string-append sendmail " -E"))
+ (("nftables = nft") (string-append "nftables = " nft))
+ (("perl -e") (string-append perl " -e"))
+ (("printf ") (string-append printf " "))
+ ((" rm ") (string-append " " rm " "))
+ ((" sed ") (string-append " " sed " "))
+ (("/usr/sbin/sendmail") sendmail)
+ ((" tail ") (string-append " " tail " "))
+ (("test -e") (string-append test " -e"))
+ ((" touch ") (string-append " " touch " "))
+ ((" tr ") (string-append " " tr " "))
+ (("wc ") (string-append wc " "))
+ (("_whois = whois") (string-append "_whois = " whois))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
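Review bot: the new substitution `(("mail -E") (string-append sendmail " -E"))` turns the patched invocation `mail -E 'set escape' -s "[Fail2Ban] ..." <dest>` into `<store>/sbin/sendmail -E 'set escape' -s ... <dest>`, but `sendmail` does not understand `-E` or `-s <subject>`, so every mail-based action now fails at runtime instead of sending a notification, and the CVE-2021-32749 mitigation those arguments implement is lost with it. Leave the `mail` invocation intact and add GNU Mailutils (whose `mail` accepts `-E 'set escape'`) as an input, substituting `mail -E` with its `bin/mail -E`; if sendmail is the intended transport, the whole pipeline needs rewriting (headers generated in the message body, `sendmail -t`), not just the command name.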
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+-
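Review bot: this patch is an upstream commit applied verbatim, but nothing in the file says so or names the issue it addresses: the `Subject:` line mentions only a "possible RCE vulnerability" and the CVE id appears solely in the file name. Guix patches carry a short comment at the top explaining origin and purpose, so add a line or two before the `From 410a6ce5c80dd981c22752da034f2529b5eee844` header stating that this is upstream fail2ban commit 410a6ce5 fixing CVE-2021-32749 (the `~` escape sequence handling in the mail actions described in the subject) and whether it applies unmodified to 0.11.2.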
This message was truncated.
muradm wrote on 15 Jul 2022 22:25
[PATCH v3] gnu: admin: Add fail2ban 0.11.2.
(address . 56579@debbugs.gnu.org)
20220715202512.4836-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 162 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 ++++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 538 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..8e16f8256a 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,162 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
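Review bot: the command-path substitutions in the `set-action-dependencies` phase are unanchored regexps, so patterns such as `("(awk|curl|dig|jq)" all cmd)` and `("(cat|echo|grep|head|printf|wc) " all cmd)` also rewrite those letter sequences wherever they occur inside longer words or comment text in `config/action.d/*.conf` (a "dig" in prose or a "cat " mid-word becomes a store path); anchor them to a line start or a preceding whitespace/pipe character, e.g. `("(^|[[:space:]|])(awk|curl|dig|jq) " all pre cmd)`, and re-emit the captured prefix in the replacement. Two further points on the same hunk: `(("mail -E") (string-append sendmail " -E"))` turns the `mail -E 'set escape' -s <subject> <dest>` lines added by the CVE-2021-32749 patch into an invocation of the sendmail transport binary with mailx user-agent options, so unless the `sendmail` input also provides a mailx-compatible `mail` this should point at that program instead (or the phase should say why sendmail accepts `-E`/`-s`); and disabling the `makeSuite` registrations by regex-editing `fail2ban/tests/utils.py` inside the source `snippet` alters what `guix build --source` produces, whereas Guix normally keeps test-selection tweaks in a build phase (a `substitute*` in a phase before `check`, or a replaced `check` phase).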
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
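Review bot: the new patch file starts directly with the upstream git header, whereas Guix patches conventionally open with a short plain-text comment stating origin and purpose, so add a line such as "Fix CVE-2021-32749 (possible RCE through mailx tilde escape sequences in notification mail bodies); upstream commit 410a6ce5c80dd981c22752da034f2529b5eee844." above the `From` line so the CVE is documented in the file itself and not only in its name. Note also that the `config/action.d/dshield.conf` hunk is applied to a file the `set-action-dependencies` phase deletes later in the build; that is harmless, but a one-line comment next to the delete list would save the next reader the detour.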
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7 +48,7 @@
+ from glob import glob
+
+ from fail2ban.setup import updatePyExec
+-
++from fail2ban.version import version
+
+ source_dir = os.path.realpath(os.path.dirname(
+ # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False):
+ # Wrapper to specify fail2ban own options:
+ class install_command_f2b(install):
+ user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+ ('without-tests', None, 'without tests files installation'),
+ ]
+ def initialize_options(self):
+- self.disable_2to3 = None
+ self.without_tests = not with_tests
+ install.initialize_options(self)
+ def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+ if self.without_tests:
+ self.distribution.scripts.remove
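Review bot: this hunk removes the `disable-2to3` option and the `build_py_2to3`/`build_scripts_2to3` cmdclass wiring, so after it is applied setup.py no longer converts anything itself and the package's `invoke-2to3` phase (`(invoke "./fail2ban-2to3")` before `build`) is the only conversion step left; the phase carries no comment, so state there that it exists because of this patch, otherwise it reads as redundant with setup.py's former `use_2to3` handling.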
This message was truncated. Download the full message here.
muradm wrote on 16 Jul 2022 00:11
[PATCH v4] gnu: admin: Add fail2ban 0.11.2.
(address . 56579@debbugs.gnu.org)
20220715221132.11937-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 181 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 557 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..0a14144059 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,181 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf"))))
+ (add-after 'install 'copy-man-pages
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((man (string-append (assoc-ref outputs "out") "/man"))
+ (install-man
+ (lambda (m)
+ (lambda (f)
+ (install-file
+ (string-append f "." m)
+ (string-append man "/man" m)))))
+ (install-man1 (install-man "1"))
+ (install-man5 (install-man "5")))
+ (with-directory-excursion "man"
+ (for-each install-man1 '("fail2ban"
+ "fail2ban-client"
+ "fail2ban-python"
+ "fail2ban-regex"
+ "fail2ban-server"
+ "fail2ban-testcases"))
+ (for-each install-man5 '("jail.conf")))))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
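Review bot: the new `copy-man-pages` phase installs under `(string-append (assoc-ref outputs "out") "/man")`, i.e. `out/man/man1` and `out/man/man5`, but man(1) and Guix profiles search `share/man`, so this should be `"/share/man"`; the hard-coded list of six man pages could also be replaced by `(find-files "man" "\\.1$")` so it does not go stale when upstream adds a page. The unanchored command regexps in `set-action-dependencies` (`(awk|curl|dig|jq)`, `(cat|echo|grep|head|printf|wc) `, `id -`) are unchanged from v3 and still match inside longer words and comment text in the action.d files; anchor them to a line start or a preceding whitespace/pipe character and re-emit the captured prefix.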
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7
This message was truncated. Download the full message here.
muradm wrote on 17 Jul 2022 04:30
[PATCH v5] gnu: admin: Add fail2ban 0.11.2.
(address . 56579@debbugs.gnu.org)
20220717023040.422-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 195 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 +++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 571 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..4e2b7b081a 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,195 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'fix-default-config
+ (lambda* (#:key outputs #:allow-other-keys)
+ (for-each
+ (lambda (f)
+ (substitute* f
+ (("/etc/fail2ban")
+ (string-append
+ (assoc-ref outputs "out")
+ "/etc/fail2ban"))))
+ '("config/paths-common.conf"
+ "fail2ban/tests/utils.py"
+ "fail2ban/client/configreader.py"
+ "fail2ban/client/fail2bancmdline.py"
+ "fail2ban/client/fail2banregex.py"))))
+ (add-after 'fix-default-config 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf"))))
+ (add-after 'install 'copy-man-pages
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((man (string-append (assoc-ref outputs "out") "/man"))
+ (install-man
+ (lambda (m)
+ (lambda (f)
+ (install-file
+ (string-append f "." m)
+ (string-append man "/man" m)))))
+ (install-man1 (install-man "1"))
+ (install-man5 (install-man "5")))
+ (with-directory-excursion "man"
+ (for-each install-man1 '("fail2ban"
+ "fail2ban-client"
+ "fail2ban-python"
+ "fail2ban-regex"
+ "fail2ban-server"
+ "fail2ban-testcases"))
+ (for-each install-man5 '("jail.conf")))))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
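Review bot: the command-rewriting regexes in the 'set-action-dependencies phase are unanchored, so `(("(awk|curl|dig|jq)" all cmd) (bin cmd))` also rewrites those letter sequences wherever they occur inside longer words or comment text in the action.d files, not only where a command is invoked; anchoring them to a leading space, start of line or `=` the way the `(("(cat|echo|grep|head|printf|wc) " all cmd) ...)` rule does would avoid surprising edits. Two smaller points: `(("mail -E") (string-append sendmail " -E"))` swaps the sendmail binary in for the `mail` user agent that the CVE-2021-32749 patch invokes with `-E 'set escape' -s`, and the two programs do not share those options, so please confirm the `sendmail` input provides a compatible `mail` client or the ban notifications will fail at run time; and `(license license:gpl2)` should be checked against the source headers, which carry the "or any later version" wording mentioned later in this thread and would make it `gpl2+`.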
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
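Review bot: the patch file carries no header comment saying what it fixes or where it comes from; Guix patch files conventionally open with a short note naming the CVE (CVE-2021-32749, as in the file name) and the upstream commit URL (the `From 410a6ce5c80dd981c22752da034f2529b5eee844` line gives the hash), which lets the next updater verify that a later release already contains the fix and drop the patch. Note also that the `config/action.d/dshield.conf` hunk patches a file that the 'set-action-dependencies phase in admin.scm deletes, so it has no effect on the built package; harmless, but worth a word in the phase comment so nobody tries to "fix" the mismatch later.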
diff --git a/gnu/packages/patches/fail2ba
This message was truncated.
Jean Pierre De Jesus DIAZ wrote on 17 Jul 2022 15:48
[PATCH] gnu: admin: Add fail2ban 0.11.2.
sE5Pxddee_FMO-j1th3cmyr5VP6QpIXxaqEURcno3i7s_nY9lc8bWcxVZ7wxPc-rBPK6POdqtHLTAH3IU9yk4brE1GYbpRjrd284L5GRrYc=@jeandudey.tech
Hello muradm!

>+ (arguments
>+ '(#:phases (modify-phases %standard-phases

I think you can benefit a little bit from using G-Expressions here:

(arguments
(list #:phases
#~(modify-phases %standard-phases
...)))

For example:

>+ (let* ((awk (assoc-ref inputs "gawk"))
>+ (awk (string-append awk "/bin/awk"))

Could be replaced by:

(let* ((awk (string-append #$gawk "/bin/awk"))))

Applies to others too. Could save some vertical space.

Jean-Pierre De Jesus DIAZ
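The G-expression style suggested above, applied to two phases of the fail2ban package as an added illustration that is not code from the patch or from the thread. It assumes the module already imports (guix gexp), and it replaces the `(assoc-ref outputs "out")` and `(assoc-ref inputs ...)` lookups with `#$output` and `this-package-input`, which the build system expands to store paths at build time:

```scheme
;; Added example (not from the patch): the fail2ban 'fix-default-config and
;; 'set-action-dependencies phases written with G-expressions.  Assumes the
;; enclosing module already does (use-module (guix gexp)).
(arguments
 (list
  #:phases
  #~(modify-phases %standard-phases
      ;; Point the default configuration directory at this package's output.
      ;; #$output expands to the store path of the "out" output.
      (add-before 'install 'fix-default-config
        (lambda _
          (substitute* '("config/paths-common.conf"
                         "fail2ban/client/configreader.py"
                         "fail2ban/client/fail2bancmdline.py"
                         "fail2ban/client/fail2banregex.py")
            (("/etc/fail2ban")
             (string-append #$output "/etc/fail2ban")))))
      ;; Hard-wire the awk binary used by action.d scripts.
      ;; (this-package-input "gawk") yields the package object of the input
      ;; labelled "gawk", and #$ turns it into its store path.
      (add-after 'fix-default-config 'set-action-dependencies
        (lambda _
          (substitute* (find-files "config/action.d" "\\.conf$")
            (("awk ")
             (string-append #$(this-package-input "gawk")
                            "/bin/awk "))))))))
```

Because the phase bodies no longer need the `inputs` and `outputs` keyword arguments, the lambdas shrink to `(lambda _ ...)`, which is where the vertical space saving comes from.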
muradm wrote on 17 Jul 2022 18:13
(name . Jean Pierre De Jesus DIAZ)(address . me@jeandudey.tech)(name . 56579@debbugs.gnu.org)(address . 56579@debbugs.gnu.org)
87k08bra06.fsf@muradm.net
Hi, I think you are commenting on initial versions.
Please refer to last v5, which is quite crafted.

Jean Pierre De Jesus DIAZ <me@jeandudey.tech> writes:

> Hello muradm!
>
>>+ (arguments
>>+ '(#:phases (modify-phases %standard-phases
>
> I think you can benefit a little bit from using G-Expressions
> here:
>
> (arguments
> (list #:phases
> #~(modify-phases %modify-phases
> ...)))
>
> For example:
>
>>+ (let* ((awk (assoc-ref inputs "gawk"))
>>+ (awk (string-append awk
>>"/bin/awk"))
>
> Could be replaced by:
>
> (let* ((awk (string-append #$gawk "/bin/awk"))))
>
> Applies to others too. Could save some vertical space.
>
> —
> Jean-Pierre De Jesus DIAZ

Ludovic Courtès wrote on 1 Aug 2022 17:19
Re: bug#56579: [PATCH] gnu: admin: Add fail2ban 0.11.2.
(name . muradm)(address . mail@muradm.net)(address . 56579-done@debbugs.gnu.org)
87mtcovvnv.fsf_-_@gnu.org
Hi,

muradm <mail@muradm.net> writes:

> * gnu/packages/admin.scm (fail2ban): New variable.
> ---
> gnu/packages/admin.scm | 195 ++++++++++++++++++
> .../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++
> ...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++
> .../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
> .../patches/fail2ban-paths-guix-conf.patch | 32 +++
> .../fail2ban-python310-server-action.patch | 27 +++
> .../fail2ban-python310-server-actions.patch | 25 +++
> .../fail2ban-python310-server-jails.patch | 25 +++
> 8 files changed, 571 insertions(+)
> create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
> create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
> create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
> create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
> create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
> create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
> create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

Applied with minimal changes: added the patches to ‘gnu/local.mk’,
changed (for-each (lambda (f) (substitute* f …)) files) to
(substitute* files …), changed ‘coreutils’ to ‘coreutils-minimal’,
changed license to ‘gpl2+’ since headers carry the “or any later
version” wording, and tweaked indentation.

Thanks!

Ludo’.