[PATCH] gnu: admin: Add fail2ban 0.11.2.

Status: Done
Participants: Ludovic Courtès, muradm, Jean Pierre De Jesus DIAZ
Owner: unassigned
Submitted by: muradm
Severity: normal
muradm wrote on 15 Jul 2022 20:17
(address . guix-patches@gnu.org)
20220715181703.27416-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 195 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 +++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 571 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..1a342728fa 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,195 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (substitute* "fail2ban/tests/utils.py"
+ (("tests.addTest.unittest.makeSuite.actiontestcase.CommandActionTest..") "")
+ (("tests.addTest.unittest.makeSuite.misctestcase.SetupTest..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.DNSUtilsNetworkTests..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.IgnoreIPDNS..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.GetFailures..") "")
+ (("tests.addTest.unittest.makeSuite.fail2banclienttestcase.Fail2banServerTest..") "")
+ (("tests.addTest.unittest.makeSuite.servertestcase.ServerConfigReaderTests..") ""))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (for-each delete-file
+ '("config/paths-arch.conf"
+ "config/paths-debian.conf"
+ "config/paths-fedora.conf"
+ "config/paths-freebsd.conf"
+ "config/paths-opensuse.conf"
+ "config/paths-osx.conf"
+ "config/action.d/apf.conf"
+ "config/action.d/bsd-ipfw.conf"
+ "config/action.d/dshield.conf"
+ "config/action.d/ipfilter.conf"
+ "config/action.d/ipfw.conf"
+ "config/action.d/firewallcmd-allports.conf"
+ "config/action.d/firewallcmd-common.conf"
+ "config/action.d/firewallcmd-ipset.conf"
+ "config/action.d/firewallcmd-multiport.conf"
+ "config/action.d/firewallcmd-new.conf"
+ "config/action.d/firewallcmd-rich-logging.conf"
+ "config/action.d/firewallcmd-rich-rules.conf"
+ "config/action.d/osx-afctl.conf"
+ "config/action.d/osx-ipfw.conf"
+ "config/action.d/pf.conf"
+ "config/action.d/nginx-block-map.conf"
+ "config/action.d/npf.conf"
+ "config/action.d/shorewall.conf"
+ "config/action.d/shorewall-ipset-proto6.conf"
+ "config/action.d/ufw.conf"))
+ (let* ((awk (assoc-ref inputs "gawk"))
+ (awk (string-append awk "/bin/awk"))
+ (bind-utils (assoc-ref inputs "bind"))
+ (dig (string-append bind-utils "/bin/dig"))
+ (nsupdate (string-append bind-utils "/bin/nsupdate"))
+ (coreutils (assoc-ref inputs "coreutils"))
+ (cat (string-append coreutils "/bin/cat"))
+ (cut (string-append coreutils "/bin/cut"))
+ (date (string-append coreutils "/bin/date"))
+ (echo (string-append coreutils "/bin/echo"))
+ (head (string-append coreutils "/bin/head"))
+ (id (string-append coreutils "/bin/id"))
+ (printf (string-append coreutils "/bin/printf"))
+ (rm (string-append coreutils "/bin/rm"))
+ (tail (string-append coreutils "/bin/tail"))
+ (test (string-append coreutils "/bin/test"))
+ (touch (string-append coreutils "/bin/touch"))
+ (tr (string-append coreutils "/bin/tr"))
+ (truncate (string-append coreutils "/bin/truncate"))
+ (wc (string-append coreutils "/bin/wc"))
+ (curl (assoc-ref inputs "curl"))
+ (curl (string-append curl "/bin/curl"))
+ (grep (assoc-ref inputs "grep"))
+ (grep (string-append grep "/bin/grep"))
+ (jq (assoc-ref inputs "jq"))
+ (jq (string-append jq "/bin/jq"))
+ (iproute2 (assoc-ref inputs "iproute2"))
+ (ip (string-append iproute2 "/bin/ip"))
+ (ipset (assoc-ref inputs "ipset"))
+ (ipset (string-append ipset "/sbin/ipset"))
+ (iptables (assoc-ref inputs "iptables"))
+ (ip6tables (string-append iptables "/sbin/ip6tables"))
+ (iptables (string-append iptables "/sbin/iptables"))
+ (nft (assoc-ref inputs "nftables"))
+ (nft (string-append nft "/sbin/nft"))
+ (perl (assoc-ref inputs "perl"))
+ (perl (string-append nft "/bin/perl"))
+ (sed (assoc-ref inputs "sed"))
+ (sed (string-append sed "/bin/sed"))
+ (sendmail (assoc-ref inputs "sendmail"))
+ (sendmail (string-append sed "/sbin/sendmail"))
+ (whois (assoc-ref inputs "whois"))
+ (whois (string-append whois "/bin/whois")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with mailcmd = mail ...
+ ;; TODO: deal with geoiplookup ..
+ (("awk") awk)
+ (("cat ") (string-append cat " "))
+ (("curl") curl)
+ (("cut -d") (string-append cut " -d"))
+ ((" date ") (string-append " " date " "))
+ (("`date`") (string-append "`" date "`"))
+ (("dig") dig)
+ (("echo ") (string-append echo " "))
+ (("grep ") (string-append grep " "))
+ (("head ") (string-append head " "))
+ (("id -") (string-append id " -"))
+ (("ip -4 addr") (string-append ip " -4 addr"))
+ (("ip -6 addr") (string-append ip " -6 addr"))
+ (("ip route") (string-append ip " route"))
+ (("ipset ") (string-append ipset " "))
+ (("iptables <") (string-append iptables " <"))
+ (("ip6tables <") (string-append ip6tables " <"))
+ (("jq") jq)
+ (("/usr/bin/nsupdate") nsupdate)
+ (("nftables = nft") (string-append "nftables = " nft))
+ (("perl -e") (string-append perl " -e"))
+ (("printf ") (string-append printf " "))
+ ((" rm ") (string-append " " rm " "))
+ ((" sed ") (string-append " " sed " "))
+ (("/usr/sbin/sendmail") sendmail)
+ ((" tail ") (string-append " " tail " "))
+ (("test -e") (string-append test " -e"))
+ ((" touch ") (string-append " " touch " "))
+ ((" tr ") (string-append " " tr " "))
+ (("wc ") (string-append wc " "))
+ (("_whois = whois") (string-append "_whois = " whois))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
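Review bot: two bindings in the `let*` of `set-action-dependencies` build their path from the wrong variable. `(perl (string-append nft "/bin/perl"))` appends to the nft executable path bound just above it, and `(sendmail (string-append sed "/sbin/sendmail"))` appends to the sed executable path. Both yield file names that do not exist, and the `perl -e` and `/usr/sbin/sendmail` substitutions then write them into every file under `config/action.d`, so the affected actions would only fail when a ban fires, not at build time. Each binding should append to its own input directory (`perl`, `sendmail`). Using different names for the input directory and the executable would make this kind of slip easier to spot.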
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban
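Review bot: the new patch file opens directly with the upstream `From 410a6ce5c80dd981c22752da034f2529b5eee844` header and gives no pointer to where that commit can be found. Since this file is the fix for CVE-2021-32749, add a short comment at the top with the upstream location of the commit, so the hunks changing `mail -s` to `mail -E 'set escape' -s` can be compared against upstream during review.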
This message was truncated. Download the full message here.
muradm wrote on 15 Jul 2022 21:02
[PATCH v2] gnu: admin: Add fail2ban 0.11.2.
(address . 56579@debbugs.gnu.org)
20220715190246.29929-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 181 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 557 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..183d0a0cb5 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,181 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (substitute* "fail2ban/tests/utils.py"
+ (("tests.addTest.unittest.makeSuite.actiontestcase.CommandActionTest..") "")
+ (("tests.addTest.unittest.makeSuite.misctestcase.SetupTest..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.DNSUtilsNetworkTests..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.IgnoreIPDNS..") "")
+ (("tests.addTest.unittest.makeSuite.filtertestcase.GetFailures..") "")
+ (("tests.addTest.unittest.makeSuite.fail2banclienttestcase.Fail2banServerTest..") "")
+ (("tests.addTest.unittest.makeSuite.servertestcase.ServerConfigReaderTests..") ""))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (for-each delete-file
+ '("config/paths-arch.conf"
+ "config/paths-debian.conf"
+ "config/paths-fedora.conf"
+ "config/paths-freebsd.conf"
+ "config/paths-opensuse.conf"
+ "config/paths-osx.conf"
+ "config/action.d/apf.conf"
+ "config/action.d/bsd-ipfw.conf"
+ "config/action.d/dshield.conf"
+ "config/action.d/ipfilter.conf"
+ "config/action.d/ipfw.conf"
+ "config/action.d/firewallcmd-allports.conf"
+ "config/action.d/firewallcmd-common.conf"
+ "config/action.d/firewallcmd-ipset.conf"
+ "config/action.d/firewallcmd-multiport.conf"
+ "config/action.d/firewallcmd-new.conf"
+ "config/action.d/firewallcmd-rich-logging.conf"
+ "config/action.d/firewallcmd-rich-rules.conf"
+ "config/action.d/osx-afctl.conf"
+ "config/action.d/osx-ipfw.conf"
+ "config/action.d/pf.conf"
+ "config/action.d/nginx-block-map.conf"
+ "config/action.d/npf.conf"
+ "config/action.d/shorewall.conf"
+ "config/action.d/shorewall-ipset-proto6.conf"
+ "config/action.d/ufw.conf"))
+ (let* ((awk (search-input-file inputs "/bin/awk"))
+ (cat (search-input-file inputs "/bin/cat"))
+ (curl (search-input-file inputs "/bin/curl"))
+ (cut (search-input-file inputs "/bin/cut"))
+ (date (search-input-file inputs "/bin/date"))
+ (dig (search-input-file inputs "/bin/dig"))
+ (echo (search-input-file inputs "/bin/echo"))
+ (grep (search-input-file inputs "/bin/grep"))
+ (head (search-input-file inputs "/bin/head"))
+ (id (search-input-file inputs "/bin/id"))
+ (ip (search-input-file inputs "/sbin/ip"))
+ (ipset (search-input-file inputs "/sbin/ipset"))
+ (ip6tables (search-input-file inputs "/sbin/ip6tables"))
+ (iptables (search-input-file inputs "/sbin/iptables"))
+ (jq (search-input-file inputs "/bin/jq"))
+ (nft (search-input-file inputs "/sbin/nft"))
+ (nsupdate (search-input-file inputs "/bin/nsupdate"))
+ (perl (search-input-file inputs "/bin/perl"))
+ (printf (search-input-file inputs "/bin/printf"))
+ (rm (search-input-file inputs "/bin/rm"))
+ (sed (search-input-file inputs "/bin/sed"))
+ (sendmail (search-input-file inputs "/sbin/sendmail"))
+ (tail (search-input-file inputs "/bin/tail"))
+ (test (search-input-file inputs "/bin/test"))
+ (touch (search-input-file inputs "/bin/touch"))
+ (tr (search-input-file inputs "/bin/tr"))
+ (truncate (search-input-file inputs "/bin/truncate"))
+ (wc (search-input-file inputs "/bin/wc"))
+ (whois (search-input-file inputs "/bin/whois")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("awk") awk)
+ (("cat ") (string-append cat " "))
+ (("curl") curl)
+ (("cut -d") (string-append cut " -d"))
+ ((" date ") (string-append " " date " "))
+ (("`date`") (string-append "`" date "`"))
+ (("dig") dig)
+ (("echo ") (string-append echo " "))
+ (("grep ") (string-append grep " "))
+ (("head ") (string-append head " "))
+ (("id -") (string-append id " -"))
+ (("ip -4 addr") (string-append ip " -4 addr"))
+ (("ip -6 addr") (string-append ip " -6 addr"))
+ (("ip route") (string-append ip " route"))
+ (("ipset ") (string-append ipset " "))
+ (("iptables <") (string-append iptables " <"))
+ (("ip6tables <") (string-append ip6tables " <"))
+ (("jq") jq)
+ (("/usr/bin/nsupdate") nsupdate)
+ (("mail -E") (string-append sendmail " -E"))
+ (("nftables = nft") (string-append "nftables = " nft))
+ (("perl -e") (string-append perl " -e"))
+ (("printf ") (string-append printf " "))
+ ((" rm ") (string-append " " rm " "))
+ ((" sed ") (string-append " " sed " "))
+ (("/usr/sbin/sendmail") sendmail)
+ ((" tail ") (string-append " " tail " "))
+ (("test -e") (string-append test " -e"))
+ ((" touch ") (string-append " " touch " "))
+ ((" tr ") (string-append " " tr " "))
+ (("wc ") (string-append wc " "))
+ (("_whois = whois") (string-append "_whois = " whois))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
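Review bot: in the `substitute*` over `config/action.d`, `(("mail -E") (string-append sendmail " -E"))` turns the patched `mail -E 'set escape' -s` command lines from the CVE-2021-32749 fix into invocations of the sendmail binary with the same arguments. The fix depends on the `mail` program honouring `-E 'set escape'`, so please confirm that the substituted binary interprets `-E` and `-s` the same way, or add an input that provides `mail` and substitute that instead. Otherwise the mitigation may be lost or the mail actions may break. Separately, patterns such as `(("awk") awk)`, `(("curl") curl)`, `(("dig") dig)` and `(("jq") jq)` are unanchored regexps, so they also match inside comments and longer words in those files. Anchoring them on a following space or option, as is done for `cut -d` and `id -`, would limit the rewrite to actual command invocations.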
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+-
This message was truncated. Download the full message here.
muradm wrote on 15 Jul 2022 22:25
[PATCH v3] gnu: admin: Add fail2ban 0.11.2.
(address . 56579@debbugs.gnu.org)
20220715202512.4836-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 162 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 ++++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 538 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..8e16f8256a 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,162 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf")))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
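Review bot: the command-rewriting patterns in the `set-action-dependencies` phase are unanchored, so `(awk|curl|dig|jq)` replaces those letters wherever they occur on any line of any `config/action.d/*.conf` file, including comments, option names and longer words, and `(cat|echo|grep|head|printf|wc) ` fires on any word that merely ends in one of those names (an `egrep ` would become `e` followed by the store path of grep). Consider anchoring each pattern on a word boundary or matching the full command strings the action files actually use, and check the rewritten files for stray store paths before they are installed.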
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
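Review bot: the `-E 'set escape'` added to every `mail` invocation in this patch is an option of the mail(1) client, yet the `set-action-dependencies` phase in admin.scm rewrites `mail -E` to the `sendmail` binary, which leaves `-E 'set escape' -s "<subject>" <dest>` being passed to a program with a different command line. As packaged, it is not evident that these actions deliver mail or that the tilde-escape mitigation described in the commit subject is in effect. Either add a package that provides mail(1) to the inputs and substitute its path, or show that the sendmail input accepts these arguments with the same meaning.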
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7 +48,7 @@
+ from glob import glob
+
+ from fail2ban.setup import updatePyExec
+-
++from fail2ban.version import version
+
+ source_dir = os.path.realpath(os.path.dirname(
+ # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+@@ -112,22 +112,12 @@ def update_scripts(self, dry_run=False):
+ # Wrapper to specify fail2ban own options:
+ class install_command_f2b(install):
+ user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+ ('without-tests', None, 'without tests files installation'),
+ ]
+ def initialize_options(self):
+- self.disable_2to3 = None
+ self.without_tests = not with_tests
+ install.initialize_options(self)
+ def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+ if self.without_tests:
+ self.distribution.scripts.remove
This message was truncated. Download the full message here.
muradm wrote on 16 Jul 2022 00:11
[PATCH v4] gnu: admin: Add fail2ban 0.11.2.
(address . 56579@debbugs.gnu.org)
20220715221132.11937-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 181 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 +++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 +++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 ++++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 557 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..0a14144059 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,181 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf"))))
+ (add-after 'install 'copy-man-pages
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((man (string-append (assoc-ref outputs "out") "/man"))
+ (install-man
+ (lambda (m)
+ (lambda (f)
+ (install-file
+ (string-append f "." m)
+ (string-append man "/man" m)))))
+ (install-man1 (install-man "1"))
+ (install-man5 (install-man "5")))
+ (with-directory-excursion "man"
+ (for-each install-man1 '("fail2ban"
+ "fail2ban-client"
+ "fail2ban-python"
+ "fail2ban-regex"
+ "fail2ban-server"
+ "fail2ban-testcases"))
+ (for-each install-man5 '("jail.conf")))))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
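Review bot: the new `copy-man-pages` phase installs into `<out>/man/man1` and `<out>/man/man5`, because `man` is built as `(string-append (assoc-ref outputs "out") "/man")`, whereas Guix packages install manual pages under `share/man`. Build the directory from `"/share/man"` so the pages are found once the package is in a profile.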
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
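Review bot: this file is created under gnu/packages/patches/, but the diffstat of this revision lists only admin.scm and the seven patch files, with no change to gnu/local.mk. New patches need an entry in `dist_patch_DATA` there, and the commit log should name each added patch file and the local.mk change alongside `(fail2ban): New variable.`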
diff --git a/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
new file mode 100644
index 0000000000..b0b14364b1
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
@@ -0,0 +1,64 @@
+From 5ac303df8a171f748330d4c645ccbf1c2c7f3497 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 19 Sep 2021 18:49:18 +0200
+Subject: [PATCH] fix gh-3098: build fails with error in fail2ban setup
+ command: use_2to3 is invalid (setuptools 58+)
+
+---
+ setup.py | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index f4c2550f6f..98413273c5 100755
+--- a/setup.py
++++ b/setup.py
+@@ -48,7
This message was truncated. Download the full message here.
muradm wrote on 17 Jul 2022 04:30
[PATCH v5] gnu: admin: Add fail2ban 0.11.2.
(address . 56579@debbugs.gnu.org)
20220717023040.422-1-mail@muradm.net
* gnu/packages/admin.scm (fail2ban): New variable.
---
gnu/packages/admin.scm | 195 ++++++++++++++++++
.../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++
...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++
.../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
.../patches/fail2ban-paths-guix-conf.patch | 32 +++
.../fail2ban-python310-server-action.patch | 27 +++
.../fail2ban-python310-server-actions.patch | 25 +++
.../fail2ban-python310-server-jails.patch | 25 +++
8 files changed, 571 insertions(+)
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 88cb8fded9..4e2b7b081a 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@ (define-module (gnu packages admin)
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5231,3 +5234,195 @@ (define-public seatd
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; get rid of absolute paths
+ (substitute* "setup.py"
+ (("/etc/fail2ban") "etc/fail2ban")
+ (("/var/lib/fail2ban") "var/lib/fail2ban")
+ (("\"/usr/bin/\"") "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"") "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'") "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite
+ (lambda (t)
+ (string-append "tests.addTest.unittest.makeSuite." t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest")) "")
+ (((make-suite "misctestcase.SetupTest")) "")
+ (((make-suite "filtertestcase.DNSUtilsNetworkTests")) "")
+ (((make-suite "filtertestcase.IgnoreIPDNS")) "")
+ (((make-suite "filtertestcase.GetFailures")) "")
+ (((make-suite "fail2banclienttestcase.Fail2banServerTest")) "")
+ (((make-suite "servertestcase.ServerConfigReaderTests")) "")))))
+ (patches
+ (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'fix-default-config
+ (lambda* (#:key outputs #:allow-other-keys)
+ (for-each
+ (lambda (f)
+ (substitute* f
+ (("/etc/fail2ban")
+ (string-append
+ (assoc-ref outputs "out")
+ "/etc/fail2ban"))))
+ '("config/paths-common.conf"
+ "fail2ban/tests/utils.py"
+ "fail2ban/client/configreader.py"
+ "fail2ban/client/fail2bancmdline.py"
+ "fail2ban/client/fail2banregex.py"))))
+ (add-after 'fix-default-config 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i) (search-input-file inputs i)))
+ (bin (lambda (i) (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i) (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (for-each
+ (lambda (f)
+ (substitute* f
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all cmd)
+ (string-append " " (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`" (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate") (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail") sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (find-files "config/action.d" "\\.conf$")))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf") "before = paths-guix.conf"))))
+ (add-after 'install 'copy-man-pages
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((man (string-append (assoc-ref outputs "out") "/man"))
+ (install-man
+ (lambda (m)
+ (lambda (f)
+ (install-file
+ (string-append f "." m)
+ (string-append man "/man" m)))))
+ (install-man1 (install-man "1"))
+ (install-man5 (install-man "5")))
+ (with-directory-excursion "man"
+ (for-each install-man1 '("fail2ban"
+ "fail2ban-client"
+ "fail2ban-python"
+ "fail2ban-regex"
+ "fail2ban-server"
+ "fail2ban-testcases"))
+ (for-each install-man5 '("jail.conf")))))))))
+ (inputs (list
+ gawk
+ coreutils
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description "Fail2Ban scans log files like /var/log/auth.log and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for
+a configurable amount of time. Fail2Ban comes out-of-the-box ready to read
+many standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2)))
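Review bot: in 'set-action-dependencies, the substitution (("mail -E") (string-append sendmail " -E")) swaps the program but keeps the -E 'set escape' -s "..." <dest> arguments that fail2ban-0.11.2_CVE-2021-32749.patch writes for mail(1). Please confirm that the packaged sendmail gives -E 'set escape' and -s the same meaning; if it does not, the tilde-escape mitigation is lost and the mail actions may not deliver at all, and a mail(1) implementation should be added to the inputs and substituted here instead. Separately, the first pattern "(awk|curl|dig|jq)" has no delimiter around it, unlike the patterns that follow with their leading or trailing space, so it rewrites those letters wherever they occur in an action file (comments, URLs, longer words); anchoring it on surrounding whitespace would limit it to command invocations.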
diff --git a/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
new file mode 100644
index 0000000000..d3c677918c
--- /dev/null
+++ b/gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf | 2 +-
+ config/action.d/dshield.conf | 2 +-
+ config/action.d/mail-buffered.conf | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf | 6 +++---
+ config/action.d/mail.conf | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Option: mailargs
+ # Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.: Your system mail command. Is passed 2 args: subject and recipient
+ # Values: CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+
+ # Option: actionstop
+ # Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+
+ # Option: actioncheck
+ # Notes.: command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+
+ # Option: actionunban
+ # Notes.: command executed when unbanning an IP. Take care that the
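Review bot: the -E 'set escape' fix lands only in the mailcmd defaults and the actionstart/actionstop/actionban commands of the six shipped files under config/action.d, so a local override that redefines mailcmd or an action with plain "mail -s" is not covered by this patch. A short comment at the top of the patch file, or a sentence in the package description, naming CVE-2021-32749 and stating that custom mail actions need the same option would help administrators who carry their own action files.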
diff --git a/gnu/packages/patches/fail2ba
This message was truncated. Download the full message here.
Jean Pierre De Jesus DIAZ wrote on 17 Jul 2022 15:48
[PATCH] gnu: admin: Add fail2ban 0.11.2.
sE5Pxddee_FMO-j1th3cmyr5VP6QpIXxaqEURcno3i7s_nY9lc8bWcxVZ7wxPc-rBPK6POdqtHLTAH3IU9yk4brE1GYbpRjrd284L5GRrYc=@jeandudey.tech
Hello muradm!

>+ (arguments
>+ '(#:phases (modify-phases %standard-phases

I think you can benefit a little bit from using G-Expressions here:

(arguments
 (list #:phases
       #~(modify-phases %standard-phases
           ...)))

For example:

>+ (let* ((awk (assoc-ref inputs "gawk"))
>+ (awk (string-append awk "/bin/awk"))

Could be replaced by:

(let* ((awk (string-append #$gawk "/bin/awk"))))

Applies to others too. Could save some vertical space.

Jean-Pierre De Jesus DIAZ
muradm wrote on 17 Jul 2022 18:13
(name . Jean Pierre De Jesus DIAZ)(address . me@jeandudey.tech)(name . 56579@debbugs.gnu.org)(address . 56579@debbugs.gnu.org)
87k08bra06.fsf@muradm.net
Hi, I think you are commenting on initial versions.
Please refer to last v5, which is quite crafted.

Jean Pierre De Jesus DIAZ <me@jeandudey.tech> writes:

> Hello muradm!
>
>>+ (arguments
>>+ '(#:phases (modify-phases %standard-phases
>
> I think you can benefit a little bit from using G-Expressions
> here:
>
> (arguments
>  (list #:phases
>        #~(modify-phases %standard-phases
>            ...)))
>
> For example:
>
>>+ (let* ((awk (assoc-ref inputs "gawk"))
>>+ (awk (string-append awk
>>"/bin/awk"))
>
> Could be replaced by:
>
> (let* ((awk (string-append #$gawk "/bin/awk"))))
>
> Applies to others too. Could save some vertical space.
>
> —
> Jean-Pierre De Jesus DIAZ

Ludovic Courtès wrote on 1 Aug 2022 17:19
Re: bug#56579: [PATCH] gnu: admin: Add fail2ban 0.11.2.
(name . muradm)(address . mail@muradm.net)(address . 56579-done@debbugs.gnu.org)
87mtcovvnv.fsf_-_@gnu.org
Hi,

muradm <mail@muradm.net> writes:

> * gnu/packages/admin.scm (fail2ban): New variable.
> ---
> gnu/packages/admin.scm | 195 ++++++++++++++++++
> .../fail2ban-0.11.2_CVE-2021-32749.patch | 155 ++++++++++++++
> ...2ban-0.11.2_fix-setuptools-drop-2to3.patch | 64 ++++++
> .../fail2ban-0.11.2_fix-test-suite.patch | 48 +++++
> .../patches/fail2ban-paths-guix-conf.patch | 32 +++
> .../fail2ban-python310-server-action.patch | 27 +++
> .../fail2ban-python310-server-actions.patch | 25 +++
> .../fail2ban-python310-server-jails.patch | 25 +++
> 8 files changed, 571 insertions(+)
> create mode 100644 gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch
> create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch
> create mode 100644 gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch
> create mode 100644 gnu/packages/patches/fail2ban-paths-guix-conf.patch
> create mode 100644 gnu/packages/patches/fail2ban-python310-server-action.patch
> create mode 100644 gnu/packages/patches/fail2ban-python310-server-actions.patch
> create mode 100644 gnu/packages/patches/fail2ban-python310-server-jails.patch

Applied with minimal changes: added the patches to ‘gnu/local.mk’,
changed (for-each (lambda (f) (substitute* f …)) files) to
(substitute* files …), changed ‘coreutils’ to ‘coreutils-minimal’,
changed license to ‘gpl2+’ since headers carry the “or any later
version” wording, and tweaked indentation.

Thanks!

Ludo’.
Closed

This issue is archived.
