-rw-r--r-- | recipes-security/fail2ban/fail2ban_0.10.0.bb | 41 | ||||
-rwxr-xr-x | recipes-security/fail2ban/files/fail2ban_setup.py | 175 | ||||
-rw-r--r-- | recipes-security/fail2ban/files/initd | 98 |
3 files changed, 314 insertions, 0 deletions
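--- /dev/null
+++ b/recipes-security/fail2ban/fail2ban_0.10.0.bb
@@ -0,0 +1,41 @@
+SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
+DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
+many failed login attempts. It does this by updating system firewall rules to reject new \
+connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
+out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
+and is easy to configure to read any log file you choose, for any error you choose."
+HOMEPAGE = "http://www.fail2ban.org"
+
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
+
+SRCREV ="c60784540c5307d16cdc136ace5b395961492e73"
+SRC_URI = " \
+    git://github.com/fail2ban/fail2ban.git;branch=0.10 \
+    file://initd \
+    file://fail2ban_setup.py \
+"
+
+inherit update-rc.d setuptools
+
+S = "${WORKDIR}/git"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "fail2ban-server"
+INITSCRIPT_PARAMS = "defaults 25"
+
+do_compile_prepend () {
+    cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
+}
+
+do_install_append () {
+    install -d ${D}/${sysconfdir}/fail2ban
+    install -d ${D}/${sysconfdir}/init.d
+    install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+}
+
+FILES_${PN} += "/run"
+
+INSANE_SKIP_${PN}_append = "already-stripped"
+
+RDEPENDS_${PN} = "sysklogd iptables sqlite3 python python-pyinotify"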
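Review bot: `INSANE_SKIP_${PN}_append = "already-stripped"` has no leading space, so if INSANE_SKIP_${PN} is already set elsewhere the two values are glued into a single token; write it as `INSANE_SKIP_${PN}_append = " already-stripped"`. `LICENSE = "GPL-2.0"` does not match the header of the setup.py added in this same commit, which grants version 2 "or (at your option) any later version", so `LICENSE = "GPL-2.0+"` looks like the intended value and should be checked against COPYING. The initd file in this commit sources /etc/init.d/functions and uses `status`, `echo_success` and `echo_failure` from it, but RDEPENDS_${PN} does not name the package that provides that file (on OpenEmbedded presumably initscripts-functions). Minor style: `SRCREV ="..."` is missing the space before `=`, and `${D}/${sysconfdir}` in do_install_append yields a doubled slash while the next line uses `${D}${sysconfdir}`.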
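--- /dev/null
+++ b/recipes-security/fail2ban/files/fail2ban_setup.py
@@ -0,0 +1,175 @@
+#!/usr/bin/env python
+# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+# vi: set ft=python sts=4 ts=4 sw=4 noet :
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
+__license__ = "GPL"
+
+import platform
+
+try:
+	import setuptools
+	from setuptools import setup
+	from setuptools.command.install import install
+	from setuptools.command.install_scripts import install_scripts
+except ImportError:
+	setuptools = None
+	from distutils.core import setup
+
+# all versions
+from distutils.command.build_py import build_py
+from distutils.command.build_scripts import build_scripts
+if setuptools is None:
+	from distutils.command.install import install
+	from distutils.command.install_scripts import install_scripts
+try:
+	# python 3.x
+	from distutils.command.build_py import build_py_2to3
+	from distutils.command.build_scripts import build_scripts_2to3
+	_2to3 = True
+except ImportError:
+	# python 2.x
+	_2to3 = False
+
+import os
+from os.path import isfile, join, isdir, realpath
+import sys
+import warnings
+from glob import glob
+
+from fail2ban.setup import updatePyExec
+
+if setuptools and "test" in sys.argv:
+	import logging
+	logSys = logging.getLogger("fail2ban")
+	hdlr = logging.StreamHandler(sys.stdout)
+	fmt = logging.Formatter("%(asctime)-15s %(message)s")
+	hdlr.setFormatter(fmt)
+	logSys.addHandler(hdlr)
+	if set(["-q", "--quiet"]) & set(sys.argv):
+		logSys.setLevel(logging.CRITICAL)
+		warnings.simplefilter("ignore")
+		sys.warnoptions.append("ignore")
+	elif set(["-v", "--verbose"]) & set(sys.argv):
+		logSys.setLevel(logging.DEBUG)
+	else:
+		logSys.setLevel(logging.INFO)
+elif "test" in sys.argv:
+	print("python distribute required to execute fail2ban tests")
+	print("")
+
+longdesc = '''
+Fail2Ban scans log files like /var/log/pwdfail or
+/var/log/apache/error_log and bans IP that makes
+too many password failures. It updates firewall rules
+to reject the IP address or executes user defined
+commands.'''
+
+if setuptools:
+	setup_extra = {
+		'test_suite': "fail2ban.tests.utils.gatherTests",
+		'use_2to3': True,
+	}
+else:
+	setup_extra = {}
+
+data_files_extra = []
+
+# Installing documentation files only under Linux or other GNU/ systems
+# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
+# installation there (see e.g. #1233)
+platform_system = platform.system().lower()
+doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
+if platform_system in ('solaris', 'sunos'):
+	doc_files.append('README.Solaris')
+if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
+	data_files_extra.append(
+		('/usr/share/doc/fail2ban', doc_files)
+	)
+
+# Get version number, avoiding importing fail2ban.
+# This is due to tests not functioning for python3 as 2to3 takes place later
+exec(open(join("fail2ban", "version.py")).read())
+
+setup(
+	name = "fail2ban",
+	version = version,
+	description = "Ban IPs that make too many password failures",
+	long_description = longdesc,
+	author = "Cyril Jaquier & Fail2Ban Contributors",
+	author_email = "cyril.jaquier@fail2ban.org",
+	url = "http://www.fail2ban.org",
+	license = "GPL",
+	platforms = "Posix",
+	cmdclass = {
+		'build_py': build_py, 'build_scripts': build_scripts,
+	},
+	scripts = [
+		'bin/fail2ban-client',
+		'bin/fail2ban-server',
+		'bin/fail2ban-regex',
+		'bin/fail2ban-testcases',
+		# 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
+	],
+	packages = [
+		'fail2ban',
+		'fail2ban.client',
+		'fail2ban.server',
+		'fail2ban.tests',
+		'fail2ban.tests.action_d',
+	],
+	package_data = {
+		'fail2ban.tests':
+			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+				for w in os.walk('fail2ban/tests/files')
+				for f in w[2]] +
+			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+				for w in os.walk('fail2ban/tests/config')
+				for f in w[2]] +
+			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+				for w in os.walk('fail2ban/tests/action_d')
+				for f in w[2]]
+	},
+	data_files = [
+		('/etc/fail2ban',
+			glob("config/*.conf")
+		),
+		('/etc/fail2ban/filter.d',
+			glob("config/filter.d/*.conf")
+		),
+		('/etc/fail2ban/filter.d/ignorecommands',
+			[p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
+		),
+		('/etc/fail2ban/action.d',
+			glob("config/action.d/*.conf") +
+			glob("config/action.d/*.py")
+		),
+		('/etc/fail2ban/fail2ban.d',
+			''
+		),
+		('/etc/fail2ban/jail.d',
+			''
+		),
+		('/var/lib/fail2ban',
+			''
+		),
+	] + data_files_extra,
+	**setup_extra
+)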
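Review bot: The comment `# 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper` refers to a cmdclass this file never defines — `cmdclass` maps only build_py and build_scripts — so either the wrapper was dropped on purpose for this build (in which case the stale comment and the now-unused `install`, `install_scripts` and `updatePyExec` imports should go with it) or bin/fail2ban-python silently never gets installed; presumably the former, but a one-line comment saying so would save the next maintainer the same question. `exec(open(join("fail2ban", "version.py")).read())` never closes the file handle; `with open(join("fail2ban", "version.py")) as fh:` followed by `exec(fh.read())` fixes that, and a comment noting that this exec only ever evaluates the package's own version.py from the source tree at build time makes the intent explicit. The three empty data_files entries pass `''` where the other entries pass a list; distutils still creates the directory because the value is falsy, but `('/etc/fail2ban/fail2ban.d', [])` states that directly and matches the surrounding entries.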
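--- /dev/null
+++ b/recipes-security/fail2ban/files/initd
@@ -0,0 +1,98 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: fail2ban
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Should-Start: $time $network $syslog iptables firehol shorewall ferm
+# Should-Stop: $network $syslog iptables firehol shorewall ferm
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start/Stop fail2ban
+# Description: Start/Stop fail2ban, a daemon to ban hosts that cause multiple authentication errors
+### END INIT INFO
+
+# Source function library.
+. /etc/init.d/functions
+
+# Check that the config file exists
+[ -f /etc/fail2ban/fail2ban.conf ] || exit 0
+
+check_privsep_dir() {
+	# Create the PrivSep empty dir if necessary
+	if [ ! -d /var/run/fail2ban ]; then
+		mkdir /var/run/fail2ban
+		chmod 0755 /var/run/fail2ban
+	fi
+}
+
+FAIL2BAN="/usr/bin/fail2ban-client"
+prog=fail2ban-server
+lockfile=${LOCKFILE-/var/lock/subsys/fail2ban}
+socket=${SOCKET-/var/run/fail2ban/fail2ban.sock}
+pidfile=${PIDFILE-/var/run/fail2ban/fail2ban.pid}
+RETVAL=0
+
+start() {
+	echo -n $"Starting fail2ban: "
+	check_privsep_dir
+	${FAIL2BAN} -x start > /dev/null
+	RETVAL=$?
+	if [ $RETVAL = 0 ]; then
+		touch ${lockfile}
+		echo_success
+	else
+		echo_failure
+	fi
+	echo
+	return $RETVAL
+}
+
+stop() {
+	echo -n $"Stopping fail2ban: "
+	${FAIL2BAN} stop > /dev/null
+	RETVAL=$?
+	if [ $RETVAL = 0 ]; then
+		rm -f ${lockfile} ${pidfile}
+		echo_success
+	else
+		echo_failure
+	fi
+	echo
+	return $RETVAL
+}
+
+reload() {
+	echo "Reloading fail2ban: "
+	${FAIL2BAN} reload
+	RETVAL=$?
+	echo
+	return $RETVAL
+}
+
+# See how we were called.
+case "$1" in
+	start)
+		status -p ${pidfile} ${prog} >/dev/null 2>&1 && exit 0
+		start
+		;;
+	stop)
+		stop
+		;;
+	reload)
+		reload
+		;;
+	restart)
+		stop
+		start
+		;;
+	status)
+		status -p ${pidfile} ${prog}
+		RETVAL=$?
+		[ $RETVAL = 0 ] && ${FAIL2BAN} status
+		;;
+	*)
+		echo $"Usage: fail2ban {start|stop|restart|reload|status}"
+		RETVAL=2
+esac
+
+exit $RETVAL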
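Review bot: The script declares `#!/bin/sh` but uses the bash-only locale-string form `$"..."` in `echo -n $"Starting fail2ban: "`, `echo -n $"Stopping fail2ban: "` and the usage line; under a POSIX sh such as dash or busybox ash the `$` before a double quote is not special and is printed literally, so drop it (`echo -n "Starting fail2ban: "`). `. /etc/init.d/functions` is sourced unconditionally and `status`, `echo_success` and `echo_failure` all come from it, so the script aborts at that line if the file is missing; the recipe in this commit does not declare a runtime dependency on whatever package provides it, which is worth adding or at least noting in a comment next to the source line. In check_privsep_dir the result of `mkdir /var/run/fail2ban` is never checked, so a failed mkdir falls through to `chmod` and then to fail2ban-client with a confusing error; `mkdir /var/run/fail2ban || return 1` would surface the failure where it happens. The `socket` variable is assigned but never used anywhere in the script, so either it is dead or the intended `-s ${socket}` argument to fail2ban-client was lost — presumably the former.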