Commit Graph

13 Commits

Author SHA1 Message Date
Fabrice Fontaine
6a7decee50 package/fail2ban: fix CVE-2021-32749
fail2ban is a daemon to ban hosts that cause multiple authentication
errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0
through 0.11.2, there is a vulnerability that leads to possible remote
code execution in the mailing action mail-whois. The command `mail` from
the mailutils package, used in mail actions like `mail-whois`, can execute
commands if unescaped sequences (`\n~`) are available in "foreign" input
(for instance in whois output). To exploit the vulnerability, an
attacker would need to insert malicious characters into the response
sent by the whois server, either via a MITM attack or by taking over a
whois server. The issue is patched in versions 0.10.7 and 0.11.3. As a
workaround, one may avoid the usage of action `mail-whois` or patch the
vulnerability manually.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-30 23:35:17 +02:00
Fabrice Fontaine
75148bac53 package/fail2ban: add SELinux module
Support for fail2ban is added by the services/fail2ban module in the
SELinux refpolicy.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-26 22:08:08 +02:00
Fabrice Fontaine
2f1cf2eb83 package/fail2ban: bump to version 0.11.2
https://github.com/fail2ban/fail2ban/blob/0.11.2/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-04-06 22:21:44 +02:00
Fabrice Fontaine
4c9f01aff8 package/fail2ban: add FAIL2BAN_CPE_ID_VENDOR
cpe:2.3:a:fail2ban:fail2ban is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afail2ban%3Afail2ban

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-02-13 22:27:46 +01:00
Peter Korsgaard
084ffc69be package/fail2ban: fix fail2ban-python symlink
Fixes (reproducible):
http://autobuild.buildroot.net/results/50f/50f199bfe06d054cc6770760e73ac0de594a0670/diffoscope-results.txt

Fail2ban installs the fail2ban-python symlink pointing to the host python
interpreter used to run setup.py, which is naturally not valid at runtime and
breaks the reproducible tests as shown in the diffoscope results:

│ -lrwxrwxrwx   0        0        0        0 2020-10-04 10:50:38.000000 ./usr/bin/fail2ban-python -> /home/naourr/work/instance-0/output-1/host/bin/python
│ +lrwxrwxrwx   0        0        0        0 2020-10-04 10:50:38.000000 ./usr/bin/fail2ban-python -> /home/naourr/work/instance-0/output-2/host/bin/python

As a workaround, update the symlink after installation to point to the
correct target python.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-08 22:12:58 +02:00
Pascal de Bruijn
bdc9364ffa package/fail2ban: The (host-python3) 2to3 utility needs to be present
During _POST_PATCH_HOOKS _DEPENDENCIES aren't guaranteed to be built,
however during _PRE_CONFIGURE_HOOKS they should be built.

Should fix:
http://autobuild.buildroot.net/results/dd8e225e2a49cfa6735bed11459007003a37c137/
http://autobuild.buildroot.net/results/e688c3652bd474ac682984e2e5947701942f0f57/

Cc: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-26 16:35:43 +01:00
Pascal de Bruijn
b6e0aaa544 package/fail2ban: add conditional python-systemd dependency
fail2ban needs python-systemd for its systemd backend to
be able to read logs from systemd/journald.

Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-03 18:24:27 +01:00
Pascal de Bruijn
2d66602638 package/fail2ban: add python3 support
The fail2ban codebase is still native python2, but 2to3 is supported
upstream.

Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
[Peter: ensure host-python3 is available]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-03 18:12:34 +01:00
Angelo Compagnucci
b7a024372d package/fail2ban: bump to version 0.11.1
This patch bumps fail2ban to version 0.11.1.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-02 00:17:29 +01:00
Pascal de Bruijn
d2139a73a1 package/fail2ban: bump version to 0.10.5
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-21 21:07:49 +01:00
Jérémy Rosen
1640fca208 package: rely on systemctl preset-all for upstream-provided services
All these packages have an upstream-provided service, but buildroot
manually enabled the services in exactly the same way as the [Install]
section.

This is not needed anymore.

Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
[yann.morin.1998@free.fr: fix check-package errors]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2019-12-18 18:33:22 +01:00
Angelo Compagnucci
d46985a736 package/fail2ban: add fixup for default configuration
fail2ban default configuration is not compatible with buildroot as is.
In order to not force the user to overwrite it in an overlay and
having a fail2ban service running out of the box, this patch adds a
fixup step to adapt the default configuration to running on buildroot.

The dbfile is None to not add a dependency on
BR2_PACKAGE_PYTHON_SQLITE.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-28 17:52:50 +01:00
Angelo Compagnucci
3311064278 package/fail2ban: new package
Fail2ban scans log files (e.g. /var/log/apache/error_log)
and bans IPs that show malicious behaviours.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[Thomas: simplify $(SED) expression by using comma as a separator
instead of slash.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-11-25 09:32:06 +01:00