From patchwork Sat Nov 24 23:24:22 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Angelo Compagnucci X-Patchwork-Id: 1002710 Received: from
localhost.localdomain ([37.160.15.84]) by smtp.gmail.com with ESMTPSA id v5sm14827362wrr.11.2018.11.24.15.24.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 24 Nov 2018 15:24:26 -0800 (PST) From: Angelo Compagnucci X-Google-Original-From: Angelo Compagnucci To: buildroot@buildroot.org Date: Sun, 25 Nov 2018 00:24:22 +0100 Message-Id: <20181124232422.16914-1-angelo@amarulasolutions.com> X-Mailer: git-send-email 2.17.1 Subject: [Buildroot] [PATCH v3] package/fail2ban: new package X-BeenThere: buildroot@busybox.net X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Angelo Compagnucci MIME-Version: 1.0 Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious behaviours. Signed-off-by: Angelo Compagnucci --- Changes: v1->v2: * Adding sha256 for license file * getting service file for systemd from source directory v2->v3: * Fixing suggestions made by Thomas Petazzoni DEVELOPERS | 1 + package/Config.in | 1 + package/fail2ban/Config.in | 15 +++++++++++++++ package/fail2ban/S60fail2ban | 23 +++++++++++++++++++++++ package/fail2ban/fail2ban.hash | 3 +++ package/fail2ban/fail2ban.mk | 27 +++++++++++++++++++++++++++ 6 files changed, 70 insertions(+) create mode 100644 package/fail2ban/Config.in create mode 100644 package/fail2ban/S60fail2ban create mode 100644 package/fail2ban/fail2ban.hash create mode 100644 package/fail2ban/fail2ban.mk diff --git a/DEVELOPERS b/DEVELOPERS index 53467da489..277bbab21e 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -146,6 +146,7 @@ F: package/libunwind/ N: Angelo Compagnucci F: package/corkscrew/ +F: package/fail2ban/ F: package/i2c-tools/ F: package/mender/ F: package/mono/ diff --git a/package/Config.in b/package/Config.in index b60e7700ad..88b35cd9f8 100644 --- a/package/Config.in +++ b/package/Config.in 
@@ -1826,6 +1826,7 @@ menu "Networking applications" source "package/ejabberd/Config.in" source "package/ethtool/Config.in" source "package/faifa/Config.in" + source "package/fail2ban/Config.in" source "package/fastd/Config.in" source "package/fcgiwrap/Config.in" source "package/flannel/Config.in" diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in new file mode 100644 index 0000000000..8fa63bfdcb --- /dev/null +++ b/package/fail2ban/Config.in @@ -0,0 +1,15 @@ +config BR2_PACKAGE_FAIL2BAN + bool "fail2ban" + depends on BR2_PACKAGE_PYTHON + help + Fail2ban scans log files (e.g. /var/log/apache/error_log) and + bans IPs that show the malicious signs -- too many password + failures, seeking for exploits, etc. Out of the box Fail2Ban + comes with filters for various services (apache, courier, + ssh, etc). + + Fail2Ban is able to reduce the rate of incorrect + authentications attempts however it cannot eliminate the risk + that weak authentication presents. + + https://www.fail2ban.org diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban new file mode 100644 index 0000000000..b181ecde2c --- /dev/null +++ b/package/fail2ban/S60fail2ban @@ -0,0 +1,23 @@ +#!/bin/sh + +case "$1" in + start) + printf "Starting fail2ban: " + start-stop-daemon -S -q -m -p /var/run/fail2ban.pid \ + -b -x fail2ban-server -- -xf start + [ $? = 0 ] && echo "OK" || echo "FAIL" + ;; + stop) + printf "Stopping fail2ban: " + start-stop-daemon -K -q -p /var/run/fail2ban.pid + [ $? = 0 ] && echo "OK" || echo "FAIL" + ;; + restart) + "$0" stop + sleep 1 + "$0" start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + ;; +esac diff --git a/package/fail2ban/fail2ban.hash b/package/fail2ban/fail2ban.hash new file mode 100644 index 0000000000..25d120c115 --- /dev/null +++ b/package/fail2ban/fail2ban.hash 
@@ -0,0 +1,3 @@ +# sha256 locally computed +sha256 d6ca1bbc7e7944f7acb2ba7c1065953cd9837680bc4d175f30ed155c6a372449 fail2ban-0.10.4.tar.gz +sha256 a75fec0260742fe6275d63ff6a5d97b924b28766558306b3fa4069763096929b COPYING diff --git a/package/fail2ban/fail2ban.mk b/package/fail2ban/fail2ban.mk new file mode 100644 index 0000000000..99c614e076 --- /dev/null +++ b/package/fail2ban/fail2ban.mk @@ -0,0 +1,27 @@ +################################################################################ +# +# fail2ban +# +################################################################################ + +FAIL2BAN_VERSION = 0.10.4 +FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION)) +FAIL2BAN_LICENSE = GPL-2.0+ +FAIL2BAN_LICENSE_FILES = COPYING +FAIL2BAN_SETUP_TYPE = distutils + +define FAIL2BAN_INSTALL_INIT_SYSV + $(INSTALL) -D -m 755 package/fail2ban/S60fail2ban \ + $(TARGET_DIR)/etc/init.d/S60fail2ban +endef + +define FAIL2BAN_INSTALL_INIT_SYSTEMD + $(INSTALL) -D -m 0644 $(@D)/files/fail2ban.service.in \ + $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service + mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants + ln -fs ../../../../usr/lib//systemd/system/fail2ban.service \ + $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/fail2ban.service + $(SED) 's/@BINDIR@/\/usr\/bin/g' $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service +endef + +$(eval $(python-package))
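Review bot: in package/fail2ban/Config.in the only dependency is `depends on BR2_PACKAGE_PYTHON` and nothing is selected for the ban step, so on a minimal target fail2ban can match offenders in the logs but may have no firewall tool for its ban actions to call. Consider selecting the tool the intended ban action relies on (for example iptables), or at least stating the runtime requirement in the help text. Minor wording in the help: "incorrect authentications attempts" should read "incorrect authentication attempts", and "show the malicious signs" reads better as "show malicious signs".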
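Review bot: in the start) branch of package/fail2ban/S60fail2ban, `-b` makes start-stop-daemon fork into the background before fail2ban-server has actually started, so `[ $? = 0 ] && echo "OK"` reports OK even when the server exits immediately, for instance on a broken jail configuration. For a service whose purpose is to block brute-force attempts, a silent failure to start is worth catching: follow the start with a real liveness check (such as `fail2ban-client ping`) before printing the status. Two smaller points: `-x fail2ban-server` should be the absolute path, which the .mk file already assumes to be /usr/bin, and the `*)` usage branch should end with `exit 1` so callers can tell a bad argument from success.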
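Review bot: in FAIL2BAN_INSTALL_INIT_SYSTEMD in package/fail2ban/fail2ban.mk, the symlink target `../../../../usr/lib//systemd/system/fail2ban.service` has a doubled slash; it resolves, but should be `usr/lib/systemd`. The `$(SED)` line is easier to read and less error-prone with a different delimiter, e.g. `'s,@BINDIR@,/usr/bin,g'`, and it should be wrapped like the other long lines. It only substitutes @BINDIR@, so please confirm fail2ban.service.in carries no other @...@ placeholders that would end up verbatim in the installed unit.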