From patchwork Mon Apr 23 15:05:30 2018
X-Patchwork-Submitter: Angelo Compagnucci
X-Patchwork-Id: 902990
From: Angelo Compagnucci
To: buildroot@buildroot.org
Cc: Angelo Compagnucci
Date: Mon, 23 Apr 2018 17:05:30 +0200
Message-Id: <1524495930-7061-1-git-send-email-angelo@amarulasolutions.com>
Subject: [Buildroot] [PATCH] package/fail2ban: new package

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious behaviours.

Signed-off-by: Angelo Compagnucci
--- package/Config.in | 1 + package/fail2ban/Config.in | 14 ++++++++++++++ package/fail2ban/S60fail2ban | 23 +++++++++++++++++++++++ package/fail2ban/fail2ban.hash | 2 ++ package/fail2ban/fail2ban.mk | 28 ++++++++++++++++++++++++++++ package/fail2ban/fail2ban.service | 17 +++++++++++++++++ 6 files changed, 85 insertions(+) create mode 100644 package/fail2ban/Config.in create mode 100644 package/fail2ban/S60fail2ban create mode 100644 package/fail2ban/fail2ban.hash create mode 100644 package/fail2ban/fail2ban.mk create mode 100644 package/fail2ban/fail2ban.service diff --git a/package/Config.in b/package/Config.in index ecd9b8f..2ff123b 100644 --- a/package/Config.in +++ b/package/Config.in @@ -1700,6 +1700,7 @@ menu "Networking applications" source "package/ejabberd/Config.in" source "package/ethtool/Config.in" source "package/faifa/Config.in" + source "package/fail2ban/Config.in" source "package/fastd/Config.in" source "package/fcgiwrap/Config.in" source "package/flannel/Config.in" diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in new file mode 100644 index 0000000..cf82526
--- /dev/null +++ b/package/fail2ban/Config.in @@ -0,0 +1,14 @@ +config BR2_PACKAGE_FAIL2BAN + bool "fail2ban" + depends on BR2_PACKAGE_PYTHON + help + Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs + that show the malicious signs -- too many password failures, seeking + for exploits, etc. Out of the box Fail2Ban comes with filters for + various services (apache, courier, ssh, etc). + + Fail2Ban is able to reduce the rate of incorrect authentications + attempts however it cannot eliminate the risk that weak authentication + presents. + + https://www.fail2ban.org diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban new file mode 100644 index 0000000..92559e9 --- /dev/null +++ b/package/fail2ban/S60fail2ban @@ -0,0 +1,23 @@ +#!/bin/sh + +case "$1" in + start) + printf "Starting fail2ban: " + start-stop-daemon -S -q -m -p /run/fail2ban.pid \ + -b -x fail2ban-server -- -xf start + [ $? = 0 ] && echo "OK" || echo "FAIL" + ;; + stop) + printf "Stopping fail2ban: " + start-stop-daemon -K -q -p /run/fail2ban.pid + [ $? = 0 ] && echo "OK" || echo "FAIL" + ;; + restart) + "$0" stop + sleep 1 + "$0" start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + ;; +esac diff --git a/package/fail2ban/fail2ban.hash b/package/fail2ban/fail2ban.hash new file mode 100644 index 0000000..eff6457 --- /dev/null +++ b/package/fail2ban/fail2ban.hash @@ -0,0 +1,2 @@ +# sha256 locally computed +sha256 7ee3fd0e94d58c94298718b25e6bcfa96932712b7aa683580e162403f68d40c8 fail2ban-0.10.3.1.tar.gz diff --git a/package/fail2ban/fail2ban.mk b/package/fail2ban/fail2ban.mk new file mode 100644 index 0000000..7e65f1d --- /dev/null +++ b/package/fail2ban/fail2ban.mk 
@@ -0,0 +1,28 @@ +################################################################################ +# +# fail2ban +# +################################################################################ + +FAIL2BAN_VERSION = 0.10.3.1 +FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION)) +FAIL2BAN_LICENSE = GPL-2.0+ +FAIL2BAN_LICENSE_FILES = README.md +FAIL2BAN_SETUP_TYPE = setuptools +FAIL2BAN_INSTALL_TARGET_OPTS = --root=$(TARGET_DIR) --prefix=/usr + +define FAIL2BAN_INSTALL_INIT_SYSV + $(INSTALL) -D -m 755 package/fail2ban/S60fail2ban \ + $(TARGET_DIR)/etc/init.d/S60fail2ban +endef + +define FAIL2BAN_INSTALL_INIT_SYSTEMD + $(INSTALL) -D -m 0644 package/fail2ban/fail2ban.service \ + $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service + mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants + ln -fs ../../../../usr/lib//systemd/system/fail2ban.service \ + $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/fail2ban.service + $(SED) 's/@BINDIR@/\/usr\/bin/g' $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service +endef + +$(eval $(python-package)) diff --git a/package/fail2ban/fail2ban.service b/package/fail2ban/fail2ban.service new file mode 100644 index 0000000..1ec8068 --- /dev/null +++ b/package/fail2ban/fail2ban.service @@ -0,0 +1,17 @@ +[Unit] +Description=Fail2Ban Service +Documentation=man:fail2ban(1) +After=network.target iptables.service firewalld.service ip6tables.service ipset.service +PartOf=iptables.service firewalld.service ip6tables.service ipset.service + +[Service] +Type=simple +ExecStart=/usr/bin/fail2ban-server -xf start +ExecStop=/usr/bin/fail2ban-client stop +ExecReload=/usr/bin/fail2ban-client reload +PIDFile=/run/fail2ban/fail2ban.pid +Restart=on-failure +RestartPreventExitStatus=0 255 + +[Install] +WantedBy=multi-user.target
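Review bot: In package/fail2ban/Config.in the only dependency is BR2_PACKAGE_PYTHON, and nothing selects or mentions a firewall backend, although the fail2ban.service added by this same patch orders the unit after iptables.service, firewalld.service, ip6tables.service and ipset.service. A target built with only this option enabled can match offending IPs in the logs without having any tool on the image to ban them. Either select a backend here or state the runtime requirement in the help text.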
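Review bot: In package/fail2ban/S60fail2ban the start and stop branches only print the result via `[ $? = 0 ] && echo "OK" || echo "FAIL"`, so the script exits 0 even when the banning daemon failed to start and a caller cannot detect that the protection is not running. Propagate the status of start-stop-daemon as the exit code, and add `exit 1` to the `*)` usage branch. Also, `-x fail2ban-server` is a bare name while fail2ban.service uses /usr/bin/fail2ban-server, and the pidfile here is /run/fail2ban.pid while the unit file names /run/fail2ban/fail2ban.pid; use the same absolute path and the same pidfile location in both.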
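Review bot: package/fail2ban/fail2ban.hash carries a single "locally computed" sha256 for fail2ban-0.10.3.1.tar.gz, which only pins whatever the submitter happened to download. Say in the comment where the archive was fetched from, and add a sha256 line for the file named in FAIL2BAN_LICENSE_FILES so that a changed license text is caught on the next version bump.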
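Review bot: In FAIL2BAN_INSTALL_INIT_SYSTEMD in package/fail2ban/fail2ban.mk the `$(SED) 's/@BINDIR@/\/usr\/bin/g'` call has nothing to replace, because the fail2ban.service added by this patch already hardcodes /usr/bin and contains no @BINDIR@ placeholder; drop that line. The symlink target `../../../../usr/lib//systemd/system/fail2ban.service` has a doubled slash. FAIL2BAN_LICENSE_FILES = README.md points at a readme rather than a license text; if the tarball carries a dedicated license file, list that instead.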
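Review bot: package/fail2ban/fail2ban.service sets PIDFile=/run/fail2ban/fail2ban.pid, but nothing in the unit creates /run/fail2ban (there is no RuntimeDirectory= and no ExecStartPre), and with Type=simple plus the foreground `-xf start` invocation systemd tracks the main process directly and has no use for a PIDFile. Add RuntimeDirectory=fail2ban if the daemon needs that directory, or drop the PIDFile line. The [Service] section also has no sandboxing directives; since this daemon parses log lines that remote clients can influence, it is worth checking which hardening options are compatible with its ban actions.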