authormuradm <mail@muradm.net>2022-07-17 05:30:40 +0300
committerLudovic Courtès <ludo@gnu.org>2022-08-01 17:20:27 +0200
commitd7e7494bc4d69de9db49488ee812e572c3250211 (patch)
treef8ea83e950b0d55685793554e8b4c1afedc79c0d /gnu/packages/admin.scm
parent18d998ffdb8a64478f984bac479734e3fcc90cc3 (diff)
gnu: Add fail2ban.
* gnu/packages/admin.scm (fail2ban): New variable. * gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch, gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch, gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch, gnu/packages/patches/fail2ban-paths-guix-conf.patch, gnu/packages/patches/fail2ban-python310-server-action.patch, gnu/packages/patches/fail2ban-python310-server-actions.patch, gnu/packages/patches/fail2ban-python310-server-jails.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. Co-authored-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'gnu/packages/admin.scm')
-rw-r--r--gnu/packages/admin.scm217
1 files changed, 217 insertions, 0 deletions
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 571271b5ab..146423d068 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -100,6 +100,7 @@
#:use-module (gnu packages cross-base)
#:use-module (gnu packages crypto)
#:use-module (gnu packages cryptsetup)
+ #:use-module (gnu packages curl)
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages dns)
#:use-module (gnu packages elf)
@@ -134,6 +135,7 @@
#:use-module (gnu packages mcrypt)
#:use-module (gnu packages mpi)
#:use-module (gnu packages ncurses)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages openldap)
#:use-module (gnu packages patchutils)
#:use-module (gnu packages pciutils)
@@ -152,6 +154,7 @@
#:use-module (gnu packages ruby)
#:use-module (gnu packages selinux)
#:use-module (gnu packages serialization)
+ #:use-module (gnu packages sqlite)
#:use-module (gnu packages ssh)
#:use-module (gnu packages sphinx)
#:use-module (gnu packages tcl)
@@ -5230,3 +5233,217 @@ allows applications to use whatever seat management is available.")
mediate access to shared devices, such as graphics and input, for applications
that require it.")
(license license:expat)))
+
+(define-public fail2ban
+ (package
+ (name "fail2ban")
+ (version "0.11.2")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/fail2ban/fail2ban")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "00d9q8m284q2wy6q462nipzszplfbvrs9fhgn0y3imwsc24kv1db"))
+ (modules '((guix build utils)))
+ (snippet
+ '(begin
+ ;; Get rid of absolute file names.
+ (substitute* "setup.py"
+ (("/etc/fail2ban")
+ "etc/fail2ban")
+ (("/var/lib/fail2ban")
+ "var/lib/fail2ban")
+ (("\"/usr/bin/\"")
+ "\"usr/bin/\"")
+ (("\"/usr/lib/fail2ban/\"")
+ "\"usr/lib/fail2ban/\"")
+ (("'/usr/share/doc/fail2ban'")
+ "'usr/share/doc/fail2ban'"))
+ ;; disable tests performing unacceptable side-effects
+ (let ((make-suite (lambda (t)
+ (string-append
+ "tests.addTest.unittest.makeSuite."
+ t ".."))))
+ (substitute* "fail2ban/tests/utils.py"
+ (((make-suite "actiontestcase.CommandActionTest"))
+ "")
+ (((make-suite "misctestcase.SetupTest"))
+ "")
+ (((make-suite
+ "filtertestcase.DNSUtilsNetworkTests"))
+ "")
+ (((make-suite "filtertestcase.IgnoreIPDNS"))
+ "")
+ (((make-suite "filtertestcase.GetFailures"))
+ "")
+ (((make-suite
+ "fail2banclienttestcase.Fail2banServerTest"))
+ "")
+ (((make-suite
+ "servertestcase.ServerConfigReaderTests"))
+ "")))))
+ (patches (search-patches
+ "fail2ban-0.11.2_fix-setuptools-drop-2to3.patch"
+ "fail2ban-python310-server-action.patch"
+ "fail2ban-python310-server-actions.patch"
+ "fail2ban-python310-server-jails.patch"
+ "fail2ban-0.11.2_fix-test-suite.patch"
+ "fail2ban-0.11.2_CVE-2021-32749.patch"
+ "fail2ban-paths-guix-conf.patch"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:phases (modify-phases %standard-phases
+ (add-before 'build 'invoke-2to3
+ (lambda _
+ (invoke "./fail2ban-2to3")))
+ (add-before 'install 'fix-default-config
+ (lambda* (#:key outputs #:allow-other-keys)
+ (substitute* '("config/paths-common.conf"
+ "fail2ban/tests/utils.py"
+ "fail2ban/client/configreader.py"
+ "fail2ban/client/fail2bancmdline.py"
+ "fail2ban/client/fail2banregex.py")
+ (("/etc/fail2ban")
+ (string-append (assoc-ref outputs "out")
+ "/etc/fail2ban")))))
+ (add-after 'fix-default-config 'set-action-dependencies
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; deleting things that are not feasible to fix
+ ;; or won't be used any way
+ (with-directory-excursion "config"
+ (for-each delete-file
+ '("paths-arch.conf"
+ "paths-debian.conf"
+ "paths-fedora.conf"
+ "paths-freebsd.conf"
+ "paths-opensuse.conf"
+ "paths-osx.conf")))
+ (with-directory-excursion "config/action.d"
+ (for-each delete-file
+ '("apf.conf"
+ "bsd-ipfw.conf"
+ "dshield.conf"
+ "ipfilter.conf"
+ "ipfw.conf"
+ "firewallcmd-allports.conf"
+ "firewallcmd-common.conf"
+ "firewallcmd-ipset.conf"
+ "firewallcmd-multiport.conf"
+ "firewallcmd-new.conf"
+ "firewallcmd-rich-logging.conf"
+ "firewallcmd-rich-rules.conf"
+ "osx-afctl.conf"
+ "osx-ipfw.conf"
+ "pf.conf"
+ "nginx-block-map.conf"
+ "npf.conf"
+ "shorewall.conf"
+ "shorewall-ipset-proto6.conf"
+ "ufw.conf")))
+ (let* ((lookup-cmd (lambda (i)
+ (search-input-file inputs i)))
+ (bin (lambda (i)
+ (lookup-cmd (string-append "/bin/" i))))
+ (sbin (lambda (i)
+ (lookup-cmd (string-append "/sbin/" i))))
+ (ip (sbin "ip"))
+ (sendmail (sbin "sendmail")))
+ (substitute* (find-files "config/action.d" "\\.conf$")
+ ;; TODO: deal with geoiplookup ..
+ (("(awk|curl|dig|jq)" all cmd)
+ (bin cmd))
+ (("(cat|echo|grep|head|printf|wc) " all
+ cmd)
+ (string-append (bin cmd) " "))
+ ((" (date|rm|sed|tail|touch|tr) " all
+ cmd)
+ (string-append " "
+ (bin cmd) " "))
+ (("cut -d")
+ (string-append (bin "cut") " -d"))
+ (("`date`")
+ (string-append "`"
+ (bin "date") "`"))
+ (("id -")
+ (string-append (bin "id") " -"))
+ (("ip -([46]) addr" all ver)
+ (string-append ip " -" ver " addr"))
+ (("ip route")
+ (string-append ip " route"))
+ (("ipset ")
+ (string-append (sbin "ipset") " "))
+ (("(iptables|ip6tables) <" all cmd)
+ (string-append (sbin cmd) " <"))
+ (("/usr/bin/nsupdate")
+ (bin "nsupdate"))
+ (("mail -E")
+ (string-append sendmail " -E"))
+ (("nftables = nft")
+ (string-append "nftables = " (sbin "nft")))
+ (("perl -e")
+ (string-append (bin "perl") " -e"))
+ (("/usr/sbin/sendmail")
+ sendmail)
+ (("test -e")
+ (string-append (bin "test") " -e"))
+ (("_whois = whois")
+ (string-append "_whois = " (bin "whois")))))
+ (substitute* "config/jail.conf"
+ (("before = paths-debian.conf")
+ "before = paths-guix.conf"))))
+ (add-after 'install 'copy-man-pages
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((man (string-append (assoc-ref outputs "out")
+ "/man"))
+ (install-man (lambda (m)
+ (lambda (f)
+ (install-file (string-append f
+ "." m)
+ (string-append man
+ "/man" m)))))
+ (install-man1 (install-man "1"))
+ (install-man5 (install-man "5")))
+ (with-directory-excursion "man"
+ (for-each install-man1
+ '("fail2ban"
+ "fail2ban-client"
+ "fail2ban-python"
+ "fail2ban-regex"
+ "fail2ban-server"
+ "fail2ban-testcases"))
+ (for-each install-man5
+ '("jail.conf")))))))))
+ (inputs (list gawk
+ coreutils-minimal
+ curl
+ grep
+ jq
+ iproute
+ ipset
+ iptables
+ `(,isc-bind "utils")
+ nftables
+ perl
+ python-pyinotify
+ sed
+ sendmail
+ sqlite
+ whois))
+ (home-page "http://www.fail2ban.org")
+ (synopsis "Daemon to ban hosts that cause multiple authentication errors")
+ (description
+ "Fail2Ban scans log files like @file{/var/log/auth.log} and bans IP
+addresses conducting too many failed login attempts. It does this by updating
+system firewall rules to reject new connections from those IP addresses, for a
+configurable amount of time. Fail2Ban comes out-of-the-box ready to read many
+standard log files, such as those for sshd and Apache, and is easily
+configured to read any log file of your choosing, for any error you wish.
+
+Though Fail2Ban is able to reduce the rate of incorrect authentication
+attempts, it cannot eliminate the risk presented by weak authentication. Set
+up services to use only two factor, or public/private authentication
+mechanisms if you really want to protect services.")
+ (license license:gpl2+)))
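Review bot: In the `set-action-dependencies` phase, the clause `(("mail -E") (string-append sendmail " -E"))` swaps the `mail` client for the `sendmail` binary but keeps the arguments written for mail(1). The two programs do not share a command line, so the mail-based notification actions are likely to fail or behave differently when a ban fires. The `mail -E` form presumably comes from `fail2ban-0.11.2_CVE-2021-32749.patch` (not shown on this page), in which case the hardened invocation that patch introduces is not what ends up running. Because the origin snippet removes `CommandActionTest` and `Fail2banServerTest` from the suite, the build would not catch this; consider adding an input that provides mail(1) and substituting its path, or deleting the mail actions alongside the other unsupported ones. Separately, the pattern `(awk|curl|dig|jq)` has no word boundary or trailing space, unlike the clauses after it, so it also rewrites those letters inside longer words and comments in `config/action.d`; anchoring it, or a comment such as `;; unanchored on purpose: these names only occur as commands`, would make the intent checkable.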