initial import

fail2ban/PKGBUILD

@@ -0,0 +1,113 @@
+# Maintainer: Jesus E. <heckyel@riseup.net>
+
+pkgname=fail2ban
+pkgver=0.11.2
+_debver=$pkgver
+_debrel=2
+pkgrel=2
+pkgdesc="Bans IPs after too many failed authentication attempts"
+url='https://www.fail2ban.org/'
+license=('GPL-2')
+arch=('any')
+depends=('nftables' 'python-pyinotify' 'whois' 'sqlite' 'logrotate')
+makedepends=('python-setuptools' 'quilt')
+backup=(etc/fail2ban/fail2ban.conf
+        etc/fail2ban/jail.conf
+        etc/logrotate.d/fail2ban
+        etc/conf.d/fail2ban)
+source=("${pkgname}-${pkgver}.tar.gz::https://github.com/fail2ban/$pkgname/archive/${pkgver}.tar.gz"
+        "https://deb.debian.org/debian/pool/main/f/fail2ban/fail2ban_${_debver}-${_debrel}.debian.tar.xz"
+        "fail2ban-0.11.2_CVE-2021-32749.patch"
+        "fail2ban.confd"
+        "fail2ban.logrotate"
+        "fail2ban.initd"
+        "fail2ban.run"
+	"jail.conf.patch"
+        "ssh.jaild"
+        "sshd.filterd"
+        "sshd-ddos.filterd"
+        "paths-hyperbola.conf")
+sha512sums=('46b27abd947b00ea64106dbac563ef8afef38eec86684024d47d9a0e8c1969ff864ad6df7f4f8de2aa3eb1af6d769fb6796592d9f0e35521d5f95f17b8cade97'
+            '59229a28ee7bab521a1422b245f0dd970db172c8878346779340b6c574979b5bbd0cfbef1316c22d9546922c28029e3273159189974e4a3a53226b6e50149b91'
+            '994de8a4fdd4535607cd1b21553266de015b57bdb7f84f931973cb4b3cadd93fb2fda2d402a4ecccf505dffabf146cd9eae2cd0b635c3cb3dfa2d312539d41be'
+            'f23df51fe1d2ef89448529e16bca61a2acaa9967490724c2dab559d7d601784057fb77e84343687f36cf57dc035f01b84405d7e48f1706942f7671ab528be858'
+            'ee1c229db970239ebc707cd484a650fcf2347c70b411728ee2a4a35a72f4118cfccecf2a221275603320e0332efcc16e4979201933cec1aef1c5d5a082fc4940'
+            '5c3fad0a89b43853f00689a3ecafeeef889f3057999eafc66aceaaf92e8081ca9a126dadbf7f6724ba769436954f878e3a564479288cf8c4a606f1b1ac5342da'
+            '1b10bd72966f15512a8db7aec4025b3bd4e1d4065b6da4f3b9bc0f9e1e8fe09b1dbcffb81acc89151e54e8061bd79cc3f22af68e431a623dbec8456bd7c0bbd7'
+            '84d10adb43e68ea2786621b39ae5faa7425c7bff0bfc747528df54d1bb1f40cd62678afaaa794e5d4a3c2d22cdf3eb73f19f71c19206484f4cdf0294f2b253e0'
+            '5ed2c3641650bbf35962d7616e93649e82af48778d8eeca96f47cb50ede4cd81173454ca422c032809d79b317718c7b1e3386e6fbbf7e24df87e64a37cb552a5'
+            '3e8e08d5e349e857b51ce34a9d968f16661b34e1cec06bec0aa9a32723bbe9be5a9890dd479331a9cc860821d33b1bf3b8e995182e319dead5a3d434b1816304'
+            '36a81b771be0b36fe0dfb5ee4c72c9cb5b504e110618a8eb6f0f241b4e57d92df01dc5cc04b6b68d5bc6a5e6d68de1000092770285d7a328e5937e50b4b226a3'
+            '911178352bd41e1d2428097758278424c712ece8150de10abf9e0ade52a97ad975634342b3ff422ee4851364d61d7a1546e75a27fe7270bea88dc2b9d8dee99a')
+
+prepare() {
+  cd $pkgname-$pkgver
+
+  if [[ $pkgver = $_debver ]]; then
+    # Debian patches
+    export QUILT_PATCHES=debian/patches
+    export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index'
+    export QUILT_DIFF_ARGS='--no-timestamps'
+
+    mv "$srcdir"/debian .
+
+    # Doesn't apply
+    rm -v debian/patches/deb_manpages_reportbug || true
+    rm -v debian/patches/deb_no_iptables_service || true
+    rm -v debian/patches/python3-test-suite.diff || true
+    rm -v debian/patches/fix-mail.patch || true
+
+    quilt push -av
+  fi
+
+  sed -i 's/^before = paths-debian.conf/before = paths-hyperbola.conf/' config/jail.conf
+  sed -i 's|self.install_dir|"/usr/bin"|' setup.py
+  patch -Np1 -i "$srcdir/fail2ban-0.11.2_CVE-2021-32749.patch"
+
+  # Use nftables by default
+  patch -Np1 -i "$srcdir/jail.conf.patch"
+}
+
+build() {
+  cd $pkgname-$pkgver
+  ./fail2ban-2to3
+  python setup.py build
+}
+
+package() {
+  cd $pkgname-$pkgver
+  python setup.py install --prefix /usr --root "$pkgdir" --optimize=1
+
+  install -Dm0755 "$srcdir"/fail2ban.run \
+    "$pkgdir"/etc/sv/fail2ban/run
+  install -Dm755 $srcdir/fail2ban.initd \
+    "$pkgdir"/etc/init.d/fail2ban
+  install -Dm644 "$srcdir"/fail2ban.confd \
+    "$pkgdir"/etc/conf.d/fail2ban
+  install -Dm644 "$srcdir"/fail2ban.logrotate \
+    "$pkgdir"/etc/logrotate.d/fail2ban
+  install -Dm644 files/bash-completion \
+    "$pkgdir"/usr/share/bash-completion/completions/fail2ban
+  install -Dm644 "$srcdir"/ssh.jaild \
+    "$pkgdir"/etc/fail2ban/jail.d/ssh.conf
+  install -Dm644 "$srcdir"/sshd.filterd \
+    "$pkgdir"/etc/fail2ban/filter.d/sshd.conf
+  install -Dm644 "$srcdir"/sshd-ddos.filterd \
+    "$pkgdir"/etc/fail2ban/filter.d/sshd-ddos.conf
+
+  chmod o+r "$pkgdir"/usr/lib/python3*/site-packages/fail2ban*.egg-info/*
+
+  install -Dm644 man/fail2ban.1 "$pkgdir"/usr/share/man/man1/fail2ban.1
+  install -Dm644 man/fail2ban-client.1 \
+    "$pkgdir"/usr/share/man/man1/fail2ban-client.1
+  install -Dm644 man/fail2ban-regex.1 \
+    "$pkgdir"/usr/share/man/man1/fail2ban-regex.1
+  install -Dm644 man/fail2ban-server.1 \
+    "$pkgdir"/usr/share/man/man1/fail2ban-server.1
+  install -Dm644 man/jail.conf.5 "$pkgdir"/usr/share/man/man5/jail.conf.5
+
+  cp "$srcdir"/paths-hyperbola.conf "$pkgdir"/etc/$pkgname
+  rm "$pkgdir"/etc/$pkgname/paths-{osx,debian,freebsd,arch,fedora,opensuse}.conf
+  rm -r "$pkgdir/run"
+  install -Dm644 COPYING -t $pkgdir/usr/share/licenses/$pkgname
+}

fail2ban/fail2ban-0.11.2_CVE-2021-32749.patch

@@ -0,0 +1,155 @@
+From 410a6ce5c80dd981c22752da034f2529b5eee844 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Mon, 21 Jun 2021 17:12:53 +0200
+Subject: [PATCH] fixed possible RCE vulnerability, unset escape variable
+ (default tilde) stops consider "~" char after new-line as composing escape
+ sequence
+
+---
+ config/action.d/complain.conf         | 2 +-
+ config/action.d/dshield.conf          | 2 +-
+ config/action.d/mail-buffered.conf    | 8 ++++----
+ config/action.d/mail-whois-lines.conf | 2 +-
+ config/action.d/mail-whois.conf       | 6 +++---
+ config/action.d/mail.conf             | 6 +++---
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
+index 3a5f882c9f..4d73b05859 100644
+--- a/config/action.d/complain.conf
++++ b/config/action.d/complain.conf
+@@ -102,7 +102,7 @@ logpath = /dev/null
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Option:  mailargs
+ # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf
+index c128bef348..3d5a7a53a9 100644
+--- a/config/action.d/dshield.conf
++++ b/config/action.d/dshield.conf
+@@ -179,7 +179,7 @@ tcpflags =
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Option:  mailargs
+ # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
+index 325f185b2f..79b841049c 100644
+--- a/config/action.d/mail-buffered.conf
++++ b/config/action.d/mail-buffered.conf
+@@ -17,7 +17,7 @@ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Output will be buffered until <lines> lines are available.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -28,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
+                  These hosts have been banned by Fail2Ban.\n
+                  `cat <tmpfile>`
+                  Regards,\n
+-                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
++                 Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+                  rm <tmpfile>
+              fi
+              printf %%b "Hi,\n
+              The jail <name> has been stopped.\n
+              Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+                 These hosts have been banned by Fail2Ban.\n
+                 `cat <tmpfile>`
+                 \nRegards,\n
+-                Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
++                Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
+                 rm <tmpfile>
+             fi
+ 
+diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
+index 3a3e56b2c7..d2818cb9b9 100644
+--- a/config/action.d/mail-whois-lines.conf
++++ b/config/action.d/mail-whois-lines.conf
+@@ -72,7 +72,7 @@ actionunban =
+ # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+ # Values:  CMD
+ #
+-mailcmd = mail -s
++mailcmd = mail -E 'set escape' -s
+ 
+ # Default name of the chain
+ #
+diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
+index 7fea34c40d..ab33b616dc 100644
+--- a/config/action.d/mail-whois.conf
++++ b/config/action.d/mail-whois.conf
+@@ -20,7 +20,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -29,7 +29,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+              The jail <name> has been stopped.\n
+              Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n
+             Here is more information about <ip> :\n
+             `%(_whois_command)s`\n
+             Regards,\n
+-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the
+diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
+index 5d8c0e154c..f4838ddcb6 100644
+--- a/config/action.d/mail.conf
++++ b/config/action.d/mail.conf
+@@ -16,7 +16,7 @@ norestored = 1
+ actionstart = printf %%b "Hi,\n
+               The jail <name> has been started successfully.\n
+               Regards,\n
+-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>
++              Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started  on <fq-hostname>" <dest>
+ 
+ # Option:  actionstop
+ # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+@@ -25,7 +25,7 @@ actionstart = printf %%b "Hi,\n
+ actionstop = printf %%b "Hi,\n
+              The jail <name> has been stopped.\n
+              Regards,\n
+-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
++             Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ 
+ # Option:  actioncheck
+ # Notes.:  command executed once before each actionban command
+@@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n
+             The IP <ip> has just been banned by Fail2Ban after
+             <failures> attempts against <name>.\n
+             Regards,\n
+-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
++            Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ 
+ # Option:  actionunban
+ # Notes.:  command executed when unbanning an IP. Take care that the

fail2ban/fail2ban.confd

@@ -0,0 +1,8 @@
+# Config file for /etc/init.d/fail2ban
+#
+# For information on options, see "/usr/bin/fail2ban-client -h".
+
+FAIL2BAN_OPTIONS=""
+
+# Force execution of the server even if the socket already exists:
+#FAIL2BAN_OPTIONS="-x"

fail2ban/fail2ban.initd

@@ -0,0 +1,42 @@
+#!/sbin/openrc-run
+# Copyright 2016 Fail2Ban
+# Copyright 2018 Hyperbola Project
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands="reload showlog"
+
+FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"
+
+depend() {
+	need net
+	need logger
+	after nftables
+}
+
+start() {
+	ebegin "Starting fail2ban"
+	mkdir -p /var/run/fail2ban || return 1
+	# remove stalled sock file after system crash
+	# bug 347477
+	rm -f /var/run/fail2ban/fail2ban.sock || return 1
+	start-stop-daemon --start --pidfile /var/run/fail2ban/fail2ban.pid \
+	-- ${FAIL2BAN} start
+	eend $? "Failed to start fail2ban"
+}
+
+stop() {
+	ebegin "Stopping fail2ban"
+	start-stop-daemon --stop --pidfile /var/run/fail2ban/fail2ban.pid \
+	-- ${FAIL2BAN} stop
+	eend $? "Failed to stop fail2ban"
+}
+
+reload() {
+	ebegin "Reloading fail2ban"
+	${FAIL2BAN} reload
+	eend $? "Failed to reload fail2ban"
+}
+
+showlog(){
+	less /var/log/fail2ban.log
+}

fail2ban/fail2ban.logrotate

@@ -0,0 +1,11 @@
+/var/log/fail2ban.log {
+    daily
+    rotate 7
+    missingok
+    compress
+    postrotate
+	/usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+	chown :wheel /var/log/fail2ban.log
+	chmod 640 /var/log/fail2ban.log
+    endscript
+}

fail2ban/fail2ban.run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec fail2ban-server -xf

fail2ban/jail.conf.patch

@@ -0,0 +1,13 @@
+--- fail2ban-0.11.2/config/jail.conf	2021-09-03 15:31:47.314418681 +0200
++++ fail2ban-0.11.2/config/jail.conf	2021-09-03 15:32:02.510904273 +0200
+@@ -205,8 +205,8 @@
+ # iptables-multiport, shorewall, etc) It is used to define
+ # action_* variables. Can be overridden globally or per
+ # section within jail.local file
+-banaction = iptables-multiport
+-banaction_allports = iptables-allports
++banaction = nftables
++banaction_allports = nftables-allports
+ 
+ # The simplest action to take: ban only
+ action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

fail2ban/paths-hyperbola.conf

@@ -0,0 +1,11 @@
+# Hyperbola
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+[DEFAULT]
+
+sshd_log = /var/log/messages

fail2ban/ssh.jaild

@@ -0,0 +1,13 @@
+[sshd]
+enabled  = true
+filter   = sshd
+port     = ssh
+logpath	 = %(sshd_log)s
+maxretry = 10
+
+[sshd-ddos]
+enabled  = true
+filter   = sshd-ddos
+port     = ssh
+logpath  = %(sshd_log)s
+maxretry = 10

fail2ban/sshd-ddos.filterd

@@ -0,0 +1,26 @@
+# Fail2Ban ssh filter for at attempted exploit
+#
+# The regex here also relates to a exploit:
+#
+#  http://www.securityfocus.com/bid/17958/exploit
+#  The example code here shows the pushing of the exploit straight after
+#  reading the server version. This is where the client version string normally
+#  pushed. As such the server will read this unparsible information as
+#  "Did not receive identification string".
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = Did not receive identification string from <HOST>\s*$
+
+ignoreregex =
+
+[Init]
+

fail2ban/sshd.filterd

@@ -0,0 +1,29 @@
+# Fail2Ban filter for openssh for Alpine
+#
+# If you want to protect OpenSSH from being bruteforced by password
+# authentication then get public key authentication working before disabling
+# PasswordAuthentication in sshd_config.
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = Failed [-/\w]+ for .* from <HOST> port \d* ssh2
+            sshd\[.*\]: Invalid user .* from <HOST> port \d*
+            sshd\[.*\]: Received disconnect from <HOST> port \d*:[0-9]+:  \[preauth\]
+
+ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+