
fail2ban: 0.10.5 -> 0.11.1 #67931

Merged
merged 6 commits into from Jan 31, 2020

Conversation

Izorkin
Contributor

@Izorkin Izorkin commented Sep 2, 2019

Motivation for this change

Update package to version 0.11.1.
Update service configuration and add options bantime-increment.

In this PR, symlinks are created to the files:

/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf
/etc/fail2ban/paths-common.conf
/etc/fail2ban/paths-debian.conf

And all changes are generated into the files:

/etc/fail2ban/fail2ban/fail2ban.local
/etc/fail2ban/fail2ban/jail.local

See https://github.com/fail2ban/fail2ban/wiki/Proper-fail2ban-configuration

The result is a configuration example with nftables:

  services.fail2ban = {
    enable = false;
    package = pkgs.fail2ban_0_11;
    packageFirewall = pkgs.nftables;
    banaction = "nftables-multiport";
    banaction-allports = "nftables-allport";
    bantime-increment.enable = true;
    ignoreIP = [ "192.168.0.0/16" ];
    daemonConfig = ''
      [Definition]
      loglevel     = DEBUG
      logtarget    = SYSLOG
      socket       = /run/fail2ban/fail2ban.sock
      pidfile      = /run/fail2ban/fail2ban.pid
      dbfile       = /var/lib/fail2ban/fail2ban.sqlite3
    '';
    jails = {
      sshd = ''
        maxretry = 2
        mode     = aggressive
      '';
    };
  };

Result
fail2ban-client status

Status
|- Number of jail:      1
`- Jail list:   sshd

nft list chain inet filter input

table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                tcp dport { 22 } ip saddr @f2b-sshd reject
...
        }
}

nft list set inet filter f2b-sshd

table inet filter {
        set f2b-sshd {
                type ipv4_addr
                elements = { 49.88.112.77, 49.88.112.85,
                             49.88.112.90, 51.75.64.86,
                             51.77.211.94, 92.63.194.26,
                             113.22.213.202, 183.131.82.99,
                             193.32.163.182, 218.98.26.168,
                             218.98.26.178, 218.98.40.142,
                             222.186.15.160, 222.186.30.165,
                             222.186.42.241, 222.186.52.124 }
        }
}

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @
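The `nft list set` output above is the ground truth of what the host is actually blocking, so it is worth checking it against the jail's `ignoreIP` list: fail2ban should never ban an ignored address, and a hit usually means a stale set entry or a mismatch between the fail2ban and nftables configuration. The following is an added example (not code from the PR, nixpkgs, fail2ban or nftables) that parses a dump in the shape shown above and performs that audit; the function names and the sample dump are this example's own.

```python
"""Audit the nftables set that fail2ban populates (added example; not code from
the PR, nixpkgs, fail2ban or nftables).

It parses the text printed by `nft list set inet filter f2b-sshd` into
ipaddress objects and flags any banned entry that overlaps the jail's ignoreIP
list (e.g. "192.168.0.0/16" from the example config).
The function names and the sample dump below are this example's own.
"""
import ipaddress
import re
from typing import Dict, List, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample dump in the same shape as the PR's `nft list set` output.
# Uses documentation ranges plus one RFC 1918 address to trigger the audit.
SAMPLE_NFT_SET = """\
table inet filter {
        set f2b-sshd {
                type ipv4_addr
                elements = { 192.0.2.10, 192.0.2.11,
                             198.51.100.7, 192.168.1.5 }
        }
}
"""


def parse_nft_set(dump: str) -> Dict[str, object]:
    """Return the set name, element type and elements of one `nft list set` dump.

    Elements may be plain addresses or CIDR prefixes; both become networks
    (a plain address becomes a /32 or /128). nft ranges (a-b) are rejected
    rather than silently dropped.
    """
    m_name = re.search(r"^\s*set\s+(\S+)\s*\{", dump, re.M)
    m_type = re.search(r"^\s*type\s+(\S+)", dump, re.M)
    if not (m_name and m_type):
        raise ValueError("input does not look like an nft set listing")
    elements: List[IPNet] = []
    m_elem = re.search(r"elements\s*=\s*\{(.*?)\}", dump, re.S)
    if m_elem:  # an empty set prints no `elements` line at all
        for tok in m_elem.group(1).split(","):
            tok = tok.strip()
            if not tok:
                continue
            if "-" in tok:
                raise ValueError(f"range elements are not handled: {tok}")
            elements.append(ipaddress.ip_network(tok, strict=False))
    return {"name": m_name.group(1), "type": m_type.group(1), "elements": elements}


def banned_but_ignored(dump: str, ignore_ips: List[str]) -> List[IPNet]:
    """Banned entries that fall inside any ignoreIP network (should be empty)."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignore_ips]
    elements = parse_nft_set(dump)["elements"]
    return [e for e in elements
            if any(e.subnet_of(n) for n in ignored if e.version == n.version)]


if __name__ == "__main__":
    info = parse_nft_set(SAMPLE_NFT_SET)
    print(f"set {info['name']} ({info['type']}): {len(info['elements'])} entries")
    for bad in banned_but_ignored(SAMPLE_NFT_SET, ["192.168.0.0/16"]):
        print("banned despite ignoreIP:", bad)
```

On a live host the dump would come from `subprocess.run(["nft", "list", "set", "inet", "filter", "f2b-sshd"], capture_output=True, text=True).stdout`; an empty result from `banned_but_ignored` is the expected state.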

@Mic92
Member

Mic92 commented Sep 5, 2019

This seems to be a development version of fail2ban. I am not quite sure we need this in nixpkgs given the stable version is actively maintained: https://github.com/fail2ban/fail2ban/releases

@Izorkin
Contributor Author

Izorkin commented Sep 5, 2019

@Mic92 fail2ban 0.11 is needed to use the new bantime-increment feature. Version 0.10 does not support this feature.
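To make concrete what bantime-increment changes, here is an added example (not code from the PR, nixpkgs or fail2ban) that models the schedule. fail2ban 0.11's jail.conf documents the default growth formula as `ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor`, where `ban.Count` is the number of previous bans of the same IP found in the database, so repeat offenders are banned for 1x, 2x, 4x, 8x ... of `bantime`, optionally capped by `bantime.maxtime`. The function names below are this example's own.

```python
"""Model of the bantime.increment schedule that fail2ban 0.11 adds (added
example, not code from the PR, nixpkgs or fail2ban).

Default formula from fail2ban 0.11's jail.conf:
    bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
The function names below are this example's own, not fail2ban's API.
"""
from typing import List, Optional

MAX_SHIFT = 20  # the default formula stops doubling at 2**20


def next_bantime(bantime: int, previous_bans: int, factor: float = 1.0,
                 maxtime: Optional[int] = None) -> int:
    """Seconds the next ban of an IP lasts, given how often it was banned before.

    bantime       -> the jail's `bantime` (ban.Time)
    previous_bans -> ban.Count (0 for a first offender)
    factor        -> bantime.factor (banFactor), default 1
    maxtime       -> bantime.maxtime cap in seconds, or None for no cap
    """
    if previous_bans < 0:
        raise ValueError("previous_bans cannot be negative")
    shift = previous_bans if previous_bans < MAX_SHIFT else MAX_SHIFT
    duration = int(bantime * (1 << shift) * factor)
    if maxtime is not None:
        duration = min(duration, maxtime)
    return duration


def schedule(bantime: int, repeats: int, factor: float = 1.0,
             maxtime: Optional[int] = None) -> List[int]:
    """Durations of the first `repeats` bans of one persistent offender."""
    return [next_bantime(bantime, n, factor, maxtime) for n in range(repeats)]


def bans_until_cap(bantime: int, maxtime: int, factor: float = 1.0) -> Optional[int]:
    """1-based ordinal of the first ban that reaches bantime.maxtime.

    Returns None when the formula's own 2**20 ceiling stays below maxtime,
    i.e. the cap is never reached.
    """
    for n in range(MAX_SHIFT + 1):
        if next_bantime(bantime, n, factor, None) >= maxtime:
            return n + 1
    return None


if __name__ == "__main__":
    # 10-minute bantime, capped at one week: shows how quickly a persistent
    # brute-forcer ends up with week-long bans instead of repeated 10-minute ones.
    print(schedule(600, 12, maxtime=604800))
    print("cap reached on ban number", bans_until_cap(600, 604800))
```

The model is useful when choosing `bantime`, `bantime.factor` and `bantime.maxtime` for a jail: with the defaults, an IP that keeps coming back is blocked for 2**n times the base duration, so a modest base value is enough once increment is enabled.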

Contributor

@yorickvP yorickvP left a comment


Thank you, these fixes will be useful. Please convince upstream to release 0.11 so we can proceed with merging this :). In the meantime I have provided some comments and nitpicks.

@Izorkin
Contributor Author

Izorkin commented Dec 2, 2019

@yorickvP thanks, updated PR.

@Izorkin
Contributor Author

Izorkin commented Jan 2, 2020

Updated and rebased.
Need this fix - #76814

@Izorkin Izorkin force-pushed the fail2ban branch 3 times, most recently from 9bb40a9 to 6e37e32 Compare January 2, 2020 18:12
@Izorkin Izorkin changed the title fail2ban: init at 0.11.dev3-2019-12-12 fail2ban: init at 0.11.dev3-2019-11-25 Jan 2, 2020
@Izorkin Izorkin changed the title fail2ban: init at 0.11.dev3-2019-11-25 fail2ban: init at 0.11.1 Jan 12, 2020
@Izorkin
Contributor Author

Izorkin commented Jan 12, 2020

Updated and rebased

@yorickvP
Contributor

You bumped it to 0.10, not 0.11?

@yorickvP
Contributor

I see. I don't think we require 0.10 now?

@Izorkin
Contributor Author

Izorkin commented Jan 12, 2020

Need to keep only one version - 0.11.1? Drop 0.10?

@Izorkin
Contributor Author

Izorkin commented Jan 15, 2020

cc @Mic92 @edolstra @lovek323 @fpletz

@yorickvP
Contributor

Yeah, no need to keep 0.10.

@Izorkin Izorkin changed the title fail2ban: init at 0.11.1 fail2ban: 0.10.5 -> 0.11.1 Jan 29, 2020
@Izorkin
Contributor Author

Izorkin commented Jan 29, 2020

Updated

@Mic92 Mic92 merged commit c23f10d into NixOS:master Jan 31, 2020
@Izorkin Izorkin deleted the fail2ban branch January 31, 2020 13:33
anna328p pushed a commit to anna328p/nixpkgs that referenced this pull request Feb 2, 2020
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Feb 2, 2020
fail2ban: 0.10.5 -> 0.11.1
(cherry picked from commit c23f10d)