Github messages for voidlinux
* [PR PATCH] fail2ban: add filter for sshd with socklog
@ 2023-07-11  0:54 dexgs
  2023-07-11 17:16 ` MeganerdNL
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: dexgs @ 2023-07-11  0:54 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1826 bytes --]

There is a new pull request by dexgs against master on the void-packages repository

https://github.com/dexgs/void-packages fail2ban
https://github.com/void-linux/void-packages/pull/44977

fail2ban: add filter for sshd with socklog
The sshd filter distributed with fail2ban does not work properly with socklog out of the box.

Ideally, socklog would have comprehensive support upstream, but the configuration to make it work with *just* sshd is very straightforward and the fail2ban package should be able to protect sshd out of the box with void's preferred syslog implementation.

This change doesn't override any of fail2ban's default configuration. It adds a new filter defined in `sshd-socklock.conf` which inherits from the default `sshd.conf` and overrides only what is needed to make it work.

#### Testing the changes
- I tested the changes in this PR: **YES**


A patch file from https://github.com/void-linux/void-packages/pull/44977.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-fail2ban-44977.patch --]
[-- Type: text/x-diff, Size: 2185 bytes --]

From fb077616b6dd62e8c617574897da88143c73d0a2 Mon Sep 17 00:00:00 2001
From: Dexter Gaon-Shatford <dexter.gaonshatford@gmail.com>
Date: Mon, 10 Jul 2023 20:48:08 -0400
Subject: [PATCH] fail2ban: add filter for sshd with socklog

The sshd filter distributed with fail2ban does not work properly with
socklog out of the box.

Ideally, socklog would have comprehensive support upstream, but the
configuration to make it work with *just* sshd is very straightforward and
the fail2ban package should be able to protect sshd out of the box with
void's preferred syslog implementation.

This change doesn't override any of fail2ban's default configuration. It
adds a new filter defined in `sshd-socklock.conf` which inherits from
the default `sshd.conf` and overrides only what is needed to make it work.
---
 srcpkgs/fail2ban/files/filter.d/sshd-socklog.conf | 12 ++++++++++++
 srcpkgs/fail2ban/template                         |  3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/fail2ban/files/filter.d/sshd-socklog.conf

diff --git a/srcpkgs/fail2ban/files/filter.d/sshd-socklog.conf b/srcpkgs/fail2ban/files/filter.d/sshd-socklog.conf
new file mode 100644
index 000000000000..dc6cc6e05444
--- /dev/null
+++ b/srcpkgs/fail2ban/files/filter.d/sshd-socklog.conf
@@ -0,0 +1,12 @@
+# Fail2Ban filter for openssh, modified to work with socklog on Void Linux.
+#
+# The default logpath for sshd's output under socklog is
+# /var/log/socklog/secure/current
+
+[INCLUDES]
+before = sshd.conf
+
+[Definition]
+prefregex = ^ auth[a-z]*\.[a-z]+: \w{3} \d{2} \d{2}:\d{2}:\d{2} <F-MLFID><_daemon><__pid_re></F-MLFID>: <F-CONTENT>.+</F-CONTENT>$
+
+# Author: Dexter Gaon-Shatford
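
Review bot: in `prefregex`, the `\w{3} \d{2}` part requires exactly one space and a two-digit day, so if the timestamp embedded in the socklog line pads single-digit days with a space, as the traditional syslog format does, sshd lines from the 1st to the 9th of each month will not match and the filter produces no bans on those days. Consider `\w{3} +\d{1,2}` for that part and test against a line with a single-digit day. The header comment gives the log path but not how to use it; a line saying the jail needs `filter = sshd-socklog` and `logpath = /var/log/socklog/secure/current` would help. The commit message also names the file `sshd-socklock.conf`, while the file added here is `sshd-socklog.conf`.
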
diff --git a/srcpkgs/fail2ban/template b/srcpkgs/fail2ban/template
index 6538155a42a4..1b9b021cfe57 100644
--- a/srcpkgs/fail2ban/template
+++ b/srcpkgs/fail2ban/template
@@ -1,7 +1,7 @@
 # Template file for 'fail2ban'
 pkgname=fail2ban
 version=1.0.2
-revision=1
+revision=2
 build_style=python3-module
 hostmakedepends="pkg-config python3"
 depends="python3"
@@ -25,4 +25,5 @@ pre_build() {
 
 post_install() {
 	vsv fail2ban
+	vcopy ${FILESDIR}/filter.d/*.conf etc/fail2ban/filter.d
 }
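
Review bot: in `post_install()`, the `vcopy` of `${FILESDIR}/filter.d/*.conf` installs whatever matches the glob with the permissions the files happen to have in the checkout, so the installed mode is not pinned and any stray `.conf` left in that directory ships too. Installing the one file explicitly, for example `vinstall ${FILESDIR}/filter.d/sshd-socklog.conf 644 etc/fail2ban/filter.d`, makes both deterministic. The file lands under `etc/`, and `conf_files` is not visible in this diff, so confirm it covers `etc/fail2ban/filter.d/*.conf`; otherwise local edits to the filter are overwritten on upgrade.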


* Re: fail2ban: add filter for sshd with socklog
  2023-07-11  0:54 [PR PATCH] fail2ban: add filter for sshd with socklog dexgs
@ 2023-07-11 17:16 ` MeganerdNL
  2023-07-11 17:16 ` MeganerdNL
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: MeganerdNL @ 2023-07-11 17:16 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 468 bytes --]

New comment by MeganerdNL on void-packages repository

https://github.com/void-linux/void-packages/pull/44977#issuecomment-1631196982

Comment:
I am unable to test this, as I'm not currently using socklog.
I switched to rsyslog because there seems to be no working filters for socklog for the things I used with socklog (postfix/sasl, dovecot and sshd) because of the different logging style. This only solves sshd, so it's a beginning, but there might be many more.


* Re: fail2ban: add filter for sshd with socklog
  2023-07-11  0:54 [PR PATCH] fail2ban: add filter for sshd with socklog dexgs
  2023-07-11 17:16 ` MeganerdNL
@ 2023-07-11 17:16 ` MeganerdNL
  2023-07-11 17:25 ` MeganerdNL
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: MeganerdNL @ 2023-07-11 17:16 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 468 bytes --]

New comment by MeganerdNL on void-packages repository

https://github.com/void-linux/void-packages/pull/44977#issuecomment-1631196982

Comment:
I am unable to test this, as I'm not currently using socklog.
I switched to rsyslog because there seems to be no working filters for socklog for the things I used with socklog (postfix/sasl, dovecot and sshd) because of the different logging style. This only solves sshd, so it's a beginning, but there might be many more.


* Re: fail2ban: add filter for sshd with socklog
  2023-07-11  0:54 [PR PATCH] fail2ban: add filter for sshd with socklog dexgs
  2023-07-11 17:16 ` MeganerdNL
  2023-07-11 17:16 ` MeganerdNL
@ 2023-07-11 17:25 ` MeganerdNL
  2023-10-10  1:45 ` github-actions
  2023-10-25  1:45 ` [PR PATCH] [Closed]: " github-actions
  4 siblings, 0 replies; 6+ messages in thread
From: MeganerdNL @ 2023-07-11 17:25 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 468 bytes --]

New comment by MeganerdNL on void-packages repository

https://github.com/void-linux/void-packages/pull/44977#issuecomment-1631196982

Comment:
I am unable to test this, as I'm not currently using socklog.
I switched to rsyslog because there seems to be no working filters for socklog for the things I used with socklog (postfix/sasl, dovecot and sshd) because of the different logging style. This only solves sshd, so it's a beginning, but there might be many more.


* Re: fail2ban: add filter for sshd with socklog
  2023-07-11  0:54 [PR PATCH] fail2ban: add filter for sshd with socklog dexgs
                   ` (2 preceding siblings ...)
  2023-07-11 17:25 ` MeganerdNL
@ 2023-10-10  1:45 ` github-actions
  2023-10-25  1:45 ` [PR PATCH] [Closed]: " github-actions
  4 siblings, 0 replies; 6+ messages in thread
From: github-actions @ 2023-10-10  1:45 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 305 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/pull/44977#issuecomment-1754179828

Comment:
Pull Requests become stale 90 days after last activity and are closed 14 days after that.  If this pull request is still relevant bump it or assign it.


* Re: [PR PATCH] [Closed]: fail2ban: add filter for sshd with socklog
  2023-07-11  0:54 [PR PATCH] fail2ban: add filter for sshd with socklog dexgs
                   ` (3 preceding siblings ...)
  2023-10-10  1:45 ` github-actions
@ 2023-10-25  1:45 ` github-actions
  4 siblings, 0 replies; 6+ messages in thread
From: github-actions @ 2023-10-25  1:45 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1678 bytes --]

There's a closed pull request on the void-packages repository

fail2ban: add filter for sshd with socklog
https://github.com/void-linux/void-packages/pull/44977

Description:
The sshd filter distributed with fail2ban does not work properly with socklog out of the box.

Ideally, socklog would have comprehensive support upstream, but the configuration to make it work with *just* sshd is very straightforward and the fail2ban package should be able to protect sshd out of the box with void's preferred syslog implementation.

This change doesn't override any of fail2ban's default configuration. It adds a new filter defined in `sshd-socklock.conf` which inherits from the default `sshd.conf` and overrides only what is needed to make it work.

#### Testing the changes
- I tested the changes in this PR: **YES**
