Hi, upstream released version 1.0.1 a few days ago, fixing bugs and improving overall stability.
https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog
ADVISORY NOTICE PROPOSAL
========================

New major version of fail2ban with increased performance, stability, filter and action updates.

Description
Fail2ban 1.0.1 increases performance, stability, filter and action updates. See the long ChangeLog for more information.

References
https://bugs.mageia.org/show_bug.cgi?id=30922
https://github.com/fail2ban/fail2ban/releases/tag/1.0.1
https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog

SRPMS
8/core
fail2ban-1.0.1-1.mga8.src.rpm

PROVIDED PACKAGES:
=================
NOARCH
fail2ban-1.0.1-1.mga8.noarch.rpm

CC: (none) => sysadmin-bugs
Assignee: chb0 => qa-bugs
Ready for QA.

A PROPOSAL FOR TESTING
======================

You need 2 machines. One playing the server role and one playing the client role. Fail2ban is to be installed on the server.

1/ Open a console on the machine playing the server role

su -p
urpmi openssh-server
urpmi fail2ban
touch /var/log/messages
edit /etc/fail2ban/jail.d/01-ssh.local and uncomment all the lines from [sshd] included until the end
systemctl start sshd
systemctl start fail2ban
systemctl status sshd # check service is active
systemctl status fail2ban # check service is active
fail2ban-client status

should return:

Status
|- Number of jail: 1
`- Jail list: sshd

2/ Find the server local IP via the network applet or ifconfig or whatever

3/ Move to the machine playing the client role. Open a console.

ssh dummy@server_local_ip

Strike Enter until you are disconnected because of "Too many authentication failures".
If you try again ssh dummy@server_local_ip, you should not even get the prompt to enter the password. It will just wait for connection timed out.

4/ Come back to the server console, where you should still be connected as root

Run still as root:
fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 11
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: server_local_ip

Run still as root:
shorewall show bl

It will confirm the Firewall is blocking the banned IP

Shorewall 5.2.8 blacklist chains at cbct-desk - dim. 02 oct. 2022 16:20:59 CEST

Chain dynamic (1 references)
 pkts bytes target prot opt in out source destination
 0 0 DROP all -- * * server_local_ip 0.0.0.0/0

To unban:
fail2ban-client set sshd unbanip server_local_ip

5/ Note: if you have a Mail Transport Agent like postfix installed on the server, you will also receive an email from Fail2ban informing about the banned IP.
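The check in step 4 above can be scripted so that a QA run does not depend on reading the status tree by eye. This is an added example, not part of the original comment or of fail2ban itself; the function names and the embedded status text are constructed for illustration, and the parsing assumes the "Currently banned" / "Banned IP list" layout shown in the comment.

```shell
#!/bin/sh
# Constructed sample of `fail2ban-client status sshd` output (not from a real host).
sample_status() {
cat <<'EOF'
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     11
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.1.5
EOF
}

# Print the banned addresses, one per line, from status text on stdin.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print the "Currently banned" counter from status text on stdin.
banned_count() {
    sed -n 's/.*Currently banned:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Exit 0 only if address $1 is listed; exit 2 if the counter and the list disagree.
is_banned() {
    ip=$1
    status=$(cat)
    count=$(printf '%s\n' "$status" | banned_count)
    list=$(printf '%s\n' "$status" | banned_ips)
    n=$(printf '%s\n' "$list" | grep -c . || true)
    [ "$count" = "$n" ] || return 2
    # -F -x: literal whole-line match, so 192.168.1.5 does not match 192.168.1.50
    printf '%s\n' "$list" | grep -Fxq -- "$ip"
}

# On the server, replace sample_status with: fail2ban-client status sshd
sample_status | is_banned 192.168.1.5 && echo "192.168.1.5 is banned in jail sshd"
```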
Installed and tested without issues.

System: Mageia 8, x86_64, AMD CPU.

Tested on a workstation (and also a server) with Apache and sshd running with internet access. Other IP traffic is on a wireguard VPN.
Have fail2ban configured with "action = iptables-ipset-proto6-allports" which is different from the default.

# uname -a
Linux jupiter 5.19.7-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Mon Sep 5 18:45:50 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
#
#
# rpm -q fail2ban
fail2ban-1.0.1-1.mga8
#
#
# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: apache-auth, sshd
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 28
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1240
   |- Total banned: 1523
   `- Banned IP list: <SNIP long list of IPv4>
#
#
# iptables --numeric --list
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd src reject-with icmp-port-unreachable
<SNIP unrelated rules>
#
#
# systemctl status fail2ban.service
● fail2ban.service - fail2ban attack scanner
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-10-03 12:00:47 WEST; 3h 26min ago
TriggeredBy: ● fail2ban.timer
    Process: 19522 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
   Main PID: 19526 (fail2ban-server)
      Tasks: 7 (limit: 37626)
     Memory: 12.8M
        CPU: 15.266s
     CGroup: /system.slice/fail2ban.service
             └─19526 /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /run/fail2ban/fail2ban.pid -x --loglevel INFO --logtarget SYSLOG --syslogsocket auto
<SNIP log messages>
CC: (none) => mageia
MGA8 64 VM LXQt

Installed and tested without issues.

Tested with squid-f's procedure:

# systemctl status fail2ban
● fail2ban.service - fail2ban attack scanner
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-10-04 20:42:13 CEST; 11min ago
    Process: 1997 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
   Main PID: 2000 (fail2ban-server)
      Tasks: 5 (limit: 3477)
     Memory: 15.5M
        CPU: 2.019s
     CGroup: /system.slice/fail2ban.service
             └─2000 /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x --loglevel INFO --logtarget /var/log/fail2ba>

oct. 04 20:42:12 localhost systemd[1]: Starting fail2ban attack scanner...
oct. 04 20:42:12 localhost fail2ban-client[1997]: 2022-10-04 20:42:12,936 fail2ban.configreader [1997]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
oct. 04 20:42:13 localhost fail2ban-client[1997]: Server ready
oct. 04 20:42:13 localhost systemd[1]: Started fail2ban attack scanner.

# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 11
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 192.168.1.5

# shorewall show bl
Shorewall 5.2.8 blacklist chains at localhost - mar. 04 oct. 2022 20:56:15 CEST

Chain dynamic (1 references)
 pkts bytes target prot opt in out source destination
 0 0 DROP all -- * * 192.168.1.5 0.0.0.0/0

# fail2ban-client set sshd unbanip server my_IP
1
[root@localhost ~]# shorewall show bl
Shorewall 5.2.8 blacklist chains at localhost - mar. 04 oct. 2022 20:57:20 CEST

Chain dynamic (1 references)
 pkts bytes target prot opt in out source destination
CC: (none) => guillaume.royer
Hi, I think it is enough for the x86 test. I don't think i586 would add a lot more. What else is required to push the update?
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2022-0135.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Blocks: (none) => 30952
Why did this update get validated? This package has breaking changes, was bleeding edge and did not fix any severe bugs! Why is this an update and not pushed via backports?
It was a mistake. This should have been a backport, not an update. Now that it's done though, I don't see rolling back as an option, as, if I'm reading the changelog correctly, that would require users to delete/recreate the database.