Bug 227577

Summary: security/py-fail2ban: writes '_ip_value' to /etc/hosts.deny instead of the banned IP address
Product: Ports & Packages
Reporter: Niels Bakker <niels=freebsd>
Component: Individual Port(s)
Assignee: Steve Wills <swills>
Status: Closed FIXED
Severity: Affects Only Me
CC: python, swills, theis
Priority: ---
Keywords: easy, needs-qa
Version: Latest
Flags: theis: maintainer-feedback+, koobs: merge-quarterly?
Hardware: Any
OS: Any
Attachments: patch (Flags: theis: maintainer-approval+)

Description Niels Bakker 2018-04-17 09:45:31 UTC
FreeBSD 10.3, amd64 and i386. Package versions installed:

py27-fail2ban-0.10.3.1         Scans log files and bans IP that makes too many password failures
python27-2.7.14_1              Interpreted object-oriented programming language

# tail -1 /etc/hosts.deny
ALL: <_ip_value>

Reverting this commit fixes the problem and will have IP addresses appended to /etc/hosts.deny again, though it may re-break syntax for IPv6:

https://github.com/fail2ban/fail2ban/commit/92f19d06048282d7c95c9a003cd843989d22e8f6
Comment 1 theis 2018-04-17 10:40:36 UTC
I will have a look into it.
I don't like to rush out a change which will break IPv6 if the error may be upstream. In the meantime affected people could create an action.d/hostsdeny.local file with the reverted actionban and actionunban lines in.
Comment 2 theis 2018-04-17 17:17:10 UTC
I got a fix from upstream and will submit a patch later.
Comment 3 Niels Bakker 2018-04-17 18:01:38 UTC
Hi,

Thanks! I can confirm that upstream commit bba7a6c fixes the problem.

I indeed had to replace 'sed' with '/usr/local/bin/gsed' in hostsdeny.conf (and install textproc/gsed) before entries would get deleted upon shutdown or timeout.
Comment 4 theis 2018-04-18 14:11:56 UTC
Created attachment 192619: patch
Comment 5 theis 2018-04-18 14:21:07 UTC
Attached is a patch.
Problem was that variables used in the fail2ban actions may not start with an "_". This was fixed upstream.

Other problems are differences between stock FreeBSD "sed" and Linux GNU "sed": they differ in the way arguments are applied and in regular expressions. Some of them could be solved upstream, some of them cannot. To make things more complicated FreeBSD ports have a GNU sed people may have installed. In order to avoid a dependency on ports gsed and avoid conflicts between stock and ports versions I changed "sed" to "/usr/bin/sed". If that is not the proper way to enforce using stock sed please tell me.
Comment 6 Niels Bakker 2018-04-22 23:09:37 UTC
Since the GNU sed port installs /usr/local/bin/gsed, there's no strict need for putting the full /usr/bin path in. Also, /usr/local/bin is probably not in $PATH when the daemon is started. So it's probably not necessary.
Comment 7 theis 2018-04-23 07:15:44 UTC
Maybe I was too cautious to pick the correct sed:
/usr/local/bin is in the PATH, but it comes after /usr/bin so stock sed would be picked before ports sed.
Comment 8 Niels Bakker 2018-04-28 18:45:58 UTC
Just wanted to report back that the latest version of the patch also works for me. Thanks again for your support!
Comment 9 theis 2018-05-16 12:51:58 UTC
Just a ping :)
If someone from FreeBSD could pick the patch for checkin. Or am I still missing something?
Comment 10 commit-hook freebsd_committer freebsd_triage 2018-07-25 19:10:14 UTC
A commit references this bug:

Author: swills
Date: Wed Jul 25 19:09:50 UTC 2018
New revision: 475327
URL: https://svnweb.freebsd.org/changeset/ports/475327

Log:
  security/py-fail2ban: Fix writing /etc/hosts.deny entries

  PR:		227577
  Submitted by:	theis@gmx.at (maintainer)
  Reported by:	Niels Bakker <niels=freebsd@bakker.net>

Changes:
  head/security/py-fail2ban/Makefile
  head/security/py-fail2ban/files/patch-config_action.d_hostsdeny.conf
Comment 11 Steve Wills freebsd_committer freebsd_triage 2018-07-25 19:11:02 UTC
Committed, thanks!
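
Added example, not part of the bug report or the port: a check for hosts.deny entries like the `ALL: <_ip_value>` line in the description, where a tag was written literally instead of an address. It generalizes from `<_ip_value>` to any `<name>` placeholder and uses only POSIX awk, so it does not depend on GNU tools; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Flag hosts.deny entries whose client list still contains an unexpanded
# <tag> instead of a banned address. Names and sample data are constructed.

# Print "lineno:line" for each non-comment entry with a literal <tag>.
find_unsubstituted_tags() {
    awk '
        /^[[:space:]]*#/ { next }    # skip comments
        /^[[:space:]]*$/ { next }    # skip blank lines
        {
            # Entry format: daemon_list : client_list [: options]
            i = index($0, ":")
            if (i == 0) next
            clients = substr($0, i + 1)
            # IPv6 clients use [..] brackets, so <..> only matches a placeholder
            if (clients ~ /<[A-Za-z_][A-Za-z0-9_]*>/) print NR ":" $0
        }
    ' "$1"
}

# Number of affected entries in the file.
count_unsubstituted_tags() {
    find_unsubstituted_tags "$1" | wc -l | tr -d '[:space:]'
}

# Write a constructed sample hosts.deny (documentation addresses only).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real system
sshd: 192.0.2.10
ALL: <_ip_value>
ALL: [2001:db8::1]
ALL: 198.51.100.7
ALL: <_ip_value>
EOF
}

sample=$(mktemp /tmp/hostsdeny.XXXXXX)
write_sample "$sample"
echo "entries with unexpanded tags: $(count_unsubstituted_tags "$sample")"
find_unsubstituted_tags "$sample"
rm -f "$sample"
```

Calling `find_unsubstituted_tags /etc/hosts.deny` after updating the port shows lines left over from the broken version; each such line is a ban that never matched a client address.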