Bug 227577 - security/py-fail2ban: writes '_ip_value' to /etc/hosts.deny instead of the banned IP address
Summary: security/py-fail2ban: writes '_ip_value' to /etc/hosts.deny instead of the ba...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Steve Wills
Keywords: easy, needs-qa
Depends on:
Reported: 2018-04-17 09:45 UTC by Niels Bakker
Modified: 2018-07-25 19:11 UTC (History)
3 users (show)

See Also:
theis: maintainer-feedback+
koobs: merge-quarterly?

patch (1.91 KB, patch)
2018-04-18 14:11 UTC, theis
theis: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Niels Bakker 2018-04-17 09:45:31 UTC
FreeBSD 10.3, amd64 and i386. Package versions installed:

py27-fail2ban-         Scans log files and bans IP that makes too many password failures
python27-2.7.14_1              Interpreted object-oriented programming language

# tail -1 /etc/hosts.deny
ALL: <_ip_value>

Reverting this commit fixes the problem and will have IP addresses appended to /etc/hosts.deny agan, though it may re-break syntax for IPv6:

Comment 1 theis 2018-04-17 10:40:36 UTC
I will have a look into it.
I don't like to rush out a change which will break IPv6 if the error may be upstream. In the meantime affected people could create an action.d/hostsdeny.local file with the reverted actionban and actionunban lines in.
Comment 2 theis 2018-04-17 17:17:10 UTC
I got a fix from upstream and will submit a patch later.
Comment 3 Niels Bakker 2018-04-17 18:01:38 UTC

Thanks! I can confirm that upstream commit bba7a6c fixes the problem.

I indeed had to replace 'sed' with '/usr/local/bin/gsed' in hostsdeny.conf (and install textproc/gsed) before entries would get deleted upon shutdown or timeout.
Comment 4 theis 2018-04-18 14:11:56 UTC
Created attachment 192619 [details]
Comment 5 theis 2018-04-18 14:21:07 UTC
Attached is a patch. 
Problem was that variables used in the fail2ban actions my not start with an "_". This was fixed upstream.

Other problems are differences between stock FreeBSD "sed" and Linux GNU "sed": they differ in the way arguments are applied and in regular expressions. Some of them could be solved upstream, some of them cannot. To make things more complicated FreeBSD ports have a GNU sed people may have installed. In order to avoid a dependency on ports gsed and avoid conflicts between stock and ports versions I changed "sed" to "/usr/bin/sed". If that is not the proper way to enforce using stock sed please tell me.
Comment 6 Niels Bakker 2018-04-22 23:09:37 UTC
Since the GNU sed port installs /usr/local/bin/gsed, there's no strict need for putting the full /usr/bin path in. Also, /usr/local/bin is probably not in $PATH when the daemon is started. So it's probably not necessary.
Comment 7 theis 2018-04-23 07:15:44 UTC
Maybe I was too cautious to pick the correct sed:
/usr/local/bin is in the PATH, but it comes after /usr/bin so stock sed would be picked before ports sed.
Comment 8 Niels Bakker 2018-04-28 18:45:58 UTC
Just wanted to report back that the latest version of the patch also works for me. Thanks again for your support!
Comment 9 theis 2018-05-16 12:51:58 UTC
Just a ping :)
If someone from FreeBSD could pick the patch for checkin. Or am I still missing something?
Comment 10 commit-hook freebsd_committer 2018-07-25 19:10:14 UTC
A commit references this bug:

Author: swills
Date: Wed Jul 25 19:09:50 UTC 2018
New revision: 475327
URL: https://svnweb.freebsd.org/changeset/ports/475327

  security/py-fail2ban: Fix writing /etc/hosts.deny entries

  PR:		227577
  Submitted by:	theis@gmx.at (maintainer)
  Reported by:	Niels Bakker <niels=freebsd@bakker.net>

Comment 11 Steve Wills freebsd_committer 2018-07-25 19:11:02 UTC
Committed, thanks!