From patchwork Wed Aug 22 13:41:52 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Angelo Compagnucci <angelo@amarulasolutions.com>
X-Patchwork-Id: 960979
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming-buildroot@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=busybox.net
	(client-ip=140.211.166.136; helo=silver.osuosl.org;
	envelope-from=buildroot-bounces@busybox.net;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=amarulasolutions.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=amarulasolutions.com
	header.i=@amarulasolutions.com header.b="WytGoFhl";
	dkim-atps=neutral
Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 41wTHM1rnhz9s5c
	for <incoming-buildroot@patchwork.ozlabs.org>;
	Wed, 22 Aug 2018 23:42:06 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by silver.osuosl.org (Postfix) with ESMTP id 5BC3024C64;
	Wed, 22 Aug 2018 13:42:03 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from silver.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id SOQmntTPpo41; Wed, 22 Aug 2018 13:42:01 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by silver.osuosl.org (Postfix) with ESMTP id EE18E24AF4;
	Wed, 22 Aug 2018 13:42:00 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136])
	by ash.osuosl.org (Postfix) with ESMTP id EC3B61C0E17
	for <buildroot@lists.busybox.net>;
	Wed, 22 Aug 2018 13:41:59 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by silver.osuosl.org (Postfix) with ESMTP id EA2C724AF6
	for <buildroot@lists.busybox.net>;
	Wed, 22 Aug 2018 13:41:59 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from silver.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id YKZRxG6aCM5e for <buildroot@lists.busybox.net>;
	Wed, 22 Aug 2018 13:41:58 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from mail-wm0-f44.google.com (mail-wm0-f44.google.com
	[74.125.82.44])
	by silver.osuosl.org (Postfix) with ESMTPS id 9A303215E5
	for <buildroot@buildroot.org>; Wed, 22 Aug 2018 13:41:58 +0000 (UTC)
Received: by mail-wm0-f44.google.com with SMTP id y139-v6so2066330wmc.2
	for <buildroot@buildroot.org>; Wed, 22 Aug 2018 06:41:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=amarulasolutions.com; s=google;
	h=from:to:cc:subject:date:message-id;
	bh=qw2fJhrGBttUcdzpVU2keIPzOfs1oZRT3oFyKzM4CNU=;
	b=WytGoFhlbop3KwC370VKqKM8BwIb6QtioDaDNXRtCbUZZpWUeTPEAykrD5EBd6XGGg
	D7zHNsHGO+801ucqtTEoUjseRHit2gETweB5Zl3MgDUGRwvOMt8RCofkD1kVR3vJFxLi
	lVoJ2uB6g4g+jRImmGCJm3wmtSG2KNjecjXP0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=qw2fJhrGBttUcdzpVU2keIPzOfs1oZRT3oFyKzM4CNU=;
	b=eWYUeJt6CfBp5ouHxmSXcn8UABBnSLQv5UxikCx8Iyjf7rQ8nBUuK2VJKUkVGJEqyI
	ZUp1CHOKWL9SVrtOBR1IF8ZD4V8QovrCSeqaEIxn7/jkXBQDju5L5n1i6/LuWDCoxXrD
	uEocObZ3TJsU8LPRtOGFsn/M17p9Ptj9GvurlMxi2zrxCqAkklFNEi37unnbL26V7xNQ
	cfO5FS6o12uws0su2Q0C2zeUnGig2TdPrFI2sDR10JB+V+V7WZmqxDAL3EXwW3WXrcFS
	vVz2ak72HEY0W3xhWFVJQ//NVrN1mj0rFBOK2gAfgXx1ANZ/RK3lToD/jpFOTqQylN/A
	2wkQ==
X-Gm-Message-State: APzg51BdECpFQ/Zuloot0InPNoF45wcDpVX+AGZh8gcYky8N0vVO/doq
	w9LeBPAFidGPrDnTggEkl86ObwwPFgM=
X-Google-Smtp-Source: 
 ANB0VdZ7DopJE/5QwSiIVnX3w2srl0Dpvimlwd2sBThwPfQoBC0Tk+6fHW9wTqlTxyZs8y+dfvOg8A==
X-Received: by 2002:a1c:99c2:: with SMTP id
	b185-v6mr2264695wme.15.1534945316630;
	Wed, 22 Aug 2018 06:41:56 -0700 (PDT)
Received: from localhost.localdomain ([89.202.204.147])
	by smtp.gmail.com with ESMTPSA id
	m200-v6sm2249842wma.32.2018.08.22.06.41.55
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 22 Aug 2018 06:41:55 -0700 (PDT)
From: Angelo Compagnucci <angelo@amarulasolutions.com>
To: buildroot@buildroot.org
Date: Wed, 22 Aug 2018 15:41:52 +0200
Message-Id: <1534945312-25275-1-git-send-email-angelo@amarulasolutions.com>
X-Mailer: git-send-email 2.7.4
Subject: [Buildroot] [PATCH v2] package/fail2ban: new package
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.24
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
Cc: Angelo Compagnucci <angelo@amarulasolutions.com>
MIME-Version: 1.0
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

Fail2ban scans log files (e.g. /var/log/apache/error_log)
and bans IPs that show malicious behaviours.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
---
Changes:
v1->v2: 
* Adding sha256 for license file
* getting service file for systemd from source directory

 package/Config.in              |  1 +
 package/fail2ban/Config.in     | 14 ++++++++++++++
 package/fail2ban/S60fail2ban   | 23 +++++++++++++++++++++++
 package/fail2ban/fail2ban.hash |  3 +++
 package/fail2ban/fail2ban.mk   | 28 ++++++++++++++++++++++++++++
 5 files changed, 69 insertions(+)
 create mode 100644 package/fail2ban/Config.in
 create mode 100644 package/fail2ban/S60fail2ban
 create mode 100644 package/fail2ban/fail2ban.hash
 create mode 100644 package/fail2ban/fail2ban.mk

diff --git a/package/Config.in b/package/Config.in
index f5a1749..1783ab9 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1740,6 +1740,7 @@ menu "Networking applications"
 	source "package/ejabberd/Config.in"
 	source "package/ethtool/Config.in"
 	source "package/faifa/Config.in"
+	source "package/fail2ban/Config.in"
 	source "package/fastd/Config.in"
 	source "package/fcgiwrap/Config.in"
 	source "package/flannel/Config.in"
diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in
new file mode 100644
index 0000000..cf82526
--- /dev/null
+++ b/package/fail2ban/Config.in
@@ -0,0 +1,14 @@
+config BR2_PACKAGE_FAIL2BAN
+	bool "fail2ban"
+	depends on BR2_PACKAGE_PYTHON
+	help
+	  Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
+	  that show the malicious signs -- too many password failures, seeking
+	  for exploits, etc. Out of the box Fail2Ban comes with filters for
+	  various services (apache, courier, ssh, etc).
+
+	  Fail2Ban is able to reduce the rate of incorrect authentications
+	  attempts however it cannot eliminate the risk that weak authentication
+	  presents.
+
+	  https://www.fail2ban.org
diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban
new file mode 100644
index 0000000..92559e9
--- /dev/null
+++ b/package/fail2ban/S60fail2ban
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+case "$1" in
+	start)
+		printf "Starting fail2ban: "
+		start-stop-daemon -S -q -m -p /run/fail2ban.pid \
+			-b -x fail2ban-server -- -xf start
+		[ $? = 0 ] && echo "OK" || echo "FAIL"
+		;;
+	stop)
+		printf "Stopping fail2ban: "
+		start-stop-daemon -K -q -p /run/fail2ban.pid
+		[ $? = 0 ] && echo "OK" || echo "FAIL"
+		;;
+	restart)
+		"$0" stop
+		sleep 1
+		"$0" start
+		;;
+	*)
+		echo "Usage: $0 {start|stop|restart}"
+		;;
+esac
diff --git a/package/fail2ban/fail2ban.hash b/package/fail2ban/fail2ban.hash
new file mode 100644
index 0000000..4b59091
--- /dev/null
+++ b/package/fail2ban/fail2ban.hash
@@ -0,0 +1,3 @@
+# sha256 locally computed
+sha256  7ee3fd0e94d58c94298718b25e6bcfa96932712b7aa683580e162403f68d40c8  fail2ban-0.10.3.1.tar.gz
+sha256  a75fec0260742fe6275d63ff6a5d97b924b28766558306b3fa4069763096929b  COPYING
diff --git a/package/fail2ban/fail2ban.mk b/package/fail2ban/fail2ban.mk
new file mode 100644
index 0000000..cc6961f
--- /dev/null
+++ b/package/fail2ban/fail2ban.mk
@@ -0,0 +1,28 @@
+################################################################################
+#
+# fail2ban
+#
+################################################################################
+
+FAIL2BAN_VERSION = 0.10.3.1
+FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION))
+FAIL2BAN_LICENSE = GPL-2.0+
+FAIL2BAN_LICENSE_FILES = COPYING
+FAIL2BAN_SETUP_TYPE = setuptools
+FAIL2BAN_INSTALL_TARGET_OPTS = --root=$(TARGET_DIR) --prefix=/usr
+
+define FAIL2BAN_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 755 package/fail2ban/S60fail2ban \
+		$(TARGET_DIR)/etc/init.d/S60fail2ban
+endef
+
+define FAIL2BAN_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 0644 $(@D)/files/fail2ban.service.in \
+		$(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service
+	mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
+	ln -fs ../../../../usr/lib//systemd/system/fail2ban.service \
+		$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/fail2ban.service
+	$(SED) 's/@BINDIR@/\/usr\/bin/g' $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service
+endef
+
+$(eval $(python-package))