git: d906503fb229 - main - security/py-fail2ban: Remove unneeded filter.d files

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Cy Schubert <cy_at_FreeBSD.org>
Date: Thu, 14 Aug 2025 00:58:32 UTC
The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d906503fb22992a7a92d46365b9f2af31454dee6

commit d906503fb22992a7a92d46365b9f2af31454dee6
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-08-13 19:16:28 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-08-14 00:58:04 +0000

    security/py-fail2ban: Remove unneeded filter.d files
    
    There is some confusion whether to use the sshd.conf, bsd-sshd.conf.
    or the bsd-sshd-session.conf filters. bsd-sshd-session.conf is the
    correct and only filter to use on FreeBSD systems. Using the others
    will result in incorrect operation on a FreeBSD system with a supported
    sshd installed.
    
    PR:             288849
---
 UPDATING                                           |  8 ++++
 security/py-fail2ban/Makefile                      |  4 +-
 .../files/patch-config_filter.d_bsd-sshd.conf      | 44 ----------------------
 3 files changed, 11 insertions(+), 45 deletions(-)

diff --git a/UPDATING b/UPDATING
index 349081b7137d..6820e6f14eb7 100644
--- a/UPDATING
+++ b/UPDATING
@@ -6,6 +6,14 @@ You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
 
+20250813:
+  AFFECTS: users of security/py-fail2ban
+  AUTHOR: cy@FreeBSD.org
+
+  There has been some confusion which sshd filter to use on a FreeBSD system.
+  Only the bsd-sshd-session.conf should be used. The other sshd filters have
+  been removed.
+
 20250804:
   AFFECTS: users of databases/adminer
   AUTHOR: pkaipila@gmail.com
diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile
index 9cbaf89b9b2f..c571d8418ec6 100644
--- a/security/py-fail2ban/Makefile
+++ b/security/py-fail2ban/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	fail2ban
 DISTVERSION=	1.1.0
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	security python
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
 
@@ -63,6 +63,7 @@ post-patch:
 		${MAN_FILES}
 	@${REINPLACE_CMD} -e 's, sed , ${SED} ,g' \
 		${WRKSRC}/config/action.d/hostsdeny.conf
+	@${RM} ${WRKSRC}/config/filter.d/sshd.conf
 
 	# XXX Ideally this should be in do-build but it only works in
 	# XXX post-patch
@@ -78,6 +79,7 @@ post-install:
 post-install-DOCS-on:
 	@${MKDIR} ${STAGEDIR}${DOCSDIR}
 	(cd ${WRKSRC}/ && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR})
+	@${RM} ${STAGEDIR}/${ETCDIR}/filter.d/selinux-sshd.conf
 
 do-test:
 	@cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test
diff --git a/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd.conf b/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd.conf
deleted file mode 100644
index 153cdfb3bb3c..000000000000
--- a/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd.conf
+++ /dev/null
@@ -1,44 +0,0 @@
---- config/filter.d/bsd-sshd.conf.orig	2020-03-27 11:15:56 UTC
-+++ config/filter.d/bsd-sshd.conf
-@@ -0,0 +1,41 @@
-+# Fail2Ban configuration file
-+#
-+# Author: Cyril Jaquier
-+#
-+# $Revision: 663 $
-+#
-+
-+[INCLUDES]
-+
-+# Read common prefixes. If any customizations available -- read them from
-+# common.local
-+before = common.conf
-+
-+
-+[Definition]
-+
-+_daemon = sshd
-+
-+# Option:  failregex
-+# Notes.:  regex to match the password failures messages in the logfile. The
-+#          host must be matched by a group named "host". The tag "<HOST>" can
-+#          be used for standard IP/hostname matching and is only an alias for
-+#          (?:::f{4,6}:)?(?P<host>\S+)
-+# Values:  TEXT
-+#
-+failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from <HOST>\s*$
-+            ^%(__prefix_line)sDid not receive identification string from <HOST>$
-+            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
-+            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
-+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
-+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST> port \d*$
-+            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
-+            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
-+            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
-+            ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] .* POSSIBLE BREAK-IN ATTEMPT!$
-+
-+# Option:  ignoreregex
-+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-+# Values:  TEXT
-+#
-+ignoreregex =