[Bug 220789] Review Request: fail2ban - Ban IPs that make too many password failures
bugzilla at redhat.com
Sat Dec 30 10:33:41 UTC 2006
Summary: Review Request: fail2ban - Ban IPs that make too many password failures
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220789
------- Additional Comments From Axel.Thimm at ATrpms.net 2006-12-30 05:33 EST -------
> * Would you explain why you think that condrestart treatment of the
> service on %postun stage is unneeded?
Yes, I consider fail2ban in this respect to be as fragile as for example the
iptables or httpd services: I don't want to automate the restart, the sysadmin
should do that manually and watch for side effects.
> [ "${NETWORKING}" = "no" ] && exit 0
This is the typical snippet used throughout all FC packages:
$ grep -l '\[ "${NETWORKING}" = "no" \] && exit 0' /etc/init.d/* | tr '\n' ' '
/etc/init.d/bgpd /etc/init.d/btseed /etc/init.d/bttrack /etc/init.d/dhcdbd
/etc/init.d/fail2ban /etc/init.d/gkrellmd /etc/init.d/innd /etc/init.d/netfs
/etc/init.d/network /etc/init.d/nfs /etc/init.d/nfslock /etc/init.d/ospfd
/etc/init.d/postgresql /etc/init.d/ripd /etc/init.d/rpcgssd
/etc/init.d/rpcidmapd /etc/init.d/rpcsvcgssd /etc/init.d/sendmail /etc/init.d/zebra
> [ -f /etc/fail2ban.conf ] || exit 0
Same here
$ grep -l '\[ -f .* \] || exit 0' /etc/init.d/* | tr '\n' ' '
/etc/init.d/acpid /etc/init.d/anacron /etc/init.d/bgpd /etc/init.d/bootparamd
/etc/init.d/capi /etc/init.d/clamav /etc/init.d/cpuspeed /etc/init.d/dhcp6r
/etc/init.d/dhcp6s /etc/init.d/dhcpd /etc/init.d/dhcrelay /etc/init.d/dund
/etc/init.d/exim /etc/init.d/fail2ban /etc/init.d/gkrellmd /etc/init.d/hidd
/etc/init.d/hsqldb /etc/init.d/innd /etc/init.d/irda /etc/init.d/irqbalance
/etc/init.d/mdmonitor /etc/init.d/mdmpd /etc/init.d/netdump /etc/init.d/netfs
/etc/init.d/nscd /etc/init.d/ospf6d /etc/init.d/ospfd /etc/init.d/pand
/etc/init.d/portmap /etc/init.d/radiusd /etc/init.d/radvd
/etc/init.d/restorecond /etc/init.d/rgmanager /etc/init.d/rhnsd /etc/init.d/ripd
/etc/init.d/ripngd /etc/init.d/sendmail /etc/init.d/spamassassin
/etc/init.d/squid /etc/init.d/syslog /etc/init.d/winbind /etc/init.d/yppasswdd
/etc/init.d/ypserv /etc/init.d/ypxfrd /etc/init.d/zaptel /etc/init.d/zebra
> ---------------------------------------------
> should be "exit 1" or something else: exit code 0 is
> wrong IMO. Also some messages which tells why starting
> fail2ban failed should be printed out.
Well, it is obviously a Fedora convention not to do so. Whether it is right or
wrong is a different thing, but fail2ban has to blend in properly so the above
are correct. Anything else would have to be discussed with the FPC.
> * Still I think (strongly) that /usr/bin/fail2ban should be moved under
> /usr/sbin because this is a sysadmin tool
You can use fail2ban as a user, too.
> ... and /etc/fail2ban.conf should be /etc/sysconfig/fail2ban .
No, that's wrong, /etc/sysconfig carries config files for the init files
themselves (e.g. what arguments to use for calling a daemon), everything else is
defined by the application, e.g. check httpd, ntpd and so on.
> * And I think this package should own /var/log/fail2ban
Again, no other package caters for its logfile ownership; having fail2ban behave
differently is wrong. But I am 100% with you on defining a general solution, just
not through a package submission. You're welcome to raise the issues at
fedora-packaging instead.