Summary: Review Request: fail2ban - Ban IPs that make too many password failures

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220789

------- Additional Comments From Axel.Thimm@xxxxxxxxxx 2006-12-30 05:33 EST -------

> * Would you explain why you think that condrestart treatment of the
> service on %postun stage is unneeded?

Yes, I consider fail2ban in this respect to be as fragile as for
example the iptables or httpd services: I don't want to automate the
restart, the sysadmin should do that manually and watch for side
effects.

> [ "${NETWORKING}" = "no" ] && exit 0

This is the typical snippet used throughout all FC packages:

$ grep -l '\[ "${NETWORKING}" = "no" \] && exit 0' /etc/init.d/* | tr '\n' ' '
/etc/init.d/bgpd /etc/init.d/btseed /etc/init.d/bttrack
/etc/init.d/dhcdbd /etc/init.d/fail2ban /etc/init.d/gkrellmd
/etc/init.d/innd /etc/init.d/netfs /etc/init.d/network /etc/init.d/nfs
/etc/init.d/nfslock /etc/init.d/ospfd /etc/init.d/postgresql
/etc/init.d/ripd /etc/init.d/rpcgssd /etc/init.d/rpcidmapd
/etc/init.d/rpcsvcgssd /etc/init.d/sendmail /etc/init.d/zebra

> [ -f /etc/fail2ban.conf ] || exit 0

Same here

$ grep -l '\[ -f .* \] || exit 0' /etc/init.d/* | tr '\n' ' '
/etc/init.d/acpid /etc/init.d/anacron /etc/init.d/bgpd
/etc/init.d/bootparamd /etc/init.d/capi /etc/init.d/clamav
/etc/init.d/cpuspeed /etc/init.d/dhcp6r /etc/init.d/dhcp6s
/etc/init.d/dhcpd /etc/init.d/dhcrelay /etc/init.d/dund
/etc/init.d/exim /etc/init.d/fail2ban /etc/init.d/gkrellmd
/etc/init.d/hidd /etc/init.d/hsqldb /etc/init.d/innd /etc/init.d/irda
/etc/init.d/irqbalance /etc/init.d/mdmonitor /etc/init.d/mdmpd
/etc/init.d/netdump /etc/init.d/netfs /etc/init.d/nscd
/etc/init.d/ospf6d /etc/init.d/ospfd /etc/init.d/pand
/etc/init.d/portmap /etc/init.d/radiusd /etc/init.d/radvd
/etc/init.d/restorecond /etc/init.d/rgmanager /etc/init.d/rhnsd
/etc/init.d/ripd /etc/init.d/ripngd /etc/init.d/sendmail
/etc/init.d/spamassassin /etc/init.d/squid /etc/init.d/syslog
/etc/init.d/winbind /etc/init.d/yppasswdd /etc/init.d/ypserv
/etc/init.d/ypxfrd /etc/init.d/zaptel /etc/init.d/zebra

> ---------------------------------------------
> should be "exit 1" or something else: exit code 0 is
> wrong IMO. Also some messages which tell why starting
> fail2ban failed should be printed out.

Well, it is obviously a Fedora convention not to do so. Whether it is
right or wrong is a different thing, but fail2ban has to blend in
properly so the above are correct. Anything else would have to be
discussed with the FPC.

> * Still I think (strongly) that /usr/bin/fail2ban should
> be moved under
> /usr/sbin because this is a sysadmin tool

You can use fail2ban as a user, too.

> ... and /etc/fail2ban.conf should be /etc/sysconfig/fail2ban .

No, that's wrong, /etc/sysconfig carries config files for the init
files themselves (e.g. what arguments to use for calling a daemon),
everything else is defined by the application, e.g. check httpd, ntpd
and so on.

> * And I think this package should own /var/log/fail2ban

Again no other package caters for its logfile ownership, having
fail2ban behave differently is wrong.

But I am 100% with you on defining a general solution, just not through
a package submission. You're welcome to raise the issues at
fedora-packaging instead.