how-to-patch-to-src.rpm.txt   update 2013.4.14

This document describes how to build fail2ban-0.8.4-multi-line-check.patch
into fail2ban-0.8.4-29.el5.src.rpm. After that you can use fail2ban with the
multi-line check function.

This document and the patch file are available at:
http://www.netosa.com/free-soft/fail2ban/

1. First, download the fail2ban-0.8.4-29.el5.src.rpm file from the EPEL site.

2. Install the src.rpm into rpmbuild's folder.

   #rpm -ivh fail2ban-0.8.4-29.el5.src.rpm

3. Copy fail2ban-0.8.4-multi-line-check2.patch to /usr/src/redhat/SOURCES

   #cp fail2ban-0.8.4-multi-line-check2.patch /usr/src/redhat/SOURCES

4. Edit the fail2ban.spec file: /usr/src/redhat/SPECS/fail2ban.spec

---------- fail2ban.spec -------------
Name:     fail2ban
Version:  0.8.4
Release:  29%{?dist}        -> Release: 29.1%{?dist}

Patch8:   fail2ban-0.8.4-notmp.patch
Patch9:   pyinotify.patch
Patch10:  fail2ban-0.8.4-examplemail.patch
Patch11:  fail2ban-0.8.4-multi-line-check2.patch   <- add this line

%patch8 -p1 -b .notmp
#%patch9 -p1 -b .inotify
%patch10 -p1 -b .mail
%patch11 -p1                                       <- add this line
---------- fail2ban.spec -------------

5. Build the RPM and SRC.RPM.

   #rpmbuild -ba --define="dist .el5" --target x86_64 fail2ban.spec

6. Update the fail2ban package.

   #service fail2ban stop     <--- if fail2ban is already running
   #rpm --checksig -v fail2ban-0.8.4-29.1.el5.noarch.rpm
   #rpm -Fvh (--test) fail2ban-0.8.4-29.1.el5.noarch.rpm

7. Check the filter file. Example: /etc/fail2ban/filter.d/sendmail.conf

   failregex = \[<HOST>\] .*to MTA
               \[<HOST>\] \(may be forged\)
               \[<HOST>\], reject.*\.\.\. Relaying denied
               # (User unknown)\n* \[<HOST>\]       <-- I think this is no good?
               (User unknown)\n.* \[<HOST>\]        <-- I think this is good?
               badlogin: .* \[<HOST>\] plaintext .* SASL

8. Start fail2ban with the multi-line check.

   #service fail2ban start

9. Check /var/log/messages. Can you see these few lines of log?

Apr 9 11:32:18 ns6x fail2ban.jail : INFO Creating new jail 'sendmail'
Apr 9 11:32:18 ns6x fail2ban.jail : INFO Jail 'sendmail' uses Gamin
Apr 9 11:32:19 ns6x fail2ban.filter : INFO Added logfile = /var/log/maillog
Apr 9 11:32:19 ns6x fail2ban.filter : INFO Set maxRetry = 4
Apr 9 11:32:19 ns6x fail2ban.filter : INFO Set findtime = 600
Apr 9 11:32:19 ns6x fail2ban.actions: INFO Set banTime = 600
Apr 9 11:32:19 ns6x fail2ban.filter : INFO addFailRegex set Mulit-line regex
    <--- If a failregex=xxxx line includes '\n', you should see this log line.
         If you can, it's working!

10. Check against the live log:

   #fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sendmail.conf
   or
   #fail2ban-regex /var/log/maillog "(User unknown)\n.* \[<HOST>\]"

11. Attention!
   This multi-line check function only works with single-line buffering or
   double-line buffering. If failregex = xxx contains "\n", it works with
   double-line buffering; otherwise it works with single-line buffering.

Thanks!
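The following is an added example, not part of this document or of the patch: a small Python model of the single-line versus double-line buffering described in the filter-file step and in the "Attention!" note. It joins each maillog line with its successor only when the failregex contains "\n", and shows why the commented-out "(User unknown)\n* \[<HOST>\]" pattern never reaches the relay address while "(User unknown)\n.* \[<HOST>\]" does. The <HOST> expansion and the sendmail log lines are assumptions constructed for the example.

```python
import re

# <HOST> expansion as used by fail2ban 0.8.x filters (assumed here; the
# real expansion lives in fail2ban's filter.py).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed sendmail log lines: the "User unknown" rejection is logged
# one line before the from=/relay= line that carries the client address,
# which is why a two-line match is needed to get at <HOST>.
SAMPLE_LINES = [
    "Apr  9 11:30:01 ns6x sendmail[1234]: r395U1Ab001234: "
    "<bogus@example.com>... User unknown",
    "Apr  9 11:30:01 ns6x sendmail[1234]: r395U1Ab001234: from=<x@example.org>, "
    "size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, "
    "relay=mail.example.org [192.0.2.10]",
    "Apr  9 11:31:05 ns6x sendmail[1240]: r395V5Ab001240: ruleset=check_rcpt, "
    "arg1=<victim@example.net>, relay=[198.51.100.7], reject=550 5.7.1 "
    "<victim@example.net>... Relaying denied",
]

# The two candidate two-line patterns from the filter file and one of its
# ordinary single-line patterns.
BAD_FAILREGEX = r"(User unknown)\n* \[<HOST>\]"
GOOD_FAILREGEX = r"(User unknown)\n.* \[<HOST>\]"
RELAY_FAILREGEX = r"\[<HOST>\], reject.*\.\.\. Relaying denied"


def uses_double_line_buffer(failregex):
    """The patch switches to a two-line buffer only when the failregex
    contains a literal '\\n' sequence."""
    return "\\n" in failregex


def scan(lines, failregex):
    """Return the hosts matched by failregex, using a two-line buffer
    (each line joined with its successor) when the regex asks for it,
    otherwise testing every line on its own."""
    rx = re.compile(failregex.replace("<HOST>", HOST_RE))
    if uses_double_line_buffer(failregex):
        candidates = [a + "\n" + b for a, b in zip(lines, lines[1:])]
    else:
        candidates = list(lines)
    hosts = []
    for text in candidates:
        m = rx.search(text)
        if m:
            hosts.append(m.group("host"))
    return hosts
```

Running scan() with BAD_FAILREGEX returns no host, because "\n*" followed by a space can never skip the timestamp that starts the second line; GOOD_FAILREGEX returns 192.0.2.10 and the single-line relay pattern returns 198.51.100.7.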