Overview
Request 688767 accepted
- ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four
* https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog
- Fixes
* `filter.d/dovecot.conf`:
- failregex enhancement to catch sql password mismatch errors (gh-2153);
- disconnected with "proxy dest auth failed" (gh-2184);
* `filter.d/freeswitch.conf`:
- provide compatibility for log-format from gh-2193:
* extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
`YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
* more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
- extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
(see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
how to set it to mode `normal`.
* `filter.d/domino-smtp.conf`:
- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
- failregex extended to catch connections rejected for policy reasons (gh-2228);
* `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected
and don't allowed in command-actions), see gh-2114;
* decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
- fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
`UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors;
- actions: avoid possible conversion errors on wrong-chars by replace tags;
- database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
- logging in fail2ban is process-wide exception-safe now.
* repaired start-time of initial seek to time (as well as other log-parsing related data),
if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
* systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
- New Features
* new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`,
`ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
* `ignorecommand` extended to use actions-similar replacement (capable to interpolate
all possible tags like ``, ``, ``, `F-USER` etc.)
- Enhancements
* `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
* since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
additionally option `-V` can be used to get version in normalized machine-readable short format.
- rebase patches
* fail2ban-opensuse-locations.patch
* fail2ban-opensuse-service.patch
- add signature file
- Updated to version 0.10.3.1. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10.3.1/ChangeLog
* fixed JSON serialization for the set-object within dump into database (gh-2103).
- Updated to version 0.10.3. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10.3/ChangeLog
- Fixes
* `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
* `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
* `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;
* `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
- fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064);
* `filter.d/sshd.conf`:
- failregex got an optional space in order to match new log-format (see gh-2061);
- fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
- fixed root login refused regex (optional port before preauth, gh-2080);
- avoid banning of legitimate users when pam_unix used in combination with other password method, so
bypass pam_unix failures if accepted available for this user gh-2070;
- amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
- mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
it counts failure on closing connection within preauth-stage (gh-2085);
* `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
* `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
* `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
* (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
- New Features
* several stability and performance optimizations, more effective filter parsing, etc;
* stable runnable within python versions 3.6 (as well as within 3.7-dev);
- Enhancements
* `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
* `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
* date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
* possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line,
e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line.
* badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
* add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
* Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG):
Usage `logtarget = target[padding=on|off]`
- Updated to version 0.10.2. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
- rebased patch
- Incompatibility list (compared to v.0.9):
* Filter (or `failregex`) internal capture-groups:
- If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$"
- New internal groups (currently reserved for internal usage):
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
mapping from tag `` used in failregex (e. g. `user` by ``).
* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
user configurations resp. `datepattern`.
* Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
IPv6-capable now.
- Incompatibility:
* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.
- Fixes
* Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
* Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
(if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
* `action.d/pf.conf`:
- fixed syntax error in achnor definition (documentation, see gh-1919);
- enclose ports in braces for multiport jails (see gh-1925);
* `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
* `filter.d/sshd.conf`:
- extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
- fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
- New Features
* datedetector: extended default date-patterns (allows extra space between the date and time stamps);
introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
- %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
(corresponds %H, but allows space if not zero-padded).
- %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
(corresponds %I, but allows space if not zero-padded).
* `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
- New Actions:
* `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
nginx-location with map-file);
- Enhancements
* jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
* action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
* Introduced new parameters for logging within fail2ban-server (gh-1980).
Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
- `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
for the list of facilities);
- `datetime` - add date-time to the message (default on, ignored if `format` specified);
- `format` - specify own format how it will be logged, for example for short-log into STDOUT:
`fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
* Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
if repair fails - recreate new database (gh-1465, gh-2004).
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
- Updated to version 0.10.1. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog
- Removed 607568f.patch and 1783.patch
- New features:
* IPv6 support
- IP addresses are now handled as objects rather than strings capable for
handling both address types IPv4 and IPv6
- iptables related actions have been amended to support IPv6 specific actions
additionally
- hostsdeny and route actions have been tested to be aware of v4 and v6 already
- pf action for *BSD systems has been improved and supports now also v4 and v6
- name resolution is now working for either address type
- new conditional section functionality used in config resp. includes:
- [Init?family=inet4] - IPv4 qualified hosts only
- [Init?family=inet6] - IPv6 qualified hosts only
* Reporting via abuseipdb.com
- Bans can now be reported to abuseipdb
- Catagories must be set in the config
- Relevant log lines included in report
* Several commands extended and new commands introduced
* Implemented execution of `actionstart` on demand
* nftables actions are IPv6-capable now
* Introduced new filter option `prefregex` for pre-filtering using single regular expression
* Many times faster because of several optimizations
* Several filters optimized
* Introduced new jail option "ignoreself"
- Lots of fixes and internal improvements
- Incompatibitilities:
* Filter (or `failregex`) internal capture-groups:
- If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
Of course you can always your own capture-group (like below `_cond_ip_`) to do this.
```
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$"
```
- New internal groups (currently reserved for internal usage):
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
mapping from tag `` used in failregex (e. g. `user` by ``).
* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
user configurations resp. `datepattern`.
* Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
IPv6-capable now.
- added 1783.patch from upstream: "Updated roundcube authentication filter"
- use tmpfiles_create macro
- added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP"
this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no
action as a result"
- Update to 0.9.7
* Fixed a systemd-journal handling in fail2ban-regex
(gh#fail2ban/fail2ban#1657)
* filter.d/sshd.conf
- Fixed non-anchored part of failregex (misleading match of colon inside
IPv6 address instead of `: ` in the reason-part by missing space,
gh#fail2ban/fail2ban#1658)
(0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
* config/pathes-freebsd.conf
- Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
* filter.d/exim.conf
- optional part `(...)` after host-name before `[IP]`
(gh#fail2ban/fail2ban#1751)
- new reason "Unrouteable address" for "rejected RCPT" regex
(gh#fail2ban/fail2ban#1762)
- match of complex time like `D=2m42s` in regex "no MAIL in SMTP
connection" (gh#fail2ban/fail2ban#1766)
* filter.d/sshd.conf
- new aggressive rules (gh#fail2ban/fail2ban#864):
- Connection reset by peer (multi-line rule during authorization process)
- No supported authentication methods available
- single line and multi-line expression optimized, added optional prefixes
and suffix (logged from several ssh versions), according
to gh#fail2ban/fail2ban#1206;
- fixed expression received disconnect auth fail (optional space after port
part, gh#fail2ban/fail2ban#1652)
and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206;
* filter.d/suhosin.conf
- greedy catch-all before `` fixed (potential vulnerability)
* filter.d/cyrus-imap.conf
- accept entries without login-info resp. hostname before IP address (#fail2ban/fail2ban#707)
* Filter tests extended with check of all config-regexp, that contains greedy catch-all
before ``, that is hard-anchored at end or precise sub expression after ``
* New Actions:
- action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh#fail2ban/fail2ban#1663)
* New Filters:
- filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603)
* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban
- Update to 0.9.6 (2016/12/10)
### Fixes
* Misleading add resp. enable of (already available) jail in database, that
induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
(e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version,
uses "fail2ban-python" now);
* Fixed test case "testSetupInstallRoot" for not default python version (also
using direct call, out of virtualenv);
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/apache-modsecurity.conf`
- Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
replaced for safer match, unneeded catch-all anchoring removed, non-capturing
* `filter.d/asterisk.conf`
- Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/dovecot.conf`
- Fixed failregex ignores failures through some not relevant info (gh-1623)
* `filter.d/ignorecommands/apache-fakegooglebot`
- Fixed error within apache-fakegooglebot, that will be called
with wrong python version (gh-1506)
* `filter.d/assp.conf`
- Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf`
- Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf`
- Optional reason part in message after FAIL LOGIN (gh-1543)
* `filter.d/sendmail-reject.conf`
- removed mandatory double space (if dns-host available, gh-1579)
* filter.d/sshd.conf
- recognized "Failed publickey for" (gh-1477);
- optimized failregex to match all of "Failed any-method for ... from " (gh-1479)
- eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
- optional port part after host (see gh-1533, gh-1581)
### New Features
* New Actions:
- `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
* New Filters:
- `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
(gh-1586, gh-1606 and gh-1607)
### Enhancements
* DateTemplate regexp extended with the word-end boundary, additionally to
word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to
python executable, where fail2ban currently installed (resp. its modules are located):
- allows to use the same version, fail2ban currently running, e.g. in
external scripts just via replace python with fail2ban-python:
```diff
-#!/usr/bin/env python
+#!/usr/bin/env fail2ban-python
```
- always the same pickle protocol
- the same (and also guaranteed available) fail2ban modules
- simplified stand-alone install, resp. stand-alone installation possibility
via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
examples:
- `backend = systemd[journalpath=/run/log/journal/machine-1]`
- `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
- `backend = systemd[journalflags=2]`
- rebase fail2ban-opensuse-locations.patch, fail2ban-opensuse-service.patch
- Update to version 0.9.5
New Features
* New Actions: action.d/firewallcmd-rich-rules and
action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367)
* New filter: slapd - ban hosts, that were failed to connect with invalid
credentials: error code 49 (gh#fail2ban/fail2ban#1478)
Enhancements
* Extreme speedup of all sqlite database operations
(gh#fail2ban/fail2ban#1436), by using of following sqlite options:
- (synchronous = OFF) write data through OS without syncing
- (journal_mode = MEMORY) use memory for the transaction logging
- (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362)
* Added additional regex filter for dovecot ldap authentication
failures (gh#fail2ban/fail2ban#1370)
* filter.d/exim*conf
- Added additional regexes (gh#fail2ban/fail2ban#1371)
- Made port entry optional
Fixes
* filter.d/monit.conf
- Extended failregex with new monit "access denied" version
(gh#fail2ban/fail2ban#1355)
- failregex of previous monit version merged as single expression
* filter.d/postfix.conf, filter.d/postfix-sasl.conf
- Extended failregex daemon part, matching also postfix/smtps/smtpd now
(gh#fail2ban/fail2ban#1391)
* Fixed a grave bug within tags substitutions because of incorrect detection
of recursion in case of multiple inline substitutions of the same tag
(affected actions: bsd-ipfw, etc). Now tracks the actual list of the
already substituted tags (per tag instead of single list)
* filter.d/common.conf
- Unexpected extra regex-space in generic __prefix_line
(gh#fail2ban/fail2ban#1405)
- All optional spaces normalized in common.conf, test covered now
- Generic __prefix_line extended with optional brackets for the date ambit
(gh#fail2ban/fail2ban#1421), added new parameter __date_ambit
* gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon,
not argument of fail2ban (see gh#fail2ban/fail2ban#1434)
* filter.d/asterisk.conf
- Fixed security log support for PJSIP and Asterisk 13+
(gh#fail2ban/fail2ban#1456)
- Improved log support for PJSIP and Asterisk 13+ with different callID
(gh#fail2ban/fail2ban#1458)
- Mark /etc/fail2ban/fail2ban.conf as noreplace.
- Removed patch: fail2ban-exclude-dev-log-tests.patch
- Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
- rebased other patches
- Defined services which per default uses systemd logger
- Provide /usr/sbin/rcfail2ban also on systemd based distros
- All files in /etc/fail2ban/ except jail.local are now automatically replaced
upon installation of fail2ban
- The update to this versions allow to close boo#917818, as the logger-backends for
several services are now centrally set in /etc/fail2ban/paths-opensuse.conf
- Update to version 0.9.4
New Features:
* New interpolation feature for definition config readers - ``
(means last known init definition of filters or actions with name `parameter`).
This interpolation makes possible to extend a parameters of stock filter or
action directly in jail inside jail.local file, without creating a separately
filter.d/*.local file.
As extension to interpolation `%(known/parameter)s`, that does not works for
filter and action init parameters
* New actions:
- nftables-multiport and nftables-allports - filtering using nftables
framework. Note: it requires a pre-existing chain for the filtering rule.
* New filters:
- openhab - domotic software authentication failure with the
rest api and web interface (gh-1223)
- nginx-limit-req - ban hosts, that were failed through nginx by limit
request processing rate (ngx_http_limit_req_module)
- murmur - ban hosts that repeatedly attempt to connect to
murmur/mumble-server with an invalid server password or certificate.
- haproxy-http-auth - filter to match failed HTTP Authentications against a
HAProxy server
* New jails:
- murmur - bans TCP and UDP from the bad host on the default murmur port.
* sshd filter got new failregex to match "maximum authentication
attempts exceeded" (introduced in openssh 6.8)
* Added filter for Mac OS screen sharing (VNC) daemon
Enhancements:
* Do not rotate empty log files
* Added new date pattern with year after day (e.g.
http://bugs.debian.org/798923
* Added openSUSE path configuration (Thanks Johannes Weberhofer)
* Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
* Added a timeout (3 sec) to urlopen within badips.py action
(Thanks M. Maraun)
* Added check against atacker's Googlebot PTR fake records
(Thanks Pablo Rodriguez Fernandez)
* Enhance filter against atacker's Googlebot PTR fake records
(gh-1226)
* Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
* Added filter for openhab domotic software authentication failure with the
rest api and web interface (gh-1223)
* Add *_backend options for services to allow distros to set the default
backend per service, set default to systemd for Fedora as appropriate
* Performance improvements while monitoring large number of files (gh-1265).
Use associative array (dict) for monitored log files to speed up lookup
operations. Thanks @kshetragia
* Specified that fail2ban is PartOf iptables.service firewalld.service in
.service file -- would reload fail2ban if those services are restarted
* Provides new default `fail2ban_version` and interpolation variable
`fail2ban_agent` in jail.conf
* Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
and to support multiple instances of postfix having varying suffix (gh-1331)
(Thanks Tom Hendrikx)
* files/gentoo-initd to use start-stop-daemon to robustify restarting the service
Fixes:
* roundcube-auth jail typo for logpath
* Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
* filter.d/apache-badbots.conf
- Updated useragent string regex adding escape for `+`
* filter.d/mysqld-auth.conf
gg - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
* filter.d/sshd.conf
- Updated "Auth fail" regex for OpenSSH 5.9 and later
* Treat failed and killed execution of commands identically (only
different log messages), which addresses different behavior on different
exit codes of dash and bash (gh-1155)
* Fix jail.conf.5 man's section (gh-1226)
* Fixed default banaction for allports jails like pam-generic, recidive, etc
with new default variable `banaction_allports` (gh-1216)
* Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
for python version < 3.x (gh-1248)
* Use postfix_log logpath for postfix-rbl jail
* filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
* use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
* Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
* Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
* Removed compression and rotation count from logrotate (inherit them from
the global logrotate config)
- Require python-systemd for openSUSE 12.3+
- Cleaned up the spec file
- Added /run/fail2ban for openSUSE 13.2+
- Don't fail on test-errors
- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
to fix the former failing test and removed
fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
- Do not longer create test-package. Developers should not use the packaged
version of fail2ban.
- patches are no longer included conditionally
- fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch excludes the
ExecuteTimeoutWithNastyChildren test, as it doesn't run correctly on
openSUSE.
- fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for
older releases.
- Update to version 0.9.3
- IMPORTANT incompatible changes:
* filter.d/roundcube-auth.conf
- Changed logpath to 'errors' log (was 'userlogins')
* action.d/iptables-common.conf
- All calls to iptables command now use -w switch introduced in
iptables 1.4.20 (some distribution could have patched their
earlier base version as well) to provide this locking mechanism
useful under heavy load to avoid contesting on iptables calls.
If you need to disable, define 'action.d/iptables-common.local'
with empty value for 'lockingopt' in `[Init]` section.
* mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
actions now include by default only the first 1000 log lines in
the emails. Adjust to augment the behavior.
- Fixes:
* reload in interactive mode appends all the jails twice (gh-825)
* reload server/jail failed if database used (but was not changed) and
some jail active (gh-1072)
* filter.d/dovecot.conf - also match unknown user in passwd-file.
Thanks Anton Shestakov
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
* filter.d/asterisk.conf - fix security log support for Asterisk 12+
* filter.d/roundcube-auth.conf
- Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
- Added regex to work with 'userlogins' log
* action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
locale on systems with customized LC_ALL
* performance fix: minimizes connection overhead, close socket only at
communication end (gh-1099)
* unbanip always deletes ip from database (independent of bantime, also if
currently not banned or persistent)
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
* always set 'dbfile' before other database options (gh-1050)
* kill the entire process group of the child process upon timeout (gh-1129).
Otherwise could lead to resource exhaustion due to hanging whois
processes.
* resolve /var/run/fail2ban path in setup.py to help installation
on platforms with /var/run -> /run symlink (gh-1142)
- New Features:
* RETURN iptables target is now a variable:
* New type of operation: pass2allow, use fail2ban for "knocking",
opening a closed port by swapping blocktype and returntype
* New filters:
- froxlor-auth - Thanks Joern Muehlencord
- apache-pass - filter Apache access log for successful authentication
* New actions:
- shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
manual pre-configuration of the shorewall. See the action file for detail.
* New jails:
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
- Enhancements:
* action.d/cloudflare.conf - improved documentation on how to allow
multiple CF accounts, and jail.conf got new compound action
definition action_cf_mwl to submit cloudflare report.
* Check access to socket for more detailed logging on error (gh-595)
* fail2ban-testcases man page
* filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
HEAD method verb
* Revamp of Travis and coverage automated testing
* Added a space between IP address and the following colon
in notification emails for easier text selection
* Character detection heuristics for whois output via optional setting
in mail-whois*.conf. Thanks Thomas Mayer.
Not enabled by default, if _whois_command is set to be
%(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
it
- detects character set of whois output (which is undefined by
RFC 3912) via heuristics of the file command
- converts whois data to UTF-8 character set with iconv
- sends the whois output in UTF-8 character set to mail program
- avoids that heirloom mailx creates binary attachment for input with
unknown character set
- Note: fail2ban-issue_906-strptime.patch has been removed as it is already
integrated in the current version.
- Removed "backend" setting from paths-opensuse.conf
- Update to version 0.9.2 (requested in boo#917818)
Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog
Here are some notes to be read when updating existing installations:
The default log-backend for openssue 13.2+ is now systemd
* jail.conf was heavily refactored and now is similar to how it looked on
Debian systems:
- default action could be configured once for all jails
- jails definitions only provide customizations (port, logpath)
- no need to specify 'filter' if name matches jail name
* Added fail2ban persistent database
- default location at /var/lib/fail2ban/fail2ban.sqlite3
- allows active bans to be reinstated on restart
- log files read from last position after restart
* Added systemd journal backend
- Dependency on python-systemd
- New "journalmatch" option added to filter configs files
- New "systemd-journal" option added to fail2ban-regex
* Support %z (Timezone offset) and %f (sub-seconds) support for datedetector.
Enhanced existing date/time have been updated patterns to support these.
ISO8601 now defaults to localtime unless specified otherwise. Some filters
have been change as required to capture these elements in the right
timezone correctly.
* Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
* Optionally can read log files starting from "head" or "tail". See "logpath"
option in jail.conf(5) man page.
* Can now set log encoding for files per jail.Default uses systemd locale.
* iptables-common.conf replaced iptables-blocktype.conf
(iptables-blocktype.local should still be read) and now also provides
defaults for the chain, port, protocol and name tags
- Require whois
- Whereever possible, path-definitions have been moved paths-opensuse.conf
which has been submittet upstream
- Use default fail2ban.service including fail2ban-opensuse-service.patch
- Use default suse-initd from upstream
- Run test-cases during build
- run fdupes
- Tests have been moved to a seperate page
- Added rpmlintrc file to ignore some hidden files in the test package
- Must build arch-depended packages for SLES 11
- Removed two tests which can't run on the build server with openSUSE
before 13.3: fail2ban-exclude-dev-log-tests.patch
- Add missing dependency on ed (boo#926943)
- Fixed strptime thread safety issue.
fail2ban-issue_906-strptime.patch (bnc#914075 gh#fail2ban/fail2ban#906)
- Added syslog to requirements, as this version of fail2ban does not
work with systemd-logging: bnc#905733
- Recommend installation of the ordering package when all
constituing parts are installed
- Fixed check for %_unitdir to make fail2ban build under older systems, too.
- Changed /usr to %{_prefix} in the spec file
- update to 0.8.14
* minor fixes for claimed Python 2.4 and 2.5 compatibility
* Handle case when inotify watch is auto deleted on file deletion to stop
error messages
* tests - fixed few "leaky" file descriptors when files were not closed while
being removed physically
* grep in mail*-whois-lines.conf now also matches end of line to work with
the recidive filter
- add fail2ban-opensuse-locations.patch to fix default locations as suggested
in bnc#878028
- update to 0.8.13:
+ Fixes:
- action firewallcmd-ipset had non-working actioncheck. Removed.
redhat bug #1046816.
- filter pureftpd - added _daemon which got removed. Added
+ New Features:
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
- filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
+ Enhancements:
- filter asterisk now supports syslog format
- filter pureftpd - added all translations of "Authentication failed for
user"
- filter dovecot - lip= was optional and extended TLS errors can occur.
Thanks Noel Butler.
- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed
upstream
- split out nagios-plugins-fail2ban package
- Add a new subpackage to install systemd drop-ins that couple
SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf,
f2b-restart.conf.
Security note: The update to version 0.8.11 has fixed two additional security
issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
be blocked by Fail2ban causing legitimate users to be blocked from accessing
services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
(postfix)
- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
newer versions of openSUSE
- Reviewed and fixed github references in the changelog
- Use new flushlogs syntax after logrotate
- Update to version 0.8.12
* Log rotation can now occur with the command "flushlogs" rather than
reloading fail2ban or keeping the logtarget settings consistent in
jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
* Added ignorecommand option for allowing dynamic determination as to ignore
and IP or not.
* Remove indentation of name and loglevel while logging to SYSLOG to resolve
syslog(-ng) parsing problems. (dep#730202). Log lines now also
report "[PID]" after the name portion too.
* Epoch dates can now be enclosed within []
* New actions: badips, firewallcmd-ipset, ufw, blocklist_de
* New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
ejabberd, openwebmail, groupoffice
* Filter improvements:
- apache-noscript now includes php cgi scripts
- exim-spam filter to match spamassassin log entry for option SAdevnull.
- Added to sshd filter expression for
"Received disconnect from : 3: Auth fail"
- Improved ACL-handling for Asterisk
- Added improper command pipelining to postfix filter.
* General fixes:
- Added lots of jail.conf entries for missing filters that creaped in
over the last year.
- synchat changed to use push method which verifies whether all data was
send. This ensures that all data is sent before closing the connection.
- Fixed python 2.4 compatibility (as sub-second in date patterns weren't
2.4 compatible)
- Complain/email actions fixed to only include relevant IPs to reporting
* Filter fixes:
- Added HTTP referrer bit of the apache access log to the apache filters.
- Apache 2.4 perfork regexes fixed
- Kernel syslog expression can have leading spaces
- allow for ",milliseconds" in the custom date format of proftpd.log
- recidive jail to block all protocols
- smtps not a IANA standard so may be missing from /etc/services. Due to
(still) common use 465 has been used as the explicit port number
- Filter dovecot reordered session and TLS items in regex with wider scope
for session characters
* Ugly Fixes (Potentially incompatible changes):
- Unfortunately at the end of last release when the action
firewall-cmd-direct-new was added it was too long and had a broken action
check. The action was renamed to firewallcmd-new to fit within jail name
name length. (gh#fail2ban/fail2ban#395).
- Last release added mysqld-syslog-iptables as a jail configuration. This
jailname was too long and it has been renamed to mysqld-syslog.
- Fixed formating of github references in changelog
- reformatted spec-file
- Update to version 0.8.11
- In light of CVE-2013-2178 that triggered our last release we have put a
significant effort into tightening all of the regexs of our filters to avoid
another similar vulnerability. We haven't examined all of these for a potential
DoS scenario however it is possible that another DoS vulnerability exists that
is fixed by this release. A large number of filters have been updated to
include more failure regexs supporting previously unbanned failures and support
newer application versions too. We have test cases for most of these now
however if you have other examples that demonstrate that a filter is
insufficient we welcome your feedback. During the tightening of the regexs to
avoid DoS vulnerabilities there is the possibility that we have inadvertently,
despite our best intentions, incorrectly allowed a failure to continue.
- Added systemd service file and systemd-tmpfiles configuration
- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
by "bugs" in apache- filters. If you are relying on listed below apache-
filters, upgrade asap and seek your distributions to patch their fail2ban
distribution with [6ccd5781]. The bug's decription can be found in
https://vndh.net/note:fail2ban-089-denial-service
- Fixes
* [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
failregex at the beginning (and where applicable at the end).
Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710
* action.d/{route,shorewall}.conf - blocktype must be defined
within [Init]. Closes gh#fail2ban/fail2ban#232
- Enhancements
* jail.conf -- assure all jails have actions and remove unused
ports specifications
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
* files/suse-initd -- update to the copy from stock SUSE
* Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
gh#fail2ban/fail2ban#230.
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes
gh#fail2ban/fail2ban#244.
------------------------------------------------------------------
- Included logrotate configuration for fail2ban
- Init-Script does no longer require $syslog to be started as file-base logging
is the default. Synced with Debian script.
- Upgrade to version 0.8.9
- Fixes: Yaroslav Halchenko
* [6f4dad46] python-2.4 is the minimal version.
* [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the
bug report.
* [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
insight. Closes gh#fail2ban/fail2ban#103.
* [ab044b75] delay check for the existence of config directory until read.
* [3b4084d4] fixing up for handling of TAI64N timestamps.
* [154aa38e] do not shutdown logging until all jails stop.
* [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes
gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and
troubleshooting. Orion Poplawski
* [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
newly created directories.
Nicolas Collignon
* [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167.
Sergey Brester
* [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
sorting template list.
Steven Hiscocks
* [7a442f07] When changing log target with python2.{4,5} handle KeyError.
Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148.
* [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124.
Daniel Black
* [f0610c01] Allow more that a one word command when changing and Action via
the fail2ban-client. Closes gh#fail2ban/fail2ban#134.
* [945ad3d9] Fix dates on email actions to work in different locals. Closes
gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
blotus
* [96eb8986] ' and " should also be escaped in action tags Closes
gh#fail2ban/fail2ban#109
Christoph Theis, Nick Hilliard, Daniel Black
* [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
- New features:
Yaroslav Halchenko
* [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
to provide additional flexibility to system adminstrators. Thanks to
beilber for the idea. Closes gh#fail2ban/fail2ban#114.
* [3ce53e87] Add exim filter.
Erwan Ben Souiden
* [d7d5228] add nagios integration documentation and script to ensure
fail2ban is running. Closes gh#fail2ban/fail2ban#166.
Artur Penttinen
* [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152.
ArndRaphael Brandes
* [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117.
Michael Gebetsriother
* [f9b78ba] Add action route to block at routing level.
Teodor Micu & Yaroslav Halchenko
* [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
Daniel Black
* [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102.
Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
* [b6d0e8a] Add and enhance the bsd-ipfw action from
FreeBSD ports.
Soulard Morgan
* [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99.
Steven Hiscocks
* [..746c7d9] bash interactive shell completions for fail2ban-*'s
Nick Hilliard
* [0c5a9c5] Add pf action.
- Enhancements:
Enrico Labedzki
* [24a8d07] Added new date format for ASSP SMTP Proxy.
Steven Hiscocks
* [3d6791f] Ensure restart of Actions after a check fails occurs
consistently. Closes gh#fail2ban/fail2ban#172.
* [MANY] Improvements to test cases, travis, and code coverage (coveralls).
* [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124.
* [ce3ab34] Added ability to specify PID file.
Orion Poplawski
* [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
Closes gh#fail2ban/fail2ban#142.
Yaroslav Halchenko
* [MANY] Lots of improvements to log messages, man pages and test cases.
* [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger.
* [40c5a2d] adding more of diagnostic messages into -client while starting
the daemon.
* [8e63d4c] Compare against None with 'is' instead of '=='.
* [6fef85f] Strip CR and LF while analyzing the log line
Daniel Black
* [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143.
* [MANY] man page edits.
* [7cd6dab] Added help command to fail2ban-client.
* [c8c7b0b,23bbc60] Better logging of log file read errors.
* [3665e6d] Added code coverage to development process.
* [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
source. Also include BSD changes.
* [1d9abd1] Action files can have tags in definition that refer to other
tags.
* [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
unreachable rather than just a drop of the packet.
Pascal Borreli
* [a2b29b4] Fixed lots of typos in config files and documentation.
hamilton5
* [7ede1e8] Update dovecot filter config.
Romain Riviere
* [0ac8746] Enhance named-refused filter for views.
James Stout
* [..2143cdf] Solaris support enhancements:
- README.Solaris
- failregex'es tune ups (sshd.conf)
- hostsdeny: do not rely on support of '-i' in sed
One of the important changes is escaping of the content -- so if you
crafted some custom action which uses it -- you must upgrade, or you
would be at a significant security risk.
- Fixes:
Alan Jenkins
* [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64
Yaroslav Halchenko
* [83109bc] IMPORTANT: escape the content of (if used in
custom action files) since its value could contain arbitrary
symbols. Thanks for discovery go to the NBS System security
team
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes.
Close gh#fail2ban/fail2ban#83
* [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
* [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
in the console. Close gh#fail2ban/fail2ban#91
- New features:
David Engeset
* [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
the log file to take 'banip' or 'unbanip' in effect.
Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
- Enhancements:
* [2d66f31] replaced uninformative "Invalid command" message with warning log
exception why command actually failed
* [958a1b0] improved failregex to "support" auth.backend = "htdigest"
* [9e7a3b7] until we make it proper module -- adjusted sys.path only if
system-wide run
* [f52ba99] downgraded "already banned" from WARN to INFO level.
Closes gh#fail2ban/fail2ban#79
* [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
for this gh#fail2ban/fail2ban#87)
* Various others: travis-ci integration, script to run tests
against all available Python versions, etc
- Fixed initscript as discussed in bnc#790557
- use Source URL pointing to github
- Do not longer replace main config-files
- Use variables for directories in spec file
- Added dependencies to python-pyinotifyi, python-gamin and iptables
- Upgraded to version 0.8.7.1
- Yaroslav Halchenko
* [e9762f3] Removed sneaked in comment on sys.path.insert
Tom Hendrikx & Jeremy Olexa
* [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
See http://forums.gentoo.org/viewtopic-t-899018.html
- Chris Reffett
* [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
rather than just one failure.
- Yaroslav Halchenko
* [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
* [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
* [ed16ecc] enforce "ip" field returned as str, not unicode so that log
message stays non-unicode. Close gh#fail2ban/fail2ban#32
* [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
already present in the pattern
* [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66)
* [80b191c] anchor grep regexp in actioncheck to not match partial names
of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
- New features:
- François Boulogne
* [a7cb20e..] add lighttpd-auth filter/jail
- Lee Clemens & Yaroslav Halchenko
* [e442503] pyinotify backend (default if backend='auto' and pyinotify
is available)
* [d73a71f,3989d24] usedns parameter for the jails to allow disabling
use of DNS
- Tom Hendrikx
* [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
repeated offenders. Close gh#fail2ban/fail2ban#19
- Xavier Devlamynck
* [7d465f9..] Add asterisk support
- Zbigniew Jedrzejewski-Szmek
* [de502cf..] allow running fail2ban as non-root user (disabled by
default) via xt_recent. See doc/run-rootless.txt
- Enhancements
- Lee Clemens
* [47c03a2] files/nagios - spelling/grammar fixes
* [b083038] updated Free Software Foundation's address
* [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
* [642d9af,3282f86] reformated printing of jail's name to be consistent
with init's info messages
* [3282f86] uniform use of capitalized Jail in the messages
- Leonardo Chiquitto
* [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
to reflect code
* [a7d47e8] Update Free Software Foundation's address
- Petr Voralek
* [4007751] catch failed ssh logins due to being listed in DenyUsers.
Close gh#fail2ban/fail2ban#47 (Closes: #669063)
- Yaroslav Halchenko
* [MANY] extended and robustified unittests: test different backends
* [d9248a6] refactored Filter's to avoid duplicate functionality
* [7821174] direct users to issues on github
* [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
default with -v to control verbosity
* [b4099da] adjusted header for config/*.conf to mention .local and way
to comment (Thanks Stefano Forli for the note)
* [6ad55f6] added failregex for wu-ftpd to match against syslog instead
of DoS-prone auth.log's rhost (Closes: #514239)
* [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
sshd filter (Closes: #648020)
- Yehuda Katz & Yaroslav Halchenko
* [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
- Adding to fail2ban.init remove of pid and sock files on stop
in case not removed before (prevents start fail)
- Update to version 0.8.6. containing various fixes and enhancements
- Update to version 0.8.5: many bug fixes, enhancements and, as
a bonus, drop two patches that are now upstream
- Update FSF address to silent rpmlint warnings
- Drop stale socket files on startup (bnc#537239, bnc#730044)
- Apply packaging guidelines (remove redundant/obsolete
tags/sections from specfile, etc.)
- Use /var/run/fail2ban instead of /tmp for temp files in
actions: see bugs.debian.org/544232, bnc#690853,
CVE-2009-5023
- Use $FAIL2BAN_OPTIONS when starting (bnc#662495)
- Clean up sysconfig file
- Use O_CLOEXEC on fds (patch from Fedora)
- Create /var/run/fail2ban during startup to support systems that
mount /var/run as tmpfs
- Build package as noarch
- Spec file cleanup: fix a couple of rpmlint warnings
- Init script: look for fail2ban-server when checking if the
daemon is running
- Update to version 0.8.4. Important changes:
* New "Ban IP" command
* New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve
* Fixed the 'unexpected communication error' problem
* Remove socket file on startup if fail2ban crashed (bnc#537239)
- Initial version: 0.8.3
Request History
weberho created request
- ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four
* https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog
- Fixes
* `filter.d/dovecot.conf`:
- failregex enhancement to catch sql password mismatch errors (gh-2153);
- disconnected with "proxy dest auth failed" (gh-2184);
* `filter.d/freeswitch.conf`:
- provide compatibility for log-format from gh-2193:
* extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
`YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
* more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
- extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
(see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
how to set it to mode `normal`.
* `filter.d/domino-smtp.conf`:
- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
- failregex extended to catch connections rejected for policy reasons (gh-2228);
* `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected
and don't allowed in command-actions), see gh-2114;
* decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
- fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
`UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors;
- actions: avoid possible conversion errors on wrong-chars by replace tags;
- database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
- logging in fail2ban is process-wide exception-safe now.
* repaired start-time of initial seek to time (as well as other log-parsing related data),
if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
* systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
- New Features
* new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`,
`ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
* `ignorecommand` extended to use actions-similar replacement (capable to interpolate
all possible tags like ``, ``, ``, `F-USER` etc.)
- Enhancements
* `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
* since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
additionally option `-V` can be used to get version in normalized machine-readable short format.
- rebase patches
* fail2ban-opensuse-locations.patch
* fail2ban-opensuse-service.patch
- add signature file
- Updated to version 0.10.3.1. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10.3.1/ChangeLog
* fixed JSON serialization for the set-object within dump into database (gh-2103).
- Updated to version 0.10.3. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10.3/ChangeLog
- Fixes
* `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
* `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
* `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;
* `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
- fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064);
* `filter.d/sshd.conf`:
- failregex got an optional space in order to match new log-format (see gh-2061);
- fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
- fixed root login refused regex (optional port before preauth, gh-2080);
- avoid banning of legitimate users when pam_unix used in combination with other password method, so
bypass pam_unix failures if accepted available for this user gh-2070;
- amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
- mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
it counts failure on closing connection within preauth-stage (gh-2085);
* `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
* `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
* `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
* (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
- New Features
* several stability and performance optimizations, more effective filter parsing, etc;
* stable runnable within python versions 3.6 (as well as within 3.7-dev);
- Enhancements
* `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
* `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
* date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
* possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line,
e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line.
* badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
* add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
* Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG):
Usage `logtarget = target[padding=on|off]`
- Updated to version 0.10.2. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
- rebased patch
- Incompatibility list (compared to v.0.9):
* Filter (or `failregex`) internal capture-groups:
- If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$"
- New internal groups (currently reserved for internal usage):
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
mapping from tag `` used in failregex (e. g. `user` by ``).
* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
user configurations resp. `datepattern`.
* Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
IPv6-capable now.
- Incompatibility:
* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.
- Fixes
* Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
* Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
(if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
* `action.d/pf.conf`:
- fixed syntax error in achnor definition (documentation, see gh-1919);
- enclose ports in braces for multiport jails (see gh-1925);
* `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
* `filter.d/sshd.conf`:
- extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
- fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
- New Features
* datedetector: extended default date-patterns (allows extra space between the date and time stamps);
introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
- %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
(corresponds %H, but allows space if not zero-padded).
- %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
(corresponds %I, but allows space if not zero-padded).
* `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
- New Actions:
* `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
nginx-location with map-file);
- Enhancements
* jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
* action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
* Introduced new parameters for logging within fail2ban-server (gh-1980).
Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
- `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
for the list of facilities);
- `datetime` - add date-time to the message (default on, ignored if `format` specified);
- `format` - specify own format how it will be logged, for example for short-log into STDOUT:
`fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
* Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
if repair fails - recreate new database (gh-1465, gh-2004).
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
- Updated to version 0.10.1. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog
- Removed 607568f.patch and 1783.patch
- New features:
* IPv6 support
- IP addresses are now handled as objects rather than strings capable for
handling both address types IPv4 and IPv6
- iptables related actions have been amended to support IPv6 specific actions
additionally
- hostsdeny and route actions have been tested to be aware of v4 and v6 already
- pf action for *BSD systems has been improved and supports now also v4 and v6
- name resolution is now working for either address type
- new conditional section functionality used in config resp. includes:
- [Init?family=inet4] - IPv4 qualified hosts only
- [Init?family=inet6] - IPv6 qualified hosts only
* Reporting via abuseipdb.com
- Bans can now be reported to abuseipdb
- Catagories must be set in the config
- Relevant log lines included in report
* Several commands extended and new commands introduced
* Implemented execution of `actionstart` on demand
* nftables actions are IPv6-capable now
* Introduced new filter option `prefregex` for pre-filtering using single regular expression
* Many times faster because of several optimizations
* Several filters optimized
* Introduced new jail option "ignoreself"
- Lots of fixes and internal improvements
- Incompatibitilities:
* Filter (or `failregex`) internal capture-groups:
- If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
Of course you can always your own capture-group (like below `_cond_ip_`) to do this.
```
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$"
```
- New internal groups (currently reserved for internal usage):
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
mapping from tag `` used in failregex (e. g. `user` by ``).
* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
user configurations resp. `datepattern`.
* Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
IPv6-capable now.
- added 1783.patch from upstream: "Updated roundcube authentication filter"
- use tmpfiles_create macro
- added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP"
this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no
action as a result"
- Update to 0.9.7
* Fixed a systemd-journal handling in fail2ban-regex
(gh#fail2ban/fail2ban#1657)
* filter.d/sshd.conf
- Fixed non-anchored part of failregex (misleading match of colon inside
IPv6 address instead of `: ` in the reason-part by missing space,
gh#fail2ban/fail2ban#1658)
(0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
* config/pathes-freebsd.conf
- Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
* filter.d/exim.conf
- optional part `(...)` after host-name before `[IP]`
(gh#fail2ban/fail2ban#1751)
- new reason "Unrouteable address" for "rejected RCPT" regex
(gh#fail2ban/fail2ban#1762)
- match of complex time like `D=2m42s` in regex "no MAIL in SMTP
connection" (gh#fail2ban/fail2ban#1766)
* filter.d/sshd.conf
- new aggressive rules (gh#fail2ban/fail2ban#864):
- Connection reset by peer (multi-line rule during authorization process)
- No supported authentication methods available
- single line and multi-line expression optimized, added optional prefixes
and suffix (logged from several ssh versions), according
to gh#fail2ban/fail2ban#1206;
- fixed expression received disconnect auth fail (optional space after port
part, gh#fail2ban/fail2ban#1652)
and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206;
* filter.d/suhosin.conf
- greedy catch-all before `` fixed (potential vulnerability)
* filter.d/cyrus-imap.conf
- accept entries without login-info resp. hostname before IP address (#fail2ban/fail2ban#707)
* Filter tests extended with check of all config-regexp, that contains greedy catch-all
before ``, that is hard-anchored at end or precise sub expression after ``
* New Actions:
- action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh#fail2ban/fail2ban#1663)
* New Filters:
- filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603)
* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban
- Update to 0.9.6 (2016/12/10)
### Fixes
* Misleading add resp. enable of (already available) jail in database, that
induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
(e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version,
uses "fail2ban-python" now);
* Fixed test case "testSetupInstallRoot" for not default python version (also
using direct call, out of virtualenv);
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/apache-modsecurity.conf`
- Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
replaced for safer match, unneeded catch-all anchoring removed, non-capturing
* `filter.d/asterisk.conf`
- Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/dovecot.conf`
- Fixed failregex ignores failures through some not relevant info (gh-1623)
* `filter.d/ignorecommands/apache-fakegooglebot`
- Fixed error within apache-fakegooglebot, that will be called
with wrong python version (gh-1506)
* `filter.d/assp.conf`
- Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf`
- Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf`
- Optional reason part in message after FAIL LOGIN (gh-1543)
* `filter.d/sendmail-reject.conf`
- removed mandatory double space (if dns-host available, gh-1579)
* filter.d/sshd.conf
- recognized "Failed publickey for" (gh-1477);
- optimized failregex to match all of "Failed any-method for ... from " (gh-1479)
- eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
- optional port part after host (see gh-1533, gh-1581)
### New Features
* New Actions:
- `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
* New Filters:
- `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
(gh-1586, gh-1606 and gh-1607)
### Enhancements
* DateTemplate regexp extended with the word-end boundary, additionally to
word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to
python executable, where fail2ban currently installed (resp. its modules are located):
- allows to use the same version, fail2ban currently running, e.g. in
external scripts just via replace python with fail2ban-python:
```diff
-#!/usr/bin/env python
+#!/usr/bin/env fail2ban-python
```
- always the same pickle protocol
- the same (and also guaranteed available) fail2ban modules
- simplified stand-alone install, resp. stand-alone installation possibility
via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
examples:
- `backend = systemd[journalpath=/run/log/journal/machine-1]`
- `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
- `backend = systemd[journalflags=2]`
- rebase fail2ban-opensuse-locations.patch, fail2ban-opensuse-service.patch
- Update to version 0.9.5
New Features
* New Actions: action.d/firewallcmd-rich-rules and
action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367)
* New filter: slapd - ban hosts, that were failed to connect with invalid
credentials: error code 49 (gh#fail2ban/fail2ban#1478)
Enhancements
* Extreme speedup of all sqlite database operations
(gh#fail2ban/fail2ban#1436), by using of following sqlite options:
- (synchronous = OFF) write data through OS without syncing
- (journal_mode = MEMORY) use memory for the transaction logging
- (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362)
* Added additional regex filter for dovecot ldap authentication
failures (gh#fail2ban/fail2ban#1370)
* filter.d/exim*conf
- Added additional regexes (gh#fail2ban/fail2ban#1371)
- Made port entry optional
Fixes
* filter.d/monit.conf
- Extended failregex with new monit "access denied" version
(gh#fail2ban/fail2ban#1355)
- failregex of previous monit version merged as single expression
* filter.d/postfix.conf, filter.d/postfix-sasl.conf
- Extended failregex daemon part, matching also postfix/smtps/smtpd now
(gh#fail2ban/fail2ban#1391)
* Fixed a grave bug within tags substitutions because of incorrect detection
of recursion in case of multiple inline substitutions of the same tag
(affected actions: bsd-ipfw, etc). Now tracks the actual list of the
already substituted tags (per tag instead of single list)
* filter.d/common.conf
- Unexpected extra regex-space in generic __prefix_line
(gh#fail2ban/fail2ban#1405)
- All optional spaces normalized in common.conf, test covered now
- Generic __prefix_line extended with optional brackets for the date ambit
(gh#fail2ban/fail2ban#1421), added new parameter __date_ambit
* gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon,
not argument of fail2ban (see gh#fail2ban/fail2ban#1434)
* filter.d/asterisk.conf
- Fixed security log support for PJSIP and Asterisk 13+
(gh#fail2ban/fail2ban#1456)
- Improved log support for PJSIP and Asterisk 13+ with different callID
(gh#fail2ban/fail2ban#1458)
- Mark /etc/fail2ban/fail2ban.conf as noreplace.
- Removed patch: fail2ban-exclude-dev-log-tests.patch
- Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
- rebased other patches
- Defined services which per default uses systemd logger
- Provide /usr/sbin/rcfail2ban also on systemd based distros
- All files in /etc/fail2ban/ except jail.local are now automatically replaced
upon installation of fail2ban
- The update to this versions allow to close boo#917818, as the logger-backends for
several services are now centrally set in /etc/fail2ban/paths-opensuse.conf
- Update to version 0.9.4
New Features:
* New interpolation feature for definition config readers - ``
(means last known init definition of filters or actions with name `parameter`).
This interpolation makes possible to extend a parameters of stock filter or
action directly in jail inside jail.local file, without creating a separately
filter.d/*.local file.
As extension to interpolation `%(known/parameter)s`, that does not works for
filter and action init parameters
* New actions:
- nftables-multiport and nftables-allports - filtering using nftables
framework. Note: it requires a pre-existing chain for the filtering rule.
* New filters:
- openhab - domotic software authentication failure with the
rest api and web interface (gh-1223)
- nginx-limit-req - ban hosts, that were failed through nginx by limit
request processing rate (ngx_http_limit_req_module)
- murmur - ban hosts that repeatedly attempt to connect to
murmur/mumble-server with an invalid server password or certificate.
- haproxy-http-auth - filter to match failed HTTP Authentications against a
HAProxy server
* New jails:
- murmur - bans TCP and UDP from the bad host on the default murmur port.
* sshd filter got new failregex to match "maximum authentication
attempts exceeded" (introduced in openssh 6.8)
* Added filter for Mac OS screen sharing (VNC) daemon
Enhancements:
* Do not rotate empty log files
* Added new date pattern with year after day (e.g.
http://bugs.debian.org/798923
* Added openSUSE path configuration (Thanks Johannes Weberhofer)
* Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
* Added a timeout (3 sec) to urlopen within badips.py action
(Thanks M. Maraun)
* Added check against atacker's Googlebot PTR fake records
(Thanks Pablo Rodriguez Fernandez)
* Enhance filter against atacker's Googlebot PTR fake records
(gh-1226)
* Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
* Added filter for openhab domotic software authentication failure with the
rest api and web interface (gh-1223)
* Add *_backend options for services to allow distros to set the default
backend per service, set default to systemd for Fedora as appropriate
* Performance improvements while monitoring large number of files (gh-1265).
Use associative array (dict) for monitored log files to speed up lookup
operations. Thanks @kshetragia
* Specified that fail2ban is PartOf iptables.service firewalld.service in
.service file -- would reload fail2ban if those services are restarted
* Provides new default `fail2ban_version` and interpolation variable
`fail2ban_agent` in jail.conf
* Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
and to support multiple instances of postfix having varying suffix (gh-1331)
(Thanks Tom Hendrikx)
* files/gentoo-initd to use start-stop-daemon to robustify restarting the service
Fixes:
* roundcube-auth jail typo for logpath
* Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
* filter.d/apache-badbots.conf
- Updated useragent string regex adding escape for `+`
* filter.d/mysqld-auth.conf
gg - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
* filter.d/sshd.conf
- Updated "Auth fail" regex for OpenSSH 5.9 and later
* Treat failed and killed execution of commands identically (only
different log messages), which addresses different behavior on different
exit codes of dash and bash (gh-1155)
* Fix jail.conf.5 man's section (gh-1226)
* Fixed default banaction for allports jails like pam-generic, recidive, etc
with new default variable `banaction_allports` (gh-1216)
* Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
for python version < 3.x (gh-1248)
* Use postfix_log logpath for postfix-rbl jail
* filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
* use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
* Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
* Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
* Removed compression and rotation count from logrotate (inherit them from
the global logrotate config)
- Require python-systemd for openSUSE 12.3+
- Cleaned up the spec file
- Added /run/fail2ban for openSUSE 13.2+
- Don't fail on test-errors
- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
to fix the former failing test and removed
fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
- Do not longer create test-package. Developers should not use the packaged
version of fail2ban.
- patches are no longer included conditionally
- fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch excludes the
ExecuteTimeoutWithNastyChildren test, as it doesn't run correctly on
openSUSE.
- fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for
older releases.
- Update to version 0.9.3
- IMPORTANT incompatible changes:
* filter.d/roundcube-auth.conf
- Changed logpath to 'errors' log (was 'userlogins')
* action.d/iptables-common.conf
- All calls to iptables command now use -w switch introduced in
iptables 1.4.20 (some distribution could have patched their
earlier base version as well) to provide this locking mechanism
useful under heavy load to avoid contesting on iptables calls.
If you need to disable, define 'action.d/iptables-common.local'
with empty value for 'lockingopt' in `[Init]` section.
* mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
actions now include by default only the first 1000 log lines in
the emails. Adjust to augment the behavior.
- Fixes:
* reload in interactive mode appends all the jails twice (gh-825)
* reload server/jail failed if database used (but was not changed) and
some jail active (gh-1072)
* filter.d/dovecot.conf - also match unknown user in passwd-file.
Thanks Anton Shestakov
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
* filter.d/asterisk.conf - fix security log support for Asterisk 12+
* filter.d/roundcube-auth.conf
- Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
- Added regex to work with 'userlogins' log
* action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
locale on systems with customized LC_ALL
* performance fix: minimizes connection overhead, close socket only at
communication end (gh-1099)
* unbanip always deletes ip from database (independent of bantime, also if
currently not banned or persistent)
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
* always set 'dbfile' before other database options (gh-1050)
* kill the entire process group of the child process upon timeout (gh-1129).
Otherwise could lead to resource exhaustion due to hanging whois
processes.
* resolve /var/run/fail2ban path in setup.py to help installation
on platforms with /var/run -> /run symlink (gh-1142)
- New Features:
* RETURN iptables target is now a variable:
* New type of operation: pass2allow, use fail2ban for "knocking",
opening a closed port by swapping blocktype and returntype
* New filters:
- froxlor-auth - Thanks Joern Muehlencord
- apache-pass - filter Apache access log for successful authentication
* New actions:
- shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
manual pre-configuration of the shorewall. See the action file for detail.
* New jails:
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
- Enhancements:
* action.d/cloudflare.conf - improved documentation on how to allow
multiple CF accounts, and jail.conf got new compound action
definition action_cf_mwl to submit cloudflare report.
* Check access to socket for more detailed logging on error (gh-595)
* fail2ban-testcases man page
* filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
HEAD method verb
* Revamp of Travis and coverage automated testing
* Added a space between IP address and the following colon
in notification emails for easier text selection
* Character detection heuristics for whois output via optional setting
in mail-whois*.conf. Thanks Thomas Mayer.
Not enabled by default, if _whois_command is set to be
%(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
it
- detects character set of whois output (which is undefined by
RFC 3912) via heuristics of the file command
- converts whois data to UTF-8 character set with iconv
- sends the whois output in UTF-8 character set to mail program
- avoids that heirloom mailx creates binary attachment for input with
unknown character set
- Note: fail2ban-issue_906-strptime.patch has been removed as it is already
integrated in the current version.
- Removed "backend" setting from paths-opensuse.conf
- Update to version 0.9.2 (requested in boo#917818)
Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog
Here are some notes to be read when updating existing installations:
The default log-backend for openssue 13.2+ is now systemd
* jail.conf was heavily refactored and now is similar to how it looked on
Debian systems:
- default action could be configured once for all jails
- jails definitions only provide customizations (port, logpath)
- no need to specify 'filter' if name matches jail name
* Added fail2ban persistent database
- default location at /var/lib/fail2ban/fail2ban.sqlite3
- allows active bans to be reinstated on restart
- log files read from last position after restart
* Added systemd journal backend
- Dependency on python-systemd
- New "journalmatch" option added to filter configs files
- New "systemd-journal" option added to fail2ban-regex
* Support %z (Timezone offset) and %f (sub-seconds) support for datedetector.
Enhanced existing date/time have been updated patterns to support these.
ISO8601 now defaults to localtime unless specified otherwise. Some filters
have been change as required to capture these elements in the right
timezone correctly.
* Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
* Optionally can read log files starting from "head" or "tail". See "logpath"
option in jail.conf(5) man page.
* Can now set log encoding for files per jail.Default uses systemd locale.
* iptables-common.conf replaced iptables-blocktype.conf
(iptables-blocktype.local should still be read) and now also provides
defaults for the chain, port, protocol and name tags
- Require whois
- Whereever possible, path-definitions have been moved paths-opensuse.conf
which has been submittet upstream
- Use default fail2ban.service including fail2ban-opensuse-service.patch
- Use default suse-initd from upstream
- Run test-cases during build
- run fdupes
- Tests have been moved to a seperate page
- Added rpmlintrc file to ignore some hidden files in the test package
- Must build arch-depended packages for SLES 11
- Removed two tests which can't run on the build server with openSUSE
before 13.3: fail2ban-exclude-dev-log-tests.patch
- Add missing dependency on ed (boo#926943)
- Fixed strptime thread safety issue.
fail2ban-issue_906-strptime.patch (bnc#914075 gh#fail2ban/fail2ban#906)
- Added syslog to requirements, as this version of fail2ban does not
work with systemd-logging: bnc#905733
- Recommend installation of the ordering package when all
constituing parts are installed
- Fixed check for %_unitdir to make fail2ban build under older systems, too.
- Changed /usr to %{_prefix} in the spec file
- update to 0.8.14
* minor fixes for claimed Python 2.4 and 2.5 compatibility
* Handle case when inotify watch is auto deleted on file deletion to stop
error messages
* tests - fixed few "leaky" file descriptors when files were not closed while
being removed physically
* grep in mail*-whois-lines.conf now also matches end of line to work with
the recidive filter
- add fail2ban-opensuse-locations.patch to fix default locations as suggested
in bnc#878028
- update to 0.8.13:
+ Fixes:
- action firewallcmd-ipset had non-working actioncheck. Removed.
redhat bug #1046816.
- filter pureftpd - added _daemon which got removed. Added
+ New Features:
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
- filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
+ Enhancements:
- filter asterisk now supports syslog format
- filter pureftpd - added all translations of "Authentication failed for
user"
- filter dovecot - lip= was optional and extended TLS errors can occur.
Thanks Noel Butler.
- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed
upstream
- split out nagios-plugins-fail2ban package
- Add a new subpackage to install systemd drop-ins that couple
SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf,
f2b-restart.conf.
Security note: The update to version 0.8.11 has fixed two additional security
issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
be blocked by Fail2ban causing legitimate users to be blocked from accessing
services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
(postfix)
- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
newer versions of openSUSE
- Reviewed and fixed github references in the changelog
- Use new flushlogs syntax after logrotate
- Update to version 0.8.12
* Log rotation can now occur with the command "flushlogs" rather than
reloading fail2ban or keeping the logtarget settings consistent in
jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
* Added ignorecommand option for allowing dynamic determination as to ignore
and IP or not.
* Remove indentation of name and loglevel while logging to SYSLOG to resolve
syslog(-ng) parsing problems. (dep#730202). Log lines now also
report "[PID]" after the name portion too.
* Epoch dates can now be enclosed within []
* New actions: badips, firewallcmd-ipset, ufw, blocklist_de
* New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
ejabberd, openwebmail, groupoffice
* Filter improvements:
- apache-noscript now includes php cgi scripts
- exim-spam filter to match spamassassin log entry for option SAdevnull.
- Added to sshd filter expression for
"Received disconnect from : 3: Auth fail"
- Improved ACL-handling for Asterisk
- Added improper command pipelining to postfix filter.
* General fixes:
- Added lots of jail.conf entries for missing filters that creaped in
over the last year.
- synchat changed to use push method which verifies whether all data was
send. This ensures that all data is sent before closing the connection.
- Fixed python 2.4 compatibility (as sub-second in date patterns weren't
2.4 compatible)
- Complain/email actions fixed to only include relevant IPs to reporting
* Filter fixes:
- Added HTTP referrer bit of the apache access log to the apache filters.
- Apache 2.4 perfork regexes fixed
- Kernel syslog expression can have leading spaces
- allow for ",milliseconds" in the custom date format of proftpd.log
- recidive jail to block all protocols
- smtps not a IANA standard so may be missing from /etc/services. Due to
(still) common use 465 has been used as the explicit port number
- Filter dovecot reordered session and TLS items in regex with wider scope
for session characters
* Ugly Fixes (Potentially incompatible changes):
- Unfortunately at the end of last release when the action
firewall-cmd-direct-new was added it was too long and had a broken action
check. The action was renamed to firewallcmd-new to fit within jail name
name length. (gh#fail2ban/fail2ban#395).
- Last release added mysqld-syslog-iptables as a jail configuration. This
jailname was too long and it has been renamed to mysqld-syslog.
- Fixed formating of github references in changelog
- reformatted spec-file
- Update to version 0.8.11
- In light of CVE-2013-2178 that triggered our last release we have put a
significant effort into tightening all of the regexs of our filters to avoid
another similar vulnerability. We haven't examined all of these for a potential
DoS scenario however it is possible that another DoS vulnerability exists that
is fixed by this release. A large number of filters have been updated to
include more failure regexs supporting previously unbanned failures and support
newer application versions too. We have test cases for most of these now
however if you have other examples that demonstrate that a filter is
insufficient we welcome your feedback. During the tightening of the regexs to
avoid DoS vulnerabilities there is the possibility that we have inadvertently,
despite our best intentions, incorrectly allowed a failure to continue.
- Added systemd service file and systemd-tmpfiles configuration
- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
by "bugs" in apache- filters. If you are relying on listed below apache-
filters, upgrade asap and seek your distributions to patch their fail2ban
distribution with [6ccd5781]. The bug's decription can be found in
https://vndh.net/note:fail2ban-089-denial-service
- Fixes
* [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
failregex at the beginning (and where applicable at the end).
Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710
* action.d/{route,shorewall}.conf - blocktype must be defined
within [Init]. Closes gh#fail2ban/fail2ban#232
- Enhancements
* jail.conf -- assure all jails have actions and remove unused
ports specifications
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
* files/suse-initd -- update to the copy from stock SUSE
* Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
gh#fail2ban/fail2ban#230.
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes
gh#fail2ban/fail2ban#244.
------------------------------------------------------------------
- Included logrotate configuration for fail2ban
- Init-Script does no longer require $syslog to be started as file-base logging
is the default. Synced with Debian script.
- Upgrade to version 0.8.9
- Fixes: Yaroslav Halchenko
* [6f4dad46] python-2.4 is the minimal version.
* [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the
bug report.
* [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
insight. Closes gh#fail2ban/fail2ban#103.
* [ab044b75] delay check for the existence of config directory until read.
* [3b4084d4] fixing up for handling of TAI64N timestamps.
* [154aa38e] do not shutdown logging until all jails stop.
* [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes
gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and
troubleshooting. Orion Poplawski
* [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
newly created directories.
Nicolas Collignon
* [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167.
Sergey Brester
* [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
sorting template list.
Steven Hiscocks
* [7a442f07] When changing log target with python2.{4,5} handle KeyError.
Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148.
* [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124.
Daniel Black
* [f0610c01] Allow more that a one word command when changing and Action via
the fail2ban-client. Closes gh#fail2ban/fail2ban#134.
* [945ad3d9] Fix dates on email actions to work in different locals. Closes
gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
blotus
* [96eb8986] ' and " should also be escaped in action tags Closes
gh#fail2ban/fail2ban#109
Christoph Theis, Nick Hilliard, Daniel Black
* [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
- New features:
Yaroslav Halchenko
* [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
to provide additional flexibility to system adminstrators. Thanks to
beilber for the idea. Closes gh#fail2ban/fail2ban#114.
* [3ce53e87] Add exim filter.
Erwan Ben Souiden
* [d7d5228] add nagios integration documentation and script to ensure
fail2ban is running. Closes gh#fail2ban/fail2ban#166.
Artur Penttinen
* [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152.
ArndRaphael Brandes
* [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117.
Michael Gebetsriother
* [f9b78ba] Add action route to block at routing level.
Teodor Micu & Yaroslav Halchenko
* [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
Daniel Black
* [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102.
Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
* [b6d0e8a] Add and enhance the bsd-ipfw action from
FreeBSD ports.
Soulard Morgan
* [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99.
Steven Hiscocks
* [..746c7d9] bash interactive shell completions for fail2ban-*'s
Nick Hilliard
* [0c5a9c5] Add pf action.
- Enhancements:
Enrico Labedzki
* [24a8d07] Added new date format for ASSP SMTP Proxy.
Steven Hiscocks
* [3d6791f] Ensure restart of Actions after a check fails occurs
consistently. Closes gh#fail2ban/fail2ban#172.
* [MANY] Improvements to test cases, travis, and code coverage (coveralls).
* [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124.
* [ce3ab34] Added ability to specify PID file.
Orion Poplawski
* [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
Closes gh#fail2ban/fail2ban#142.
Yaroslav Halchenko
* [MANY] Lots of improvements to log messages, man pages and test cases.
* [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger.
* [40c5a2d] adding more of diagnostic messages into -client while starting
the daemon.
* [8e63d4c] Compare against None with 'is' instead of '=='.
* [6fef85f] Strip CR and LF while analyzing the log line
Daniel Black
* [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143.
* [MANY] man page edits.
* [7cd6dab] Added help command to fail2ban-client.
* [c8c7b0b,23bbc60] Better logging of log file read errors.
* [3665e6d] Added code coverage to development process.
* [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
source. Also include BSD changes.
* [1d9abd1] Action files can have tags in definition that refer to other
tags.
* [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
unreachable rather than just a drop of the packet.
Pascal Borreli
* [a2b29b4] Fixed lots of typos in config files and documentation.
hamilton5
* [7ede1e8] Update dovecot filter config.
Romain Riviere
* [0ac8746] Enhance named-refused filter for views.
James Stout
* [..2143cdf] Solaris support enhancements:
- README.Solaris
- failregex'es tune ups (sshd.conf)
- hostsdeny: do not rely on support of '-i' in sed
One of the important changes is escaping of the content -- so if you
crafted some custom action which uses it -- you must upgrade, or you
would be at a significant security risk.
- Fixes:
Alan Jenkins
* [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64
Yaroslav Halchenko
* [83109bc] IMPORTANT: escape the content of (if used in
custom action files) since its value could contain arbitrary
symbols. Thanks for discovery go to the NBS System security
team
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes.
Close gh#fail2ban/fail2ban#83
* [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
* [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
in the console. Close gh#fail2ban/fail2ban#91
- New features:
David Engeset
* [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
the log file to take 'banip' or 'unbanip' in effect.
Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
- Enhancements:
* [2d66f31] replaced uninformative "Invalid command" message with warning log
exception why command actually failed
* [958a1b0] improved failregex to "support" auth.backend = "htdigest"
* [9e7a3b7] until we make it proper module -- adjusted sys.path only if
system-wide run
* [f52ba99] downgraded "already banned" from WARN to INFO level.
Closes gh#fail2ban/fail2ban#79
* [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
for this gh#fail2ban/fail2ban#87)
* Various others: travis-ci integration, script to run tests
against all available Python versions, etc
- Fixed initscript as discussed in bnc#790557
- use Source URL pointing to github
- Do not longer replace main config-files
- Use variables for directories in spec file
- Added dependencies to python-pyinotifyi, python-gamin and iptables
- Upgraded to version 0.8.7.1
- Yaroslav Halchenko
* [e9762f3] Removed sneaked in comment on sys.path.insert
Tom Hendrikx & Jeremy Olexa
* [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
See http://forums.gentoo.org/viewtopic-t-899018.html
- Chris Reffett
* [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
rather than just one failure.
- Yaroslav Halchenko
* [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
* [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
* [ed16ecc] enforce "ip" field returned as str, not unicode so that log
message stays non-unicode. Close gh#fail2ban/fail2ban#32
* [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
already present in the pattern
* [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66)
* [80b191c] anchor grep regexp in actioncheck to not match partial names
of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
- New features:
- François Boulogne
* [a7cb20e..] add lighttpd-auth filter/jail
- Lee Clemens & Yaroslav Halchenko
* [e442503] pyinotify backend (default if backend='auto' and pyinotify
is available)
* [d73a71f,3989d24] usedns parameter for the jails to allow disabling
use of DNS
- Tom Hendrikx
* [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
repeated offenders. Close gh#fail2ban/fail2ban#19
- Xavier Devlamynck
* [7d465f9..] Add asterisk support
- Zbigniew Jedrzejewski-Szmek
* [de502cf..] allow running fail2ban as non-root user (disabled by
default) via xt_recent. See doc/run-rootless.txt
- Enhancements
- Lee Clemens
* [47c03a2] files/nagios - spelling/grammar fixes
* [b083038] updated Free Software Foundation's address
* [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
* [642d9af,3282f86] reformated printing of jail's name to be consistent
with init's info messages
* [3282f86] uniform use of capitalized Jail in the messages
- Leonardo Chiquitto
* [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
to reflect code
* [a7d47e8] Update Free Software Foundation's address
- Petr Voralek
* [4007751] catch failed ssh logins due to being listed in DenyUsers.
Close gh#fail2ban/fail2ban#47 (Closes: #669063)
- Yaroslav Halchenko
* [MANY] extended and robustified unittests: test different backends
* [d9248a6] refactored Filter's to avoid duplicate functionality
* [7821174] direct users to issues on github
* [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
default with -v to control verbosity
* [b4099da] adjusted header for config/*.conf to mention .local and way
to comment (Thanks Stefano Forli for the note)
* [6ad55f6] added failregex for wu-ftpd to match against syslog instead
of DoS-prone auth.log's rhost (Closes: #514239)
* [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
sshd filter (Closes: #648020)
- Yehuda Katz & Yaroslav Halchenko
* [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
- Adding to fail2ban.init remove of pid and sock files on stop
in case not removed before (prevents start fail)
- Update to version 0.8.6. containing various fixes and enhancements
- Update to version 0.8.5: many bug fixes, enhancements and, as
a bonus, drop two patches that are now upstream
- Update FSF address to silent rpmlint warnings
- Drop stale socket files on startup (bnc#537239, bnc#730044)
- Apply packaging guidelines (remove redundant/obsolete
tags/sections from specfile, etc.)
- Use /var/run/fail2ban instead of /tmp for temp files in
actions: see bugs.debian.org/544232, bnc#690853,
CVE-2009-5023
- Use $FAIL2BAN_OPTIONS when starting (bnc#662495)
- Clean up sysconfig file
- Use O_CLOEXEC on fds (patch from Fedora)
- Create /var/run/fail2ban during startup to support systems that
mount /var/run as tmpfs
- Build package as noarch
- Spec file cleanup: fix a couple of rpmlint warnings
- Init script: look for fail2ban-server when checking if the
daemon is running
- Update to version 0.8.4. Important changes:
* New "Ban IP" command
* New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve
* Fixed the 'unexpected communication error' problem
* Remove socket file on startup if fail2ban crashed (bnc#537239)
- Initial version: 0.8.3
factory-auto added repo-checker as a reviewer
Please review build success
factory-auto accepted review
Check script succeeded
origin-manager added leap-reviewers as a reviewer
Changing to a lower priority origin.
origin: openSUSE:Factory
origin_old: openSUSE:Leap:15.0:Update
origin-manager accepted review
origin: openSUSE:Factory
origin_old: openSUSE:Leap:15.0:Update
repo-checker accepted review
ok
staging-bot added as a reviewer
Being evaluated by staging project "openSUSE:Leap:15.1:Staging:adi:6"
staging-bot accepted review
Picked openSUSE:Leap:15.1:Staging:adi:6
lnussel accepted review
lnussel_factory accepted review
ready to accept
lnussel_factory approved review
ready to accept
lnussel_factory accepted request
Accept to openSUSE:Leap:15.1
