vcswatch reports that
this package seems to have a new changelog entry (version
0.10.2-3, distribution
UNRELEASED) and new commits
in its VCS. You should consider whether it's time to make
an upload.
Here are the relevant commit messages:
commit a602a61cba34749e0b7c7c23ae3ccb94ce700ea8
Merge: 99296679 c819a18a
Author: sebres <info@sebres.de>
Date: Mon Feb 11 23:28:50 2019 +0100
Merge branch '0.10' into debian
commit c819a18a0a0fa4eafcaadd6edcdcab8732b930c6
Author: Sergey G. Brester <serg.brester@sebres.de>
Date: Mon Feb 11 19:15:11 2019 +0100
Update ChangeLog
commit e651bc7866f7c0cc32db1fe01d7c93abebd303c5
Author: sebres <serg.brester@sebres.de>
Date: Mon Feb 11 11:54:58 2019 +0100
amend to #1622: jail-reader supports now multi-line option for multi-line action parameter:
logpath = a.log
b.log
c.log
action = ban[...]
= log[logpath="%(logpath)s"]
closes gh-2341, ultimate fix for gh-976
commit 99296679d665f93d27a3c20695609c61671430fe
Merge: ba9643de 89c61106
Author: sebres <serg.brester@sebres.de>
Date: Mon Feb 11 10:03:31 2019 +0100
Merge branch '0.10' into wc/debian
commit 89c611064db13caf485c13e6464fff52bb8f8056
Author: sebres <serg.brester@sebres.de>
Date: Mon Jan 14 19:00:42 2019 +0100
test-cases: be sure the test-files always written with new-line at end
commit 4108e04ab404cc9b2965669d0c9cab0909ecc018
Author: Sergey G. Brester <github@sebres.de>
Date: Mon Jan 7 01:50:44 2019 +0100
Update ChangeLog
commit a13fdcf4f7ae0f1660ad047dddda3b92e25dcae2
Author: sebres <info@sebres.de>
Date: Mon Jan 7 01:34:12 2019 +0100
closes gh-2314: extended regex for mysql 8.0.13 if used logging with details (e. g. log-error-verbosity = 3, so log output has few additional words enclosed in brackets after "[Note]").
commit 67247999ff9aeb38ef376f53faffcc4c74a0919f
Author: Sergey G. Brester <github@sebres.de>
Date: Sun Jan 6 17:03:09 2019 +0100
closes #2313: missing dependency to nftables.service
commit c9ba695ba349db84fd4302e0c089e0d9a4423d3b
Author: sebres <info@sebres.de>
Date: Fri Dec 28 00:04:15 2018 +0100
minor, no cover for 3.x (2.6 only)
commit 4a4780be0456ec958c93833f9c2beb02dd08e5e2
Author: sebres <info@sebres.de>
Date: Thu Dec 27 18:10:09 2018 +0100
test-cases: prevent sporadic timing errors (unban if ban still not occurred)
commit 0298c8a31e666e789583f350f27e718724a3591b
Author: sebres <info@sebres.de>
Date: Thu Dec 27 18:07:23 2018 +0100
closes gh-2277: fixed cache-object clean-up process (if max-size reached) used multi-threaded (del can throw KeyError if get/unset changes the list);
additionally OrderedDict is used now for cache (if available, so >= 2.7) - avoids (slow) search of expired items in full cache and always prefers older objects to remove (like FIFO).
commit df9b352baca7b492f73581899a2a82637f5c15b7
Author: Alexander Koeppe <format_c@online.de>
Date: Tue Dec 18 20:21:36 2018 +0100
Update information reg. ipdns.py as successor for dnsutils.py
commit c1ccabc1f922506a8f01fbe9551762e15f965068
Merge: 555b29e8 9b96a7de
Author: sebres <serg.brester@sebres.de>
Date: Tue Dec 11 15:43:25 2018 +0100
fixed read of included config-files (`.local` overwrites options of `.conf` for config-files included with before/after)
commit 9b96a7de89e1d3c75b2057627ce58b394101797d
Author: sebres <serg.brester@sebres.de>
Date: Tue Dec 11 15:39:43 2018 +0100
fix of SafeConfigParserWithIncludes
commit 0245777c845315d2cc3e716d897059091ee91b22
Author: sebres <serg.brester@sebres.de>
Date: Tue Dec 11 14:48:48 2018 +0100
SafeConfigParserWithIncludes: fixed read of included config-files (expands with localized version, so `inc.local` overwrites options of `inc.conf` for config-files included with before/after);
added new test to cover this case.
commit 555b29e8e6fa10b72ec37b181b87ac4d63cf0d55
Merge: c40e4c7b 189c3f96
Author: sebres <serg.brester@sebres.de>
Date: Wed Nov 21 13:05:42 2018 +0100
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
commit c40e4c7bad39d40bd99e3c2d14f88d78a54700e5
Merge: 657b147c 0ac5c894
Author: Sergey G. Brester <github@sebres.de>
Date: Wed Nov 21 11:50:32 2018 +0100
Merge pull request #2279 from sebres/sshd-filter-gh-2239
sshd filter enhancements (gh-2239)
commit 0ac5c8941c5ddab69bd7b251c70d714d5eafe3be
Author: Sergey G. Brester <github@sebres.de>
Date: Tue Nov 20 12:39:38 2018 +0100
Update ChangeLog
commit 1c1d2cc435d6e8f1eb4a1b60c935a1385a82e295
Author: sebres <serg.brester@sebres.de>
Date: Mon Nov 19 21:19:57 2018 +0100
introduces new failregex-flag tag `<F-MLFGAINED>` signaled that the access to service was gained (ATM used similar to <F-NOFAIL>, but does not added to matches);
filter.d/sshd.conf: extended with new rules:
- Disconnecting ...: Change of username or service not allowed
- Disconnected from ... [preauth] (extra/aggressive mode only)
commit 189c3f964bbb776891e597a76fe7cc698cafa1c5
Merge: 43db4411 0df221b5
Author: Sergey G. Brester <github@sebres.de>
Date: Thu Nov 15 21:47:33 2018 +0100
Merge pull request #2276 from dienteperro/patch-1
"be" instead of "me" in shorewall.conf
commit 0df221b54b170ac6fbd204c0e6cf1c7b80f54e67
Author: dienteperro <dienteperro1207@yahoo.com>
Date: Thu Nov 15 14:34:51 2018 -0500
"be" instead of "me" in shorewall.conf
commit 657b147c0d7830f3600f3dc7feaa4815a7e19fde
Author: sebres <serg.brester@sebres.de>
Date: Wed Oct 10 12:25:53 2018 +0200
fixed dependency issue if setup invoked using python 3.x: invocation of 2to3 takes place after setup (and __init__.py) loaded;
closes gh-2255.
commit e99635650af10da80eca55872d69b38a5badeb91
Author: sebres <serg.brester@sebres.de>
Date: Tue Oct 9 18:24:50 2018 +0200
dnsToIp and other DNSUtils primitives uses sets instead of lists now (speed-up search of ip, e. g. ignoreself/ignoreip check process)
commit 0ae02ba2a1d7ab842278a8bb8d5f5481c8d04bf5
Author: sebres <serg.brester@sebres.de>
Date: Thu Oct 4 11:57:56 2018 +0200
version bump (back to dev-version)
commit ba9643de45a52becb1fcc3d4690d5c756070bebb
Merge: f5303485 d7070f31
Author: Sergey G. Brester <github@sebres.de>
Date: Fri Sep 14 07:49:05 2018 +0200
Merge pull request #2221 from jelmer/vcs-field-uses-insecure-uri
Use secure URI in Vcs control header.
commit d7070f31ed5a228e4742d09a04217302bac32aba
Author: Jelmer Vernooij <jelmer@jelmer.uk>
Date: Fri Sep 14 01:06:16 2018 +0100
Use secure URI in Vcs control header.
Fixes lintian: vcs-field-uses-insecure-uri
See https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html for more details.
commit f530348562b8755d452b0636bf2cfcee74b06acf
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed Apr 4 01:12:18 2018 -0400
minor typo fix, thanks lintian
commit 2c4e7772164fcde77e3b12c69282bd821b4bf43c
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed Apr 4 01:06:14 2018 -0400
BF: B-Depend on python3-setuptools and dh-python, Fixed up hardcoded path to the .build-ed package for testing
Will require tune ups for backports later on
commit 450b890fb1194027b7852bfe8d7678eead9482d9
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed Apr 4 00:49:28 2018 -0400
BF: remove all non-existing services from PartOf of fail2ban.service.
Should resolve inability to restart firewalld (its .service is
left in PartOf) upon upgrades.
commit 75a11a4a92c3b57740a76022705b6b1386604497
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sat Mar 10 08:34:41 2018 -0500
make nftables alternative recommend to iptables
commit b67dc5e908c426434ac48b4f6dcc08053ec927bc
Author: Arturo Borrero Gonzalez <arturo@debian.org>
Date: Fri Mar 9 13:00:03 2018 +0100
d/control: add nftables references
The nftables framework replaces iptables. The fail2ban software already
includes support for nftables, so reflect that in the packaging.
Also, no need to `Recommends: iptables`, since is installed by default in every
Debian system. Instead, do `Recommends: nftables`.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
commit 400b260a32acbf46ed94e2a0076463ec4b9483bb
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Mar 9 09:48:26 2018 -0500
A note on incorrect changelog record
commit b9facb80d25e4e7d7bdc46ab36426f23042237a7
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Jan 22 10:38:48 2018 -0500
debian/README.Debian - Instructions on how to establish correct startup/shutdown sequence in systemd for shorewall (Closes: #847728)
final recipe
commit 071023526fce040ec58570212529ca83825c7360
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Jan 22 10:04:52 2018 -0500
updated the patch for elderly systems to use python2
commit 11911c0ccd751b08a4dc5ed6bd5c62a8dbeaf4ce
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Jan 22 10:00:13 2018 -0500
information about new "mode" setting and new filters/actions into changelog
commit 1c283f12f7ec990e5977b70a11769ced1f48c780
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 23:31:17 2018 -0500
debian/control - sqlite3 is now needed for some tests, thus added to build-depends and suggests
commit 0f24d53730242342938aeb53f9ffb9f0e5bb9468
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 22:45:32 2018 -0500
Boost policy to 4.1.3, obey lintian and demand recent debhelper (or dh-systemd), VCS fields to provide a branch
commit 2cccd24ce639e0081bab0e2c8fa42c1ce4792d5d
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 22:35:12 2018 -0500
NEWS entry
commit f5134ae47917a32268bc61c1d4da23ace6770a8d
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 22:21:03 2018 -0500
changlog tune up
commit c7986a108902b199bbdfabe0069cae5b76b6c900
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 22:10:00 2018 -0500
Fixed up paths to systemd file and create monit/monitorc.d
commit 2bc71e9f4b89cf317d85a65a544ca6214479efde
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 22:03:27 2018 -0500
One more patch to please fakeroot
commit 404dbc98d3817968c96401803c757e217e9da6a4
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 21:49:14 2018 -0500
One more relative path in test configs + tests from upstream PR
commit b2688c6c11016feae3ec5b33ed6a18981c0f5cf5
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 19:27:05 2018 -0500
verbose debian build and verbose tests
commit 1aa4522cd35ea26738771f205ec849d75f93655b
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Jan 21 00:27:00 2018 -0500
refreshed the patch
commit 70f2b5c5505fa06b2bb97897fee41c494a10c6af
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sat Jan 20 22:11:15 2018 -0500
initial changelog for 0.10.2-1
commit e9c1b5d6faf7b0810a470746c65da899ad49e0f9
Merge: f3b3a416 a4548846
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sat Jan 20 21:59:34 2018 -0500
Merge tag '0.10.2' into debian
* tag '0.10.2': (623 commits)
prepare release: bump version, update ChangeLog, man's and MANIFEST etc.
ChangeLog update
action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now).
regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name
nginx-http-auth: match usernames with spaces
regex updated using non-capturing groups
extended test-cases to cover new log-format (http_auth -> mod_auth)
Update lighttpd-auth.conf
file-filter's: provide stop function in order to explicitly delete/stop monitoring of each file.
Remove annoying error-message "rm_watch: cannot remove WD=2, Errno=Invalid argument (EINVAL)", logged from pyinotify-module if rm_watch called with non-existing watch file descriptor (probably multi-threaded issue by dual-remove). Closes gh-1865
should fix sporadic coverage decrease (don't cover "return", because too sporadic to get idle in pyinotify-callback);
fixed restoring sane environment (via stop/start) if invariant check failed: bypass possible errors in stop (if start/check succeeded hereafter); test cases extended to cover such situation. Closes gh-1997
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
micro-fix: delete temporary file (forgotten in test-case `test_move_dir` by reassign to directory)
Update ChangeLog
stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby differentiate between "invalid user" (going banned earlier) and valid users with public keys, for which the rejects of not valid public keys (failures) will be retarded up to "Too many authentication failures" resp. disconnect without success (accepted public key).
filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
test cases extended in order to cover `firewallcmd-ipset` with `allports`
Update ChangeLog
firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
...
commit f3b3a41639e2a06f021a7c46b1708327451f17c6
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Oct 27 17:31:41 2017 -0400
changelog on the change of location
commit 67706bebb388c79ee65eca84c13e9c6192f08bf5
Merge: 8c218d56 c88f5e90
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Oct 27 17:30:04 2017 -0400
Merge commit 'github_szepeviktor_fail2ban/patch-9^' into debian
* commit 'github_szepeviktor_fail2ban/patch-9^':
Monit files are moved
commit c88f5e9038136cca4db1c433de5d2300788fd3e7
Author: Viktor Szépe <viktor@szepe.net>
Date: Thu Aug 10 15:18:49 2017 +0200
Monit files are moved
/etc/monitrc.d -> /etc/monit/conf-available
http://anonscm.debian.org/cgit/collab-maint/monit.git/commit/?id=0bcc9189cb4f43863f08b2423cc54097a3e124ef
Was #896
commit 8c218d566b660fd8f2e0307f75f9737145cc87bb
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu Aug 3 22:50:58 2017 -0400
changelog to upload to unstable
commit abb2feafe7e186833221e27fe2ddeb87d7080ef0
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed May 10 23:27:49 2017 -0400
added patch to fix rel symlink for tests to be ran out of source
commit 1561d5fb14cf0a180933df45cb128be6a8c38bac
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed May 10 22:11:27 2017 -0400
changelog and dropping absorbed patch
commit 96323b1da016cfbfd4cd6b865b6d7f3e6044434a
Merge: 7e0e9cda 35280044
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed May 10 21:39:51 2017 -0400
Merge tag '0.9.7' into debian
ver. 0.9.7 (2017/05/11) - awaiting-victory
-----------
0.9.x line is no longer heavily developed. If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.
* Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
* filter.d/sshd.conf
- Fixed non-anchored part of failregex (misleading match of colon inside
IPv6 address instead of `: ` in the reason-part by missing space, gh-1658)
(0.10th resp. IPv6 relevant only, amend for gh-1479)
* config/pathes-freebsd.conf
- Fixed filenames for apache and nginx log files (gh-1667)
* filter.d/exim.conf
- optional part `(...)` after host-name before `[IP]` (gh-1751)
- new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
- match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh-1766)
* filter.d/sshd.conf
- new aggressive rules (gh-864):
- Connection reset by peer (multi-line rule during authorization process)
- No supported authentication methods available
- single line and multi-line expression optimized, added optional prefixes
and suffix (logged from several ssh versions), according to gh-1206;
- fixed expression received disconnect auth fail (optional space after port
part, gh-1652)
and suffix (logged from several ssh versions), according to gh-1206;
* filter.d/suhosin.conf
- greedy catch-all before `<HOST>` fixed (potential vulnerability)
* filter.d/cyrus-imap.conf
- accept entries without login-info resp. hostname before IP address (gh-1707)
* Filter tests extended with check of all config-regexp, that contains greedy catch-all
before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`
* New Actions:
- action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)
* New Filters:
- filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)
* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
* tag '0.9.7': (33 commits)
Preparing for 0.9.7 release
Added newly added files to MANIFEST
update ChangeLog
filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
try to fix travis integration of pypy3: setuptools recently dropped support for Python 3.0 - 3.2, but old pypy3 based on Python 3.2.5
filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
Update ChangeLog #1757
filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing
Update ChangeLog
amend resp. restore of change from 59c35bc44a175a672e084bc30511dfa3436ff052 (gh-129): - logging of "Log rotation detected" with new MSG level - introduces new log-level MSG (as INFO-2, 18)
Update mysqld-auth.conf
Update ChangeLog
filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
evil symlink removed: does not supported by some file systems (e. g. development over net share)
sshd-amend: optional space after port part
suhosin.conf: removed greedy match
sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652)
change log update after rebase
sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117)
...
commit 7e0e9cda50b1b513c1dc21a15fd5009355ea956b
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Apr 17 10:28:43 2017 -0400
changelog for the patch
commit 0f3217f352cad465a78bb3cddb0f664fcec19ddb
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Apr 17 10:24:30 2017 -0400
"cherry-pick" a639f0b083c213bde4ff3dcfbbb9fbcab0dd55f8 (BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing)
commit eec7c9bbca86edb4a4b66012738911afe9609cc8
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Dec 9 09:45:47 2016 -0500
remove generated symlink under bin/fail2ban-python
commit 6de7c2a127545ab1a1bab2ca52f77efbe2c1292e
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Dec 9 09:40:24 2016 -0500
changelog entry
commit 623bb39ca6feb048602e9f570d9d5a30fe4dedef
Merge: 8f42580c 36051559
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Dec 9 09:37:33 2016 -0500
Merge branch 'enh-rel0.9.6' into debian
* enh-rel0.9.6: (60 commits)
updated man pages
ENH: prep for 0.9.6 release (as of tomorrow)
BF: added missing entires into MANIFEST
Update ChangeLog
ChangeLog entry added + jail.conf review
code review, makes the test cases workable, added dev-notes
ChangeLog update
`filter.d/apache-modsecurity.conf` - fixed for newer version (one space, closes gh-1626) reviewed and optimized: - non-greedy catch-all replaced for safer match - unneeded catch-all anchoring removed - non-capturing groups
filter.d/dovecot.conf update: - fixes failregex, that ignores failures through some irrelevant info (closes #1623); - ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)` - review, IPv6 compatibility fix, non-capturing groups
Update jail.conf
Use Fedora's backend-settings for openSUSE
amend after code review of merge gh-1581
Make changes and add test file
Add Mongodb-auth filter and jail
Update FILTERS
filter.d/sshd.conf: Match 'Invalid user' with 'port \d*'
ChangeLog entry added
filter.d/sendmail-reject.conf: double space (should be by missing dns-host only) Closes #1578
Update Changelog to reflect the new np.conf action
Create npf.conf for the NPF packet filter
...
commit 8f42580c050fd2d229ba598afbb0c2e3718c0b3e
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Jul 15 09:00:29 2016 -0400
some typos and TODOs -- thanks lintian
commit 1a86683beaaea772c3e13776ebd76ee4ffe5b63c
Merge: 944c24f2 dca5ff44
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu Jul 14 22:25:40 2016 -0400
Merge tag '0.9.5' into debian
ver. 0.9.5 (2016/07/15) - old-not-obsolete
-----------
0.9.x line is no longer heavily developed. If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.
* `filter.d/monit.conf`
- Extended failregex with new monit "access denied" version (gh-1355)
- failregex of previous monit version merged as single expression
* `filter.d/postfix.conf`, `filter.d/postfix-sasl.conf`
- Extended failregex daemon part, matching also `postfix/smtps/smtpd`
now (gh-1391)
* Fixed a grave bug within tags substitutions because of incorrect
detection of recursion in case of multiple inline substitutions
of the same tag (affected actions: `bsd-ipfw`, etc). Now tracks
the actual list of the already substituted tags (per tag instead
of single list)
* `filter.d/common.conf`
- Unexpected extra regex-space in generic `__prefix_line` (gh-1405)
- All optional spaces normalized in `common.conf`, test covered now
- Generic `__prefix_line` extended with optional brackets for the
date ambit (gh-1421), added new parameter `__date_ambit`
* `gentoo-initd` fixed `--pidfile` bug: `--pidfile` is option of
`start-stop-daemon`, not argument of fail2ban (see gh-1434)
* `filter.d/asterisk.conf`
- Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
- Improved log support for PJSIP and Asterisk 13+ with different
callID (gh-1458)
* New Actions:
- `action.d/firewallcmd-rich-rules` and `action.d/firewallcmd-rich-logging`
(gh-1367)
* New filters:
- slapd - ban hosts, that were failed to connect with invalid
credentials: error code 49 (gh-1478)
* Extreme speedup of all sqlite database operations (gh-1436),
by using of following sqlite options:
- (synchronous = OFF) write data through OS without syncing
- (journal_mode = MEMORY) use memory for the transaction logging
- (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh-1362)
* Added additional regex filter for dovecot ldap authentication failures (gh-1370)
* `filter.d/exim*conf`
- Added additional regexes (gh-1371)
- Made port entry optional
* tag '0.9.5':
Added missing files to MANIFEST
BF: do not rely on long relative path to upstairs config - symlink common.conf
commit 944c24f2d162e9804317a59a6abb3d66811c500f
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu Jul 14 21:46:14 2016 -0400
debian/watch -- not using githubredir service any longer
commit 9a1960369cb2ab464842a0aa3e56e083d3287486
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu Jul 14 21:42:40 2016 -0400
CPed patch dropped now
commit 401173c2a6269c4f0fcfd52ffa5720af77babb3a
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu Jul 14 21:41:48 2016 -0400
changelog
commit bbbe592788237858b25587a5554462217f80ae1d
Merge: 27a3997f 5714ac20
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu Jul 14 21:36:59 2016 -0400
Merge tag '0.9.5' into debian
ver. 0.9.5 (2016/07/15) - old-not-obsolete
-----------
0.9.x line is no longer heavily developed. If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.
* `filter.d/monit.conf`
- Extended failregex with new monit "access denied" version (gh-1355)
- failregex of previous monit version merged as single expression
* `filter.d/postfix.conf`, `filter.d/postfix-sasl.conf`
- Extended failregex daemon part, matching also `postfix/smtps/smtpd`
now (gh-1391)
* Fixed a grave bug within tags substitutions because of incorrect
detection of recursion in case of multiple inline substitutions
of the same tag (affected actions: `bsd-ipfw`, etc). Now tracks
the actual list of the already substituted tags (per tag instead
of single list)
* `filter.d/common.conf`
- Unexpected extra regex-space in generic `__prefix_line` (gh-1405)
- All optional spaces normalized in `common.conf`, test covered now
- Generic `__prefix_line` extended with optional brackets for the
date ambit (gh-1421), added new parameter `__date_ambit`
* `gentoo-initd` fixed `--pidfile` bug: `--pidfile` is option of
`start-stop-daemon`, not argument of fail2ban (see gh-1434)
* `filter.d/asterisk.conf`
- Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
- Improved log support for PJSIP and Asterisk 13+ with different
callID (gh-1458)
* New Actions:
- `action.d/firewallcmd-rich-rules` and `action.d/firewallcmd-rich-logging`
(gh-1367)
* New filters:
- slapd - ban hosts, that were failed to connect with invalid
credentials: error code 49 (gh-1478)
* Extreme speedup of all sqlite database operations (gh-1436),
by using of following sqlite options:
- (synchronous = OFF) write data through OS without syncing
- (journal_mode = MEMORY) use memory for the transaction logging
- (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh-1362)
* Added additional regex filter for dovecot ldap authentication failures (gh-1370)
* `filter.d/exim*conf`
- Added additional regexes (gh-1371)
- Made port entry optional
* tag '0.9.5': (70 commits)
DOC: preparations for 0.9.5 release
Added missing files to MANIFEST
another variant of regex
add trailing anchor to failregex
DOC: Reformatted ChangeLog into legit Markdown (Closes #962)
DOC: tuned up ChangeLog entries for 0.9.5
add PR id to ChangeLog
improved failregex according to @sebres recomendations
Improved changes of gh-1458: `[^']*` after callid was wrong, changed to `[^\)]*`; regexp anchored at the end; almost the same regex grouped to one;
Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458) Change the asterisk pjsip filter to don't take the callId part Add optional part between "Request" and "from" Listed all log message from asterisk
* add `__prefix_line` to regex * fix time in log file
add info to log file
added sample log lines for slapd
adding openldap slapd filter
badip timeout option introduced, set to 30 seconds in our test cases (#1463)
DOC: changelog for recent exim filters tune up
Asterisk pjsip (#1456)
BF: finalize that sample log line for exim4
amend for new option of `usedns=raw` - forgotten validation fix inside setUseDns
RF: for consistency use (?:XXX)? instead of (?:|XXX)
...
commit 27a3997f190ea7fb78df79aaa698a5b00d1d9dc1
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Mar 7 22:46:45 2016 -0500
added a patch to use CONFIG_DIR variable which listens to envrion
commit c188acd8ef9fe30967078a1eb4c24dd603994d70
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Mar 7 21:55:17 2016 -0500
policy boost
commit a525a24cb161ef1f9383cf2ea3d7493a0f459e00
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Mar 7 21:55:02 2016 -0500
changelog entry
commit 45dce3cab0f86eb66bd6e7fcb46d1b0df5076836
Merge: d67f502f 0298ba2c
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Mar 7 21:50:47 2016 -0500
Merge tag '0.9.4' into debian
ver. 0.9.4 (2016/03/08) - for-you-ladies
-----------
- Fixes:
* roundcube-auth jail typo for logpath
* Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
* filter.d/apache-badbots.conf
- Updated useragent string regex adding escape for `+`
* filter.d/mysqld-auth.conf
- Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
* filter.d/sshd.conf
- Updated "Auth fail" regex for OpenSSH 5.9 and later
* Treat failed and killed execution of commands identically (only
different log messages), which addresses different behavior on different
exit codes of dash and bash (gh-1155)
* Fix jail.conf.5 man's section (gh-1226)
* Fixed default banaction for allports jails like pam-generic, recidive, etc
with new default variable `banaction_allports` (gh-1216)
* Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
for python version < 3.x (gh-1248)
* Use postfix_log logpath for postfix-rbl jail
* filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
* use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
* Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
* Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
* Removed compression and rotation count from logrotate (inherit them from
the global logrotate config)
- New Features:
* New interpolation feature for definition config readers - `<known/parameter>`
(means last known init definition of filters or actions with name `parameter`).
This interpolation makes possible to extend a parameters of stock filter or
action directly in jail inside jail.local file, without creating a separately
filter.d/*.local file.
As extension to interpolation `%(known/parameter)s`, that does not works for
filter and action init parameters
* New actions:
- nftables-multiport and nftables-allports - filtering using nftables
framework. Note: it requires a pre-existing chain for the filtering rule.
* New filters:
- openhab - domotic software authentication failure with the
rest api and web interface (gh-1223)
- nginx-limit-req - ban hosts, that were failed through nginx by limit
request processing rate (ngx_http_limit_req_module)
- murmur - ban hosts that repeatedly attempt to connect to
murmur/mumble-server with an invalid server password or certificate.
- haproxy-http-auth - filter to match failed HTTP Authentications against a
HAProxy server
* New jails:
- murmur - bans TCP and UDP from the bad host on the default murmur port.
* sshd filter got new failregex to match "maximum authentication
attempts exceeded" (introduced in openssh 6.8)
* Added filter for Mac OS screen sharing (VNC) daemon
- Enhancements:
* Do not rotate empty log files
* Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
http://bugs.debian.org/798923
* Added openSUSE path configuration (Thanks Johannes Weberhofer)
* Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
* Added a timeout (3 sec) to urlopen within badips.py action
(Thanks M. Maraun)
* Added check against atacker's Googlebot PTR fake records
(Thanks Pablo Rodriguez Fernandez)
* Enhance filter against atacker's Googlebot PTR fake records
(gh-1226)
* Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
* Added filter for openhab domotic software authentication failure with the
rest api and web interface (gh-1223)
* Add *_backend options for services to allow distros to set the default
backend per service, set default to systemd for Fedora as appropriate
* Performance improvements while monitoring large number of files (gh-1265).
Use associative array (dict) for monitored log files to speed up lookup
operations. Thanks @kshetragia
* Specified that fail2ban is PartOf iptables.service firewalld.service in
.service file -- would reload fail2ban if those services are restarted
* Provides new default `fail2ban_version` and interpolation variable
`fail2ban_agent` in jail.conf
* Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
and to support multiple instances of postfix having varying suffix (gh-1331)
(Thanks Tom Hendrikx)
* files/gentoo-initd to use start-stop-daemon to robustify restarting the service
* tag '0.9.4': (138 commits)
MANIFEST RELEASE and man pages updates
Changes for the 0.9.4 release
datedetector: epoch time expression fix (now 10-11 chars, only whole number - anchored ^...\b or by special case within [], audit()) + test cases extended (positive/negative)
changelog about gentoo initd
added wp-admin
ENH(TST): a hypothetical example to show/test needing trailing anchoring
ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
Changelog for the recent PR and added Tom to THANKS
mysqld: failregex fixed (accepts different log level, more secure expression now); closes #1332
Add support for matching postfix multi-instance daemon names by default
DOC: removed Nick from listed as FreeBSD maintainer
DOC: adjusted ISSUE_TEMPLATE.md picking on @sebres's version
ENH: github templates for issues and PRs
ENH: add codecov support to travis.yml and bandge to README.md
gentoo-initd: Use start-stop-daemon in order to handle crashes better
regexp rewritten (few vulnerable as previous) + test case added
Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number. Closes #1309
Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command
Remove compression and count from logrotate
gentoo-initd: do not hide useful output
...
commit d67f502ff5dde5aa1a365d18610177cbb2d2650b
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Jul 31 21:57:34 2015 -0400
Tuned up removal of /run within package installation -- now in the root as well
commit dce6e1cd3ab8c909b3935d42e69374ba7ac7fbf9
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Jul 31 21:50:00 2015 -0400
Changelog and adjusted debian/control description to describe recommends
commit bceb35ab34e7d4cbee499826dd7827b2e603d431
Merge: 77ea6e62 70ba5cb0
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Jul 31 21:34:06 2015 -0400
Merge tag '0.9.3' into debian
ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
----------
- IMPORTANT incompatible changes:
* filter.d/roundcube-auth.conf
- Changed logpath to 'errors' log (was 'userlogins')
* action.d/iptables-common.conf
- All calls to iptables command now use -w switch introduced in
iptables 1.4.20 (some distribution could have patched their
earlier base version as well) to provide this locking mechanism
useful under heavy load to avoid contesting on iptables calls.
If you need to disable, define 'action.d/iptables-common.local'
with empty value for 'lockingopt' in `[Init]` section.
* mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
actions now include by default only the first 1000 log lines in
the emails. Adjust <grepopts> to augment the behavior.
- Fixes:
* reload in interactive mode appends all the jails twice (gh-825)
* reload server/jail failed if database used (but was not changed) and
some jail active (gh-1072)
* filter.d/dovecot.conf - also match unknown user in passwd-file.
Thanks Anton Shestakov
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
* filter.d/asterisk.conf - fix security log support for Asterisk 12+
* filter.d/roundcube-auth.conf
- Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
- Added regex to work with 'userlogins' log
* action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
locale on systems with customized LC_ALL
* performance fix: minimizes connection overhead, close socket only at
communication end (gh-1099)
* unbanip always deletes ip from database (independent of bantime, also if
currently not banned or persistent)
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
* always set 'dbfile' before other database options (gh-1050)
* kill the entire process group of the child process upon timeout (gh-1129).
Otherwise could lead to resource exhaustion due to hanging whois
processes.
* resolve /var/run/fail2ban path in setup.py to help installation
on platforms with /var/run -> /run symlink (gh-1142)
- New Features:
* RETURN iptables target is now a variable: <returntype>
* New type of operation: pass2allow, use fail2ban for "knocking",
opening a closed port by swapping blocktype and returntype
* New filters:
- froxlor-auth - Thanks Joern Muehlencord
- apache-pass - filter Apache access log for successful authentication
* New actions:
- shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
manual pre-configuration of the shorewall. See the action file for detail.
* New jails:
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
- Enhancements:
* action.d/cloudflare.conf - improved documentation on how to allow
multiple CF accounts, and jail.conf got new compound action
definition action_cf_mwl to submit cloudflare report.
* Check access to socket for more detailed logging on error (gh-595)
* fail2ban-testcases man page
* filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
HEAD method verb
* Revamp of Travis and coverage automated testing
* Added a space between IP address and the following colon
in notification emails for easier text selection
* Character detection heuristics for whois output via optional setting
in mail-whois*.conf. Thanks Thomas Mayer.
Not enabled by default, if _whois_command is set to be
%(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
it
- detects character set of whois output (which is undefined by
RFC 3912) via heuristics of the file command
- converts whois data to UTF-8 character set with iconv
- sends the whois output in UTF-8 character set to mail program
- avoids that heirloom mailx creates binary attachment for input with
unknown character set
* tag '0.9.3': (99 commits)
Release changes (too much of manual "labor"! ;))
BF: realpath for /var/run/fail2ban Closes #1142
Changelog entry for killpg fix
Changelog entries for Serge's fixes
bug fix: option 'dbpurgeage' was never set (always default) by start of fail2ban, because of invalid sorting of options ('dbfile' should be always set before other database options) / closes #1048, closes #1050
BF: guarantee order of dbfile to be before dbpurgeage (Closes #1048)
DOC: Changelog for shorewall-ipset-proto6.conf + adjusted its description
DOC: moved and adjusted changelog entry from 0.9.2 within 0.9.3 to come
TST: test to verify killing stuck children processes
BF: kill the entire process group upon timeout (Close #1129)
Limit the number of log lines in *-lines.conf actions
ipjailmatches is on one line with its description in man jail.conf
DOC: Changelog for iptables -w change
Remove self.printlog() call
Remove literal "TODO" from method's name
BF: do not wrap iptables into itself. Thanks Lee
Added a space between IP address and the following colon
BF: symbiosis-blacklist-allports now also requires iptables-common.conf
RF: use <iptables> to take effect of it being a parameter
ENH: added lockingopt option for iptables actions, made iptables cmd itself a parameter
...
commit 77ea6e62b4e78d3865775cd2c44ed43a5b018aea
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed Apr 29 00:00:17 2015 -0400
update datestamp
commit 39147397d8d255d71f28e8b797a3442ab562a977
Merge: d530240c acc4c2d1
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Apr 28 23:59:34 2015 -0400
Merge tag '0.9.2' into debian
Long delayed
ver. 0.9.2 (2015/04/29) - better-quick-now-than-later
----------
- Fixes:
* Fix ufw action commands
* infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
Thanks TonyThompson
* port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
(fnerdwq)
* $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
* grep'ing for IP in *mail-whois-lines.conf should now match also
at the beginning and EOL. Thanks Dean Lee
* jail.conf
- php-url-fopen: separate logpath entries by newline
* failregex declared direct in jail was joined to single line (specifying of
multiple expressions was not possible).
* filters.d/exim.conf - cover different settings of exim logs
details. Thanks bes.internal
* filter.d/postfix-sasl.conf - failregex is now case insensitive
* filters.d/postfix.conf - add 'Client host rejected error message' failregex
* fail2ban/__init__.py - add strptime thread safety hack-around
* recidive uses iptables-allports banaction by default now.
Avoids problems with iptables versions not understanding 'all' for
protocols and ports
* filter.d/dovecot.conf
- match pam_authenticate line from EL7
- match unknown user line from EL7
* Use use_poll=True for Python 2.7 and >=3.4 to overcome "Bad file
descriptor" msgs issue (gh-161)
* filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore
system authentication issues
* fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
(gh-954)
* firewallcmd-* actions: split output into separate lines for grepping (gh-908)
* Guard unicode encode/decode issues while storing records in the database.
Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
for reporting
* filter.d/sshd added regex for matching openSUSE ssh authentication failure
* filter.d/asterisk.conf:
- Dropped "Sending fake auth rejection" failregex since it incorrectly
targets the asterisk server itself
- match "hacking attempt detected" logs
- New Features:
- New filters:
- postfix-rbl Thanks Lee Clemens
- apache-fakegooglebot.conf Thanks Lee Clemens
- nginx-botsearch Thanks Frantisek Sumsal
- drupal-auth Thanks Lee Clemens
- New recursive embedded substitution feature added:
- `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
- `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
- New interpolation feature for config readers - `%(known/parameter)s`.
(means last known option with name `parameter`). This interpolation makes
possible to extend a stock filter or jail regexp in .local file
(opposite to simply set failregex/ignoreregex that overwrites it),
see gh-867.
- Monit config for fail2ban in files/monit/
- New actions:
- action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt
- action.d/sendmail-geoip-lines.conf
- action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean
- New status argument for fail2ban-client -- flavor:
fail2ban-client status <jail> [flavor]
- empty or "basic" works as-is
- "cymru" additionally prints (ASN, Country RIR) per banned IP
(requires dnspython or dnspython3)
- Flush log at USR1 signal
- Enhancements:
* Enable multiport for firewallcmd-new action. Closes gh-834
* files/debian-initd migrated from the debian branch and should be
suitable for manual installations now (thanks Juan Karlo de Guzman)
* Define empty ignoreregex in filters which didn't have it to avoid
warnings (gh-934)
* action.d/{sendmail-*,xarf-login-attack}.conf - report local
timezone not UTC time/zone. Closes gh-911
* Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
* Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
* Added syslogsocket configuration to fail2ban.conf
* Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964)
* tag '0.9.2':
Hope for release tomorrow
BF: if no /dev/log on Linux -- don't expect setting syslog to work
Fix actions in ufw.conf
Add drupal-auth filter and jail
commit d530240c9950311dd4a4a297ffc31e679102bca8
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed Apr 29 03:56:08 2015 +0000
BF: enforce C.UTF-8 LC_ALL while running tests
commit b9890273290f12894404b8592b3523e3e0e63186
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Apr 26 22:03:47 2015 -0400
refreshed backport patch
commit 5b33e57053b1cdd83c980a3281a7ad926171bb50
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Apr 26 22:00:24 2015 -0400
refreshed patches
commit d8469b39732ccf970f2819211e13c3bab414330b
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Apr 26 21:59:21 2015 -0400
Added regular python to Recommends since apache-fakegooglebot still python2
commit fc70f0922c67d472e0dbf48017a82a64f290d58b
Merge: 5a8d39fc 0f75ed5e
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Apr 26 21:57:40 2015 -0400
Merge tag '0.9.2' into debian
commit 5a8d39fc223948d08273e4a314764b6493fb3cdc
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Apr 26 21:52:01 2015 -0400
updated changelog
commit a1dbfdb4782cf6e4ed7b1428fe1945d7bab128ff
Merge: 3b4bf59c 1784205f
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Apr 26 21:51:19 2015 -0400
Merge tag '0.9.2' into debian
Long delayed and possibly incomplete 0.9.2 release:
ver. 0.9.2 (2015/04/26) - better-quick-now-than-later
----------
- Fixes:
* infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
Thanks TonyThompson
* port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
(fnerdwq)
* $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
* grep'ing for IP in *mail-whois-lines.conf should now match also
at the beginning and EOL. Thanks Dean Lee
* jail.conf
- php-url-fopen: separate logpath entries by newline
* failregex declared direct in jail was joined to single line (specifying of
multiple expressions was not possible).
* filters.d/exim.conf - cover different settings of exim logs
details. Thanks bes.internal
* filter.d/postfix-sasl.conf - failregex is now case insensitive
* filters.d/postfix.conf - add 'Client host rejected error message' failregex
* fail2ban/__init__.py - add strptime thread safety hack-around
* recidive uses iptables-allports banaction by default now.
Avoids problems with iptables versions not understanding 'all' for
protocols and ports
* filter.d/dovecot.conf
- match pam_authenticate line from EL7
- match unknown user line from EL7
* Use use_poll=True for Python 2.7 and >=3.4 to overcome "Bad file
descriptor" msgs issue (gh-161)
* filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore
system authentication issues
* fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
(gh-954)
* firewallcmd-* actions: split output into separate lines for grepping (gh-908)
* Guard unicode encode/decode issues while storing records in the database.
Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
for reporting
* filter.d/sshd added regex for matching openSUSE ssh authentication failure
* filter.d/asterisk.conf:
- Dropped "Sending fake auth rejection" failregex since it incorrectly
targets the asterisk server itself
- match "hacking attempt detected" logs
- New Features:
- New filters:
- postfix-rbl Thanks Lee Clemens
- apache-fakegooglebot.conf Thanks Lee Clemens
- nginx-botsearch Thanks Frantisek Sumsal
- New recursive embedded substitution feature added:
- `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
- `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
- New interpolation feature for config readers - `%(known/parameter)s`.
(means last known option with name `parameter`). This interpolation makes
possible to extend a stock filter or jail regexp in .local file
(opposite to simply set failregex/ignoreregex that overwrites it),
see gh-867.
- Monit config for fail2ban in files/monit/
- New actions:
- action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt
- action.d/sendmail-geoip-lines.conf
- action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean
- New status argument for fail2ban-client -- flavor:
fail2ban-client status <jail> [flavor]
- empty or "basic" works as-is
- "cymru" additionally prints (ASN, Country RIR) per banned IP
(requires dnspython or dnspython3)
- Flush log at USR1 signal
- Enhancements:
* Enable multiport for firewallcmd-new action. Closes gh-834
* files/debian-initd migrated from the debian branch and should be
suitable for manual installations now (thanks Juan Karlo de Guzman)
* Define empty ignoreregex in filters which didn't have it to avoid
warnings (gh-934)
* action.d/{sendmail-*,xarf-login-attack}.conf - report local
timezone not UTC time/zone. Closes gh-911
* Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
* Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
* Added syslogsocket configuration to fail2ban.conf
* Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964)
* tag '0.9.2': (140 commits)
DOC: Slight tune up to RELEASE doc -- no need for PYTHONPATH to run tests
MANIFEST: updated for some new files, sorted all entries, removed some duplicates
Initial changes for the release -- simplified ChangeLog header etc
added \s after host
replaced .* before rhost with regex matching all the previous fields
Fixed typo in filter description authentification instead of authentication
Fixed the UTC -> CEST difference...
Added changes to ChangeLog & updated sample test cases
updated filter.d/sshd.conf
Do not run smtp tests if no_network set
BF: if install pypy -- come back to original directory
BF(OSX): apparently exceptions could not be compared for identity, use repr
very long time resolving IP for address "abcdef" on some PDC, under NAT etc. - replaced via "abcdef.abcdef" to prevent searching in local domains;
fix test for invalid IP (use TEST-NET-1 according to RFC 5737): since fef031b3cd41c99a4843d5d5b52217b7694eff72 failed, because on some platforms like vm:debian 10.0.0.0 returns 'localhost' (intern network).
Match hacking attempt IP instead of asterisk server IP (closes #1000)
BF: fixing up version comparison for pypy. Issue appeared in 2.5.0
ENH: minor formatting, no functional changes
BF: do not expect setting logtarget to SYSLOG to work on non-Linuxes
Added a comment about systemd backend for jails with logs outside of journal (Closes #959)
DOC: make a warning for recidive jail to increase dbpurgeage (Closes #964)
...
commit 3b4bf59c6a8e975ad52c78163f04c3dd16f7e9d4
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Apr 26 13:17:01 2015 -0400
Moved python3-systemd to Recommends from Suggests given that systemd is the default init system now. Should help people upgrading on Ubuntu 15.04 as well
commit 12dd23004e3949563abfcc02c1bdaa5d8d74cc17
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Dec 30 18:33:06 2014 -0500
Install monit configuration
commit dacd6c4155f2493a5d28d8c646d576b1f7452b20
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Dec 30 18:23:42 2014 -0500
move jail.d ssh default customization into debian/files to please lintian
commit 3f390f1ea1d42cc1d5b408998eb5053d3890f596
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Dec 30 16:59:07 2014 -0500
just a patch refresh
commit 67e79a14624c496f740ed3c63ae28788c6e3b346
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Dec 30 16:50:46 2014 -0500
changelog and now we will use upstream's init for debian
commit bfadd0100b17f103dfc78e70c8a87951e517d91d
Merge: 47f331ef d65c4f8f
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Dec 30 16:46:11 2014 -0500
Merge commit '0.9.1-44-gd65c4f8' into debian
* commit '0.9.1-44-gd65c4f8': (31 commits)
moved debian's initd file to files/debian-initd from debian branch
Update ChangeLog
Monit config
BF: adjusted for new IP of example.com
downcase example
Added an item to "Fixes"
postfix-sasl failregex case insensitive
clean all after test setup (removes a build directory in current root of fail2ban)
exim filter: correct failregex for exim with extended log options
small fix: no cover for failed case
testSetupInstallRoot will be always skipped, because of "wrong" location of 'setup.py';
better and scalable solution for gh-867 (and gh-868), using only name convention like %(known/failregex)s to add custom expressions, so no interface changes in jail.conf are necessary (for example see test-known-interp in test cases);
Changelog entry for preceding fix
Separate php-url-fopen logpath by newline
python 2.6 compatibility: preventing RuntimeError: dictionary changed size during iteration.
interpolation of config readers extended with `%(known/parameter)s`. (means last known option with name `parameter`).
test cases extended (now correct)
BF: failregex declared direct in jail was joined to single line, (specifying of multiple expressions was not possible); feature request (gh-867): new options for jail introduced addfailregex/addignoreregex: extends regex specified in filter (opposite to failregex/ignoreregex that overwrites it);
Add ignoreregex to avoid warning on start
Add ignoreregex to avoid warning on start
...
commit 47f331ef2866fda72f25d170085a0aca8abd737c
Author: ItsAdventureTime <ItsAdventureTime@users.noreply.github.com>
Date: Thu Nov 13 16:14:07 2014 +0800
Fixed the fail2ban init file issue.
Fixed some issues with the DAEMON's path and the SOCKFILE's location.
commit 6c8cfca5d5ea19f99ba74e86eaa4aa7be6df00d8
Merge: 408bed54 0e92c5b4
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Nov 11 23:43:07 2014 -0500
Merge pull request #856 from calestyo/debian-do-not-install-other-distros-files
do not install foreign distro/OS config files
commit 0e92c5b42a84ad87951af89800c63f44b2186f5a
Author: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
Date: Wed Nov 12 05:15:15 2014 +0100
do not install foreign distro/OS config files
• Do not install the following configuration files which are not used within the
Debian package of fail2ban:
/etc/fail2ban/paths-fedora.conf
/etc/fail2ban/paths-freebsd.conf
/etc/fail2ban/paths-osx.conf
Closes: Debian bug #767123 (https://bugs.debian.org/767123).
Signed-off-by: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
commit 408bed546476dbecb68be452a7a3179506d021b3
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Oct 27 22:15:31 2014 -0400
preliminary patch for backports to wheezy etc (systemd support "disabled")
also removing obsolete patch for lucid -- will just not build for it any longer
commit 4e543da4ba7d6b6d7c697f1685cf48fa285dcdc3
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Oct 27 22:02:23 2014 -0400
changelog + policy boost
commit b1d7c3f3ffeb7831ee8f57091ed14d67cb92fcd3
Merge: fbce1219 a0115ee4
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon Oct 27 21:52:39 2014 -0400
Merge tag '0.9.1' into debian
What aught to be a bugfix release delayed into a featured release 0.9.1
ver. 0.9.1 (2014/10/29) - better, faster, stronger
----------
- Refactoring (IMPORTANT -- Please review your setup and configuration):
* iptables-common.conf replaced iptables-blocktype.conf
(iptables-blocktype.local should still be read) and now also
provides defaults for the chain, port, protocol and name tags
- Fixes:
* start of file2ban aborted (on slow hosts, systemd considers the server has
been timed out and kills him), see gh-824
* UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
* systemd backend error on bad utf-8 in python3
* badips.py action error when logging HTTP error raised with badips request
* fail2ban-regex failed to work in python3 due to space/tab mix
* recidive regex samples incorrect log level
* journalmatch for recidive incorrect PRIORITY
* loglevel couldn't be changed in fail2ban.conf
* Handle case when no sqlite library is available for persistent database
* Only reban once per IP from database on fail2ban restart
* Nginx filter to support missing server_name. Closes gh-676
* fail2ban-regex assertion error caused by miscount missed lines with
multiline regex
* Fix actions failing to execute for Python 3.4.0. Workaround for
http://bugs.python.org/issue21207
* Database now returns persistent bans on restart (bantime < 0)
* Recursive action tags now fully processed. Fixes issue with bsd-ipfw
action
* Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
Thanks Serg G. Brester
* Correct times for non-timezone date times formats during DST
* Pass a copy of, not original, aInfo into actions to avoid side-effects
* Per-distribution paths to the exim's main log
* Ignored IPs are no longer banned when being restored from persistent
database
* Manually unbanned IPs are now removed from persistent database, such they
wont be banned again when Fail2Ban is restarted
* Pass "bantime" parameter to the actions in default jail's action
definition(s)
* filters.d/sieve.conf - fixed typo in _daemon. Thanks Jisoo Park
* cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
Debian bug #755173
* postfix-sasl - added journalmatch. Thanks Luc Maisonobe
* postfix* - match with a new daemon string (postfix/submission/smtpd).
Closes gh-804 . Thanks Paul Traina
* apache - added filter for AH01630 client denied by server configuration.
- New features:
- New filters:
- monit Thanks Jason H Martin
- directadmin Thanks niorg
- apache-shellshock Thanks Eugene Hopkinson (SlowRiot)
- New actions:
- symbiosis-blacklist-allports for Bytemark symbiosis firewall
- fail2ban-client can fetch the running server version
- Added Cloudflare API action
- Enhancements
* Start performance of fail2ban-client (and tests) increased, start time
and cpu usage rapidly reduced. Introduced a shared storage logic, to
bypass reading lots of config files (see gh-824).
Thanks to Joost Molenaar for good catch (reported gh-820).
* Fail2ban-regex - add print-all-matched option. Closes gh-652
* Suppress fail2ban-client warnings for non-critical config options
* Match non "Bye Bye" disconnect messages for sshd locked account regex
* courier-smtp filter:
- match lines with user names
- match lines containing "535 Authentication failed" attempts
* Add <chain> tag to iptables-ipsets
* Realign fail2ban log output with white space to improve readability. Does
not affect SYSLOG output
* Log unhandled exceptions
* cyrus-imap: catch "user not found" attempts
* Add support for Portsentry
* tag '0.9.1': (36 commits)
ENH: additional versioning changes
Refreshed manpages
ENH: fail early in generate-man + provide PYTHONPATH upstairs
Changes for the 0.9.1 release versioning
Populated MANIFEST with more entries which were preiously missed or duplicated. Sorted within each "section"
Add portsentry to changelog
ConfigReader.touch renamed into protected _create_unshared
DOC: documentation about available vagrantfile setup
Added myself into THANKS
DOC: adjust docs in mytime to place docs into docstrings
ENH: do use @staticmethod (we are well beyond support of 2.4 now)
testExecuteTimeout fixed: give a test still 1 second, because system could be too busy
coverage: no cover (for failed except)
fix: fail2ban-regex with filter file failed (after merging #824, because test case missing); test case for 'readexplicit' added;
ENH: remove obsolete code for python < 2.6 (we support >= 2.6)
DOC: very minor (tabs/spaces)
We better check that installation doesn't cause any errors as well
code review, change log entries added;
reset share/cache storage (if we use 'reload' in client with interactive mode)
normalize tabs/spaces in docstrings;
...
commit fbce121967d90b69181f9d7f78b16c1a8516b34a
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Oct 12 16:45:57 2014 -0400
adjusted changelog revision, apparently I fell into a trap of unannotated tag for 0.9.0 release
commit 6f4e542eff9bb4d153307c432b0d09627c41d241
Merge: a33207bf 47441d13
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Oct 12 16:45:30 2014 -0400
Merge commit '0.9.0-252-g47441d1' into debian-releases/experimental
* commit '0.9.0-252-g47441d1':
BF: made tests util digest.py friendly to python3
commit a33207bf87261fa426d19398a5296f60bfda8f69
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Oct 12 10:31:48 2014 -0400
changelog
commit eb6cc726ff8b68f76863e4bec6bdcaf3251a3531
Merge: cb662e23 97e01985
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Oct 12 10:26:48 2014 -0400
Merge branch 'debian-release/experimental' of https://github.com/schaal/fail2ban into debian-releases/experimental
* 'debian-release/experimental' of https://github.com/schaal/fail2ban:
Switch debian packaging to use python3
commit cb662e2368cf333e7fe453ad357b7916866a2927
Merge: 8b2f0678 98dc0844
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun Oct 12 10:26:36 2014 -0400
Merge commit '0.9.0a2-814-g98dc084' into debian-releases/experimental
* commit '0.9.0a2-814-g98dc084':
tests: define CONFIG_DIR in utils.
forgot to add test case to last commit
adding test case, changelog and thanks entries for apache shellshock filter
adding jail conf for shellshock filter
adding filter to detect Shellshock attack attempts against bash scripts through apache. See http://seclists.org/oss-sec/2014/q3/650
Add apache filter for AH01630 client denied by server configuration
RF: moving logwatch setup/sample logs under files/logwatch
DOC: Changelog and THANKS for previous changes
RF: remove those two additional failregexes for the postfix
ENH: add empty ignoreregex to avoid a warning (Close #805)
Update test cases and also suport smtps per request.
Add support for postfix/submission/smtpd matching.
ENH: print rebans stats even if no "Failures" are logged, and reduce indentation in output
ENH: untabified and reindented entire script for sane formatting (no functional changes)
BF: logwatch -- fixing up regex for 'already banned'
Sample logfiles to test logwatch services script
Adjusting fail2ban logwatch script to match lines from 0.9 as well
commit 97e01985a85b29e98bbfc6ecac09be34dcc7d8b3
Merge: 3f9859a1 05fcb1f1
Author: Daniel Schaal <farbing@web.de>
Date: Fri Oct 3 17:56:12 2014 +0200
Merge remote-tracking branch 'origin/master' into debian-release/experimental
commit 3f9859a127bc000a9bb9fba0aca5da22d0bf32ed
Author: Daniel Schaal <farbing@web.de>
Date: Fri Sep 12 07:08:56 2014 +0200
Switch debian packaging to use python3
commit 8b2f0678a7494a92113df40e17a97cc5024853f8
Merge: 87703c4c 1864f75b
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri Sep 12 14:14:24 2014 -0400
Merge commit '0.9.0a2-792-g1864f75' into debian-releases/experimental
* commit '0.9.0a2-792-g1864f75': (113 commits)
Credits and notes from #806
fixed encoding
fixed encoding
ENH: Ignore errors while unbaning in symbiosis firewall
ENH: just a bit more descriptive exception ;-)
ENH/BF(TST): making permissions restrictive is not sufficient -- really remove file to test
changelog entry for postfix-sasl fix
added systemd configuration for postfix-sasl.conf
1.5 version of Fail2ban logwatch file
minor typo
Fxi jail.conf to use more syslog macros
ENH: symbiosis-blacklist-allports action
Fix typos.
changelog and thanks for the preceding fix
Added entry for Cloudflare action
ChangeLog Added and entry about Cloudflare action
Changed to Cloudflare JSON API
Fix sieve filter to use correct option
changelog entries for already merged and upcoming merge
Update courier-smtp.conf
...
![[bug history graph]](https://qa.debian.org/data/bts/graphs/f/fail2ban.png){kind=link}