fail2ban/ChangeLog

                         __      _ _ ___ _
                        / _|__ _(_) |_  ) |__  __ _ _ _
                       |  _/ _` | | |/ /| '_ \/ _` | ' \
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|

Fail2Ban: Changelog
===================

ver. 0.10.0 (2016/XX/XXX) - gonna-be-released-some-time-shining
-----------

TODO: implementing of options resp. other tasks from PR #1346

### Fixes
* [Grave] memory leak's fixed (gh-1277, gh-1234)
* Tricky bug fix: last position of log file will be never retrieved (gh-795),
  because of CASCADE all log entries will be deleted from logs table together with jail, 
  if used "INSERT OR REPLACE" statement
* Asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
* testSocket: sporadical bug repaired - wait for server thread starts a socket (listener)
* testExecuteTimeoutWithNastyChildren: sporadical bug repaired - wait for pid file inside bash,
  kill tree in any case (gh-1155)
* Fixed high-load of pyinotify-backend,
  see https://github.com/fail2ban/fail2ban/issues/885#issuecomment-248964591
* Database: stability fix - repack cursor iterator as long as locked
* File filter backends: stability fix for sporadically errors - always close file
  handle, otherwise may be locked (prevent log-rotate, etc.)
* Pyinotify-backend: stability fix for sporadically errors in multi-threaded
  environment (without lock)
* Fixed sporadically error in testCymruInfoNxdomain, because of unsorted values

### New Features
* IPv6 support:
    - IP addresses are now handled as objects rather than strings capable for 
      handling both address types IPv4 and IPv6
    - iptables related actions have been amended to support IPv6 specific actions
      additionally
    - hostsdeny and route actions have been tested to be aware of v4 and v6 already
    - pf action for *BSD systems has been improved and supports now also v4 and v6
    - name resolution is now working for either address type
    - new conditional section functionality used in config resp. includes:
      - [Init?family=inet4] - IPv4 qualified hosts only
      - [Init?family=inet6] - IPv6 qualified hosts only
* New reload functionality (now totally without restart, unbanning/rebanning, etc.),
  see gh-1557
* Several commands extended and new commands introduced:
  - `restart [--unban] [--if-exists] <JAIL>` - restarts the jail \<JAIL\>
    (alias for `reload --restart ... <JAIL>`)
  - `reload [--restart] [--unban] [--all]` - reloads the configuration without restarting
    of the server, the option `--restart` activates completely restarting of affected jails,
    thereby can unban IP addresses (if option `--unban` specified)
  - `reload [--restart] [--unban] [--if-exists] <JAIL>` - reloads the jail \<JAIL\>,
    or restarts it (if option `--restart` specified), at the same time unbans all IP addresses
    banned in this jail, if option `--unban` specified
  - `unban --all` - unbans all IP addresses (in all jails and database)
  - `unban <IP> ... <IP>` - unbans \<IP\> (in all jails and database) (see gh-1388)
* New command action parameter `actionrepair` - command executed in order to restore
  sane environment in error case of `actioncheck`.

### Enhancements
* Huge increasing of fail2ban performance and especially test-cases performance (see gh-1109)
* Datedetector: in-place reordering using hits and last used time: 
  matchTime, template list etc. rewritten because of performance degradation
* Prevent out of memory situation if many IP's makes extremely many failures (maxEntries)
* Introduced string to seconds (str2seconds) for configuration entries with time,
  use `1h` instead of `3600`, `1d` instead of `86400`, etc
* seekToTime - prevent completely read of big files first time (after start of service), 
  initial seek to start time using half-interval search algorithm (see issue gh-795)
* Ticket and some other modules prepared to easy merge with newest version of 'ban-time-incr'
* Cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name,
  especially for wrong dns or lazy dns-system
* FailManager memory-optimization: increases performance, 
  prevents memory leakage, because don't copy failures list on some operations
* fail2ban-testcases - new options introduced:
    - `-f`, `--fast` to decrease wait intervals, avoid passive waiting, and skip
      few very slow test cases (implied memory database, see `-m` and no gamin tests `-g`)
    - `-g`, `--no-gamin` to prevent running of tests that require the gamin (slow)
    - `-m`, `--memory-db` - run database tests using memory instead of file
    - `-i`, `--ignore` - negate [regexps] filter to ignore tests matched specified regexps
* Background servicing: prevents memory leak on some platforms/python versions, using forced GC
  in periodic intervals (latency and threshold)
* executeCmd partially moved from action to new module utils
* Several functionality of class `DNSUtils` moved to new class `IPAddr`, 
  both classes moved to new module `ipdns`
* Pseudo-conditional section introduced, for conditional substitution resp. 
  evaluation of parameters for different family qualified hosts, 
  syntax `[Section?family=inet6]` (currently use for IPv6-support only).
* All the backends were rewritten to get reload-possibility, performance increased,
  so fewer greedy regarding cpu- resp. system-load now
* Numeric log-level allowed now in server (resp. fail2ban.conf);
* Implemented better error handling in some multi-threaded routines; shutdown of jails
  rewritten (faster and safer, does not breaks shutdown process if some error occurred)
* Possibility for overwriting some configuration options (read with config-readers)
  with command line option, e. g.:
```bash
## start server with DEBUG log-level (ignore level read from fail2ban.conf):
fail2ban-client --loglevel DEBUG start
## or
fail2ban-server -c /cfg/path --loglevel DEBUG start
## keep server log-level by reload (without restart it)
fail2ban-client --loglevel DEBUG reload
## switch log-level back to INFO:
fail2ban-client set loglevel INFO
```
* Optimized BanManager: increase performance, fewer system load, try to prevent
  memory leakage:
  - better ban/unban handling within actions (e.g. used dict instead of list)
  - don't copy bans resp. its list on some operations;
  - added new unbantime handling to relieve unBanList (prevent permanent
    searching for tickets to unban)
  - prefer failure-ID as identifier of the ticket to its IP (most of the time
    the same, but it can be something else e.g. user name in some complex jails,
    as introduced in 0.10)
* Regexp enhancements:
  - build replacement of `<HOST>` substitution corresponding parameter
    `usedns` - dns-part will be added only if `usedns` is not `no`,
    also using fail2ban-regex
  - new replacement for `<ADDR>` in opposition to `<HOST>`, for separate
    usage of 2 address groups only (regardless of `usedns`), `ip4` and `ip6`
    together, without host (dns)
* fail2ban-testcases:
  - `assertLogged` extended with parameter wait (to wait up to specified timeout,
    before we throw assert exception) + test cases rewritten using that
  - added `assertDictEqual` for compatibility to early python versions (< 2.7);
  - new `with_foreground_server_thread` decorator to test several client/server commands


ver. 0.9.6 (2016/XX/XX) - wanna-be-released
-----------

0.9.x line is no longer heavily developed.  If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.

### Fixes
* Misleading add resp. enable of (already available) jail in database, that
  induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
  (e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version, 
  uses "fail2ban-python" now);
* Fixed test case "testSetupInstallRoot" for not default python version (also
  using direct call, out of virtualenv);
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/asterisk.conf`
    - Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/ignorecommands/apache-fakegooglebot`
    - Fixed error within apache-fakegooglebot, that will be called 
      with wrong python version (gh-1506)
* `filter.d/assp.conf`
    - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf`
    - Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf`
    - Optional reason part in message after FAIL LOGIN (gh-1543)


### New Features

### Enhancements
* DateTemplate regexp extended with the word-end boundary, additionally to 
  word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to 
  python executable, where fail2ban currently installed (resp. its modules are located):
    - allows to use the same version, fail2ban currently running, e.g. in 
      external scripts just via replace python with fail2ban-python:
      ```diff
      -#!/usr/bin/env python
      +#!/usr/bin/env fail2ban-python
      ```
    - always the same pickle protocol
    - the same (and also guaranteed available) fail2ban modules
    - simplified stand-alone install, resp. stand-alone installation possibility
      via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
  Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
  are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
  examples:
    - `backend = systemd[journalpath=/run/log/journal/machine-1]`
    - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
    - `backend = systemd[journalflags=2]`


ver. 0.9.5 (2016/07/15) - old-not-obsolete
-----------

### Fixes
* `filter.d/monit.conf`
    - Extended failregex with new monit "access denied" version (gh-1355)
    - failregex of previous monit version merged as single expression
* `filter.d/postfix.conf`, `filter.d/postfix-sasl.conf`
    - Extended failregex daemon part, matching also `postfix/smtps/smtpd`
      now (gh-1391)
* Fixed a grave bug within tags substitutions because of incorrect
  detection of recursion in case of multiple inline substitutions
  of the same tag (affected actions: `bsd-ipfw`, etc).  Now tracks
  the actual list of the already substituted tags (per tag instead
  of single list)
* `filter.d/common.conf`
    - Unexpected extra regex-space in generic `__prefix_line` (gh-1405)
    - All optional spaces normalized in `common.conf`, test covered now
    - Generic `__prefix_line` extended with optional brackets for the
     date ambit (gh-1421), added new parameter `__date_ambit`
* `gentoo-initd` fixed `--pidfile` bug: `--pidfile` is option of
  `start-stop-daemon`, not argument of fail2ban (see gh-1434)
* `filter.d/asterisk.conf`
    - Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
    - Improved log support for PJSIP and Asterisk 13+ with different
      callID (gh-1458)

### New Features
* New Actions:
    - `action.d/firewallcmd-rich-rules` and `action.d/firewallcmd-rich-logging`
	(gh-1367)
* New filters:
    - slapd - ban hosts, that were failed to connect with invalid
	credentials: error code 49 (gh-1478)


### Enhancements
* Extreme speedup of all sqlite database operations (gh-1436),
  by using of following sqlite options:
    - (synchronous = OFF) write data through OS without syncing
    - (journal_mode = MEMORY) use memory for the transaction logging
    - (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh-1362)
* Added additional regex filter for dovecot ldap authentication failures (gh-1370)
* `filter.d/exim*conf`
    - Added additional regexes (gh-1371)
    - Made port entry optional


ver. 0.9.4 (2016/03/08) - for-you-ladies
-----------

### Fixes
* `roundcube-auth` jail typo for logpath
* Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
* `filter.d/apache-badbots.conf`
    - Updated useragent string regex adding escape for `+`
* `filter.d/mysqld-auth.conf`
    - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
* `filter.d/sshd.conf`
    - Updated "Auth fail" regex for OpenSSH 5.9 and later
* Treat failed and killed execution of commands identically (only
  different log messages), which addresses different behavior on different
  exit codes of dash and bash (gh-1155)
* Fix jail.conf.5 man's section (gh-1226)
* Fixed default banaction for allports jails like pam-generic, recidive, etc
  with new default variable `banaction_allports` (gh-1216)
* Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
  for python version < 3.x (gh-1248)
* Use postfix_log logpath for postfix-rbl jail
* `filters.d/postfix.conf` - add 'Sender address rejected: Domain not found' failregex
* use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
* Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
* Changed `filter.d/asterisk` regex for "Call from ..." (few vulnerable now)
* Removed compression and rotation count from logrotate (inherit them from
  the global logrotate config)

### New Features
* New interpolation feature for definition config readers - `<known/parameter>`
  (means last known init definition of filters or actions with name `parameter`).
  This interpolation makes possible to extend a parameters of stock filter or
  action directly in jail inside jail.local file, without creating a separately
  `filter.d/*.local` file.
  As extension to interpolation `%(known/parameter)s`, that does not works for
  filter and action init parameters
* New actions:
    - `nftables-multiport` and `nftables-allports` - filtering using nftables
      framework. Note: it requires a pre-existing chain for the filtering rule.
* New filters:
    - `openhab` - domotic software authentication failure with the
      rest api and web interface (gh-1223)
    - `nginx-limit-req` - ban hosts, that were failed through nginx by limit
      request processing rate (ngx_http_limit_req_module)
    - `murmur` - ban hosts that repeatedly attempt to connect to
      murmur/mumble-server with an invalid server password or certificate.
    - `haproxy-http-auth` - filter to match failed HTTP Authentications against a
      HAProxy server
* New jails:
    - `murmur` - bans TCP and UDP from the bad host on the default murmur port.
* `sshd` filter got new failregex to match "maximum authentication
  attempts exceeded" (introduced in openssh 6.8)
* Added filter for Mac OS screen sharing (VNC) daemon

### Enhancements
* Do not rotate empty log files
* Added new date pattern with year after day (e.g. `Sun Jan 23 2005 21:59:59`)
  http://bugs.debian.org/798923
* Added openSUSE path configuration (Thanks Johannes Weberhofer)
* Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
* Added a timeout (3 sec) to urlopen within badips.py action
  (Thanks M. Maraun)
* Added check against atacker's Googlebot PTR fake records
  (Thanks Pablo Rodriguez Fernandez)
* Enhance filter against atacker's Googlebot PTR fake records
  (gh-1226)
* Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
* Added filter for openhab domotic software authentication failure with the
  rest api and web interface (gh-1223)
* Add `*_backend` options for services to allow distros to set the default
  backend per service, set default to systemd for Fedora as appropriate
* Performance improvements while monitoring large number of files (gh-1265).
  Use associative array (dict) for monitored log files to speed up lookup
  operations. Thanks @kshetragia
* Specified that fail2ban is PartOf iptables.service `firewalld.service` in
  `.service` file -- would reload fail2ban if those services are restarted
* Provides new default `fail2ban_version` and interpolation variable
  `fail2ban_agent` in jail.conf
* Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
  and to support multiple instances of postfix having varying suffix (gh-1331)
  (Thanks Tom Hendrikx)
* `files/gentoo-initd` to use `start-stop-daemon` to robustify restarting the service


ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
----------

### IMPORTANT incompatible changes
* `filter.d/roundcube-auth.conf`
    - Changed logpath to 'errors' log (was 'userlogins')
* `action.d/iptables-common.conf`
    - All calls to iptables command now use -w switch introduced in
      iptables 1.4.20 (some distribution could have patched their
      earlier base version as well) to provide this locking mechanism
      useful under heavy load to avoid contesting on iptables calls.
      If you need to disable, define `action.d/iptables-common.local`
      with empty value for 'lockingopt' in `[Init]` section.
* `mail-whois-lines`, `sendmail-geoip-lines` and `sendmail-whois-lines`
  actions now include by default only the first 1000 log lines in
  the emails.  Adjust `<grepopts>` to augment the behavior.

### Fixes
* reload in interactive mode appends all the jails twice (gh-825)
* reload server/jail failed if database used (but was not changed) and
  some jail active (gh-1072)
* `filter.d/dovecot.conf` - also match unknown user in passwd-file.
  Thanks Anton Shestakov
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
* `filter.d/asterisk.conf` - fix security log support for Asterisk 12+
* `filter.d/roundcube-auth.conf`
     - Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
     - Added regex to work with 'userlogins' log
* `action.d/sendmail*.conf` - use LC_ALL (superseeding LC_TIME) to override
  locale on systems with customized LC_ALL
* performance fix: minimizes connection overhead, close socket only at
  communication end (gh-1099)
* unbanip always deletes ip from database (independent of bantime, also if
  currently not banned or persistent)
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
* always set 'dbfile' before other database options (gh-1050)
* kill the entire process group of the child process upon timeout (gh-1129).
  Otherwise could lead to resource exhaustion due to hanging whois
  processes.
* resolve `/var/run/fail2ban` path in setup.py to help installation
  on platforms with `/var/run` -> /run symlink (gh-1142)

### New Features
* RETURN iptables target is now a variable: `<returntype>`
* New type of operation: pass2allow, use fail2ban for "knocking",
  opening a closed port by swapping blocktype and returntype
* New filters:
     - froxlor-auth - Thanks Joern Muehlencord
     - apache-pass - filter Apache access log for successful authentication
* New actions:
     - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
	   manual pre-configuration of the shorewall. See the action file for detail.
* New jails:
     - pass2allow-ftp - allows FTP traffic after successful HTTP authentication

### Enhancements
* `action.d/cloudflare.conf` - improved documentation on how to allow
  multiple CF accounts, and jail.conf got new compound action
  definition action_cf_mwl to submit cloudflare report.
* Check access to socket for more detailed logging on error (gh-595)
* fail2ban-testcases man page
* `filter.d/apache-badbots.conf`, `filter.d/nginx-botsearch.conf` - add
  HEAD method verb
* Revamp of Travis and coverage automated testing
* Added a space between IP address and the following colon
  in notification emails for easier text selection
* Character detection heuristics for whois output via optional setting
  in mail-whois*.conf. Thanks Thomas Mayer.
  Not enabled by default, if _whois_command is set to be
  %(_whois_convert_charset)s (e.g. in `action.d/mail-whois-common.local`),
  it
     - detects character set of whois output (which is undefined by
       RFC 3912) via heuristics of the file command
     - converts whois data to UTF-8 character set with iconv
     - sends the whois output in UTF-8 character set to mail program
     - avoids that heirloom mailx creates binary attachment for input with
       unknown character set


ver. 0.9.2 (2015/04/29) - better-quick-now-than-later
----------

### Fixes
* Fix ufw action commands
* infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
  Thanks TonyThompson
* port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
  (fnerdwq)
* $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
* grep'ing for IP in *mail-whois-lines.conf should now match also
  at the beginning and EOL.  Thanks Dean Lee
* `jail.conf`
     - `php-url-fopen`: separate logpath entries by newline
* failregex declared direct in jail was joined to single line (specifying of
  multiple expressions was not possible).
* `filters.d/exim.conf` - cover different settings of exim logs
  details. Thanks bes.internal
* `filter.d/postfix-sasl.conf` - failregex is now case insensitive
* `filters.d/postfix.conf` - add 'Client host rejected error message' failregex
* `fail2ban/__init__.py` - add strptime thread safety hack-around
* recidive uses `iptables-allports` banaction by default now.
  Avoids problems with iptables versions not understanding 'all' for
  protocols and ports
* `filter.d/dovecot.conf`
     - match pam_authenticate line from EL7
     - match unknown user line from EL7
* Use `use_poll=True` for Python 2.7 and >=3.4 to overcome "Bad file
  descriptor" msgs issue (gh-161)
* `filter.d/postfix-sasl.conf` - tweak failregex and add ignoreregex to ignore
  system authentication issues
* fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
  (gh-954)
* firewallcmd-* actions: split output into separate lines for grepping (gh-908)
* Guard unicode encode/decode issues while storing records in the database.
  Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
  for reporting
* `filter.d/sshd` added regex for matching openSUSE ssh authentication failure
* `filter.d/asterisk.conf`:
     - Dropped "Sending fake auth rejection" failregex since it incorrectly
	   targets the asterisk server itself
     - match "hacking attempt detected" logs

### New Features
* New filters:
    - postfix-rbl  Thanks Lee Clemens
    - apache-fakegooglebot.conf  Thanks Lee Clemens
    - nginx-botsearch  Thanks Frantisek Sumsal
    - drupal-auth  Thanks Lee Clemens
* New recursive embedded substitution feature added:
    - `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
    - `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
* New interpolation feature for config readers - `%(known/parameter)s`.
  (means last known option with name `parameter`). This interpolation makes
  possible to extend a stock filter or jail regexp in .local file
  (opposite to simply set failregex/ignoreregex that overwrites it),
  see gh-867.
* Monit config for fail2ban in `files/monit/`
* New actions:
    - `action.d/firewallcmd-multiport` and `action.d/firewallcmd-allports` Thanks Donald Yandt
    - `action.d/sendmail-geoip-lines.conf`
    - `action.d/nsupdate` to update DNSBL. Thanks Andrew St. Jean
* New status argument for fail2ban-client -- flavor:
  `fail2ban-client status <jail> [flavor]`
    - empty or "basic" works as-is
    - "cymru" additionally prints (ASN, Country RIR) per banned IP
      (requires dnspython or dnspython3)
* Flush log at USR1 signal

### Enhancements
* Enable multiport for firewallcmd-new action.  Closes gh-834
* files/debian-initd migrated from the debian branch and should be
  suitable for manual installations now (thanks Juan Karlo de Guzman)
* Define empty ignoreregex in filters which didn't have it to avoid
  warnings (gh-934)
* `action.d/{sendmail-*,xarf-login-attack}.conf` - report local
  timezone not UTC time/zone. Closes gh-911
* Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
* Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
* Added syslogsocket configuration to fail2ban.conf
* Note in the `jail.conf` for the recidive jail to increase dbpurgeage (gh-964)


ver. 0.9.1 (2014/10/29) - better, faster, stronger
----------

### Refactoring (IMPORTANT -- Please review your setup and configuration)
* `iptables-common.conf` replaced `iptables-blocktype.conf`
  (`iptables-blocktype.local` should still be read) and now also
  provides defaults for the chain, port, protocol and name tags

### Fixes
* start of file2ban aborted (on slow hosts, systemd considers the server has
  been timed out and kills him), see gh-824
* UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
* systemd backend error on bad utf-8 in python3
* badips.py action error when logging HTTP error raised with badips request
* fail2ban-regex failed to work in python3 due to space/tab mix
* recidive regex samples incorrect log level
* journalmatch for recidive incorrect PRIORITY
* loglevel couldn't be changed in fail2ban.conf
* Handle case when no sqlite library is available for persistent database
* Only reban once per IP from database on fail2ban restart
* Nginx filter to support missing server_name. Closes gh-676
* fail2ban-regex assertion error caused by miscount missed lines with
  multiline regex
* Fix actions failing to execute for Python 3.4.0. Workaround for
  http://bugs.python.org/issue21207
* Database now returns persistent bans on restart (bantime < 0)
* Recursive action tags now fully processed. Fixes issue with bsd-ipfw
  action
* Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
  Thanks Serg G. Brester
* Correct times for non-timezone date times formats during DST
* Pass a copy of, not original, aInfo into actions to avoid side-effects
* Per-distribution paths to the exim's main log
* Ignored IPs are no longer banned when being restored from persistent
  database
* Manually unbanned IPs are now removed from persistent database, such they
  wont be banned again when Fail2Ban is restarted
* Pass "bantime" parameter to the actions in default jail's action
  definition(s)
* `filters.d/sieve.conf` - fixed typo in _daemon.  Thanks Jisoo Park
* cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
  Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
  Debian bug #755173
* postfix-sasl - added journalmatch.  Thanks Luc Maisonobe
* postfix* - match with a new daemon string (postfix/submission/smtpd).
  Closes gh-804 .  Thanks Paul Traina
* apache - added filter for AH01630 client denied by server configuration.

### New Features
* New filters:
    - monit  Thanks Jason H Martin
    - directadmin  Thanks niorg
    - apache-shellshock  Thanks Eugene Hopkinson (SlowRiot)
* New actions:
    - symbiosis-blacklist-allports  for Bytemark symbiosis firewall
    - fail2ban-client can fetch the running server version
    - Added Cloudflare API action

### Enhancements
* Start performance of fail2ban-client (and tests) increased, start time
  and cpu usage rapidly reduced. Introduced a shared storage logic, to
  bypass reading lots of config files (see gh-824).
  Thanks to Joost Molenaar for good catch (reported gh-820).
* Fail2ban-regex - add print-all-matched option. Closes gh-652
* Suppress fail2ban-client warnings for non-critical config options
* Match non "Bye Bye" disconnect messages for sshd locked account regex
* courier-smtp filter:
    - match lines with user names
    - match lines containing "535 Authentication failed" attempts
* Add `<chain>` tag to iptables-ipsets
* Realign fail2ban log output with white space to improve readability. Does
  not affect SYSLOG output
* Log unhandled exceptions
* cyrus-imap: catch "user not found" attempts
* Add support for Portsentry


ver. 0.9.0 (2014/03/14) - beta
----------

Carries all fixes, features and enhancements from 0.8.13 (unreleased) with
major changes.

The minimum supported python version is now 2.6. If you have python-2.4 or 2.5
you can use the 0.8.12 version of fail2ban.

Please take note of release notes:
https://github.com/fail2ban/fail2ban/releases/tag/0.9.0

Please test your configuration before relying on it.

Nearly all development is thanks to Steven Hiscocks (THANKS!), merging,
testcases and timezone support from Daniel Black, and code-review and minor
additions from Yaroslav Halchenko.

### Refactoring (IMPORTANT -- Please review your setup and configuration):
* [..bddbf1e] jail.conf was heavily refactored and now is similar
  to how it looked on Debian systems:
     - default action could be configured once for all jails
     - jails definitions only provide customizations (port, logpath)
     - no need to specify 'filter' if name matches jail name
* [..5aef036] Core functionality moved into fail2ban/ module.
  Closes gh-26
     - tests included in module to aid testing and debugging
* Added fail2ban persistent database
     - default location at `/var/lib/fail2ban/fail2ban.sqlite3`
     - allows active bans to be reinstated on restart
     - log files read from last position after restart
* Added systemd journal backend
     - Dependency on python-systemd
     - New "journalmatch" option added to filter configs files
     - New "systemd-journal" option added to fail2ban-regex
* Added python3 support
* Support %z (Timezone offset) and %f (sub-seconds) support for
  datedetector. Enhanced existing date/time have been updated patterns to
  support these. ISO8601 now defaults to localtime unless specified otherwise.
  Some filters have been change as required to capture these elements in the
  right timezone correctly.
* Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
     - Log level INFO is now more verbose
* Optionally can read log files starting from "head" or "tail".
     - See "logpath" option in jail.conf(5) man page.
* Can now set log encoding for files per jail.
     - Default uses systemd locale.

### New Features
* [..c7ae460] Multiline failregex. Close gh-54
* [8af32ed] Guacamole filter and support for Apache Tomcat date
  format
* [..b6059f4] 'timeout' option for actions Close gh-60 and Debian
  bug #410077.  Also it would now capture and include stdout and stderr
  into logging messages in case of error or at DEBUG loglevel.
* Added action xarf-login-attack to report formatted attack messages
  according to the XARF standard (v0.2). Close gh-105
* Support PyPy
* Add filter for apache-botsearch
* Add filter for kerio. Thanks Tony Lawrence for blog of regexs and
  providing samples. Close gh-120
* Filter for stunnel
* Filter for Counter Strike 1.6. Thanks to onorua for logs.
  Close gh-347
* Filter for squirrelmail. Close gh-261
* Filter for tine20. Close gh-583
* Custom date formats (strptime) can now be set in filters and jail.conf
* Python based actions can now be created.
     - SMTP action for sending emails on jail start, stop and ban.
* Added action to use badips.com reporting and blacklist
     - Requires Python 2.7+

### Enhancements
* Fail2ban-regex - don't accumulate lines if not printing them.
  add options to suppress output of missed/ignored lines. Close gh-644
* Asterisk now supports syslog format
* Jail names increased to 26 characters and iptables prefix reduced
  from fail2ban- to f2b- as suggested by buanzo in gh-462.
* Multiline filter for sendmail-spam. Close gh-418
* Multiline regex for Disconnecting: Too many authentication failures for
  root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
* Multiline regex for Disconnecting: Connection from 61.XX.XX.XX port
  51353\nToo many authentication failures for root [preauth]. Thanks
  Helmut Grohne. Close gh-457
* Replacing use of deprecated API (.warning, .assertEqual, etc)
* [..a648cc2] Filters can have options now too which are substituted into
  failregex / ignoreregex
* [..e019ab7] Multiple instances of the same action are allowed in the
  same jail -- use actname option to disambiguate.
* Add honeypot email address to exim-spam filter as argument
* Properties and methods of actions accessible from fail2ban-client
     - Use of properties replaces command actions "cinfo" interface

ver. 0.8.13 (2014/03/15) - maintenance-only-from-now-on
-----------

### Fixes
  - action firewallcmd-ipset had non-working actioncheck. Removed.
    redhat bug #1046816.
  - filter pureftpd - added _daemon which got removed. Added

### New Features
  - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
  - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).

### Enhancements
  - filter asterisk now supports syslog format
  - filter pureftpd - added all translations of "Authentication failed for
    user"
  - filter dovecot - lip= was optional and extended TLS errors can occur.
    Thanks Noel Butler.

ver. 0.8.12 (2014/01/22) - things-can-only-get-better
----------

- IMPORTANT incompatible changes:
  - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
    name length. As per gh-395
  - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
    Part of gh-447.

### Fixes
  - allow for ",milliseconds" in the custom date format of proftpd.log
  - allow for ", referer ..." in apache-* filter for apache error logs.
  - allow for spaces at the beginning of kernel messages. Closes gh-448
  - recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias
  - smtps not a IANA standard and has been removed from Arch. Replaced with
    465. Thanks Stefan. Closes gh-447
  - add 'flushlogs' command to allow logrotation without clobbering logtarget
    settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
  - complain action - ensure where not matching other IPs in log sample.
    Closes gh-467
  - Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622
  - Fix apache-common for apache-2.4 log file format. Thanks Mark White.
    Closes gh-516
  - Asynchat changed to use push method which verifys whether all data was
    send. This ensures that all data is sent before closing the connection.
  - Removed unnecessary reference to as yet undeclared $jail_name when checking
    a specific jail in nagios script.
  - Filter dovecot reordered session and TLS items in regex with wider scope
    for session characters. Thanks Ivo Truxa. Closes gh-586
  - A single bad failregex or command syntax in configuration files won't stop
    fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585.

### Enhancements
  - long names on jails documented based on iptables limit of 30 less
    len("fail2ban-").
  - remove indentation of name and loglevel while logging to SYSLOG to
    resolve syslog(-ng) parsing problems. Closes Debian bug #730202.
  - updated check_fail2ban to return performance data for all jails.
  - filter apache-noscript now includes php cgi scripts.
    Thanks dani. Closes gh-503
  - exim-spam filter to match spamassassin log entry for option SAdevnull.
    Thanks Ivo Truxa. Closes gh-533
  - `filter.d/nsd.conf` -- also amended Unix date template to match nsd format
  - Added to sshd filter expression for `Received disconnect from <HOST>: 3:
    ...: Auth fail`. Thanks Marcel Dopita. Closes gh-289
  - loglines now also report "[PID]" after the name portion
  - Added `filter.d/ejabberd-auth`
  - Improved ACL-handling for Asterisk
  - loglines now also report "[PID]" after the name portion
  - Added improper command pipelining to postfix filter.

### New Features

  - `filter.d/solid-pop3d` -- added thanks to Jacques Lav!gnotte on mailinglist.
  - Add filter for apache-modsecurity.
  - `filter.d/nsd.conf` -- also amended Unix date template to match nsd format
  - Added openwebmail filter thanks Ivo Truxa. Closes gh-543
  - Added filter for freeswitch. Thanks Jim and editors and authors of
    http://wiki.freeswitch.org/wiki/Fail2ban
  - Added groupoffice filter thanks to logs from Merijn Schering.
    Closes gh-566
  - Added filter for horde
  - Added filter for squid. Thanks Roman Gelfand.
  - Added filter for ejabberd-auth.
  - Added `filter.d/openwebmail` filter thanks Ivo Truxa. Closes gh-543
  - Added `filter.d/groupoffice` filter thanks to logs from Merijn Schering.
    Closes gh-566
  - Added `action.d/badips`. Thanks to Amy for making a nice API.
  - Added firewallcmd-ipset action.
  - Added ufw action. Thanks Guilhem Lettron. lp-#701522
  - Added blocklist_de action.


ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes
----------

In light of CVE-2013-2178 that triggered our last release we have put
a significant effort into tightening all of the regexs of our filters
to avoid another similar vulnerability. All filters have been updated
and some to catch more login/authentication failures and to support
for newer application versions. There are test cases for most log
cases of failures now.

As usual, if you have other examples that demonstrate that a filter is
insufficient, or if we have inadvertently introduced a regression,
please provide us with example log lines on the github issue tracker
http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in
some obscure corner of the Internet.

Many thanks to our contributors for this release Daniel Black, Yaroslav
Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski,
Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François
Boulogne and others who have helped on IRC and mailing list, logged issues
and bug requests.

### IMPORTANT incompatible changes

Filter name changes:
    * 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
    * 'sasl' has been renamed to 'postfix-sasl'
    * 'exim' spam catching failregexes was split out into 'exim-spam'
These changes will require changing jail.{conf,local} if any of
those filters were used.

### Fixes
- Jonathan Lanning
    * `filter.d/asterisk` -- identified another regex for blocking. Also channel
      ID is hex not decimal as noted in sample logs provided.
- Daniel Black & Marcel Dopita
    * `filter.d/apache-auth` -- fixed and apache auth samples provide. Closes gh-286
- Yaroslav Halchenko
    * `filter.d/common.conf` -- make colon after [daemon] optional. Closes gh-267
    * `filter.d/apache-common.conf` -- support apache 2.4 more detailed error
      log format.  Closes gh-268
    * Backends changes detection and parsing. Close gh-223 and gh-103:
        - Polling backend: detect changes in the files not only based on
          mtime, but also on the size and inode.  It should allow for
          better detection of changes and log rotations on busy servers,
          older python 2.4, and file systems with precision of mtime only
          up to a second (e.g. ext3).
        - All backends, possible race condition: do not read from a file
          initially reported empty.  Originally could have lead to
          accounting for detected log lines multiple times.
        - Do not crash if executing a command in fail2ban-client interactive
          mode has failed (e.g. due to incorrect syntax). Closes gh-353
- Daniel Black & Мернов Георгий
    * `filter.d/dovecot.conf` -- Fix when no TLS enabled - line doesn't end in ,
- Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
    * `filter.d/exim.conf` -- regex hardening and extra failure examples in
      sample logs
    * `filter.d/named-refused.conf` - BIND 9.9.3 regex changes
- Daniel Black & Sebastian Arcus
    * `filter.d/asterisk` -- more regexes
- Daniel Black
    * `action.d/hostsdeny` -- NOTE: new dependency 'ed'. Switched to use 'ed' across
      all platforms to ensure permissions are the same before and after a ban.
      Closes gh-266. hostsdeny supports daemon_list now too.
    * `action.d/bsd-ipfw` - action option unused. Change blocktype to port unreach
      instead of deny for consistancy.
    * `filter.d/dovecot` - added to support different dovecot failure
      "..disallowed plaintext auth". Closes Debian bug #709324
    * `filter.d/roundcube-auth` - timezone offset can be positive or negative
    * `action.d/bsd-ipfw` - action option unused. Fixed to blocktype for
      consistency. default to port unreach instead of deny
    * `filter.d/dropbear` - fix regexs to match standard dropbear and the patched
      http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
      and add PAM is it in dropbear-2013.60 source code.
    * `filter.d/{asterisk,assp,dovecot,proftpd}.conf` -- regex hardening
      and extra failure examples in sample logs
    * `filter.d/apache-auth` - added expressions for mod_authz, mod_auth and
      mod_auth_digest failures.
    * `filter.d/recidive` -- support f2b syslog target and anchor regex at start
    * `filter.d/mysqld-auth.conf` - mysql can use syslog
    * `filter.d/sshd` - regex enhancements to support openssh-6.3. Closes Debian
      bug #722970. Thanks Colin Watson for the regex analysis.
    * `filter.d/wuftpd` - regex enhancements to support pam and wuftpd. Closes
      Debian bug #665925
- Rolf Fokkens
    * `action.d/dshield.conf` and complain.conf -- reorder mailx arguments.
      https://bugzilla.redhat.com/show_bug.cgi?id=998020
- John Doe (ache)
    * `action.d/bsd-ipfw.conf` - invert actionstop logic to make exist status 0.
      Closes gh-343.
- JP Espinosa (Reviewed by O.Poplawski)
    * files/redhat-initd - rewritten to use stock init.d functions thus
      avoiding problems with getpid.  Also $network and iptables moved
      to Should- rc init fields
- Rick Mellor
    * `filter.d/vsftp` - fix capture with tty=ftp

### New Features
- Edgar Hoch
    * `action.d/firewall-cmd-direct-new.conf` - action for firewalld
      from https://bugzilla.redhat.com/show_bug.cgi?id=979622
      NOTE: requires firewalld-0.3.8+
- Andy Fragen and Daniel Black
    * `filter.d/osx-ipfw.conf` - ipfw action for OSX based on random rule
      numbers.
- Anonymous:
    * `action.d/osx-afctl` - an action based on afctl for osx
- Daniel Black & ykimon
    * `filter.d/3proxy.conf` -- filter added
    * fail2ban-regex - now generates http://www.debuggex.com urls for debugging
      regular expressions with the -D parameter.
- Daniel Black
    * `filter.d/exim-spam.conf` -- a splitout of exim's spam regexes
      with additions for greater control over filtering spam.
    * add date expression for apache-2.4 - milliseconds
    * `filter.d/nginx-http-auth` -- filter added for http basic authentication
      failures in nginx. Partially fulfills gh-405.
- Christophe Carles & Daniel Black
    * `filter.d/perdition.conf` -- filter added
- Mark McKinstry
    * `action.d/apf.conf` - add action for Advanced Policy Firewall (apf)
- Amir Caspi and kjohnsonecl
    * `filter.d/uwimap-auth` - filter for uwimap-auth IMAP/POP server
- Steven Hiscocks and Daniel Black
    * `filter.d/selinux-{common,ssh`} -- add SELinux date and ssh filter

### Enhancements
- François Boulogne and Frédéric
    * `filter.d/lighttpd` - auth regexs for lighttpd-1.4.31
- Daniel Black
    * reorder parsing of jail.conf, `jail.d/*.conf`, `jail.local`, `jail.d/*.local`
      and likewise for `fail2ban.{conf|local|d/*.conf|d/*.local`}. Closes gh-392
    * jail.conf now has asterisk jail - no need for asterisk-tcp and
      asterisk-udp. Users should replace existing jails with asterisk to
      reduce duplicate parsing of the asterisk log file.
    * `filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin`}- regex anchor at
      start
    * `filter.d/vsftpd` - anchored regex at start. disable old pam format regex
    * `filter.d/pam-generic` - added syslog prefix. Disabled support for
      linux-pam before version 0.99.2.0 (2005)
    * `filter.d/postfix-sasl` - renamed from sasl, anchor at start and base on
      syslog
    * `filter.d/qmail` - rewrote regex to anchor at start. Added regex for
      another "in the wild" patch to rblsmtp.
- Yaroslav Halchenko
    * fail2ban-regex -- refactored to provide more details (missing and
      ignored lines, control over logging, etc) while maintaining look&feel
    * fail2ban-client -- log to standard error. Closes gh-264
    * Fail to configure if not a single log file was found for an
      enabled jail. Closes gh-63
    * `<HOST>` is now enforced to end with an alphanumeric
    * `filter.d/roundcube-auth.conf` -- anchored version
    * date matching - for standard asctime formats prefer more detailed
      first (thus use year if available)
    * files/gen_badbots was added and `filter.d/apache-badbots.conf` was
      regenerated to get updated (although now still an old) list of
      "bad" bots
- Alexander Dietrich
    * `action.d/sendmail-common.conf` -- added common sendmail settings file
      and made the sender display name configurable
- Steven Hiscocks
    * `filter.d/dovecot` - Addition of session, time values and possible blank
      user
- Zurd and Daniel Black
    * `filter.d/named-refused` - added refused on zone transfer
    * `filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd`} - General
      regex improvements
- Zurd
    * `filter.d/postfix` - add filter for VRFY failures. Closes gh-322.
- Orion Poplawski
    * `fail2ban.d/` and `jail.d/` directories are added to `etc/fail2ban` to facilitate
      their use

ver. 0.8.10 (2013/06/12) - wanna-be-secure
-----------

Primarily bugfix and enhancements release, triggered by "bugs" in
apache- filters.  If you are relying on listed below apache- filters,
upgrade asap and seek your distributions to patch their fail2ban
distribution with [6ccd5781].

### Fixes
- Yaroslav Halchenko
    * [6ccd5781] `filter.d/apache-{auth,nohome,noscript,overflows`} - anchor
      failregex at the beginning (and where applicable at the end).
      Addresses a possible DoS. Closes gh-248
    * `action.d/{route,shorewall}.conf` - blocktype must be defined
      within [Init].  Closes gh-232
### Enhancements
- Yaroslav Halchenko
    * jail.conf -- assure all jails have actions and remove unused
      ports specifications
- Terence Namusonge
    * `filter.d/roundcube-auth.conf` -- support roundcube 0.9+
- Daniel Black
    * `files/suse-initd` -- update to the copy from stock SUSE
      silviogarbes & Daniel Black
    * Updates to asterisk filter. Closes gh-227/gh-230.
- Carlos Alberto Lopez Perez
    * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.

ver. 0.8.9 (2013/05/13) - wanna-be-stable
----------

Originally targeted as a bugfix release, it incorporated many new
enhancements, few new features, and more importantly -- quite extended
tests battery with current 94% coverage (from 56% of 0.8.8).

This release introduces over 200 of non-merge commits from 16
contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.

Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
Hendrikx, Yehuda Katz and other TBN heroes supporting users on
fail2ban-users mailing list and IRC.

### Fixes
- Yaroslav Halchenko
    * [6f4dad46] python-2.4 is the minimal version.
    * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
      on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
    * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
      insight. Closes gh-103.
    * [ab044b75] delay check for the existence of config directory until read.
    * [3b4084d4] fixing up for handling of TAI64N timestamps.
    * [154aa38e] do not shutdown logging until all jails stop.
    * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184.
      Thanks to Jon Foster for report and troubleshooting.
- Orion Poplawski
    * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
      newly created directories.
- Nicolas Collignon
    * [39667ff6] Avoid leaking file descriptors. Closes gh-167.
- Sergey Brester
    * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
      sorting template list.
- Steven Hiscocks
    * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
      Closes gh-147, gh-148.
    * [b6a68f51] Fix delaction on server side. Closes gh-124.
- Daniel Black
    * [f0610c01] Allow more that a one word command when changing and Action via
      the fail2ban-client. Closes gh-134.
    * [945ad3d9] Fix dates on email actions to work in different locals. Closes
      gh-70. Thanks to iGeorgeX for the idea.
- blotus
    * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
- Christoph Theis, Nick Hilliard, Daniel Black
    * [b3bd877d,cde71080] Make `syslog -v` and `syslog -vv` formats work on FreeBSD

### New Features
- Yaroslav Halchenko
    * [9ba27353] Add support for `jail.d/{confilefile}` and `fail2ban.d/{configfile}`
      to provide additional flexibility to system adminstrators. Thanks to
      beilber for the idea. Closes gh-114.
    * [3ce53e87] Add exim filter.
- Erwan Ben Souiden
    * [d7d5228] add nagios integration documentation and script to ensure
      fail2ban is running. Closes gh-166.
- Artur Penttinen
    * [29d0df5] Add mysqld filter. Closes gh-152.
- ArndRaphael Brandes
    * [bba3fd8] Add Sogo filter. Closes gh-117.
- Michael Gebetsriother
    * [f9b78ba] Add action route to block at routing level.
- Teodor Micu & Yaroslav Halchenko
    * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
- Daniel Black
    * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
- Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
    * [b6d0e8a] Add and enhance the bsd-ipfw action from
      FreeBSD ports.
- Soulard Morgan
    * [f336d9f] Add filter for webmin. Closes gh-99.
- Steven Hiscocks
    * [..746c7d9] bash interactive shell completions for fail2ban-*'s
- Nick Hilliard
    * [0c5a9c5] Add pf action.

### Enhancements
- Enrico Labedzki
    * [24a8d07] Added new date format for ASSP SMTP Proxy.
- Steven Hiscocks
    * [3d6791f] Ensure restart of Actions after a check fails occurs
      consistently. Closes gh-172.
    * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
    * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
    * [ce3ab34] Added ability to specify PID file.
- Orion Poplawski
    * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
      Closes gh-142.
- Yaroslav Halchenko
    * [MANY] Lots of improvements to log messages, man pages and test cases.
    * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
      Closes gh-126. Bug report by Michael Heuberger.
    * [40c5a2d] adding more of diagnostic messages into -client while starting
      the daemon.
    * [8e63d4c] Compare against None with 'is' instead of '=='.
    * [6fef85f] Strip CR and LF while analyzing the log line
- Daniel Black
    * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
    * [MANY] man page edits.
    * [7cd6dab] Added help command to fail2ban-client.
    * [c8c7b0b,23bbc60] Better logging of log file read errors.
    * [3665e6d] Added code coverage to development process.
    * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
      source. Also include BSD changes.
    * [1d9abd1] Action files can have tags in definition that refer to other
      tags.
    * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
      unreachable rather than just a drop of the packet.
- Pascal Borreli
    * [a2b29b4] Fixed lots of typos in config files and documentation.
- hamilton5
    * [7ede1e8] Update dovecot filter config.
- Romain Riviere
    * [0ac8746] Enhance named-refused filter for views.
- James Stout
    * [..2143cdf] Solaris support enhancements:
        - `README.Solaris`
        - failregex'es tune ups (`sshd.conf`)
        - hostsdeny: do not rely on support of '-i' in sed

ver. 0.8.8 (2012/12/06) - stable
----------
### Fixes
- Alan Jenkins
    * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
      banning due to misconfigured DNS. Closes gh-64
- Yaroslav Halchenko
    * [83109bc] IMPORTANT: escape the content of <matches> (if used in
      custom action files) since its value could contain arbitrary
      symbols.  Thanks for discovery go to the NBS System security
      team
    * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83
    * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
    * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
      in the console. Closes gh-91

### New Features
- David Engeset
    * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
      the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86

### Enhancements
* [2d66f31] replaced uninformative "Invalid command" message with warning log
  exception why command actually failed
* [958a1b0] improved failregex to "support" auth.backend = "htdigest"
* [9e7a3b7] until we make it proper module -- adjusted sys.path only if
  system-wide run
* [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
* [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
  for this gh-87)
* Various others: travis-ci integration, script to run tests
  against all available Python versions, etc

ver. 0.8.7.1 (2012/07/31) - stable
----------

### Fixes
* [e9762f3] Removed sneaked in comment on sys.path.insert

ver. 0.8.7 (2012/07/31) - stable
----------

### Fixes
- Tom Hendrikx & Jeremy Olexa
    * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
      See http://forums.gentoo.org/viewtopic-t-899018.html
- Chris Reffett
    * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
      rather than just one failure.
- Yaroslav Halchenko
    * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
    * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
    * [ed16ecc] enforce "ip" field returned as str, not unicode so that log
      message stays non-unicode. Close gh-32
    * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
      already present in the pattern
    * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
      friend to developers stuck with Windows (Closes gh-66)
    * [80b191c] anchor grep regexp in actioncheck to not match partial names
      of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
### New Features
- François Boulogne
    * [a7cb20e..] add lighttpd-auth filter/jail
- Lee Clemens & Yaroslav Halchenko
    * [e442503] pyinotify backend (default if backend='auto' and pyinotify
      is available)
    * [d73a71f,3989d24] usedns parameter for the jails to allow disabling
      use of DNS
- Tom Hendrikx
    * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
      repeated offenders. Close gh-19
- Xavier Devlamynck
    * [7d465f9..] Add asterisk support
- Zbigniew Jędrzejewski-Szmek
    * [de502cf..] allow running fail2ban as non-root user (disabled by
      default) via xt_recent. See doc/run-rootless.txt
### Enhancements
- Lee Clemens
    * [47c03a2] files/nagios - spelling/grammar fixes
    * [b083038] updated Free Software Foundation's address
    * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
    * [642d9af,3282f86] reformated printing of jail's name to be consistent
      with init's info messages
    * [3282f86] uniform use of capitalized Jail in the messages
- Leonardo Chiquitto
    * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
      to reflect code
    * [a7d47e8] Update Free Software Foundation's address
- Petr Voralek
    * [4007751] catch failed ssh logins due to being listed in DenyUsers.
      Close gh-47 (Closes: #669063)
- Yaroslav Halchenko
    * [MANY]    extended and robustified unittests: test different backends
    * [d9248a6] refactored Filter's to avoid duplicate functionality
    * [7821174] direct users to issues on github
    * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
      default with -v to control verbosity
    * [b4099da] adjusted header for config/*.conf to mention .local and way
      to comment (Thanks Stefano Forli for the note)
    * [6ad55f6] added failregex for wu-ftpd to match against syslog instead
      of DoS-prone auth.log's rhost (Closes: #514239)
    * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
      sshd filter (Closes: #648020)
- Yehuda Katz & Yaroslav Halchenko
    * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers

ver. 0.8.6 (2011/11/28) - stable
----------
### Fixes
- Markos Chandras & Yaroslav Halchenko
    * [492d8e5,bd658fc] Use hashlib (instead of deprecated md5) where available
- Robert Trace & Michael Lorant
    * [c48c2b1] gentoo-initd cleanup and fixes: assure `/var/run` + remove stale
      sock file
- Michael Saavedra
    * [3a58d0e] Lock server's executeCmd to prevent racing among iptables calls:
      see http://bugs.debian.org/554162
- Yaroslav Halchenko
    * [3eb5e3b] Allow for trailing spaces in sasl logs
    * [1632244] Stop server-side communication before stopping the
      jails (prevents lockup if actions use fail2ban-client upon
      unban): see https://github.com/fail2ban/fail2ban/issues/7
    * [5a2d518] Various changes to reincarnate unittests
- Yehuda Katz
    * Wiki was cleaned from SPAM

### Enhancements
- Adam Spiers
    * [3152afb] Recognise time-stamped kernel messages
- Guido Bozzetto
    * [713fea6] Added ipmasq rule file to restart fail2ban when iptables are
      wiped out: see http://bugs.debian.org/461417
- Łukasz
    * [5f23542] Matching of month names in Polish (thanks michaelberg79
      for QA)
- Tom Hendrikx
    * [9fa54cf] Added Date: header for sendmail*.conf actions
- Yaroslav Halchenko & Tom Hendrikx
    * [b52d420..22b7007] <matches> in action files now can be used
      to provide matched loglines which triggered action
- Yaroslav Halchenko
    * [ed0bf3a] Removed duplicate entry for DataCha0s/2\.0 in badbots:
      see http://bugs.debian.org/519557
    * [dad91f7] sshd.conf: allow user names to have spaces and
      trailing spaces in the line
    * [a9be451] removed expansions for few Date and Revision SVN keywords
    * [a33135c] set/getFile for ticket.py -- found in source distribution
      of 0.8.4
    * [fbce415] additional logging while stopping the jails

ver. 0.8.5 (2011/07/28) - stable
----------
- Fix: use addfailregex instead of failregex while processing per-jail
  "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to
  Marat Khayrullin for the patch and Daniel T Chen for forwarding to
  Debian.
- Fix: use os.path.join to generate full path - fixes includes in configs
  given local filename (5 weeks ago) [yarikoptic]
- Fix: allowed for trailing spaces in proftpd logs
- Fix: escaped () in pure-ftpd filter. Thanks to Teodor
- Fix: allowed space in the trailing of failregex for sasl.conf:
  see http://bugs.debian.org/573314
- Fix: use `/var/run/fail2ban` instead of `/tmp` for temp files in actions:
  see http://bugs.debian.org/544232
- Fix: Tai64N stores time in GMT, needed to convert to local time before
  returning
- Fix: disabled named-refused-udp jail entirely with a big fat warning
- Fix: added time module. Bug reported in buanzo's blog:
  see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
- Fix: Patch to make log file descriptors cloexec to stop leaking file
  descriptors on fork/exec. Thanks to Jonathan Underwood:
  see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24
- Enhancement: added author for dovecot filter and pruned unneeded space
  in the regexp
- Enhancement: proftpd filter -- if login failed -- count regardless of the
  reason for failure
- Enhancement: added <chain> to `action.d/iptables*`. Thanks to Matthijs Kooijman:
  see http://bugs.debian.org/515599
- Enhancement: added `filter.d/dovecot.conf` from Martin Waschbuesch
- Enhancement: made `filter.d/apache-overflows.conf` catch more:
  see http://bugs.debian.org/574182
- Enhancement: added dropbear filter from Francis Russell and Zak B. Elep:
  see http://bugs.debian.org/546913
- Enhancement: changed default ignoreip to ignore entire loopback zone (/8):
  see http://bugs.debian.org/598200
- Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer
- Few minor cosmetic changes

ver. 0.8.4 (2009/09/07) - stable
----------
- Check the inode number for rotation in addition to checking the first line of
  the file. Thanks to Jonathan Kamens. Red Hat #503852. Tracker #2800279.
- Moved the shutdown of the logging subsystem out of Server.quit() to
  the end of Server.start(). Fixes the 'cannot release un-acquired lock'
  error.
- Added "Ban IP" command. Thanks to Arturo 'Buanzo' Busleiman.
- Added two new filters: lighttpd-fastcgi and php-url-fopen.
- Fixed the 'unexpected communication error' problem by means of
  use_poll=False in Python >= 2.6.
- Merged patches from Debian package. Thanks to Yaroslav Halchenko.
- Use current day and month instead of Jan 1st if both are not available in the
  log. Thanks to Andreas Itzchak Rehberg.
- Try to match the regex even if the line does not contain a valid date/time.
  Described in Debian #491253. Thanks to Yaroslav Halchenko.
- Added/improved filters and date formats.
- Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to
  Russell Odom.
- Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to
  Detlef Reichelt.
- Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
- Added nagios script. Thanks to Sebastian Mueller.
- Added CPanel date format. Thanks to David Collins. Tracker #1967610.
- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
- Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115.
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
- Changed `<HOST>` template to be more restrictive. Debian bug #514163.
- Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct
  fix but seems to work. Tracker #2500276.
- Made the named-refused regex a bit less restrictive in order to match logs
  with "view". Thanks to Stephen Gildea.
- Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714

ver. 0.8.3 (2008/07/17) - stable
----------
- Process failtickets as long as failmanager is not empty.
- Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav
  Halchenko.
- Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
- Fixed PID file while started in daemon mode. Thanks to Christian Jobic who
  submitted a similar patch.
- Fixed `fail2ban-client get <jail> logpath`. Bug #1916986.
- Added gssftpd filter. Thanks to Kevin Zembower.
- Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis
  Winter.
- Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
- Added ISO 8601 date/time format.
- Added and changed some logging level and messages.
- Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
- Use poll instead of select in asyncore.loop. This should solve the "Unknown
  error 514". Thanks to Michael Geiger and Klaus Lehmann.

ver. 0.8.2 (2008/03/06) - stable
----------
- Fixed named filter. Thanks to Yaroslav Halchenko
- Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
- Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be
  possible to create stronger failregex against log injection
- Fixed ipfw action script. Thanks to Nick Munger
- Removed date from logging message when using SYSLOG. Thanks to Iain Lea
- Fixed "ignore IPs". Only the first value was taken into account. Thanks to
  Adrien Clerc
- Moved socket to `/var/run/fail2ban`.
- Rewrote the communication server.
- Refactoring. Reduced number of files.
- Removed Python 2.4. Minimum required version is now Python 2.3.
- New log rotation detection algorithm.
- Print monitored files in status.
- Create a PID file in `/var/run/fail2ban/`. Thanks to Julien Perez.
- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks
  to Yaroslav Halchenko for the fix.
- `reload <jail>` reloads a single jail and the parameters in fail2ban.conf.
- Added Mac OS/X startup script. Thanks to Bill Heaton.
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
- Replaced "echo" with "printf" in actions. Fix #1839673
- Replaced "reject" with "drop" in shorwall action. Fix #1854875
- Fixed Debian bug #456567, #468477, #462060, #461426
- readline is now optional in fail2ban-client (not needed in fail2ban-server).

ver. 0.8.1 (2007/08/14) - stable
----------
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
- Improved regular expressions. Thanks to Yaroslav Halchenko and others
- Added sendmail actions. The action started with "mail" are now deprecated.
  Thanks to Raphaël Marichez
- Added "ignoreregex" support to fail2ban-regex
- Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
- Tightening up the pid check in redhat-initd. Thanks to David Nutter
- Added webmin authentication filter. Thanks to Guillaume Delvit
- Removed textToDns() which is not required anymore. Thanks to Yaroslav
  Halchenko
- Added new action iptables-allports. Thanks to Yaroslav Halchenko
- Added "named" date format to date detector. Thanks to Yaroslav Halchenko
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko

ver. 0.8.0 (2007/05/03) - stable
----------
- Fixed RedHat init script. Thanks to Jonathan Underwood
- Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner

ver. 0.7.9 (2007/04/19) - release candidate
----------
- Close opened handlers. Thanks to Yaroslav Halchenko
- Fixed "reload" bug. Many many thanks to Yaroslav Halchenko
- Added date format for asctime without year
- Modified filters config. Thanks to Michael C. Haller
- Fixed a small bug in mail-buffered.conf

ver. 0.7.8 (2007/03/21) - release candidate
----------
- Fixed asctime pattern in datedetector.py
- Added new filters/actions. Thanks to Yaroslav Halchenko
- Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
- Moved every locking statements in a try..finally block

ver. 0.7.7 (2007/02/08) - release candidate
----------
- Added signal handling in fail2ban-client
- Added a wonderful visual effect when waiting on the server
- fail2ban-client returns an error code if configuration is not valid
- Added new filters/actions. Thanks to Yaroslav Halchenko
- Call Python interpreter directly (instead of using "env")
- Added file support to fail2ban-regex. Benchmark feature has been removed
- Added cacti script and template.
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier

ver. 0.7.6 (2007/01/04) - beta
----------
- Added a "sleep 1" in redhat-initd. Thanks to Jim Wight
- Use `/dev/log` for SYSLOG output. Thanks to Joerg Sommrey
- Use numeric output for iptables in "actioncheck"
- Fixed removal of host in hosts.deny. Thanks to René Berber
- Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
- Several "failregex" and "ignoreregex" are now accepted. Creation of rules
  should be easier now.
- Added license in COPYING. Thanks to Axel Thimm
- Allow comma in action options. The value of the option must be escaped with "
  or '. Thanks to Yaroslav Halchenko
- Now Fail2ban goes in `/usr/share/fail2ban` instead of `/usr/lib/fail2ban`. This is
  more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko

ver. 0.7.5 (2006/12/07) - beta
----------
- Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
- The supported tags in "action(un)ban" are `<ip>`, `<failures>` and `<time>`
- Fixed refactoring bug (getLastcommand -> getLastAction)
- Added option "ignoreregex" in filter scripts and `jail.conf`.
  Feature Request #1283304
- Fixed a bug in user defined time regex/pattern
- Improved documentation
- Moved `version.py` and `protocol.py` to `common/`
- Merged "maxtime" option with "findtime"
- Added `<HOST>` tag support in failregex which matches default IP
  address/hostname. `(?P<host>\S)` is still valid and supported
- Fixed exception when calling fail2ban-server with unknown option
- Fixed Debian bug 400162. The "socket" option is now handled correctly by
  `fail2ban-client`
- Fixed RedHat init script. Thanks to Justin Shore
- Changed timeout to 30 secondes before assuming the server cannot be started.
  Thanks to Joël Bertrand

ver. 0.7.4 (2006/11/01) - beta
----------
- Improved configuration files. Thanks to Yaroslav Halchenko
- Added man page for "fail2ban-regex"
- Moved ban/unban messages from "info" level to "warn"
- Added "-s" option to specify the socket path and "socket" option in
  "fail2ban.conf"
- Added "backend" option in "jail.conf"
- Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph
  Haas
- Improved testing framework
- Fixed a bug in the return code handling of the executed commands. Thanks to
  Yaroslav Halchenko
- Signal handling. There is a bug with join() and signal in Python
- Better debugging output for "fail2ban-regex"
- Added support for more date format
- cPickle does not work with Python 2.5. Use pickle instead (performance is not
  a problem in our case)

ver. 0.7.3 (2006/09/28) - beta
----------
- Added man pages. Thanks to Yaroslav Halchenko
- Added wildcard support for "logpath"
- Added Gamin (file and directory monitoring system) support
- (Re)added "ignoreip" option
- Added more concurrency protection
- First attempt at solving bug #1457620 (locale issue)
- Performance improvements
- (Re)added permanent banning with banTime < 0
- Added DNS support to "ignoreip". Feature Request #1285859

ver. 0.7.2 (2006/09/10) - beta
----------
- Refactoring and code cleanup
- Improved client output
- Added more get/set commands
- Added more configuration templates
- Removed "logpath" and "maxretry" from filter templates. They must be defined
  in jail.conf now
- Added interactive mode. Use "-i"
- Added a date detector. "timeregex" and "timepattern" are no more needed
- Added "fail2ban-regex". This is a tool to help finding "failregex"
- Improved server communication. Start a new thread for each incoming request.
  Fail2ban is not really thread-safe yet

ver. 0.7.1 (2006/08/23) - alpha
----------
- Fixed daemon mode bug
- Added Gentoo init.d script
- Fixed path bug when trying to start "fail2ban-server"
- Fixed reload command

ver. 0.7.0 (2006/08/23) - alpha
----------
- Almost a complete rewrite :) Fail2ban design is really better (IMHO). There is
  a lot of new features
- Client/Server architecture
- Multithreading. Each jail has its own threads: one for the log reading and
  another for the actions
- Execute several actions
- Split configuration files. They are more readable and easy to use
- failregex uses group (<host>) now. This feature was already present in the
  Debian package
- lots of things...

ver. 0.6.1 (2006/03/16) - stable
----------
- Added permanent banning. Set banTime to a negative value to enable this
  feature (-1 is perfect). Thanks to Mannone
- Fixed locale bug. Thanks to Fernando José
- Fixed crash when time format does not match data
- Propagated patch from Debian to fix fail2ban search path addition to the path
  search list: now it is added first. Thanks to Nick Craig-Wood
- Added SMTP authentification for mail notification. Thanks to Markus Hoffmann
- Removed debug mode as it is confusing for people
- Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark
  Edgington
- Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick
  Börjesson
- Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local
  network.
- Robust startup: if iptables module does not get fully initialized after
  startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its
  own firewall. It will sleep between attempts for "polltime" number of seconds
  (closes Debian: #334272). Thanks to Yaroslav Halchenko
- Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser
  module. Old configuration files still work. Thanks to Yaroslav Halchenko
- Added initial support for hosts.deny and shorewall. Need more testing. Please
  test. Thanks to kojiro from Gentoo forum for hosts.deny support
- Added support for vsftpd. Thanks to zugeschmiert

ver. 0.6.0 (2005/11/20) - stable
----------
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
  * Added an option to report local time (including timezone) or GMT in mail
    notification.

ver. 0.5.5 (2005/10/26) - beta
----------
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
  * Introduced fwcheck option to verify consistency of the chains. Implemented
    automatic restart of fail2ban main function in case check of fwban or
    fwunban command failed (closes: #329163, #331695). (Introduced patch was
    further adjusted by upstream author).
  * Added -f command line parameter for [findtime].
  * Added a cleanup of firewall rules on emergency shutdown when unknown
    exception is catched.
  * Fail2ban should not crash now if a wrong file name is specified in config.
  * reordered code a bit so that log targets are setup right after background
    and then only loglevel (verbose, debug) is processed, so the warning could
    be seen in the logs
  * Added a keyword `<section>` in parsing of the subject and the body of an email
    sent out by fail2ban (closes: #330311)

ver. 0.5.4 (2005/09/13) - beta
----------
- Fixed bug #1286222.
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
  * Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target
    and facility as directed by the config
  * Format of SYSLOG entries fixed to look closer to standard
  * Fixed errata in config/gentoo-confd
  * Introduced findtime configuration variable to control the lifetime of caught
    "failed" log entries

ver. 0.5.3 (2005/09/08) - beta
----------
- Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav
  Halchenko
- Added more debug output if an error occurs when sending mail. Thanks to
  Stephen Gildea
- Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to
  Stephen Gildea
- Hopefully fixed bug #1256075
- Fixed bug #1262345
- Fixed exception handling in PIDLock
- Removed warning when using "-V" or "-h" with no config file. Thanks to
  Yaroslav Halchenko
- Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko

ver. 0.5.2 (2005/08/06) - beta
----------
- Better PID lock file handling. Should close #1239562
- Added man pages
- Removed log4py dependency. Use logging module instead
- "maxretry" and "bantime" can be overridden in each section
- Fixed bug #1246278 (excessive memory usage)
- Fixed crash on wrong option value in configuration file
- Changed custom chains to lowercase

ver. 0.5.1 (2005/07/23) - beta
----------
- Fixed bugs #1241756, #1239557
- Added log targets in configuration file. Removed -l option
- Changed iptables rules in order to create a separated chain for each section
- Fixed static banList in firewall.py
- Added an initd script for Debian. Thanks to Yaroslav Halchenko
- Check for obsolete files after install

ver. 0.5.0 (2005/07/12) - beta
----------
- Added support for CIDR mask in ignoreip
- Added mail notification support
- Fixed bug #1234699
- Added tags replacement in rules definition. Should allow a clean solution for
  Feature Request #1229479
- Removed "interface" and "firewall" options
- Added start and end commands in the configuration file. Thanks to Yaroslav
  Halchenko
- Added firewall rules definition in the configuration file
- Cleaned fail2ban.py
- Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin

ver. 0.4.1 (2005/06/30) - stable
----------
- Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...".
  Thanks to Tom Pike
- `fail2ban.conf` modified for readability. Thanks to Iain Lea
- Added an initd script for Gentoo
- Changed default PID lock file location from `/tmp` to `/var/run`

ver. 0.4.0 (2005/04/24) - stable
----------
- Fixed textToDNS which did not recognize strings like
  "12-345-67-890.abcd.mnopqr.xyz"

ver. 0.3.1 (2005/03/31) - beta
----------
- Corrected level of messages
- Added DNS lookup support
- Improved parsing speed. Only parse the new log messages
- Added a second verbose level (-vv)

ver. 0.3.0 (2005/02/24) - beta
----------
- Re-writting of parts of the code in order to handle several log files with
  different rules
- Removed `sshd.py` because it is no more needed
- Fixed a bug when exiting with IP in the ban list
- Added PID lock file
- Improved some parts of the code
- Added `ipfw-start-rule` option (thanks to Robert Edeker)
- Added -k option which kills a currently running Fail2Ban

ver. 0.1.2 (2004/11/21) - beta
----------
- Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to
  Robert Edeker
- Add -e option which allows to set the interface. Thanks to Robert Edeker who
  reminded me this
- Small code cleaning

ver. 0.1.1 (2004/10/23) - beta
----------
- Add SIGTERM handler in order to exit nicely when in daemon mode
- Add -r option which allows to set the maximum number of login failures
- Remove the Metalog class as the log file are not so syslog daemon specific
- Rewrite log reader to be service centered. Sshd support added. Match "Failed
  password" and "Illegal user"
- Add `/etc/fail2ban.conf` configuration support
- Code documentation

ver. 0.1.0 (2004/10/12) - alpha
----------
- Initial release