MRG: from 0.9

2014-01-12 20:15:34 +11:00 · 2014-01-12 20:15:34 +11:00 · 1e8ed55a36
parent 359210f224 e73090d040
commit 1e8ed55a36
222 changed files with 7230 additions and 2778 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@ htmlcov
 *.orig
 *.rej
 *.bak
 __pycache__
--- a/.travis.yml
+++ b/.travis.yml
@ -2,11 +2,11 @@
 # travis-ci.org definition for Fail2Ban build
 language: python
 python:
  - "2.5"
  - "2.6"
  - "2.7"
  - "3.2"
  - "3.3"
  - "pypy"
 before_install:
  - sudo apt-get update -qq
 install:
--- a/293
+++ b/293
@ -4,55 +4,167 @@
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
 ================================================================================
-Fail2Ban (version 0.9.0a1)                                            20??/??/??
+Fail2Ban (version 0.9.0a2)                                            2014/??/??
 ================================================================================
-ver. 0.9.0 (2013/??/??) - alpha
+ver. 0.9.0 (2014/??/??) - alpha
 ----------
-Carries all fixes in 0.8.9 and new features and enhancements.  Nearly
+Carries all fixes, features and enhancements from 0.8.12 with major changes.
-all development is thanks to Steven Hiscocks (THANKS!) with only
+Nearly all development is thanks to Steven Hiscocks (THANKS!), merging,
-code-review and minor additions from Yaroslav Halchenko.
+testcases and timezone support from Daniel Black, and code-review and minor
 additions from Yaroslav Halchenko.
 The minimum supported python version is now 2.6. If you have python-2.4 or 2.5
 you can use the 0.8.12 version of fail2ban.
 Major changes have occured since version 0.8.12. Please test your
 configuration before relying on it.
 - Refactoring (IMPORTANT -- Please review your setup and configuration):
  Yaroslav Halchenko
   * [..bddbf1e] jail.conf was heavily refactored and now is similar
     to how it looked on Debian systems:
     - default action could be configured once for all jails
     - jails definitions only provide customizations (port, logpath)
     - no need to specify 'filter' if name matches jail name
  Steven Hiscocks
   * [..5aef036] Core functionality moved into fail2ban/ module.
     Closes gh-26
- New features:
+   * Added fail2ban persistent database
-  Steven Hiscocks
+     - default location at /var/lib/fail2ban/fail2ban.sqlite3
-   * [..c7ae460] Multiline failregex. Close gh-54
+     - allows active bans to be reinstated on restart
-   * [8af32ed] Guacamole filter and support for Apache Tomcat date
+     - log files read from last position after restart
-     format
+   * Added systemd journal backend
-   * [..4869186] Python3 support
+     - Dependency on python-systemd
-   * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug
+     - New "journalmatch" option added to filter configs files
-     #410077.  Also it would now capture and include stdout and stderr
+     - New "systemd-journal" option added to fail2ban-regex
-     into logging messages in case of error or at DEBUG loglevel.
+   * Added python3 support
 - Enhancements
  Steven Hiscocks
   * Replacing use of deprecated API (.warning, .assertEqual, etc)
   * [..a648cc2] Filters can have options now too
   * [..e019ab7] Multiple instances of the same action are allowed in the
     same jail -- use actname option to disambiguate.
  Daniel Black
   * Support %z (Timezone offset) and %f (sub-seconds) support for
     datedetector. Enhanced existing date/time have been updated patterns to
     support these. ISO8601 now defaults to localtime unless specified otherwise.
     Some filters have been change as required to capture these elements in the
     right timezone correctly.
-ver. 0.8.11 (2013/XX/XXX) - loves-unittests
+- New features:
   * [..c7ae460] Multiline failregex. Close gh-54
   * [8af32ed] Guacamole filter and support for Apache Tomcat date
     format
   * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug
     #410077.  Also it would now capture and include stdout and stderr
     into logging messages in case of error or at DEBUG loglevel.
   * Added action xarf-login-attack to report formatted attack messages
     according to the XARF standard (v0.2). Close gh-105
   * Support PyPy
   * Add filter for apache-botsearch
   * Filter for stunnel
   * Filter for Counter Strike 1.6. Thanks to onorua for logs.
     Close gh-347
 - Enhancements
   * Jail names increased to 26 characters and iptables prefix reduced
     from fail2ban- to f2b- as suggested by buanzo in gh-462.
   * Multiline filter for sendmail-spam. Close gh-418
   * Multiline regex for Disconnecting: Too many authentication failures for
     root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
   * Replacing use of deprecated API (.warning, .assertEqual, etc)
   * [..a648cc2] Filters can have options now too which are substituted into
     failregex / ignoreregex
   * [..e019ab7] Multiple instances of the same action are allowed in the
     same jail -- use actname option to disambiguate.
   * Add honeypot email address to exim-spam filter as argument
 ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
 -----------
 - IMPORTANT incompatible changes:
 - Fixes:
  - Rename firewall-cmd-direct-new to firewall-cmd-new to fit within jail name
    name length. As per gh-395
  - allow for ",milliseconds" in the custom date format of proftpd.log
  - allow for ", referer ..." in apache-* filter for apache error logs.
  - allow for spaces at the beginning of kernel messages. Closes gh-448
  - recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias
  - smtps not a IANA standard and has been removed from Arch. Replaced with
    465. Thanks Stefan. Closes gh-447
  - mysqld-syslog-iptables rule was too long. Part of gh-447.
  - add 'flushlogs' command to allow logrotation without clobbering logtarget
    settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
  - complain action - ensure where not matching other IPs in log sample.
    Closes gh-467
  - Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622
  - Fix apache-common for apache-2.4 log file format. Thanks Mark White.
    Closes gh-516
  - Asynchat changed to use push method which verifys whether all data was
 	  send. This ensures that all data is sent before closing the connection.
  - Removed unnecessary reference to as yet undeclared $jail_name when checking
    a specific jail in nagios script.
 - Enhancements:
  - added firewallcmd-ipset action
  - long names on jails documented based on iptables limit of 30 less
    len("fail2ban-").
  - remove indentation of name and loglevel while logging to SYSLOG to
    resolve syslog(-ng) parsing problems. Closes Debian bug #730202.
  - added squid filter. Thanks Roman Gelfand.
  - updated check_fail2ban to return performance data for all jails.
  - filter apache-noscript now includes php cgi scripts.
    Thanks dani. Closes gh-503
  - added ufw action. Thanks Guilhem Lettron. lp-#701522
  - exim-spam filter to match spamassassin log entry for option SAdevnull.
    Thanks Ivo Truxa. Closes gh-533
  - filter.d/nsd.conf -- also amended Unix date template to match nsd format
  - Added to sshd filter expression for "Received disconnect from <HOST>: 3:
    ...: Auth fail". Thanks Marcel Dopita. Closes gh-289
  - loglines now also report "[PID]" after the name portion
 - New Features:
  - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
  - Add filter for apache-modsecurity
  - filter.d/nsd.conf -- also amended Unix date template to match nsd format
  - Added openwebmail filter thanks Ivo Truxa. Closes gh-543
  - Added filter for freeswitch. Thanks Jim and editors and authors of 
    http://wiki.freeswitch.org/wiki/Fail2ban
  - Added groupoffice filter thanks to logs from Merijn Schering.
    Closes gh-566
  - Added filter for horde
 ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes
 In light of CVE-2013-2178 that triggered our last release we have put
 a significant effort into tightening all of the regexs of our filters
 to avoid another similar vulnerability. All filters have been updated
 and some to catch more login/authentication failures and to support
 for newer application versions. There are test cases for most log
 cases of failures now.
 As usual, if you have other examples that demonstrate that a filter is
 insufficient, or if we have inadvertently introduced a regression,
 please provide us with example log lines on the github issue tracker
 http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in
 some obscure corner of the Internet.
 Many thanks to our contributors for this release Daniel Black, Yaroslav
 Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski,
 Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François
 Boulogne and others who have helped on IRC and mailing list, logged issues
 and bug requests.
 - IMPORTANT incompatible changes:
  Filter name changes:
   * 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
   * 'sasl' has been renamed to 'postfix-sasl'
   * 'exim' spam catching failregexes was split out into 'exim-spam'
  These changes will require changing jail.{conf,local} if any of
  those filters were used.
 - Fixes:
  Jonathan Lanning
   * filter.d/asterisk -- identified another regex for blocking. Also channel
     ID is hex not decimal as noted in sample logs provided.
  Daniel Black & Marcel Dopita
-   * filter.d/apache-auth -- fixed and apache auth samples provide. closes #286
+   * filter.d/apache-auth -- fixed and apache auth samples provide. Closes gh-286
  Yaroslav Halchenko
   * filter.d/common.conf -- make colon after [daemon] optional. Closes gh-267
   * filter.d/apache-common.conf -- support apache 2.4 more detailed error
@ -66,52 +178,100 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
     - All backends, possible race condition: do not read from a file
       initially reported empty.  Originally could have lead to
       accounting for detected log lines multiple times.
     - Do not crash if executing a command in fail2ban-client interactive
       mode has failed (e.g. due to incorrect syntax). Closes gh-353
  Daniel Black & Мернов Георгий
   * filter.d/dovecot.conf -- Fix when no TLS enabled - line doesn't end in ,
  Daniel Black
   * action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across
     all platforms to ensure permissions are the same before and after a ban -
     closes gh-266. hostsdeny supports daemon_list now too.
   * filter.d/roundcube-auth - timezone offset can be positive or negative
   * action.d/bsd-ipfw - action option unsed. Fixed to blocktype for
     consistency. default to port unreach instead of deny
  Rolf Fokkens
   * action.d/dshield.conf and complain.conf -- reorder mailx arguments.
     https://bugzilla.redhat.com/show_bug.cgi?id=998020
  John Doe (ache)
   * action.d/bsd-ipfw.conf - invert actionstop logic to make exist status 0.
     closes gh-343.
  JP Espinosa (Reviewed by O.Poplawski)
   * files/redhat-initd - rewritten to use stock init.d functions thus
     avoiding problems with getpid.  Also $network and iptables moved
     to Should- rc init fields
 - New Features:
  Andy Fragen and Daniel Black
 	 * filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule
     numbers.
  Daniel Black & ykimon
   * filter.d/3proxy.conf -- filter added
  Daniel Black
   * filter.d/exim-spam.conf -- a splitout of exim's spam regexes
     with additions for greater control over filtering spam.
   * add date expression for apache-2.4 - milliseconds
  Christophe Carles & Daniel Black
   * filter.d/perdition.conf -- filter added
 - Enhancements:
  François Boulogne and Frédéric
   * filter.d/lighttpd - auth regexs for lighttpd-1.4.31
  Daniel Black
   * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
     and extra failure examples in sample logs
 	 * filter.d/apache-auth - added expressions for mod_authz, mod_auth and
     mod_auth_digest failures.
  Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
   * filter.d/exim.conf -- regex hardening and extra failure examples in
     sample logs
   * filter.d/named-refused.conf - BIND 9.9.3 regex changes
  Daniel Black & Sebastian Arcus
   * filter.d/asterisk -- more regexes
  Daniel Black
   * action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across
     all platforms to ensure permissions are the same before and after a ban.
     Closes gh-266. hostsdeny supports daemon_list now too.
   * action.d/bsd-ipfw - action option unsed. Change blocktype to port unreach
     instead of deny for consistancy.
   * filter.d/dovecot - added to support different dovecot failure
     "..disallowed plaintext auth". Closes Debian bug #709324
   * filter.d/roundcube-auth - timezone offset can be positive or negative
   * action.d/bsd-ipfw - action option unsed. Fixed to blocktype for
     consistency. default to port unreach instead of deny
   * filter.d/dropbear - fix regexs to match standard dropbear and the patched
     http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
     and add PAM is it in dropbear-2013.60 source code.
   * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
     and extra failure examples in sample logs
   * filter.d/apache-auth - added expressions for mod_authz, mod_auth and
     mod_auth_digest failures.
   * filter.d/recidive -- support f2b syslog target and anchor regex at start
   * filter.d/mysqld-auth.conf - mysql can use syslog
   * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
     bug #722970. Thanks Colin Watson for the regex analysis.
   * filter.d/wuftpd - regex enhancements to support pam and wuftpd. Closes
     Debian bug #665925
  Rolf Fokkens
   * action.d/dshield.conf and complain.conf -- reorder mailx arguments.
     https://bugzilla.redhat.com/show_bug.cgi?id=998020
  John Doe (ache)
   * action.d/bsd-ipfw.conf - invert actionstop logic to make exist status 0.
     Closes gh-343.
  JP Espinosa (Reviewed by O.Poplawski)
   * files/redhat-initd - rewritten to use stock init.d functions thus
     avoiding problems with getpid.  Also $network and iptables moved
     to Should- rc init fields
  Rick Mellor
   * filter.d/vsftp - fix capture with tty=ftp
 - New Features:
  Edgar Hoch
   * action.d/firewall-cmd-direct-new.conf - action for firewalld
     from https://bugzilla.redhat.com/show_bug.cgi?id=979622
     NOTE: requires firewalld-0.3.8+
  Andy Fragen and Daniel Black
   * filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule
     numbers.
  Anonymous:
   * action.d/osx-afctl - an action based on afctl for osx
  Daniel Black & ykimon
   * filter.d/3proxy.conf -- filter added
   * fail2ban-regex - now generates http://www.debuggex.com urls for debugging
     regular expressions with the -D parameter.
  Daniel Black
   * filter.d/exim-spam.conf -- a splitout of exim's spam regexes
     with additions for greater control over filtering spam.
   * add date expression for apache-2.4 - milliseconds
   * filter.d/nginx-http-auth -- filter added for http basic authentication
     failures in nginx. Partially fulfills gh-405.
  Christophe Carles & Daniel Black
   * filter.d/perdition.conf -- filter added
  Mark McKinstry
   * action.d/apf.conf - add action for Advanced Policy Firewall (apf)
  Amir Caspi and kjohnsonecl
   * filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server
  Steven Hiscocks and Daniel Black
   * filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter
 - Enhancements:
  François Boulogne and Frédéric
   * filter.d/lighttpd - auth regexs for lighttpd-1.4.31
  Daniel Black
   * reorder parsing of jail.conf, jail.d/*.conf, jail.local, jail.d/*.local
     and likewise for fail2ban.{conf|local|d/*.conf|d/*.local}. Closes gh-392
   * jail.conf now has asterisk jail - no need for asterisk-tcp and
     asterisk-udp. Users should replace existing jails with asterisk to
     reduce duplicate parsing of the asterisk log file.
   * filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin}- regex anchor at
     start
   * filter.d/vsftpd - anchored regex at start. disable old pam format regex
   * filter.d/pam-generic - added syslog prefix. Disabled support for
     linux-pam before version 0.99.2.0 (2005)
   * filter.d/postfix-sasl - renamed from sasl, anchor at start and base on
     syslog
   * filter.d/qmail - rewrote regex to anchor at start. Added regex for
     another "in the wild" patch to rblsmtp.
  Yaroslav Halchenko
   * fail2ban-regex -- refactored to provide more details (missing and
     ignored lines, control over logging, etc) while maintaining look&feel
@ -122,6 +282,9 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
   * filter.d/roundcube-auth.conf -- anchored version
   * date matching - for standard asctime formats prefer more detailed
     first (thus use year if available)
   * files/gen_badbots was added and filter.d/apache-badbots.conf was
     regenerated to get updated (although now still an old) list of
     "bad" bots
  Alexander Dietrich
   * action.d/sendmail-common.conf -- added common sendmail settings file
     and made the sender display name configurable
@ -132,10 +295,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
   * filter/named-refused - added refused on zone transfer
   * filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd} - General
     regex impovements
   * IMPORTANT: 'lighttpd-fastcgi' filter has been renamed to 'suhosin', which
     will require changing in jail.{conf,local} if using this filter.
  Zurd
-   * filter.d/postfix - add filter for VRFY failures. closes gh-322.
+   * filter.d/postfix - add filter for VRFY failures. Closes gh-322.
  Orion Poplawski
   * fail2ban.d/ and jail.d/ directories are added to etc/fail2ban to facilitate
     their use
--- a/243
+++ b/243
@ -26,7 +26,7 @@ Pull Requests
 When submitting pull requests on GitHub we ask you to:
 * Clearly describe the problem you're solving;
-* Don't introduce regressions that will make it hard for systems adminstrators 
+* Don't introduce regressions that will make it hard for systems administrators
  to update;
 * If adding a major feature rebase your changes on master and get to a single commit;
 * Include test cases (see below);
@ -34,128 +34,7 @@ When submitting pull requests on GitHub we ask you to:
 * Include a change to the relevant section of the ChangeLog; and
 * Include yourself in THANKS if not already there.
-Filters
+If you are developing filters see the FILTERS file for documentation.
 =======
 * Include sample logs with 1.2.3.4 used for IP addresses and 
  example.com/example.org used for DNS names
 * Ensure sample log is provided in testcases/files/logs/ with same name as the
  filter. Each log line should include match meta data for time & IP above
  every line (see other sample log files for examples)
 * Ensure regexs start with a ^ and are restrictive as possible. E.g. not .* if
  \d+ is sufficient
 * Use the functionality of regexs http://docs.python.org/2/library/re.html
 * Take a look at the source code of the application. You may see optional or
  extra log messages, or parts there of, that need to form part of your regex.
 If you only have a basic knowledge of regular repressions read
 http://docs.python.org/2/library/re.html first.
 Filter Security
 ---------------
 Poor filter regular expressions are suseptable to DoS attacks.
 When a remote user has the ability to introduce text that will match the 
 filter regex, such that the inserted text matches the <HOST> part, they have the
 ability to deny any host they choose.
 So the <HOST> part must be anchored on text generated by the application, and not
 the user, to a sufficient extent that the user cannot insert the entire text.
 Filters are matched against the log line with their date removed.
 Ideally filter regex should anchor to the beginning and end of the log line
 however as more applications log at the beginning than the end, achoring the
 beginning is more important. If the log file used by the application is shared
 with other applications, like system logs, ensure the other application that
 use that log file do not log user generated text at the beginning of the line,
 or, if they do, ensure the regexs of the filter are sufficient to mitigate the
 risk of insertion.
 When creating a regex that extends back to the begining remember the date part
 has been removed within fail2ban so theres no need to match that. If the format
 is like '<date...> error 1.2.3.4 is evil' then you will need to match the < at
 the start so here the regex would start like '^<> <HOST> is evil$'.
 Some applications log spaces at the end. If you're not sure add \s*$ as the
 end part of the regex.
 Examples of poor filters
 ------------------------
 1. Too restrictive
 We find a log message:
    Apr-07-13 07:08:36 Invalid command fial2ban from 1.2.3.4
 We make a failregex
    ^Invalid command \S+ from <HOST>
 Now think evil. The user does the command 'blah from 1.2.3.44'
 The program diliently logs:
    Apr-07-13 07:08:36 Invalid command blah from 1.2.3.44 from 1.2.3.4
 And fail2ban matches 1.2.3.44 as the IP that it ban. A DoS attack was successful.
 The fix here is that the command can be anything so .* is approprate.
    ^Invalid command .* from <HOST>
 Here the .* will match until the end of the string. Then realise it has more to
 match, i.e. "from <HOST>" and go back until it find this. Then it will ban
 1.2.3.4 correctly. Since the <HOST> is always at the end, end the regex with a $.
    ^Invalid command .* from <HOST>$
 Note if we'd just had the expression:
    ^Invalid command \S+ from <HOST>$
 Then provided the user put a space in their command they would have never been
 banned.
 2. Filter regex can match other user injected data
 From the apache vulnerability CVE-2013-2178
 ( original ref: https://vndh.net/note:fail2ban-089-denial-service ).
 An example bad regex for apache:
    failregex = [[]client <HOST>[]] user .* not found
 Since the user can do a get request on:
    GET /[client%20192.168.0.1]%20user%20root%20not%20found HTTP/1.0
 Host: remote.site
 Now the log line will be:
    [Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
 As this log line doesn't match other expressions hence it matches the above
 regex and blocks 192.168.33.1 as a denial of service from the HTTP requester.
 3. Applicaiton generates two identical log messages with different meanings
 If the application generates the following two messages under different
 circmstances:
    client <IP>: authentication failed
    client <USER>: authentication failed
 Then it's obvious that a regex of "^client <HOST>: authentication
 failed$" will still cause problems if the user can trigger the second
 log message with a <USER> of 123.1.1.1.
 Here there's nothing to do except request/change the application so it logs
 messages differently.
 Code Testing
 ============
@ -270,7 +149,7 @@ Design
 Fail2Ban was initially developed with Python 2.3 (IIRC). It should
 still be compatible with Python 2.4 and such compatibility assurance
 makes code ... old-fashioned in many places (RF-Note).  In 0.7 the
-design went through major refactoring into client/server,
+design went through major re-factoring into client/server,
 a-thread-per-jail design which made it a bit difficult to follow.
 Below you can find a sketchy description of the main components of the
 system to orient yourself better.
@ -381,7 +260,7 @@ one way or another provide
 		except FailManagerEmpty:
 			self.failManager.cleanup(MyTime.time())
-thus channeling "ban tickets" from their failManager to the
+thus channelling "ban tickets" from their failManager to the
 corresponding jail.
 action.py
@ -406,35 +285,54 @@ Releasing
  * https://github.com/fail2ban/fail2ban/issues?sort=updated&state=open
  * http://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=fail2ban
  * https://bugs.launchpad.net/ubuntu/+source/fail2ban
  * http://bugs.sabayon.org/buglist.cgi?quicksearch=net-analyzer%2Ffail2ban
  * https://bugs.archlinux.org/?project=5&cat%5B%5D=33&string=fail2ban
  * https://bugs.gentoo.org/buglist.cgi?query_format=advanced&short_desc=fail2ban&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=IN_PROGRESS&short_desc_type=allwords
  * https://bugzilla.redhat.com/buglist.cgi?query_format=advanced&bug_status=NEW&bug_status=ASSIGNED&component=fail2ban&classification=Red%20Hat&classification=Fedora
  * http://www.freebsd.org/cgi/query-pr-summary.cgi?text=fail2ban
  * https://bugs.mageia.org/buglist.cgi?quicksearch=fail2ban
  * https://build.opensuse.org/package/requests/openSUSE:Factory/fail2ban
-# Provide a release sample to distributors
+# Make sure the tests pass
-  * Debian: Yaroslav Halchenko <debian@onerussian.com>
+  ./fail2ban-testcases-all
            http://packages.qa.debian.org/f/fail2ban.html
  * FreeBSD: Christoph Theis theis@gmx.at>, Nick Hilliard <nick@foobar.org>
            http://svnweb.freebsd.org/ports/head/security/py-fail2ban/Makefile?view=markup
  * Fedora: Axel Thimm <Axel.Thimm@atrpms.net>
            https://apps.fedoraproject.org/packages/fail2ban
  * Gentoo: netmon@gentoo.org
            http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/metadata.xml?view=markup
  * openSUSE: Stephan Kulow <coolo@suse.com>
            https://build.opensuse.org/package/users?package=fail2ban&project=openSUSE%3AFactory
  * Mac Ports: @Malbrouck on github (gh-49)
            https://trac.macports.org/browser/trunk/dports/security/fail2ban/Portfile
-# Wait for feedback from distributors
+# Ensure the version is correct
-# Ensure the version is correct in ./common/version.py
+  in:
  * ./common/version.py
  * top of ChangeLog
  * README.md
 # Ensure the MANIFEST is complete
 Run:
  python setup.py sdist
 Look for errors like:
 'testcases/files/logs/mysqld.log' not a regular file -- skipping
 Which indicates that testcases/files/logs/mysqld.log has been moved or is a directory
  tar -C /tmp -jxf dist/fail2ban-0.9.0.tar.bz2
 # clean up current direcory
  diff -rul --exclude \*.pyc . /tmp/fail2ban-0.9.0/
  # Only differences should be files that you don't want distributed.
 # Ensure the tests work from the tarball
  cd /tmp/fail2ban-0.9.0/ && ./fail2ban-testcases-all
 # Add/finalize the corresponding entry in the ChangeLog
  To generate a list of committers use e.g.
-  git shortlog -sn 0.8.8.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g'
+  git shortlog -sn 0.8.11.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g'
  Ensure the top of the ChangeLog has the right version and current date.
@ -443,23 +341,66 @@ Releasing
 # Update man pages
  (cd man ; ./generate-man )
-  git commit -m 'update man pages for release' man/*
+  git commit -m 'DOC/ENH: update man pages for release' man/*
-# Make sure the tests pass
+# Prepare source and rpm binary distributions
  ./fail2ban-testcases-all
 # Prepare/upload source and rpm binary distributions
  python setup.py check
  python setup.py sdist
  python setup.py bdist_rpm
  python setup.py upload
-# Run the following and update the wiki with output:
+# Provide a release sample to distributors
  * Arch Linux:
            https://www.archlinux.org/packages/community/any/fail2ban/
  * Debian: Yaroslav Halchenko <debian@onerussian.com>
            http://packages.qa.debian.org/f/fail2ban.html
  * FreeBSD: Christoph Theis theis@gmx.at>, Nick Hilliard <nick@foobar.org>
            http://svnweb.freebsd.org/ports/head/security/py-fail2ban/Makefile?view=markup
            http://www.freebsd.org/cgi/query-pr-summary.cgi?text=fail2ban
  * Fedora: Axel Thimm <Axel.Thimm@atrpms.net>
            https://apps.fedoraproject.org/packages/fail2ban
            http://pkgs.fedoraproject.org/cgit/fail2ban.git
            https://admin.fedoraproject.org/pkgdb/acls/bugs/fail2ban
  * Gentoo: netmon@gentoo.org
            http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/metadata.xml?view=markup
            https://bugs.gentoo.org/buglist.cgi?quicksearch=fail2ban
  * openSUSE: Stephan Kulow <coolo@suse.com>
            https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban
  * Mac Ports: @Malbrouck on github (gh-49)
            https://trac.macports.org/browser/trunk/dports/security/fail2ban/Portfile
  * Mageia:
            https://bugs.mageia.org/buglist.cgi?quicksearch=fail2ban
  An potentially to the fail2ban-users directory.
 # Wait for feedback from distributors
 # Prepare a release notice https://github.com/fail2ban/fail2ban/releases/new
  Upload the source/binaries from the dist directory and tag the release using the URL
 # Upload source/binaries to sourceforge http://sourceforge.net/projects/fail2ban/
 # Run the following and update the wiki with output:
  python -c 'import fail2ban.protocol; fail2ban.protocol.printWiki()'
  page: http://www.fail2ban.org/wiki/index.php/Commands
 * Update:
  http://www.fail2ban.org/wiki/index.php?title=Template:Fail2ban_Versions&action=edit
  http://www.fail2ban.org/wiki/index.php?title=Template:Fail2ban_News&action=edit
  move old bits to:
  http://www.fail2ban.org/wiki/index.php?title=Template:Fail2ban_OldNews&action=edit
  http://www.fail2ban.org/wiki/index.php?title=Template:Fail2ban_Versions&action=edit
  http://www.fail2ban.org/wiki/index.php/ChangeLog
  http://www.fail2ban.org/wiki/index.php/Requirements (Check requirement)
  http://www.fail2ban.org/wiki/index.php/Features
 * See if any filters are upgraded:
  http://www.fail2ban.org/wiki/index.php/Special:AllPages
 # Email users and development list of release
 # notify distributors
@ -469,7 +410,7 @@ Post Release
 Add the following to the top of the ChangeLog
-ver. 0.8.12 (2013/XX/XXX) - wanna-be-released
+ver. 0.9.1 (2014/XX/XXX) - wanna-be-released
 -----------
 - Fixes:
@ -478,6 +419,8 @@ ver. 0.8.12 (2013/XX/XXX) - wanna-be-released
 - Enhancements:
 Alter the git shortlog command in the previous section to refer to the just
 released version.
 and adjust common/version.py to carry .dev suffix to signal
 a version under development.
--- a/469
+++ b/469
@ -0,0 +1,469 @@
                         __      _ _ ___ _
                        / _|__ _(_) |_  ) |__  __ _ _ _
                       |  _/ _` | | |/ /| '_ \/ _` | ' \
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
 ================================================================================
 Developing Filters
 ================================================================================
 Filters
 =======
 Filters are tricky. They need to:
 * work with a variety of the versions of the software that generates the logs;
 * work with the range of logging configuration options available in the
  software;
 * work with multiple operating systems;
 * not make assumptions about the log format in excess of the software
  (e.g. do not assume a username doesn't contain spaces and use \S+ unless
  you've checked the source code);
 * account for how future versions of the software will log messages
  (e.g. guess what would happen to the log message if different authentication
  types are added);
 * not be susceptible to DoS vulnerabilities (see Filter Security below); and
 * match intended log lines only.
 Please follow the steps from Filter Test Cases to Developing Filter Regular
 Expressions and submit a GitHub pull request (PR) afterwards. If you get stuck,
 you can push your unfinished changes and still submit a PR -- describe
 what you have done, what is the hurdle, and we'll attempt to help (PR
 will be automagically updated with future commits you would push to
 complete it).
 Filter test cases
 -----------------
 Purpose:
 Start by finding the log messages that the application generates related to
 some form of authentication failure. If you are adding to an existing filter
 think about whether the log messages are of a similar importance and purpose
 to the existing filter. If you were a user of Fail2Ban, and did a package
 update of Fail2Ban that started matching new log messages, would anything
 unexpected happen?  Would the bantime/findtime for the jail be appropriate for
 the new log messages?  If it doesn't, perhaps it needs to be in a separate
 filter definition, for example like exim filter aims at authentication failures
 and exim-spam at log messages related to spam.
 Even if it is a new filter you may consider separating the log messages into
 different filters based on purpose.
 Cause:
 Are some of the log lines a result of the same action? For example, is a PAM
 failure log message, followed by an application specific failure message the
 result of the same user/script action?  If you add regular expressions for
 both you would end up with two failures for a single action.
 Therefore, select the most appropriate log message and document the other log
 message) with a test case not to match it and a description as to why you chose
 one over another.
 With the selected log lines consider what action has caused those log
 messages and whether they could have been generated by accident? Could
 the log message be occurring due to the first step towards the application
 asking for authentication? Could the log messages occur often? If some of
 these are true make a note of this in the jail.conf example that you provide.
 Samples:
 It is important to include log file samples so any future change in the regular
 expression will still work with the log lines you have identified.
 The sample log messages are provided in a file under testcases/files/logs/
 named identically as the corresponding filter (but without .conf extension).
 Each log line should be preceded by a line with failJSON metadata (so the logs
 lines are tested in the test suite) directly above the log line. If there is
 any specific information about the log message, such as version or an
 application configuration option that is needed for the message to occur,
 include this in a comment (line beginning with #) above the failJSON metadata.
 Log samples should include only one, definitely not more than 3, examples of
 log messages of the same form. If log messages are different in different
 versions of the application log messages that show this are encouraged.
 Also attempt to inject an IP into the application (e.g. by specifying
 it as a username) so that Fail2Ban possibly detects the IP
 from user input rather than the true origin. See the Filter Security section
 and the top example in testcases/files/logs/apache-auth as to how to do this.
 One you have discovered that this is possible, correct the regex so it doesn't
 match and provide this as a test case with "match": false (see failJSON below).
 If the mechanism to create the log message isn't obvious provide a
 configuration and/or sample scripts testcases/files/config/{filtername} and
 reference these in the comments above the log line.
 FailJSON metadata:
 A failJSON metadata is a comment immediately above the log message. It will
 look like:
 # failJSON: { "time": "2013-06-10T10:10:59", "match": true , "host": "93.184.216.119" }
 Time should match the time of the log message. It is in a specific format of
 Year-Month-Day'T'Hour:minute:Second.  If your log message does not include a
 year, like the example below, the year should be listed as 2005, if before Sun
 Aug 14 10am UTC, and 2004 if afterwards.  Here is an example failJSON
 line preceding a sample log line:
 # failJSON: { "time": "2005-03-24T15:25:51", "match": true , "host": "198.51.100.87" }
 Mar 24 15:25:51 buffalo1 dropbear[4092]: bad password attempt for 'root' from 198.51.100.87:5543
 The "host" in failJSON should contain the IP or domain that should be blocked.
 For long lines that you do not want to be matched (e.g. from log injection
 attacks) and any log lines to be excluded (see "Cause" section above), set
 "match": false in the failJSON and describe the reason in the comment above.
 After developing regexes, the following command will test all failJSON metadata
 against the log lines in all sample log files
 ./fail2ban-testcases testSampleRegex
 Developing Filter Regular Expressions
 -------------------------------------
 Date/Time:
 At the moment, Fail2Ban depends on log lines to have time stamps.  That is why
 before starting to develop failregex, check if your log line format known to
 Fail2Ban.  Copy the time component from the log line and append an IP address to
 test with following command:
 ./fail2ban-regex "2013-09-19 02:46:12 1.2.3.4" "<HOST>"
 Output of such command should contain something like:
 Date template hits:
 |- [# of hits] date format
 |  [1] Year-Month-Day Hour:Minute:Second
 Ensure that the template description matches time/date elements in your log line
 time stamp.  If there is no matched format then date template needs to be added
 to server/datedetector.py.  Ensure that a new template is added in the order
 that more specific matches occur first and that there is no confusion between a
 Day and a Month.
 Filter file:
 The filter is specified in a config/filter.d/{filtername}.conf file. Filter file
 can have sections INCLUDES (optional) and Definition as follows:
 [INCLUDES]
 before = common.conf
 after = filtername.local
 [Definition]
 failregex = ....
 ignoreregex = ....
 This is also documented in the man page jail.conf (section 5). Other definitions
 can be added to make failregex's more readable and maintainable to be used
 through string Interpolations (see http://docs.python.org/2.7/library/configparser.html)
 General rules:
 Use "before" if you need to include a common set of rules, like syslog or if
 there is a common set of regexes for multiple filters.
 Use "after" if you wish to allow the user to overwrite a set of customisations
 of the current filter. This file doesn't need to exist.
 Try to avoid using ignoreregex mainly for performance reasons. The case when you
 would use it is if in trying to avoid using it, you end up with an unreadable
 failregex.
 Syslog:
 If your application logs to syslog you can take advantage of log line prefix
 definitions present in common.conf.  So as a base use:
 [INCLUDES]
 before = common.conf
 [Definition]
 _daemon = app
 failregex = ^%(__prefix_line)s
 In this example common.conf defines __prefix_line which also contains the
 _daemon name (in syslog terms the service) you have just specified. _daemon
 can also be a regex.
 For example, to capture following line _daemon should be set to "dovecot"
 Dec 12 11:19:11 dunnart dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=190.210.136.21, lip=113.212.99.193
 and then ^%(__prefix_line)s would match "Dec 12 11:19:11 dunnart dovecot:
 ". Note it matches the trailing space(s) as well.
 Substitutions (AKA string interpolations):
 We have used string interpolations in above examples.  They are useful for
 making the regexes more readable, reuse generic patterns in multiple failregex
 lines, and also to refer definition of regex parts to specific filters or even
 to the user.  General principle is that value of a _name variable replaces
 occurrences of %(_name)s within the same section or anywhere in the config file
 if defined in [DEFAULT] section.
 Regular Expressions:
 Regular expressions (failregex, ignoreregex) assume that the date/time has been
 removed from the log line (this is just how fail2ban works internally ATM).
 If the format is like '<date...> error 1.2.3.4 is evil' then you need to match
 the < at the start so regex should be similar to '^<> <HOST> is evil$' using
 <HOST> where the IP/domain name appears in the log line.
 The following general rules apply to regular expressions:
 * ensure regexes start with a ^ and are as restrictive as possible. E.g. do not
  use .* if \d+ is sufficient;
 * use functionality of Python regexes defined in the standard Python re library
  http://docs.python.org/2/library/re.html;
 * make regular expressions readable (as much as possible). E.g.
  (?:...) represents a non-capturing regex but (...) is more readable, thus
  preferred.
 If you have only a basic knowledge of regular repressions we advise to read
 http://docs.python.org/2/library/re.html first.  It doesn't take long and would
 remind you e.g. which characters you need to escape and which you don't.
 Developing/testing a regex:
 You can develop a regex in a file or using command line depending on your
 preference. You can also use samples you have already created in the test cases
 or test them one at a time.
 The general tool for testing Fail2Ban regexes is fail2ban-regex. To see how to
 use it run:
 ./fail2ban-regex --help
 Take note of  -l heavydebug  / -l debug  and -v as they might be very useful.
 TIP: Take a look at the source code of the application you are developing
     failregex for. You may see optional or extra log messages, or parts there
     of, that need to form part of your regex.  It may also reveal how some
     parts are constrained and different formats depending on configuration or
     less common usages.
 TIP: For looking through source code - http://sourcecodebrowser.com/ . It has
     call graphs and can browse different versions.
 TIP: Some applications log spaces at the end. If you are not sure add \s*$ as
     the end part of the regex.
 If your regex is not matching, http://www.debuggex.com/?flavor=python can help
 to tune it.  fail2ban-regex -D ...  will present Debuggex URLs for the regexs
 and sample log files that you pass into it.
 In general use when using regex debuggers for generating fail2ban filters:
 * use regex from the ./fail2ban-regex output (to ensure all substitutions are
 done)
 * replace <HOST> with (?&.ipv4)
 * make sure that regex type set to Python
 * for the test data put your log output with the date/time removed
 When you have fixed the regex put it back into your filter file.
 Please spread the good word about Debuggex - Serge Toarca is kindly continuing
 its free availability to Open Source developers.
 Finishing up:
 If you've added a new filter, add a new entry in config/jail.conf. The theory
 here is that a user will create a jail.local with [filtername]\nenable=true to
 enable your jail.
 So more specifically in the [filter] section in jail.conf:
 * ensure that you have "enabled = false" (users will enable as needed);
 * use "filter =" set to your filter name;
 * use a typical action to disable ports associated with the application;
 * set "logpath" to the usual location of application log file;
 * if the default findtime or bantime isn't appropriate to the filter, specify
  more appropriate choices (possibly with a brief comment line).
 Submit github pull request (See "Pull Requests" above) for
 github.com/fail2ban/fail2ban containing your great work.
 Filter Security
 ---------------
 Poor filter regular expressions are susceptible to DoS attacks.
 When a remote user has the ability to introduce text that would match filter's
 failregex, while matching inserted text to the <HOST> part, they have the
 ability to deny any host they choose.
 So the <HOST> part must be anchored on text generated by the application, and
 not the user, to an extent sufficient to prevent user inserting the entire text
 matching this or any other failregex.
 Ideally filter regex should anchor at the beginning and at the end of log line.
 However as more applications log at the beginning than the end, anchoring the
 beginning is more important. If the log file used by the application is shared
 with other applications, like system logs, ensure the other application that use
 that log file do not log user generated text at the beginning of the line, or,
 if they do, ensure the regexes of the filter are sufficient to mitigate the risk
 of insertion.
 Examples of poor filters
 ------------------------
 1. Too restrictive
 We find a log message:
    Apr-07-13 07:08:36 Invalid command fial2ban from 1.2.3.4
 We make a failregex
    ^Invalid command \S+ from <HOST>
 Now think evil. The user does the command 'blah from 1.2.3.44'
 The program diligently logs:
    Apr-07-13 07:08:36 Invalid command blah from 1.2.3.44 from 1.2.3.4
 And fail2ban matches 1.2.3.44 as the IP that it ban. A DoS attack was successful.
 The fix here is that the command can be anything so .* is appropriate.
    ^Invalid command .* from <HOST>
 Here the .* will match until the end of the string. Then realise it has more to
 match, i.e. "from <HOST>" and go back until it find this. Then it will ban
 1.2.3.4 correctly. Since the <HOST> is always at the end, end the regex with a $.
    ^Invalid command .* from <HOST>$
 Note if we'd just had the expression:
    ^Invalid command \S+ from <HOST>$
 Then provided the user put a space in their command they would have never been
 banned.
 2. Unanchored regex can match other user injected data
 From the Apache vulnerability CVE-2013-2178
 ( original ref: https://vndh.net/note:fail2ban-089-denial-service ).
 An example bad regex for Apache:
    failregex = [[]client <HOST>[]] user .* not found
 Since the user can do a get request on:
    GET /[client%20192.168.0.1]%20user%20root%20not%20found HTTP/1.0
 Host: remote.site
 Now the log line will be:
    [Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
 As this log line doesn't match other expressions hence it matches the above
 regex and blocks 192.168.33.1 as a denial of service from the HTTP requester.
 3.  Over greedy pattern matching
 From: https://github.com/fail2ban/fail2ban/pull/426
 An example ssh log (simplified)
    Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 port 20000 ssh1: ruser remoteuser
 As we assume username can include anything including spaces its prudent to put
 .* here. The remote user can also exist as anything so lets not make assumptions again.
    failregex = ^%(__prefix_line)sFailed \S+ for .* from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$
 So this works. The problem is if the .* after remote user is injected by the
 user to be 'from 1.2.3.4'. The resultant log line is.
    Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 port 20000 ssh1: ruser from 1.2.3.4
 Testing with:
    fail2ban-regex -v 'Sep 29 17:15:02 Failed password for user from 127.0.0.1 port 20000 ssh1: ruser from 1.2.3.4' '^ Failed \S+ for .* from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$'
 TIP: I've removed the bit that matches __prefix_line from the regex and log.
 Shows:
    1) [1] ^ Failed \S+ for .* from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$
       1.2.3.4  Sun Sep 29 17:15:02 2013
 It should of matched 127.0.0.1. So the first greedy part of the greedy regex
 matched until the end of the string. The was no "from <HOST>" so the regex
 engine worked backwards from the end of the string until this was matched.
 The result was that 1.2.3.4 was matched, injected by the user, and the wrong IP
 was banned.
 The solution here is to make the first .* non-greedy with .*?. Here it matches
 as little as required and the fail2ban-regex tool shows the output:
    fail2ban-regex -v 'Sep 29 17:15:02 Failed password for user from 127.0.0.1 port 20000 ssh1: ruser from 1.2.3.4' '^ Failed \S+ for .*? from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$'
    1) [1] ^ Failed \S+ for .*? from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$
       127.0.0.1  Sun Sep 29 17:15:02 2013
 So the general case here is a log line that contains:
    (fixed_data_1)<HOST>(fixed_data_2)(user_injectable_data)
 Where the regex that matches fixed_data_1 is gready and matches the entire
 string, before moving backwards and user_injectable_data can match the entire
 string.
 Another case:
 ref: https://www.debuggex.com/r/CtAbeKMa2sDBEfA2/0
 A webserver logs the following without URL escaping:
    [error] 2865#0: *66647 user "xyz" was not found in "/file", client: 1.2.3.1, server: www.host.com, request: "GET ", client: 3.2.1.1, server: fake.com, request: "GET exploited HTTP/3.3", host: "injected.host", host: "www.myhost.com"
 regex:
    failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (?:password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ .+ HTTP/\d+\.\d+", host: "\S+"
 The .* matches to the end of the string. Finds that it can't continue to match
 ", client ... so it moves from the back and find that the user injected web URL:
    ", client: 3.2.1.1, server: fake.com, request: "GET exploited HTTP/3.3", host: "injected.host
 In this case there is a fixed host: "www.myhost.com" at the end so the solution
 is to anchor the regex at the end with a $.
 If this wasn't the case then first .* needed to be made so it didn't capture
 beyond <HOST>.
 4. Application generates two identical log messages with different meanings
 If the application generates the following two messages under different
 circumstances:
    client <IP>: authentication failed
    client <USER>: authentication failed
 Then it's obvious that a regex of "^client <HOST>: authentication
 failed$" will still cause problems if the user can trigger the second
 log message with a <USER> of 123.1.1.1.
 Here there's nothing to do except request/change the application so it logs
 messages differently.
--- a/138
+++ b/138
@ -5,12 +5,15 @@ TODO
 THANKS
 COPYING
 DEVELOP
-doc/run-rootless.txt
+FILTERS
 fail2ban-2to3
 fail2ban-testcases-all
 fail2ban-testcases-all-python3
 bin/fail2ban-client
 bin/fail2ban-server
 bin/fail2ban-testcases
 bin/fail2ban-regex
 doc/run-rootless.txt
 fail2ban/client/configreader.py
 fail2ban/client/configparserinc.py
 fail2ban/client/jailreader.py
@ -23,6 +26,7 @@ fail2ban/client/__init__.py
 fail2ban/client/configurator.py
 fail2ban/client/csocket.py
 fail2ban/server/asyncserver.py
 fail2ban/server/database.py
 fail2ban/server/filter.py
 fail2ban/server/filterpyinotify.py
 fail2ban/server/filtergamin.py
@ -45,45 +49,113 @@ fail2ban/server/banmanager.py
 fail2ban/server/datetemplate.py
 fail2ban/server/mytime.py
 fail2ban/server/failregex.py
 fail2ban/server/database.py
 fail2ban/tests/banmanagertestcase.py
 fail2ban/tests/failmanagertestcase.py
 fail2ban/tests/clientreadertestcase.py
 fail2ban/tests/filtertestcase.py
 fail2ban/tests/__init__.py
 fail2ban/tests/dummyjail.py
 fail2ban/tests/samplestestcase.py
 fail2ban/tests/datedetectortestcase.py
 fail2ban/tests/actiontestcase.py
 fail2ban/tests/servertestcase.py
 fail2ban/tests/sockettestcase.py
 fail2ban/tests/utils.py
 fail2ban/tests/misctestcase.py
 fail2ban/tests/databasetestcase.py
 fail2ban/tests/config/jail.conf
 fail2ban/tests/config/fail2ban.conf
 fail2ban/tests/config/filter.d/simple.conf
 fail2ban/tests/config/action.d/brokenaction.conf
 fail2ban/tests/files/config/apache-auth/digest/.htaccess
 fail2ban/tests/files/config/apache-auth/digest/.htpasswd
 fail2ban/tests/files/config/apache-auth/digest_time/.htaccess
 fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd
 fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess
 fail2ban/tests/files/config/apache-auth/basic/authz_owner/cant_get_me.html
 fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
 fail2ban/tests/files/config/apache-auth/basic/file/.htaccess
 fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd
 fail2ban/tests/files/config/apache-auth/digest.py
 fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess
 fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
 fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess
 fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd
 fail2ban/tests/files/config/apache-auth/README
 fail2ban/tests/files/config/apache-auth/noentry/.htaccess
 fail2ban/tests/files/database_v1.db
 fail2ban/tests/files/ignorecommand.py
 fail2ban/tests/files/filter.d/substition.conf
 fail2ban/tests/files/filter.d/testcase-common.conf
 fail2ban/tests/files/filter.d/testcase01.conf
 fail2ban/tests/files/testcase01.log
 fail2ban/tests/files/testcase02.log
 fail2ban/tests/files/testcase03.log
 fail2ban/tests/files/testcase04.log
 fail2ban/tests/files/testcase-usedns.log
 fail2ban/tests/files/testcase-journal.log
 fail2ban/tests/files/testcase-multiline.log
 fail2ban/tests/files/logs/bsd/syslog-plain.txt
 fail2ban/tests/files/logs/bsd/syslog-v.txt
 fail2ban/tests/files/logs/bsd/syslog-vv.txt
 fail2ban/tests/files/logs/3proxy
 fail2ban/tests/files/logs/apache-auth
 fail2ban/tests/files/logs/apache-badbots
 fail2ban/tests/files/logs/apache-botscripts
 fail2ban/tests/files/logs/apache-modsecurity
 fail2ban/tests/files/logs/apache-nohome
 fail2ban/tests/files/logs/apache-noscript
 fail2ban/tests/files/logs/apache-overflows
 fail2ban/tests/files/logs/assp
 fail2ban/tests/files/logs/asterisk
 fail2ban/tests/files/logs/counter-strike
 fail2ban/tests/files/logs/courier-auth
 fail2ban/tests/files/logs/courier-smtp
 fail2ban/tests/files/logs/cyrus-imap
 fail2ban/tests/files/logs/dovecot
 fail2ban/tests/files/logs/dropbear
 fail2ban/tests/files/logs/ejabberd-auth
 fail2ban/tests/files/logs/exim
-fail2ban/tests/files/logs/lighttpd
+fail2ban/tests/files/logs/exim-spam
-fail2ban/tests/files/logs/mysqld.log
+fail2ban/tests/files/logs/freeswitch
 fail2ban/tests/files/logs/groupoffice
 fail2ban/tests/files/logs/gssftpd
 fail2ban/tests/files/logs/guacamole
 fail2ban/tests/files/logs/lighttpd-auth
 fail2ban/tests/files/logs/mysqld-auth
 fail2ban/tests/files/logs/nsd
 fail2ban/tests/files/logs/perdition
 fail2ban/tests/files/logs/php-url-fopen
 fail2ban/tests/files/logs/postfix-sasl
 fail2ban/tests/files/logs/named-refused
 fail2ban/tests/files/logs/nginx-http-auth
 fail2ban/tests/files/logs/pam-generic
 fail2ban/tests/files/logs/postfix
 fail2ban/tests/files/logs/proftpd
 fail2ban/tests/files/logs/pure-ftpd
 fail2ban/tests/files/logs/qmail
 fail2ban/tests/files/logs/recidive
 fail2ban/tests/files/logs/roundcube-auth
-fail2ban/tests/files/logs/sasl
+fail2ban/tests/files/logs/selinux-ssh
 fail2ban/tests/files/logs/sendmail-spam
 fail2ban/tests/files/logs/sieve
 fail2ban/tests/files/logs/squid
 fail2ban/tests/files/logs/stunnel
 fail2ban/tests/files/logs/suhosin
 fail2ban/tests/files/logs/sogo-auth
 fail2ban/tests/files/logs/solid-pop3d
 fail2ban/tests/files/logs/sshd
 fail2ban/tests/files/logs/sshd-ddos
 fail2ban/tests/files/logs/vsftpd
 fail2ban/tests/files/logs/webmin-auth
-fail2ban/tests/files/logs/wu-ftpd
+fail2ban/tests/files/logs/wuftpd
 fail2ban/tests/files/logs/uwimap-auth
 fail2ban/tests/files/logs/xinetd-fail
 fail2ban/tests/config/jail.conf
 fail2ban/tests/config/fail2ban.conf
 fail2ban/tests/config/filter.d/simple.conf
 fail2ban/tests/config/action.d/brokenaction.conf
 setup.py
 setup.cfg
 fail2ban/__init__.py
@ -91,30 +163,43 @@ fail2ban/exceptions.py
 fail2ban/helpers.py
 fail2ban/version.py
 fail2ban/protocol.py
 setup.py
 setup.cfg
 kill-server
 config/jail.conf
 config/fail2ban.conf
 config/filter.d/common.conf
 config/filter.d/apache-auth.conf
 config/filter.d/apache-badbots.conf
 config/filter.d/apache-botsearch.conf
 config/filter.d/apache-nohome.conf
 config/filter.d/apache-noscript.conf
 config/filter.d/apache-overflows.conf
-config/filter.d/courierlogin.conf
+config/filter.d/nginx-http-auth.conf
-config/filter.d/couriersmtp.conf
+config/filter.d/counter-strike.conf
 config/filter.d/courier-auth.conf
 config/filter.d/courier-smtp.conf
 config/filter.d/cyrus-imap.conf
 config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
 config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
 config/filter.d/openwebmail.conf
 config/filter.d/pam-generic.conf
 config/filter.d/php-url-fopen.conf
 config/filter.d/postfix-sasl.conf
 config/filter.d/pam-generic.conf
 config/filter.d/php-url-fopen.conf
 config/filter.d/postfix-sasl.conf
 config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
 config/filter.d/pure-ftpd.conf
 config/filter.d/qmail.conf
 config/filter.d/pam-generic.conf
 config/filter.d/php-url-fopen.conf
 config/filter.d/sasl.conf
 config/filter.d/sieve.conf
 config/filter.d/solid-pop3d.conf
 config/filter.d/sshd.conf
 config/filter.d/sshd-ddos.conf
 config/filter.d/stunnel.conf
 config/filter.d/vsftpd.conf
 config/filter.d/webmin-auth.conf
 config/filter.d/wuftpd.conf
@ -126,10 +211,32 @@ config/filter.d/lighttpd-auth.conf
 config/filter.d/recidive.conf
 config/filter.d/roundcube-auth.conf
 config/filter.d/assp.conf
 config/filter.d/mysqld-auth.conf
 config/filter.d/sogo-auth.conf
 config/filter.d/mysqld-auth.conf
 config/filter.d/selinux-common.conf
 config/filter.d/selinux-ssh.conf
 config/filter.d/3proxy.conf
 config/filter.d/apache-common.conf
 config/filter.d/exim-common.conf
 config/filter.d/exim-spam.conf
 config/filter.d/freeswitch.conf
 config/filter.d/groupoffice.conf
 config/filter.d/perdition.conf
 config/filter.d/uwimap-auth.conf
 config/filter.d/courier-auth.conf
 config/filter.d/courier-smtp.conf
 config/filter.d/ejabberd-auth.conf
 config/filter.d/guacamole.conf
 config/filter.d/sendmail-spam.conf
 config/action.d/apf.conf
 config/action.d/osx-afctl.conf
 config/action.d/osx-ipfw.conf
 config/action.d/sendmail-common.conf
 config/action.d/bsd-ipfw.conf
 config/action.d/dummy.conf
 config/action.d/firewallcmd-new.conf
 config/action.d/firewallcmd-ipset.conf
 config/action.d/iptables-ipset-proto6-allports.conf
 config/action.d/iptables-blocktype.conf
 config/action.d/iptables-ipset-proto4.conf
 config/action.d/iptables-ipset-proto6.conf
@ -153,10 +260,13 @@ config/action.d/mynetwatchman.conf
 config/action.d/pf.conf
 config/action.d/sendmail.conf
 config/action.d/sendmail-buffered.conf
 config/action.d/sendmail-whois-ipmatches.conf
 config/action.d/sendmail-whois.conf
 config/action.d/sendmail-whois-lines.conf
 config/action.d/shorewall.conf
-config/fail2ban.conf
+config/action.d/xarf-login-attack.conf
 config/action.d/ufw.conf
 doc/run-rootless.txt
 man/fail2ban-client.1
 man/fail2ban.1
 man/jail.conf.5
@ -178,9 +288,9 @@ files/cacti/fail2ban_stats.sh
 files/cacti/cacti_host_template_fail2ban.xml
 files/cacti/README
 files/nagios/check_fail2ban
-files/nagios/f2ban.txt
+files/nagios/README
 files/bash-completion
 files/fail2ban-tmpfiles.conf
 files/fail2ban.service
 files/ipmasq-ZZZzzz_fail2ban.rul
-files/nagios/README
+files/gen_badbots
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@
                        / _|__ _(_) |_  ) |__  __ _ _ _  
                       |  _/ _` | | |/ /| '_ \/ _` | ' \ 
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
-                       v0.9.0a0                2013/??/??
+                       v0.9.0a2                2014/??/??
 ## Fail2Ban: ban hosts that cause multiple authentication errors
@ -21,7 +21,7 @@ Installation:
 this case, you should use it instead.**
 Required:
- [Python2 >= 2.4 or Python3 >= 3.2](http://www.python.org)
+- [Python2 >= 2.6 or Python3 >= 3.2](http://www.python.org) or [PyPy](http://pypy.org)
 Optional:
 - [pyinotify >= 0.8.3](https://github.com/seb-m/pyinotify)
@ -31,8 +31,8 @@ Optional:
 To install, just do:
-    tar xvfj fail2ban-0.8.10.tar.bz2
+    tar xvfj fail2ban-0.9.0.tar.bz2
-    cd fail2ban-0.8.10
+    cd fail2ban-0.9.0
    python setup.py install
 This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
--- a/38
+++ b/38
@ -1,22 +1,32 @@
-Fail2Ban is an open source project with many contributions from its
+Fail2Ban is an open source project which was conceived and originally
-users community. Below is an alphabetically sorted partial list of the
+developed by Cyril Jaquier until 2010.  Since then Fail2Ban grew into
-contributors to the project.  If you have been left off, please let us
+a community-driven project with many contributions from its users.
-know (preferably send a pull request on github with the "fix") and you
+Below is an alphabetically sorted partial list of the contributors to
-will be added
+the project.  If you have been left off, please let us know
 (preferably send a pull request on github with the "fix") and you will
 be added
 Adam Tkac
 Adrien Clerc
 ache
 ag4ve (Shawn)
 Alasdair D. Campbell
 Amir Caspi
 Andrey G. Grozin
 Andy Fragen
 Arturo 'Buanzo' Busleiman
 Axel Thimm
 Bas van den Dikkenberg
 Beau Raines
 Bill Heaton
 Carlos Alberto Lopez Perez
 Christian Rauch
 Christophe Carles
 Christoph Haas
 Christos Psonis
 Cyril Jaquier
 Daniel B. Cid
 Daniel B.
 Daniel Black
 David Nutter
 Eric Gerbier
@ -25,41 +35,59 @@ ftoppi
 François Boulogne
 Frédéric
 Georgiy Mernov
 Guilhem Lettron
 Guillaume Delvit
 Hanno 'Rince' Wagner
 Iain Lea
 Ivo Truxa
 John Thoe
 Jacques Lav!gnotte
 Ioan Indreias
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood
 Joël Bertrand
 JP Espinosa
 Justin Shore
 Kévin Drapel
 kjohnsonecl
 kojiro
 Lee Clemens
 Manuel Arostegui Ramirez
 Marcel Dopita
 Mark Edgington
 Mark McKinstry
 Mark White
 Markus Hoffmann
 Marvin Rouge
 mEDI
 Мернов Георгий
 Merijn Schering
 Michael C. Haller
 Michael Hanselmann
 Nick Munger
 onorua
 Patrick Börjesson
 Raphaël Marichez
 RealRancor
 René Berber
 Robert Edeker
 Rolf Fokkens
 Roman Gelfand
 Russell Odom
 Sebastian Arcus
 Sireyessire
 silviogarbes
 Stefan Tatschner
 Stephen Gildea
 Steven Hiscocks
 TESTOVIK
 Tom Pike
 Tyler
 Vaclav Misek
 Vincent Deffontaines
 Yaroslav Halchenko
 Winston Smith
 ykimon
 Yehuda Katz
 zugeschmiert
--- a/bin/fail2ban-client
+++ b/bin/fail2ban-client
@ -147,7 +147,8 @@ class Fail2banClient:
 					if showRet:
 						print beautifier.beautify(ret[1])
 				else:
-					logSys.debug("NOK: " + `ret[1].args`)
+					logSys.error("NOK: " + `ret[1].args`)
 					if showRet:
 						print beautifier.beautifyError(ret[1])
 					return False
 			except socket.error:
@ -375,7 +376,10 @@ class Fail2banClient:
 						if cmd == "help":
 							self.dispUsage()
 						elif not cmd == "":
 							try:
 								self.__processCommand(shlex.split(cmd))
 							except Exception, e:
 								logSys.error(e)
 			except (EOFError, KeyboardInterrupt):
 				print
 				return True
--- a/bin/fail2ban-regex
+++ b/bin/fail2ban-regex
@ -23,15 +23,13 @@ and bans the corresponding IP addresses using firewall rules.
 This tools can test regular expressions for "fail2ban".
 Report bugs to https://github.com/fail2ban/fail2ban/issues
 """
 __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2013 Yaroslav Halchenko"
 __license__ = "GPL"
-import getopt, sys, time, logging, os, locale, shlex
+import getopt, sys, time, logging, os, locale, shlex, urllib
 from optparse import OptionParser, Option
 from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
@ -43,7 +41,7 @@ except ImportError:
 	journal = None
 from fail2ban.version import version
-from fail2ban.client.configparserinc import SafeConfigParserWithIncludes
+from fail2ban.client.filterreader import FilterReader
 from fail2ban.server.filter import Filter
 from fail2ban.server.failregex import RegexException
@ -51,6 +49,12 @@ from fail2ban.tests.utils import FormatterWithTraceBack
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban")
 def debuggexURL(sample, regex):
 	q = urllib.urlencode({ 're': regex.replace('<HOST>', '(?&.ipv4)'),
 							'str': sample,
 							'flavor': 'python' })
 	return 'http://www.debuggex.com/?' + q
 def shortstr(s, l=53):
 	"""Return shortened string
 	"""
@ -103,6 +107,15 @@ REGEX:
 IGNOREREGEX:
    string                  a string representing an 'ignoreregex'
    filename                path to a filter file (filter.d/sshd.conf)
 Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
 Copyright of modifications held by their respective authors.
 Licensed under the GNU General Public License v2 (GPL).
 Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
 Many contributions by Yaroslav O. Halchenko and Steven Hiscocks.
 Report bugs to https://github.com/fail2ban/fail2ban/issues
 """,
 				version="%prog " + version)
@ -116,14 +129,15 @@ IGNOREREGEX:
 		Option("-m", "--journalmatch",
 			   help="journalctl style matches overriding filter file. "
 			   "\"systemd-journal\" only"),
 		Option("-v", "--verbose", action='store_true',
 			   help="Be verbose in output"),
 		Option('-l', "--log-level", type="choice",
 			   dest="log_level",
 			   choices=('heavydebug', 'debug', 'info', 'warning', 'error', 'fatal'),
 			   default=None,
 			   help="Log level for the Fail2Ban logger to use"),
 		Option("-v", "--verbose", action='store_true',
 			   help="Be verbose in output"),
 		Option("-D", "--debuggex", action='store_true',
 			   help="Produce debuggex.com urls for debugging there"),
 		Option("--print-all-missed", action='store_true',
 			   help="Either to print all missed lines"),
 		Option("--print-all-ignored", action='store_true',
@ -132,7 +146,6 @@ IGNOREREGEX:
 			   help="Enrich log-messages with compressed tracebacks"),
 		Option("--full-traceback", action='store_true',
 			   help="Either to make the tracebacks full, not compressed (as by default)"),
 		])
 	return p
@ -171,7 +184,9 @@ class LineStats(object):
 	def __init__(self):
 		self.tested = self.matched = 0
 		self.missed_lines = []
 		self.missed_lines_timeextracted = []
 		self.ignored_lines = []
 		self.ignored_lines_timeextracted = []
 	def __str__(self):
 		return "%(tested)d lines, %(ignored)d ignored, %(matched)d matched, %(missed)d missed" % self
@ -191,10 +206,9 @@ class LineStats(object):
 class Fail2banRegex(object):
 	CONFIG_DEFAULTS = {'configpath' : "/etc/fail2ban/"}
 	def __init__(self, opts):
 		self._verbose = opts.verbose
 		self._debuggex = opts.debuggex
 		self._print_all_missed = opts.print_all_missed
 		self._print_all_ignored = opts.print_all_ignored
 		self._maxlines_set = False		  # so we allow to override maxlines in cmdline
@ -223,7 +237,9 @@ class Fail2banRegex(object):
 		if not self._datepattern_set:
 			self._filter.setDatePattern(pattern)
 			self._datepattern_set = True
-			print "Use      datepattern : %s" % self._filter.getDatePattern()[1]
+			if pattern is not None:
 				print "Use      datepattern : %s" % (
 					self._filter.getDatePattern()[1], )
 	def setMaxLines(self, v):
 		if not self._maxlines_set:
@ -239,46 +255,37 @@ class Fail2banRegex(object):
 		assert(regextype in ('fail', 'ignore'))
 		regex = regextype + 'regex'
 		if os.path.isfile(value):
 			reader = SafeConfigParserWithIncludes(defaults=self.CONFIG_DEFAULTS)
 			try:
 				reader.read(value)
 			print "Use %11s file : %s" % (regex, value)
-				# TODO: reuse functionality in client
+			reader = FilterReader(value, 'fail2ban-regex-jail', {})
-				regex_values = [
+			reader.setBaseDir(None)
 					RegexStat(m)
 					for m in reader.get("Definition", regex).split('\n')
 					if m != ""]
 			except NoSectionError:
 				print "No [Definition] section in %s" % value
 				return False
 			except NoOptionError:
 				print "No %s option in %s" % (regex, value)
 				return False
 			except MissingSectionHeaderError:
 				print "No section headers in %s" % value
 				return False
 			if reader.readexplicit():
 				reader.getOptions(None)
 				readercommands = reader.convert()
 				regex_values = [
 					RegexStat(m[3])
 					for m in filter(
 						lambda x: x[0] == 'set' and x[2] == "add%sregex" % regextype,
 						readercommands)]
 				# Read out and set possible value of maxlines
-			try:
+				for command in readercommands:
-				maxlines = reader.get("Init", "maxlines")
+					if command[2] == "maxlines":
-			except (NoSectionError, NoOptionError):
+						maxlines = int(command[3])
 				# No [Init].maxlines found.
 				pass
 			else:
 						try:
 							self.setMaxLines(maxlines)
 						except ValueError:
 							print "ERROR: Invalid value for maxlines (%(maxlines)r) " \
 								  "read from %(value)s" % locals()
 							return False
-			# Read out and set possible value for journalmatch
+					elif command[2] == 'addjournalmatch':
-			try:
+						journalmatch = command[3]
 				journalmatch = reader.get("Init", "journalmatch")
 			except (NoSectionError, NoOptionError):
 				# No [Init].journalmatch found.
 				pass
 			else:
 						self.setJournalMatch(shlex.split(journalmatch))
 					elif command[2] == 'datepattern':
 						datepattern = command[3]
 						self.setDatePattern(datepattern)
 			else:
 				print "ERROR: failed to read %s" % value
 				return False
 		else:
 			print "Use %11s line : %s" % (regex, shortstr(value))
 			regex_values = [RegexStat(value)]
@ -293,7 +300,7 @@ class Fail2banRegex(object):
 	def testIgnoreRegex(self, line):
 		found = False
 		try:
-			ret = self._filter.ignoreLine(line)
+			ret = self._filter.ignoreLine([(line, "", "")])
 			if ret is not None:
 				found = True
 				regex = self._ignoreregex[ret].inc()
@ -302,11 +309,11 @@ class Fail2banRegex(object):
 			return False
 		return found
-	def testRegex(self, line):
+	def testRegex(self, line, date=None):
 		orgLineBuffer = self._filter._Filter__lineBuffer
 		fullBuffer = len(orgLineBuffer) >= self._filter.getMaxLines()
 		try:
-			ret = self._filter.processLine(line, checkAllRegex=True)
+			line, ret = self._filter.processLine(line, date, checkAllRegex=True)
 			for match in ret:
 				# Append True/False flag depending if line was matched by
 				# more than one regex
@ -318,59 +325,78 @@ class Fail2banRegex(object):
 			print e
 			return False
 		except IndexError:
-			print "Sorry, but no <host> found in regex"
+			print "Sorry, but no <HOST> found in regex"
 			return False
 		for bufLine in orgLineBuffer[int(fullBuffer):]:
 			if bufLine not in self._filter._Filter__lineBuffer:
-				if self.removeMissedLine(bufLine):
+				try:
 					self._line_stats.matched += 1
 		return len(ret) > 0
 	def removeMissedLine(self, line):
 		"""Remove `line` from missed lines, by comparing without time match"""
 		for n, missed_line in \
 				enumerate(reversed(self._line_stats.missed_lines)):
 			timeMatch = self._filter.dateDetector.matchTime(
 				missed_line, incHits=False)
 			if timeMatch:
 				logLine = (missed_line[:timeMatch.start()] +
 					missed_line[timeMatch.end():])
 			else:
 				logLine = missed_line
 			if logLine.rstrip("\r\n") == line:
 					self._line_stats.missed_lines.pop(
-					len(self._line_stats.missed_lines) - n - 1)
+						self._line_stats.missed_lines.index("".join(bufLine)))
-				return True
+					self._line_stats.missed_lines_timeextracted.pop(
-		return False
+						self._line_stats.missed_lines_timeextracted.index(
 							"".join(bufLine[::2])))
 				except ValueError:
 					pass
 				else:
 					self._line_stats.matched += 1
 		return line, ret
 	def process(self, test_lines):
 		for line_no, line in enumerate(test_lines):
-			if line.startswith('#') or not line.strip():
+			if isinstance(line, tuple):
 				line_datetimestripped, ret = fail2banRegex.testRegex(
 					line[0], line[1])
 				line = "".join(line[0])
 			else:
 				line = line.rstrip('\r\n')
 				if line.startswith('#') or not line:
 					# skip comment and empty lines
 					continue
-			is_ignored = fail2banRegex.testIgnoreRegex(line)
+				line_datetimestripped, ret = fail2banRegex.testRegex(line)
 			is_ignored = fail2banRegex.testIgnoreRegex(line_datetimestripped)
 			if is_ignored:
 				self._line_stats.ignored_lines.append(line)
 				self._line_stats.ignored_lines_timeextracted.append(line_datetimestripped)
-			if fail2banRegex.testRegex(line):
+			if len(ret) > 0:
 				assert(not is_ignored)
 				self._line_stats.matched += 1
 			else:
 				if not is_ignored:
 					self._line_stats.missed_lines.append(line)
 					self._line_stats.missed_lines_timeextracted.append(line_datetimestripped)
 			self._line_stats.tested += 1
-			if line_no % 10 == 0:
+			if line_no % 10 == 0 and self._filter.dateDetector is not None:
 				self._filter.dateDetector.sortTemplate()
 	def printLines(self, ltype):
 		lstats = self._line_stats
 		assert(len(lstats.missed_lines) == lstats.tested - (lstats.matched + lstats.ignored))
 		l = lstats[ltype + '_lines']
 		if len(l):
 			header = "%s line(s):" % (ltype.capitalize(),)
-			if len(l) < 20 or getattr(self, '_print_all_' + ltype):
+			if self._debuggex:
 				if ltype == 'missed':
 					regexlist = self._failregex
 				else:
 					regexlist = self._ignoreregex
 				l = lstats[ltype + '_lines_timeextracted']
 				lines = len(l)*len(regexlist)
 				if lines < 20 or getattr(self, '_print_all_' + ltype):
 					ans = [[]]
 					for arg in [l, regexlist]:
 					    ans = [ x + [y] for x in ans for y in arg ]
 					b = map(lambda a: a[0] +  ' | ' + a[1].getFailRegex() + ' |  ' + debuggexURL(a[0], a[1].getFailRegex()), ans)
 					pprint_list([x.rstrip() for x in b], header)
 				else:
 					print "%s: too many to print.  Use --print-all-%s " \
 						  "to print all %d lines" % (header, ltype, lines)
 			elif len(l) < 20 or getattr(self, '_print_all_' + ltype):
 				pprint_list([x.rstrip() for x in l], header)
 			else:
 				print "%s: too many to print.  Use --print-all-%s " \
@ -398,7 +424,7 @@ class Fail2banRegex(object):
 							"    %s  %s%s" % (
 								ip[1],
 								timeString,
-								ip[3] and " (multiple regex matched)" or ""))
+								ip[-1] and " (multiple regex matched)" or ""))
 			print "\n%s: %d total" % (title, total)
 			pprint_list(out, " #) [# of hits] regular expression")
@ -409,11 +435,13 @@ class Fail2banRegex(object):
 		_ = print_failregexes("Ignoreregex", self._ignoreregex)
 		if self._filter.dateDetector is not None:
 			print "\nDate template hits:"
 			out = []
 			for template in self._filter.dateDetector.getTemplates():
 				if self._verbose or template.getHits():
-				out.append("[%d] %s" % (template.getHits(), template.getName()))
+					out.append("[%d] %s" % (
 						template.getHits(), template.getName()))
 			pprint_list(out, "[# of hits] date format")
 		print "\nLines: %s" % self._line_stats
@ -493,7 +521,7 @@ if __name__ == "__main__":
 			sys.exit(-1)
 		myjournal = journal.Reader(converters={'__CURSOR': lambda x: x})
 		journalmatch = fail2banRegex._journalmatch
-		fail2banRegex.setDatePattern("ISO8601")
+		fail2banRegex.setDatePattern(None)
 		if journalmatch:
 			try:
 				for element in journalmatch:
--- a/bin/fail2ban-testcases
+++ b/bin/fail2ban-testcases
@ -48,7 +48,7 @@ def get_opt_parser():
 	p.add_options([
 		Option('-l', "--log-level", type="choice",
 			   dest="log_level",
-			   choices=('heavydebug', 'debug', 'info', 'warn', 'error', 'fatal'),
+			   choices=('heavydebug', 'debug', 'info', 'warning', 'error', 'fatal'),
 			   default=None,
 			   help="Log level for the logger to use during running tests"),
 		Option('-n', "--no-network", action="store_true",
@ -72,7 +72,7 @@ parser = get_opt_parser()
 logSys = logging.getLogger("fail2ban")
 # Numerical level of verbosity corresponding to a log "level"
-verbosity = {'heavydebug': 3,
+verbosity = {'heavydebug': 4,
 			 'debug': 3,
 			 'info': 2,
 			 'warning': 1,
--- a/config/action.d/apf.conf
+++ b/config/action.d/apf.conf
@ -0,0 +1,25 @@
 # Fail2Ban configuration file
 # https://www.rfxn.com/projects/advanced-policy-firewall/
 #
 # Note: APF doesn't play nicely with other actions. It has been observed to
 # remove bans created by other iptables based actions. If you are going to use
 # this action, use it for all of your jails.
 #
 # DON'T MIX APF and other IPTABLES based actions
 [Definition]
 actionstart = 
 actionstop = 
 actioncheck = 
 actionban = apf --deny <ip> "banned by Fail2Ban <name>"
 actionunban = apf --remove <ip>
 [Init]
 # Name used in APF configuration
 #
 name = default
 # DEV NOTES:
 #
 # Author: Mark McKinstry
--- a/config/action.d/blocklist_de.conf
+++ b/config/action.d/blocklist_de.conf
@ -0,0 +1,86 @@
 # Fail2Ban configuration file
 #
 # Author: Steven Hiscocks
 #
 #
 # Action to report IP address to blocklist.de
 # Blocklist.de must be signed up to at www.blocklist.de
 # Once registered, one or more servers can be added.
 # This action requires the server 'email address' and the assoicate apikey.
 #
 # From blocklist.de:
 #   www.blocklist.de is a free and voluntary service provided by a
 #   Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
 #   Mail-Login-, FTP-, Webserver- and other services.
 #   The mission is to report all attacks to the abuse deparments of the
 #   infected PCs/servers to ensure that the responsible provider can inform
 #   the customer about the infection and disable them
 #
 # IMPORTANT: 
 # 
 # Reporting an IP of abuse is a serious complaint. Make sure that it is
 # serious. Fail2ban developers and network owners recommend you only use this
 # action for:
 #   * The recidive where the IP has been banned multiple times
 #   * Where maxretry has been set quite high, beyond the normal user typing
 #     password incorrectly.
 #   * For filters that have a low likelyhood of receiving human errors
 #
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop =
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban =
 [Init]
 # Option:  email
 # Notes    server email address, as per blocklise.de account
 # Values:  STRING  Default: None
 #
 #email =
 # Option:  apikey
 # Notes    your user blocklist.de user account apikey
 # Values:  STRING  Default: None
 #
 #apikey =
 # Option:  service
 # Notes    service name you are reporting on, typically aligns with filter name
 #          see http://www.blocklist.de/en/httpreports.html for full list
 # Values:  STRING  Default: None
 #
 #service =
--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@ -58,7 +58,7 @@ actioncheck =
 actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
 	    IP=<ip>
            if [ ! -z "$ADDRESSES" ]; then
-                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '<ip>' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
+                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
            fi
 # Option:  actionunban
@ -78,7 +78,7 @@ logpath = /dev/null
 # Option:  mailcmd
 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
-# Values:  CMD  Default: mail -s
+# Values:  CMD
 #
 mailcmd = mail -s
@ -89,7 +89,7 @@ mailcmd = mail -s
 #          Appear to come from a different address - the '--' indicates
 #          arguments to be passed to Sendmail:
 #              -- -f me@example.com
-# Values:  [ STRING ]  Default: (empty)
+# Values:  [ STRING ]
 #
 mailargs =
--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
@ -106,7 +106,7 @@ actionunban = if [ -f <tmpfile>.first ]; then
 # Option:  port
 # Notes.:  The target port for the attack (numerical). MUST be provided in the
 #          jail config, as it cannot be detected here.
-# Values:  [ NUM ]  Default: ???
+# Values:  [ NUM ]
 #
 port = ???
@ -114,7 +114,7 @@ port = ???
 # Notes.:  Your DShield user ID. Should be provided either in the jail config or
 #          in a .local file.
 #          Register at https://secure.dshield.org/register.html
-# Values:  [ NUM ]  Default: 0
+# Values:  [ NUM ]
 #
 userid = 0
@ -137,7 +137,7 @@ protocol = tcp
 # Notes.:  How many lines to buffer before making a report. Regardless of this,
 #          reports are sent a minimum of <minreportinterval> apart, or if the
 #          buffer contains an event over <maxbufferage> old, or on shutdown
-# Values:  [ NUM ]  Default: 50
+# Values:  [ NUM ]
 #
 lines = 50
@ -145,7 +145,7 @@ lines = 50
 # Notes.:  Minimum period (in seconds) that must elapse before we submit another
 #          batch of reports. DShield request a minimum of 1 hour (3600 secs)
 #          between reports.
-# Values:  [ NUM ]  Default: 3600
+# Values:  [ NUM ]
 #
 minreportinterval = 3600
@ -154,27 +154,27 @@ minreportinterval = 3600
 #          submit the batch, even if we haven't reached <lines> yet. Note that
 #          this is only checked on each ban/unban, and that we always send
 #          anything in the buffer on shutdown. Must be greater than
-# Values:  [ NUM ]  Default: 21600 (6 hours)
+# Values:  [ NUM ]
 #
 maxbufferage = 21600
 # Option:  srcport
 # Notes.:  The source port of the attack. You're unlikely to have this info, so
 #          you can leave the default
-# Values:  [ NUM ]  Default: ???
+# Values:  [ NUM ]
 #
 srcport = ???
 # Option:  tcpflags
 # Notes.:  TCP flags on attack. You're unlikely to have this info, so you can
 #          leave empty
-# Values:  [ STRING ]  Default: (empty)
+# Values:  [ STRING ]
 #
 tcpflags =
 # Option:  mailcmd
 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
-# Values:  CMD  Default: mail -s
+# Values:  CMD
 #
 mailcmd = mail -s
@ -186,19 +186,19 @@ mailcmd = mail -s
 #          the one configured at DShield - the '--' indicates arguments to be
 #          passed to Sendmail):
 #              -- -f me@example.com
-# Values:  [ STRING ]  Default: (empty)
+# Values:  [ STRING ]
 #
 mailargs =
 # Option:  dest
 # Notes.:  Destination e-mail address for reports
-# Values:  [ STRING ]  Default: reports@dshield.org
+# Values:  [ STRING ]
 #
 dest = reports@dshield.org
 # Option:  tmpfile
 # Notes.:  Base name of temporary files used for buffering
-# Values:  [ STRING ]  Default: /var/run/fail2ban/tmp-dshield
+# Values:  [ STRING ]
 #
 tmpfile = /var/run/fail2ban/tmp-dshield
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@ -0,0 +1,69 @@
 # Fail2Ban action file for firewall-cmd/ipset
 #
 # This requires:
 # ipset (package: ipset)
 # firewall-cmd (package: firewalld)
 #
 # This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
 # Use ipset -V to see the protocol and version.
 #
 # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
 #
 # If you are running on an older kernel you make need to patch in external
 # modules.
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
 actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
             ipset flush fail2ban-<name>
             ipset destroy fail2ban-<name>
 actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$'
 actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
 actionunban = ipset del fail2ban-<name> <ip> -exist
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ]
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
 # Values:  [ STRING ]
 #
 chain = INPUT_direct
 # Option: bantime
 # Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values:  [ NUM ]  Default: 600
 bantime = 600
 # DEV NOTES:
 #
 # Author: Edgar Hoch and Daniel Black
 # firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
--- a/config/action.d/firewallcmd-new.conf
+++ b/config/action.d/firewallcmd-new.conf
@ -0,0 +1,72 @@
 # Fail2Ban configuration file
 #
 # Because of the --remove-rules in stop this action requires firewalld-0.3.8+
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-<name>
              firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 1000 -j RETURN
              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
 actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
             firewall-cmd --direct --remove-rules ipv4 filter f2b-<name>
             firewall-cmd --direct --remove-chain ipv4 filter f2b-<name>
 actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-<name>$'
 actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
 actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
 [Init]
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ]
 #
 protocol = tcp
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
 # Values:  [ STRING ]
 #
 chain = INPUT_direct
 # DEV NOTES:
 #
 # Author: Edgar Hoch
 # Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
 #  It uses "firewall-cmd" instead of "iptables".
 #
 # Output:
 # 
 # $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name
 # success
 # $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN
 # success
 # $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp --dport 22 -j fail2ban-name
 # success
 # $ firewall-cmd --direct --get-chains ipv4 filter
 # fail2ban-name
 # $ firewall-cmd --direct --get-chains ipv4 filter  | od -h
 # 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65
 # $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $?
 # 0
 # $ firewall-cmd -V
 # 0.3.8
--- a/config/action.d/ipfw.conf
+++ b/config/action.d/ipfw.conf
@ -43,7 +43,7 @@ actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
+actionunban = ipfw delete `ipfw list | grep -i "[^0-9]<ip>[^0-9]" | awk '{print $1;}'`
 [Init]
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@ -17,23 +17,23 @@ before = iptables-blocktype.conf
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = iptables -N f2b-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              iptables -A f2b-<name> -j RETURN
-              iptables -I <chain> -p <protocol> -j fail2ban-<name>
+              iptables -I <chain> -p <protocol> -j f2b-<name>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -j f2b-<name>
-             iptables -F fail2ban-<name>
+             iptables -F f2b-<name>
-             iptables -X fail2ban-<name>
+             iptables -X f2b-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -41,7 +41,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -49,7 +49,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
--- a/config/action.d/iptables-ipset-proto4.conf
+++ b/config/action.d/iptables-ipset-proto4.conf
@ -11,12 +11,11 @@
 # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
 #
 # If you are running on an older kernel you make need to patch in external
-# modules.
+# modules. Debian squeeze can do this with:
-#
+#   apt-get install xtables-addons-source 
 # On Debian machines this can be done with:
 #
 # apt-get install ipset xtables-addons-source 
 #   module-assistant auto-install xtables-addons
 #
 # Debian wheezy and above uses protocol 6
 [INCLUDES]
@ -28,16 +27,16 @@ before = iptables-blocktype.conf
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = ipset --create fail2ban-<name> iphash
+actionstart = ipset --create f2b-<name> iphash
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
-             ipset --flush fail2ban-<name>
+             ipset --flush f2b-<name>
-             ipset --destroy fail2ban-<name>
+             ipset --destroy f2b-<name>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -45,7 +44,7 @@ actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = ipset --test fail2ban-<name> <ip> ||  ipset --add fail2ban-<name> <ip>
+actionban = ipset --test f2b-<name> <ip> ||  ipset --add f2b-<name> <ip>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -53,7 +52,7 @@ actionban = ipset --test fail2ban-<name> <ip> ||  ipset --add fail2ban-<name> <i
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = ipset --test fail2ban-<name> <ip> && ipset --del fail2ban-<name> <ip>
+actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
 [Init]
--- a/config/action.d/iptables-ipset-proto6-allports.conf
+++ b/config/action.d/iptables-ipset-proto6-allports.conf
@ -0,0 +1,64 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
 #
 # This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
 # Use ipset -V to see the protocol and version. Version 4 should use
 # iptables-ipset-proto4.conf.
 #
 # This requires the program ipset which is normally in package called ipset.
 #
 # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
 #
 # If you are running on an older kernel you make need to patch in external
 # modules which probably won't be protocol version 6.
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
              iptables -I INPUT -m set --match-set f2b-<name> src -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = iptables -D INPUT -m set --match-set f2b-<name> src -j <blocktype>
             ipset flush f2b-<name>
             ipset destroy f2b-<name>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = ipset del f2b-<name> <ip> -exist
 [Init]
 # Default name of the ipset
 #
 name = default
 # Option: bantime
 # Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values:  [ NUM ]  Default: 600
 bantime = 600
--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf
@ -12,11 +12,6 @@
 #
 # If you are running on an older kernel you make need to patch in external
 # modules.
 #
 # On Debian machines this can be done with:
 #
 # apt-get install ipset xtables-addons-source 
 # module-assistant auto-install xtables-addons
 [INCLUDES]
@ -29,16 +24,16 @@ before = iptables-blocktype.conf
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
+              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
-             ipset flush fail2ban-<name>
+             ipset flush f2b-<name>
-             ipset destroy fail2ban-<name>
+             ipset destroy f2b-<name>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -46,7 +41,7 @@ actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -54,7 +49,7 @@ actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = ipset del fail2ban-<name> <ip> -exist
+actionunban = ipset del f2b-<name> <ip> -exist
 [Init]
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@ -3,9 +3,9 @@
 # Author: Guido Bozzetto
 # Modified: Cyril Jaquier
 #
-# make "fail2ban-<name>" chain to match drop IP
+# make "f2b-<name>" chain to match drop IP
-# make "fail2ban-<name>-log" chain to log and drop
+# make "f2b-<name>-log" chain to log and drop
-# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
+# insert a jump to f2b-<name> from -I <chain> if proto/port match
 #
 #
@ -19,28 +19,28 @@ before = iptables-blocktype.conf
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = iptables -N f2b-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              iptables -A f2b-<name> -j RETURN
-              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
-              iptables -N fail2ban-<name>-log
+              iptables -N f2b-<name>-log
-              iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+              iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
-              iptables -A fail2ban-<name>-log -j <blocktype>
+              iptables -A f2b-<name>-log -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
-             iptables -F fail2ban-<name>
+             iptables -F f2b-<name>
-             iptables -F fail2ban-<name>-log
+             iptables -F f2b-<name>-log
-             iptables -X fail2ban-<name>
+             iptables -X f2b-<name>
-             iptables -X fail2ban-<name>-log
+             iptables -X f2b-<name>-log
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
+actioncheck = iptables -n -L f2b-<name>-log >/dev/null
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -48,7 +48,7 @@ actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
+actionban = iptables -I f2b-<name> 1 -s <ip> -j f2b-<name>-log
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -56,7 +56,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
+actionunban = iptables -D f2b-<name> -s <ip> -j f2b-<name>-log
 [Init]
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@ -14,23 +14,23 @@ before = iptables-blocktype.conf
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = iptables -N f2b-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              iptables -A f2b-<name> -j RETURN
-              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
-             iptables -F fail2ban-<name>
+             iptables -F f2b-<name>
-             iptables -X fail2ban-<name>
+             iptables -X f2b-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -38,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -46,7 +46,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@ -17,23 +17,23 @@ before = iptables-blocktype.conf
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = iptables -N f2b-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              iptables -A f2b-<name> -j RETURN
-              iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+              iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
-             iptables -F fail2ban-<name>
+             iptables -F f2b-<name>
-             iptables -X fail2ban-<name>
+             iptables -X f2b-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -41,7 +41,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -49,7 +49,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
--- a/config/action.d/iptables-xt_recent-echo.conf
+++ b/config/action.d/iptables-xt_recent-echo.conf
@ -23,29 +23,29 @@ before = iptables-blocktype.conf
 # iptables-persistent package).
 # 
 # Explanation of the rule below:
-#    Check if any packets coming from an IP on the fail2ban-<name>
+#    Check if any packets coming from an IP on the f2b-<name>
 #    list have been seen in the last 3600 seconds. If yes, update the
 #    timestamp for this IP and drop the packet. If not, let the packet
 #    through.
 #
-#    Fail2ban inserts blacklisted hosts into the fail2ban-<name> list
+#    Fail2ban inserts blacklisted hosts into the f2b-<name> list
 #    and removes them from the list after some time, according to its
 #    own rules. The 3600 second timeout is independent and acts as a
 #    safeguard in case the fail2ban process dies unexpectedly. The
 #    shorter of the two timeouts actually matters.
-actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>
+actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = echo / > /proc/net/xt_recent/fail2ban-<name>
+actionstop = echo / > /proc/net/xt_recent/f2b-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = test -e /proc/net/xt_recent/fail2ban-<name>
+actioncheck = test -e /proc/net/xt_recent/f2b-<name>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -53,7 +53,7 @@ actioncheck = test -e /proc/net/xt_recent/fail2ban-<name>
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = echo +<ip> > /proc/net/xt_recent/fail2ban-<name>
+actionban = echo +<ip> > /proc/net/xt_recent/f2b-<name>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -61,7 +61,7 @@ actionban = echo +<ip> > /proc/net/xt_recent/fail2ban-<name>
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = echo -<ip> > /proc/net/xt_recent/fail2ban-<name>
+actionunban = echo -<ip> > /proc/net/xt_recent/f2b-<name>
 [Init]
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@ -14,23 +14,23 @@ before = iptables-blocktype.conf
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = iptables -N f2b-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              iptables -A f2b-<name> -j RETURN
-              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+              iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name>
-             iptables -F fail2ban-<name>
+             iptables -F f2b-<name>
-             iptables -X fail2ban-<name>
+             iptables -X f2b-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -38,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -46,7 +46,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@ -14,7 +14,7 @@ actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Output will be buffered until <lines> lines are available.\n
              Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -25,13 +25,13 @@ actionstop = if [ -f <tmpfile> ]; then
                 These hosts have been banned by Fail2Ban.\n
                 `cat <tmpfile>`
                 Regards,\n
-                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
+                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
                 rm <tmpfile>
             fi
             printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
--- a/config/action.d/mail-whois-lines.conf
+++ b/config/action.d/mail-whois-lines.conf
@ -13,7 +13,7 @@
 actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -22,7 +22,7 @@ actionstart = printf %%b "Hi,\n
 actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -39,12 +39,12 @@ actioncheck =
 actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
-            Here are more information about <ip>:\n
+            Here is more information about <ip>:\n
-            `whois <ip>`\n\n
+            `whois <ip> || echo missing whois program`\n\n
            Lines containing IP:<ip> in <logpath>\n
-            `grep '\<<ip>\>' <logpath>`\n\n
+            `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
            Regards,\n
-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from  `uname -n`" <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
--- a/config/action.d/mail-whois.conf
+++ b/config/action.d/mail-whois.conf
@ -13,7 +13,7 @@
 actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -22,7 +22,7 @@ actionstart = printf %%b "Hi,\n
 actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -39,10 +39,10 @@ actioncheck =
 actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
-            Here are more information about <ip>:\n
+            Here is more information about <ip>:\n
-            `whois <ip>`\n
+            `whois <ip> || echo missing whois program`\n
            Regards,\n
-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
--- a/config/action.d/mail.conf
+++ b/config/action.d/mail.conf
@ -13,7 +13,7 @@
 actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on `uname -n`" <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -22,7 +22,7 @@ actionstart = printf %%b "Hi,\n
 actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -40,7 +40,7 @@ actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
--- a/config/action.d/osx-afctl.conf
+++ b/config/action.d/osx-afctl.conf
@ -0,0 +1,16 @@
 # Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
 #
 # Anonymous author
 # http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081
 #
 # Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
 [Definition]
 actionstart = 
 actionstop = 
 actioncheck = 
 actionban = /usr/libexec/afctl -a <ip> -t <bantime>
 actionunban = /usr/libexec/afctl -r <ip>
 [Init]
 bantime = 2880
--- a/config/action.d/pf.conf
+++ b/config/action.d/pf.conf
@ -56,7 +56,7 @@ actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
 [Init]
 # Option:  tablename
 # Notes.:  The pf table name.
-# Values:  [ STRING ]  Default: fail2ban
+# Values:  [ STRING ]
 #
 tablename = fail2ban
--- a/config/action.d/sendmail-buffered.conf
+++ b/config/action.d/sendmail-buffered.conf
@ -14,7 +14,7 @@ before = sendmail-common.conf
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
@ -28,7 +28,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
 # Values:  CMD
 #
 actionstop = if [ -f <tmpfile> ]; then
-                 printf %%b "Subject: [Fail2Ban] <name>: summary
+                 printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
                 From: <sendername> <<sender>>
                 To: <dest>\n
                 Hi,\n
@ -38,7 +38,7 @@ actionstop = if [ -f <tmpfile> ]; then
                 Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
                 rm <tmpfile>
             fi
-             printf %%b "Subject: [Fail2Ban] <name>: stopped
+             printf %%b "Subject: [Fail2Ban] <name>: stopped  on `uname -n`
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
@ -61,7 +61,7 @@ actioncheck =
 actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
            LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
            if [ $LINE -ge <lines> ]; then
-                printf %%b "Subject: [Fail2Ban] <name>: summary
+                printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
                From: <sendername> <<sender>>
                To: <dest>\n
                Hi,\n
--- a/config/action.d/sendmail-common.conf
+++ b/config/action.d/sendmail-common.conf
@ -8,6 +8,56 @@
 after = sendmail-common.local
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = 
 [Init]
 # Recipient mail address
--- a/config/action.d/sendmail-whois-ipjailmatches.conf
+++ b/config/action.d/sendmail-whois-ipjailmatches.conf
@ -0,0 +1,37 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
 #
 #
 [INCLUDES]
 before = sendmail-common.conf
 [Definition]
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here are more information about <ip>:\n
            `/usr/bin/whois <ip>`\n\n
            Matches for <name> with <ipjailfailures> failures IP:<ip>\n
            <ipjailmatches>\n\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 [Init]
 # Default name of the chain
 #
 name = default
--- a/config/action.d/sendmail-whois-ipmatches.conf
+++ b/config/action.d/sendmail-whois-ipmatches.conf
@ -0,0 +1,37 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
 #
 #
 [INCLUDES]
 before = sendmail-common.conf
 [Definition]
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here are more information about <ip>:\n
            `/usr/bin/whois <ip>`\n\n
            Matches with <ipfailures> failures IP:<ip>\n
            <ipmatches>\n\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 [Init]
 # Default name of the chain
 #
 name = default
--- a/config/action.d/sendmail-whois-lines.conf
+++ b/config/action.d/sendmail-whois-lines.conf
@ -10,66 +10,26 @@ before = sendmail-common.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
-            Here are more information about <ip>:\n
+            Here is more information about <ip>:\n
-            `/usr/bin/whois <ip>`\n\n
+            `/usr/bin/whois <ip> || echo missing whois program`\n\n
            Lines containing IP:<ip> in <logpath>\n
-            `grep '\<<ip>\>' <logpath>`\n\n
+            `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = 
 [Init]
 # Default name of the chain
--- a/config/action.d/sendmail-whois-matches.conf
+++ b/config/action.d/sendmail-whois-matches.conf
@ -0,0 +1,37 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
 #
 #
 [INCLUDES]
 before = sendmail-common.conf
 [Definition]
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here are more information about <ip>:\n
            `/usr/bin/whois <ip>`\n\n
            Matches:\n
            <matches>\n\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 [Init]
 # Default name of the chain
 #
 name = default
--- a/config/action.d/sendmail-whois.conf
+++ b/config/action.d/sendmail-whois.conf
@ -10,64 +10,24 @@ before = sendmail-common.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
-            Here are more information about <ip>:\n
+            Here is more information about <ip>:\n
-            `/usr/bin/whois <ip>`\n
+            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = 
 [Init]
 # Default name of the chain
--- a/config/action.d/sendmail.conf
+++ b/config/action.d/sendmail.conf
@ -10,45 +10,13 @@ before = sendmail-common.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n
@ -58,14 +26,6 @@ actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = 
 [Init]
 # Default name of the chain
--- a/config/action.d/smtp.py
+++ b/config/action.d/smtp.py
@ -0,0 +1,225 @@
 # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
 # vi: set ft=python sts=4 ts=4 sw=4 noet :
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # Fail2Ban is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 import sys
 import socket
 import smtplib
 from email.mime.text import MIMEText
 from email.utils import formatdate, formataddr
 from fail2ban.server.actions import ActionBase, CallingMap
 messages = {}
 messages['start'] = \
 """Hi,
 The jail %(jailname)s has been started successfully.
 Regards,
 Fail2Ban"""
 messages['stop'] = \
 """Hi,
 The jail %(jailname)s has been stopped.
 Regards,
 Fail2Ban"""
 messages['ban'] = {}
 messages['ban']['head'] = \
 """Hi,
 The IP %(ip)s has just been banned for %(bantime)s seconds
 by Fail2Ban after %(failures)i attempts against %(jailname)s.
 """
 messages['ban']['tail'] = \
 """
 Regards,
 Fail2Ban"""
 messages['ban']['matches'] = \
 """
 Matches for this ban:
 %(matches)s
 """
 messages['ban']['ipmatches'] = \
 """
 Matches for %(ip)s:
 %(ipmatches)s
 """
 messages['ban']['ipjailmatches'] = \
 """
 Matches for %(ip)s for jail %(jailname)s:
 %(ipjailmatches)s
 """
 class SMTPAction(ActionBase):
 	"""Fail2Ban action which sends emails to inform on jail starting,
 	stopping and bans.
 	"""
 	def __init__(
 		self, jail, name, host="localhost", user=None, password=None,
 		sendername="Fail2Ban", sender="fail2ban", dest="root", matches=None):
 		"""Initialise action.
 		Parameters
 		----------
 		jail : Jail
 			The jail which the action belongs to.
 		name : str
 			Named assigned to the action.
 		host : str, optional
 			SMTP host, of host:port format. Default host "localhost" and
 			port "25"
 		user : str, optional
 			Username used for authentication with SMTP server.
 		password : str, optional
 			Password used for authentication with SMTP server.
 		sendername : str, optional
 			Name to use for from address in email. Default "Fail2Ban".
 		sender : str, optional
 			Email address to use for from address in email.
 			Default "fail2ban".
 		dest : str, optional
 			Email addresses of intended recipient(s) in comma delimited
 			format. Default "root".
 		matches : str, optional
 			Type of matches to be included from ban in email. Can be one
 			of "matches", "ipmatches" or "ipjailmatches". Default None
 			(see man jail.conf.5).
 		"""
 		super(SMTPAction, self).__init__(jail, name)
 		self.host = host
 		#TODO: self.ssl = ssl
 		self.user = user
 		self.password =password
 		self.fromname = sendername
 		self.fromaddr = sender
 		self.toaddr = dest
 		self.matches = matches
 		self.message_values = CallingMap(
 			jailname = self._jail.getName(), # Doesn't change
 			hostname = socket.gethostname,
 			bantime = self._jail.actions.getBanTime,
 			)
 	def _sendMessage(self, subject, text):
 		"""Sends message based on arguments and instance's properties.
 		Parameters
 		----------
 		subject : str
 			Subject of the email.
 		text : str
 			Body of the email.
 		Raises
 		------
 		SMTPConnectionError
 			Error on connecting to host.
 		SMTPAuthenticationError
 			Error authenticating with SMTP server.
 		SMTPException
 			See Python `smtplib` for full list of other possible
 			exceptions.
 		"""
 		msg = MIMEText(text)
 		msg['Subject'] = subject
 		msg['From'] = formataddr((self.fromname, self.fromaddr))
 		msg['To'] = self.toaddr
 		msg['Date'] = formatdate()
 		smtp = smtplib.SMTP()
 		try:
 			self._logSys.debug("Connected to SMTP '%s', response: %i: %s",
 				self.host, *smtp.connect(self.host))
 			if self.user and self.password:
 				smtp.login(self.user, self.password)
 			failed_recipients = smtp.sendmail(
 				self.fromaddr, self.toaddr, msg.as_string())
 		except smtplib.SMTPConnectError:
 			self._logSys.error("Error connecting to host '%s'", self.host)
 			raise
 		except smtplib.SMTPAuthenticationError:
 			self._logSys.error(
 				"Failed to authenticate with host '%s' user '%s'",
 				self.host, self.user)
 			raise
 		except smtplib.SMTPException:
 			self._logSys.error(
 				"Error sending mail to host '%s' from '%s' to '%s'",
 				self.host, self.fromaddr, self.toaddr)
 			raise
 		else:
 			if failed_recipients:
 				self._logSys.warning(
 					"Email to '%s' failed to following recipients: %r",
 					self.toaddr, failed_recipients)
 			self._logSys.debug("Email '%s' successfully sent", subject)
 		finally:
 			try:
 				self._logSys.debug("Disconnected from '%s', response %i: %s",
 					self.host, *smtp.quit())
 			except smtplib.SMTPServerDisconnected:
 				pass # Not connected
 	def start(self):
 		"""Sends email to recipients informing that the jail has started.
 		"""
 		self._sendMessage(
 			"[Fail2Ban] %(jailname)s: started on %(hostname)s" %
 				self.message_values,
 			messages['start'] % self.message_values)
 	def stop(self):
 		"""Sends email to recipients informing that the jail has stopped.
 		"""
 		self._sendMessage(
 			"[Fail2Ban] %(jailname)s: stopped on %(hostname)s" %
 				self.message_values,
 			messages['stop'] % self.message_values)
 	def ban(self, aInfo):
 		"""Sends email to recipients informing that ban has occurred.
 		Parameters
 		----------
 		aInfo : dict
 			Dictionary which includes information in relation to
 			the ban.
 		"""
 		aInfo.update(self.message_values)
 		message = "".join([
 			messages['ban']['head'],
 			messages['ban'].get(self.matches, ""),
 			messages['ban']['tail']
 			])
 		self._sendMessage(
 			"[Fail2Ban] %(jailname)s: banned %(ip)s from %(hostname)s" %
 				aInfo,
 			message % aInfo)
 Action = SMTPAction
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@ -0,0 +1,40 @@
 # Fail2Ban action configuration file for ufw
 #
 # You are required to run "ufw enable" before this will have an effect.
 #
 # The insert position should be approprate to block the required traffic.
 # A number after an allow rule to the application won't be much use.
 [Definition]
 actionstart = 
 actionstop = 
 actioncheck = 
 actionban = [ -n "<application>" ] && app="app <application>" ; ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
 actionunban = [ -n "<application>" ] && app="app <application>" ; ufw delete <blocktype> from <ip> to <destination> $app
 [Init]
 # Option: insertpos
 # Notes.:  The postition number in the firewall list to insert the block rule
 insertpos = 1
 # Option: blocktype
 # Notes.: reject or deny
 blocktype = reject
 # Option: destination
 # Notes.: The destination address to block in the ufw rule
 destination = any
 # Option: application
 # Notes.: application from sudo ufw app list
 application = 
 # DEV NOTES:
 # 
 # Author: Guilhem Lettron
 # Enhancements: Daniel Black
--- a/config/action.d/xarf-login-attack.conf
+++ b/config/action.d/xarf-login-attack.conf
@ -0,0 +1,125 @@
 # Fail2Ban action for sending xarf Login-Attack messages to IP owner
 #
 # IMPORTANT: 
 # 
 # Emailing a IP owner of abuse is a serious complain. Make sure that it is
 # serious. Fail2ban developers and network owners recommend you only use this
 # action for:
 #   * The recidive where the IP has been banned multiple times
 #   * Where maxretry has been set quite high, beyond the normal user typing
 #     password incorrectly.
 #   * For filters that have a low likelyhood of receiving human errors
 #
 # DEPENDANCIES:
 #
 # This requires the dig command from bind-utils
 #
 # This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
 #
 # XARF is a specification for sending a formatted response
 # for non-messaging based abuse including:
 #
 # Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
 #
 # For details see:
 # https://github.com/abusix/xarf-specification
 # http://www.x-arf.org/schemata.html
 #
 # Author: Daniel Black
 # Based on complain written by Russell Odom <russ@gloomytrousers.co.uk>
 #
 #
 [Definition]
 actionstart =
 actionstop =
 actioncheck =
 actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP} ;ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
            IP=<ip>
            FROM=<sender>
            SERVICE=<service>
            FAILURES=<failures>
            MATCHES='<matches>'
            REPORTID=<time>@`uname -n`
            TLP=<tlp>
            PORT=<port>
            DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
            if [ ! -z "$ADDRESSES" ]; then
                (printf -- %%b "<header>\n<message>\n<report>\n${MATCHES}\n";
                 date '+Note: Local timezone is %%z (%%Z)';
                 printf -- %%b "<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
            fi
 actionunban =
 [Init]
 # Option: header
 # Notes:  This is really a fixed value
 header  = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n  boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
 # Option: footer
 # Notes:  This is really a fixed value and needs to match the report and header
 #         mime delimiters
 footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
 # Option: report
 # Notes:  Intended to be fixed
 report =  --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
 # Option: Message
 # Notes:  This can be modified by the users 
 message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
 # Option:  loglines
 # Notes.:  The number of log lines to search for the IP for the report
 loglines = 9000
 # Option:  mailcmd
 # Notes.:  Your system mail command. It is passed the recipient
 # Values:  CMD
 #
 mailcmd =  /usr/sbin/sendmail
 # Option:  mailargs
 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
 #          CC reports to another address:
 #              -c me@example.com
 #          Appear to come from a different address - the '--' indicates
 #          arguments to be passed to Sendmail:
 #              -- -f me@example.com
 # Values:  [ STRING ]
 #
 mailargs = -f <sender>
 # Option:  tlp
 # Notes.:  Traffic light protocol defining the sharing of this information.
 #          http://www.trusted-introducer.org/ISTLPv11.pdf
 #          green is share to those involved in network security but it is not 
 #          to be released to the public.
 tlp = green
 # ALL of the following parameters should be set so the report contains
 # meaningful information
 # Option: service
 # Notes.: This is the service type that was attacked. e.g. ssh, pop3
 service = unspecified
 # Option:  logpath
 # Notes:   Path to the log files which contain relevant lines for the abuser IP
 # Values:  Filename(s) space separated and can contain wildcards (these are
 #          greped for the IP so make sure these aren't too long
 logpath = /dev/null
 # Option:  sender
 # Notes.:  This is the sender that is included in the XARF report
 sender = fail2ban@`uname -n`
 # Option:  port
 # Notes.:  This is the port number that received the login-attack
 port = 0
--- a/config/fail2ban.conf
+++ b/config/fail2ban.conf
@ -17,7 +17,7 @@
 #         2 = WARN
 #         3 = INFO
 #         4 = DEBUG
-# Values:  NUM  Default:  3
+# Values: [ NUM ]  Default: 1
 #
 loglevel = 3
@ -28,7 +28,7 @@ loglevel = 3
 #         using logrotate -- also adjust or disable rotation in the
 #         corresponding configuration file
 #         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
-# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
+# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
 #
 logtarget = /var/log/fail2ban.log
@ -36,14 +36,26 @@ logtarget = /var/log/fail2ban.log
 # Notes.: Set the socket file. This is used to communicate with the daemon. Do
 #         not remove this file when Fail2ban runs. It will not be possible to
 #         communicate with the server afterwards.
-# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
 #
 socket = /var/run/fail2ban/fail2ban.sock
 # Option: pidfile
 # Notes.: Set the PID file. This is used to store the process ID of the
 #         fail2ban server.
-# Values: FILE  Default:  /var/run/fail2ban/fail2ban.pid
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
 #
 pidfile = /var/run/fail2ban/fail2ban.pid
 # Options: dbfile
 # Notes.: Set the file for the fail2ban persistent data to be stored.
 #         A value of ":memory:" means database is only stored in memory 
 #         and data is lost once fail2ban is stops.
 #         A value of "None" disables the database.
 # Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
 dbfile = /var/lib/fail2ban/fail2ban.sqlite3
 # Options: dbpurgeage
 # Notes.: Sets age at which bans should be purged from the database
 # Values: [ SECONDS ] Default: 86400 (24hours)
 dbpurgeage = 86400
--- a/config/filter.d/3proxy.conf
+++ b/config/filter.d/3proxy.conf
@ -1,18 +1,18 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for 3proxy
 #
 # Author: Daniel Black
 #
 # Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
 #
 [Definition]
-# Option:  failregex
+
 # Notes.:  http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
 #          all authentication problems (%E field)
 #          Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
 # Values:  TEXT
 #
 failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
 ignoreregex = 
 # DEV Notes:
 # http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
 # all authentication problems (%E field)
 # Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
 #
 # Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
 # Author: Daniel Black
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@ -1,17 +1,33 @@
-# Fail2Ban configuration file
+# Fail2Ban apache-auth filter
 #
 # Author: Cyril Jaquier
 #
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
-# common.local
+# apache-common.local
 before = apache-common.conf
 [Definition]
 failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
 ignoreregex = 
 # DEV Notes:
 #
 # This filter matches the authorization failures of Apache. It takes the log messages
 # from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
 # HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
@ -34,23 +50,7 @@ before = apache-common.conf
 #     ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
 #     ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
 #
-failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
+# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c
            ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
            ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 # 
-ignoreregex = 
+# Author: Cyril Jaquier
 # Major edits by Daniel Black
--- a/config/filter.d/apache-badbots.conf
+++ b/config/filter.d/apache-badbots.conf
@ -1,27 +1,21 @@
 # Fail2Ban configuration file
 #
-# List of bad bots fetched from http://www.user-agents.org
+# Regexp to catch known spambots and software alike. Please verify
-# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
+# that it is your intent to block IPs which were driven by
-#
+# above mentioned bots.
-# Author: Yaroslav Halchenko
+
 #
 #
 [Definition]
 badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
-badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
+badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
 # Option:  failregex
 # Notes.:  Regexp to catch known spambots and software alike. Please verify
 #          that it is your intent to block IPs which were driven by
 #          above mentioned bots.
 # Values:  TEXT
 #
 failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
 # DEV Notes:
 # List of bad bots fetched from http://www.user-agents.org
 # Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
 #
 # Author: Yaroslav Halchenko
--- a/config/filter.d/apache-botsearch.conf
+++ b/config/filter.d/apache-botsearch.conf
@ -0,0 +1,48 @@
 # Fail2Ban filter to match web requests for selected URLs that don't exist
 #
 # This filter is aimed at blocking specific URLs that don't exist. This
 # could be a set of URLs places in a Disallow: directive in robots.txt or
 # just some web services that don't exist caused bots are searching for
 # exploitable content. This filter is designed to have a low false postitive
 # rate due.
 #
 # An alternative to this is the apache-noscript filter which blocks all
 # types of scripts that don't exist.
 #
 #
 # This is normally a predefined list of exploitable or valuable web services
 # that are hidden or aren't actually installed.
 #
 [INCLUDES]
 # overwrite with apache-common.local if _apache_error_client is incorrect.
 before = apache-common.conf
 [Definition]
 failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$
            ^%(_apache_error_client)s script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$
 ignoreregex = 
 [Init]
 # Webroot represents the webroot on which all other files are based
 webroot = /var/www/
 # Block is the actual non-found directories to block
 block = (<webmail>|<phpmyadmin>|<wordpress>)[^,]*
 # These are just convient definitions that assist the blocking of stuff that 
 # isn't installed
 webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
 phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
 wordpress = wp-(login|signup)\.php
 # DEV Notes:
 #
 # Author: Daniel Black
--- a/config/filter.d/apache-common.conf
+++ b/config/filter.d/apache-common.conf
@ -1,21 +1,21 @@
 # Generic configuration items (to be used as interpolations) in other
-# apache filters
+# apache filters.
 #
 # Author: Yaroslav Halchenko
 #
 #
 [INCLUDES]
 # Load customizations if any available
 after = apache-common.local
 [DEFAULT]
 _apache_error_client = \[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
 # Common prefix for [error] apache messages which also would include <HOST>
 # Depending on the version it could be
 # 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
 # 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
 # 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to 
 #
 # Reference: https://github.com/fail2ban/fail2ban/issues/268
-_apache_error_client = \[\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
+#
 # Author: Yaroslav Halchenko
--- a/config/filter.d/apache-modsecurity.conf
+++ b/config/filter.d/apache-modsecurity.conf
@ -0,0 +1,18 @@
 # Fail2Ban apache-modsec filter
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # apache-common.local
 before = apache-common.conf
 [Definition]
 failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access denied with code [45]\d\d.*$
 ignoreregex = 
 # https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
 # Author: Daniel Black
--- a/config/filter.d/apache-nohome.conf
+++ b/config/filter.d/apache-nohome.conf
@ -1,28 +1,20 @@
-# Fail2Ban configuration file
+# Fail2Ban filter to web requests for home directories on Apache servers
 #
 # Author: Yaroslav O. Halchenko <debian@onerussian.com>
 #
 #
 # Regex to match failures to find a home directory on a server, which
 # became popular last days. Most often attacker just uses IP instead of
 # domain name -- so expect to see them in generic error.log if you have
 # per-domain log files.
 [INCLUDES]
-# Read common prefixes. If any customizations available -- read them from
+# overwrite with apache-common.local if _apache_error_client is incorrect.
 # common.local
 before = apache-common.conf
 [Definition]
-# Option:  failregex
+
 # Notes.:  regex to match failures to find a home directory on a server, which
 #          became popular last days. Most often attacker just uses IP instead of
 #          domain name -- so expect to see them in generic error.log if you have
 #          per-domain log files.
 # Values:  TEXT
 #
 failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Yaroslav O. Halchenko <debian@onerussian.com>
--- a/config/filter.d/apache-noscript.conf
+++ b/config/filter.d/apache-noscript.conf
@ -1,29 +1,32 @@
-# Fail2Ban configuration file
+# Fail2Ban filter to block web requests for scripts (on non scripted websites)
 #
-# Author: Cyril Jaquier
+# This matches many types of scripts that don't exist. This could generate a
 # lot of false positive matches in cases like wikis and forums where users
 # no affiliated with the website can insert links to missing files/scripts into
 # pages and cause non-malicious browsers of the site to trigger against this
 # filter.
 #
 # If you'd like to match specific URLs that don't exist see the
 # apache-botsearch filter.
 #
 [INCLUDES]
-# Read common prefixes. If any customizations available -- read them from
+# overwrite with apache-common.local if _apache_error_client is incorrect.
 # common.local
 before = apache-common.conf
 [Definition]
-# Option:  failregex
+failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$
-# Notes.:  regex to match the password failure messages in the logfile. The
+            ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
            ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # DEV Notes:
 #
 # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
 #
 # Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
 #
 # Author: Cyril Jaquier
--- a/config/filter.d/apache-overflows.conf
+++ b/config/filter.d/apache-overflows.conf
@ -1,25 +1,36 @@
-# Fail2Ban configuration file
+# Fail2Ban filter to block web requests on a long or suspicious nature
 #
 # Author: Tim Connors
 #
 #
 [INCLUDES]
-# Read common prefixes. If any customizations available -- read them from
+# overwrite with apache-common.local if _apache_error_client is incorrect.
 # common.local
 before = apache-common.conf
 [Definition]
-# Option:  failregex
+failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$
 # Notes.:  Regexp to catch Apache overflow attempts.
 # Values:  TEXT
 #
 failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
 # DEV Notes:
 # 
 # fgrep -r 'URI too long' httpd-2.*
 #   httpd-2.2.25/server/protocol.c:                          "request failed: URI too long (longer than %d)", r->server->limit_req_line);
 #   httpd-2.4.4/server/protocol.c:                              "request failed: URI too long (longer than %d)",
 #
 # fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
 #   httpd-2.2.25/server/core.c:                     "Invalid URI in request %s", r->the_request);
 #   httpd-2.2.25/server/core.c:                          "Invalid method in request %s", r->the_request);
 #   httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
 #   httpd-2.4.4/server/core.c:                     "Invalid URI in request %s", r->the_request);
 #   httpd-2.4.4/server/core.c:                              "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
 #   httpd-2.4.4/server/core.c:                              "Invalid method in request %s", r->the_request);
 #
 # fgrep -r 'invalid characters in URI' httpd-2.*
 #   httpd-2.4.4/server/protocol.c:                              "request failed: invalid characters in URI");
 #
 # http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
 #   ...possible attempt to establish SSL connection on non-SSL port
 #
 # https://wiki.apache.org/httpd/ListOfErrors
 # Author: Tim Connors
--- a/config/filter.d/assp.conf
+++ b/config/filter.d/assp.conf
@ -1,33 +1,24 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
-# for Anti-Spam SMTP Proxy Server also known as ASSP
+# 
 #    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
 #    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
 #
 # Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
 #
 [Definition] 
 # Option:  failregex
 # Notes.:  regex to match the SMTP failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
 # Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
 #           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
 #           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
 __assp_actions = (?:dropping|refusing)
 failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
 			^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
 			^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # DEV Notes:
 #
 # Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
 #           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
 #           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
 #
 # Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@ -1,31 +1,14 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for asterisk authentication failures
 #
 # Author: Xavier Devlamynck
 #
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
-# Option:  failregex
+__pid_re = (?:\[\d+\])
 # Notes.:  regex to match the password failures messages in the logfile.
 # Values:  TEXT
 #
 log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
-failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
+# All Asterisk log messages begin like this:
-            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
+log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*
-            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
+
-            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
+failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
@ -33,11 +16,9 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?'
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
            ^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
 # Author: Xavier Devlamynck
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@ -1,9 +1,6 @@
 # Generic configuration items (to be used as interpolations) in other
 # filters  or actions configurations
 #
 # Author: Yaroslav Halchenko
 #
 #
 [INCLUDES]
@ -37,16 +34,18 @@ __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_r
 # Some messages have a kernel prefix with a timestamp
 # EXAMPLES: kernel: [769570.846956]
-__kernel_prefix = kernel: \[\d+\.\d+\]
+__kernel_prefix = kernel: \[ *\d+\.\d+\]
 __hostname = \S+
 # A MD5 hex
 # EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
 __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
 # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
 # <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
 __bsd_syslog_verbose = (<[^.]+\.[^.]+>)
 #
 # Common line prefixes (beginnings) which could be used in filters
 #
 #      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
@ -54,3 +53,4 @@ __bsd_syslog_verbose = (<[^.]+\.[^.]+>)
 # This can be optional (for instance if we match named native log files)
 __prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
 # Author: Yaroslav Halchenko
--- a/config/filter.d/counter-strike.conf
+++ b/config/filter.d/counter-strike.conf
@ -0,0 +1,16 @@
 # Fail2Ban filter for failure attempts in Counter Strike-1.6
 #
 #
 [Definition]
 failregex = ^: Bad Rcon: "rcon \d+ "\S+"  sv_contact ".*?"" from "<HOST>:\d+"$
 [Init]
 datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S
 # Author: Daniel Black
--- a/config/filter.d/courier-auth.conf
+++ b/config/filter.d/courier-auth.conf
@ -1,8 +1,4 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for courier authentication failures
 #
 # Author: Christoph Haas
 # Modified by: Cyril Jaquier
 #
 #
 [INCLUDES]
@ -11,22 +7,13 @@
 # common.local
 before = common.conf
 [Definition]
 _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Christoph Haas
 # Modified by: Cyril Jaquier
--- a/config/filter.d/courier-smtp.conf
+++ b/config/filter.d/courier-smtp.conf
@ -1,6 +1,4 @@
-# Fail2Ban configuration file
+# Fail2Ban filter to block relay attempts though a Courier smtp server
 #
 # Author: Cyril Jaquier
 #
 #
@ -10,22 +8,12 @@
 # common.local
 before = common.conf
 [Definition]
 _daemon = courieresmtpd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Cyril Jaquier
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@ -1,6 +1,5 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for authentication failures on Cyrus imap server
 #
 # Author: Jan Wagner <waja@cyconet.org>
 #
 #
@ -10,22 +9,12 @@
 # common.local
 before = common.conf
 [Definition]
 _daemon = (?:cyrus/)?(?:imapd?|pop3d?)
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Jan Wagner <waja@cyconet.org>
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@ -1,7 +1,5 @@
-# Fail2Ban configuration file for dovecot
+# Fail2Ban filter Dovecot authentication and pop3/imap server
 #
 # Author: Martin Waschbuesch
 #         Daniel Black (rewrote with begin and end anchors)
 [INCLUDES]
@ -9,26 +7,21 @@ before = common.conf
 [Definition]
-_daemon = dovecot(-auth)?
+_daemon = (auth|dovecot(-auth)?|auth-worker)
-# Option:  failregex
+failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
-# Notes.:  regex to match the password failures messages in the logfile.
+            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
-#          first regex is essentially a copy of pam-generic.conf
+            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)s(pam_unix(\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 [Init]
 # Option:  journalmatch
 # Notes.:  systemd journalctl style match filter for journal based backends
 # Values:  TEXT
 #
 journalmatch = _SYSTEMD_UNIT=dovecot.service
 # DEV Notes:
 # * the first regex is essentially a copy of pam-generic.conf
 # * Probably doesn't do dovecot sql/ldap backends properly
 #
 # Author: Martin Waschbuesch
 #         Daniel Black (rewrote with begin and end anchors)
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@ -1,8 +1,15 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for dropbear
 #
-# Author: Francis Russell
+# NOTE: The regex below is ONLY intended to work with a patched
-#         Zak B. Elep
+# version of Dropbear as described here:
 # http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
 #            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
 #
 # The standard Dropbear output doesn't provide enough information to
 # ban all types of attack.  The Dropbear patch adds IP address
 # information to the 'exit before auth' message which is always
 # produced for any form of non-successful login. It is that message
 # which this file matches.
 #
 # More information: http://bugs.debian.org/546913
@ -12,41 +19,30 @@
 # common.local
 before = common.conf
 [Definition]
 _daemon = dropbear
-# Option:  failregex
+failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
-# Notes.:  regex to match the password failures messages in the logfile. The
+            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
-#          host must be matched by a group named "host". The tag "<HOST>" can
+            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 # These match the unmodified dropbear messages. It isn't possible to
 # match the source of the 'exit before auth' messages from dropbear.
 #
 failregex = ^%(__prefix_line)s(L|l)ogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
            ^%(__prefix_line)s(B|b)ad password attempt for .+ from <HOST>:.*\s*$
            ^%(__prefix_line)sExit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
 # The only line we need to match with the modified dropbear.
 # NOTE: The failregex below is ONLY intended to work with a patched
 # version of Dropbear as described here:
 # http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
 #
 # The standard Dropbear output doesn't provide enough information to
 # ban all types of attack.  The Dropbear patch adds IP address
 # information to the 'exit before auth' message which is always
 # produced for any form of non-successful login. It is that message
 # which this file matches.
 # failregex = ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # DEV Notes:
 #
 # The first two regexs here match the unmodified dropbear messages. It isn't
 # possible to match the source of the 'exit before auth' messages from dropbear
 # as they don't include the "from <HOST>" bit.
 #
 # The second last failregex line we need to match with the modified dropbear.
 #
 # For the second regex the following apply:
 #
 # http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
 # http://svn.dd-wrt.com/changeset/16642#file64
 #
 # http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
 #
 # Author: Francis Russell
 #         Zak B. Elep
--- a/config/filter.d/exim-common.conf
+++ b/config/filter.d/exim-common.conf
@ -1,17 +1,18 @@
-# Fail2Ban configuration file for exim
+# Fail2Ban filter file for common exim expressions
 #
 # Author:  Daniel Black
 #
 # This is to be used by other exim filters
 [INCLUDES]
 # Load customizations if any available
 #
 after = exim-common.local
 [Definition]
 # From exim source code: ./src/receive.c:add_host_info_for_log
 host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
 pid = ( \[\d+\])?
 # DEV Notes:
 # From exim source code: ./src/receive.c:add_host_info_for_log
 #
 # Author:  Daniel Black
--- a/config/filter.d/exim-spam.conf
+++ b/config/filter.d/exim-spam.conf
@ -1,9 +1,22 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for exim the spam rejection messages
 #
-# Author: Cyril Jaquier
+# Honeypot traps are very useful for fighting spam. You just activate an email
-#         Daniel Black (rewrote with strong regexs)
+# address on your domain that you do not intend to use at all, and that normal
 # people do not risk to try for contacting you. It may be something that 
 # spammers often test. You can also hide the address on a web page to be picked
 # by spam spiders. Or simply parse your mail logs for an invalid address 
 # already being frequently targeted by spammers. Enable the address and 
 # redirect it to the blackhole. In Exim's alias file, you would add the 
 # following line (assuming the address is honeypot@yourdomain.com):
 #
 # honeypot:  :blackhole:
 #
 # For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
 #
 # To this filter use the jail.local should contain in the right jail:
 #
 # filter = exim-spam[honeypot=honeypot@yourdomain.com]
 #
 [INCLUDES]
@ -11,19 +24,27 @@
 # exim-common.local
 before = exim-common.conf
 [Definition]
 # Option:  failregex
 # Notes.:  This includes the spam rejection messages of exim.
 #          Note the %(host_info) defination contains a <HOST> match
 failregex =  ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
             ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
             ^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[<HOST>\]\) for <honeypot>$
             ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 [Init]
 # Option:  honeypot
 # Notes.:  honeypot is an email address that isn't published anywhere that a
 #          legitimate email sender would send email too.
 # Values:  email address
 honeypot = trap@example.com
 # DEV Notes:
 # The %(host_info) defination contains a <HOST> match
 #
 # Author: Cyril Jaquier
 #         Daniel Black (rewrote with strong regexs)
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@ -1,7 +1,7 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for exim
 #
-# Author: Cyril Jaquier
+# This includes the rejection messages of exim. For spam and filter
-#         Daniel Black (rewrote with strong regexs)
+# related bans use the exim-spam.conf
 #
@ -11,22 +11,22 @@
 # exim-common.local
 before = exim-common.conf
 [Definition]
 # Option:  failregex
 # Notes.:  This includes the rejection messages of exim. For spam and filter
 #          related bans use the exim-spam.conf
 #          Note the %(host_info) defination contains a <HOST> match
 failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
             ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
-             ^%(pid)s SMTP protocol synchronization error \(.*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
+             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # DEV Notes:
 # The %(host_info) defination contains a <HOST> match
 #
 # SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
 # to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
 # user injectable data.
 #
 # Author: Cyril Jaquier
 #         Daniel Black (rewrote with strong regexs)
--- a/config/filter.d/freeswitch.conf
+++ b/config/filter.d/freeswitch.conf
@ -0,0 +1,23 @@
 # Fail2Ban configuration file
 #
 # Enable "log-auth-failures" on each Sofia profile to monitor
 # <param name="log-auth-failures" value="true"/>
 # -- this requires a high enough loglevel on your logs to save these messages.
 #
 # In the fail2ban jail.local file for this filter set ignoreip to the internal
 # IP addresses on your LAN.
 #
 [Definition]
 failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
 ignoreregex =
 # Author: Rupa SChomaker, soapee01, Daniel Black
 # http://wiki.freeswitch.org/wiki/Fail2ban
 # Thanks to Jim on mailing list of samples and guidance
 #
 # No need to match the following. Its a duplicate of the SIP auth regex.
 #  ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
--- a/config/filter.d/groupoffice.conf
+++ b/config/filter.d/groupoffice.conf
@ -0,0 +1,14 @@
 # Fail2Ban filter for Group-Office
 #
 # Enable logging with:
 # $config['info_log']='/home/groupoffice/log/info.log';
 #
 [Definition]
 failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
 # Author: Daniel Black
--- a/config/filter.d/gssftpd.conf
+++ b/config/filter.d/gssftpd.conf
@ -1,19 +1,18 @@
-# Fail2Ban configuration file for wuftpd
+# Fail2Ban filter file for gssftp
 #
 # Author: Kevin Zembower (copied from wsftpd.conf)
 #
 # Note: gssftp is part of the krb5-appl-servers in Fedora
 #
 [INCLUDES]
 before = common.conf
 [Definition]
-# Option: failregex
+_daemon = ftpd
-# Notes.: regex to match the password failures messages in the logfile.
+
-# Values: TEXT
+failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
 #
 failregex = ftpd(?:\[\d+\])?:\s+repeated login failures from <HOST> \(\S+\)$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Kevin Zembower
 # Edited: Daniel Black - syslog based daemon
--- a/config/filter.d/horde.conf
+++ b/config/filter.d/horde.conf
@ -0,0 +1,16 @@
 # fail2ban filter configuration for horde
 [Definition]
 failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[<HOST>\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
 ignoreregex = 
 # DEV NOTES:
 # https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
 # https://github.com/horde/horde/blob/master/horde/login.php
 # 
 # Author: Daniel Black
--- a/config/filter.d/lighttpd-auth.conf
+++ b/config/filter.d/lighttpd-auth.conf
@ -1,18 +1,10 @@
-# Fail2Ban configuration file
+# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
 #
 # Author: Francois Boulogne <fboulogne@april.org>
 #
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match wrong passwords as notified by lighttpd's auth Module
 # Values:  TEXT
 #
 failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Francois Boulogne <fboulogne@april.org>
--- a/config/filter.d/mysqld-auth.conf
+++ b/config/filter.d/mysqld-auth.conf
@ -1,8 +1,11 @@
-# Fail2Ban configuration file for unsuccesfull MySQL authentication attempts
+# Fail2Ban filter for unsuccesfull MySQL authentication attempts
 #
 # Authors: Artur Penttinen
 #          Yaroslav O. Halchenko
 #
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
 # log-error=/var/log/mysqld.log
 # log-warning = 2
 #
 # If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
 [INCLUDES]
@ -10,22 +13,20 @@
 # common.local
 before = common.conf
 [Definition]
-#_daemon = mysqld
+_daemon = mysqld
-# Option:  failregex
+failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
 failregex = Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # DEV Notes:
 #
 # Technically __prefix_line can equate to an empty string hence it can support
 # syslog and non-syslog at once.
 # Example:
 # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
 #
 # Authors: Artur Penttinen
 #          Yaroslav O. Halchenko
--- a/config/filter.d/named-refused.conf
+++ b/config/filter.d/named-refused.conf
@ -1,28 +1,46 @@
-# Fail2Ban configuration file for named (bind9). Trying to generalize the
+# Fail2Ban filter file for named (bind9).
 #          structure which is general to capture general patterns in log
 #          lines to cover different configurations/distributions
 #
-# Author: Yaroslav Halchenko
+
 # This filter blocks attacks against named (bind9) however it requires special
 # configuration on bind.
 #
 # By default, logging is off with bind9 installation.
 #
 # You will need something like this in your named.conf to provide proper logging.
 #
 # logging {
 #     channel security_file {
 #         file "/var/log/named/security.log" versions 3 size 30m;
 #         severity dynamic;
 #         print-time yes;
 #     };
 #     category security {
 #         security_file;
 #     };
 # };
 [Definition]
 # 
 # Daemon name
 _daemon=named
 #
 # Shortcuts for easier comprehension of the failregex
 __pid_re=(?:\[\d+\])
 __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
 __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
 #       hostname       daemon_id         spaces
 # this can be optional (for instance if we match named native log files)
 __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
 failregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
            ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
            ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
 # DEV Notes:
 # Trying to generalize the
 #          structure which is general to capture general patterns in log
 #          lines to cover different configurations/distributions
 #          
 # Author: Yaroslav Halchenko
--- a/config/filter.d/nginx-http-auth.conf
+++ b/config/filter.d/nginx-http-auth.conf
@ -0,0 +1,15 @@
 # fail2ban filter configuration for nginx
 [Definition]
 failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
 ignoreregex = 
 # DEV NOTES:
 # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
 # Extensive search of all nginx auth failures not done yet.
 # 
 # Author: Daniel Black
--- a/config/filter.d/nsd.conf
+++ b/config/filter.d/nsd.conf
@ -0,0 +1,26 @@
 # Fail2Ban configuration file
 #
 # Author: Bas van den Dikkenberg
 #
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = nsd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 failregex =  ^\[\]%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
              ^\[\]%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
--- a/config/filter.d/openwebmail.conf
+++ b/config/filter.d/openwebmail.conf
@ -0,0 +1,15 @@
 # Fail2Ban filter for Openwebmail
 # banning hosts with authentication errors in /var/log/openwebmail.log
 # OpenWebMail http://openwebmail.org
 #
 [Definition]
 failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
            ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
 ignoreregex =
 # DEV Notes:
 #
 # Author: Ivo Truxa (c) 2013 truXoft.com
--- a/config/filter.d/pam-generic.conf
+++ b/config/filter.d/pam-generic.conf
@ -1,30 +1,29 @@
 # Fail2Ban configuration file for generic PAM authentication errors
 #
-# Author: Yaroslav Halchenko
+
-#
+[INCLUDES]
-#
+
 before = common.conf
 [Definition]
-# if you want to catch only login erros from specific daemons, use smth like
+# if you want to catch only login errors from specific daemons, use something like
 #_ttys_re=(?:ssh|pure-ftpd|ftp)
-# To catch all failed logins
+#
 # Default: catch all failed logins
 _ttys_re=\S*
 #
 # Shortcuts for easier comprehension of the failregex
 __pid_re=(?:\[\d+\])
 __pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
-__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+_daemon = \S+
-# Option: failregex
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
 failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # DEV Notes:
 #
 # for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
 # _daemon = \S*\(?pam_unix\)?
 # failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
 #
 # Author: Yaroslav Halchenko
--- a/config/filter.d/perdition.conf
+++ b/config/filter.d/perdition.conf
@ -1,6 +1,4 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for perdition
 #
 # Author: Christophe Carles and Daniel Black
 #
 #
@ -14,3 +12,7 @@ _daemon=perdition.\S+
 failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
            ^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
 ignoreregex =
 # Author: Christophe Carles and Daniel Black
--- a/config/filter.d/php-url-fopen.conf
+++ b/config/filter.d/php-url-fopen.conf
@ -1,23 +1,20 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for URLs with a URL as a script parameters
 # which can be an indication of a fopen url php injection
 #
 # Example of web requests in Apache access log:
 # 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
 [Definition]
 failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
 ignoreregex = 
 # DEV Notes:
 #
 # Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
 # Version 2
 # fixes the failregex so REFERERS that contain =http:// don't get blocked
 # (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
 # http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
 #
-
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match this kind of request:
 #
 # 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
 #
 failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@ -0,0 +1,14 @@
 # Fail2Ban filter for postfix authentication failures
 #
 [INCLUDES]
 before = common.conf
 [Definition]
 _daemon = postfix/smtpd
 failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
 # Author: Yaroslav Halchenko
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@ -1,6 +1,4 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for selected Postfix SMTP rejections
 #
 # Author: Cyril Jaquier
 #
 #
@ -10,32 +8,18 @@
 # common.local
 before = common.conf
 [Definition]
 _daemon = postfix/smtpd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 [Init]
 # Option:  journalmatch
 # Notes.:  systemd journalctl style match filter for journal based backends
 # Values:  TEXT
 #
 journalmatch = _SYSTEMD_UNIT=postfix.service
 # Author: Cyril Jaquier
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@ -1,36 +1,24 @@
-# Fail2Ban configuration file
+# Fail2Ban fitler for the Proftpd FTP daemon
 #
 # Author: Yaroslav Halchenko
 #         Daniel Black - hardening of regex
 #
 # Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
 # See: http://www.proftpd.org/docs/howto/DNS.html
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
-_deamon = proftpd
+_daemon = proftpd
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 __suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
 failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Yaroslav Halchenko
 #         Daniel Black - hardening of regex
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@ -1,28 +1,24 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for pureftp
 #
-# Author: Cyril Jaquier
+# Disable hostname based logging by:
-# Modified: Yaroslav Halchenko for pure-ftpd
+#
 # Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
 #
 #
 [INCLUDES]
 before = common.conf
 [Definition]
 # Error message specified in multiple languages
 __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
-#
+failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #         host must be matched by a group named "host". The tag "<HOST>" can
 #         be used for standard IP/hostname matching and is only an alias for
 #         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Cyril Jaquier
 # Modified: Yaroslav Halchenko for pure-ftpd
 # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
--- a/config/filter.d/qmail.conf
+++ b/config/filter.d/qmail.conf
@ -1,22 +1,31 @@
-# Fail2Ban configuration file
+# Fail2Ban filters for qmail RBL patches/fake proxies
 #
-# Author: Cyril Jaquier
+# the default djb RBL implementation doesn't log any rejections 
 # so is useless with this filter.
 #
 # One patch is here:
 #
 # http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
 [INCLUDES]
 before = common.conf
 [Definition]
-# Option:  failregex
+_daemon = (?:qmail|rblsmtpd)
-# Notes.:  regex to match the password failures messages in the logfile. The
+
-#          host must be matched by a group named "host". The tag "<HOST>" can
+failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
-#          be used for standard IP/hostname matching and is only an alias for
+            ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+            ^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
 # Values:  TEXT
 #
 failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
 # DEV Notes:
 #
 # These seem to be for two or 3 different patches to qmail or rblsmtpd
 # so you'll probably only ever see one of these regex's that match.
 #
 # ref: https://github.com/fail2ban/fail2ban/pull/386
 #
 # Author: Daniel Black
--- a/config/filter.d/recidive.conf
+++ b/config/filter.d/recidive.conf
@ -1,9 +1,8 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for repeat bans
 #
 # Author: Tom Hendrikx, modifications by Amir Caspi 
 #
 # This filter monitors the fail2ban log file, and enables you to add long 
 # time bans for ip addresses that get banned by fail2ban multiple times.
 #
 # Reasons to use this: block very persistent attackers for a longer time, 
 # stop receiving email notifications about the same attacker over and 
 # over again.
@ -13,34 +12,25 @@
 # drawbacks, namely in that it works only with iptables, or if you use a 
 # different blocking mechanism for this jail versus others (e.g. hostsdeny 
 # for most jails, and shorewall for this one).
-#
+
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = fail2ban\.server\.actions
 # The name of the jail that this filter is used for. In jail.conf, name the 
 # jail using this filter 'recidive', or change this line!
 _jailname = recidive
-# Option:  failregex
+failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
 failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 # Ignore our own bans, to keep our counts exact.
 ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>
 [Init]
-# Option:  journalmatch
+journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=4
-# Notes.:  systemd journalctl style match filter for journal based backends
+
-# Values:  TEXT
+# Author: Tom Hendrikx, modifications by Amir Caspi 
 #
 journalmatch = _SYSTEMD_UNIT=fail2ban.service
--- a/config/filter.d/roundcube-auth.conf
+++ b/config/filter.d/roundcube-auth.conf
@ -1,6 +1,5 @@
 # Fail2Ban configuration file for roundcube web server
 #
 # Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
 #
 #
@ -10,17 +9,21 @@ before = common.conf
 [Definition]
-# Option:  failregex
+failregex = ^\s*(\[\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^\s*(\[\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # DEV Notes:
 #
 # Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
 #
 # Part after <HOST> comes straight from IMAP server up until the " in ....."
 # Earlier versions didn't log the IMAP response hence optional.
 #
 # DoS resistance:
 #
 # Assume that the user can inject "from <HOST>" into the imap response
 # somehow. Write test cases around this to ensure that the combination of 
 # arbitary user input and IMAP response doesn't inject the wrong IP for 
 # fail2ban
 #
 # Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black
--- a/config/filter.d/sasl.conf
+++ b/config/filter.d/sasl.conf
@ -1,22 +0,0 @@
 # Fail2Ban configuration file
 #
 # Author: Yaroslav Halchenko
 #
 #
 [Definition]
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
--- a/config/filter.d/selinux-common.conf
+++ b/config/filter.d/selinux-common.conf
@ -0,0 +1,21 @@
 # Fail2Ban configuration file for generic SELinux audit messages
 #
 # This file is not intended to be used directly, and should be included into a
 # filter file which would define following variables. See selinux-ssh.conf as
 # and example.
 #
 # _type
 # _uid
 # _auid 
 # _subj
 # _msg
 #
 # Also one of these variables must include <HOST>.
 [Definition]
 failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
 ignoreregex =
 # Author: Daniel Black
--- a/config/filter.d/selinux-ssh.conf
+++ b/config/filter.d/selinux-ssh.conf
@ -0,0 +1,25 @@
 # Fail2Ban configuration file for SELinux ssh authentication errors
 #
 [INCLUDES]
 after = selinux-common.conf
 [Definition]
 _type = USER_(ERR|AUTH)
 _uid  = 0
 _auid = \d+
 _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
 _exe  =/usr/sbin/sshd
 _terminal = ssh
 _msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
 # DEV Notes:
 #
 # Note: USER_LOGIN is ignored as this is the duplicate messsage
 # ssh logs after 3 USER_AUTH failures.
 # 
 # Author: Daniel Black
--- a/config/filter.d/sendmail-spam.conf
+++ b/config/filter.d/sendmail-spam.conf
@ -0,0 +1,30 @@
 # Fail2ban filter for sendmail spam
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = sendmail
 failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$
 [Init]
 # "maxlines" is number of log lines to buffer for multi-line regex searches
 maxlines = 10
 # DEV NOTES:
 # 
 # There can be a nunber of non-related lines between the first and second part
 # of this regex maxlines of 10 is quite generious. Only one of the 
 # "No such user" lines needs to be matched before the line with the HOST.
 #
 # Note the capture __prefix, includes both the __prefix_lines (which includes
 # the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
 #
 # Author: Daniel Black
--- a/config/filter.d/sieve.conf
+++ b/config/filter.d/sieve.conf
@ -1,7 +1,4 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for sieve authentication failures
 #
 # Author: Jan Wagner <waja@cyconet.org>
 #
 #
 [INCLUDES]
@ -10,21 +7,12 @@
 # common.local
 before = common.conf
 [Definition]
 _deamon = (?:cyrus/)?(?:tim)?sieved?
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching.
 # Values: TEXT
 #
 failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Jan Wagner <waja@cyconet.org>
--- a/config/filter.d/sogo-auth.conf
+++ b/config/filter.d/sogo-auth.conf
@ -1,20 +1,17 @@
-# /etc/fail2ban/filter.d/sogo-auth.conf
+# Fail2ban filter for SOGo authentcation
 #
 # Fail2Ban configuration file
 # By Arnd Brandes
 # SOGo
 #
 # Log file usually in /var/log/sogo/sogo.log
 [Definition]
 # Option: failregex
 # Filter Ban in /var/log/sogo/sogo.log
 # Note: the error log may contain multiple hosts, whereas the first one 
 # is the client and all others are poxys. We match the first one, only
-failregex = Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex = 
 # 
 # DEV Notes:
 #
 # The error log may contain multiple hosts, whereas the first one 
 # is the client and all others are poxys. We match the first one, only
 #
 # Author: Arnd Brandes
--- a/config/filter.d/solid-pop3d.conf
+++ b/config/filter.d/solid-pop3d.conf
@ -0,0 +1,32 @@
 # Fail2Ban filter for unsuccesful solid-pop3 authentication attempts
 #
 # Doesn't currently provide PAM support as PAM log messages don't include rhost as
 # remote IP.
 #
 [INCLUDES]
 before = common.conf
 [Definition]
 _daemon = solid-pop3d
 failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
            ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
            ^%(__prefix_line)sroot login not allowed - <HOST>$
            ^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
 ignoreregex = 
 # DEV Notes:
 #
 # solid-pop3d needs to be compiled with --enable-logextend to support
 # IP addresses in log messages.
 #
 # solid-pop3d-0.15/src/main.c contains all authentication errors
 # except for PAM authentication messages ( src/authenticate.c )
 #
 # A pam authentication failure message (note no IP for rhost).
 # Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=jacques
 # 
 # Authors: Daniel Black
--- a/config/filter.d/squid.conf
+++ b/config/filter.d/squid.conf
@ -0,0 +1,13 @@
 # Fail2Ban filter for Squid attempted proxy bypasses
 #
 #
 [Definition]
 failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
            ^\s+\d\s<HOST>\s+NONE/405 .*$
 # Author: Daniel Black
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@ -1,6 +1,4 @@
-# Fail2Ban configuration file
+# Fail2Ban ssh filter for at attempted exploit
 #
 # Author: Yaroslav Halchenko
 #
 # The regex here also relates to a exploit:
 #
@ -20,25 +18,12 @@ before = common.conf
 _daemon = sshd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 [Init]
 # Option:  journalmatch
 # Notes.:  systemd journalctl style match filter for journal based backend
 # Values:  TEXT
 #
 journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
 # Author: Yaroslav Halchenko
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -1,7 +1,4 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for openssh
 #
 # Author: Cyril Jaquier
 #
 #
 [INCLUDES]
@ -10,38 +7,25 @@
 # common.local
 before = common.conf
 [Definition]
 _daemon = sshd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 #          Multiline regexs should use tag "<SKIPLINES>" to separate lines.
 #          This allows lines between the matching lines to continue to be
 #          searched for other failures. This tag can be used multiple times.
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
-            ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
+            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 [Init]
@ -49,8 +33,14 @@ ignoreregex =
 # "maxlines" is number of log lines to buffer for multi-line regex searches
 maxlines = 10
 # Option:  journalmatch
 # Notes.:  systemd journalctl style match filter for journal based backend
 # Values:  TEXT
 #
 journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
 # DEV Notes:
 #
 #   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
 #   it is coming before use of <HOST> which is not hard-anchored at the end as well,
 #   and later catch-all's could contain user-provided input, which need to be greedily
 #   matched away first.
 #
 # Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
--- a/config/filter.d/stunnel.conf
+++ b/config/filter.d/stunnel.conf
@ -0,0 +1,11 @@
 # Fail2ban filter for stunnel
 [Definition]
 failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
 # DEV NOTES:
 # 
 # Author: Daniel Black
 #
 # Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4
--- a/config/filter.d/suhosin.conf
+++ b/config/filter.d/suhosin.conf
@ -1,19 +1,28 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for suhosian PHP hardening
 #
-# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+# This occurs with lighttpd or directly from the plugin
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
-# Option:  failregex
+_daemon = (?:lighttpd|suhosin)
-# Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
+
-# Values:  TEXT
+
 _lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
 failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
 ignoreregex = 
 # DEV Notes:
 #
 # https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
 failregex = ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
-ignoreregex = 
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
--- a/config/filter.d/uwimap-auth.conf
+++ b/config/filter.d/uwimap-auth.conf
@ -0,0 +1,17 @@
 # Fail2Ban filter for uwimap
 #
 [INCLUDES]
 before = common.conf
 [Definition]
 _daemon = (?:ipop3d|imapd)
 failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$ 
            ^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
 ignoreregex = 
 # Author: Amir Caspi
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@ -1,23 +1,22 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for vsftp
 #
 # Author: Cyril Jaquier
 #
 #
 # Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
 # /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
 # incoming ip address rather than domain names.
 [INCLUDES]
 before = common.conf
 [Definition]
-# Option: failregex
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
-# Notes.: regex to match the password failures messages in the logfile. The
+_daemon =  vsftpd
-#          host must be matched by a group named "host". The tag "<HOST>" can
+
-#          be used for standard IP/hostname matching and is only an alias for
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+            ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
 # Values: TEXT
 #
 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
 # Author: Cyril Jaquier
 # Documentation from fail2ban wiki
--- a/Show More
+++ b/Show More