Re-tagging 0.8.7 with hope to do that last time ;)

Merge tag '0.8.7' into debian -- additional fixes after reviewing more of Debian bug reports

Re-tagging 0.8.7 with hope to do that last time ;)

* tag '0.8.7':
  ENH: match possibly present "pam_unix(sshd:auth):" portion for sshd (Closes: #648020)
  ENH: add wu-ftpd failregex for use against syslog (Closes: #514239)
  BF: anchor chain name in actioncheck's for iptables actions (Closes: #672228)
  BF: inline comments must use ; not # -- recidive jail
pull/808/head
Yaroslav Halchenko 2012-07-31 15:56:49 -04:00
commit 1fd9b6934e
10 changed files with 20 additions and 8 deletions

@ -24,8 +24,10 @@ ver. 0.8.7 (2012/07/31) - stable
message stays non-unicode. Close gh-32
* [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
already present in the pattern
* [47e956b] Replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
* [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
friend to developers stuck with Windows (Closes gh-66)
* [80b191c] anchor grep regexp in actioncheck to not match partial names
of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
- New features:
François Boulogne
* [a7cb20e..] add lighttpd-auth filter/jail
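
Review bot: The [80b191c] entry in this hunk lands under the existing "ver. 0.8.7 (2012/07/31) - stable" heading while the tag message says 0.8.7 is being re-tagged. Two different trees then carry the same version string, and someone who packaged or verified the earlier tag cannot tell from the ChangeLog which one they hold. Consider recording these fixes under a new point release, or at least marking in the heading that the tag was moved.
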
@ -65,6 +67,10 @@ ver. 0.8.7 (2012/07/31) - stable
default with -v to control verbosity
* [b4099da] adjusted header for config/*.conf to mention .local and way
to comment (Thanks Stefano Forli for the note)
* [6ad55f6] added failregex for wu-ftpd to match against syslog instead
of DoS-prone auth.log's rhost (Closes: #514239)
* [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
sshd filter (Closes: #648020)
Yehuda Katz & Yaroslav Halchenko
* [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
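
Review bot: In the [6ad55f6] entry, "instead of DoS-prone auth.log's rhost" reads as if the rhost-based pattern was dropped, but the wu-ftpd filter change in this commit only adds a line (-12,6 +12,7) and keeps the "authentication failure.* rhost=<HOST>$" regex. Either reword the entry to "in addition to", or remove the rhost pattern if it is considered unsafe to ban on.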

@ -29,7 +29,7 @@ actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
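
Review bot: In the new actioncheck pattern, "[ \t]" inside a grep bracket expression is not space-or-tab: backslash is literal there, so the class matches a space, a backslash or the letter t. A jail named ssh would still pass the check against a chain called fail2ban-sshtest. Use "[[:space:]]" to get the intended boundary.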

@ -27,7 +27,7 @@ actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
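
Review bot: The quoted pattern in actioncheck is bounded only on the right, so nothing stops it matching a longer target that ends in the same text, such as xfail2ban-<name>. In "iptables -n -L <chain>" output the jump target is the first column of each rule line, so "^fail2ban-<name>" followed by a whitespace class would pin both ends.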

@ -29,7 +29,7 @@ actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <por
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
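
Review bot: <name> is substituted into the grep pattern as a regular expression, so a jail name containing a dot or another metacharacter matches more than itself even with the new trailing class. If jail names are not already restricted to letters, digits and hyphens, state that restriction in the comment above actioncheck, or compare the target column as a fixed string.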

@ -27,7 +27,7 @@ actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the

@ -30,7 +30,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
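
Review bot: The widened "authentication failure; ... rhost=<HOST>" line still takes the address from PAM's rhost field, which the [6ad55f6] ChangeLog entry in this same commit calls DoS-prone in the wu-ftpd case. Making the pam_unix(sshd:auth) prefix optional means more lines reach that pattern, so add a comment above the regex saying whether rhost can carry a reverse-resolved name here and why banning on it is acceptable for sshd.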

@ -12,6 +12,7 @@
# Values: TEXT
#
failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$
wu-ftpd(?:\[\d+\])?: *failed login from .*\[<HOST>\] *$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
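
Review bot: The added "failed login from" pattern has no start anchor, unlike the sshd filter in this commit, whose lines all begin with "^%(__prefix_line)s". Any daemon that writes remote-supplied text into the same log could produce a line that ends in the expected wu-ftpd text and cause an unrelated address to be banned. Anchor the pattern to the syslog prefix, and tighten ".*" before the bracket to "\S+" so only a single hostname token is accepted.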

@ -303,6 +303,6 @@ filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 # 1 week
findtime = 86400 # 1 day
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
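
Review bot: Switching the trailing comments on bantime and findtime from "#" to ";" still leaves both numeric values dependent on how the config parser treats inline comments; if it does not strip them, bantime becomes the string "604800 ; 1 week". Moving "1 week" and "1 day" to their own comment lines above each option removes that dependency, and the same check is worth running over the other jails in this file.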

@ -27,3 +27,6 @@ Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but
#8 DenyUsers https://github.com/fail2ban/fail2ban/issues/47
Apr 16 22:01:15 al-ribat sshd[5154]: User root from 46.45.128.3 not allowed because listed in DenyUsers
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648020
Nov 8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.6
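
Review bot: The added sample ends at "rhost=1.2.3.6", so the optional "(?:\s+user=.*)?" tail of the regex is never exercised together with the new pam_unix(sshd:auth) prefix. Add a second sample line with " user=root" appended to cover that combination.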

@ -0,0 +1,2 @@
# This login line is from syslog
Oct 6 09:59:26 myserver wu-ftpd[18760]: failed login from hj-145-173-a8.bta.net.cn [202.108.145.173]
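
Review bot: This new file holds one sample for the syslog pattern and none for the existing "(pam_unix) authentication failure ... rhost=<HOST>" regex of the same filter, and no line that should be rejected. Add a pam_unix sample and a negative case, for example a line with text after the closing bracket. The host name and address in the sample also look like a real capture, whereas the sshd samples use placeholders such as 1.2.3.4.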