Merge branch 'master' of github.com:fail2ban/fail2ban

2013-09-25 17:54:38 -04:00 · 2013-09-25 17:54:38 -04:00 · 2668adc896
parent 1af4543aca 8c2a5612ed
commit 2668adc896
220 changed files with 6863 additions and 1877 deletions
--- a/.coveragerc
+++ b/.coveragerc
@ -0,0 +1,4 @@
 [run]
 branch = True
 omit = /usr*
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,8 @@
 *~
 build
 dist
 *.pyc
 htmlcov
 .coverage
 *.orig
 *.rej
--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,18 @@
 # vim ft=yaml
 # travis-ci.org definition for Fail2Ban build
 language: python
 python:
  - "2.5"
  - "2.6"
  - "2.7"
 before_install:
  - sudo apt-get update -qq
 install:
  - pip install pyinotify
  - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; fi
  - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then pip install -q coveralls; fi
 script:
  - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"; fi
  - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi
 after_success:
  - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coveralls; fi
--- a/.travis_coveragerc
+++ b/.travis_coveragerc
@ -0,0 +1,6 @@
 [run]
 branch = True
 omit =
    /usr/*
    /home/travis/virtualenv/*
--- a/282
+++ b/282
@ -4,9 +4,289 @@
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
 ================================================================================
-Fail2Ban (version 0.8.7.1)                                            2012/07/31
+Fail2Ban (version 0.8.10)                                             2013/06/12
 ================================================================================
 ver. 0.8.11 (2013/XX/XXX) - loves-unittests
 -----------
 - Fixes:
  Daniel Black & Marcel Dopita
   * filter.d/apache-auth -- fixed and apache auth samples provide. closes #286
  Yaroslav Halchenko
   * filter.d/common.conf -- make colon after [daemon] optional. Closes gh-267
   * filter.d/apache-common.conf -- support apache 2.4 more detailed error
     log format.  Closes gh-268
   * Backends changes detection and parsing. Close gh-223 and gh-103:
     - Polling backend: detect changes in the files not only based on
       mtime, but also on the size and inode.  It should allow for
       better detection of changes and log rotations on busy servers,
       older python 2.4, and file systems with precision of mtime only
       up to a second (e.g. ext3).
     - All backends, possible race condition: do not read from a file
       initially reported empty.  Originally could have lead to
       accounting for detected log lines multiple times.
     - Do not crash if executing a command in fail2ban-client interactive
       mode has failed (e.g. due to incorrect syntax). Closes gh-353
  Daniel Black & Мернов Георгий
   * filter.d/dovecot.conf -- Fix when no TLS enabled - line doesn't end in ,
  Daniel Black
   * action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across
     all platforms to ensure permissions are the same before and after a ban -
     closes gh-266. hostsdeny supports daemon_list now too.
   * filter.d/roundcube-auth - timezone offset can be positive or negative
   * action.d/bsd-ipfw - action option unsed. Fixed to blocktype for
     consistency. default to port unreach instead of deny
  Rolf Fokkens
   * action.d/dshield.conf and complain.conf -- reorder mailx arguments.
     https://bugzilla.redhat.com/show_bug.cgi?id=998020
  John Doe (ache)
   * action.d/bsd-ipfw.conf - invert actionstop logic to make exist status 0.
     closes gh-343.
  JP Espinosa (Reviewed by O.Poplawski)
   * files/redhat-initd - rewritten to use stock init.d functions thus
     avoiding problems with getpid.  Also $network and iptables moved
     to Should- rc init fields
 - New Features:
  Andy Fragen and Daniel Black
   * filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule
     numbers.
  Daniel Black & ykimon
   * filter.d/3proxy.conf -- filter added
  Daniel Black
   * filter.d/exim-spam.conf -- a splitout of exim's spam regexes
     with additions for greater control over filtering spam.
   * add date expression for apache-2.4 - milliseconds
  Christophe Carles & Daniel Black
   * filter.d/perdition.conf -- filter added
 - Enhancements:
  François Boulogne and Frédéric
   * filter.d/lighttpd - auth regexs for lighttpd-1.4.31
  Daniel Black
   * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
     and extra failure examples in sample logs
   * filter.d/apache-auth - added expressions for mod_authz, mod_auth and
     mod_auth_digest failures.
   * filter.d/recidive -- support f2b syslog target and anchor regex at start
   * filter.d/pam-generic - added syslog prefix. Disabled support for
     linux-pam before version 0.99.2.0 (2005)
   * filter.d/gssftpd - anchored regex at start
   * filter.d/mysqld-auth.conf - mysql can use syslog
  Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
   * filter.d/exim.conf -- regex hardening and extra failure examples in
     sample logs
   * filter.d/named-refused.conf - BIND 9.9.3 regex changes
  Daniel Black & Sebastian Arcus
   * filter.d/asterisk -- more regexes
  Yaroslav Halchenko
   * fail2ban-regex -- refactored to provide more details (missing and
     ignored lines, control over logging, etc) while maintaining look&feel
   * fail2ban-client -- log to standard error. Closes gh-264
   * Fail to configure if not a single log file was found for an
     enabled jail. Closes gh-63
   * <HOST> is now enforced to end with an alphanumeric
   * filter.d/roundcube-auth.conf -- anchored version
   * date matching - for standard asctime formats prefer more detailed
     first (thus use year if available)
  Alexander Dietrich
   * action.d/sendmail-common.conf -- added common sendmail settings file
     and made the sender display name configurable
  Steven Hiscocks
   * filter.d/dovecot - Addition of session, time values and possible blank
     user
  Zurd and Daniel Black
   * filter/named-refused - added refused on zone transfer
   * filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd} - General
     regex impovements
   * IMPORTANT: 'lighttpd-fastcgi' filter has been renamed to 'suhosin', which
     will require changing in jail.{conf,local} if using this filter.
  Zurd
   * filter.d/postfix - add filter for VRFY failures. closes gh-322.
  Orion Poplawski
   * fail2ban.d/ and jail.d/ directories are added to etc/fail2ban to facilitate
     their use
 ver. 0.8.10 (2013/06/12) - wanna-be-secure
 -----------
 Primarily bugfix and enhancements release, triggered by "bugs" in
 apache- filters.  If you are relying on listed below apache- filters,
 upgrade asap and seek your distributions to patch their fail2ban
 distribution with [6ccd5781].
 - Fixes: Yaroslav Halchenko
   * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
     failregex at the beginning (and where applicable at the end).
     Addresses a possible DoS. Closes gh-248
   * action.d/{route,shorewall}.conf - blocktype must be defined
     within [Init].  Closes gh-232
 - Enhancements
  Yaroslav Halchenko
   * jail.conf -- assure all jails have actions and remove unused
     ports specifications
  Terence Namusonge
   * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
  Daniel Black
   * files/suse-initd -- update to the copy from stock SUSE
  silviogarbes & Daniel Black
    * Updates to asterisk filter. Closes gh-227/gh-230.
  Carlos Alberto Lopez Perez
    * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
 ver. 0.8.9 (2013/05/13) - wanna-be-stable
 ----------
 Originally targeted as a bugfix release, it incorporated many new
 enhancements, few new features, and more importantly -- quite extended
 tests battery with current 94% coverage (from 56% of 0.8.8).
 This release introduces over 200 of non-merge commits from 16
 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
 Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
 ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
 Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.
 Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
 Hendrikx, Yehuda Katz and other TBN heroes supporting users on
 fail2ban-users mailing list and IRC.
 - Fixes: Yaroslav Halchenko
   * [6f4dad46] python-2.4 is the minimal version.
   * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
     on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
   * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
     insight. Closes gh-103.
   * [ab044b75] delay check for the existence of config directory until read.
   * [3b4084d4] fixing up for handling of TAI64N timestamps.
   * [154aa38e] do not shutdown logging until all jails stop.
   * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184.
     Thanks to Jon Foster for report and troubleshooting.
  Orion Poplawski
   * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
     newly created directories.
  Nicolas Collignon
   * [39667ff6] Avoid leaking file descriptors. Closes gh-167.
  Sergey Brester
   * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
     sorting template list.
  Steven Hiscocks
   * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
     Closes gh-147, gh-148.
   * [b6a68f51] Fix delaction on server side. Closes gh-124.
  Daniel Black
   * [f0610c01] Allow more that a one word command when changing and Action via
     the fail2ban-client. Closes gh-134.
   * [945ad3d9] Fix dates on email actions to work in different locals. Closes
     gh-70. Thanks to iGeorgeX for the idea.
  blotus
   * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
  Christoph Theis, Nick Hilliard, Daniel Black
   * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
 - New features:
  Yaroslav Halchenko
   * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
     to provide additional flexibility to system adminstrators. Thanks to
     beilber for the idea. Closes gh-114.
   * [3ce53e87] Add exim filter.
  Erwan Ben Souiden
   * [d7d5228] add nagios integration documentation and script to ensure
     fail2ban is running. Closes gh-166.
  Artur Penttinen
   * [29d0df5] Add mysqld filter. Closes gh-152.
  ArndRaphael Brandes
   * [bba3fd8] Add Sogo filter. Closes gh-117.
  Michael Gebetsriother
   * [f9b78ba] Add action route to block at routing level.
  Teodor Micu & Yaroslav Halchenko
   * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
  Daniel Black
   * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
  Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
   * [b6d0e8a] Add and enhance the bsd-ipfw action from
     FreeBSD ports.
  Soulard Morgan
   * [f336d9f] Add filter for webmin. Closes gh-99.
  Steven Hiscocks
   * [..746c7d9] bash interactive shell completions for fail2ban-*'s
  Nick Hilliard
   * [0c5a9c5] Add pf action.
 - Enhancements:
  Enrico Labedzki
   * [24a8d07] Added new date format for ASSP SMTP Proxy.
  Steven Hiscocks
   * [3d6791f] Ensure restart of Actions after a check fails occurs
     consistently. Closes gh-172.
   * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
   * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
   * [ce3ab34] Added ability to specify PID file.
  Orion Poplawski
   * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
     Closes gh-142.
  Yaroslav Halchenko
   * [MANY] Lots of improvements to log messages, man pages and test cases.
   * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
     Closes gh-126. Bug report by Michael Heuberger.
   * [40c5a2d] adding more of diagnostic messages into -client while starting
     the daemon.
   * [8e63d4c] Compare against None with 'is' instead of '=='.
   * [6fef85f] Strip CR and LF while analyzing the log line
  Daniel Black
   * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
   * [MANY] man page edits.
   * [7cd6dab] Added help command to fail2ban-client.
   * [c8c7b0b,23bbc60] Better logging of log file read errors.
   * [3665e6d] Added code coverage to development process.
   * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
     source. Also include BSD changes.
   * [1d9abd1] Action files can have tags in definition that refer to other
     tags.
   * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
     unreachable rather than just a drop of the packet.
  Pascal Borreli
   * [a2b29b4] Fixed lots of typos in config files and documentation.
  hamilton5
   * [7ede1e8] Update dovecot filter config.
  Romain Riviere
   * [0ac8746] Enhance named-refused filter for views.
  James Stout
   * [..2143cdf] Solaris support enhancements:
     - README.Solaris
     - failregex'es tune ups (sshd.conf)
     - hostsdeny: do not rely on support of '-i' in sed
 ver. 0.8.8 (2012/12/06) - stable
 ----------
 - Fixes:
  Alan Jenkins
   * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
     banning due to misconfigured DNS. Closes gh-64
  Yaroslav Halchenko
   * [83109bc] IMPORTANT: escape the content of <matches> (if used in
     custom action files) since its value could contain arbitrary
     symbols.  Thanks for discovery go to the NBS System security
     team
   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83
   * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
   * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
     in the console. Closes gh-91
 - New features:
  David Engeset
   * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
     the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86
  Yaroslav Halchenko
 - Enhancements:
   * [2d66f31] replaced uninformative "Invalid command" message with warning log
     exception why command actually failed
   * [958a1b0] improved failregex to "support" auth.backend = "htdigest"
   * [9e7a3b7] until we make it proper module -- adjusted sys.path only if
     system-wide run
   * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
   * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
     for this gh-87)
   * Various others: travis-ci integration, script to run tests
     against all available Python versions, etc
 ver. 0.8.7.1 (2012/07/31) - stable
 ----------
--- a/359
+++ b/359
@ -21,17 +21,247 @@ would like to add to Fail2Ban, the best way to do so it to use the GitHub Pull
 Request feature. You can find more details on the Fail2Ban wiki
 (http://www.fail2ban.org/wiki/index.php/Get_Involved)
-Testing
+Pull Requests
 =============
 When submitting pull requests on GitHub we ask you to:
 * Clearly describe the problem you're solving;
 * Don't introduce regressions that will make it hard for systems adminstrators 
  to update;
 * If adding a major feature rebase your changes on master and get to a single commit;
 * Include test cases (see below);
 * Include sample logs (if relevant);
 * Include a change to the relevant section of the ChangeLog; and
 * Include yourself in THANKS if not already there.
 Filters
 =======
-Existing tests can be run by executing `fail2ban-testcases`.
+* Include sample logs with 1.2.3.4 used for IP addresses and 
  example.com/example.org used for DNS names
 * Ensure sample log is provided in testcases/files/logs/ with same name as the
  filter. Each log line should include match meta data for time & IP above
  every line (see other sample log files for examples)
 * Ensure regexs start with a ^ and are restrictive as possible. E.g. not .* if
  \d+ is sufficient
 * Use the functionality of regexs http://docs.python.org/2/library/re.html
 * Take a look at the source code of the application. You may see optional or
  extra log messages, or parts there of, that need to form part of your regex.
 If you only have a basic knowledge of regular repressions read
 http://docs.python.org/2/library/re.html first.
 Filter Security
 ---------------
 Poor filter regular expressions are suseptable to DoS attacks.
 When a remote user has the ability to introduce text that will match the 
 filter regex, such that the inserted text matches the <HOST> part, they have the
 ability to deny any host they choose.
 So the <HOST> part must be anchored on text generated by the application, and not
 the user, to a sufficient extent that the user cannot insert the entire text.
 Filters are matched against the log line with their date removed.
 Ideally filter regex should anchor to the beginning and end of the log line
 however as more applications log at the beginning than the end, achoring the
 beginning is more important. If the log file used by the application is shared
 with other applications, like system logs, ensure the other application that
 use that log file do not log user generated text at the beginning of the line,
 or, if they do, ensure the regexs of the filter are sufficient to mitigate the
 risk of insertion.
 When creating a regex that extends back to the begining remember the date part
 has been removed within fail2ban so theres no need to match that. If the format
 is like '<date...> error 1.2.3.4 is evil' then you will need to match the < at
 the start so here the regex would start like '^<> <HOST> is evil$'.
 Some applications log spaces at the end. If you're not sure add \s*$ as the
 end part of the regex.
 Examples of poor filters
 ------------------------
 1. Too restrictive
 We find a log message:
    Apr-07-13 07:08:36 Invalid command fial2ban from 1.2.3.4
 We make a failregex
    ^Invalid command \S+ from <HOST>
 Now think evil. The user does the command 'blah from 1.2.3.44'
 The program diliently logs:
    Apr-07-13 07:08:36 Invalid command blah from 1.2.3.44 from 1.2.3.4
 And fail2ban matches 1.2.3.44 as the IP that it ban. A DoS attack was successful.
 The fix here is that the command can be anything so .* is approprate.
    ^Invalid command .* from <HOST>
 Here the .* will match until the end of the string. Then realise it has more to
 match, i.e. "from <HOST>" and go back until it find this. Then it will ban
 1.2.3.4 correctly. Since the <HOST> is always at the end, end the regex with a $.
    ^Invalid command .* from <HOST>$
 Note if we'd just had the expression:
    ^Invalid command \S+ from <HOST>$
 Then provided the user put a space in their command they would have never been
 banned.
 2. Filter regex can match other user injected data
 From the apache vulnerability CVE-2013-2178
 ( original ref: https://vndh.net/note:fail2ban-089-denial-service ).
 An example bad regex for apache:
    failregex = [[]client <HOST>[]] user .* not found
 Since the user can do a get request on:
    GET /[client%20192.168.0.1]%20user%20root%20not%20found HTTP/1.0
 Host: remote.site
 Now the log line will be:
    [Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
 As this log line doesn't match other expressions hence it matches the above
 regex and blocks 192.168.33.1 as a denial of service from the HTTP requester.
 3. Applicaiton generates two identical log messages with different meanings
 If the application generates the following two messages under different
 circmstances:
    client <IP>: authentication failed
    client <USER>: authentication failed
 Then it's obvious that a regex of "^client <HOST>: authentication
 failed$" will still cause problems if the user can trigger the second
 log message with a <USER> of 123.1.1.1.
 Here there's nothing to do except request/change the application so it logs
 messages differently.
 Code Testing
 ============
 Existing tests can be run by executing `fail2ban-testcases`. This has options
 like --log-level that will probably be useful. `fail2ban-testcases --help` for
 full options.
 Test cases should cover all usual cases, all exception cases and all inside
 / outside boundary conditions.
 Test cases should cover all branches. The coverage tool will help identify
 missing branches. Also see http://nedbatchelder.com/code/coverage/branch.html
 for more details.
 Install the package python-coverage to visualise your test coverage. Run the
 following (note: on Debian-based systems, the script is called
 `python-coverage`):
 coverage run fail2ban-testcases
 coverage html
 Then look at htmlcov/index.html and see how much coverage your test cases
 exert over the codebase. Full coverage is a good thing however it may not be
 complete. Try to ensure tests cover as many independent paths through the
 code.
 Manual Execution. To run in a development environment do:
 ./fail2ban-client -c config/ -s /tmp/f2b.sock -i start
 some quick commands:
 status
 add test pyinotify
 status test
 set test addaction iptables
 set test actionban iptables echo <ip> <cidr> >> /tmp/ban
 set test actionunban iptables echo <ip> <cidr> >> /tmp/unban
 get test actionban iptables
 get test actionunban iptables
 set test banip 192.168.2.2
 status test
 Documentation about creating tests (when tests are required and some guidelines
 for creating good tests) will be added soon.
 Coding Standards
 ================
-Coming Soon.
+
 Style
 -----
 Please use tabs for now. Keep to 80 columns, at least for readable text.
 Tests
 -----
 Add tests. They should test all the code you add in a meaning way.
 Coverage
 --------
 Test coverage should always increase as you add code.
 You may use "# pragma: no cover" in the code for branches of code that support
 older versions on python. For all other uses of "pragma: no cover" or
 "pragma: no branch" document the reason why its not covered. "I haven't written
 a test case" isn't a sufficient reason.
 Documentation
 -------------
 Ensure this documentation is up to date after changes. Also ensure that the man
 pages still are accurate. Ensure that there is sufficient documentation for
 your new features to be used.
 Bugs
 ----
 Remove them and don't add any more.
 Git
 ---
 Use the following tags in your commit messages:
 'BF:' for bug fixes
 'DOC:' for documentation fixes
 'ENH:' for enhancements
 'TST:' for commits concerning tests only (thus not touching the main code-base)
 Multiple tags could be joined with +, e.g. "BF+TST:".
 Use the text "closes #333"/"resolves #333 "/"fixes #333" where 333 represents
 an issue that is closed. Other text and details in link below.
 See: https://help.github.com/articles/closing-issues-via-commit-messages
 If merge resulted in conflicts, clarify what changes were done to
 corresponding files in the 'Conflicts:' section of the merge commit
 message.  See e.g. https://github.com/fail2ban/fail2ban/commit/f5a8a8ac
 Adding Actions
 --------------
 If you add an action.d/*.conf file also add a example in config/jail.conf
 with enabled=false and maxretry=5 for ssh.
 Design
@ -58,18 +288,20 @@ one)::
 RF-Note   just a note which might be useful to address while doing RF
 JailThread -> Filter -> FileFilter -> {FilterPoll, FilterPyinotify, ...}
-         |     |         * FileContainer
+               |         * FileContainer
-         |     + FailManager
+               + FailManager
-         |     + DateDetector
+               + DateDetector
-         \- -> Actions
+			   + Jail (provided in __init__) which contains this Filter
-               * Actions
+                 (used for passing tickets from FailManager to Jail's __queue)
               + BanManager
 Server
   + Jails
      * Jail
-        + Filter
+        + Filter  (in __filter)
        * tickets (in __queue)
        + Actions (in __action)
          * Action
          + BanManager
 failmanager.py
 ~~~~~~~~~~~~~~
@ -125,12 +357,14 @@ FileContainer
  .__pos
    Keeps the position pointer
 dnsutils.py
 ~~~~~~~~~~~
 DNSUtils
  Utility class for DNS and IP handling
  RF-Note: convert to functions within a separate submodule
 filter*.py
 ~~~~~~~~~~
@ -147,10 +381,103 @@ one way or another provide
 		except FailManagerEmpty:
 			self.failManager.cleanup(MyTime.time())
-thus channeling "ban tickets" from their failManager to a
+thus channeling "ban tickets" from their failManager to the
 corresponding jail.
 action.py
 ~~~~~~~~~
 Takes care about executing start/check/ban/unban/stop commands
 Releasing
 =========
 # Check distribution patches and see if they can be included
  * https://apps.fedoraproject.org/packages/fail2ban/sources
  * http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/
  * http://svnweb.freebsd.org/ports/head/security/py-fail2ban/
  * https://build.opensuse.org/package/show?package=fail2ban&project=openSUSE%3AFactory
  * http://sophie.zarb.org/sources/fail2ban (Mageia)
  * https://trac.macports.org/browser/trunk/dports/security/fail2ban
 # Check distribution outstanding bugs
  * https://github.com/fail2ban/fail2ban/issues?sort=updated&state=open
  * http://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=fail2ban
  * http://bugs.sabayon.org/buglist.cgi?quicksearch=net-analyzer%2Ffail2ban
  * https://bugs.gentoo.org/buglist.cgi?query_format=advanced&short_desc=fail2ban&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=IN_PROGRESS&short_desc_type=allwords
  * https://bugzilla.redhat.com/buglist.cgi?query_format=advanced&bug_status=NEW&bug_status=ASSIGNED&component=fail2ban&classification=Red%20Hat&classification=Fedora
  * http://www.freebsd.org/cgi/query-pr-summary.cgi?text=fail2ban
 # Provide a release sample to distributors
  * Debian: Yaroslav Halchenko <debian@onerussian.com>
            http://packages.qa.debian.org/f/fail2ban.html
  * FreeBSD: Christoph Theis theis@gmx.at>, Nick Hilliard <nick@foobar.org>
            http://svnweb.freebsd.org/ports/head/security/py-fail2ban/Makefile?view=markup
  * Fedora: Axel Thimm <Axel.Thimm@atrpms.net>
            https://apps.fedoraproject.org/packages/fail2ban
  * Gentoo: netmon@gentoo.org
            http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/metadata.xml?view=markup
  * openSUSE: Stephan Kulow <coolo@suse.com>
            https://build.opensuse.org/package/users?package=fail2ban&project=openSUSE%3AFactory
  * Mac Ports: @Malbrouck on github (gh-49)
            https://trac.macports.org/browser/trunk/dports/security/fail2ban/Portfile
 # Wait for feedback from distributors
 # Ensure the version is correct in ./common/version.py
 # Add/finalize the corresponding entry in the ChangeLog
  To generate a list of committers use e.g.
  git shortlog -sn 0.8.8.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g'
  Ensure the top of the ChangeLog has the right version and current date.
  Ensure the top entry of the ChangeLog has the right version and current date.
 # Update man pages
  (cd man ; ./generate-man )
  git commit -m 'update man pages for release' man/*
 # Make sure the tests pass
  ./fail2ban-testcases-all
 # Prepare/upload source and rpm binary distributions
  python setup.py check
  python setup.py sdist
  python setup.py bdist_rpm
  python setup.py upload
 # Run the following and update the wiki with output:
  python -c 'import common.protocol; common.protocol.printWiki()'
 # Email users and development list of release
 # notify distributors
 Post Release
 ============
 Add the following to the top of the ChangeLog
 ver. 0.8.12 (2013/XX/XXX) - wanna-be-released
 -----------
 - Fixes:
 - New Features:
 - Enhancements:
 and adjust common/version.py to carry .dev suffix to signal
 a version under development.
--- a/60
+++ b/60
@ -1,8 +1,11 @@
-README
+README.md
 README.Solaris
 ChangeLog
 TODO
 THANKS
 COPYING
 DEVELOP
 doc/run-rootless.txt
 fail2ban-client
 fail2ban-server
 fail2ban-testcases
@ -40,6 +43,30 @@ server/banmanager.py
 server/datetemplate.py
 server/mytime.py
 server/failregex.py
 testcases/files/testcase-usedns.log
 testcases/files/logs/bsd/syslog-plain.txt
 testcases/files/logs/bsd/syslog-v.txt
 testcases/files/logs/bsd/syslog-vv.txt
 testcases/files/logs/apache-overflows
 testcases/files/logs/assp
 testcases/files/logs/asterisk
 testcases/files/logs/dovecot
 testcases/files/logs/exim
 testcases/files/logs/lighttpd
 testcases/files/logs/mysqld.log
 testcases/files/logs/named-refused
 testcases/files/logs/pam-generic
 testcases/files/logs/postfix
 testcases/files/logs/proftpd
 testcases/files/logs/pure-ftpd
 testcases/files/logs/roundcube-auth
 testcases/files/logs/sasl
 testcases/files/logs/sogo-auth
 testcases/files/logs/sshd
 testcases/files/logs/sshd-ddos
 testcases/files/logs/vsftpd
 testcases/files/logs/webmin-auth
 testcases/files/logs/wu-ftpd
 testcases/banmanagertestcase.py
 testcases/failmanagertestcase.py
 testcases/clientreadertestcase.py
@ -48,13 +75,17 @@ testcases/__init__.py
 testcases/datedetectortestcase.py
 testcases/actiontestcase.py
 testcases/servertestcase.py
 testcases/sockettestcase.py
 testcases/files/testcase01.log
 testcases/files/testcase02.log
 testcases/files/testcase03.log
 testcases/files/testcase04.log
 testcases/misctestcase.py
 testcases/utils.py
 setup.py
 setup.cfg
 common/__init__.py
 common/exceptions.py
 common/helpers.py
 common/version.py
 common/protocol.py
@ -70,7 +101,7 @@ config/filter.d/couriersmtp.conf
 config/filter.d/cyrus-imap.conf
 config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
-config/filter.d/lighttpd-fastcgi.conf
+config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
 config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
@ -86,6 +117,22 @@ config/filter.d/vsftpd.conf
 config/filter.d/webmin-auth.conf
 config/filter.d/wuftpd.conf
 config/filter.d/xinetd-fail.conf
 config/filter.d/asterisk.conf
 config/filter.d/dovecot.conf
 config/filter.d/dropbear.conf
 config/filter.d/lighttpd-auth.conf
 config/filter.d/recidive.conf
 config/filter.d/roundcube-auth.conf
 config/filter.d/assp.conf
 config/filter.d/mysqld-auth.conf
 config/filter.d/sogo-auth.conf
 config/action.d/bsd-ipfw.conf
 config/action.d/dummy.conf
 config/action.d/iptables-blocktype.conf
 config/action.d/iptables-ipset-proto4.conf
 config/action.d/iptables-ipset-proto6.conf
 config/action.d/iptables-xt_recent-echo.conf
 config/action.d/route.conf
 config/action.d/complain.conf
 config/action.d/dshield.conf
 config/action.d/hostsdeny.conf
@ -101,6 +148,7 @@ config/action.d/mail-buffered.conf
 config/action.d/mail-whois.conf
 config/action.d/mail-whois-lines.conf
 config/action.d/mynetwatchman.conf
 config/action.d/pf.conf
 config/action.d/sendmail.conf
 config/action.d/sendmail-buffered.conf
 config/action.d/sendmail-whois.conf
@ -108,6 +156,8 @@ config/action.d/sendmail-whois-lines.conf
 config/action.d/shorewall.conf
 config/fail2ban.conf
 man/fail2ban-client.1
 man/fail2ban.1
 man/jail.conf.5
 man/fail2ban-client.h2m
 man/fail2ban-server.1
 man/fail2ban-server.h2m
@ -121,8 +171,14 @@ files/macosx-initd
 files/solaris-fail2ban.xml
 files/solaris-svc-fail2ban
 files/suse-initd
 files/fail2ban-logrotate
 files/cacti/fail2ban_stats.sh
 files/cacti/cacti_host_template_fail2ban.xml
 files/cacti/README
 files/nagios/check_fail2ban
 files/nagios/f2ban.txt
 files/bash-completion
 files/fail2ban-tmpfiles.conf
 files/fail2ban.service
 files/ipmasq-ZZZzzz_fail2ban.rul
 files/nagios/README
--- a/95
+++ b/95
@ -1,95 +0,0 @@
                         __      _ _ ___ _               
                        / _|__ _(_) |_  ) |__  __ _ _ _  
                       |  _/ _` | | |/ /| '_ \/ _` | ' \ 
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
 ================================================================================
 Fail2Ban (version 0.8.7)                                              2012/07/31
 ================================================================================
 Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
 password failures. It updates firewall rules to reject the IP address. These
 rules can be defined by the user. Fail2Ban can read multiple log files such as
 sshd or Apache web server ones.
 This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
 are available on the project website: http://www.fail2ban.org
 Installation:
 -------------
 Required:
   >=python-2.3 (http://www.python.org)
 Optional:
   pyinotify:
      >=linux-2.6.13
      >=python-2.4
      >=pyinotify-0.8.3 (https://github.com/seb-m/pyinotify)
   Gamin:
      >=gamin-0.0.21 (http://www.gnome.org/~veillard/gamin)
 To install, just do:
 > tar xvfj fail2ban-0.8.7.tar.bz2
 > cd fail2ban-0.8.7
 > python setup.py install
 This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
 placed into /usr/bin.
 It is possible that Fail2ban is already packaged for your distribution. In this
 case, you should use it.
 Fail2Ban should be correctly installed now. Just type:
 > fail2ban-client -h
 to see if everything is alright. You should always use fail2ban-client and never
 call fail2ban-server directly.
 Configuration:
 --------------
 You can configure Fail2ban using the files in /etc/fail2ban. It is possible to
 configure the server using commands sent to it by fail2ban-client. The available
 commands are described in the man page of fail2ban-client. Please refer to it or
 to the website: http://www.fail2ban.org
 Contact:
 --------
 Website: http://www.fail2ban.org
 You need some new features, you found bugs: visit
 https://github.com/fail2ban/fail2ban/issues
 and if your issue is not yet known -- file a bug report.
 If you would like to troubleshoot or discuss: join the mailing list
 https://lists.sourceforge.net/lists/listinfo/fail2ban-users
 If you just appreciate this program: send kudos to the original author
 (Cyril Jaquier: <cyril.jaquier@fail2ban.org>) or the mailing list
 https://lists.sourceforge.net/lists/listinfo/fail2ban-users
 Thanks:
 -------
 See THANKS file.
 License:
 --------
 Fail2Ban is free software; you can redistribute it and/or modify it under the
 terms of the GNU General Public License as published by the Free Software
 Foundation; either version 2 of the License, or (at your option) any later
 version.
 Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY
 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE. See the GNU General Public License for more details.
 You should have received a copy of the GNU General Public License along with
 Fail2Ban; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
 Suite 330, Boston, MA  02111-1307  USA
--- a/README.Solaris
+++ b/README.Solaris
@ -0,0 +1,122 @@
 # vim:tw=80:ft=txt
 README FOR SOLARIS INSTALLATIONS
 By Roy Sigurd Karlsbakk <roy@karlsbakk.net>
 ABOUT
 This readme is meant for those wanting to install fail2ban on Solaris 10,
 OpenSolaris, OpenIndiana etc. To some degree it may as well be useful for
 users of older Solaris versions and Nexenta, but don't rely on it.
 READ ME FIRST
 If I use the term Solaris, I am talking about any Solaris dialect, that is, the
 official Sun/Oracle ones or derivates. If I describe an OS as
 "OpenSolaris-based", it means it's either OpenSolaris, OpenIndiana or one of the
 other, but /not/ the Nexenta family, since this only uses the OpenSolaris/
 IllumOS kernel and not the userland. If I say Solaris 10, I mean Solaris 10 and
 perhaps, if you're lucky and have some good gods on your side, it may also apply
 to Solaris 9 or even 8 and hopefully in the new Solaris 11 whenever that may be
 released. Quoted lines of code, settings et cetera are indented with two spaces.
 This does _not_ mean you should use that indentation, especially in config files
 where they can be harmful. Optional settings are prefixed with OPT: while
 required settings are prefixed with REQ:. If no prefix is found, regard it as a
 required setting.
 INSTALLATION ON SOLARIS
 The installation is straight forward on Solaris as well as on linux/bsd/etc.
 ./setup.py install installs the general packages in /usr/bin on OpenSolaris-
 based distros or (at least on this box) under /usr/sfw/bin on Solaris 10. In
 the files/ directory you will find the file solaris-fail2ban.xml containing the
 Solaris service. To install this, run the following command as root (or with
 sudo):
  svccfg import files/solaris-fail2ban.xml
 This should normally without giving an error. If you get an error, deal with it,
 and please post any relevant info (or fixes?) to the fail2ban mailing list.
 Next install the service handler - copy the script in and allow it to be executed:
  cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
  chmod +x /lib/svc/method/svc-fail2ban
 CONFIGURE SYSLOG
 For some reason, a default Solaris installation does not log ssh login attempts,
 and since fail2ban works by monitoring logs, enabling this logging is rather
 important for it to work. To enable this, edit /etc/syslog.conf and add a line
 at the end:
  auth.info					/var/adm/auth.log
 Save the file and exit, and run
  touch /var/adm/auth.log
 The Solaris system logger will _not_ create a non-existing file. Now, restart
 the system logger.
  svcadm restart system-log
 Try to ssh into localhost with ssh asdf@localhost and enter an invalid password.
 Make sure this is logged in the above file. When done, you may configure
 fail2ban.
 FAIL2BAN CONFIGURATION
 OPT: Create /etc/fail2ban/fail2ban.local containing:
 # Fail2Ban configuration file for logging fail2ban on Solaris
 #
 [Definition]
 logtarget = /var/adm/fail2ban.log
 REQ: Create /etc/fail2ban/jail.local containing:
 [ssh-tcpwrapper]
 enabled     = true
 filter      = sshd
 action      = hostsdeny[daemon_list=sshd]
              sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
 logpath     = /var/adm/auth.log
 Set the sendmail dest address to something useful or drop the line to stop it spamming you.
 Set 'myuser' to your username to avoid banning yourself or remove the line.
 START (OR RESTART) FAIL2BAN
 Enable the fail2ban service with
  svcadm enable fail2ban
 When done, check that all services are running well
  svcs -xv
 GOTCHAS AND FIXMES
 * It seems the installation may be starting fail2ban automatically. If this is
  done, fail2ban will not start, but no errors will be returned from svcs
  (above). Check if it's running with 'ps -ef | grep fail2ban' and manually kill
  the PID if it is. Re-enable fail2ban and try again
    svcadm disable fail2ban
    svcadm enable fail2ban
 * If svcs -xv says that fail2ban failed to start or svcs says it's in maintenance mode
  check /var/svc/log/network-fail2ban:default.log for clues. 
  Check permissions on /var/adm, /var/adm/auth.log /var/adm/fail2ban.log and /var/run/fail2ban
  You may need to:
  sudo mkdir /var/run/fail2ban
 * Fail2ban adds lines like these to /etc/hosts.deny:
    sshd: 1.2.3.4
--- a/README.md
+++ b/README.md
@ -0,0 +1,105 @@
                         __      _ _ ___ _               
                        / _|__ _(_) |_  ) |__  __ _ _ _  
                       |  _/ _` | | |/ /| '_ \/ _` | ' \ 
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
                       v0.8.10                  2013/06/12
 ## Fail2Ban: ban hosts that cause multiple authentication errors
 Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
 password failures. It updates firewall rules to reject the IP address. These
 rules can be defined by the user. Fail2Ban can read multiple log files such as
 sshd or Apache web server ones.
 This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
 are available in fail2ban(1) manpage and on the website http://www.fail2ban.org
 Installation:
 -------------
 **It is possible that Fail2ban is already packaged for your distribution.  In
 this case, you should use it instead.**
 Required:
 - [Python >= 2.4](http://www.python.org)
 Optional:
 - [pyinotify >= 0.8.3](https://github.com/seb-m/pyinotify)
  - Linux >= 2.6.13
 - [gamin >= 0.0.21](http://www.gnome.org/~veillard/gamin)
 To install, just do:
    tar xvfj fail2ban-0.8.10.tar.bz2
    cd fail2ban-0.8.10
    python setup.py install
 This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
 placed into /usr/bin, and configuration under /etc/fail2ban.
 Fail2Ban should be correctly installed now. Just type:
    fail2ban-client -h
 to see if everything is alright. You should always use fail2ban-client and
 never call fail2ban-server directly.
 Configuration:
 --------------
 You can configure Fail2Ban using the files in /etc/fail2ban. It is possible to
 configure the server using commands sent to it by fail2ban-client. The
 available commands are described in the fail2ban-client(1) manpage.  Also see
 fail2ban(1) manpage for further references and find even more documentation on
 the website: http://www.fail2ban.org
 Code status:
 ------------
 * [![tests status](https://secure.travis-ci.org/fail2ban/fail2ban.png?branch=master)](https://travis-ci.org/fail2ban/fail2ban) travis-ci.org (master branch)
 * [![Coverage Status](https://coveralls.io/repos/fail2ban/fail2ban/badge.png?branch=master)](https://coveralls.io/r/fail2ban/fail2ban)
 Contact:
 --------
 ### You found a severe security vulnerability in Fail2Ban?
 email details to fail2ban-vulnerabilities at lists dot sourceforge dot net .
 ### You need some new features, you found bugs?
 visit [Issues](https://github.com/fail2ban/fail2ban/issues)
 and if your issue is not yet known -- file a bug report. See
 [Fail2Ban wiki](http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help)
 on further instructions.
 ### You would like to troubleshoot or discuss?
 join the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users)
 ### You would like to contribute (new filters/actions/code/documentation)?
 send a pull request
 ### You just appreciate this program:
 send kudos to the original author ([Cyril Jaquier](mailto: Cyril Jaquier <cyril.jaquier@fail2ban.org>)
 or better to the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users)
 since Fail2Ban is "community-driven" for years now.
 Thanks:
 -------
 See [THANKS](https://github.com/fail2ban/fail2ban/blob/master/THANKS) file.
 License:
 --------
 Fail2Ban is free software; you can redistribute it and/or modify it under the
 terms of the GNU General Public License as published by the Free Software
 Foundation; either version 2 of the License, or (at your option) any later
 version.
 Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY
 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE. See the GNU General Public License for more details.
 You should have received a copy of the GNU General Public License along with
 Fail2Ban; if not, write to the Free Software Foundation, Inc., 51 Franklin
 Street, Fifth Floor, Boston, MA 02110, USA
--- a/36
+++ b/36
@ -1,47 +1,71 @@
-Fail2Ban is an open source project with many contributions from its
+Fail2Ban is an open source project which was conceived and originally
-users community. Below is an alphabetically sorted partial list of the
+developed by Cyril Jaquier until 2010.  Since then Fail2Ban grew into
-contributors to the project.  If you have been left off, please let us
+a community-driven project with many contributions from its users.
-know (preferably send a pull request on github with the "fix") and you
+Below is an alphabetically sorted partial list of the contributors to
-will be added
+the project.  If you have been left off, please let us know
 (preferably send a pull request on github with the "fix") and you will
 be added
 Adrien Clerc
 ache
 Andrey G. Grozin
 Andy Fragen
 Arturo 'Buanzo' Busleiman
 Axel Thimm
 Beau Raines
 Bill Heaton
 Carlos Alberto Lopez Perez
 Christian Rauch
 Christophe Carles
 Christoph Haas
 Christos Psonis
 Cyril Jaquier
 Daniel B. Cid
 Daniel Black
 David Nutter
 Eric Gerbier
 Enrico Labedzki
 ftoppi
 François Boulogne
 Frédéric
 Georgiy Mernov
 Guillaume Delvit
 Hanno 'Rince' Wagner
 Iain Lea
 Jonathan Kamens
 Jonathan Underwood
 Joël Bertrand
 JP Espinosa
 Justin Shore
 Kévin Drapel
 kojiro
 Manuel Arostegui Ramirez
 Marcel Dopita
 Mark Edgington
 Markus Hoffmann
 Marvin Rouge
 mEDI
 Мернов Георгий
 Michael C. Haller
 Michael Hanselmann
-NickMunger
+Nick Munger
 Patrick Börjesson
 Raphaël Marichez
 René Berber
 Robert Edeker
 Rolf Fokkens
 Russell Odom
 Sebastian Arcus
 Sireyessire
 silviogarbes
 Stephen Gildea
 Steven Hiscocks
 Tom Pike
 Tyler
 Vaclav Misek
 Vincent Deffontaines
 Yaroslav Halchenko
 ykimon
 Yehuda Katz
 zugeschmiert
 Zurd
--- a/9
+++ b/9
@ -13,9 +13,14 @@ Legend:
 # partially done
 * done
- Removed relative imports
+- more detailed explaination in DEVELOP for new developers (eg. howto build this HEX numbers in ChangeLog)
- Cleanup fail2ban-client and fail2ban-server. Move code to server/ and client/
+- Run tests though all filters/examples files - (see sshd example file) as unit
  test
 * Removed relative imports
 * Cleanup fail2ban-client and fail2ban-server. Move code to server/ and client/
 - Add timeout to external commands (signal alarm, watchdog thread, etc)
--- a/client/init.py
+++ b/client/init.py
@ -19,10 +19,7 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
--- a/client/actionreader.py
+++ b/client/actionreader.py
@ -19,11 +19,8 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
@ -35,8 +32,8 @@ logSys = logging.getLogger("fail2ban.client.config")
 class ActionReader(ConfigReader):
-	def __init__(self, action, name):
+	def __init__(self, action, name, **kwargs):
-		ConfigReader.__init__(self)
+		ConfigReader.__init__(self, **kwargs)
 		self.__file = action[0]
 		self.__cInfo = action[1]
 		self.__name = name
--- a/client/beautifier.py
+++ b/client/beautifier.py
@ -17,20 +17,14 @@
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-# Author: Cyril Jaquier
+__author__ = "Cyril Jaquier, Yaroslav Halchenko"
-# 
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko"
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 from server.jails import UnknownJailException
 from server.jails import DuplicateJailException
 import logging
 from common.exceptions import UnknownJailException, DuplicateJailException
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban.client.config")
@ -62,10 +56,10 @@ class Beautifier:
 				msg = "Jail started"
 			elif inC[0] == "stop":
 				if len(inC) == 1:
-					if response == None:
+					if response is None:
 						msg = "Shutdown successful"
 				else:
-					if response == None:
+					if response is None:
 						msg = "Jail stopped"
 			elif inC[0] == "add":
 				msg = "Added jail " + response
--- a/client/configparserinc.py
+++ b/client/configparserinc.py
@ -19,11 +19,8 @@
 # Author: Yaroslav Halchenko
 # Modified: Cyril Jaquier
 # $Revision$
 __author__ = 'Yaroslav Halhenko'
 __revision__ = '$Revision$'
 __date__ = '$Date$'
 __copyright__ = 'Copyright (c) 2007 Yaroslav Halchenko'
 __license__ = 'GPL'
--- a/client/configreader.py
+++ b/client/configreader.py
@ -19,15 +19,12 @@
 # Author: Cyril Jaquier
 # Modified by: Yaroslav Halchenko (SafeConfigParserWithIncludes)
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
-import logging, os
+import glob, logging, os
 from configparserinc import SafeConfigParserWithIncludes
 from ConfigParser import NoOptionError, NoSectionError
@ -35,36 +32,57 @@ from ConfigParser import NoOptionError, NoSectionError
 logSys = logging.getLogger("fail2ban.client.config")
 class ConfigReader(SafeConfigParserWithIncludes):
 	DEFAULT_BASEDIR = '/etc/fail2ban'
-	BASE_DIRECTORY = "/etc/fail2ban/"
+	def __init__(self, basedir=None):
 	def __init__(self):
 		SafeConfigParserWithIncludes.__init__(self)
 		self.setBaseDir(basedir)
 		self.__opts = None
-	#@staticmethod
+	def setBaseDir(self, basedir):
-	def setBaseDir(folderName):
+		if basedir is None:
-		path = folderName.rstrip('/')
+			basedir = ConfigReader.DEFAULT_BASEDIR	# stock system location
-		ConfigReader.BASE_DIRECTORY = path + '/'
+		self._basedir = basedir.rstrip('/')
-	setBaseDir = staticmethod(setBaseDir)
+	
-		
+	def getBaseDir(self):
-	#@staticmethod
+		return self._basedir
 	def getBaseDir():
 		return ConfigReader.BASE_DIRECTORY
 	getBaseDir = staticmethod(getBaseDir)
 	def read(self, filename):
-		basename = ConfigReader.BASE_DIRECTORY + filename
+		if not os.path.exists(self._basedir):
-		logSys.debug("Reading " + basename)
+			raise ValueError("Base configuration directory %s does not exist "
-		bConf = basename + ".conf"
+							  % self._basedir)
-		bLocal = basename + ".local"
+		basename = os.path.join(self._basedir, filename)
-		if os.path.exists(bConf) or os.path.exists(bLocal):
+		logSys.debug("Reading configs for %s under %s "  % (basename, self._basedir))
-			SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
+		config_files = [ basename + ".conf",
-			return True
+						 basename + ".local" ]
-		else:
+
-			logSys.error(bConf + " and " + bLocal + " do not exist")
+		# choose only existing ones
 		config_files = filter(os.path.exists, config_files)
 		# possible further customizations under a .conf.d directory
 		config_dir = basename + '.d'
 		config_files += sorted(glob.glob('%s/*.conf' % config_dir))
 		if len(config_files):
 			# at least one config exists and accessible
 			logSys.debug("Reading config files: " + ', '.join(config_files))
 			config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
 			missed = [ cf for cf in config_files if cf not in config_files_read ]
 			if missed:
 				logSys.error("Could not read config files: " + ', '.join(missed))
 			if config_files_read:
 				return True
 			logSys.error("Found no accessible config files for %r under %s" %
 						 ( filename, self.getBaseDir() ))
 			return False
-	
+		else:
 			logSys.error("Found no accessible config files for %r " % filename
 						 + (["under %s" % self.getBaseDir(),
 							 "among existing ones: " + ', '.join(config_files)][bool(len(config_files))]))
 			return False
 	##
 	# Read the options.
 	#
@ -85,7 +103,7 @@ class ConfigReader(SafeConfigParserWithIncludes):
 					v = self.getint(sec, option[1])
 				else:
 					v = self.get(sec, option[1])
-				if not pOptions == None and option[1] in pOptions:
+				if not pOptions is None and option[1] in pOptions:
 					continue
 				values[option[1]] = v
 			except NoSectionError, e:
@ -93,9 +111,9 @@ class ConfigReader(SafeConfigParserWithIncludes):
 				logSys.error(e)
 				values[option[1]] = option[2]
 			except NoOptionError:
-				if not option[2] == None:
+				if not option[2] is None:
-					logSys.warn("'%s' not defined in '%s'. Using default value"
+					logSys.warn("'%s' not defined in '%s'. Using default one: %r"
-								% (option[1], sec))
+								% (option[1], sec, option[2]))
 					values[option[1]] = option[2]
 			except ValueError:
 				logSys.warn("Wrong value for '" + option[1] + "' in '" + sec +
--- a/client/configurator.py
+++ b/client/configurator.py
@ -19,11 +19,8 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
@ -43,15 +40,19 @@ class Configurator:
 		self.__fail2ban = Fail2banReader()
 		self.__jails = JailsReader()
-	#@staticmethod
+	def setBaseDir(self, folderName):
-	def setBaseDir(folderName):
+		self.__fail2ban.setBaseDir(folderName)
-		ConfigReader.setBaseDir(folderName)
+		self.__jails.setBaseDir(folderName)
 	setBaseDir = staticmethod(setBaseDir)
-	#@staticmethod
+	def getBaseDir(self):
-	def getBaseDir():
+		fail2ban_basedir = self.__fail2ban.getBaseDir()
-		return ConfigReader.getBaseDir()
+		jails_basedir = self.__jails.getBaseDir()
-	getBaseDir = staticmethod(getBaseDir)
+		if fail2ban_basedir != jails_basedir:
 			logSys.error("fail2ban.conf and jails.conf readers have differing "
 						 "basedirs: %r and %r. "
 						 "Returning the one for fail2ban.conf"
 						 % (fail2ban_basedir, jails_basedir))
 		return fail2ban_basedir
 	def readEarly(self):
 		self.__fail2ban.read()
--- a/client/csocket.py
+++ b/client/csocket.py
@ -19,11 +19,8 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
--- a/client/fail2banreader.py
+++ b/client/fail2banreader.py
@ -19,11 +19,8 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
@ -35,14 +32,15 @@ logSys = logging.getLogger("fail2ban.client.config")
 class Fail2banReader(ConfigReader):
-	def __init__(self):
+	def __init__(self, **kwargs):
-		ConfigReader.__init__(self)
+		ConfigReader.__init__(self, **kwargs)
 	def read(self):
 		ConfigReader.read(self, "fail2ban")
 	def getEarlyOptions(self):
-		opts = [["string", "socket", "/tmp/fail2ban.sock"]]
+		opts = [["string", "socket", "/var/run/fail2ban/fail2ban.sock"],
 				["string", "pidfile", "/var/run/fail2ban/fail2ban.pid"]]
 		return ConfigReader.getOptions(self, "Definition", opts)
 	def getOptions(self):
--- a/client/filterreader.py
+++ b/client/filterreader.py
@ -19,11 +19,8 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
@ -35,8 +32,8 @@ logSys = logging.getLogger("fail2ban.client.config")
 class FilterReader(ConfigReader):
-	def __init__(self, fileName, name):
+	def __init__(self, fileName, name, **kwargs):
-		ConfigReader.__init__(self)
+		ConfigReader.__init__(self, **kwargs)
 		self.__file = fileName
 		self.__name = name
--- a/client/jailreader.py
+++ b/client/jailreader.py
@ -19,11 +19,8 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
@ -40,10 +37,11 @@ class JailReader(ConfigReader):
 	actionCRE = re.compile("^((?:\w|-|_|\.)+)(?:\[(.*)\])?$")
-	def __init__(self, name):
+	def __init__(self, name, force_enable=False, **kwargs):
-		ConfigReader.__init__(self)
+		ConfigReader.__init__(self, **kwargs)
 		self.__name = name
 		self.__filter = None
 		self.__force_enable = force_enable
 		self.__actions = list()
 	def setName(self, value):
@ -53,10 +51,10 @@ class JailReader(ConfigReader):
 		return self.__name
 	def read(self):
-		ConfigReader.read(self, "jail")
+		return ConfigReader.read(self, "jail")
 	def isEnabled(self):
-		return self.__opts["enabled"]
+		return self.__force_enable or self.__opts["enabled"]
 	def getOptions(self):
 		opts = [["bool", "enabled", "false"],
@ -75,7 +73,8 @@ class JailReader(ConfigReader):
 		if self.isEnabled():
 			# Read filter
-			self.__filter = FilterReader(self.__opts["filter"], self.__name)
+			self.__filter = FilterReader(self.__opts["filter"], self.__name,
 										 basedir=self.getBaseDir())
 			ret = self.__filter.read()
 			if ret:
 				self.__filter.getOptions(self.__opts)
@ -86,8 +85,10 @@ class JailReader(ConfigReader):
 			# Read action
 			for act in self.__opts["action"].split('\n'):
 				try:
 					if not act:			  # skip empty actions
 						continue
 					splitAct = JailReader.splitAction(act)
-					action = ActionReader(splitAct, self.__name)
+					action = ActionReader(splitAct, self.__name, basedir=self.getBaseDir())
 					ret = action.read()
 					if ret:
 						action.getOptions(self.__opts)
@ -96,20 +97,36 @@ class JailReader(ConfigReader):
 						raise AttributeError("Unable to read action")
 				except Exception, e:
 					logSys.error("Error in action definition " + act)
-					logSys.debug(e)
+					logSys.debug("Caught exception: %s" % (e,))
 					return False
 			if not len(self.__actions):
 				logSys.warn("No actions were defined for %s" % self.__name)
 		return True
-	def convert(self):
+	def convert(self, allow_no_files=False):
 		"""Convert read before __opts to the commands stream
 		Parameters
 		----------
 		allow_missing : bool
 		  Either to allow log files to be missing entirely.  Primarily is
 		  used for testing
 		 """
 		stream = []
 		for opt in self.__opts:
 			if opt == "logpath":
 				found_files = 0
 				for path in self.__opts[opt].split("\n"):
 					pathList = glob.glob(path)
 					if len(pathList) == 0:
-						logSys.error("No file found for " + path)
+						logSys.error("No file(s) found for glob %s" % path)
 					for p in pathList:
 						found_files += 1
 						stream.append(["set", self.__name, "addlogpath", p])
 				if not (found_files or allow_no_files):
 					raise ValueError(
 						"Have not found any log file for %s jail" % self.__name)
 			elif opt == "backend":
 				backend = self.__opts[opt]
 			elif opt == "maxretry":
@ -142,12 +159,20 @@ class JailReader(ConfigReader):
 	def splitAction(action):
 		m = JailReader.actionCRE.match(action)
 		d = dict()
-		if not m.group(2) == None:
+		mgroups = m.groups()
 		if len(mgroups) == 2:
 			action_name, action_opts = mgroups
 		elif len(mgroups) == 1:
 			action_name, action_opts = mgroups[0], None
 		else:
 			raise ValueError("While reading action %s we should have got up to "
 							 "2 groups. Got: %r" % (action, mgroups))
 		if not action_opts is None:
 			# Huge bad hack :( This method really sucks. TODO Reimplement it.
 			actions = ""
 			escapeChar = None
 			allowComma = False
-			for c in m.group(2):
+			for c in action_opts:
 				if c in ('"', "'") and not allowComma:
 					# Start
 					escapeChar = c
@ -172,6 +197,6 @@ class JailReader(ConfigReader):
 				try:
 					d[p[0].strip()] = p[1].strip()
 				except IndexError:
-					logSys.error("Invalid argument %s in '%s'" % (p, m.group(2)))
+					logSys.error("Invalid argument %s in '%s'" % (p, action_opts))
-		return [m.group(1), d]
+		return [action_name, d]
 	splitAction = staticmethod(splitAction)
--- a/client/jailsreader.py
+++ b/client/jailsreader.py
@ -18,12 +18,9 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 # Author: Cyril Jaquier
-# 
+#
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
@ -35,21 +32,37 @@ from jailreader import JailReader
 logSys = logging.getLogger("fail2ban.client.config")
 class JailsReader(ConfigReader):
-	
+
-	def __init__(self):
+	def __init__(self, force_enable=False, **kwargs):
-		ConfigReader.__init__(self)
+		"""
 		Parameters
 		----------
 		force_enable : bool, optional
 		  Passed to JailReader to force enable the jails.
 		  It is for internal use
 		"""
 		ConfigReader.__init__(self, **kwargs)
 		self.__jails = list()
-	
+		self.__force_enable = force_enable
 	def read(self):
-		ConfigReader.read(self, "jail")
+		return ConfigReader.read(self, "jail")
-	
+
-	def getOptions(self, section = None):
+	def getOptions(self, section=None):
 		"""Reads configuration for jail(s) and adds enabled jails to __jails
 		"""
 		opts = []
 		self.__opts = ConfigReader.getOptions(self, "Definition", opts)
-		if section:
+		if section is None:
-			# Get the options of a specific jail.
+			sections = self.sections()
-			jail = JailReader(section)
+		else:
 			sections = [ section ]
 		# Get the options of all jails.
 		for sec in sections:
 			jail = JailReader(sec, basedir=self.getBaseDir(),
 							  force_enable=self.__force_enable)
 			jail.read()
 			ret = jail.getOptions()
 			if ret:
@ -57,34 +70,30 @@ class JailsReader(ConfigReader):
 					# We only add enabled jails
 					self.__jails.append(jail)
 			else:
-				logSys.error("Errors in jail '%s'. Skipping..." % section)
+				logSys.error("Errors in jail %r. Skipping..." % sec)
 				return False
 		else:
 			# Get the options of all jails.
 			for sec in self.sections():
 				jail = JailReader(sec)
 				jail.read()
 				ret = jail.getOptions()
 				if ret:
 					if jail.isEnabled():
 						# We only add enabled jails
 						self.__jails.append(jail)
 				else:
 					logSys.error("Errors in jail '" + sec + "'. Skipping...")
 					return False
 		return True
-	
+
-	def convert(self):
+	def convert(self, allow_no_files=False):
 		"""Convert read before __opts and jails to the commands stream
 		Parameters
 		----------
 		allow_missing : bool
 		  Either to allow log files to be missing entirely.  Primarily is
 		  used for testing
 		"""
 		stream = list()
 		for opt in self.__opts:
 			if opt == "":
 				stream.append([])
 		# Convert jails
 		for jail in self.__jails:
-			stream.extend(jail.convert())
+			stream.extend(jail.convert(allow_no_files=allow_no_files))
 		# Start jails
 		for jail in self.__jails:
 			stream.append(["start", jail.getName()])
-		
+
 		return stream
-		
+
--- a/common/init.py
+++ b/common/init.py
@ -19,10 +19,12 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 import logging
 # Custom debug level
 logging.HEAVYDEBUG = 5
--- a/common/exceptions.py
+++ b/common/exceptions.py
@ -0,0 +1,36 @@
 # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
 # vi: set ft=python sts=4 ts=4 sw=4 noet :
 """Fail2Ban exceptions used by both client and server
 """
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # Fail2Ban is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Yaroslav Halchenko"
 __license__ = "GPL"
 #
 # Jails
 #
 class DuplicateJailException(Exception):
 	pass
 class UnknownJailException(Exception):
 	pass
--- a/common/helpers.py
+++ b/common/helpers.py
@ -17,25 +17,12 @@
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-# Author: Cyril Jaquier
+__author__ = "Cyril Jaquier, Arturo 'Buanzo' Busleiman, Yaroslav Halchenko"
 # Author: Arturo 'Buanzo' Busleiman
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2009 Cyril Jaquier"
 __license__ = "GPL"
 def formatExceptionInfo():
-	""" Author: Arturo 'Buanzo' Busleiman """
+	""" Consistently format exception information """
 	import sys
 	cla, exc = sys.exc_info()[:2]
-	excName = cla.__name__
+	return (cla.__name__, str(exc))
 	try:
 		excArgs = exc.__dict__["args"]
 	except KeyError:
 		excArgs = str(exc)
 	return (excName, excArgs)
--- a/common/protocol.py
+++ b/common/protocol.py
@ -19,11 +19,8 @@
 # Author: Cyril Jaquier
 # 
 # $Revision$
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision$"
 __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
@ -40,6 +37,7 @@ protocol = [
 ["stop", "stops all jails and terminate the server"], 
 ["status", "gets the current status of the server"], 
 ["ping", "tests if the server is alive"], 
 ["help", "return this output"], 
 ['', "LOGGING", ""],
 ["set loglevel <LEVEL>", "sets logging level to <LEVEL>. 0 is minimal, 4 is debug"], 
 ["get loglevel", "gets the logging level"], 
@ -64,6 +62,7 @@ protocol = [
 ["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"], 
 ["set <JAIL> usedns <VALUE>", "sets the usedns mode for <JAIL>"],
 ["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"], 
 ["set <JAIL> unbanip <IP>", "manually Unban <IP> in <JAIL>"], 
 ["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"], 
 ["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"], 
 ["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"], 
@ -89,6 +88,7 @@ protocol = [
 ["get <JAIL> actioncheck <ACT>", "gets the check command for the action <ACT> for <JAIL>"],
 ["get <JAIL> actionban <ACT>", "gets the ban command for the action <ACT> for <JAIL>"],
 ["get <JAIL> actionunban <ACT>", "gets the unban command for the action <ACT> for <JAIL>"],
 ["get <JAIL> cinfo <ACT> <KEY>", "gets the value for <KEY> for the action <ACT> for <JAIL>"],
 ]
 ##
--- a/common/version.py
+++ b/common/version.py
@ -18,11 +18,10 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 # Author: Cyril Jaquier
-# 
+#
 # $Revision$
-__author__ = "Cyril Jaquier"
+__author__ = "Cyril Jaquier, Yaroslav Halchenko"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Yaroslav Halchenko"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
-version = "0.8.7.1"
+version = "0.8.10.dev"
--- a/config/action.d/bsd-ipfw.conf
+++ b/config/action.d/bsd-ipfw.conf
@ -0,0 +1,83 @@
 # Fail2Ban configuration file
 #
 # Author: Nick Munger
 # Modified by: Ken Menzel
 #              Daniel Black (start/stop)
 #              Fabian Wenk (many ideas as per fail2ban users list)
 #
 # Ensure firewall_enable="YES" in the top of /etc/rc.conf
 #
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop =  [ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 # requires an ipfw rule like "deny ip from table(1) to me"
 actionban = ipfw table <table> add <ip>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = ipfw table <table> delete <ip>
 [Init]
 # Option:  table
 # Notes:   The ipfw table to use. If a ipfw rule using this table already exists,
 #          this action will not create a ipfw rule to block it and the following
 #          options will have no effect.
 # Values:  NUM
 table = 1
 # Option:  port
 # Notes.:  Specifies port to monitor. Blank indicate block all ports.
 # Values:  [ NUM | STRING ]
 #
 port = 
 # Option:  startstatefile
 # Notes:   A file to indicate that the table rule that was added. Ensure it is unique per table.
 # Values:  STRING
 startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
 # Option: block
 # Notes:  This is how much to block.
 #         Can be "ip", "tcp", "udp" or various other options.
 # Values: STRING
 block = ip
 # Option:  blocktype
 # Notes.:  How to block the traffic. Use a action from man 5 ipfw
 #          Common values: deny, unreach port, reset
 #          ACTION defination at the top of man ipfw for allowed values.
 # Values:  STRING
 #
 blocktype = unreach port
--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@ -52,24 +52,19 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <failtime>  unix timestamp of the last failure
 #          <bantime>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
 	    IP=<ip>
            if [ ! -z "$ADDRESSES" ]; then
-                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '<ip>' <logpath>) | <mailcmd> "Abuse from <ip>" $ADDRESSES <mailargs>
+                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '<ip>' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
            fi
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <bantime>  unix timestamp of the ban time
 #          <unbantime>  unix timestamp of the unban time
 # Values:  CMD
 #
 actionunban =
--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
@ -25,7 +25,6 @@
 # configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
 # configure how often the buffer is flushed).
 #
 # $Revision$
 [Definition]
@ -40,7 +39,7 @@ actionstart =
 # Values:  CMD
 #
 actionstop = if [ -f <tmpfile>.buffer ]; then
-                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <dest> <mailargs>
+                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
                 date +%%s > <tmpfile>.lastsent
             fi
             rm -f <tmpfile>.buffer <tmpfile>.first
@ -54,9 +53,7 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 # See http://www.dshield.org/specs.html for more on report format/notes
@ -83,7 +80,7 @@ actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
            if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
-                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <dest> <mailargs>
+                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
                rm -f <tmpfile>.buffer <tmpfile>.first
                echo $NOW > <tmpfile>.lastsent
            fi
@ -91,16 +88,14 @@ actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = if [ -f <tmpfile>.first ]; then
                  NOW=`date +%%s`
                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))
                  if [ $LOGAGE -gt <maxbufferage> ]; then
-                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <dest> <mailargs>
+                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
                      rm -f <tmpfile>.buffer <tmpfile>.first
                      echo $NOW > <tmpfile>.lastsent
                  fi
@ -116,7 +111,7 @@ actionunban = if [ -f <tmpfile>.first ]; then
 port = ???
 # Option:  userid
-# Notes.:  Your DSheild user ID. Should be provided either in the jail config or
+# Notes.:  Your DShield user ID. Should be provided either in the jail config or
 #          in a .local file.
 #          Register at https://secure.dshield.org/register.html
 # Values:  [ NUM ]  Default: 0
@ -124,13 +119,13 @@ port = ???
 userid = 0
 # Option:  myip
-# Notes.:  TThe target IP for the attack (your public IP). Should be provided
+# Notes.:  The target IP for the attack (your public IP). Should be provided
 #          either in the jail config or in a .local file unless your PUBLIC IP
 #          is the first IP assigned to eth0
 # Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
 #          which in most cases will be a private IP, and therefore incorrect
 #
-myip = `ip -4 addr show dev eth0 | grep inet | head -1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
 # Option:  protocol
 # Notes.:  The protocol over which the attack is happening
@ -159,7 +154,6 @@ minreportinterval = 3600
 #          submit the batch, even if we haven't reached <lines> yet. Note that
 #          this is only checked on each ban/unban, and that we always send
 #          anything in the buffer on shutdown. Must be greater than
 #          <minreportinterval>.
 # Values:  [ NUM ]  Default: 21600 (6 hours)
 #
 maxbufferage = 21600
--- a/config/action.d/dummy.conf
+++ b/config/action.d/dummy.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [Definition]
@ -11,14 +10,14 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = touch /tmp/fail2ban.dummy
+actionstart = touch /var/run/fail2ban/fail2ban.dummy
-              printf %%b "<init>\n" >> /tmp/fail2ban.dummy
+              printf %%b "<init>\n" >> /var/run/fail2ban/fail2ban.dummy
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = rm -f /tmp/fail2ban.dummy
+actionstop = rm -f /var/run/fail2ban/fail2ban.dummy
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -29,22 +28,18 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = printf %%b "+<ip>\n" >> /tmp/fail2ban.dummy
+actionban = printf %%b "+<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = printf %%b "-<ip>\n" >> /tmp/fail2ban.dummy
+actionunban = printf %%b "-<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
 [Init]
--- a/config/action.d/hostsdeny.conf
+++ b/config/action.d/hostsdeny.conf
@ -1,8 +1,8 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
 # Edited for cross platform by: James Stout, Yaroslav Halchenko and Daniel Black
 #
 # $Revision$
 #
 [Definition]
@ -28,23 +28,19 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = IP=<ip> &&
-            printf %%b "ALL: $IP\n" >> <file>
+            printf %%b "<daemon_list>: $IP\n" >> <file>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
+actionunban = echo "/^<daemon_list>: <ip>$/<br>d<br>w<br>q" | ed <file>
 [Init]
@ -53,3 +49,9 @@ actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
 # Values:  STR  Default:  /etc/hosts.deny
 #
 file = /etc/hosts.deny
 # Option:  daemon_list
 # Notes:   The list of services that this action will deny. See the man page
 #          for hosts.deny/hosts_access. Default is all services.
 # Values:  STR  Default: ALL
 daemon_list = ALL
--- a/config/action.d/ipfilter.conf
+++ b/config/action.d/ipfilter.conf
@ -34,24 +34,25 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
+actionban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -f -
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 # note -r option used to remove matching rule
-actionunban = echo block in quick from <ip>/32 | /sbin/ipf -r -f -
+actionunban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -r -f -
 [Init]
 # Option: Blocktype
 # Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
 #         Shell expansion. This should be blank (unquoted) to drop the packet.
 # Values: STRING
 blocktype = "return-icmp(port-unr)"
--- a/config/action.d/ipfw.conf
+++ b/config/action.d/ipfw.conf
@ -3,7 +3,6 @@
 # Author: Nick Munger
 # Modified by: Cyril Jaquier
 #
 # $Revision$
 #
 [Definition]
@ -32,20 +31,16 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = ipfw add deny tcp from <ip> to <localhost> <port>
+actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
@ -63,3 +58,11 @@ port = ssh
 # Values:  IP
 #
 localhost = 127.0.0.1
 # Option:  blocktype
 # Notes.:  How to block the traffic. Use a action from man 5 ipfw
 #          Common values: deny, unreach port, reset
 # Values:  STRING
 #
 blocktype = unreach port
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@ -4,9 +4,13 @@
 # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
 # 			made active on all ports from original iptables.conf
 #
 # $Revision$
 #
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
@ -34,26 +38,22 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/iptables-blocktype.conf
+++ b/config/action.d/iptables-blocktype.conf
@ -0,0 +1,22 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
 #
 # This is a included configuration file and includes the defination for the blocktype
 # used in all iptables based actions by default.
 #
 # The user can override the default in iptables-blocktype.local
 [INCLUDES]
 after = iptables-blocktype.local
 [Init]
 # Option:  blocktype
 # Note:    This is what the action does with rules. This can be any jump target
 #          as per the iptables man page (section 8). Common values are DROP
 #          REJECT, REJECT --reject-with icmp-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp-port-unreachable
--- a/config/action.d/iptables-ipset-proto4.conf
+++ b/config/action.d/iptables-ipset-proto4.conf
@ -0,0 +1,74 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
 #
 # This is for ipset protocol 4 (ipset v4.2). If you have a later version
 # of ipset try to use the iptables-ipset-proto6.conf as it does some things
 # nicer.
 # 
 # This requires the program ipset which is normally in package called ipset.
 #
 # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
 #
 # If you are running on an older kernel you make need to patch in external
 # modules.
 #
 # On Debian machines this can be done with:
 #
 # apt-get install ipset xtables-addons-source 
 # module-assistant auto-install xtables-addons
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = ipset --create fail2ban-<name> iphash
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
             ipset --flush fail2ban-<name>
             ipset --destroy fail2ban-<name>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = ipset --test fail2ban-<name> <ip> ||  ipset --add fail2ban-<name> <ip>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = ipset --test fail2ban-<name> <ip> && ipset --del fail2ban-<name> <ip>
 [Init]
 # Default name of the ipset
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default: ssh
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf
@ -0,0 +1,81 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
 #
 # This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
 # Use ipset -V to see the protocol and version. Version 4 should use
 # iptables-ipset-proto4.conf.
 #
 # This requires the program ipset which is normally in package called ipset.
 #
 # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
 #
 # If you are running on an older kernel you make need to patch in external
 # modules.
 #
 # On Debian machines this can be done with:
 #
 # apt-get install ipset xtables-addons-source 
 # module-assistant auto-install xtables-addons
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
             ipset flush fail2ban-<name>
             ipset destroy fail2ban-<name>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = ipset del fail2ban-<name> <ip> -exist
 [Init]
 # Default name of the ipset
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default: ssh
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option: bantime
 # Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values:  [ NUM ]  Default: 600
 bantime = 600
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@ -7,9 +7,12 @@
 # make "fail2ban-<name>-log" chain to log and drop
 # insert a jump to fail2ban-<name> from -I <chain> if proto/port match
 #
 # $Revision$
 #
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
@ -21,7 +24,7 @@ actionstart = iptables -N fail2ban-<name>
              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              iptables -N fail2ban-<name>-log
              iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
-              iptables -A fail2ban-<name>-log -j DROP
+              iptables -A fail2ban-<name>-log -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -42,9 +45,7 @@ actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
@ -52,16 +53,14 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@ -2,9 +2,12 @@
 #
 # Author: Cyril Jaquier
 # Modified by Yaroslav Halchenko for multiport banning
 # $Revision$
 #
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
@ -32,26 +35,22 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@ -4,9 +4,13 @@
 # Copied from iptables.conf and modified by Yaroslav Halchenko 
 #  to fullfill the needs of bugreporter dbts#350746.
 #
 # $Revision$
 #
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
@ -34,26 +38,22 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/iptables-xt_recent-echo.conf
+++ b/config/action.d/iptables-xt_recent-echo.conf
@ -2,16 +2,20 @@
 #
 # Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
 #
 # $Revision: 1 $
 #
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-# Changing iptables rules requires root priviledges. If fail2ban is
+# Changing iptables rules requires root privileges. If fail2ban is
 # configured to run as root, firewall setup can be performed by
 # fail2ban automatically. However, if fail2ban is configured to run as
 # a normal user, the configuration must be done by some other means
@ -29,7 +33,7 @@
 #    own rules. The 3600 second timeout is independent and acts as a
 #    safeguard in case the fail2ban process dies unexpectedly. The
 #    shorter of the two timeouts actually matters.
-actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
+actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -46,9 +50,7 @@ actioncheck = test -e /proc/net/xt_recent/fail2ban-<name>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = echo +<ip> > /proc/net/xt_recent/fail2ban-<name>
@ -56,16 +58,14 @@ actionban = echo +<ip> > /proc/net/xt_recent/fail2ban-<name>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = echo -<ip> > /proc/net/xt_recent/fail2ban-<name>
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@ -2,9 +2,12 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 before = iptables-blocktype.conf
 [Definition]
 # Option:  actionstart
@ -32,26 +35,22 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [Definition]
@ -15,7 +14,7 @@ actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Output will be buffered until <lines> lines are available.\n
              Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -26,13 +25,13 @@ actionstop = if [ -f <tmpfile> ]; then
                 These hosts have been banned by Fail2Ban.\n
                 `cat <tmpfile>`
                 Regards,\n
-                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
+                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
                 rm <tmpfile>
             fi
             printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -43,9 +42,7 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
@ -62,9 +59,7 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = 
--- a/config/action.d/mail-whois-lines.conf
+++ b/config/action.d/mail-whois-lines.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 # Modified-By: Yaroslav Halchenko to include grepping on IP over log files
 # $Revision$
 #
 [Definition]
@ -14,7 +13,7 @@
 actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -23,7 +22,7 @@ actionstart = printf %%b "Hi,\n
 actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -34,10 +33,7 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <failtime>  unix timestamp of the last failure
 #          <bantime>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = printf %%b "Hi,\n
@ -48,21 +44,19 @@ actionban = printf %%b "Hi,\n
            Lines containing IP:<ip> in <logpath>\n
            `grep '\<<ip>\>' <logpath>`\n\n
            Regards,\n
-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from  `uname -n`" <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <bantime>  unix timestamp of the ban time
 #          <unbantime>  unix timestamp of the unban time
 # Values:  CMD
 #
 actionunban = 
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/mail-whois.conf
+++ b/config/action.d/mail-whois.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [Definition]
@ -14,7 +13,7 @@
 actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -23,7 +22,7 @@ actionstart = printf %%b "Hi,\n
 actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -34,9 +33,7 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = printf %%b "Hi,\n
@ -45,21 +42,19 @@ actionban = printf %%b "Hi,\n
            Here are more information about <ip>:\n
            `whois <ip>`\n
            Regards,\n
-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = 
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/mail.conf
+++ b/config/action.d/mail.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [Definition]
@ -14,7 +13,7 @@
 actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
-              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on `uname -n`" <dest>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@ -23,7 +22,7 @@ actionstart = printf %%b "Hi,\n
 actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
-             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@ -34,30 +33,26 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
-            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = 
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
--- a/config/action.d/mynetwatchman.conf
+++ b/config/action.d/mynetwatchman.conf
@ -24,7 +24,6 @@
 # Another useful configuration value is <getcmd>, if you don't have wget
 # installed (an example config for curl is given below)
 #
 # $Revision$
 [Definition]
@ -49,9 +48,7 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 #
@ -71,9 +68,7 @@ actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",or
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban =
@ -102,13 +97,13 @@ mnwlogin =
 mnwpass =
 # Option:  myip
-# Notes.:  TThe target IP for the attack (your public IP). Should be overridden
+# Notes.:  The target IP for the attack (your public IP). Should be overridden
 #          either in the jail config or in a .local file unless your PUBLIC IP
 #          is the first IP assigned to eth0
 # Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
 #          which in most cases will be a private IP, and therefore incorrect
 #
-myip = `ip -4 addr show dev eth0 | grep inet | head -1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
 # Option:  protocol
 # Notes.:  The protocol over which the attack is happening
--- a/config/action.d/osx-ipfw.conf
+++ b/config/action.d/osx-ipfw.conf
@ -0,0 +1,87 @@
 # Fail2Ban configuration file
 #
 # Author: Nick Munger
 # Modified by: Andy Fragen and Daniel Black
 #
 # Mod for OS X, using random rulenum as OSX ipfw doesn't include tables
 #
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    <ip>  IP address
 # Values:  CMD
 #
 actionban = ipfw add <rulenum> set <setnum> <blocktype> log <block> from <ip> to <dst> <port>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    <ip>  IP address
 # Values:  CMD
 #
 actionunban = ipfw delete `ipfw -S list | grep -i 'set <setnum> <blocktype> log <block> from <ip> to <dst>' | awk '{print $1;}'`
 [Init]
 # Option:  port
 # Notes.:  specifies port to block. Can be blank however may require block="ip"
 # Values:  [ NUM | STRING ]
 #
 port = ssh
 # Option:  dst
 # Notes.:  the local IP address of the network interface
 # Values:  IP, any, me or anything support by ipfw as a dst
 #
 dst = me
 # Option: block
 # Notes:  This is how much to block.
 #         Can be "ip", "tcp", "udp" or various other options.
 # Values: STRING
 block = tcp
 # Option:  blocktype
 # Notes.:  How to block the traffic. Use a action from man 8 ipfw
 #          Common values: deny, unreach port, reset
 # Values:  STRING
 #
 blocktype = unreach port
 # Option:  set number
 # Notes.:  The ipset number this is added to.
 # Values:  0-31
 setnum = 10
 # Option:  number for ipfw rule
 # Notes:   This is meant to be automaticly generated and not overwritten
 # Values:  Random value between 10000 and 12000
 rulenum="`echo $((RANDOM%%2000+10000))`"
 # Duplicate prevention mechanism
 #rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`"
--- a/config/action.d/pf.conf
+++ b/config/action.d/pf.conf
@ -0,0 +1,62 @@
 # Fail2Ban configuration file
 #
 # OpenBSD pf ban/unban
 #
 # Author: Nick Hilliard <nick@foobar.org>
 #
 #
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 # we don't enable PF automatically, as it will be enabled elsewhere
 actionstart = 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 # we don't disable PF automatically either
 actionstop = 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    <ip>  IP address
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    <ip>  IP address
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 # note -r option used to remove matching rule
 actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
 [Init]
 # Option:  tablename
 # Notes.:  The pf table name.
 # Values:  [ STRING ]  Default: fail2ban
 #
 tablename = fail2ban
--- a/config/action.d/route.conf
+++ b/config/action.d/route.conf
@ -0,0 +1,26 @@
 # Fail2Ban configuration file
 #
 # Author: Michael Gebetsroither
 #
 # This is for blocking whole hosts through blackhole routes.
 #
 # PRO:
 #   - Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further).
 #   - It's FAST for very large numbers of blocked ips.
 #   - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering.
 #   - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts.
 #   - No additional software required beside iproute/iproute2
 #
 # CON:
 #   - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
 [Definition]
 actionban   = ip route add <blocktype> <ip>
 actionunban = ip route del <blocktype> <ip>
 [Init]
 # Option:  blocktype
 # Note:    Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
 # Values:  STRING
 blocktype = unreachable
--- a/config/action.d/sendmail-buffered.conf
+++ b/config/action.d/sendmail-buffered.conf
@ -2,17 +2,20 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 before = sendmail-common.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
-              From: Fail2Ban <<sender>>
+              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
@ -25,8 +28,8 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
 # Values:  CMD
 #
 actionstop = if [ -f <tmpfile> ]; then
-                 printf %%b "Subject: [Fail2Ban] <name>: summary
+                 printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
-                 From: Fail2Ban <<sender>>
+                 From: <sendername> <<sender>>
                 To: <dest>\n
                 Hi,\n
                 These hosts have been banned by Fail2Ban.\n
@ -35,7 +38,7 @@ actionstop = if [ -f <tmpfile> ]; then
                 Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
                 rm <tmpfile>
             fi
-             printf %%b "Subject: [Fail2Ban] <name>: stopped
+             printf %%b "Subject: [Fail2Ban] <name>: stopped  on `uname -n`
             From: Fail2Ban <<sender>>
             To: <dest>\n
             Hi,\n
@ -52,16 +55,14 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
            LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
            if [ $LINE -ge <lines> ]; then
-                printf %%b "Subject: [Fail2Ban] <name>: summary
+                printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
-                From: Fail2Ban <<sender>>
+                From: <sendername> <<sender>>
                To: <dest>\n
                Hi,\n
                These hosts have been banned by Fail2Ban.\n
@ -74,27 +75,17 @@ actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = 
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
 # Destination/Addressee of the mail
 #
 dest = root
 # Sender of the mail
 #
 sender = fail2ban
 # Default number of lines that are buffered
 #
 lines = 5
--- a/config/action.d/sendmail-common.conf
+++ b/config/action.d/sendmail-common.conf
@ -0,0 +1,23 @@
 # Fail2Ban configuration file
 #
 # Common settings for sendmail actions
 #
 # Users can override the defaults in sendmail-common.local
 [INCLUDES]
 after = sendmail-common.local
 [Init]
 # Recipient mail address
 #
 dest = root
 # Sender mail address
 #
 sender = fail2ban
 # Sender display name
 #
 sendername = Fail2Ban
--- a/config/action.d/sendmail-whois-lines.conf
+++ b/config/action.d/sendmail-whois-lines.conf
@ -2,18 +2,21 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 before = sendmail-common.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
-              Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-              From: Fail2Ban <<sender>>
+              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
@ -24,9 +27,9 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
-             Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-             From: Fail2Ban <<sender>>
+             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
@ -42,14 +45,12 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-            From: Fail2Ban <<sender>>
+            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
@ -57,34 +58,24 @@ actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
            Here are more information about <ip>:\n
            `/usr/bin/whois <ip>`\n\n
            Lines containing IP:<ip> in <logpath>\n
-            `/bin/grep '\<<ip>\>' <logpath>`\n\n
+            `grep '\<<ip>\>' <logpath>`\n\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = 
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
 # Destination/Addressee of the mail
 #
 dest = root
 # Sender of the mail
 #
 sender = fail2ban
 # Path to the log files which contain relevant lines for the abuser IP
 #
 logpath = /dev/null
--- a/config/action.d/sendmail-whois.conf
+++ b/config/action.d/sendmail-whois.conf
@ -2,18 +2,21 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 before = sendmail-common.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
-              Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-              From: Fail2Ban <<sender>>
+              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
@ -24,9 +27,9 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
-             Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-             From: Fail2Ban <<sender>>
+             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
@ -42,14 +45,12 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-            From: Fail2Ban <<sender>>
+            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
@ -62,24 +63,14 @@ actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = 
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
 # Destination/Addressee of the mail
 #
 dest = root
 # Sender of the mail
 #
 sender = fail2ban
--- a/config/action.d/sendmail.conf
+++ b/config/action.d/sendmail.conf
@ -2,18 +2,21 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 before = sendmail-common.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
-              Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-              From: Fail2Ban <<sender>>
+              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
@ -24,9 +27,9 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
-             Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-             From: Fail2Ban <<sender>>
+             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
@ -42,14 +45,12 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
-            From: Fail2Ban <<sender>>
+            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
@ -60,24 +61,14 @@ actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = 
 [Init]
-# Defaut name of the chain
+# Default name of the chain
 #
 name = default
 # Destination/Addressee of the mail
 #
 dest = root
 # Sender of the mail
 #
 sender = fail2ban
--- a/config/action.d/shorewall.conf
+++ b/config/action.d/shorewall.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 # The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
 # file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
@ -36,19 +35,23 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = shorewall drop <ip>
+actionban = shorewall <blocktype> <ip>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
+# Tags:    See jail.conf(5) man page
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = shorewall allow <ip>
 [Init]
 # Option:  blocktype
 # Note:    This is what the action does with rules.
 #          See man page of shorewall for options that include drop, logdrop, reject, or logreject
 # Values:  STRING
 blocktype = reject
--- a/config/fail2ban.conf
+++ b/config/fail2ban.conf
@ -1,6 +1,6 @@
 # Fail2Ban main configuration file
 #
-# Comments: use '#' for comment lines and ';' for inline comments
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
 #
 # Changes:  in most of the cases you should not modify this
 #           file, but provide customizations in fail2ban.local file, e.g.:
@ -24,6 +24,10 @@ loglevel = 3
 # Option:  logtarget
 # Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
 #          Only one log target can be specified.
 #          If you change logtarget from the default value and you are
 #          using logrotate -- also adjust or disable rotation in the
 #          corresponding configuration file
 #          (e.g. /etc/logrotate.d/fail2ban on Debian systems)
 # Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
 #
 logtarget = /var/log/fail2ban.log
@ -36,3 +40,10 @@ logtarget = /var/log/fail2ban.log
 #
 socket = /var/run/fail2ban/fail2ban.sock
 # Option: pidfile
 # Notes.: Set the PID file. This is used to store the process ID of the
 #         fail2ban server.
 # Values: FILE  Default:  /var/run/fail2ban/fail2ban.pid
 #
 pidfile = /var/run/fail2ban/fail2ban.pid
--- a/config/filter.d/3proxy.conf
+++ b/config/filter.d/3proxy.conf
@ -0,0 +1,18 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
 #
 # Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
 #
 [Definition]
 # Option:  failregex
 # Notes.:  http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
 #          all authentication problems (%E field)
 #          Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
 # Values:  TEXT
 #
 failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
 ignoreregex = 
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@ -2,21 +2,52 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = apache-common.conf
 [Definition]
-# Option:  failregex
+# This filter matches the authorization failures of Apache. It takes the log messages
-# Notes.:  regex to match the password failure messages in the logfile. The
+# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
-#          host must be matched by a group named "host". The tag "<HOST>" can
+# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] user .* authentication failure
+# An unauthorized response 401 is the first step for a browser to instigate authentication
-            [[]client <HOST>[]] user .* not found
+# however apache doesn't log this as an error. Only subsequent errors are logged in the 
-            [[]client <HOST>[]] user .* password mismatch
+# error log.
 #
 # Source:
 #
 # By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
 # for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
 # all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
 # to return the actual failure.
 #
 # See also: http://wiki.apache.org/httpd/ListOfErrors
 # Expressions that don't have tests and aren't common.
 # more be added with  https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 
 #     ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
 #     ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
 #     ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
 #
 failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
            ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
            ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/apache-badbots.conf
+++ b/config/filter.d/apache-badbots.conf
@ -5,7 +5,6 @@
 #
 # Author: Yaroslav Halchenko
 #
 # $Revision$
 #
 [Definition]
@ -16,7 +15,7 @@ badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|Da
 # Option:  failregex
 # Notes.:  Regexp to catch known spambots and software alike. Please verify
 #          that it is your intent to block IPs which were driven by
-#          abovementioned bots.
+#          above mentioned bots.
 # Values:  TEXT
 #
 failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
--- a/config/filter.d/apache-common.conf
+++ b/config/filter.d/apache-common.conf
@ -0,0 +1,21 @@
 # Generic configuration items (to be used as interpolations) in other
 # apache filters
 #
 # Author: Yaroslav Halchenko
 #
 #
 [INCLUDES]
 # Load customizations if any available
 after = apache-common.local
 [DEFAULT]
 # Common prefix for [error] apache messages which also would include <HOST>
 # Depending on the version it could be
 # 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
 # 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
 # Reference: https://github.com/fail2ban/fail2ban/issues/268
 _apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
--- a/config/filter.d/apache-nohome.conf
+++ b/config/filter.d/apache-nohome.conf
@ -2,9 +2,14 @@
 #
 # Author: Yaroslav O. Halchenko <debian@onerussian.com>
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = apache-common.conf
 [Definition]
 # Option:  failregex
@ -14,7 +19,7 @@
 #          per-domain log files.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/apache-noscript.conf
+++ b/config/filter.d/apache-noscript.conf
@ -2,9 +2,14 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = apache-common.conf
 [Definition]
 # Option:  failregex
@ -14,8 +19,8 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
+failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
-            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
+            ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/apache-overflows.conf
+++ b/config/filter.d/apache-overflows.conf
@ -2,16 +2,21 @@
 #
 # Author: Tim Connors
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = apache-common.conf
 [Definition]
 # Option:  failregex
 # Notes.:  Regexp to catch Apache overflow attempts.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/assp.conf
+++ b/config/filter.d/assp.conf
@ -0,0 +1,33 @@
 # Fail2Ban configuration file
 # for Anti-Spam SMTP Proxy Server also known as ASSP
 #    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
 #    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
 #
 # Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
 #
 [Definition] 
 # Option:  failregex
 # Notes.:  regex to match the SMTP failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
 # Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
 #           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
 #           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
 __assp_actions = (?:dropping|refusing)
 failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
 			^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
 			^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@ -2,7 +2,6 @@
 #
 # Author: Xavier Devlamynck
 #
 # $Revision$
 #
@ -15,25 +14,30 @@ before = common.conf
 [Definition]
 # Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
+# Notes.:  regex to match the password failures messages in the logfile.
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
-failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Wrong password$
+log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - No matching peer found$
+
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch$
+failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL$
+            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register$
+            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)$
+            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
-            NOTICE%(__pid_re)s <HOST> failed to authenticate as '.*'$
+            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
-            NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from <HOST>\)$
+            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
-            NOTICE%(__pid_re)s .*: Host <HOST> failed MD5 authentication for '.*' (.*)$
+            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
-            NOTICE%(__pid_re)s .*: Failed to authenticate user .*@<HOST>.*$
+            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@ -3,7 +3,6 @@
 #
 # Author: Yaroslav Halchenko
 #
 # $Revision$
 #
 [INCLUDES]
@ -28,9 +27,13 @@ __pid_re = (?:\[\d+\])
 # EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
 __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
 # extra daemon info
 # EXAMPLE: [ID 800047 auth.info]
 __daemon_extra_re = (?:\[ID \d+ \S+\])
 # Combinations of daemon name and PID
 # EXAMPLES: sshd[31607], pop(pam_unix)[4920]
-__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
 # Some messages have a kernel prefix with a timestamp
 # EXAMPLES: kernel: [769570.846956]
@ -38,10 +41,16 @@ __kernel_prefix = kernel: \[\d+\.\d+\]
 __hostname = \S+
 # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
 # <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
 __bsd_syslog_verbose = (<[^.]+\.[^.]+>)
 #
 # Common line prefixes (beginnings) which could be used in filters
 #
-#       [hostname] [vserver tag] daemon_id spaces
+#      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
-# this can be optional (for instance if we match named native log files)
+#
-__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
+# This can be optional (for instance if we match named native log files)
 __prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
--- a/config/filter.d/courierlogin.conf
+++ b/config/filter.d/courierlogin.conf
@ -3,11 +3,19 @@
 # Author: Christoph Haas
 # Modified by: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@ -15,7 +23,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
+failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/couriersmtp.conf
+++ b/config/filter.d/couriersmtp.conf
@ -2,11 +2,19 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = courieresmtpd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@ -14,7 +22,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = error,relay=<HOST>,.*550 User unknown
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@ -2,11 +2,19 @@
 #
 # Author: Jan Wagner <waja@cyconet.org>
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = (?:cyrus/)?(?:imapd?|pop3d?)
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@ -14,10 +22,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
 	    : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
 	    : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
 	    : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@ -1,20 +1,23 @@
-# Fail2Ban configuration file for dovcot
+# Fail2Ban configuration file for dovecot
 #
 # Author: Martin Waschbuesch
-#
+#         Daniel Black (rewrote with begin and end anchors)
-# $Revision$
+
-#
+[INCLUDES]
 before = common.conf
 [Definition]
 _daemon = dovecot(-auth)?
 # Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
+# Notes.:  regex to match the password failures messages in the logfile.
-#          host must be matched by a group named "host". The tag "<HOST>" can
+#          first regex is essentially a copy of pam-generic.conf
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
+failregex = ^%(__prefix_line)s(pam_unix(\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@ -3,7 +3,6 @@
 # Author: Francis Russell
 #         Zak B. Elep
 #
 # $Revision$
 #
 # More information: http://bugs.debian.org/546913
@ -28,8 +27,9 @@ _daemon = dropbear
 # These match the unmodified dropbear messages. It isn't possible to
 # match the source of the 'exit before auth' messages from dropbear.
 #
-failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
+failregex = ^%(__prefix_line)s(L|l)ogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
-            ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$
+            ^%(__prefix_line)s(B|b)ad password attempt for .+ from <HOST>:.*\s*$
            ^%(__prefix_line)sExit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
 # The only line we need to match with the modified dropbear.
--- a/config/filter.d/exim-common.conf
+++ b/config/filter.d/exim-common.conf
@ -0,0 +1,17 @@
 # Fail2Ban configuration file for exim
 #
 # Author:  Daniel Black
 #
 [INCLUDES]
 # Load customizations if any available
 #
 after = exim-common.local
 [Definition]
 # From exim source code: ./src/receive.c:add_host_info_for_log
 host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
 pid = ( \[\d+\])?
--- a/config/filter.d/exim-spam.conf
+++ b/config/filter.d/exim-spam.conf
@ -0,0 +1,29 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
 #         Daniel Black (rewrote with strong regexs)
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # exim-common.local
 before = exim-common.conf
 [Definition]
 # Option:  failregex
 # Notes.:  This includes the spam rejection messages of exim.
 #          Note the %(host_info) defination contains a <HOST> match
 failregex =  ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
             ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@ -1,20 +1,29 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
 #         Daniel Black (rewrote with strong regexs)
 #
-# $Revision$
+
-#
+
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # exim-common.local
 before = exim-common.conf
 [Definition]
 # Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
+# Notes.:  This includes the rejection messages of exim. For spam and filter
-#          host must be matched by a group named "host". The tag "<HOST>" can
+#          related bans use the exim-spam.conf
-#          be used for standard IP/hostname matching and is only an alias for
+#          Note the %(host_info) defination contains a <HOST> match
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+
-# Values:  TEXT
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
-#
+             ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
-failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
+             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
             ^%(pid)s SMTP protocol synchronization error \(.*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/gssftpd.conf
+++ b/config/filter.d/gssftpd.conf
@ -1,20 +1,18 @@
-# Fail2Ban configuration file for wuftpd
+# Fail2Ban configuration file for gssftp
 #
-# Author: Kevin Zembower (copied from wsftpd.conf)
+# Author: Kevin Zembower
 # Edited: Daniel Black - syslog based daemon
 #
-# $Revision$
+# Note: gssftp is part of the krb5-appl-servers in Fedora
 #
 [INCLUDES]
 before = common.conf
 [Definition]
-# Option: failregex
+_daemon = ftpd
-# Notes.: regex to match the password failures messages in the logfile.
+
-# Values: TEXT
+failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
 #
 failregex = ftpd(?:\[\d+\])?:\s+repeated login failures from <HOST> \(\S+\)$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
--- a/config/filter.d/lighttpd-auth.conf
+++ b/config/filter.d/lighttpd-auth.conf
@ -9,7 +9,7 @@
 # Notes.:  regex to match wrong passwords as notified by lighttpd's auth Module
 # Values:  TEXT
 #
-failregex = .*http_auth.*(password doesn\'t match|wrong password).*IP: <HOST>\s*$
+failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/mysqld-auth.conf
+++ b/config/filter.d/mysqld-auth.conf
@ -0,0 +1,32 @@
 # Fail2Ban configuration file for unsuccesfull MySQL authentication attempts
 #
 # Authors: Artur Penttinen
 #          Yaroslav O. Halchenko
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = mysqld
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
 #
 failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
--- a/config/filter.d/named-refused.conf
+++ b/config/filter.d/named-refused.conf
@ -4,7 +4,6 @@
 #
 # Author: Yaroslav Halchenko
 #
 # $Revision$
 #
 [Definition]
@ -22,14 +21,11 @@ __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)
 # this can be optional (for instance if we match named native log files)
 __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
 failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
-# Option:  ignoreregex
+# note - (\.\d+)? is a really ugly catch of the microseconds not captured in
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# in the date detector
 # Values:  TEXT
 #
-ignoreregex = 
+failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
--- a/config/filter.d/pam-generic.conf
+++ b/config/filter.d/pam-generic.conf
@ -2,8 +2,10 @@
 #
 # Author: Yaroslav Halchenko
 #
 # $Revision$
 #
 [INCLUDES]
 before = common.conf
 [Definition]
@ -12,17 +14,19 @@
 # To catch all failed logins
 _ttys_re=\S*
 #
 # Shortcuts for easier comprehension of the failregex
 __pid_re=(?:\[\d+\])
 __pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
-__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+_daemon = \S+
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
-failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
 # for linux-pam before 0.99.2.0 (late 2005)
 # _daemon = \S*\(?pam_unix\)?
 # failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/perdition.conf
+++ b/config/filter.d/perdition.conf
@ -0,0 +1,16 @@
 # Fail2Ban configuration file
 #
 # Author: Christophe Carles and Daniel Black
 #
 #
 [INCLUDES]
 before = common.conf
 [Definition]
 _daemon=perdition.\S+
 failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
            ^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@ -2,11 +2,19 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = postfix/smtpd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@ -14,7 +22,9 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = reject: RCPT from (.*)\[<HOST>\]: 554
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@ -1,26 +1,22 @@
 # Fail2Ban configuration file
 #
 # Author: Yaroslav Halchenko
 #         Daniel Black - hardening of regex
 #
-# $Revision$
+
-#
+[INCLUDES]
 before = common.conf
 [Definition]
-# Option: failregex
+_daemon = proftpd
-# Notes.: regex to match the password failures messages in the logfile. The
+
-#          host must be matched by a group named "host". The tag "<HOST>" can
+__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
-#          be used for standard IP/hostname matching and is only an alias for
+
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
-# Values: TEXT
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
-#
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
-failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@ -3,7 +3,6 @@
 # Author: Cyril Jaquier
 # Modified: Yaroslav Halchenko for pure-ftpd
 #
 # $Revision$
 #
 [Definition]
--- a/config/filter.d/qmail.conf
+++ b/config/filter.d/qmail.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [Definition]
--- a/config/filter.d/recidive.conf
+++ b/config/filter.d/recidive.conf
@ -15,8 +15,18 @@
 # for most jails, and shorewall for this one).
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = fail2ban.actions
 # The name of the jail that this filter is used for. In jail.conf, name the 
 # jail using this filter 'recidive', or change this line!
 _jailname = recidive
@ -28,11 +38,11 @@ _jailname = recidive
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
-failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
+failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 # Ignore our own bans, to keep our counts exact.
-ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>
+ignoreregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>\s*$
--- a/config/filter.d/roundcube-auth.conf
+++ b/config/filter.d/roundcube-auth.conf
@ -0,0 +1,26 @@
 # Fail2Ban configuration file for roundcube web server
 #
 # Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
 #
 #
 [INCLUDES]
 before = common.conf
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
--- a/config/filter.d/sasl.conf
+++ b/config/filter.d/sasl.conf
@ -2,7 +2,6 @@
 #
 # Author: Yaroslav Halchenko
 #
 # $Revision$
 #
 [Definition]
--- a/config/filter.d/sieve.conf
+++ b/config/filter.d/sieve.conf
@ -2,18 +2,26 @@
 #
 # Author: Jan Wagner <waja@cyconet.org>
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _deamon = (?:cyrus/)?(?:tim)?sieved?
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching.
 # Values: TEXT
 #
-failregex = : badlogin: .*\[<HOST>\] (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/sogo-auth.conf
+++ b/config/filter.d/sogo-auth.conf
@ -0,0 +1,20 @@
 # /etc/fail2ban/filter.d/sogo-auth.conf
 #
 # Fail2Ban configuration file
 # By Arnd Brandes
 # SOGo
 #
 [Definition]
 # Option: failregex
 # Filter Ban in /var/log/sogo/sogo.log
 # Note: the error log may contain multiple hosts, whereas the first one 
 # is the client and all others are poxys. We match the first one, only
 failregex = Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex = 
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@ -2,11 +2,24 @@
 #
 # Author: Yaroslav Halchenko
 #
-# $Revision$
+# The regex here also relates to a exploit:
 #
 #  http://www.securityfocus.com/bid/17958/exploit
 #  The example code here shows the pushing of the exploit straight after
 #  reading the server version. This is where the client version string normally
 #  pushed. As such the server will read this unparsible information as
 #  "Did not receive identification string".
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = sshd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@ -14,7 +27,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
+failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [INCLUDES]
@ -23,16 +22,16 @@ _daemon = sshd
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
-            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
+            ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
-            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
-            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
 # Option:  ignoreregex
--- a/config/filter.d/lighttpd-fastcgi.conf
+++ b/config/filter.d/lighttpd-fastcgi.conf
@ -9,7 +9,8 @@
 # Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
 # Values:  TEXT
 #
-failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
 failregex = ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@ -2,7 +2,6 @@
 #
 # Author: Cyril Jaquier
 #
 # $Revision$
 #
 [Definition]
--- a/config/filter.d/webmin-auth.conf
+++ b/config/filter.d/webmin-auth.conf
@ -3,7 +3,6 @@
 # Author: Cyril Jaquier
 # Rule by : Delvit Guillaume
 #
 # $Revision$
 #
 [Definition]
@ -18,8 +17,8 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = webmin.* Non-existent login as .+ from <HOST>$
+failregex = webmin.* Non-existent login as .+ from <HOST>\s*$
-            webmin.* Invalid login as .+ from <HOST>$
+            webmin.* Invalid login as .+ from <HOST>\s*$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/wuftpd.conf
+++ b/config/filter.d/wuftpd.conf
@ -2,17 +2,23 @@
 #
 # Author: Yaroslav Halchenko
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = wu-ftpd
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
-failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$
+failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
            wu-ftpd(?:\[\d+\])?: *failed login from .*\[<HOST>\] *$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/xinetd-fail.conf
+++ b/config/filter.d/xinetd-fail.conf
@ -2,11 +2,19 @@
 #
 # Author: Guido Bozzetto
 #
 # $Revision$
 #
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = xinetd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@ -20,8 +28,8 @@
 # load => xinetd: max_load (temporary problem)
 #
-failregex = xinetd(?:\[\d{1,5}\])?: FAIL: \S+ address from=<HOST>$
+failregex = ^%(__prefix_line)sFAIL: \S+ address from=<HOST>$
-            xinetd(?:\[\d{1,5}\])?: FAIL: \S+ libwrap from=<HOST>$
+            ^%(__prefix_line)sFAIL: \S+ libwrap from=<HOST>$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/jail.conf
+++ b/config/jail.conf
@ -1,6 +1,6 @@
 # Fail2Ban jail specifications file
 #
-# Comments: use '#' for comment lines and ';' for inline comments
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
 #
 # Changes:  in most of the cases you should not modify this
 #           file, but provide customizations in jail.local file, e.g.:
@ -46,10 +46,10 @@ maxretry = 3
 backend = auto
 # "usedns" specifies if jails should trust hostnames in logs,
-#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
+#   warn when DNS lookups are performed, or ignore all hostnames in logs
 #
-# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
+# yes:   if a hostname is encountered, a DNS lookup will be performed.
-# warn:  if a hostname is encountered, a reverse DNS lookup will be performed, 
+# warn:  if a hostname is encountered, a DNS lookup will be performed,
 #        but it will be logged as a warning.
 # no:    if a hostname is encountered, will not be used for banning,
 #        but it will be logged as info.
@ -65,7 +65,7 @@ usedns = warn
 enabled  = false
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
-           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com]
+           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
 logpath  = /var/log/sshd.log
 maxretry = 5
@ -89,6 +89,13 @@ action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
 logpath  = /var/log/mail.log
 # ASSP SMTP Proxy Jail
 [assp]
 enabled  = false
 filter   = assp
 action = iptables-multiport[name=assp,port="25,465,587"]
 logpath  = /root/path/to/assp/logs/maillog.txt
 # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
 # used to avoid banning the user "myuser".
@ -96,11 +103,55 @@ logpath  = /var/log/mail.log
 enabled     = false
 filter      = sshd
-action      = hostsdeny
+action      = hostsdeny[daemon_list=sshd]
              sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
 logpath     = /var/log/sshd.log
 # Here we use blackhole routes for not requiring any additional kernel support
 # to store large volumes of banned IPs
 [ssh-route]
 enabled = false
 filter = sshd
 action = route
 logpath = /var/log/sshd.log
 maxretry = 5
 # Here we use a combination of Netfilter/Iptables and IPsets
 # for storing large volumes of banned IPs
 #
 # IPset comes in two versions. See ipset -V for which one to use
 # requires the ipset package and kernel support.
 [ssh-iptables-ipset4]
 enabled  = false
 filter   = sshd
 action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/sshd.log
 maxretry = 5
 [ssh-iptables-ipset6]
 enabled  = false
 filter   = sshd
 action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
 logpath  = /var/log/sshd.log
 maxretry = 5
 # bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
 # table number must be unique.
 # 
 # This will create a deny rule for that table ONLY if a rule 
 # for the table doesn't ready exist.
 #
 [ssh-bsd-ipfw]
 enabled  = false
 filter   = sshd
 action   = bsd-ipfw[port=ssh,table=1]
 logpath  = /var/log/auth.log
 maxretry = 5
 # This jail demonstrates the use of wildcards in "logpath".
 # Moreover, it is possible to give other files on a new line.
@ -172,6 +223,27 @@ action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
 logpath  = /var/log/apache2/error_log
 # Monitor roundcube server
 [roundcube-iptables]
 enabled  = false
 filter   = roundcube-auth
 action   = iptables-multiport[name=RoundCube, port="http,https"]
 logpath  = /var/log/roundcube/userlogins
 # Monitor SOGo groupware server
 [sogo-iptables]
 enabled  = false
 filter   = sogo-auth
 # without proxy this would be:
 # port    = 20000
 action   = iptables-multiport[name=SOGo, port="http,https"]
 logpath  = /var/log/sogo/sogo.log
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
@ -179,35 +251,25 @@ logpath  = /var/log/apache2/error_log
 [php-url-fopen]
 enabled = false
-port    = http,https
+action  = iptables-multiport[name=php-url-open, port="http,https"]
 filter  = php-url-fopen
 logpath = /var/www/*/logs/access_log
 maxretry = 1
-# A simple PHP-fastcgi jail which works with lighttpd.
+[suhosin]
 # If you run a lighttpd server, then you probably will
 # find these kinds of messages in your error_log:
 # ALERT – tried to register forbidden variable ‘GLOBALS’
 # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
 # This jail would block the IP 1.2.3.4.
 [lighttpd-fastcgi]
 enabled = false
-port    = http,https
+filter  = suhosin
-filter  = lighttpd-fastcgi
+action  = iptables-multiport[name=suhosin, port="http,https"]
 # adapt the following two items as needed
 logpath = /var/log/lighttpd/error.log
 maxretry = 2
 # Same as above for mod_auth
 # It catches wrong authentifications
 [lighttpd-auth]
 enabled = false
 port    = http,https
 filter  = lighttpd-auth
 action  = iptables-multiport[name=lighttpd-auth, port="http,https"]
 # adapt the following two items as needed
 logpath = /var/log/lighttpd/error.log
 maxretry = 2
@ -291,6 +353,19 @@ action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
 logpath  = /var/log/asterisk/messages
 maxretry = 10
 # To log wrong MySQL access attempts add to /etc/my.cnf:
 # log-error=/var/log/mysqld.log
 # log-warning = 2
 [mysqld-iptables]
 enabled  = false
 filter   = mysqld-auth
 action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
 logpath  = /var/log/mysqld.log
 maxretry = 5
 # Jail for more extended banning of persistent abusers
 # !!! WARNING !!!
 #   Make sure that your loglevel specified in fail2ban.conf/.local
@ -306,3 +381,43 @@ action   = iptables-allports[name=recidive]
 bantime  = 604800  ; 1 week
 findtime = 86400   ; 1 day
 maxretry = 5
 # PF is a BSD based firewall
 [ssh-pf]
 enabled=false
 filter = sshd
 action = pf
 logpath  = /var/log/sshd.log
 maxretry=5
 [3proxy]
 enabled = false
 filter  = 3proxy
 action  = iptables[name=3proxy, port=3128, protocol=tcp]
 logpath = /var/log/3proxy.log
 [exim]
 enabled = false
 filter = exim
 action = iptables-multiport[name=exim,port="25,465,587"]
 logpath = /var/log/exim/mainlog
 [exim-spam]
 enabled = false
 filter = exim-spam
 action = iptables-multiport[name=exim-spam,port="25,465,587"]
 logpath = /var/log/exim/mainlog
 [perdition]
 enabled = false
 filter = perdition
 action = iptables-multiport[name=perdition,port="110,143,993,995"]
 logpath = /var/log/maillog
 [osx-ssh-ipfw]
 enabled = false
 filter = sshd
 action = osx-ipfw
 logpath = /var/log/secure.log
--- a/Show More
+++ b/Show More