diff --git a/.codespellrc b/.codespellrc
new file mode 100644
index 00000000..a5dd775e
--- /dev/null
+++ b/.codespellrc
@@ -0,0 +1,12 @@
+[codespell]
+# THANKS - names
+skip = .git,*.pdf,*.svg,venv,.codespellrc,THANKS,*test*.log,logs
+check-hidden = true
+# Ignore all acronyms etc as plenty e.g. in fail2ban/server/strptime.py
+# Try to identify incomplete words which are part of a regex, hence having [] at the beginning
+# Ignore all urls as something with :// in it
+# Ignore all lines with codespell-ignore in them for pragma annotation
+ignore-regex = (\b([A-Z][A-Z][A-Z]+|gir\.st)\b)|\[[a-zA-Z]+\][a-z]+\b|[a-z]+://\S+|.*codespell-ignore.*
+# some oddly named variables, some names, etc
+# wee -- comes in regex etc for weeks
+ignore-words-list = theis,timere,alls,wee,wight,ans,re-use
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 00000000..7373affc
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,22 @@
+---
+name: Codespell
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+
+permissions:
+ contents: read
+
+jobs:
+ codespell:
+ name: Check for spelling errors
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Codespell
+ uses: codespell-project/actions-codespell@v2
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 39c85231..30e38f7d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
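Review bot: Both steps of the new `codespell.yml` job reference their actions by mutable tag (`actions/checkout@v3`, `codespell-project/actions-codespell@v2`), so the code that runs on every push and pull request can change without any commit in this repository. Pinning each `uses:` to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, makes the executed code reviewable. The same applies to `actions/checkout@v4` and `actions/setup-python@v4` in the first hunk of `.github/workflows/main.yml`, and the two workflows now disagree on the checkout major version. The `permissions: contents: read` block is a good limit on the token; since nothing later in this job pushes, the checkout step could also set `persist-credentials: false`.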
@@ -22,15 +22,15 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - python-version: [2.7, 3.5, 3.6, 3.7, 3.8, 3.9, '3.10', '3.11.0-beta.3', pypy2, pypy3] + python-version: [3.7, 3.8, 3.9, '3.10', '3.11', '3.12', '3.13.0-alpha.2', pypy3.10] fail-fast: false # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} 
@@ -51,24 +51,32 @@ jobs: - name: Install dependencies run: | - if [[ "$F2B_PY" = 3 ]]; then python -m pip install --upgrade pip || echo "can't upgrade pip"; fi - if [[ "$F2B_PY" = 3 ]] && ! command -v 2to3x -v 2to3 > /dev/null; then - #pip install 2to3 - sudo apt-get -y install 2to3 - fi + #if [[ "$F2B_PY" = 3 ]]; then python -m pip install --upgrade pip || echo "can't upgrade pip"; fi #sudo apt-get -y install python${F2B_PY/2/}-pyinotify || echo 'inotify not available' python -m pip install pyinotify || echo 'inotify not available' + sudo apt-get -y install sqlite3 || echo 'sqlite3 not available' #sudo apt-get -y install python${F2B_PY/2/}-systemd || echo 'systemd not available' sudo apt-get -y install libsystemd-dev || echo 'systemd dependencies seems to be unavailable' python -m pip install systemd-python || echo 'systemd not available' - #readline if available as module: + # readline if available as module: python -c 'import readline' 2> /dev/null || python -m pip install readline || echo 'readline not available' + # asyncore/asynchat: + if dpkg --compare-versions "$F2B_PYV" ge 3.12; then + #sudo apt-get -y install python${F2B_PY/2/}-setuptools || echo 'setuptools not unavailable' + python -m pip install setuptools || echo "can't install setuptools" + # don't install async* modules, we need to cover bundled-in libraries: + #python -m pip install pyasynchat || echo "can't install pyasynchat"; + #python -m pip install pyasyncore || echo "can't install pyasyncore"; + fi + # aiosmtpd in test_smtp (for 3.10+, no need to test it everywhere): + if dpkg --compare-versions "$F2B_PYV" ge 3.10; then + #sudo apt-get -y install python${F2B_PY/2/}-aiosmtpd || echo 'aiosmtpd not available' + python -m pip install aiosmtpd || echo 'aiosmtpd not available' + fi - name: Before scripts run: | cd "$GITHUB_WORKSPACE" - # Manually execute 2to3 for now - if [[ "$F2B_PY" = 3 ]]; then echo "2to3 ..." 
&& ./fail2ban-2to3; fi _debug() { echo -n "$1 "; err=$("${@:2}" 2>&1) && echo 'OK' || echo -e "FAIL\n$err"; } # (debug) output current preferred encoding: _debug 'Encodings:' python -c 'import locale, sys; from fail2ban.helpers import PREFER_ENC; print(PREFER_ENC, locale.getpreferredencoding(), (sys.stdout and sys.stdout.encoding))' @@ -80,14 +88,8 @@ jobs: - name: Test suite run: | - if [[ "$F2B_PY" = 2 ]]; then - python setup.py test - elif dpkg --compare-versions "$F2B_PYV" lt 3.10; then - python bin/fail2ban-testcases --verbosity=2 - else - echo "Skip systemd backend since systemd-python module must be fixed for python >= v.3.10 in GHA ..." - python bin/fail2ban-testcases --verbosity=2 -i "[sS]ystemd|[jJ]ournal" - fi + #python setup.py test + python bin/fail2ban-testcases --verbosity=2 #- name: Test suite (debug some systemd tests only) #run: python bin/fail2ban-testcases --verbosity=2 "[sS]ystemd|[jJ]ournal" diff --git a/.gitignore b/.gitignore index 780ecfb5..5f1b8924 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ htmlcov __pycache__ .vagrant/ .idea/ +.venv/ diff --git a/.project b/.project deleted file mode 100644 index 6d59cd24..00000000 --- a/.project +++ /dev/null @@ -1,17 +0,0 @@ - - - fail2ban-unstable - - - - - - org.python.pydev.PyDevBuilder - - - - - - org.python.pydev.pythonNature - - diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 502af5be..00000000 --- a/.travis.yml +++ /dev/null 
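Review bot: Every install in the `Install dependencies` step ends in `|| echo '...'`, so a failed `python -m pip install systemd-python`, `pyinotify` or `aiosmtpd` leaves the job green, while the `Test suite` hunk that follows now runs `python bin/fail2ban-testcases --verbosity=2` for all versions without the former systemd/journal exclusion. If the test runner skips cases whose backend module is missing (not visible in this diff), a broken dependency would silently remove that coverage instead of failing the build. Consider checking the expected modules after the installs on the matrix entries where they are required, e.g. `python -c 'import systemd.journal'`, or at least emitting `echo "::warning::systemd not available"` so the gap shows up in the run summary. The PyPI packages are also installed without version pins; a constraints file would keep CI runs reproducible and limit exposure to a bad upstream release.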
@@ -1,82 +0,0 @@ -# vim ft=yaml -# travis-ci.org definition for Fail2Ban build -# https://travis-ci.org/fail2ban/fail2ban/ - -#os: linux - -language: python -dist: xenial - -matrix: - fast_finish: true - include: - - python: 2.7 - #- python: pypy - - python: 3.4 - - python: 3.5 - - python: 3.6 - - python: 3.7 - - python: 3.8 - - python: 3.9-dev - - python: pypy3.5 -before_install: - - echo "running under $TRAVIS_PYTHON_VERSION" - - if [[ $TRAVIS_PYTHON_VERSION == 2* || $TRAVIS_PYTHON_VERSION == pypy* && $TRAVIS_PYTHON_VERSION != pypy3* ]]; then export F2B_PY=2; fi - - if [[ $TRAVIS_PYTHON_VERSION == 3* || $TRAVIS_PYTHON_VERSION == pypy3* ]]; then export F2B_PY=3; fi - - echo "Set F2B_PY=$F2B_PY" - - travis_retry sudo apt-get update -qq - # Set this so sudo executes the correct python binary - # Anything not using sudo will already have the correct environment - - export VENV_BIN="$VIRTUAL_ENV/bin" && echo "VENV_BIN set to $VENV_BIN" -install: - # Install Python packages / dependencies - # coverage - - travis_retry pip install coverage - # coveralls (note coveralls doesn't support 2.6 now): - #- if [[ $TRAVIS_PYTHON_VERSION != 2.6* ]]; then F2B_COV=1; else F2B_COV=0; fi - - F2B_COV=1 - - if [[ "$F2B_COV" = 1 ]]; then travis_retry pip install coveralls; fi - # codecov: - - travis_retry pip install codecov - # dnspython or dnspython3 - - if [[ "$F2B_PY" = 2 ]]; then travis_retry pip install dnspython || echo 'not installed'; fi - - if [[ "$F2B_PY" = 3 ]]; then travis_retry pip install dnspython3 || echo 'not installed'; fi - # python systemd bindings: - - if [[ "$F2B_PY" = 2 ]]; then travis_retry sudo apt-get install -qq python-systemd || echo 'not installed'; fi - - if [[ "$F2B_PY" = 3 ]]; then travis_retry sudo apt-get install -qq python3-systemd || echo 'not installed'; fi - # gamin - install manually (not in PyPI) - travis-ci system Python is 2.7 - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then (travis_retry sudo apt-get install -qq python-gamin && cp 
/usr/share/pyshared/gamin.py /usr/lib/pyshared/python2.7/_gamin.so $VIRTUAL_ENV/lib/python2.7/site-packages/) || echo 'not installed'; fi - # pyinotify - - travis_retry pip install pyinotify || echo 'not installed' - # Install helper tools - - sudo apt-get install shellcheck -before_script: - # Manually execute 2to3 for now - - if [[ "$F2B_PY" = 3 ]]; then ./fail2ban-2to3; fi - # (debug) output current preferred encoding: - - python -c 'import locale, sys; from fail2ban.helpers import PREFER_ENC; print(PREFER_ENC, locale.getpreferredencoding(), (sys.stdout and sys.stdout.encoding))' -script: - # Keep the legacy setup.py test approach of checking coverage for python2 - - if [[ "$F2B_PY" = 2 ]]; then coverage run setup.py test; fi - # Coverage doesn't pick up setup.py test with python3, so run it directly (with same verbosity as from setup) - - if [[ "$F2B_PY" = 3 ]]; then coverage run bin/fail2ban-testcases --verbosity=2; fi - # Use $VENV_BIN (not python) or else sudo will always run the system's python (2.7) - - sudo $VENV_BIN/pip install . - # Doc files should get installed on Travis under Linux (some builds/python's seem to use another path segment) - - test -e /usr/share/doc/fail2ban/FILTERS && echo 'found' || echo 'not found' - # Test initd script - - shellcheck -s bash -e SC1090,SC1091 files/debian-initd -after_success: - - if [[ "$F2B_COV" = 1 ]]; then coveralls; fi - - codecov - -# Might be worth looking into -#notifications: -# email: true -# irc: -# channels: "irc.freenode.org#fail2ban" -# template: -# - "%{repository}@%{branch}: %{message} (%{build_url})" -# on_success: change -# on_failure: change -# skip_join: true diff --git a/ChangeLog b/ChangeLog index 8c3be67d..c9ba7d5a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -7,6 +7,71 @@ Fail2Ban: Changelog =================== +ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km +----------- + +### Compatibility +* the minimum supported python version is now 3.5, if you have previous python version + you can use the 0.11 or 1.0 version of fail2ban or upgrade python (or even build it from source). + +### Fixes +* circumvent SEGFAULT in a python's socket module by getaddrinfo with disabled IPv6 (gh-3438) +* avoid sporadic error in pyinotify backend if pending file deleted in other thread, e. g. by flushing logs (gh-3635) +* `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode args by unban +* `action.d/*ipset*`: make `maxelem` ipset option configurable through banaction arguments (gh-3564) +* `filter.d/apache-common.conf` - accepts remote besides client (gh-3622) +* `filter.d/mysqld-auth.conf` - matches also if no suffix in message (mariadb 10.3 log format, gh-3603) +* `filter.d/nginx-*.conf` - nginx error-log filters extended with support of journal format (gh-3646) +* `filter.d/postfix.conf`: + - "rejected" rule extended to match "Access denied" too (gh-3474) + - avoid double counting ('lost connection after AUTH' together with message 'disconnect ...', gh-3505) + - add Sender address rejected: Malformed DNS server reply (gh-3590) + - add to postfix syslog daemon format (gh-3690) + - change journalmatch postfix, allow sub-units with postfix@-.service (gh-3692) +* `filter.d/recidive.conf`: support for systemd-journal, conditional RE depending on logtype (for file or journal, gh-3693) +* `filter.d/slapd.conf` - filter rewritten for single-line processing, matches errored result without `text=...` (gh-3604) + +### New Features and Enhancements +* supports python 3.12 and 3.13 (gh-3487) +* bundling async modules removed in python 3.12+ (fallback to local libraries pyasyncore/pyasynchat if import would miss them, gh-3487) +* `fail2ban-client` extended (gh-2975): + - `fail2ban-client status 
--all [flavor]` - returns status of fail2ban and all jails in usual form + - `fail2ban-client stats` - returns statistic in form of table (jail, backend, found and banned counts) + - `fail2ban-client statistic` or `fail2ban-client statistics` - same as `fail2ban-client stats` (aliases for stats) + - `fail2ban-client status --all stats` - (undocumented, flavor "stats") returns statistic of all jails in form of python dict +* `fail2ban-regex` extended to load settings from jail (by simple name it'd prefer jail to the filter now, gh-2655); + to load the settings from filter one could use: +```diff +- fail2ban-regex ... sshd ; # jail ++ fail2ban-regex ... sshd.conf ; # filter +# or: ++ fail2ban-regex ... filter.d/sshd ; # filter +``` +* better auto-detection for IPv6 support (`allowipv6 = auto` by default), trying to check sysctl net.ipv6.conf.all.disable_ipv6 + (value read from `/proc/sys/net/ipv6/conf/all/disable_ipv6`) if available, otherwise seeks over local IPv6 from network interfaces + if available for platform and uses DNS to find local IPv6 as a fallback only +* improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132) +* `action.d/mikrotik.conf` - new action for mikrotik routerOS, adds and removes entries from address lists on the router (gh-2860) +* `action.d/pf.conf` - pf action extended with support of `protocol=all` (gh-3503) +* `action.d/smtp.py` - added optional support for TLS connections via the `ssl` arg. +* `filter.d/dante.conf` - new filter for Dante SOCKS server (gh-2112) +* `filter.d/exim.conf`, `filter.d/exim-spam.conf`: + - messages are prefiltered by `prefregex` now + - filter can bypass additional timestamp or pid that may be logged via systemd-journal or syslog-ng (gh-3060) + - rewrite host line regex for all varied exim's log_selector states (gh-3263, gh-3701, gh-3702) + - fixed "dropped: too many ..." 
regex, also matching unrecognized commands now (gh-3502) +* `filter.d/named-refused.conf` - denied allows any reason in parenthesis as suffix (gh-3697) +* `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226) +* `filter.d/routeros-auth.conf` - new filter detecting failed login attempts in the log produced by MikroTik RouterOS +* `filter.d/sshd.conf`: + - avoid double counting for "maximum authentication attempts exceeded" (gh-3502) + - message "Disconnecting ... Too many authentication failures" is not a failure anymore + - mode `ddos`/`aggressive` extended to match new messages caused by port scanner, wrong payload on ssh port (gh-3486): + * message authentication code incorrect [preauth] + * connection corrupted [preauth] + * timeout before authentication + + ver. 1.0.2 (2022/11/09) - finally-war-game-test-tape-not-a-nuclear-alarm ----------- @@ -53,7 +118,7 @@ ver. 1.0.1 (2022/09/27) - energy-equals-mass-times-the-speed-of-light-squared * [stability] solves race condition with uncontrolled growth of failure list (jail with too many matches, that did not cause ban), behavior changed to ban ASAP, gh-2945 * fixes search for the best datepattern - e. g. if line is too short, boundaries check for previously known - unprecise pattern may fail on incomplete lines (logging break-off, no flush, etc), gh-3020 + imprecise pattern may fail on incomplete lines (logging break-off, no flush, etc), gh-3020 * [stability, performance] backend `systemd`: - fixes error "local variable 'line' referenced before assignment", introduced in 55d7d9e2, gh-3097 - don't update database too often (every 10 ticks or ~ 10 seconds in production) 
@@ -391,7 +456,7 @@ filter = flt[logtype=short] * `filter.d/znc-adminlog.conf`: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded ### Enhancements -* introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to contol +* introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to control how many matches per ticket fail2ban can hold in memory and store in database (gh-2402, gh-2118); * fail2ban.conf: introduced new section `[Thread]` and option `stacksize` to configure default size of the stack for threads running in fail2ban (gh-2356), it could be set in `fail2ban.local` to @@ -501,7 +566,7 @@ ver. 0.10.3 (2018/04/04) - the-time-is-always-right-to-do-what-is-right - fixed root login refused regex (optional port before preauth, gh-2080); - avoid banning of legitimate users when pam_unix used in combination with other password method, so bypass pam_unix failures if accepted available for this user gh-2070; - - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly); + - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediately); - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode it counts failure on closing connection within preauth-stage (gh-2085); * `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101); @@ -831,7 +896,7 @@ ver. 0.10.0-alpha-1 (2016/07/14) - ipv6-support-etc sane environment in error case of `actioncheck`. * Reporting via abuseipdb.com: - Bans can now be reported to abuseipdb - - Catagories must be set in the config + - Categories must be set in the config - Relevant log lines included in report ### Enhancements 
@@ -968,7 +1033,7 @@ releases. - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs. * filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882) * filter.d/asterisk.conf - - fixed failregex AMI Asterisk authentification failed (see gh-1302) + - fixed failregex AMI Asterisk authentication failed (see gh-1302) - removed invalid (vulnerable) regex blocking IPs using forign data (from header "from") thus not the IP-address that really originates the request (see gh-1927) - fixed failregex for the SQL-injection attempts with single-quotes in connect-string (see gh-2011) @@ -1268,7 +1333,7 @@ ver. 0.9.3 (2015/08/01) - lets-all-stay-friends * `filter.d/roundcube-auth.conf` - Updated regex to work with 'errors' log (1.0.5 and 1.1.1) - Added regex to work with 'userlogins' log -* `action.d/sendmail*.conf` - use LC_ALL (superseeding LC_TIME) to override +* `action.d/sendmail*.conf` - use LC_ALL (superseding LC_TIME) to override locale on systems with customized LC_ALL * performance fix: minimizes connection overhead, close socket only at communication end (gh-1099) @@ -1438,7 +1503,7 @@ ver. 0.9.1 (2014/10/29) - better, faster, stronger * Ignored IPs are no longer banned when being restored from persistent database * Manually unbanned IPs are now removed from persistent database, such they - wont be banned again when Fail2Ban is restarted + won't be banned again when Fail2Ban is restarted * Pass "bantime" parameter to the actions in default jail's action definition(s) * `filters.d/sieve.conf` - fixed typo in _daemon. Thanks Jisoo Park 
@@ -1729,7 +1794,7 @@ those filters were used. all platforms to ensure permissions are the same before and after a ban. Closes gh-266. hostsdeny supports daemon_list now too. * `action.d/bsd-ipfw` - action option unused. Change blocktype to port unreach - instead of deny for consistancy. + instead of deny for consistency. * `filter.d/dovecot` - added to support different dovecot failure "..disallowed plaintext auth". Closes Debian bug #709324 * `filter.d/roundcube-auth` - timezone offset can be positive or negative @@ -1919,7 +1984,7 @@ fail2ban-users mailing list and IRC. ### New Features - Yaroslav Halchenko * [9ba27353] Add support for `jail.d/{confilefile}` and `fail2ban.d/{configfile}` - to provide additional flexibility to system adminstrators. Thanks to + to provide additional flexibility to system administrators. Thanks to beilber for the idea. Closes gh-114. * [3ce53e87] Add exim filter. - Erwan Ben Souiden @@ -2070,7 +2135,7 @@ ver. 0.8.7 (2012/07/31) - stable * [47c03a2] files/nagios - spelling/grammar fixes * [b083038] updated Free Software Foundation's address * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 - * [642d9af,3282f86] reformated printing of jail's name to be consistent + * [642d9af,3282f86] reformatted printing of jail's name to be consistent with init's info messages * [3282f86] uniform use of capitalized Jail in the messages - Leonardo Chiquitto @@ -2415,7 +2480,7 @@ ver. 0.6.1 (2006/03/16) - stable - Fixed crash when time format does not match data - Propagated patch from Debian to fix fail2ban search path addition to the path search list: now it is added first. Thanks to Nick Craig-Wood -- Added SMTP authentification for mail notification. Thanks to Markus Hoffmann +- Added SMTP authentication for mail notification. Thanks to Markus Hoffmann - Removed debug mode as it is confusing for people - Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark Edgington 
@@ -2448,7 +2513,7 @@ ver. 0.5.5 (2005/10/26) - beta further adjusted by upstream author). * Added -f command line parameter for [findtime]. * Added a cleanup of firewall rules on emergency shutdown when unknown - exception is catched. + exception is caught. * Fail2ban should not crash now if a wrong file name is specified in config. * reordered code a bit so that log targets are setup right after background and then only loglevel (verbose, debug) is processed, so the warning could diff --git a/FILTERS b/FILTERS index 2ed6281d..18b8825c 100644 --- a/FILTERS +++ b/FILTERS @@ -129,7 +129,7 @@ Date/Time --------- At the moment, Fail2Ban depends on log lines to have time stamps. That is why -before starting to develop failregex, check if your log line format known to +before starting to develop failregex, check if your log line format is known to Fail2Ban. Copy the time component from the log line and append an IP address to test with following command:: diff --git a/MANIFEST b/MANIFEST index fec09dde..972a2b48 100644 --- a/MANIFEST +++ b/MANIFEST @@ -40,6 +40,7 @@ config/action.d/mail.conf config/action.d/mail-whois-common.conf config/action.d/mail-whois.conf config/action.d/mail-whois-lines.conf +config/action.d/mikrotik.conf config/action.d/mynetwatchman.conf config/action.d/netscaler.conf config/action.d/nftables-allports.conf @@ -90,6 +91,7 @@ config/filter.d/counter-strike.conf config/filter.d/courier-auth.conf config/filter.d/courier-smtp.conf config/filter.d/cyrus-imap.conf +config/filter.d/dante.conf config/filter.d/directadmin.conf config/filter.d/domino-smtp.conf config/filter.d/dovecot.conf @@ -121,6 +123,8 @@ config/filter.d/nagios.conf config/filter.d/named-refused.conf config/filter.d/nginx-bad-request.conf config/filter.d/nginx-botsearch.conf +config/filter.d/nginx-error-common.conf +config/filter.d/nginx-forbidden.conf config/filter.d/nginx-http-auth.conf config/filter.d/nginx-limit-req.conf config/filter.d/nsd.conf 
@@ -138,6 +142,7 @@ config/filter.d/pure-ftpd.conf config/filter.d/qmail.conf config/filter.d/recidive.conf config/filter.d/roundcube-auth.conf +config/filter.d/routeros-auth.conf config/filter.d/scanlogd.conf config/filter.d/screensharingd.conf config/filter.d/selinux-common.conf @@ -175,7 +180,6 @@ CONTRIBUTING.md COPYING .coveragerc DEVELOP -fail2ban-2to3 fail2ban/client/actionreader.py fail2ban/client/beautifier.py fail2ban/client/configparserinc.py @@ -191,6 +195,8 @@ fail2ban/client/filterreader.py fail2ban/client/__init__.py fail2ban/client/jailreader.py fail2ban/client/jailsreader.py +fail2ban/compat/asynchat.py +fail2ban/compat/asyncore.py fail2ban/exceptions.py fail2ban/helpers.py fail2ban/__init__.py @@ -204,7 +210,6 @@ fail2ban/server/datedetector.py fail2ban/server/datetemplate.py fail2ban/server/failmanager.py fail2ban/server/failregex.py -fail2ban/server/filtergamin.py fail2ban/server/filterpoll.py fail2ban/server/filter.py fail2ban/server/filterpyinotify.py @@ -272,7 +277,7 @@ fail2ban/tests/files/config/apache-auth/noentry/.htaccess fail2ban/tests/files/config/apache-auth/README fail2ban/tests/files/database_v1.db fail2ban/tests/files/database_v2.db -fail2ban/tests/files/filter.d/substition.conf +fail2ban/tests/files/filter.d/substitution.conf fail2ban/tests/files/filter.d/testcase01.conf fail2ban/tests/files/filter.d/testcase02.conf fail2ban/tests/files/filter.d/testcase02.local @@ -300,6 +305,7 @@ fail2ban/tests/files/logs/counter-strike fail2ban/tests/files/logs/courier-auth fail2ban/tests/files/logs/courier-smtp fail2ban/tests/files/logs/cyrus-imap +fail2ban/tests/files/logs/dante fail2ban/tests/files/logs/directadmin fail2ban/tests/files/logs/domino-smtp fail2ban/tests/files/logs/dovecot 
@@ -329,6 +335,7 @@ fail2ban/tests/files/logs/nagios fail2ban/tests/files/logs/named-refused fail2ban/tests/files/logs/nginx-bad-request fail2ban/tests/files/logs/nginx-botsearch +fail2ban/tests/files/logs/nginx-forbidden fail2ban/tests/files/logs/nginx-http-auth fail2ban/tests/files/logs/nginx-limit-req fail2ban/tests/files/logs/nsd @@ -346,6 +353,7 @@ fail2ban/tests/files/logs/pure-ftpd fail2ban/tests/files/logs/qmail fail2ban/tests/files/logs/recidive fail2ban/tests/files/logs/roundcube-auth +fail2ban/tests/files/logs/routeros-auth fail2ban/tests/files/logs/scanlogd fail2ban/tests/files/logs/screensharingd fail2ban/tests/files/logs/selinux-ssh diff --git a/README.md b/README.md index 6bf94c25..601d72ca 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| - v1.0.1.dev1 20??/??/?? + v1.1.0.dev1 20??/??/?? ## Fail2Ban: ban hosts that cause multiple authentication errors 
@@ -29,26 +29,27 @@ and the website: https://www.fail2ban.org Installation: ------------- -**It is possible that Fail2Ban is already packaged for your distribution. In -this case, you should use that instead.** +Fail2Ban is likely already packaged for your Linux distribution and [can installed with a simple command](https://github.com/fail2ban/fail2ban/wiki/How-to-install-fail2ban-packages). + +If your distribution is not listed, you can install from GitHub: Required: -- [Python2 >= 2.7 or Python >= 3.2](https://www.python.org) or [PyPy](https://pypy.org) -- python-setuptools, python-distutils or python3-setuptools for installation from source +- [Python >= 3.5](https://www.python.org) or [PyPy3](https://pypy.org) +- python-setuptools, python-distutils (or python3-setuptools) for installation from source Optional: - [pyinotify >= 0.8.3](https://github.com/seb-m/pyinotify), may require: * Linux >= 2.6.13 -- [gamin >= 0.0.21](http://www.gnome.org/~veillard/gamin) - [systemd >= 204](http://www.freedesktop.org/wiki/Software/systemd) and python bindings: * [python-systemd package](https://www.freedesktop.org/software/systemd/python-systemd/index.html) - [dnspython](http://www.dnspython.org/) +- [pyasyncore](https://pypi.org/project/pyasyncore/) and [pyasynchat](https://pypi.org/project/pyasynchat/) (normally bundled-in within fail2ban, for python 3.12+ only) To install: - tar xvfj fail2ban-1.0.1.tar.bz2 - cd fail2ban-1.0.1 + tar xvfj fail2ban-master.tar.bz2 + cd fail2ban-master sudo python setup.py install Alternatively, you can clone the source from GitHub to a directory of Your choice, and do the install from there. Pick the correct branch, for example, master or 0.11 
@@ -90,11 +91,7 @@ fail2ban(1) and jail.conf(5) manpages for further references. Code status: ------------ -* travis-ci.org: [![tests status](https://secure.travis-ci.org/fail2ban/fail2ban.svg?branch=master)](https://travis-ci.org/fail2ban/fail2ban?branch=master) / [![tests status](https://secure.travis-ci.org/fail2ban/fail2ban.svg?branch=0.11)](https://travis-ci.org/fail2ban/fail2ban?branch=0.11) (0.11 branch) / [![tests status](https://secure.travis-ci.org/fail2ban/fail2ban.svg?branch=0.10)](https://travis-ci.org/fail2ban/fail2ban?branch=0.10) (0.10 branch) - -* coveralls.io: [![Coverage Status](https://coveralls.io/repos/fail2ban/fail2ban/badge.svg?branch=master)](https://coveralls.io/github/fail2ban/fail2ban?branch=master) / [![Coverage Status](https://coveralls.io/repos/fail2ban/fail2ban/badge.svg?branch=0.11)](https://coveralls.io/github/fail2ban/fail2ban?branch=0.11) (0.11 branch) / [![Coverage Status](https://coveralls.io/repos/fail2ban/fail2ban/badge.svg?branch=0.10)](https://coveralls.io/github/fail2ban/fail2ban?branch=0.10) / (0.10 branch) - -* codecov.io: [![codecov.io](https://codecov.io/gh/fail2ban/fail2ban/coverage.svg?branch=master)](https://codecov.io/gh/fail2ban/fail2ban/branch/master) / [![codecov.io](https://codecov.io/gh/fail2ban/fail2ban/coverage.svg?branch=0.11)](https://codecov.io/gh/fail2ban/fail2ban/branch/0.11) (0.11 branch) / [![codecov.io](https://codecov.io/gh/fail2ban/fail2ban/coverage.svg?branch=0.10)](https://codecov.io/gh/fail2ban/fail2ban/branch/0.10) (0.10 branch) +* [![CI](https://github.com/fail2ban/fail2ban/actions/workflows/main.yml/badge.svg)](https://github.com/fail2ban/fail2ban/actions/workflows/main.yml) Contact: -------- diff --git a/RELEASE b/RELEASE index 2b2bc58e..96f402a0 100644 --- a/RELEASE +++ b/RELEASE 
@@ -13,7 +13,7 @@ Preparation * Check distribution patches and see if they can be included * https://apps.fedoraproject.org/packages/fail2ban/sources - * http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/ + * https://gitweb.gentoo.org/repo/gentoo.git/tree/net-analyzer/fail2ban * http://svnweb.freebsd.org/ports/head/security/py-fail2ban/ * https://build.opensuse.org/package/show?package=fail2ban&project=openSUSE%3AFactory * http://sophie.zarb.org/sources/fail2ban (Mageia) @@ -49,7 +49,7 @@ Preparation ad-hoc bash script to run in a clean clone: - find -type f | grep -v -e '\.git' -e '/doc/' -e '\.travis' -e MANIFEST | sed -e 's,^\./,,g' | while read f; do grep -ne "^$f\$" MANIFEST >/dev/null || echo "$f" ; done + find -type f | grep -v -e '\.git' -e '/doc/' -e MANIFEST | sed -e 's,^\./,,g' | while read f; do grep -ne "^$f\$" MANIFEST >/dev/null || echo "$f" ; done or an alternative for comparison with previous release @@ -115,7 +115,7 @@ Pre Release * Arch Linux: - * https://www.archlinux.org/packages/community/any/fail2ban/ + * https://www.archlinux.org/packages/extra/any/fail2ban/ * Debian: Yaroslav Halchenko @@ -134,7 +134,7 @@ Pre Release * Gentoo: netmon@gentoo.org - * http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/metadata.xml?view=markup + * https://gitweb.gentoo.org/repo/gentoo.git/tree/net-analyzer/fail2ban/metadata.xml * https://bugs.gentoo.org/buglist.cgi?quicksearch=fail2ban * openSUSE: Stephan Kulow diff --git a/THANKS b/THANKS index 9dd2e47c..7c008c2c 100644 --- a/THANKS +++ b/THANKS @@ -22,6 +22,7 @@ Andrey G. Grozin Andy Fragen Arturo 'Buanzo' Busleiman Axel Thimm +Balazs Mateffy Bas van den Dikkenberg Beau Raines Bill Heaton diff --git a/bin/fail2ban-client b/bin/fail2ban-client index 5e6843ed..31a701aa 100755 --- a/bin/fail2ban-client +++ b/bin/fail2ban-client 
@@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- # vi: set ft=python sts=4 ts=4 sw=4 noet : diff --git a/bin/fail2ban-regex b/bin/fail2ban-regex index 09044f0a..e60d2542 100755 --- a/bin/fail2ban-regex +++ b/bin/fail2ban-regex @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- # vi: set ft=python sts=4 ts=4 sw=4 noet : # diff --git a/bin/fail2ban-server b/bin/fail2ban-server index 03dc0fd3..23f2fa90 100755 --- a/bin/fail2ban-server +++ b/bin/fail2ban-server @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- # vi: set ft=python sts=4 ts=4 sw=4 noet : diff --git a/bin/fail2ban-testcases b/bin/fail2ban-testcases index ba3d90b9..48aae4b5 100755 --- a/bin/fail2ban-testcases +++ b/bin/fail2ban-testcases @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- # vi: set ft=python sts=4 ts=4 sw=4 noet : """Script to run Fail2Ban tests battery diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf index 444192d3..d0029454 100644 --- a/config/action.d/bsd-ipfw.conf +++ b/config/action.d/bsd-ipfw.conf @@ -80,7 +80,7 @@ block = ip # Option: blocktype # Notes.: How to block the traffic. Use a action from man 5 ipfw # Common values: deny, unreach port, reset -# ACTION defination at the top of man ipfw for allowed values. +# ACTION definition at the top of man ipfw for allowed values. # Values: STRING # blocktype = unreach port diff --git a/config/action.d/cloudflare-token.conf b/config/action.d/cloudflare-token.conf index 8c5c37de..ff5f5c4e 100644 --- a/config/action.d/cloudflare-token.conf +++ b/config/action.d/cloudflare-token.conf @@ -50,11 +50,12 @@ actionban = curl -s -X POST "<_cf_api_url>" \ #