From 314e402fe0fd46b102d94000ec626b212bdca657 Mon Sep 17 00:00:00 2001 From: sebres Date: Wed, 10 Jan 2018 14:48:25 +0100 Subject: [PATCH 1/3] filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632) --- ChangeLog | 1 + config/filter.d/sendmail-auth.conf | 2 +- fail2ban/tests/files/logs/sendmail-auth | 4 ++++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 49a34e02..ec11539f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,7 @@ releases. - fixed failregex of "AUTH command used when not advertised" to better handle the foreign input SMTP command (lower/mixed case auth command, prevent injection) (gh-1979) * filter.d/postfix-*.conf - added optional port regex (gh-1902) +* filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632) ### New Features diff --git a/config/filter.d/sendmail-auth.conf b/config/filter.d/sendmail-auth.conf index 7886e60d..3e2d34a8 100644 --- a/config/filter.d/sendmail-auth.conf +++ b/config/filter.d/sendmail-auth.conf @@ -7,7 +7,7 @@ before = common.conf [Definition] -_daemon = (?:sm-(mta|acceptingconnections)) +_daemon = (?:sendmail|sm-(?:mta|acceptingconnections)) failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$ diff --git a/fail2ban/tests/files/logs/sendmail-auth b/fail2ban/tests/files/logs/sendmail-auth index 7cc18c70..835508f6 100644 --- a/fail2ban/tests/files/logs/sendmail-auth +++ b/fail2ban/tests/files/logs/sendmail-auth 
@@ -10,3 +10,7 @@ Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6- # failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" } Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6 + +# gh-1632, Fedora 24/RHEL - the daemon name is "sendmail": +# failJSON: { "time": "2005-02-24T14:00:00", "match": true , "host": "192.0.2.1" } +Feb 24 14:00:00 server sendmail[26592]: u0CB32qX026592: [192.0.2.1]: possible SMTP attack: command=AUTH, count=5 From 7e05976ead14984a0c10d76f2e49713762479039 Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Thu, 11 Jan 2018 12:38:34 +0100 Subject: [PATCH 2/3] action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now. Closes #2000 --- config/action.d/hostsdeny.conf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf index d74f498d..5cca6529 100644 --- a/config/action.d/hostsdeny.conf +++ b/config/action.d/hostsdeny.conf @@ -31,8 +31,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = IP= && - printf %%b ": $IP\n" >> +actionban = IP= && printf %%b ": $IP\n" >> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -40,7 +39,7 @@ actionban = IP= && # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = echo "/^: $/
d
w
q" | ed +actionunban = IP=$(echo | sed 's/\./\\./g') && sed -i "/^: $IP$/d" [Init] From 2bce0c5e3ee805779359b02e4ad5272b32553e77 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 15 Jan 2018 18:00:15 +0100 Subject: [PATCH 3/3] file-filter's: provide stop function in order to explicitly delete/stop monitoring of each file. --- fail2ban/server/filter.py | 9 +++++++++ fail2ban/server/filterpyinotify.py | 3 ++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index c309bbb2..25a0e687 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -1061,6 +1061,15 @@ class FileFilter(Filter): ret.append(("File list", path)) return ret + def stop(self): + """Stop monitoring of log-file(s) + """ + # stop files monitoring: + for path in self.__logs.keys(): + self.delLogPath(path) + # stop thread: + super(Filter, self).stop() + ## # FileContainer class. # diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py index ef26303a..17d387a1 100644 --- a/fail2ban/server/filterpyinotify.py +++ b/fail2ban/server/filterpyinotify.py @@ -78,6 +78,7 @@ class FilterPyinotify(FileFilter): self.__modified = False # Pyinotify watch manager self.__monitor = pyinotify.WatchManager() + self.__notifier = None self.__watchFiles = dict() self.__watchDirs = dict() self.__pending = dict() @@ -240,7 +241,7 @@ class FilterPyinotify(FileFilter): def _delFileWatcher(self, path): try: wdInt = self.__watchFiles.pop(path) - if not self._delWatch(wdInt): # pragma: no cover + if not self._delWatch(wdInt): logSys.debug("Non-existing file watcher %r for file %s", wdInt, path) logSys.debug("Removed file watcher for %s", path) return True
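Review bot: The rewritten actionunban escapes only the dots of the IP, while the daemon-list tag placed before `: $IP` (the page shows it as `": $IP$/d"` because extraction dropped fail2ban's angle-bracket tags) is interpolated into the sed address verbatim, so a configured daemon list containing `.`, `*`, `[` or the `/` delimiter would either fail to match and silently leave the entry in the deny file, or abort the sed expression. The ed script being removed had the same gap, so this is pre-existing, but it is cheap to close while the line is rewritten: escape that value the same way as the IP, e.g. `DL=$(printf %%s "<daemon_list>" | sed 's/[].[^$*\/]/\\&/g')` and then `sed -i "/^$DL: $IP$/d" <file>`. Note also that `sed -i` without a suffix argument is GNU-specific and replaces the target through a temporary file plus rename, unlike the in-place `ed` edit it supersedes; the [Init] comments would be the place to state that expectation.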
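Review bot: `for path in self.__logs.keys(): self.delLogPath(path)` mutates `self.__logs` while iterating it (assuming `delLogPath` removes the path from that dict, as its name and the commit message suggest); on Python 3 `keys()` is a live view, so this raises `RuntimeError: dictionary changed size during iteration` as soon as a filter monitors two or more files, and it only appears to work on Python 2 where `keys()` returns a list. Iterate over a snapshot instead: `for path in list(self.__logs.keys()):`. Separately, `super(Filter, self).stop()` skips any `Filter.stop` and resolves to the class after `Filter` in the MRO; if that is intended, a comment such as `# skip Filter.stop on purpose: only the thread needs stopping here` would keep the next reader from "fixing" it to `super(FileFilter, self)`.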