Merge branch '0.10' into 0.11

ChangeLog

@@ -80,6 +80,7 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
 * `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` used to match only
   whole words and fixed string (not as pattern), gh-2298
 * `filter.d/sshd.conf`:
+  - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
   - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
   - captures `Disconnected from ... [preauth]` (`extra`/`aggressive` mode and preauth phase only, gh-2239, gh-2279)
 * `filter.d/mysqld-auth.conf`: 

config/action.d/badips.py

@@ -54,9 +54,6 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
 	age : str, optional
 		Age of last report for bad IPs, per badips.com syntax.
 		Default "24h" (24 hours)
-	key : str, optional
-		Key issued by badips.com to report bans, for later retrieval
-		of personalised content.
 	banaction : str, optional
 		Name of banaction to use for blacklisting bad IPs. If `None`,
 		no blacklist of IPs will take place.
@@ -67,8 +64,8 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
 		"postfix", but want to use whole "mail" category for blacklist.
 		Default `category`.
 	bankey : str, optional
-		Key issued by badips.com to blacklist IPs reported with the
-		associated key.
+		Key issued by badips.com to retrieve personal list
+		of blacklist IPs.
 	updateperiod : int, optional
 		Time in seconds between updating bad IPs blacklist.
 		Default 900 (15 minutes)
@@ -93,7 +90,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
 	def _Request(self, url, **argv):
 		return Request(url, headers={'User-Agent': self.agent}, **argv)
 
-	def __init__(self, jail, name, category, score=3, age="24h", key=None,
+	def __init__(self, jail, name, category, score=3, age="24h",
 		banaction=None, bancategory=None, bankey=None, updateperiod=900, 
 		loglevel='DEBUG', agent="Fail2Ban", timeout=TIMEOUT):
 		super(BadIPsAction, self).__init__(jail, name)
@@ -103,7 +100,6 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
 		self.category = category
 		self.score = score
 		self.age = age
-		self.key = key
 		self.banaction = banaction
 		self.bancategory = bancategory or category
 		self.bankey = bankey
@@ -381,8 +377,6 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
 		"""
 		try:
 			url = "/".join([self._badips, "add", self.category, str(aInfo['ip'])])
-			if self.key:
-				url = "?".join([url, urlencode({'key': self.key})])
 			self._logSys.debug('badips.com: ban, url: %r', url)
 			response = urlopen(self._Request(url), timeout=self.timeout)
 		except HTTPError as response: # pragma: no cover

config/filter.d/sshd.conf

@@ -65,6 +65,7 @@ mdre-normal =
 mdrp-normal-suff-onclosed = (?:%(__suff)s|\s*)$
 
 mdre-ddos = ^Did not receive identification string from <HOST>
+            ^Bad protocol version identification '.*' from <HOST>
             ^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>
             ^Connection <F-MLFFORGET>closed</F-MLFFORGET> by%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
             ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:

fail2ban/tests/action_d/test_badips.py

@@ -83,7 +83,7 @@ if sys.version_info >= (2,7): # pragma: no cover - may be unavailable
 				'banaction': "test",
 				'age': "2w",
 				'score': 5,
-				'key': "fail2ban-test-suite",
+				#'key': "fail2ban-test-suite",
 				#'bankey': "fail2ban-test-suite",
 				'timeout': (3 if unittest.F2B.fast else 60),
 				})

fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf

@@ -56,6 +56,7 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for
 mdre-normal =
 
 mdre-ddos =  ^%(__prefix_line_sl)sDid not receive identification string from <HOST>
+             ^%(__prefix_line_sl)sBad protocol version identification '.*' from <HOST>
              ^%(__prefix_line_sl)sConnection closed by%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
              ^%(__prefix_line_sl)sConnection reset by <HOST>
              ^%(__prefix_line_ml1)sSSH: Server;Ltype: (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:.*%(__prefix_line_ml2)sRead from socket failed: Connection reset by peer%(__suff)s$

fail2ban/tests/files/logs/sshd

@@ -267,6 +267,10 @@ Mar 19 16:47:50 srv sshd[5672]: Disconnected from authenticating user admin 192.
 Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114
 # failJSON: { "time": "2005-06-07T01:11:57", "match": true , "host": "192.0.2.5", "desc": "refactored message (with port now, gh-2062)" }
 Jun 7 01:11:57 host sshd[8782]: Did not receive identification string from 192.0.2.5 port 35836
+# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115", "desc": "bad protocol version, gh-2404" }
+Jun 7 01:11:58 host sshd[8783]: Bad protocol version identification 'dummy string' from 69.61.56.115 port 31778
+# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115", "desc": "check inject on ident" }
+Jun 7 01:11:58 host sshd[8783]: Bad protocol version identification 'dummy string' from 192.0.2.1' from 69.61.56.115 port 31778
 
 # gh-864(1):
 # failJSON: { "match": false }

files/fail2ban.service.in

@@ -6,13 +6,13 @@ PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftabl
 
 [Service]
 Type=simple
-ExecStartPre=/bin/mkdir -p /var/run/fail2ban
+ExecStartPre=/bin/mkdir -p /run/fail2ban
 ExecStart=@BINDIR@/fail2ban-server -xf start
 # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
 # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
 ExecStop=@BINDIR@/fail2ban-client stop
 ExecReload=@BINDIR@/fail2ban-client reload
-PIDFile=/var/run/fail2ban/fail2ban.pid
+PIDFile=/run/fail2ban/fail2ban.pid
 Restart=on-failure
 RestartPreventExitStatus=0 255