Merge commit '0.8.8-212-gf6f30f1' into 0.9

* commit '0.8.8-212-gf6f30f1': (24 commits) DOC: tune up formatting (spaces) and prelude for the changelog entry DOC: more ChangeLog entries all the way back to 0.8.8 DOC: move new actions and filters to New Features in ChangeLog DOC: tomcat and Guacmole are next release DOC: credit man page edits DOC: developers please rebase and use a single commit DOC: post release ChangeLog entry DOC: ChangeLog - current HEAD back to ce3ab34 DOC: begining of ChangeLog DOC: version/date of release DOC: ChangeLog versions and dates for Releasing DOC: guidance for pull requests BF: filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf DOC: a plugin to thanks for the community support Add After, PIDFile, and change WantedBy to multi-user.target in fail2ban.server DOC: slight tune ups to README (we are no longer compatible with python 2.3 ;) ) ENH: more openssh fail messages from openssh source code (CVS 20121205) Add systemd unit file and tmpfiles.d configuration files BF: do not rely on scripts being under /usr -- might differ eg on Fedora -- rely on import of common.version (Closes gh-112) RF: move exceptions used by both client and server into common/exceptions.py ... Conflicts: ChangeLog README
2013-04-22 09:55:27 -04:00 · 2013-04-22 09:55:27 -04:00 · 698c74d9ed
parent 1fcb5efbd7 f6f30f122e
commit 698c74d9ed
7 changed files with 158 additions and 28 deletions
--- a/96
+++ b/96
@ -21,35 +21,113 @@ Will carry all fixes in 0.8.x series and new features and enhancements
 ver. 0.8.9 (2013/04/XXX) - wanna-be-stable
 ----------
-This release incorporates 144 (XXX) non-merge commits from 14
+Although primarily a bugfix release, it incorporates many new
-contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
+enhancements, few new features, but more importantly -- quite extended
-Black, Steven Hiscocks, ArndRa, hamilton5, pigsyn, Erwan Ben Souiden,
+tests battery with current 94% coverage.  This release incorporates
-Michael Gebetsroither, Orion Poplawski, Artur Penttinen, sebres,
+more than a 100 of non-merge commits from 14 contributors (sorted by
-Nicolas Collignon, Pascal Borreli, blotus:
+number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks,
 ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
 Orion Poplawski, Artur Penttinen, sebres, Nicolas Collignon, Pascal
 Borreli, blotus:
 - Fixes:
  Yaroslav Halchenko
   * [6f4dad46] Documentation python-2.4 is the minimium version.
   * [1eb23cf8] do not rely on scripts being under /usr -- might differ eg on
     Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
   * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
     insight. Closes gh-103.
   * [ab044b75] delay check for the existence of config directory until read.
   * [3b4084d4] fixing up for handling of TAI64N timestamps.
   * [154aa38e] do not shutdown logging until all jails stop.
  Orion Poplawski
   * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
     newly created directories.
  Nicolas Collignon
   * [39667ff6] Avoid leaking file descriptors. Closes gh-167.
  Sergey Brester
   * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
     sorting template list.
  Steven Hiscocks
   * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
     Closes gh-147, gh-148.
   * [b6a68f51] Fix delaction on server side. Closes gh-124.
  Daniel Black
   * [f0610c01] Allow more that a one word command when changing and Action via
     the fail2ban-client. Closes gh-134.
  blotus
   * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
 - New features:
  Yaroslav Halchenko
   * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
     to provide additional flexibility to system adminstrators. Thanks to
     beilber for the idea. Closes gh-114.
   * [3ce53e87] Add exim filter.
  Erwan Ben Souiden
   * [d7d5228] add nagios integration documentation and script to ensure
     fail2ban is running. Closes gh-166.
  Artur Penttinen
   * [29d0df5] Add mysqld filter. Closes gh-152.
  ArndRaphael Brandes
   * [bba3fd8] Add Sogo filter. Closes gh-117.
  Michael Gebetsriother
   * [f9b78ba] Add action route to block at routing level.
  Teodor Micu & Yaroslav Halchenko
   * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
  Daniel Black
   * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
  Soulard Morgan
   * [f336d9f] Add filter for webmin. Closes gh-99.
 - Enhancements:
  Steven Hiscocks
   * [3d6791f] Ensure restart of Actions after a check fails occurs
     consistently. Closes gh-172.
   * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
   * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
   * [ce3ab34] Added ability to specify PID file.
  Orion Poplawski
   * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
     Closes gh-142.
  Yaroslav Halchenko
   * [MANY] Lots of improvements to log messages, man pages and test cases.
   * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
     Closes gh-126. Bug report by Michael Heuberger.
   * [40c5a2d] adding more of diagnostic messages into -client while starting
     the daemon.
  Daniel Black
   * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
   * [MANY] man page edits.
   * [7cd6dab] Added help command to fail2ban-client.
   * [c8c7b0b,23bbc60] Better logging of log file read errors.
   * [3665e6d] Added code coverage to development process.
  Pascal Borreli
   * [a2b29b4] Fixed lots of typos in config files and documentation.
  hamilton5
   * [7ede1e8] Update dovecot filter config.
 Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
 Hendrikx and other TBN heroes supporting users on fail2ban-users
 mailing list and IRC.
 ver. 0.8.8 (2012/12/06) - stable
 ----------
 - Fixes:
  Alan Jenkins
   * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
-     banning due to misconfigured DNS. Close gh-64
+     banning due to misconfigured DNS. Closes gh-64
  Yaroslav Halchenko
   * [83109bc] IMPORTANT: escape the content of <matches> (if used in
     custom action files) since its value could contain arbitrary
     symbols.  Thanks for discovery go to the NBS System security
     team
-   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83
+   * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83
   * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
   * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
-     in the console. Close gh-91
+     in the console. Closes gh-91
 - New features:
  David Engeset
   * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
-     the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86
+     the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86
  Yaroslav Halchenko
 - Enhancements:
   * [2d66f31] replaced uninformative "Invalid command" message with warning log
--- a/27
+++ b/27
@ -21,6 +21,19 @@ would like to add to Fail2Ban, the best way to do so it to use the GitHub Pull
 Request feature. You can find more details on the Fail2Ban wiki
 (http://www.fail2ban.org/wiki/index.php/Get_Involved)
 Pull Requests
 =============
 When submitting pull requests on GitHub we ask you to:
 * Clearly describe the problem you're solving;
 * Don't introduce regressions that will make it hard for systems adminstrators 
  to update;
 * If adding a major feature rebase your changes on master and get to a single commit;
 * Include test cases (see below);
 * Include sample logs (if relevant);
 * Include a change to the relevant section of the ChangeLog; and
 * Include yourself in THANKS if not already there.
 Testing
 =======
@ -257,6 +270,10 @@ Releasing
  git shortlog -sn 0.8.8.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g'
  Ensure the top of the ChangeLog has the right version and current date.
  Ensure the top entry of the ChangeLog has the right version and current date.
 # Update man pages
  (cd man ; ./generate-man )
@ -280,3 +297,13 @@ Releasing
 # Email users and development list of release
 TODO notifying distributors etc.
 Post Release:
 Add the following to the top of the ChangeLog
 ver. 0.8.9 (2013/XX/XXX) - wanna-be-stable
 - Fixes
 - New Features
 - Enhancements
--- a/37
+++ b/37
@ -13,13 +13,13 @@ rules can be defined by the user. Fail2Ban can read multiple log files such as
 sshd or Apache web server ones.
 This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
-are available on the project website: http://www.fail2ban.org
+are available in fail2ban(1) manpage and on the website http://www.fail2ban.org
 Installation:
 -------------
 Required:
-   >=python-2.3 or >=python-3.0 (http://www.python.org)
+   >=python-2.4 or >=python-3.0 (http://www.python.org)
 Optional:
   pyinotify:
@ -38,42 +38,43 @@ To install, just do:
 This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
 placed into /usr/bin.
-It is possible that Fail2ban is already packaged for your distribution. In this
+It is possible that Fail2ban is already packaged for your distribution.  In
-case, you should use it.
+this case, you should use it.
 Fail2Ban should be correctly installed now. Just type:
 > fail2ban-client -h
-to see if everything is alright. You should always use fail2ban-client and never
+to see if everything is alright. You should always use fail2ban-client and
-call fail2ban-server directly.
+never call fail2ban-server directly.
 Configuration:
 --------------
-You can configure Fail2Ban using the files in /etc/fail2ban. It is
+You can configure Fail2Ban using the files in /etc/fail2ban. It is possible to
-possible to configure the server using commands sent to it by
+configure the server using commands sent to it by fail2ban-client. The
-fail2ban-client. The available commands are described in the
+available commands are described in the fail2ban-client(1) manpage.  Also see
-fail2ban-client(1) manpage.  Also see fail2ban(1) manpage for further
+fail2ban(1) manpage for further references and find even more documentation on
-references and find even more documentation on the website:
+the website: http://www.fail2ban.org
 http://www.fail2ban.org
 Contact:
 --------
 Website: http://www.fail2ban.org
-You need some new features, you found bugs: visit
+You need some new features, you found bugs?
-https://github.com/fail2ban/fail2ban/issues
+visit https://github.com/fail2ban/fail2ban/issues
 and if your issue is not yet known -- file a bug report.
-If you would like to troubleshoot or discuss: join the mailing list
+You would like to troubleshoot or discuss?
 join the mailing list
 https://lists.sourceforge.net/lists/listinfo/fail2ban-users
-If you just appreciate this program: send kudos to the original author
+You just appreciate this program:
-(Cyril Jaquier: <cyril.jaquier@fail2ban.org>) or the mailing list
+send kudos to the original author (Cyril Jaquier <cyril.jaquier@fail2ban.org>)
 or better to the mailing list
 https://lists.sourceforge.net/lists/listinfo/fail2ban-users
-
+since Fail2Ban is "community-driven" for years now.
 Thanks:
 -------
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@ -2,6 +2,13 @@
 #
 # Author: Yaroslav Halchenko
 #
 # The regex here also relates to a exploit:
 #
 #  http://www.securityfocus.com/bid/17958/exploit
 #  The example code here shows the pushing of the exploit straight after
 #  reading the server version. This is where the client version string normally
 #  pushed. As such the server will read this unparsible information as
 #  "Did not receive identification string".
 [INCLUDES]
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -25,12 +25,14 @@ _daemon = sshd
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
-            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
+            ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
 # Option:  ignoreregex
--- a/files/fail2ban-tmpfiles.conf
+++ b/files/fail2ban-tmpfiles.conf
@ -0,0 +1 @@
 D /var/run/fail2ban 0755 root root -
--- a/files/fail2ban.service
+++ b/files/fail2ban.service
@ -0,0 +1,14 @@
 [Unit]
 Description=Fail2ban Service
 After=syslog.target network.target
 [Service]
 Type=forking
 ExecStart=/usr/bin/fail2ban-client -x start
 ExecStop=/usr/bin/fail2ban-client stop
 ExecReload=/usr/bin/fail2ban-client reload
 PIDFile=/var/run/fail2ban/fail2ban.pid
 Restart=always
 [Install]
 WantedBy=multi-user.target