From ed816afbcdd5e48b58b8bb9c3a5ad797ba317d0f Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 14 Dec 2013 01:41:28 +0000 Subject: [PATCH 01/10] ENH: add badips action --- config/action.d/badips.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 config/action.d/badips.conf diff --git a/config/action.d/badips.conf b/config/action.d/badips.conf new file mode 100644 index 00000000..4a5c0f97 --- /dev/null +++ b/config/action.d/badips.conf @@ -0,0 +1,19 @@ +# Fail2ban reporting to badips.com +# +# Note: This reports and IP only and does not actually ban traffic. Use +# another action in the same jail if you want bans to occur. +# +# Set the category to the appropriate value before use. +# +# To get see register and optional key to get personalised graphs see: +# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key + +[Definition] + +actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add// + +[Init] + +# Option: category +# Notes.: Values are from the list here: http://www.badips.com/get/categories +category = From 4765bc757c5d651bd5fc556890d21b6a6b01f649 Mon Sep 17 00:00:00 2001 
From: Ivo Truxa
Date: Tue, 14 Jan 2014 17:59:40 +0100
Subject: [PATCH 02/10] BF Dovecot auth failures

I am sorry, I installed the Win GIT, but still did not learn how to work with it, so am posting here again. This time, I'll avoid posting two pull requests, so please fix the dovecot.filter for me, if you don't mind.

This current filter does not match authentication errors in my Dovecot logs (two different lines attached). First of all the session string is at the end (after the optional TLS string), and not before it as it is now in the filter. I don't see it anywhere in the other logs here in the opposite order, hence I assume it is the rule for all installations. And then, the session ID can include also other characters than those matched by \w+ (i.e. the slash and the plus signs in my case), hence it needs to be \S+ instead.

Personally, I'd do the regex much less restrictive than it is, but if I follow the current logic, the following form works:
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$
--- testcases/files/logs/dovecot | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot index aa79e65a..b9ca50f9 100644 --- a/testcases/files/logs/dovecot +++ b/testcases/files/logs/dovecot @@ -42,3 +42,9 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER # failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" } Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104 + +# failJSON: { "time": "2014-01-13T20:51:05", "match": true , "host": "1.2.3.4" } +Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, session=<6brQWt/vCADDhP/+> +# failJSON: { "time": "2014-01-14T15:54:30", "match": true , "host": "1.2.3.4" } +Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session= + From 657da2041c1191fb21d6f70e17298f3216f925cd Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 15 Jan 2014 08:02:47 +1100 Subject: [PATCH 03/10] BF: dovecot filters, session characters and order of session/tls in log messages --- ChangeLog | 2 ++ config/filter.d/dovecot.conf | 2 +- testcases/files/logs/dovecot | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index aebfa829..c0b97c85 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -33,6 +33,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better send. This ensures that all data is sent before closing the connection. - Removed unnecessary reference to as yet undeclared $jail_name when checking a specific jail. + - Filter dovecot reordered session and TLS items in regex with wider scope + for session characters. Thanks Ivo Truxa. Closes gh-586 - Enhancements: - added firewallcmd-ipset action diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index a51ce259..c4ce7d7c 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -10,7 +10,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(\s+user=\S*)?\s*$ - ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$ + ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ignoreregex = diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot index b9ca50f9..5fe89c56 100644 --- a/testcases/files/logs/dovecot +++ b/testcases/files/logs/dovecot 
@@ -43,8 +43,8 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104 -# failJSON: { "time": "2014-01-13T20:51:05", "match": true , "host": "1.2.3.4" } +# failJSON: { "time": "2005-01-13T20:51:05", "match": true , "host": "1.2.3.4" } Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, session=<6brQWt/vCADDhP/+> -# failJSON: { "time": "2014-01-14T15:54:30", "match": true , "host": "1.2.3.4" } +# failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" } Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session= From 93613e82f0aec7257ea046209d44dbb92d4f8c97 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 15 Jan 2014 09:40:18 +1100 Subject: [PATCH 04/10] DOC: credits for action.d/badips --- ChangeLog | 1 + THANKS | 1 + 2 files changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index aebfa829..48af9ff0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -66,6 +66,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - Added filter.d/horde - Added filter for freeswitch. Thanks Jim and editors and authors of http://wiki.freeswitch.org/wiki/Fail2ban + - Added action.d/badips. Thanks to Amy for making a nice API. ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes diff --git a/THANKS b/THANKS index 38e29fe6..9224d207 100644 --- a/THANKS +++ b/THANKS @@ -12,6 +12,7 @@ ache ag4ve (Shawn) Alasdair D. Campbell Amir Caspi +Amy Andrey G. Grozin Andy Fragen Arturo 'Buanzo' Busleiman From 224e795f4c45fc9cf4b8c769b1fa97d544aeacde Mon Sep 17 00:00:00 2001 
From: Daniel Black Date: Sat, 18 Jan 2014 19:12:33 +1100 Subject: [PATCH 05/10] DOC: note in man page about "last message repeated" syslog compression. Closes Debian bug #620364 --- man/jail.conf.5 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/man/jail.conf.5 b/man/jail.conf.5 index e79ecd14..f8f076c6 100644 --- a/man/jail.conf.5 +++ b/man/jail.conf.5 @@ -129,6 +129,8 @@ name of the filter -- filename of the filter in /etc/fail2ban/filter.d/ without .TP .B logpath filename(s) of the log files to be monitored. Globs -- paths containing * and ? or [0-9] -- can be used however only the files that exist at start up matching this glob pattern will be considered. + +Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR. .TP .B action action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines). From c6c75dd19e7bdda3034db572ec02ef80489547e1 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 18 Jan 2014 19:28:21 +1100 Subject: [PATCH 06/10] BF: complete MANIFEST --- MANIFEST | 20 +++++++++++++++++++- common/version.py | 2 +- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/MANIFEST b/MANIFEST index 98a98532..9f2e5932 100644 --- a/MANIFEST +++ b/MANIFEST 
@@ -55,15 +55,20 @@ testcases/files/logs/bsd/syslog-plain.txt testcases/files/logs/bsd/syslog-v.txt testcases/files/logs/bsd/syslog-vv.txt testcases/files/logs/apache-overflows +testcases/files/logs/apache-modsecurity testcases/files/logs/assp testcases/files/logs/asterisk testcases/files/logs/dovecot +testcases/files/logs/ejabberd-auth testcases/files/logs/exim +testcases/files/logs/freeswitch testcases/files/logs/groupoffice +testcases/files/logs/horde testcases/files/logs/suhosin testcases/files/logs/mysqld-auth testcases/files/logs/named-refused testcases/files/logs/nginx-http-auth +testcases/files/logs/nsd testcases/files/logs/openwebmail testcases/files/logs/pam-generic testcases/files/logs/postfix @@ -72,6 +77,8 @@ testcases/files/logs/pure-ftpd testcases/files/logs/roundcube-auth testcases/files/logs/postfix-sasl testcases/files/logs/sogo-auth +testcases/files/logs/solid-pop3d +testcases/files/logs/squid testcases/files/logs/sshd testcases/files/logs/sshd-ddos testcases/files/logs/vsftpd @@ -141,6 +148,7 @@ config/jail.conf config/filter.d/common.conf config/filter.d/apache-auth.conf config/filter.d/apache-badbots.conf +config/filter.d/apache-modsecurity.conf config/filter.d/apache-nohome.conf config/filter.d/apache-noscript.conf config/filter.d/apache-overflows.conf @@ -148,10 +156,14 @@ config/filter.d/nginx-http-auth.conf config/filter.d/courierlogin.conf config/filter.d/couriersmtp.conf config/filter.d/cyrus-imap.conf +config/filter.d/ejabberd-auth.conf config/filter.d/exim.conf +config/filter.d/freeswitch.conf config/filter.d/gssftpd.conf +config/filter.d/horde.conf config/filter.d/suhosin.conf config/filter.d/named-refused.conf +config/filter.d/nsd.conf config/filter.d/openwebmail.conf config/filter.d/postfix.conf config/filter.d/proftpd.conf 
@@ -161,6 +173,8 @@ config/filter.d/pam-generic.conf config/filter.d/php-url-fopen.conf config/filter.d/postfix-sasl.conf config/filter.d/sieve.conf +config/filter.d/solid-pop3d.conf +config/filter.d/squid.conf config/filter.d/sshd.conf config/filter.d/sshd-ddos.conf config/filter.d/vsftpd.conf @@ -186,12 +200,15 @@ config/filter.d/groupoffice.conf config/filter.d/perdition.conf config/filter.d/uwimap-auth.conf config/action.d/apf.conf +config/action.d/blocklist_de.conf config/action.d/osx-afctl.conf config/action.d/osx-ipfw.conf config/action.d/sendmail-common.conf +config/action.d/badips.conf config/action.d/bsd-ipfw.conf config/action.d/dummy.conf -config/action.d/firewall-cmd-direct-new.conf +config/action.d/firewallcmd-new.conf +config/action.d/firewallcmd-ipset.conf config/action.d/iptables-ipset-proto6-allports.conf config/action.d/iptables-blocktype.conf config/action.d/iptables-ipset-proto4.conf @@ -219,6 +236,7 @@ config/action.d/sendmail-buffered.conf config/action.d/sendmail-whois.conf config/action.d/sendmail-whois-lines.conf config/action.d/shorewall.conf +config/action.d/ufw.conf config/fail2ban.conf doc/run-rootless.txt man/fail2ban-client.1 diff --git a/common/version.py b/common/version.py index eec5e794..871ecd04 100644 --- a/common/version.py +++ b/common/version.py @@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko" __license__ = "GPL" -version = "0.8.11.dev" +version = "0.8.12" From 2647461a3ce7e280c81bc889af6f0639bbd544f8 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 18 Jan 2014 19:38:25 +1100 Subject: [PATCH 07/10] DOC: ChangeLog. Note incompatible changes and group new filters and actions under New Features --- ChangeLog | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0ee04c9c..4469b43a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -11,17 +11,18 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better ----------- - IMPORTANT incompatible changes: + - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name + name length. As per gh-395 + - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. + Part of gh-447. - Fixes: - - Rename firewall-cmd-direct-new to firewall-cmd-new to fit within jail name - name length. As per gh-395 - allow for ",milliseconds" in the custom date format of proftpd.log - allow for ", referer ..." in apache-* filter for apache error logs. - allow for spaces at the beginning of kernel messages. Closes gh-448 - recidive jail to block all protocols. Closes gh-440. Thanksg Ioan Indreias - smtps not a IANA standard and has been removed from Arch. Replaced with 465. Thanks Stefan. Closes gh-447 - - mysqld-syslog-iptables rule was too long. Part of gh-447. - add 'flushlogs' command to allow logrotation without clobbering logtarget settings. Closes gh-458, Debian bug #697333, Redhat bug #891798. - complain action - ensure where not matching other IPs in log sample. @@ -37,16 +38,13 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better for session characters. Thanks Ivo Truxa. Closes gh-586 - Enhancements: - - added firewallcmd-ipset action - long names on jails documented based on iptables limit of 30 less len("fail2ban-"). - remove indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems. Closes Debian bug #730202. - - added squid filter. Thanks Roman Gelfand. - updated check_fail2ban to return performance data for all jails. - filter apache-noscript now includes php cgi scripts. Thanks dani. Closes gh-503 - - added ufw action. Thanks Guilhem Lettron. lp-#701522 - exim-spam filter to match spamassassin log entry for option SAdevnull. Thanks Ivo Truxa. Closes gh-533 - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543 
@@ -54,7 +52,6 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better Closes gh-566 - Added to sshd filter expression for "Received disconnect from : 3: ...: Auth fail". Thanks Marcel Dopita. Closes gh-289 - - Added filter.d/ejabberd-auth - Improved ACL-handling for Asterisk - loglines now also report "[PID]" after the name portion - Added improper command pipelining to postfix filter. @@ -68,7 +65,11 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - Added filter.d/horde - Added filter for freeswitch. Thanks Jim and editors and authors of http://wiki.freeswitch.org/wiki/Fail2ban + - Added filter for squid. Thanks Roman Gelfand. + - Added filter for ejabberd-auth - Added action.d/badips. Thanks to Amy for making a nice API. + - Added firewallcmd-ipset action + - Added ufw action. Thanks Guilhem Lettron. lp-#701522 ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes From 058621f9bd60adeac0ce2b950835056940cd3e01 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 18 Jan 2014 20:16:38 +1100 Subject: [PATCH 08/10] ENH: continue with rest of fail2ban config even if errors. Closes gh-585 --- ChangeLog | 2 ++ THANKS | 1 + fail2ban-client | 5 +++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4469b43a..b22fd955 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better a specific jail. - Filter dovecot reordered session and TLS items in regex with wider scope for session characters. Thanks Ivo Truxa. Closes gh-586 + - A single bad failregex or command syntax in configuration files won't stop + fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585. - Enhancements: - long names on jails documented based on iptables limit of 30 less diff --git a/THANKS b/THANKS index 9224d207..a5ef4fda 100644 --- a/THANKS +++ b/THANKS 
@@ -82,6 +82,7 @@ Stephen Gildea Steven Hiscocks Tom Pike Tomas Pihl +Tomasz Ciolek Tyler Vaclav Misek Vincent Deffontaines diff --git a/fail2ban-client b/fail2ban-client index 1237680b..0f863ab0 100755 --- a/fail2ban-client +++ b/fail2ban-client @@ -145,6 +145,7 @@ class Fail2banClient: def __processCmd(self, cmd, showRet = True): beautifier = Beautifier() + ret = True for c in cmd: beautifier.setInputCmd(c) try: @@ -155,10 +156,10 @@ class Fail2banClient: if showRet: print beautifier.beautify(ret[1]) else: + ret = False logSys.error("NOK: " + `ret[1].args`) if showRet: print beautifier.beautifyError(ret[1]) - return False except socket.error: if showRet: logSys.error("Unable to contact server. Is it running?") @@ -167,7 +168,7 @@ class Fail2banClient: if showRet: logSys.error(e) return False - return True + return ret ## # Process a command line. From 5ade6a13afb7ed1e9d7fb48bcc07a8fef2d1ac9d Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 18 Jan 2014 21:00:24 +1100 Subject: [PATCH 09/10] DOC: ChangeLog dateing and normalisation --- ChangeLog | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4469b43a..246223e3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,7 +7,7 @@ Fail2Ban (version 0.8.12.dev) 2013/11/13 ================================================================================ -ver. 0.8.12 (2013/12/XX) - things-can-only-get-better +ver. 0.8.12 (2014/01/XX) - things-can-only-get-better ----------- - IMPORTANT incompatible changes: 
@@ -47,9 +47,6 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better Thanks dani. Closes gh-503 - exim-spam filter to match spamassassin log entry for option SAdevnull. Thanks Ivo Truxa. Closes gh-533 - - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543 - - Added filter.d/groupoffice filter thanks to logs from Merijn Schering. - Closes gh-566 - Added to sshd filter expression for "Received disconnect from : 3: ...: Auth fail". Thanks Marcel Dopita. Closes gh-289 - Improved ACL-handling for Asterisk @@ -59,17 +56,21 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - New Features: - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist. - - Add filter for apache-modsecurity + - Add filter for apache-modsecurity. - filter.d/nsd.conf -- also amended Unix date template to match nsd format - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543 - - Added filter.d/horde + - Added filter.d/horde. - Added filter for freeswitch. Thanks Jim and editors and authors of - http://wiki.freeswitch.org/wiki/Fail2ban + http://wiki.freeswitch.org/wiki/Fail2ban. - Added filter for squid. Thanks Roman Gelfand. - - Added filter for ejabberd-auth + - Added filter for ejabberd-auth. + - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543 + - Added filter.d/groupoffice filter thanks to logs from Merijn Schering. + Closes gh-566 - Added action.d/badips. Thanks to Amy for making a nice API. - - Added firewallcmd-ipset action + - Added firewallcmd-ipset action. - Added ufw action. Thanks Guilhem Lettron. lp-#701522 + - Added blocklist_de action. ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes From 59b1e225e9928003e840050f0d14eb3cb2db677f Mon Sep 17 00:00:00 2001 
From: Daniel Black Date: Sat, 18 Jan 2014 21:13:55 +1100 Subject: [PATCH 10/10] DOC/ENH: update man pages for release --- man/fail2ban-client.1 | 10 +++++++--- man/fail2ban-regex.1 | 6 +++--- man/fail2ban-server.1 | 6 +++--- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index 62ae0edd..7542d5be 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 @@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. -.TH FAIL2BAN-CLIENT "1" "November 2013" "fail2ban-client v0.8.11" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-CLIENT "1" "January 2014" "fail2ban-client v0.8.12" "User Commands" .SH NAME fail2ban-client \- configure and control the server .SH SYNOPSIS .B fail2ban-client [\fIOPTIONS\fR] \fI\fR .SH DESCRIPTION -Fail2Ban v0.8.11 reads log file that contains password failure report +Fail2Ban v0.8.12 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP @@ -82,6 +82,10 @@ file .TP \fBget logtarget\fR gets logging target +.TP +\fBflushlogs\fR +flushes the logtarget if a file +and reopens it. For log rotation. .IP JAIL CONTROL .TP diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1 index e2c99565..1dec0860 100644 --- a/man/fail2ban-regex.1 +++ b/man/fail2ban-regex.1 @@ -1,5 +1,5 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. -.TH FAIL2BAN-REGEX "1" "November 2013" "fail2ban-regex 0.8.11" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-REGEX "1" "January 2014" "fail2ban-regex 0.8.12" "User Commands" .SH NAME fail2ban-regex \- test Fail2ban "failregex" option .SH SYNOPSIS @@ -16,7 +16,7 @@ string a string representing a log line .TP filename -path to a log file (/var/log/auth.log) +path to a log file (\fI/var/log/auth.log\fP) .SS "REGEX:" .TP string 
diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index 147bdeaa..d2c7cf6f 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. -.TH FAIL2BAN-SERVER "1" "November 2013" "fail2ban-server v0.8.11" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-SERVER "1" "January 2014" "fail2ban-server v0.8.12" "User Commands" .SH NAME fail2ban-server \- start the server .SH SYNOPSIS .B fail2ban-server [\fIOPTIONS\fR] .SH DESCRIPTION -Fail2Ban v0.8.11 reads log file that contains password failure report +Fail2Ban v0.8.12 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .PP Only use this command for debugging purpose. Start the server with
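Review bot: in PATCH 01/10, config/action.d/badips.conf, [Init] ships "category =" empty and the only guard is the header comment asking the admin to set it, so a jail that enables this action without configuring it runs actionban against an add URL with an empty category segment on every ban. Default it to a valid category, or state in the header that category has to be passed from the jail definition. The report is also sent over plain http://, so anyone on the path can read or alter what is submitted; use https if the service offers it. Smaller points: the user agent hard-codes "fail2ban v0.8.12" and will be stale after the next release, and the header comment has two slips, "reports and IP only" and "To get see register and optional key".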
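Review bot: PATCH 02/10 adds two cases with "match": true to testcases/files/logs/dovecot but, going by its diffstat, touches nothing in config/filter.d/dovecot.conf, while its own message says the current filter does not match these lines, so the test suite fails at this commit until 03/10 is applied. Fold the filter change into this patch, or put the filter fix first, so the history stays bisectable. The two failJSON times also use 2014, whereas the neighbouring case for a year-less syslog line in the same file expects 2005.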
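Review bot: in PATCH 03/10, config/filter.d/dovecot.conf, the new "(, session=<\S+>)?" group is wider than the sample needs: \S+ also accepts ">" and ",", while the session value in the added test line only goes beyond word characters with "/" and "+". A class such as [^>\s]+, or \w extended with "/" and "+", keeps the tail of the failregex tight. The reorder also drops the old session-before-TLS form completely; if that order was ever seen in real logs, keep a test line for it, otherwise say in the ChangeLog entry that it is no longer matched. The testcases hunk changes 2014 to 2005 in both failJSON times with no explanation in the commit message.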
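Review bot: in PATCH 05/10, man/jail.conf.5, the quoted syslog text has a misplaced asterisk, "\fI*last message repeated 5 time*s\fR", which renders as "time*s"; move it after the "s" or drop both asterisks. "otherwise it will fail to detect" has no subject or object, so say that fail2ban will miss the failures hidden behind the compressed line. The paragraph is also attached to logpath; since it names an rsyslog setting, a sentence on where that setting lives would save the reader a search.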
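Review bot: in PATCH 06/10, the common/version.py hunk changes version from "0.8.11.dev" to "0.8.12" inside a commit titled "BF: complete MANIFEST"; that is the release bump and belongs in its own commit, or at least in the subject line, so it can be found and reverted on its own. The context of 09/10 shows the ChangeLog header still reading "Fail2Ban (version 0.8.12.dev) 2013/11/13", so the two version strings disagree after this patch. For MANIFEST itself, the number of entries that had gone missing suggests adding a check that compares the file list against the tree.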
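Review bot: in PATCH 08/10, fail2ban-client __processCmd, the added "ret = False" in the else branch sits before the two lines that read ret[1] ("NOK: " + ret[1].args and beautifyError(ret[1])), so on the first failing command the code indexes a bool and raises instead of logging the server error; with the handlers further down returning False, the loop ends early, which is the behaviour this patch set out to remove. The same name is used for the server reply in the success branch (beautify(ret[1])), so the final "return ret" can also hand back a reply object rather than a boolean, and a failure followed by a success is forgotten. Keep the accumulated status in a separate variable, for example "ok = True" before the loop, "ok = False" in the else branch, and "return ok" at the end.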
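Review bot: in PATCH 09/10, ChangeLog, the second hunk adds "Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543" under New Features although the same entry is already there two lines above as unchanged context, so the release notes will list it twice; move only the groupoffice entry. The release line still carries a placeholder date, "2014/01/XX", and the full stops added for normalisation stop short of several entries in the same list (ejabberd-auth and horde get one, the squid, ufw and openwebmail lines are left as they were).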