From 97f48991a2f8a0f77644d7a1c76078fee65b5aa5 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 20 Jan 2009 21:24:33 +0000
Subject: [PATCH 01/15] - Remove socket file on startup is fail2ban crashed.
 Thanks to Detlef Reichelt.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@718 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog        | 2 ++
 files/suse-initd | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index c6a39d87..1773cc77 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,8 @@ ver. 0.8.4 (2008/??/??) - stable
 - Added/improved filters and date formats.
 - Added actions to report abuse to ISP, DShield and
   myNetWatchman. Thanks to Russell Odom.
+- Suse init script. Remove socket file on startup is fail2ban
+  crashed. Thanks to Detlef Reichelt.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/files/suse-initd b/files/suse-initd
index ecd55d9a..1dec63e2 100755
--- a/files/suse-initd
+++ b/files/suse-initd
@@ -35,6 +35,13 @@ rc_reset
 case "$1" in
     start)
         echo -n "Starting Fail2Ban "
+        # a cleanup workaround, since /etc/init.d/boot.local removes only. 
+        # regular files, and not sockets 
+        if test -e $FAIL2BAN_SOCKET; then
+            if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
+                rm $FAIL2BAN_SOCKET
+            fi
+        fi
         /sbin/startproc $FAIL2BAN_BIN start &>/dev/null
         rc_status -v
         ;;

From 870f9d9ea751a3aa6200318a249807de91b23b5c Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 20 Jan 2009 21:48:04 +0000
Subject: [PATCH 02/15] - Removed begin-line anchor for "standard" timestamp.
 Fixed Debian bug #500824.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@719 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog              | 2 ++
 server/datedetector.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 1773cc77..2cd36723 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,8 @@ ver. 0.8.4 (2008/??/??) - stable
   myNetWatchman. Thanks to Russell Odom.
 - Suse init script. Remove socket file on startup is fail2ban
   crashed. Thanks to Detlef Reichelt.
+- Removed begin-line anchor for "standard" timestamp. Fixed
+  Debian bug #500824.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/server/datedetector.py b/server/datedetector.py
index e68e5bce..87c87837 100644
--- a/server/datedetector.py
+++ b/server/datedetector.py
@@ -44,7 +44,7 @@ class DateDetector:
 			# standard
 			template = DateStrptime()
 			template.setName("MONTH Day Hour:Minute:Second")
-			template.setRegex("^\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
+			template.setRegex("\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
 			template.setPattern("%b %d %H:%M:%S")
 			self.__templates.append(template)
 			# asctime

From 024a77a679178a13cb2c3a52574a567303fdb68d Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 20 Jan 2009 23:08:59 +0000
Subject: [PATCH 03/15] - Removed print.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@720 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 server/datetemplate.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/server/datetemplate.py b/server/datetemplate.py
index f7f19f0d..6ed61efa 100644
--- a/server/datetemplate.py
+++ b/server/datetemplate.py
@@ -132,7 +132,7 @@ class DateStrptime(DateTemplate):
 				conv = self.convertLocale(dateMatch.group())
 				try:
 					date = list(time.strptime(conv, self.getPattern()))
-				except ValueError:
+				except ValueError, e:
 					# Try to add the current year to the pattern. Should fix
 					# the "Feb 29" issue.
 					conv += " %s" % MyTime.gmtime()[0]
@@ -187,6 +187,5 @@ class DateISO8601(DateTemplate):
 		if dateMatch:
 			# Parses the date.
 			value = dateMatch.group()
-			print value
 			date = list(iso8601.parse_date(value).utctimetuple())
 		return date

From 756cfcda5f7eee63419d943d3cf93275294836bf Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 27 Jan 2009 22:58:29 +0000
Subject: [PATCH 04/15] - Added nagios script. Thanks to Sebastian Mueller.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@721 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog                   |   1 +
 MANIFEST                    |   2 +
 files/nagios/check_fail2ban | 106 ++++++++++++++++++++++++++++++++++++
 files/nagios/f2ban.txt      |  18 ++++++
 4 files changed, 127 insertions(+)
 create mode 100644 files/nagios/check_fail2ban
 create mode 100644 files/nagios/f2ban.txt

diff --git a/ChangeLog b/ChangeLog
index 2cd36723..46fd5f1f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,7 @@ ver. 0.8.4 (2008/??/??) - stable
   crashed. Thanks to Detlef Reichelt.
 - Removed begin-line anchor for "standard" timestamp. Fixed
   Debian bug #500824.
+- Added nagios script. Thanks to Sebastian Mueller.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/MANIFEST b/MANIFEST
index 1ea7a621..39ca0df8 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -116,3 +116,5 @@ files/suse-initd
 files/cacti/fail2ban_stats.sh
 files/cacti/cacti_host_template_fail2ban.xml
 files/cacti/README
+files/nagios/check_fail2ban
+files/nagios/f2ban.txt
diff --git a/files/nagios/check_fail2ban b/files/nagios/check_fail2ban
new file mode 100644
index 00000000..0b40db53
--- /dev/null
+++ b/files/nagios/check_fail2ban
@@ -0,0 +1,106 @@
+#!/bin/bash
+#
+# Usage: ./check_fail2ban
+###############################################################################################
+# Description: 
+#		This plugin will check the status of Fail2ban.  
+#
+# Created:      2008-10-25 (Sebastian Mueller)
+#
+# Changes:      2008-10-26 fixed some issues (Sebastian Mueller)
+# Changes:      2009-01-25 add the second check, when server is not replying and the
+#		process is hang-up (Sebastian Mueller)
+#
+# please visit my website http://www.elchtest.eu or my personal WIKI http://wiki.elchtest.eu
+#
+################################################################################################
+# if you have any questions, send a mail to linux@krabbe-offline.de 
+#
+# this script is for my personal use. read the script before running/using it!!!
+#
+#
+# YOU HAVE BEEN WARNED. THIS MAY DESTROY YOUR MACHINE. I ACCEPT NO RESPONSIBILITY.
+###############################################################################################
+
+
+SECOND_CHECK=0 
+STATE_OK=0
+STATE_CRITICAL=2
+
+######################################################################
+# Read the Status from fail2ban-client 
+######################################################################
+check_processes_fail2ban()
+{
+        
+  F2B=`sudo -u root fail2ban-client ping | awk -F " " '{print $3}'`
+  exit_fail2ban=0
+
+  if  [[ $F2B = "pong" ]]; then
+   exit_fail2ban=$STATE_OK
+ else
+ exit_fail2ban=$STATE_CRITICAL
+ fi
+
+}
+######################################################################
+# first check in the Background, PID will be killed when no response
+# after 10 seconds, might be possible, otherwise the scipt will be
+# pressent in your memory all the time
+#
+######################################################################
+
+check_processes_fail2ban &
+pid=$!
+
+typeset -i i=0
+while ps $pid >/dev/null
+do
+ sleep 1
+ i=$i+1
+if [ $i -ge 10 ]
+ then
+ kill $pid 
+   SECOND_CHECK=1
+   exit_fail2ban=$STATE_CRITICAL
+   break
+fi
+done
+
+######################################################################
+# when the Server response (doesent mean the FAIL2BAN is working)
+# in the first step, then it will run again and test the Service 
+# and provide the real status
+######################################################################
+
+
+if [ $SECOND_CHECK -eq 0  ]; then
+  check_processes_fail2ban
+ elif [ $SECOND_CHECK -eq 1 ]; then
+  exit_fail2ban=$STATE_CRITICAL
+fi
+
+
+
+######################################################################
+# Mainmenu
+######################################################################
+
+
+final_exit=$exit_fail2ban
+if [ $final_exit -eq 0  ]; then
+  echo "SYSTEM OK - Fail2ban is working normaly"
+  exitstatus=$STATE_OK
+elif [ $final_exit -ne "0" ]; then
+  echo "SYSTEM WARNING - Fail2Ban is not working"
+######################################################################
+# If don't have a Nagios Server for monitoring, remove the comment and
+# add your Mail Addres. You can check it with a Cron Job once a hour.
+# put a txt file on your server and describe how to fix the issue, this 
+# could be attached to the mail.
+######################################################################
+#  mutt -s "FAIL2BAN NOT WORKING" your@email.com < /home/f2ban.txt
+
+  exitstatus=$STATE_CRITICAL
+fi
+exit $exitstatus
diff --git a/files/nagios/f2ban.txt b/files/nagios/f2ban.txt
new file mode 100644
index 00000000..a811cd5d
--- /dev/null
+++ b/files/nagios/f2ban.txt
@@ -0,0 +1,18 @@
+It seems that Fail2ban is currently not working, please login and check
+
+HELP:
+
+1.) stop the Service
+/etc/init.d/fail2ban stop
+
+2.) delete the socket if avalible
+rm /tmp/fail2ban.sock
+
+3.) start the Service 
+/etc/init.d/fail2ban start
+
+4.) check if fail2ban is working
+fail2ban-client ping
+Answer should be "pong"
+
+5.) if the answer is not "pong" run away or  CRY FOR HELP ;-) 

From 6b9896c332057455e91f0e79a36e50400d89cb4c Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 27 Jan 2009 23:21:55 +0000
Subject: [PATCH 05/15] - Added CPanel date format. Thanks to David Collins.
 Tracker #1967610.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@722 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog              | 2 ++
 server/datedetector.py | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 46fd5f1f..fe73c096 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,8 @@ ver. 0.8.4 (2008/??/??) - stable
 - Removed begin-line anchor for "standard" timestamp. Fixed
   Debian bug #500824.
 - Added nagios script. Thanks to Sebastian Mueller.
+- Added CPanel date format. Thanks to David Collins. Tracker
+  #1967610
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/server/datedetector.py b/server/datedetector.py
index 87c87837..6ee6870d 100644
--- a/server/datedetector.py
+++ b/server/datedetector.py
@@ -77,6 +77,12 @@ class DateDetector:
 			template.setRegex("\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}")
 			template.setPattern("%d/%b/%Y:%H:%M:%S")
 			self.__templates.append(template)
+			# CPanel 05/20/2008:01:57:39
+			template = DateStrptime()
+			template.setName("Month/Day/Year:Hour:Minute:Second")
+			template.setRegex("\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}")
+			template.setPattern("%m/%d/%Y:%H:%M:%S")
+			self.__templates.append(template)
 			# Exim 2006-12-21 06:43:20
 			template = DateStrptime()
 			template.setName("Year-Month-Day Hour:Minute:Second")

From e46e8ed32e2adc68dda08695ea65202fb9b296f3 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 27 Jan 2009 23:35:46 +0000
Subject: [PATCH 06/15] - Improved SASL filter. Thanks to Loic Pefferkorn.
 Tracker #2310410.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@723 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog                 | 4 +++-
 config/filter.d/sasl.conf | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fe73c096..6150aea7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,7 +26,9 @@ ver. 0.8.4 (2008/??/??) - stable
   Debian bug #500824.
 - Added nagios script. Thanks to Sebastian Mueller.
 - Added CPanel date format. Thanks to David Collins. Tracker
-  #1967610
+  #1967610.
+- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker
+  #2310410.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/config/filter.d/sasl.conf b/config/filter.d/sasl.conf
index c25aca6b..bff6f92b 100644
--- a/config/filter.d/sasl.conf
+++ b/config/filter.d/sasl.conf
@@ -14,7 +14,7 @@
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values: TEXT
 #
-failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
+failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

From e16c18d091e0142ed906a77533a162ad092d21aa Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 27 Jan 2009 23:39:38 +0000
Subject: [PATCH 07/15] - Added NetBSD ipfilter (ipf command) action. Thanks to
 Ed Ravin. Tracker #2484115.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@724 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog                     |  2 ++
 MANIFEST                      |  1 +
 config/action.d/ipfilter.conf | 57 +++++++++++++++++++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 config/action.d/ipfilter.conf

diff --git a/ChangeLog b/ChangeLog
index 6150aea7..1b6b6138 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,8 @@ ver. 0.8.4 (2008/??/??) - stable
   #1967610.
 - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker
   #2310410.
+- Added NetBSD ipfilter (ipf command) action. Thanks to Ed
+  Ravin. Tracker #2484115.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/MANIFEST b/MANIFEST
index 39ca0df8..00040912 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -83,6 +83,7 @@ config/action.d/complain.conf
 config/action.d/dshield.conf
 config/action.d/hostsdeny.conf
 config/action.d/ipfw.conf
+config/action.d/ipfilter.conf
 config/action.d/iptables.conf
 config/action.d/iptables-allports.conf
 config/action.d/iptables-multiport.conf
diff --git a/config/action.d/ipfilter.conf b/config/action.d/ipfilter.conf
new file mode 100644
index 00000000..991d9e58
--- /dev/null
+++ b/config/action.d/ipfilter.conf
@@ -0,0 +1,57 @@
+# Fail2Ban configuration file
+#
+# NetBSD ipfilter (ipf command) ban/unban
+#
+# Author: Ed Ravin <eravin@panix.com>
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# enable IPF if not already enabled
+actionstart = /sbin/ipf -E
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+# note -r option used to remove matching rule
+actionunban = echo block in quick from <ip>/32 | /sbin/ipf -r -f -
+
+[Init]
+

From e86e7d002e56d1a90bd9102a5eef9a1261b4b43a Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 3 Feb 2009 21:51:32 +0000
Subject: [PATCH 08/15] - Added missing semi-colon in the bind9 example. Thanks
 to Yaroslav Halchenko.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@725 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 config/jail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/jail.conf b/config/jail.conf
index 57bc9839..3ce79715 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -178,7 +178,7 @@ ignoreip = 168.192.0.1
 #     category security {
 #         security_file;
 #     };
-# }
+# };
 #
 # in your named.conf to provide proper logging.
 # This jail blocks UDP traffic for DNS requests.

From 376f348823666bc8750ba12938ca1165c23490c2 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 3 Feb 2009 21:56:03 +0000
Subject: [PATCH 09/15] - Pull a commit from Yaroslav git repo. BF: addressing
 added bang to ssh log (closes: #512193).

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@726 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 2993b30f..596837ba 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -31,7 +31,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro
             ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
             ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
-            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
+            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
             ^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$
 
 # Option:  ignoreregex

From 7fd0300a73bfb7c026b41ced7a1774bfe2a7b5ed Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Tue, 3 Feb 2009 22:37:46 +0000
Subject: [PATCH 10/15] - Added cyrus-imap and sieve filters. Thanks to Jan
 Wagner. Debian bug #513953.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@727 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog                       |  2 ++
 MANIFEST                        |  2 ++
 config/filter.d/cyrus-imap.conf | 26 ++++++++++++++++++++++++++
 config/filter.d/sieve.conf      | 22 ++++++++++++++++++++++
 4 files changed, 52 insertions(+)
 create mode 100644 config/filter.d/cyrus-imap.conf
 create mode 100644 config/filter.d/sieve.conf

diff --git a/ChangeLog b/ChangeLog
index 1b6b6138..42e5b41d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,8 @@ ver. 0.8.4 (2008/??/??) - stable
   #2310410.
 - Added NetBSD ipfilter (ipf command) action. Thanks to Ed
   Ravin. Tracker #2484115.
+- Added cyrus-imap and sieve filters. Thanks to Jan Wagner.
+  Debian bug #513953.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/MANIFEST b/MANIFEST
index 00040912..7d8a722d 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -64,6 +64,7 @@ config/filter.d/apache-noscript.conf
 config/filter.d/apache-overflows.conf
 config/filter.d/courierlogin.conf
 config/filter.d/couriersmtp.conf
+config/filter.d/cyrus-imap.conf
 config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
 config/filter.d/named-refused.conf
@@ -73,6 +74,7 @@ config/filter.d/pure-ftpd.conf
 config/filter.d/qmail.conf
 config/filter.d/pam-generic.conf
 config/filter.d/sasl.conf
+config/filter.d/sieve.conf
 config/filter.d/sshd.conf
 config/filter.d/sshd-ddos.conf
 config/filter.d/vsftpd.conf
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
new file mode 100644
index 00000000..07669113
--- /dev/null
+++ b/config/filter.d/cyrus-imap.conf
@@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Jan Wagner <waja@cyconet.org>
+#
+# $Revision$
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
+	    : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
+	    : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
+	    : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
diff --git a/config/filter.d/sieve.conf b/config/filter.d/sieve.conf
new file mode 100644
index 00000000..00e9daf1
--- /dev/null
+++ b/config/filter.d/sieve.conf
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Jan Wagner <waja@cyconet.org>
+#
+# $Revision$
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching.
+# Values: TEXT
+#
+failregex = : badlogin: .*\[<HOST>\] (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 

From abd061bad8ca73b7fbcfbb03cf2376a907b89ec3 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Sun, 8 Feb 2009 17:31:24 +0000
Subject: [PATCH 11/15] - Changed <HOST> template to be more restrictive.
 Debian bug #514163.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog                            | 2 ++
 config/filter.d/apache-auth.conf     | 2 +-
 config/filter.d/apache-noscript.conf | 2 +-
 config/filter.d/common.conf          | 2 +-
 config/filter.d/courierlogin.conf    | 2 +-
 config/filter.d/couriersmtp.conf     | 2 +-
 config/filter.d/cyrus-imap.conf      | 2 +-
 config/filter.d/exim.conf            | 2 +-
 config/filter.d/postfix.conf         | 2 +-
 config/filter.d/proftpd.conf         | 2 +-
 config/filter.d/pure-ftpd.conf       | 2 +-
 config/filter.d/qmail.conf           | 2 +-
 config/filter.d/sasl.conf            | 2 +-
 config/filter.d/sshd-ddos.conf       | 2 +-
 config/filter.d/sshd.conf            | 2 +-
 config/filter.d/vsftpd.conf          | 2 +-
 config/filter.d/webmin-auth.conf     | 2 +-
 config/filter.d/xinetd-fail.conf     | 2 +-
 server/failregex.py                  | 2 +-
 server/filter.py                     | 2 +-
 testcases/filtertestcase.py          | 8 ++++----
 21 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 42e5b41d..25f8d534 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,8 @@ ver. 0.8.4 (2008/??/??) - stable
   Ravin. Tracker #2484115.
 - Added cyrus-imap and sieve filters. Thanks to Jan Wagner.
   Debian bug #513953.
+- Changed <HOST> template to be more restrictive. Debian bug
+  #514163.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 20553d91..962fb2e3 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = [[]client <HOST>[]] user .* authentication failure
diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf
index 25dd62d3..4746fbfb 100644
--- a/config/filter.d/apache-noscript.conf
+++ b/config/filter.d/apache-noscript.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf
index ee084229..b580c78d 100644
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@@ -3,7 +3,7 @@
 #
 # Author: Yaroslav Halchenko
 #
-# $Revision:  $
+# $Revision$
 #
 
 [INCLUDES]
diff --git a/config/filter.d/courierlogin.conf b/config/filter.d/courierlogin.conf
index a5b6d161..b8710ac3 100644
--- a/config/filter.d/courierlogin.conf
+++ b/config/filter.d/courierlogin.conf
@@ -12,7 +12,7 @@
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
diff --git a/config/filter.d/couriersmtp.conf b/config/filter.d/couriersmtp.conf
index a035e285..f0d696ff 100644
--- a/config/filter.d/couriersmtp.conf
+++ b/config/filter.d/couriersmtp.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = error,relay=<HOST>,.*550 User unknown
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index 07669113..3a8734ee 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 98b589be..a25ef3db 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index c808b109..8db7faee 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = reject: RCPT from (.*)\[<HOST>\]: 554
diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf
index 852fb59c..ec613b94 100644
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf
index 1933d6e0..fbbfc2d1 100644
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@@ -16,7 +16,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
 # Notes.: regex to match the password failures messages in the logfile. The
 #         host must be matched by a group named "host". The tag "<HOST>" can
 #         be used for standard IP/hostname matching and is only an alias for
-#         (?:::f{4,6}:)?(?P<host>\S+)
+#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
diff --git a/config/filter.d/qmail.conf b/config/filter.d/qmail.conf
index 0ae518fc..4d7acd6f 100644
--- a/config/filter.d/qmail.conf
+++ b/config/filter.d/qmail.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>
diff --git a/config/filter.d/sasl.conf b/config/filter.d/sasl.conf
index bff6f92b..5cd8a6d5 100644
--- a/config/filter.d/sasl.conf
+++ b/config/filter.d/sasl.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
diff --git a/config/filter.d/sshd-ddos.conf b/config/filter.d/sshd-ddos.conf
index 9720ab4a..4f4b6fa2 100644
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 596837ba..2c53ee7d 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -20,7 +20,7 @@ _daemon = sshd
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index d905f825..4fc25777 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -11,7 +11,7 @@
 # Notes.: regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
diff --git a/config/filter.d/webmin-auth.conf b/config/filter.d/webmin-auth.conf
index ddf081ea..70997e01 100644
--- a/config/filter.d/webmin-auth.conf
+++ b/config/filter.d/webmin-auth.conf
@@ -15,7 +15,7 @@
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = webmin.* Non-existent login as .+ from <HOST>$
diff --git a/config/filter.d/xinetd-fail.conf b/config/filter.d/xinetd-fail.conf
index a60bffd5..e1c1e108 100644
--- a/config/filter.d/xinetd-fail.conf
+++ b/config/filter.d/xinetd-fail.conf
@@ -11,7 +11,7 @@
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 # Cfr.: /var/log/(daemon\.|sys)log
diff --git a/server/failregex.py b/server/failregex.py
index 398817fd..0a5a0de4 100644
--- a/server/failregex.py
+++ b/server/failregex.py
@@ -44,7 +44,7 @@ class Regex:
 		self._matchCache = None
 		# Perform shortcuts expansions.
 		# Replace "<HOST>" with default regular expression for host.
-		regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
+		regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")
 		if regex.lstrip() == '':
 			raise RegexException("Cannot add empty regex")
 		try:
diff --git a/server/filter.py b/server/filter.py
index bf5d34f8..16c82af4 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -492,7 +492,7 @@ import socket, struct
 
 class DNSUtils:
 	
-	IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
+	IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
 	
 	#@staticmethod
 	def dnsToIp(dns):
diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py
index a90ec468..f738f34a 100644
--- a/testcases/filtertestcase.py
+++ b/testcases/filtertestcase.py
@@ -99,7 +99,7 @@ class GetFailures(unittest.TestCase):
 		output = ('193.168.0.128', 3, 1124013599.0)
 		
 		self.__filter.addLogPath(GetFailures.FILENAME_01)
-		self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)")
+		self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>")
 
 		self.__filter.getFailures(GetFailures.FILENAME_01)
 		
@@ -116,7 +116,7 @@ class GetFailures(unittest.TestCase):
 		output = ('141.3.81.106', 4, 1124013539.0)
 
 		self.__filter.addLogPath(GetFailures.FILENAME_02)
-		self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P<host>\S*)")
+		self.__filter.addFailRegex("Failed .* from <HOST>")
 		
 		self.__filter.getFailures(GetFailures.FILENAME_02)
 		
@@ -133,7 +133,7 @@ class GetFailures(unittest.TestCase):
 		output = ('203.162.223.135', 6, 1124013544.0)
 
 		self.__filter.addLogPath(GetFailures.FILENAME_03)
-		self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P<host>\S*),.*550 User unknown")
+		self.__filter.addFailRegex("error,relay=<HOST>,.*550 User unknown")
 		
 		self.__filter.getFailures(GetFailures.FILENAME_03)
 		
@@ -151,7 +151,7 @@ class GetFailures(unittest.TestCase):
 				  ('212.41.96.185', 4, 1124013598.0)]
 
 		self.__filter.addLogPath(GetFailures.FILENAME_04)
-		self.__filter.addFailRegex("Invalid user .* (?P<host>\S*)")
+		self.__filter.addFailRegex("Invalid user .* <HOST>")
 		
 		self.__filter.getFailures(GetFailures.FILENAME_04)
 

From 3155bc8f03967bb896aa9887374d284dfb770d32 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Sun, 8 Feb 2009 19:50:44 +0000
Subject: [PATCH 12/15] - Use timetuple instead of utctimetuple for ISO 8601.
 Maybe not a 100% correct fix but seems to work. Tracker #2500276.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@729 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog              | 2 ++
 server/datetemplate.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 25f8d534..0d551c2d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,8 @@ ver. 0.8.4 (2008/??/??) - stable
   Debian bug #513953.
 - Changed <HOST> template to be more restrictive. Debian bug
   #514163.
+- Use timetuple instead of utctimetuple for ISO 8601. Maybe
+  not a 100% correct fix but seems to work. Tracker #2500276.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/server/datetemplate.py b/server/datetemplate.py
index 6ed61efa..284d374b 100644
--- a/server/datetemplate.py
+++ b/server/datetemplate.py
@@ -187,5 +187,5 @@ class DateISO8601(DateTemplate):
 		if dateMatch:
 			# Parses the date.
 			value = dateMatch.group()
-			date = list(iso8601.parse_date(value).utctimetuple())
+			date = list(iso8601.parse_date(value).timetuple())
 		return date

From 55fd21ec4bc8ee115c382b8a13fce673ecf1d0b3 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Mon, 9 Feb 2009 20:27:35 +0000
Subject: [PATCH 13/15] - Made the named-refused regex a bit less restrictive
 in order to match logs with "view". Thanks to Stephen Gildea.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@730 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog                          | 2 ++
 config/filter.d/named-refused.conf | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 0d551c2d..8ecdf817 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,8 @@ ver. 0.8.4 (2008/??/??) - stable
   #514163.
 - Use timetuple instead of utctimetuple for ISO 8601. Maybe
   not a 100% correct fix but seems to work. Tracker #2500276.
+- Made the named-refused regex a bit less restrictive in
+  order to match logs with "view". Thanks to Stephen Gildea. 
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf
index c2c06a8f..ebf7681a 100644
--- a/config/filter.d/named-refused.conf
+++ b/config/filter.d/named-refused.conf
@@ -26,7 +26,7 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
-failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
+failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

From 0cf733e87869ffa5fd19b00284a4b767dc9ac792 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Mon, 9 Feb 2009 22:08:21 +0000
Subject: [PATCH 14/15] - Fixed maxretry/findtime rate. Many thanks to Christos
 Psonis. Tracker #2019714.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@731 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog                        |  4 +++-
 server/faildata.py               |  8 +++++++-
 server/failmanager.py            |  4 ++++
 testcases/failmanagertestcase.py | 16 ++++++++++++++--
 4 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8ecdf817..f9ab625f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,7 +38,9 @@ ver. 0.8.4 (2008/??/??) - stable
 - Use timetuple instead of utctimetuple for ISO 8601. Maybe
   not a 100% correct fix but seems to work. Tracker #2500276.
 - Made the named-refused regex a bit less restrictive in
-  order to match logs with "view". Thanks to Stephen Gildea. 
+  order to match logs with "view". Thanks to Stephen Gildea.
+- Fixed maxretry/findtime rate. Many thanks to Christos
+  Psonis. Tracker #2019714.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
diff --git a/server/faildata.py b/server/faildata.py
index bcd945d8..d68cd7c1 100644
--- a/server/faildata.py
+++ b/server/faildata.py
@@ -34,6 +34,7 @@ class FailData:
 	def __init__(self):
 		self.__retry = 0
 		self.__lastTime = 0
+		self.__lastReset = 0
 	
 	def setRetry(self, value):
 		self.__retry = value
@@ -50,4 +51,9 @@ class FailData:
 	
 	def getLastTime(self):
 		return self.__lastTime
-	
\ No newline at end of file
+
+	def getLastReset(self):
+		return self.__lastReset
+
+	def setLastReset(self, value):
+		self.__lastReset = value
diff --git a/server/failmanager.py b/server/failmanager.py
index b5e95867..95cd47c0 100644
--- a/server/failmanager.py
+++ b/server/failmanager.py
@@ -90,11 +90,15 @@ class FailManager:
 			unixTime = ticket.getTime()
 			if self.__failList.has_key(ip):
 				fData = self.__failList[ip]
+				if fData.getLastReset() < unixTime - self.__maxTime:
+					fData.setLastReset(unixTime)
+					fData.setRetry(0)
 				fData.inc()
 				fData.setLastTime(unixTime)
 			else:
 				fData = FailData()
 				fData.inc()
+				fData.setLastReset(unixTime)
 				fData.setLastTime(unixTime)
 				self.__failList[ip] = fData
 			self.__failTotal += 1
diff --git a/testcases/failmanagertestcase.py b/testcases/failmanagertestcase.py
index 7dfed256..95f25b44 100644
--- a/testcases/failmanagertestcase.py
+++ b/testcases/failmanagertestcase.py
@@ -39,7 +39,12 @@ class AddFailure(unittest.TestCase):
 					    ['193.168.0.128', 1167605999.0],
 					    ['87.142.124.10', 1167605999.0],
 					    ['87.142.124.10', 1167605999.0],
-					    ['87.142.124.10', 1167605999.0]]
+					    ['87.142.124.10', 1167605999.0],
+					    ['100.100.10.10', 1000000000.0],
+					    ['100.100.10.10', 1000000500.0],
+					    ['100.100.10.10', 1000001000.0],
+					    ['100.100.10.10', 1000001500.0],
+					    ['100.100.10.10', 1000002000.0]]
 		
 		self.__failManager = FailManager()
 		for i in self.__items:
@@ -49,7 +54,7 @@ class AddFailure(unittest.TestCase):
 		"""Call after every test case."""
 	
 	def testAdd(self):
-		self.assertEqual(self.__failManager.size(), 2)
+		self.assertEqual(self.__failManager.size(), 3)
 	
 	def _testDel(self):
 		self.__failManager.delFailure('193.168.0.128')
@@ -76,3 +81,10 @@ class AddFailure(unittest.TestCase):
 	def testbanNOK(self):
 		self.__failManager.setMaxRetry(10)
 		self.assertRaises(FailManagerEmpty, self.__failManager.toBan)
+
+	def testWindow(self):
+		ticket = self.__failManager.toBan()
+		self.assertNotEqual(ticket.getIP(), "100.100.10.10")
+		ticket = self.__failManager.toBan()
+		self.assertNotEqual(ticket.getIP(), "100.100.10.10")
+		self.assertRaises(FailManagerEmpty, self.__failManager.toBan)

From 53886e91b3a68e4d00ffce4fa9c345e64460ed22 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Mon, 9 Feb 2009 22:36:11 +0000
Subject: [PATCH 15/15] - Use 80 columns.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@732 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog | 419 +++++++++++++++++++++++-------------------------------
 README    |  94 ++++++------
 TODO      |  36 +++--
 3 files changed, 237 insertions(+), 312 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f9ab625f..6b5c9864 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,130 +1,102 @@
-               __      _ _ ___ _               
-              / _|__ _(_) |_  ) |__  __ _ _ _  
-             |  _/ _` | | |/ /| '_ \/ _` | ' \ 
-             |_| \__,_|_|_/___|_.__/\__,_|_||_|
+                         __      _ _ ___ _               
+                        / _|__ _(_) |_  ) |__  __ _ _ _  
+                       |  _/ _` | | |/ /| '_ \/ _` | ' \ 
+                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
-=============================================================
-Fail2Ban (version 0.8.4)                           2008/??/??
-=============================================================
+================================================================================
+Fail2Ban (version 0.8.4)                                              2009/02/??
+================================================================================
 
-ver. 0.8.4 (2008/??/??) - stable
+ver. 0.8.4 (2009/??/??) - stable
 ----------
-- Merged patches from Debian package. Thanks to Yaroslav
-  Halchenko.
-- Use current day and month instead of Jan 1st if both are
-  not available in the log. Thanks to Andreas Itzchak
-  Rehberg.
-- Try to match the regex even if the line does not contain a
-  valid date/time. Described in Debian #491253. Thanks to
-  Yaroslav Halchenko.
+- Merged patches from Debian package. Thanks to Yaroslav Halchenko.
+- Use current day and month instead of Jan 1st if both are not available in the
+  log. Thanks to Andreas Itzchak Rehberg.
+- Try to match the regex even if the line does not contain a valid date/time.
+  Described in Debian #491253. Thanks to Yaroslav Halchenko.
 - Added/improved filters and date formats.
-- Added actions to report abuse to ISP, DShield and
-  myNetWatchman. Thanks to Russell Odom.
-- Suse init script. Remove socket file on startup is fail2ban
-  crashed. Thanks to Detlef Reichelt.
-- Removed begin-line anchor for "standard" timestamp. Fixed
-  Debian bug #500824.
+- Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to
+  Russell Odom.
+- Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to
+  Detlef Reichelt.
+- Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
 - Added nagios script. Thanks to Sebastian Mueller.
-- Added CPanel date format. Thanks to David Collins. Tracker
-  #1967610.
-- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker
-  #2310410.
-- Added NetBSD ipfilter (ipf command) action. Thanks to Ed
-  Ravin. Tracker #2484115.
-- Added cyrus-imap and sieve filters. Thanks to Jan Wagner.
-  Debian bug #513953.
-- Changed <HOST> template to be more restrictive. Debian bug
-  #514163.
-- Use timetuple instead of utctimetuple for ISO 8601. Maybe
-  not a 100% correct fix but seems to work. Tracker #2500276.
-- Made the named-refused regex a bit less restrictive in
-  order to match logs with "view". Thanks to Stephen Gildea.
-- Fixed maxretry/findtime rate. Many thanks to Christos
-  Psonis. Tracker #2019714.
+- Added CPanel date format. Thanks to David Collins. Tracker #1967610.
+- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
+- Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
+  #2484115.
+- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
+- Changed <HOST> template to be more restrictive. Debian bug #514163.
+- Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct
+  fix but seems to work. Tracker #2500276.
+- Made the named-refused regex a bit less restrictive in order to match logs
+  with "view". Thanks to Stephen Gildea.
+- Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker
+  #2019714.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------
 - Process failtickets as long as failmanager is not empty.
-- Added "pam-generic" filter and more configuration fixes.
-  Thanks to Yaroslav Halchenko.
-- Fixed socket path in redhat and suse init script. Thanks to
-  Jim Wight.
-- Fixed PID file while started in daemon mode. Thanks to
-  Christian Jobic who submitted a similar patch.
+- Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav
+  Halchenko.
+- Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
+- Fixed PID file while started in daemon mode. Thanks to Christian Jobic who
+  submitted a similar patch.
 - Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
 - Added gssftpd filter. Thanks to Kevin Zembower.
-- Added "Day/Month/Year Hour:Minute:Second" date template.
-  Thanks to Dennis Winter.
-- Fixed ignoreregex processing in fail2ban-client. Thanks to
-  René Berber.
+- Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis
+  Winter.
+- Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
 - Added ISO 8601 date/time format.
 - Added and changed some logging level and messages.
-- Added missing ignoreregex to filters. Thanks to Klaus
-  Lehmann.
-- Use poll instead of select in asyncore.loop. This should
-  solve the "Unknown error 514". Thanks to Michael Geiger and
-  Klaus Lehmann.
+- Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
+- Use poll instead of select in asyncore.loop. This should solve the "Unknown
+  error 514". Thanks to Michael Geiger and Klaus Lehmann.
 
 ver. 0.8.2 (2008/03/06) - stable
 ----------
 - Fixed named filter. Thanks to Yaroslav Halchenko
-- Fixed wrong path for apache-auth in jail.conf. Thanks to
-  Vincent Deffontaines
-- Fixed timezone bug with epoch date template. Thanks to
-  Michael Hanselmann
-- Added "full line failregex" patch. Thanks to Yaroslav
-  Halchenko. It will be possible to create stronger failregex
-  against log injection
+- Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
+- Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
+- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be
+  possible to create stronger failregex against log injection
 - Fixed ipfw action script. Thanks to Nick Munger
-- Removed date from logging message when using SYSLOG. Thanks
-  to Iain Lea
-- Fixed "ignore IPs". Only the first value was taken into
-  account. Thanks to Adrien Clerc
+- Removed date from logging message when using SYSLOG. Thanks to Iain Lea
+- Fixed "ignore IPs". Only the first value was taken into account. Thanks to
+  Adrien Clerc
 - Moved socket to /var/run/fail2ban.
 - Rewrote the communication server.
 - Refactoring. Reduced number of files.
-- Removed Python 2.4. Minimum required version is now Python
-  2.3.
+- Removed Python 2.4. Minimum required version is now Python 2.3.
 - New log rotation detection algorithm.
 - Print monitored files in status.
-- Create a PID file in /var/run/fail2ban/. Thanks to Julien
-  Perez.
-- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed
-  this out. Thanks to Yaroslav Halchenko for the fix.
-- "reload <jail>" reloads a single jail and the parameters in
-  fail2ban.conf.
+- Create a PID file in /var/run/fail2ban/. Thanks to Julien Perez.
+- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks
+  to Yaroslav Halchenko for the fix.
+- "reload <jail>" reloads a single jail and the parameters in fail2ban.conf.
 - Added Mac OS/X startup script. Thanks to Bill Heaton.
 - Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
 - Replaced "echo" with "printf" in actions. Fix #1839673
-- Replaced "reject" with "drop" in shorwall action. Fix
-  #1854875
+- Replaced "reject" with "drop" in shorwall action. Fix #1854875
 - Fixed Debian bug #456567, #468477, #462060, #461426
-- readline is now optional in fail2ban-client (not needed in
-  fail2ban-server).
+- readline is now optional in fail2ban-client (not needed in fail2ban-server).
 
 ver. 0.8.1 (2007/08/14) - stable
 ----------
 - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
 - Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
-- Improved regular expressions. Thanks to Yaroslav Halchenko
-  and others
-- Added sendmail actions. The action started with "mail" are
-  now deprecated. Thanks to Raphaël Marichez
+- Improved regular expressions. Thanks to Yaroslav Halchenko and others
+- Added sendmail actions. The action started with "mail" are now deprecated.
+  Thanks to Raphaël Marichez
 - Added "ignoreregex" support to fail2ban-regex
-- Updated suse-initd and added it to MANIFEST. Thanks to
-  Christian Rauch
-- Tightening up the pid check in redhat-initd. Thanks to
-  David Nutter
-- Added webmin authentication filter. Thanks to Guillaume
-  Delvit
-- Removed textToDns() which is not required anymore. Thanks
-  to Yaroslav Halchenko
-- Added new action iptables-allports. Thanks to Yaroslav
-  Halchenko
-- Added "named" date format to date detector. Thanks to
-  Yaroslav Halchenko
-- Added filter file for named (bind9). Thanks to Yaroslav
+- Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
+- Tightening up the pid check in redhat-initd. Thanks to David Nutter
+- Added webmin authentication filter. Thanks to Guillaume Delvit
+- Removed textToDns() which is not required anymore. Thanks to Yaroslav
   Halchenko
+- Added new action iptables-allports. Thanks to Yaroslav Halchenko
+- Added "named" date format to date detector. Thanks to Yaroslav Halchenko
+- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
 - Fixed vsftpd filter. Thanks to Yaroslav Halchenko
 
 ver. 0.8.0 (2007/05/03) - stable
@@ -144,20 +116,17 @@ ver. 0.7.8 (2007/03/21) - release candidate
 ----------
 - Fixed asctime pattern in datedetector.py
 - Added new filters/actions. Thanks to Yaroslav Halchenko
-- Added Suse init script and modified gentoo-initd. Thanks to
-  Christian Rauch
+- Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
 - Moved every locking statements in a try..finally block
 
 ver. 0.7.7 (2007/02/08) - release candidate
 ----------
 - Added signal handling in fail2ban-client
 - Added a wonderful visual effect when waiting on the server
-- fail2ban-client returns an error code if configuration is
-  not valid
+- fail2ban-client returns an error code if configuration is not valid
 - Added new filters/actions. Thanks to Yaroslav Halchenko
 - Call Python interpreter directly (instead of using "env")
-- Added file support to fail2ban-regex. Benchmark feature has
-  been removed
+- Added file support to fail2ban-regex. Benchmark feature has been removed
 - Added cacti script and template.
 - Added IP list in "status <JAIL>". Thanks to Eric Gerbier
 
@@ -167,60 +136,53 @@ ver. 0.7.6 (2007/01/04) - beta
 - Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
 - Use numeric output for iptables in "actioncheck"
 - Fixed removal of host in hosts.deny. Thanks to René Berber
-- Added new date format (2006-12-21 06:43:20) and Exim4
-  filter. Thanks to mEDI
-- Several "failregex" and "ignoreregex" are now accepted.
-  Creation of rules should be easier now.
+- Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
+- Several "failregex" and "ignoreregex" are now accepted. Creation of rules
+  should be easier now.
 - Added license in COPYING. Thanks to Axel Thimm
-- Allow comma in action options. The value of the option must
-  be escaped with " or '. Thanks to Yaroslav Halchenko
-- Now Fail2ban goes in /usr/share/fail2ban instead of
-  /usr/lib/fail2ban. This is more compliant with FHS. Thanks
-  to Axel Thimm and Yaroslav Halchenko
+- Allow comma in action options. The value of the option must be escaped with "
+  or '. Thanks to Yaroslav Halchenko
+- Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is
+  more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko
 
 ver. 0.7.5 (2006/12/07) - beta
 ----------
-- Do not ban a host that is currently banned. Thanks to
-  Yaroslav Halchenko
-- The supported tags in "action(un)ban" are <ip>, <failures>
-  and <time>
+- Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
+- The supported tags in "action(un)ban" are <ip>, <failures> and <time>
 - Fixed refactoring bug (getLastcommand -> getLastAction)
-- Added option "ignoreregex" in filter scripts and jail.conf.
-  Feature Request #1283304
+- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request
+  #1283304
 - Fixed a bug in user defined time regex/pattern
 - Improved documentation
 - Moved version.py and protocol.py to common/
 - Merged "maxtime" option with "findtime"
-- Added "<HOST>" tag support in failregex which matches
-  default IP address/hostname. "(?P<host>\S)" is still valid
-  and supported
-- Fixed exception when calling fail2ban-server with unknown
-  option
-- Fixed Debian bug 400162. The "socket" option is now handled
-  correctly by fail2ban-client
+- Added "<HOST>" tag support in failregex which matches default IP
+  address/hostname. "(?P<host>\S)" is still valid and supported
+- Fixed exception when calling fail2ban-server with unknown option
+- Fixed Debian bug 400162. The "socket" option is now handled correctly by
+  fail2ban-client
 - Fixed RedHat init script. Thanks to Justin Shore
-- Changed timeout to 30 secondes before assuming the server
-  cannot be started. Thanks to Joël Bertrand
+- Changed timeout to 30 secondes before assuming the server cannot be started.
+  Thanks to Joël Bertrand
 
 ver. 0.7.4 (2006/11/01) - beta
 ----------
 - Improved configuration files. Thanks to Yaroslav Halchenko
 - Added man page for "fail2ban-regex"
 - Moved ban/unban messages from "info" level to "warn"
-- Added "-s" option to specify the socket path and "socket"
-  option in "fail2ban.conf"
+- Added "-s" option to specify the socket path and "socket" option in
+  "fail2ban.conf"
 - Added "backend" option in "jail.conf"
-- Added more filters/actions and jail samples. Thanks to Nick
-  Munger, Christoph Haas
+- Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph
+  Haas
 - Improved testing framework
-- Fixed a bug in the return code handling of the executed
-  commands. Thanks to Yaroslav Halchenko
-- Signal handling. There is a bug with join() and signal in
-  Python
+- Fixed a bug in the return code handling of the executed commands. Thanks to
+  Yaroslav Halchenko
+- Signal handling. There is a bug with join() and signal in Python
 - Better debugging output for "fail2ban-regex"
 - Added support for more date format
-- cPickle does not work with Python 2.5. Use pickle instead
-  (performance is not a problem in our case)
+- cPickle does not work with Python 2.5. Use pickle instead (performance is not
+  a problem in our case)
 
 ver. 0.7.3 (2006/09/28) - beta
 ----------
@@ -240,15 +202,13 @@ ver. 0.7.2 (2006/09/10) - beta
 - Improved client output
 - Added more get/set commands
 - Added more configuration templates
-- Removed "logpath" and "maxretry" from filter templates.
-  They must be defined in jail.conf now
+- Removed "logpath" and "maxretry" from filter templates. They must be defined
+  in jail.conf now
 - Added interactive mode. Use "-i"
-- Added a date detector. "timeregex" and "timepattern" are no
-  more needed
-- Added "fail2ban-regex". This is a tool to help finding
-  "failregex"
-- Improved server communication. Start a new thread for each
-  incoming request. Fail2ban is not really thread-safe yet
+- Added a date detector. "timeregex" and "timepattern" are no more needed
+- Added "fail2ban-regex". This is a tool to help finding "failregex"
+- Improved server communication. Start a new thread for each incoming request.
+  Fail2ban is not really thread-safe yet
 
 ver. 0.7.1 (2006/08/23) - alpha
 ----------
@@ -259,106 +219,91 @@ ver. 0.7.1 (2006/08/23) - alpha
 
 ver. 0.7.0 (2006/08/23) - alpha
 ----------
-- Almost a complete rewrite :) Fail2ban design is really
-  better (IMHO). There is a lot of new features
+- Almost a complete rewrite :) Fail2ban design is really better (IMHO). There is
+  a lot of new features
 - Client/Server architecture
-- Multithreading. Each jail has its own threads: one for the
-  log reading and another for the actions
+- Multithreading. Each jail has its own threads: one for the log reading and
+  another for the actions
 - Execute several actions
-- Split configuration files. They are more readable and easy
-  to use
-- failregex uses group (<host>) now. This feature was already
-  present in the Debian package
+- Split configuration files. They are more readable and easy to use
+- failregex uses group (<host>) now. This feature was already present in the
+  Debian package
 - lots of things...
 
 ver. 0.6.1 (2006/03/16) - stable
 ----------
-- Added permanent banning. Set banTime to a negative value to
-  enable this feature (-1 is perfect). Thanks to Mannone
+- Added permanent banning. Set banTime to a negative value to enable this
+  feature (-1 is perfect). Thanks to Mannone
 - Fixed locale bug. Thanks to Fernando José
 - Fixed crash when time format does not match data
-- Propagated patch from Debian to fix fail2ban search path 
-  addition to the path search list: now it is added first. 
-  Thanks to Nick Craig-Wood
-- Added SMTP authentification for mail notification. Thanks
-  to Markus Hoffmann
+- Propagated patch from Debian to fix fail2ban search path addition to the path
+  search list: now it is added first. Thanks to Nick Craig-Wood
+- Added SMTP authentification for mail notification. Thanks to Markus Hoffmann
 - Removed debug mode as it is confusing for people
-- Added parsing of timestamp in TAI64N format (#1275325).
-  Thanks to Mark Edgington
-- Added patch #1382936 (Default formatted syslog logging).
-  Thanks to Patrick B�rjesson
-- Removed 192.168.0.0/16 from ignoreip. Attacks could also
-  come from the local network.
-- Robust startup: if iptables module does not get fully
-  initialized after startup of fail2ban, fail2ban will do
-  "maxreinit" attempts to initialize its own firewall. It
-  will sleep between attempts for "polltime" number of
-  seconds (closes Debian: #334272). Thanks to Yaroslav
-  Halchenko
-- Added "interpolations" in fail2ban.conf. This is provided
-  by the ConfigParser module. Old configuration files still
-  work. Thanks to Yaroslav Halchenko
-- Added initial support for hosts.deny and shorewall. Need
-  more testing. Please test. Thanks to kojiro from Gentoo
-  forum for hosts.deny support
+- Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark
+  Edgington
+- Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick
+  B�rjesson
+- Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local
+  network.
+- Robust startup: if iptables module does not get fully initialized after
+  startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its
+  own firewall. It will sleep between attempts for "polltime" number of seconds
+  (closes Debian: #334272). Thanks to Yaroslav Halchenko
+- Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser
+  module. Old configuration files still work. Thanks to Yaroslav Halchenko
+- Added initial support for hosts.deny and shorewall. Need more testing. Please
+  test. Thanks to kojiro from Gentoo forum for hosts.deny support
 - Added support for vsftpd. Thanks to zugeschmiert
 
 ver. 0.6.0 (2005/11/20) - stable
 ----------
-- Propagated patches introduced by Debian maintainer 
-  (Yaroslav Halchenko):
-  * Added an option to report local time (including timezone)
-    or GMT in mail notification.
+- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
+  * Added an option to report local time (including timezone) or GMT in mail
+    notification.
 
 ver. 0.5.5 (2005/10/26) - beta
 ----------
-- Propagated patches introduced by Debian maintainer 
-  (Yaroslav Halchenko):
-  * Introduced fwcheck option to verify consistency of the
-    chains. Implemented automatic restart of fail2ban main
-    function in case check of fwban or fwunban command failed
-    (closes: #329163, #331695). (Introduced patch was further
-    adjusted by upstream author).
+- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
+  * Introduced fwcheck option to verify consistency of the chains. Implemented
+    automatic restart of fail2ban main function in case check of fwban or
+    fwunban command failed (closes: #329163, #331695). (Introduced patch was
+    further adjusted by upstream author).
   * Added -f command line parameter for [findtime].
-  * Added a cleanup of firewall rules on emergency shutdown
-    when unknown exception is catched.
-  * Fail2ban should not crash now if a wrong file name is
-    specified in config.
-  * reordered code a bit so that log targets are setup right
-    after background and then only loglevel (verbose, debug)
-    is processed, so the warning could be seen in the logs
-  * Added a keyword <section> in parsing of the subject and
-    the body of an email sent out by fail2ban (closes:
-    #330311)
+  * Added a cleanup of firewall rules on emergency shutdown when unknown
+    exception is catched.
+  * Fail2ban should not crash now if a wrong file name is specified in config.
+  * reordered code a bit so that log targets are setup right after background
+    and then only loglevel (verbose, debug) is processed, so the warning could
+    be seen in the logs
+  * Added a keyword <section> in parsing of the subject and the body of an email
+    sent out by fail2ban (closes: #330311)
 
 ver. 0.5.4 (2005/09/13) - beta
 ----------
 - Fixed bug #1286222.
-- Propagated patches introduced by Debian maintainer 
-  (Yaroslav Halchenko):
-  * Fixed handling of SYSLOG logging target. Now it can log
-    to any SYSLOG target and facility as directed by the 
-    config
+- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
+  * Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target
+    and facility as directed by the config
   * Format of SYSLOG entries fixed to look closer to standard
   * Fixed errata in config/gentoo-confd
-  * Introduced findtime configuration variable to control the
-    lifetime of caught "failed" log entries
+  * Introduced findtime configuration variable to control the lifetime of caught
+    "failed" log entries
 	
 ver. 0.5.3 (2005/09/08) - beta
 ----------
-- Fixed a bug when overriding "maxfailures" or "bantime".
-  Thanks to Yaroslav Halchenko
-- Added more debug output if an error occurs when sending
-  mail. Thanks to Stephen Gildea
-- Renamed "maxretry" to "maxfailures" and changed default
-  value to 5. Thanks to Stephen Gildea
+- Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav
+  Halchenko
+- Added more debug output if an error occurs when sending mail. Thanks to
+  Stephen Gildea
+- Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to
+  Stephen Gildea
 - Hopefully fixed bug #1256075
 - Fixed bug #1262345
 - Fixed exception handling in PIDLock
-- Removed warning when using "-V" or "-h" with no config
-  file. Thanks to Yaroslav Halchenko
-- Removed "-i eth0" from config file. Thanks to Yaroslav
-  Halchenko
+- Removed warning when using "-V" or "-h" with no config file. Thanks to
+  Yaroslav Halchenko
+- Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko
 
 ver. 0.5.2 (2005/08/06) - beta
 ----------
@@ -374,11 +319,9 @@ ver. 0.5.1 (2005/07/23) - beta
 ----------
 - Fixed bugs #1241756, #1239557
 - Added log targets in configuration file. Removed -l option
-- Changed iptables rules in order to create a separated chain
-  for each section
+- Changed iptables rules in order to create a separated chain for each section
 - Fixed static banList in firewall.py
-- Added an initd script for Debian. Thanks to Yaroslav
-  Halchenko
+- Added an initd script for Debian. Thanks to Yaroslav Halchenko
 - Check for obsolete files after install
 
 ver. 0.5.0 (2005/07/12) - beta
@@ -386,24 +329,22 @@ ver. 0.5.0 (2005/07/12) - beta
 - Added support for CIDR mask in ignoreip
 - Added mail notification support
 - Fixed bug #1234699
-- Added tags replacement in rules definition. Should allow a
-  clean solution for Feature Request #1229479
+- Added tags replacement in rules definition. Should allow a clean solution for
+  Feature Request #1229479
 - Removed "interface" and "firewall" options
-- Added start and end commands in the configuration file.
-  Thanks to Yaroslav Halchenko
+- Added start and end commands in the configuration file. Thanks to Yaroslav
+  Halchenko
 - Added firewall rules definition in the configuration file
 - Cleaned fail2ban.py
-- Added an initd script for RedHat/Fedora. Thanks to Andrey
-  G. Grozin
+- Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin
 
 ver. 0.4.1 (2005/06/30) - stable
 ----------
-- Fixed textToDNS method which generated wrong matches for
-  "rhost=12-xyz...". Thanks to Tom Pike
+- Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...".
+  Thanks to Tom Pike
 - fail2ban.conf modified for readability. Thanks to Iain Lea
 - Added an initd script for Gentoo
-- Changed default PID lock file location from /tmp to
-  /var/run
+- Changed default PID lock file location from /tmp to /var/run
 
 ver. 0.4.0 (2005/04/24) - stable
 ----------
@@ -419,8 +360,8 @@ ver. 0.3.1 (2005/03/31) - beta
 
 ver. 0.3.0 (2005/02/24) - beta
 ----------
-- Re-writting of parts of the code in order to handle several
-  log files with different rules
+- Re-writting of parts of the code in order to handle several log files with
+  different rules
 - Removed sshd.py because it is no more needed
 - Fixed a bug when exiting with IP in the ban list
 - Added PID lock file
@@ -430,26 +371,22 @@ ver. 0.3.0 (2005/02/24) - beta
 
 ver. 0.1.2 (2004/11/21) - beta
 ----------
-- Add ipfw and ipfwadm support. The rules are taken from
-  BlockIt. Thanks to Robert Edeker
-- Add -e option which allows to set the interface. Thanks to
-  Robert Edeker who reminded me this
+- Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to
+  Robert Edeker
+- Add -e option which allows to set the interface. Thanks to Robert Edeker who
+  reminded me this
 - Small code cleaning
 
 ver. 0.1.1 (2004/10/23) - beta
 ----------
-- Add SIGTERM handler in order to exit nicely when in daemon
-  mode
-- Add -r option which allows to set the maximum number of
-  login failures
-- Remove the Metalog class as the log file are not so syslog
-  daemon specific
-- Rewrite log reader to be service centered. Sshd support
-  added. Match "Failed password" and "Illegal user"
+- Add SIGTERM handler in order to exit nicely when in daemon mode
+- Add -r option which allows to set the maximum number of login failures
+- Remove the Metalog class as the log file are not so syslog daemon specific
+- Rewrite log reader to be service centered. Sshd support added. Match "Failed
+  password" and "Illegal user"
 - Add /etc/fail2ban.conf configuration support
 - Code documentation
 
-
 ver. 0.1.0 (2004/10/12) - alpha
 ----------
 - Initial release
diff --git a/README b/README
index 1c1cbf66..7f147670 100644
--- a/README
+++ b/README
@@ -1,21 +1,19 @@
-               __      _ _ ___ _               
-              / _|__ _(_) |_  ) |__  __ _ _ _  
-             |  _/ _` | | |/ /| '_ \/ _` | ' \ 
-             |_| \__,_|_|_/___|_.__/\__,_|_||_|
+                         __      _ _ ___ _               
+                        / _|__ _(_) |_  ) |__  __ _ _ _  
+                       |  _/ _` | | |/ /| '_ \/ _` | ' \ 
+                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
-=============================================================
-Fail2Ban (version 0.8.4)                           2008/??/??
-=============================================================
+================================================================================
+Fail2Ban (version 0.8.4)                                              2009/??/??
+================================================================================
 
-Fail2Ban scans log files like /var/log/pwdfail and bans IP
-that makes too many password failures. It updates firewall
-rules to reject the IP address. These rules can be defined by
-the user. Fail2Ban can read multiple log files such as sshd
-or Apache web server ones.
+Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
+password failures. It updates firewall rules to reject the IP address. These
+rules can be defined by the user. Fail2Ban can read multiple log files such as
+sshd or Apache web server ones.
 
-This README is a quick introduction to Fail2ban. More
-documentation, FAQ, HOWTOs are available on the project
-website: http://www.fail2ban.org
+This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
+are available on the project website: http://www.fail2ban.org
 
 Installation:
 -------------
@@ -32,33 +30,32 @@ To install, just do:
 > cd fail2ban-0.8.4
 > python setup.py install
 
-This will install Fail2Ban into /usr/share/fail2ban. The
-executable scripts are placed into /usr/bin.
+This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
+placed into /usr/bin.
 
-It is possible that Fail2ban is already packaged for your
-distribution. In this case, you should use it.
+It is possible that Fail2ban is already packaged for your distribution. In this
+case, you should use it.
 
 Fail2Ban should be correctly installed now. Just type:
 
 > fail2ban-client -h
 
-to see if everything is alright. You should always use
-fail2ban-client and never call fail2ban-server directly.
+to see if everything is alright. You should always use fail2ban-client and never
+call fail2ban-server directly.
 
 Configuration:
 --------------
 
-You can configure Fail2ban using the files in /etc/fail2ban.
-It is possible to configure the server using commands sent to
-it by fail2ban-client. The available commands are described
-in the man page of fail2ban-client. Please refer to it or to
-the website: http://www.fail2ban.org
+You can configure Fail2ban using the files in /etc/fail2ban. It is possible to
+configure the server using commands sent to it by fail2ban-client. The available
+commands are described in the man page of fail2ban-client. Please refer to it or
+to the website: http://www.fail2ban.org
 
 Contact:
 --------
 
-You need some new features, you found bugs or you just
-appreciate this program, you can contact me at:
+You need some new features, you found bugs or you just appreciate this program,
+you can contact me at:
 
 Website: http://www.fail2ban.org
 
@@ -67,34 +64,27 @@ Cyril Jaquier: <cyril.jaquier@fail2ban.org>
 Thanks:
 -------
 
-Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
-Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
-Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
-Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler,
-Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand,
-René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch,
-Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner,
-Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
-Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann,
-Vincent Deffontaines, Bill Heaton, Russell Odom and many
-others.
+Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker, Tom Pike, Iain Lea,
+Andrey G. Grozin, Yaroslav Halchenko, Jonathan Kamens, Stephen Gildea, Markus
+Hoffmann, Mark Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler, Nick
+Munger, Christoph Haas, Justin Shore, Joël Bertrand, René Berber, mEDI, Axel
+Thimm, Eric Gerbier, Christian Rauch, Michael C. Haller, Jonathan Underwood,
+Hanno 'Rince' Wagner, Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
+Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann, Vincent Deffontaines,
+Bill Heaton, Russell Odom, Christos Psonis and many others.
 
 License:
 --------
 
-Fail2Ban is free software; you can redistribute it
-and/or modify it under the terms of the GNU General Public
-License as published by the Free Software Foundation; either
-version 2 of the License, or (at your option) any later
+Fail2Ban is free software; you can redistribute it and/or modify it under the
+terms of the GNU General Public License as published by the Free Software
+Foundation; either version 2 of the License, or (at your option) any later
 version.
 
-Fail2Ban is distributed in the hope that it will be
-useful, but WITHOUT ANY WARRANTY; without even the implied
-warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-PURPOSE.  See the GNU General Public License for more
-details.
+Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+PARTICULAR PURPOSE. See the GNU General Public License for more details.
 
-You should have received a copy of the GNU General Public
-License along with Fail2Ban; if not, write to the Free
-Software Foundation, Inc., 59 Temple Place, Suite 330,
-Boston, MA  02111-1307  USA
+You should have received a copy of the GNU General Public License along with
+Fail2Ban; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
+Suite 330, Boston, MA  02111-1307  USA
diff --git a/TODO b/TODO
index 318f839e..4737c79a 100644
--- a/TODO
+++ b/TODO
@@ -1,11 +1,11 @@
-               __      _ _ ___ _               
-              / _|__ _(_) |_  ) |__  __ _ _ _  
-             |  _/ _` | | |/ /| '_ \/ _` | ' \ 
-             |_| \__,_|_|_/___|_.__/\__,_|_||_|
+                         __      _ _ ___ _               
+                        / _|__ _(_) |_  ) |__  __ _ _ _  
+                       |  _/ _` | | |/ /| '_ \/ _` | ' \ 
+                       |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
-=============================================================
-ToDo                                         $Revision$
-=============================================================
+================================================================================
+ToDo                                                            $Revision$
+================================================================================
 
 Legend:
 - not yet done
@@ -15,26 +15,24 @@ Legend:
 
 - Removed relative imports
 
-- Cleanup fail2ban-client and fail2ban-server. Move code to
-  server/ and client/
+- Cleanup fail2ban-client and fail2ban-server. Move code to server/ and client/
 
-- Add timeout to external commands (signal alarm, watchdog
-  thread, etc)
+- Add timeout to external commands (signal alarm, watchdog thread, etc)
 
 - New backend: pyinotify
 
-- Uniformize filters and actions name. Use the software name
-  (openssh, postfix, proftp)
+- Uniformize filters and actions name. Use the software name (openssh, postfix,
+  proftp)
 
-- Added <USER> tag for failregex. Add features using this
-  information. Maybe add more tags
+- Added <USER> tag for failregex. Add features using this information. Maybe add
+  more tags
 
 - Look at the memory consumption. Decrease memory usage
 
 - More detailed statistics
 
-- Auto-enable function (search for log files), check
-  modification date to see if service is still in use
+- Auto-enable function (search for log files), check modification date to see if
+  service is still in use
 
 - Improve parsing of the action parameters in jailreader.py
 
@@ -44,8 +42,8 @@ Legend:
 
 - Multiline log reading
 
-- Improve execution of action. Why does subprocess.call
-  deadlock with multi-jails?
+- Improve execution of action. Why does subprocess.call deadlock with
+  multi-jails?
 
 # see Feature Request Tracking System at SourceForge.net