Merge branch 'upstream' into debian-release

* upstream:
  for 0.8.5 release -- changelog + version
  BF: use addfailregex instead of failregex while processing per-jail "failregex" parameter (Closes: #635830) (LP: #635036)
  BF: use os.path.join to generate full path - fixes includes in configs given local filename
  very minor -- uniform indentation in example
  BF: use standard/reserved example.com instead of mail.com
  ENH: Adding author for dovecot filter and prunning unneeded space in the regexp

ChangeLog

@@ -4,9 +4,47 @@
                        |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 ================================================================================
-Fail2Ban (version 0.8.4)                                              2009/09/07
+Fail2Ban (version 0.8.5)                                              2011/07/28
 ================================================================================
 
+ver. 0.8.5 (2011/07/28) - stable
+----------
+- Fix: use addfailregex instead of failregex while processing per-jail
+  "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to
+  Marat Khayrullin for the patch and Daniel T Chen for forwarding to
+  Debian.
+- Fix: use os.path.join to generate full path - fixes includes in configs
+  given local filename (5 weeks ago) [yarikoptic]
+- Fix: allowed for trailing spaces in proftpd logs
+- Fix: escaped () in pure-ftpd filter. Thanks to Teodor
+- Fix: allowed space in the trailing of failregex for sasl.conf:
+  see http://bugs.debian.org/573314
+- Fix: use /var/run/fail2ban instead of /tmp for temp files in actions:
+  see http://bugs.debian.org/544232
+- Fix: Tai64N stores time in GMT, needed to convert to local time before
+  returning
+- Fix: disabled named-refused-udp jail entirely with a big fat warning
+- Fix: added time module. Bug reported in buanzo's blog:
+  see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
+- Fix: Patch to make log file descriptors cloexec to stop leaking file
+  descriptors on fork/exec. Thanks to Jonathan Underwood:
+  see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24
+- Enhancement: added author for dovecot filter and pruned unneeded space
+  in the regexp
+- Enhancement: proftpd filter -- if login failed -- count regardless of the
+  reason for failure
+- Enhancement: added <chain> to action.d/iptables*. Thanks to Matthijs Kooijman:
+  see http://bugs.debian.org/515599
+- Enhancement: added filter.d/dovecot.conf from Martin Waschbuesch
+- Enhancement: made filter.d/apache-overflows.conf catch more:
+  see http://bugs.debian.org/574182
+- Enhancement: added dropbear filter from Francis Russell and Zak B. Elep:
+  see http://bugs.debian.org/546913
+- Enhancement: changed default ignoreip to ignore entire loopback zone (/8):
+  see http://bugs.debian.org/598200
+- Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer
+- Few minor cosmetic changes
+
 ver. 0.8.4 (2009/09/07) - stable
 ----------
 - Check the inode number for rotation in addition to checking the first line of

README

@@ -4,7 +4,7 @@
                        |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 ================================================================================
-Fail2Ban (version 0.8.4)                                              2009/09/07
+Fail2Ban (version 0.8.5)                                              2011/07/26
 ================================================================================
 
 Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many

client/configparserinc.py

@@ -43,7 +43,7 @@ class SafeConfigParserWithIncludes(SafeConfigParser):
 
 [INCLUDES]
 before = 1.conf
-			   3.conf
+         3.conf
 
 after = 1.conf
 
@@ -54,8 +54,8 @@ after = 1.conf
 	the tree.
 
 	I wasn't sure what would be the right way to implement generic (aka c++
-    template) so we could base at any *configparser class... so I will
+	template) so we could base at any *configparser class... so I will
-    leave it for the future
+	leave it for the future
 
 	"""
 
@@ -86,7 +86,7 @@ after = 1.conf
 						if os.path.isabs(newResource):
 							r = newResource
 						else:
-							r = "%s/%s" % (resourceDir, newResource)
+							r = os.path.join(resourceDir, newResource)
 						if r in seen:
 							continue
 						s = seen + [resource]

client/jailreader.py

@@ -120,7 +120,7 @@ class JailReader(ConfigReader):
 			elif opt == "bantime":
 				stream.append(["set", self.__name, "bantime", self.__opts[opt]])
 			elif opt == "failregex":
-				stream.append(["set", self.__name, "failregex", self.__opts[opt]])
+				stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
 			elif opt == "ignoreregex":
 				for regex in self.__opts[opt].split('\n'):
 					# Do not send a command if the rule is empty.

common/version.py

@@ -21,7 +21,7 @@
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision: 754 $"
 __date__ = "$Date: 2009-09-07 21:13:45 +0200 (Mon, 07 Sep 2009) $"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011 Yaroslav Halchenko"
 __license__ = "GPL"
 
-version = "0.8.4-SVN"
+version = "0.8.5"

config/filter.d/dovecot.conf

@@ -1,6 +1,6 @@
 # Fail2Ban configuration file for dovcot
 #
-# Author: 
+# Author: Martin Waschbuesch
 #
 # $Revision: $
 #
@@ -14,7 +14,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
+failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

config/jail.conf

@@ -45,7 +45,7 @@ backend = auto
 enabled  = false
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
-           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
+           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com]
 logpath  = /var/log/sshd.log
 maxretry = 5
 
@@ -54,7 +54,7 @@ maxretry = 5
 enabled  = false
 filter   = proftpd
 action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
-           sendmail-whois[name=ProFTPD, dest=you@mail.com]
+           sendmail-whois[name=ProFTPD, dest=you@example.com]
 logpath  = /var/log/proftpd/proftpd.log
 maxretry = 6
 
@@ -66,7 +66,7 @@ enabled  = false
 filter   = sasl
 backend  = polling
 action   = iptables[name=sasl, port=smtp, protocol=tcp]
-           sendmail-whois[name=sasl, dest=you@mail.com]
+           sendmail-whois[name=sasl, dest=you@example.com]
 logpath  = /var/log/mail.log
 
 # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
@@ -77,7 +77,7 @@ logpath  = /var/log/mail.log
 enabled     = false
 filter      = sshd
 action      = hostsdeny
-              sendmail-whois[name=SSH, dest=you@mail.com]
+              sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
 logpath     = /var/log/sshd.log
 
@@ -101,7 +101,7 @@ maxretry = 6
 enabled  = false
 filter   = postfix
 action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
-           sendmail[name=Postfix, dest=you@mail.com]
+           sendmail[name=Postfix, dest=you@example.com]
 logpath  = /var/log/postfix.log
 bantime  = 300
 
@@ -112,7 +112,7 @@ bantime  = 300
 
 enabled  = false
 filter   = vsftpd
-action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
+action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
 logpath  = /var/log/vsftpd.log
 maxretry = 5
 bantime  = 1800
@@ -124,7 +124,7 @@ bantime  = 1800
 enabled  = false
 filter   = vsftpd
 action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
-           sendmail-whois[name=VSFTPD, dest=you@mail.com]
+           sendmail-whois[name=VSFTPD, dest=you@example.com]
 logpath  = /var/log/vsftpd.log
 maxretry = 5
 bantime  = 1800
@@ -137,7 +137,7 @@ bantime  = 1800
 enabled  = false
 filter   = apache-badbots
 action   = iptables-multiport[name=BadBots, port="http,https"]
-           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
+           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
 logpath  = /var/www/*/logs/access_log
 bantime  = 172800
 maxretry = 1
@@ -149,7 +149,7 @@ maxretry = 1
 enabled  = false
 filter   = apache-noscript
 action   = shorewall
-           sendmail[name=Postfix, dest=you@mail.com]
+           sendmail[name=Postfix, dest=you@example.com]
 logpath  = /var/log/apache2/error_log
 
 # Ban attackers that try to use PHP's URL-fopen() functionality
@@ -190,7 +190,7 @@ maxretry = 2
 enabled  = false
 filter   = sshd
 action   = ipfw[localhost=192.168.0.1]
-           sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
+           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
 logpath  = /var/log/auth.log
 ignoreip = 168.192.0.1
 
@@ -224,7 +224,7 @@ ignoreip = 168.192.0.1
 # enabled  = false
 # filter   = named-refused
 # action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
-#            sendmail-whois[name=Named, dest=you@mail.com]
+#            sendmail-whois[name=Named, dest=you@example.com]
 # logpath  = /var/log/named/security.log
 # ignoreip = 168.192.0.1
 
@@ -235,7 +235,7 @@ ignoreip = 168.192.0.1
 enabled  = false
 filter   = named-refused
 action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
-           sendmail-whois[name=Named, dest=you@mail.com]
+           sendmail-whois[name=Named, dest=you@example.com]
 logpath  = /var/log/named/security.log
 ignoreip = 168.192.0.1
 

files/nagios/check_fail2ban

@@ -99,7 +99,7 @@ elif [ $final_exit -ne "0" ]; then
 # put a txt file on your server and describe how to fix the issue, this 
 # could be attached to the mail.
 ######################################################################
-#  mutt -s "FAIL2BAN NOT WORKING" your@email.com < /home/f2ban.txt
+#  mutt -s "FAIL2BAN NOT WORKING" your@example.com < /home/f2ban.txt
 
   exitstatus=$STATE_CRITICAL
 fi