Merge branch 'upstream' into debian-release

* upstream: for 0.8.5 release -- changelog + version BF: use addfailregex instead of failregex while processing per-jail "failregex" parameter (Closes: #635830) (LP: #635036) BF: use os.path.join to generate full path - fixes includes in configs given local filename very minor -- uniform indentation in example BF: use standard/reserved example.com instead of mail.com ENH: Adding author for dovecot filter and prunning unneeded space in the regexp
2011-07-28 23:08:08 -04:00 · 2011-07-28 23:08:08 -04:00 · d7dd84be01
parent 2ab8e35652 6c07999157
commit d7dd84be01
8 changed files with 62 additions and 24 deletions
--- a/40
+++ b/40
@ -4,9 +4,47 @@
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|

 ================================================================================
-Fail2Ban (version 0.8.4)                                              2009/09/07
+Fail2Ban (version 0.8.5)                                              2011/07/28
 ================================================================================

+ver. 0.8.5 (2011/07/28) - stable
+----------
+- Fix: use addfailregex instead of failregex while processing per-jail
+  "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to
+  Marat Khayrullin for the patch and Daniel T Chen for forwarding to
+  Debian.
+- Fix: use os.path.join to generate full path - fixes includes in configs
+  given local filename (5 weeks ago) [yarikoptic]
+- Fix: allowed for trailing spaces in proftpd logs
+- Fix: escaped () in pure-ftpd filter. Thanks to Teodor
+- Fix: allowed space in the trailing of failregex for sasl.conf:
+  see http://bugs.debian.org/573314
+- Fix: use /var/run/fail2ban instead of /tmp for temp files in actions:
+  see http://bugs.debian.org/544232
+- Fix: Tai64N stores time in GMT, needed to convert to local time before
+  returning
+- Fix: disabled named-refused-udp jail entirely with a big fat warning
+- Fix: added time module. Bug reported in buanzo's blog:
+  see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
+- Fix: Patch to make log file descriptors cloexec to stop leaking file
+  descriptors on fork/exec. Thanks to Jonathan Underwood:
+  see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24
+- Enhancement: added author for dovecot filter and pruned unneeded space
+  in the regexp
+- Enhancement: proftpd filter -- if login failed -- count regardless of the
+  reason for failure
+- Enhancement: added <chain> to action.d/iptables*. Thanks to Matthijs Kooijman:
+  see http://bugs.debian.org/515599
+- Enhancement: added filter.d/dovecot.conf from Martin Waschbuesch
+- Enhancement: made filter.d/apache-overflows.conf catch more:
+  see http://bugs.debian.org/574182
+- Enhancement: added dropbear filter from Francis Russell and Zak B. Elep:
+  see http://bugs.debian.org/546913
+- Enhancement: changed default ignoreip to ignore entire loopback zone (/8):
+  see http://bugs.debian.org/598200
+- Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer
+- Few minor cosmetic changes
+
 ver. 0.8.4 (2009/09/07) - stable
 ----------
 - Check the inode number for rotation in addition to checking the first line of
--- a/2
+++ b/2
@ -4,7 +4,7 @@
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|

 ================================================================================
-Fail2Ban (version 0.8.4)                                              2009/09/07
+Fail2Ban (version 0.8.5)                                              2011/07/26
 ================================================================================

 Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
--- a/client/configparserinc.py
+++ b/client/configparserinc.py
@ -86,7 +86,7 @@ after = 1.conf
 						if os.path.isabs(newResource):
 							r = newResource
 						else:
-							r = "%s/%s" % (resourceDir, newResource)
+							r = os.path.join(resourceDir, newResource)
 						if r in seen:
 							continue
 						s = seen + [resource]
--- a/client/jailreader.py
+++ b/client/jailreader.py
@ -120,7 +120,7 @@ class JailReader(ConfigReader):
 			elif opt == "bantime":
 				stream.append(["set", self.__name, "bantime", self.__opts[opt]])
 			elif opt == "failregex":
-				stream.append(["set", self.__name, "failregex", self.__opts[opt]])
+				stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
 			elif opt == "ignoreregex":
 				for regex in self.__opts[opt].split('\n'):
 					# Do not send a command if the rule is empty.
--- a/common/version.py
+++ b/common/version.py
@ -21,7 +21,7 @@
 __author__ = "Cyril Jaquier"
 __version__ = "$Revision: 754 $"
 __date__ = "$Date: 2009-09-07 21:13:45 +0200 (Mon, 07 Sep 2009) $"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011 Yaroslav Halchenko"
 __license__ = "GPL"

-version = "0.8.4-SVN"
+version = "0.8.5"
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@ -1,6 +1,6 @@
 # Fail2Ban configuration file for dovcot
 #
-# Author: 
+# Author: Martin Waschbuesch
 #
 # $Revision: $
 #
--- a/config/jail.conf
+++ b/config/jail.conf
@ -45,7 +45,7 @@ backend = auto
 enabled  = false
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
-           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
+           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com]
 logpath  = /var/log/sshd.log
 maxretry = 5

@ -54,7 +54,7 @@ maxretry = 5
 enabled  = false
 filter   = proftpd
 action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
-           sendmail-whois[name=ProFTPD, dest=you@mail.com]
+           sendmail-whois[name=ProFTPD, dest=you@example.com]
 logpath  = /var/log/proftpd/proftpd.log
 maxretry = 6

@ -66,7 +66,7 @@ enabled  = false
 filter   = sasl
 backend  = polling
 action   = iptables[name=sasl, port=smtp, protocol=tcp]
-           sendmail-whois[name=sasl, dest=you@mail.com]
+           sendmail-whois[name=sasl, dest=you@example.com]
 logpath  = /var/log/mail.log

 # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
@ -77,7 +77,7 @@ logpath  = /var/log/mail.log
 enabled     = false
 filter      = sshd
 action      = hostsdeny
-              sendmail-whois[name=SSH, dest=you@mail.com]
+              sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
 logpath     = /var/log/sshd.log

@ -101,7 +101,7 @@ maxretry = 6
 enabled  = false
 filter   = postfix
 action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
-           sendmail[name=Postfix, dest=you@mail.com]
+           sendmail[name=Postfix, dest=you@example.com]
 logpath  = /var/log/postfix.log
 bantime  = 300

@ -112,7 +112,7 @@ bantime  = 300

 enabled  = false
 filter   = vsftpd
-action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
+action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
 logpath  = /var/log/vsftpd.log
 maxretry = 5
 bantime  = 1800
@ -124,7 +124,7 @@ bantime  = 1800
 enabled  = false
 filter   = vsftpd
 action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
-           sendmail-whois[name=VSFTPD, dest=you@mail.com]
+           sendmail-whois[name=VSFTPD, dest=you@example.com]
 logpath  = /var/log/vsftpd.log
 maxretry = 5
 bantime  = 1800
@ -137,7 +137,7 @@ bantime  = 1800
 enabled  = false
 filter   = apache-badbots
 action   = iptables-multiport[name=BadBots, port="http,https"]
-           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
+           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
 logpath  = /var/www/*/logs/access_log
 bantime  = 172800
 maxretry = 1
@ -149,7 +149,7 @@ maxretry = 1
 enabled  = false
 filter   = apache-noscript
 action   = shorewall
-           sendmail[name=Postfix, dest=you@mail.com]
+           sendmail[name=Postfix, dest=you@example.com]
 logpath  = /var/log/apache2/error_log

 # Ban attackers that try to use PHP's URL-fopen() functionality
@ -190,7 +190,7 @@ maxretry = 2
 enabled  = false
 filter   = sshd
 action   = ipfw[localhost=192.168.0.1]
-           sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
+           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
 logpath  = /var/log/auth.log
 ignoreip = 168.192.0.1

@ -224,7 +224,7 @@ ignoreip = 168.192.0.1
 # enabled  = false
 # filter   = named-refused
 # action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
-#            sendmail-whois[name=Named, dest=you@mail.com]
+#            sendmail-whois[name=Named, dest=you@example.com]
 # logpath  = /var/log/named/security.log
 # ignoreip = 168.192.0.1

@ -235,7 +235,7 @@ ignoreip = 168.192.0.1
 enabled  = false
 filter   = named-refused
 action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
-           sendmail-whois[name=Named, dest=you@mail.com]
+           sendmail-whois[name=Named, dest=you@example.com]
 logpath  = /var/log/named/security.log
 ignoreip = 168.192.0.1

--- a/files/nagios/check_fail2ban
+++ b/files/nagios/check_fail2ban
@ -99,7 +99,7 @@ elif [ $final_exit -ne "0" ]; then
 # put a txt file on your server and describe how to fix the issue, this 
 # could be attached to the mail.
 ######################################################################
-#  mutt -s "FAIL2BAN NOT WORKING" your@email.com < /home/f2ban.txt
+#  mutt -s "FAIL2BAN NOT WORKING" your@example.com < /home/f2ban.txt

  exitstatus=$STATE_CRITICAL
 fi