From add8e61036a2dcb62250cb46e1209e0a5379b379 Mon Sep 17 00:00:00 2001
From: Cyril Roos <cyril@localhost.localdomain>
Date: Wed, 2 Jul 2014 13:52:06 +0200
Subject: [PATCH 01/82] Added Directadmin filter, jail and log test

---
 config/filter.d/directadmin.conf      | 23 +++++++++++++++++++++++
 config/jail.conf                      |  5 +++++
 fail2ban/tests/files/logs/directadmin | 14 ++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 config/filter.d/directadmin.conf
 create mode 100644 fail2ban/tests/files/logs/directadmin

diff --git a/config/filter.d/directadmin.conf b/config/filter.d/directadmin.conf
new file mode 100644
index 00000000..7622e548
--- /dev/null
+++ b/config/filter.d/directadmin.conf
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file for Directadmin
+#
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^: \'<HOST>\' \d{1,3} failed login attempt(s)?. \s*
+
+ignoreregex = 
+
+[Init]
+datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S
+
+#
+# Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590
+#
+# Author: Cyril Roos
+
diff --git a/config/jail.conf b/config/jail.conf
index c42952d8..bfc2a9c2 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -709,3 +709,8 @@ enabled = false
 logpath = /opt/sun/comms/messaging64/log/mail.log_current
 maxretry = 6
 banaction = iptables-allports
+
+[directadmin]
+enabled = false
+logpath = /var/log/directadmin/login.log
+port = 2222
diff --git a/fail2ban/tests/files/logs/directadmin b/fail2ban/tests/files/logs/directadmin
new file mode 100644
index 00000000..85f7f8b9
--- /dev/null
+++ b/fail2ban/tests/files/logs/directadmin
@@ -0,0 +1,14 @@
+# failJSON: { "time": "2014-07-02T00:17:45", "match": true , "host": "3.2.1.4" }
+2014:07:02-00:17:45: '3.2.1.4' 2 failed login attempts. Account 'test'
+
+# failJSON: { "time": "2014-07-02T13:07:40", "match": true , "host": "40.40.123.231" }
+2014:07:02-13:07:40: '40.40.123.231' 13 failed login attempts. Account 'admin'
+
+# failJSON: { "time": "2014-07-02T13:07:50", "match": true , "host": "40.40.123.231" }
+2014:07:02-13:07:50: '40.40.123.231' 5 failed login attempt. Invalid account 'user%2Ename'
+
+# failJSON: { "time": "2014-07-02T13:28:39", "match": false , "host": "12.12.123.231" }
+2014:07:02-13:28:39: '12.12.123.231' successful login to 'nobody' after 1 attempts
+
+# failJSON: { "time": "2014-07-02T13:29:38", "match": true , "host": "1.2.3.4" }
+2014:07:02-13:29:38: '1.2.3.4' 2 failed login attempts. Account 'user' via 'admin'

From 3777591ab0ccb473397ed88ffe4c96d7db893a93 Mon Sep 17 00:00:00 2001
From: Marc Laporte <marc@marclaporte.com>
Date: Sat, 5 Jul 2014 11:55:57 -0400
Subject: [PATCH 02/82] typo

---
 config/jail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/jail.conf b/config/jail.conf
index c42952d8..5c5c7651 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -10,7 +10,7 @@
 #
 # YOU SHOULD NOT MODIFY THIS FILE.
 #
-# It will probably be overwitten or improved in a distribution update.
+# It will probably be overwritten or improved in a distribution update.
 #
 # Provide customizations in a jail.local file or a jail.d/customisation.local.
 # For example to change the default bantime for all jails and to enable the

From 43950d8b7eb2d3b5bab0e67dfbaa3fbadda16872 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue, 8 Jul 2014 11:09:25 -0400
Subject: [PATCH 03/82] BF: fix path to the exim log on Debian systems
 (/var/log/exim4)

---
 config/jail.conf         | 4 ++--
 config/paths-common.conf | 1 +
 config/paths-debian.conf | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/jail.conf b/config/jail.conf
index c42952d8..0aaed995 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -501,13 +501,13 @@ logpath = %(solidpop3d_log)s
 [exim]
 
 port   = smtp,465,submission
-logpath = /var/log/exim/mainlog
+logpath = %(exim_main_log)s
 
 
 [exim-spam]
 
 port   = smtp,465,submission
-logpath = /var/log/exim/mainlog
+logpath = %(exim_main_log)s
 
 
 [kerio]
diff --git a/config/paths-common.conf b/config/paths-common.conf
index 008dab4e..a2c9f7af 100644
--- a/config/paths-common.conf
+++ b/config/paths-common.conf
@@ -22,6 +22,7 @@ syslog_user =
 # from /etc/audit/auditd.conf
 auditd_log = /var/log/audit/audit.log
 
+exim_main_log = /var/log/exim/mainlog
 
 nginx_error_log = /var/log/nginx/error.log
 
diff --git a/config/paths-debian.conf b/config/paths-debian.conf
index 50ff948b..eff4fdae 100644
--- a/config/paths-debian.conf
+++ b/config/paths-debian.conf
@@ -30,6 +30,7 @@ apache_error_log = /var/log/apache2/*error.log
 
 apache_access_log = /var/log/apache2/*access.log
 
+exim_main_log = /var/log/exim4/mainlog
 
 # was in debian squeezy but not in wheezy
 # /etc/proftpd/proftpd.conf (SystemLog)

From 6cddc65ceeba8d5fe40ed367e5e650c60bc721b1 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 14 Jul 2014 12:15:07 -0400
Subject: [PATCH 04/82] BF: path to exim's mainlog on Fedora (Thanks Frantisek
 Sumsal) + changelog entry

---
 ChangeLog                | 1 +
 config/paths-fedora.conf | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index bdae885c..0309b828 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -36,6 +36,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
      Thanks Serg G. Brester
    * Correct times for non-timezone date times formats during DST
    * Pass a copy of, not original, aInfo into actions to avoid side-effects
+   * Per-distribution paths to the exim's main log
 
 - New features:
    - Added monit filter thanks Jason H Martin.
diff --git a/config/paths-fedora.conf b/config/paths-fedora.conf
index 69322e43..cc574b39 100644
--- a/config/paths-fedora.conf
+++ b/config/paths-fedora.conf
@@ -32,4 +32,6 @@ apache_access_log = /var/log/httpd/*access_log
 # proftpd_log = /var/log/proftpd/auth.log
 # Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
 
+exim_main_log = /var/log/exim/main.log
+
 mysql_log = /var/lib/mysql/mysqld.log

From 84b7e93a4786e89921739e61d4c97dc87eba9cab Mon Sep 17 00:00:00 2001
From: Sean DuBois <sean@siobud.com>
Date: Fri, 11 Jul 2014 05:08:36 +0000
Subject: [PATCH 05/82] ENH: Add version command to protocol TST: Add test for
 version server command

---
 ChangeLog                        | 1 +
 THANKS                           | 1 +
 fail2ban/client/beautifier.py    | 2 ++
 fail2ban/protocol.py             | 1 +
 fail2ban/server/transmitter.py   | 5 ++++-
 fail2ban/tests/servertestcase.py | 4 ++++
 man/fail2ban-client.1            | 3 +++
 7 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index bdae885c..d453e67b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 
 - New features:
    - Added monit filter thanks Jason H Martin.
+   - fail2ban-client can fetch the running server version
 
 - Enhancements
    * Fail2ban-regex - add print-all-matched option. Closes gh-652
diff --git a/THANKS b/THANKS
index 5752c475..656a4ad4 100644
--- a/THANKS
+++ b/THANKS
@@ -88,6 +88,7 @@ Rolf Fokkens
 Roman Gelfand
 Russell Odom
 SATO Kentaro
+Sean DuBois
 Sebastian Arcus
 Serg G. Brester
 Sireyessire
diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py
index cf17e54f..d94216c8 100644
--- a/fail2ban/client/beautifier.py
+++ b/fail2ban/client/beautifier.py
@@ -51,6 +51,8 @@ class Beautifier:
 		try:
 			if inC[0] == "ping":
 				msg = "Server replied: " + response
+			elif inC[0] == "version":
+				msg = response
 			elif inC[0] == "start":
 				msg = "Jail started"
 			elif inC[0] == "stop":
diff --git a/fail2ban/protocol.py b/fail2ban/protocol.py
index 8d053501..9a6ee675 100644
--- a/fail2ban/protocol.py
+++ b/fail2ban/protocol.py
@@ -38,6 +38,7 @@ protocol = [
 ["status", "gets the current status of the server"], 
 ["ping", "tests if the server is alive"], 
 ["help", "return this output"], 
+["version", "return the server version"],
 ['', "LOGGING", ""],
 ["set loglevel <LEVEL>", "sets logging level to <LEVEL>. Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG"], 
 ["get loglevel", "gets the logging level"], 
diff --git a/fail2ban/server/transmitter.py b/fail2ban/server/transmitter.py
index 0cd30515..39157128 100644
--- a/fail2ban/server/transmitter.py
+++ b/fail2ban/server/transmitter.py
@@ -28,6 +28,7 @@ import time
 import json
 
 from ..helpers import getLogger
+from .. import version
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
@@ -102,7 +103,9 @@ class Transmitter:
 		elif command[0] == "get":
 			return self.__commandGet(command[1:])
 		elif command[0] == "status":
-			return self.status(command[1:])			
+			return self.status(command[1:])
+		elif command[0] == "version":
+			return version.version
 		raise Exception("Invalid command")
 	
 	def __commandSet(self, command):
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 9b78fda8..fd2a22cc 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -37,6 +37,7 @@ from ..server.jail import Jail
 from ..server.jailthread import JailThread
 from .utils import LogCaptureTestCase
 from ..helpers import getLogger
+from .. import version
 
 try:
 	from ..server import filtersystemd
@@ -148,6 +149,9 @@ class Transmitter(TransmitterBase):
 	def testPing(self):
 		self.assertEqual(self.transm.proceed(["ping"]), (0, "pong"))
 
+	def testVersion(self):
+		self.assertEqual(self.transm.proceed(["version"]), (0, version.version))
+
 	def testSleep(self):
 		t0 = time.time()
 		self.assertEqual(self.transm.proceed(["sleep", "1"]), (0, None))
diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1
index 32580e20..e2df68ed 100644
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@@ -71,6 +71,9 @@ tests if the server is alive
 .TP
 \fBhelp\fR
 return this output
+.TP
+\fBversion\fR
+return the server version
 .IP
 LOGGING
 .TP

From 2f42ab00ad33342abc0a681e79312d19d735adb4 Mon Sep 17 00:00:00 2001
From: Florian Pelgrim <florian.pelgrim@craneworks.de>
Date: Thu, 17 Jul 2014 16:44:45 +0200
Subject: [PATCH 06/82] Adding vagrant support

Vagrant will provide you with a default devel box where code
can be tested. No further arguments like "On my system it is
running. Has to be yours".
I choosed a Debian wheezy based box with saltstack installed.
Wheezy because it is stable and ships mostly older packages
than other distros. Saltstack is used for pre-installing
packeges when bringing up our box. So any requierements from
fail2ban can be saved here and shipped out with git.

You can add multiple other boxes. For example adding CentOS
to check if the tests are passing also there.
---
 .gitignore  |   1 +
 Vagrantfile | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 123 insertions(+)
 create mode 100644 Vagrantfile

diff --git a/.gitignore b/.gitignore
index 76a33e60..a8942050 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@ htmlcov
 *.rej
 *.bak
 __pycache__
+.vagrant/
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 00000000..d39b6201
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,122 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  # All Vagrant configuration is done here. The most common configuration
+  # options are documented and commented below. For a complete reference,
+  # please see the online documentation at vagrantup.com.
+
+  # Every Vagrant virtual environment requires a box to build off of.
+  config.vm.box = "h2ometrics/salty-wheezy64"
+
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+  # config.vm.network "private_network", ip: "192.168.33.10"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # If true, then any SSH connections made will enable agent forwarding.
+  # Default value: false
+  # config.ssh.forward_agent = true
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  # config.vm.provider "virtualbox" do |vb|
+  #   # Don't boot with headless mode
+  #   vb.gui = true
+  #
+  #   # Use VBoxManage to customize the VM. For example to change memory:
+  #   vb.customize ["modifyvm", :id, "--memory", "1024"]
+  # end
+  #
+  # View the documentation for the provider you're using for more
+  # information on available options.
+
+  # Enable provisioning with CFEngine. CFEngine Community packages are
+  # automatically installed. For example, configure the host as a
+  # policy server and optionally a policy file to run:
+  #
+  # config.vm.provision "cfengine" do |cf|
+  #   cf.am_policy_hub = true
+  #   # cf.run_file = "motd.cf"
+  # end
+  #
+  # You can also configure and bootstrap a client to an existing
+  # policy server:
+  #
+  # config.vm.provision "cfengine" do |cf|
+  #   cf.policy_server_address = "10.0.2.15"
+  # end
+
+  # Enable provisioning with Puppet stand alone.  Puppet manifests
+  # are contained in a directory path relative to this Vagrantfile.
+  # You will need to create the manifests directory and a manifest in
+  # the file default.pp in the manifests_path directory.
+  #
+  # config.vm.provision "puppet" do |puppet|
+  #   puppet.manifests_path = "manifests"
+  #   puppet.manifest_file  = "site.pp"
+  # end
+
+  # Enable provisioning with chef solo, specifying a cookbooks path, roles
+  # path, and data_bags path (all relative to this Vagrantfile), and adding
+  # some recipes and/or roles.
+  #
+  # config.vm.provision "chef_solo" do |chef|
+  #   chef.cookbooks_path = "../my-recipes/cookbooks"
+  #   chef.roles_path = "../my-recipes/roles"
+  #   chef.data_bags_path = "../my-recipes/data_bags"
+  #   chef.add_recipe "mysql"
+  #   chef.add_role "web"
+  #
+  #   # You may also specify custom JSON attributes:
+  #   chef.json = { mysql_password: "foo" }
+  # end
+
+  # Enable provisioning with chef server, specifying the chef server URL,
+  # and the path to the validation key (relative to this Vagrantfile).
+  #
+  # The Opscode Platform uses HTTPS. Substitute your organization for
+  # ORGNAME in the URL and validation key.
+  #
+  # If you have your own Chef Server, use the appropriate URL, which may be
+  # HTTP instead of HTTPS depending on your configuration. Also change the
+  # validation key to validation.pem.
+  #
+  # config.vm.provision "chef_client" do |chef|
+  #   chef.chef_server_url = "https://api.opscode.com/organizations/ORGNAME"
+  #   chef.validation_key_path = "ORGNAME-validator.pem"
+  # end
+  #
+  # If you're using the Opscode platform, your validator client is
+  # ORGNAME-validator, replacing ORGNAME with your organization name.
+  #
+  # If you have your own Chef Server, the default validation client name is
+  # chef-validator, unless you changed the configuration.
+  #
+  #   chef.validation_client_name = "ORGNAME-validator"
+end

From ac9fa906258e53509b5d5385008d1f4e53b40e5a Mon Sep 17 00:00:00 2001
From: Sean DuBois <sean@siobud.com>
Date: Thu, 17 Jul 2014 21:57:52 +0000
Subject: [PATCH 07/82] BF: Round timeofban before inserting into the
 persistant database

---
 fail2ban/server/database.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py
index 51161911..47f1a485 100644
--- a/fail2ban/server/database.py
+++ b/fail2ban/server/database.py
@@ -368,7 +368,7 @@ class Fail2BanDb(object):
 		#TODO: Implement data parts once arbitrary match keys completed
 		cur.execute(
 			"INSERT INTO bans(jail, ip, timeofban, data) VALUES(?, ?, ?, ?)",
-			(jail.name, ticket.getIP(), ticket.getTime(),
+			(jail.name, ticket.getIP(), round(ticket.getTime()),
 				{"matches": ticket.getMatches(),
 					"failures": ticket.getAttempt()}))
 

From 5471e99ebe3065120ff148260bc55e202b7feeed Mon Sep 17 00:00:00 2001
From: leftyfb <leftyfb@left-click.org>
Date: Thu, 17 Jul 2014 22:54:30 -0400
Subject: [PATCH 08/82] Added cloudflare action

---
 config/action.d/cloudflare.conf | 53 +++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 config/action.d/cloudflare.conf

diff --git a/config/action.d/cloudflare.conf b/config/action.d/cloudflare.conf
new file mode 100644
index 00000000..ead0d23e
--- /dev/null
+++ b/config/action.d/cloudflare.conf
@@ -0,0 +1,53 @@
+#
+# Author: Mike Rushton
+#
+# $Revision$
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    &lt;ip&gt;  IP address
+#          &lt;failures&gt;  number of failures
+#          &lt;time&gt;  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = curl -s "https://www.cloudflare.com/api.html?a=ban&key=<ip>&u=<cfuser>&tkn=<cftoken>"
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    &lt;ip&gt;  IP address
+#          &lt;failures&gt;  number of failures
+#          &lt;time&gt;  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = curl -s "https://www.cloudflare.com/api.html?a=nul&key=<ip>&u=<cfuser>&tkn=<cftoken>"
+
+
+[Init]
+
+# Default Cloudflare API token 
+cftoken = 
+
+# Default Cloudflare username
+cfuser = 

From cba570cabdb8cc04f18ab7c46a0044364590772a Mon Sep 17 00:00:00 2001
From: leftyfb <leftyfb@left-click.org>
Date: Thu, 17 Jul 2014 23:49:35 -0400
Subject: [PATCH 09/82] Updated comments

---
 config/action.d/cloudflare.conf | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/config/action.d/cloudflare.conf b/config/action.d/cloudflare.conf
index ead0d23e..790a00a9 100644
--- a/config/action.d/cloudflare.conf
+++ b/config/action.d/cloudflare.conf
@@ -1,7 +1,9 @@
 #
 # Author: Mike Rushton
 #
-# $Revision$
+# Referenced from from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE
+#
+# To get your Cloudflare API key: https://www.cloudflare.com/my-account
 #
 
 [Definition]
@@ -27,18 +29,18 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    &lt;ip&gt;  IP address
-#          &lt;failures&gt;  number of failures
-#          &lt;time&gt;  unix timestamp of the ban time
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionban = curl -s "https://www.cloudflare.com/api.html?a=ban&key=<ip>&u=<cfuser>&tkn=<cftoken>"
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    &lt;ip&gt;  IP address
-#          &lt;failures&gt;  number of failures
-#          &lt;time&gt;  unix timestamp of the ban time
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = curl -s "https://www.cloudflare.com/api.html?a=nul&key=<ip>&u=<cfuser>&tkn=<cftoken>"

From fc7eaac77ae1eed84e96eb91b4847f25b8358b00 Mon Sep 17 00:00:00 2001
From: Florian Pelgrim <florian.pelgrim@craneworks.de>
Date: Fri, 18 Jul 2014 17:51:06 +0200
Subject: [PATCH 10/82] Vagrant with two Ubuntu Trusty64 boxes

Added Vagrantfile with Ubuntu Trusty64 configured.
Both VMs are sharing the same network 192.168.200.0/24. Options for using
saltstack are pre-configured but commented out.

VM "secure" can be used for testing fail2ban code.

VM "attacker" can be used to perform attack against our "secure" VM.
---
 Vagrantfile | 138 +++++++++-------------------------------------------
 1 file changed, 23 insertions(+), 115 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index d39b6201..120ffd7f 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,122 +1,30 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
+Vagrant.configure("2") do |config|
 
-# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
-VAGRANTFILE_API_VERSION = "2"
+    config.vm.define "secure" do |secure|
+        secure.vm.box = "ubuntu/trusty64"
+        secure.vm.hostname = "secure.dev.fail2ban.org"
+        secure.vm.network "private_network", ip: "192.168.200.100"
 
-Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  # All Vagrant configuration is done here. The most common configuration
-  # options are documented and commented below. For a complete reference,
-  # please see the online documentation at vagrantup.com.
+#        secure.vm.synced_folder 'salt/roots', '/srv/salt'
 
-  # Every Vagrant virtual environment requires a box to build off of.
-  config.vm.box = "h2ometrics/salty-wheezy64"
+#        secure.vm.provision :salt do |salt|
+#            salt.minion_config = 'salt/minion'
+#            salt.run_highstate = true
+#            salt.verbose = true
+#        end
+    end
 
-  # Disable automatic box update checking. If you disable this, then
-  # boxes will only be checked for updates when the user runs
-  # `vagrant box outdated`. This is not recommended.
-  # config.vm.box_check_update = false
+    config.vm.define "attacker" do |attacker|
+        attacker.vm.box = "ubuntu/trusty64"
+        attacker.vm.hostname = "attacker.dev.fail2ban.org"
+        attacker.vm.network "private_network", ip: "192.168.200.150"
 
-  # Create a forwarded port mapping which allows access to a specific port
-  # within the machine from a port on the host machine. In the example below,
-  # accessing "localhost:8080" will access port 80 on the guest machine.
-  # config.vm.network "forwarded_port", guest: 80, host: 8080
+#        attacker.vm.synced_folder 'salt/roots', '/srv/salt'
 
-  # Create a private network, which allows host-only access to the machine
-  # using a specific IP.
-  # config.vm.network "private_network", ip: "192.168.33.10"
-
-  # Create a public network, which generally matched to bridged network.
-  # Bridged networks make the machine appear as another physical device on
-  # your network.
-  # config.vm.network "public_network"
-
-  # If true, then any SSH connections made will enable agent forwarding.
-  # Default value: false
-  # config.ssh.forward_agent = true
-
-  # Share an additional folder to the guest VM. The first argument is
-  # the path on the host to the actual folder. The second argument is
-  # the path on the guest to mount the folder. And the optional third
-  # argument is a set of non-required options.
-  # config.vm.synced_folder "../data", "/vagrant_data"
-
-  # Provider-specific configuration so you can fine-tune various
-  # backing providers for Vagrant. These expose provider-specific options.
-  # Example for VirtualBox:
-  #
-  # config.vm.provider "virtualbox" do |vb|
-  #   # Don't boot with headless mode
-  #   vb.gui = true
-  #
-  #   # Use VBoxManage to customize the VM. For example to change memory:
-  #   vb.customize ["modifyvm", :id, "--memory", "1024"]
-  # end
-  #
-  # View the documentation for the provider you're using for more
-  # information on available options.
-
-  # Enable provisioning with CFEngine. CFEngine Community packages are
-  # automatically installed. For example, configure the host as a
-  # policy server and optionally a policy file to run:
-  #
-  # config.vm.provision "cfengine" do |cf|
-  #   cf.am_policy_hub = true
-  #   # cf.run_file = "motd.cf"
-  # end
-  #
-  # You can also configure and bootstrap a client to an existing
-  # policy server:
-  #
-  # config.vm.provision "cfengine" do |cf|
-  #   cf.policy_server_address = "10.0.2.15"
-  # end
-
-  # Enable provisioning with Puppet stand alone.  Puppet manifests
-  # are contained in a directory path relative to this Vagrantfile.
-  # You will need to create the manifests directory and a manifest in
-  # the file default.pp in the manifests_path directory.
-  #
-  # config.vm.provision "puppet" do |puppet|
-  #   puppet.manifests_path = "manifests"
-  #   puppet.manifest_file  = "site.pp"
-  # end
-
-  # Enable provisioning with chef solo, specifying a cookbooks path, roles
-  # path, and data_bags path (all relative to this Vagrantfile), and adding
-  # some recipes and/or roles.
-  #
-  # config.vm.provision "chef_solo" do |chef|
-  #   chef.cookbooks_path = "../my-recipes/cookbooks"
-  #   chef.roles_path = "../my-recipes/roles"
-  #   chef.data_bags_path = "../my-recipes/data_bags"
-  #   chef.add_recipe "mysql"
-  #   chef.add_role "web"
-  #
-  #   # You may also specify custom JSON attributes:
-  #   chef.json = { mysql_password: "foo" }
-  # end
-
-  # Enable provisioning with chef server, specifying the chef server URL,
-  # and the path to the validation key (relative to this Vagrantfile).
-  #
-  # The Opscode Platform uses HTTPS. Substitute your organization for
-  # ORGNAME in the URL and validation key.
-  #
-  # If you have your own Chef Server, use the appropriate URL, which may be
-  # HTTP instead of HTTPS depending on your configuration. Also change the
-  # validation key to validation.pem.
-  #
-  # config.vm.provision "chef_client" do |chef|
-  #   chef.chef_server_url = "https://api.opscode.com/organizations/ORGNAME"
-  #   chef.validation_key_path = "ORGNAME-validator.pem"
-  # end
-  #
-  # If you're using the Opscode platform, your validator client is
-  # ORGNAME-validator, replacing ORGNAME with your organization name.
-  #
-  # If you have your own Chef Server, the default validation client name is
-  # chef-validator, unless you changed the configuration.
-  #
-  #   chef.validation_client_name = "ORGNAME-validator"
+#        attacker.vm.provision :salt do |salt|
+#            salt.minion_config = 'salt/minion'
+#            salt.run_highstate = true
+#            salt.verbose = true
+#        end
+    end
 end

From e301d6c840363f04f320e66a8b0ad4d9b926c775 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks <steven@hiscocks.me.uk>
Date: Sat, 19 Jul 2014 15:15:38 +0100
Subject: [PATCH 11/82] DOC: Update ChangeLog for change in b73ed9b

---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 73d696e0..60ec9cbc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,8 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * Correct times for non-timezone date times formats during DST
    * Pass a copy of, not original, aInfo into actions to avoid side-effects
    * Per-distribution paths to the exim's main log
+   * Ignored IPs are no longer banned when being restored from persistent
+     database
 
 - New features:
    - Added monit filter thanks Jason H Martin.

From 01d02ca5e69d3f16e8740f08ada09d736d1a13d1 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks <steven@hiscocks.me.uk>
Date: Sat, 19 Jul 2014 15:17:32 +0100
Subject: [PATCH 12/82] BF: Remove manually unbanned IPs from persistent
 database

Stops them being restored when Fail2Ban is restarted. Particularly this
is an issue with bantime < 0

Fixes gh-768
---
 ChangeLog                          |  2 ++
 fail2ban/server/actions.py         |  2 ++
 fail2ban/server/database.py        | 17 ++++++++++++++++-
 fail2ban/tests/databasetestcase.py |  6 ++++++
 4 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 60ec9cbc..9ae7b8c3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,8 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * Per-distribution paths to the exim's main log
    * Ignored IPs are no longer banned when being restored from persistent
      database
+   * Manually unbanned IPs are now removed from persistent database, such they
+     wont be banned again when Fail2Ban is restarted
 
 - New features:
    - Added monit filter thanks Jason H Martin.
diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
index fa0e94df..c8e9c5d9 100644
--- a/fail2ban/server/actions.py
+++ b/fail2ban/server/actions.py
@@ -197,6 +197,8 @@ class Actions(JailThread, Mapping):
 		if ticket is not None:
 			# Unban the IP.
 			self.__unBan(ticket)
+			if self._jail.database is not None:
+				self._jail.database.delBan(self._jail, ticket)
 		else:
 			raise ValueError("IP %s is not banned" % ip)
 
diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py
index 47f1a485..351d1829 100644
--- a/fail2ban/server/database.py
+++ b/fail2ban/server/database.py
@@ -368,10 +368,25 @@ class Fail2BanDb(object):
 		#TODO: Implement data parts once arbitrary match keys completed
 		cur.execute(
 			"INSERT INTO bans(jail, ip, timeofban, data) VALUES(?, ?, ?, ?)",
-			(jail.name, ticket.getIP(), round(ticket.getTime()),
+			(jail.name, ticket.getIP(), int(round(ticket.getTime())),
 				{"matches": ticket.getMatches(),
 					"failures": ticket.getAttempt()}))
 
+	@commitandrollback
+	def delBan(self, cur, jail, ticket):
+		"""Delete a ban from the database.
+
+		Parameters
+		----------
+		jail : Jail
+			Jail in which the ban has occurred.
+		ticket : BanTicket
+			Ticket of the ban to be removed.
+		"""
+		cur.execute(
+			"DELETE FROM bans WHERE jail = ? AND ip = ? AND timeofban = ?",
+			(jail.name, ticket.getIP(), int(round(ticket.getTime()))))
+
 	@commitandrollback
 	def _getBans(self, cur, jail=None, bantime=None, ip=None):
 		query = "SELECT ip, timeofban, data FROM bans WHERE 1"
diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py
index 2cf8577e..f0757e5b 100644
--- a/fail2ban/tests/databasetestcase.py
+++ b/fail2ban/tests/databasetestcase.py
@@ -173,6 +173,12 @@ class DatabaseTest(unittest.TestCase):
 		self.assertTrue(
 			isinstance(self.db.getBans(jail=self.jail)[0], FailTicket))
 
+	def testDelBan(self):
+		self.testAddBan()
+		ticket = self.db.getBans(jail=self.jail)[0]
+		self.db.delBan(self.jail, ticket)
+		self.assertEqual(len(self.db.getBans(jail=self.jail)), 0)
+
 	def testGetBansWithTime(self):
 		if Fail2BanDb is None: # pragma: no cover
 			return

From 3d7504c19eb04d4756808805ad34998ed4dbe8e6 Mon Sep 17 00:00:00 2001
From: Pierre-Alain Dupont <pad@melix.net>
Date: Sun, 20 Jul 2014 16:25:59 +0200
Subject: [PATCH 13/82] Forwards bantime to action scripts

That way, ipset and afctl will use a real timeout and not default to a fixed value for all jails
---
 config/jail.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/jail.conf b/config/jail.conf
index 0aaed995..45031755 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -151,22 +151,22 @@ port = 0:65535
 banaction = iptables-multiport
 
 # The simplest action to take: ban only
-action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 
 # ban & send an e-mail with whois report to the destemail.
-action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 
 # ban & send an e-mail with whois report and relevant log lines
 # to the destemail.
-action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
 # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
 #
 # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
 # to the destemail.
-action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
 
 

From a786e8a29b29748084c6d375d9bfc6e44c71e0d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sz=C3=A9pe=20Viktor?= <viktor@szepe.net>
Date: Sun, 20 Jul 2014 19:59:54 +0200
Subject: [PATCH 14/82] named users + smtp atuh probes

---
 config/filter.d/courier-smtp.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/courier-smtp.conf b/config/filter.d/courier-smtp.conf
index 2b9a13f2..7a3b9895 100644
--- a/config/filter.d/courier-smtp.conf
+++ b/config/filter.d/courier-smtp.conf
@@ -12,7 +12,8 @@ before = common.conf
 
 _daemon = courieresmtpd
 
-failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User (<.*> )?unknown(\.)?$
+            ^%(__prefix_line)serror,relay=<HOST>,msg="535 Authentication failed\.",cmd: (AUTH PLAIN )?[0-9a-zA-Z\+/=]+$
 
 ignoreregex = 
 

From d757ef584f7928086f439da5653031019eeb4110 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sz=C3=A9pe=20Viktor?= <viktor@szepe.net>
Date: Sun, 20 Jul 2014 21:09:10 +0200
Subject: [PATCH 15/82] Update courier-smtp.conf

---
 config/filter.d/courier-smtp.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/courier-smtp.conf b/config/filter.d/courier-smtp.conf
index 7a3b9895..9447de40 100644
--- a/config/filter.d/courier-smtp.conf
+++ b/config/filter.d/courier-smtp.conf
@@ -13,7 +13,7 @@ before = common.conf
 _daemon = courieresmtpd
 
 failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User (<.*> )?unknown(\.)?$
-            ^%(__prefix_line)serror,relay=<HOST>,msg="535 Authentication failed\.",cmd: (AUTH PLAIN )?[0-9a-zA-Z\+/=]+$
+            ^%(__prefix_line)serror,relay=<HOST>,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?$
 
 ignoreregex = 
 

From 9c4f9a3de8c2394a2f098365756c6d0853727366 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sz=C3=A9pe=20Viktor?= <viktor@szepe.net>
Date: Sun, 20 Jul 2014 21:13:55 +0200
Subject: [PATCH 16/82] added Jul 3 & Jul 4

---
 fail2ban/tests/files/logs/courier-smtp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fail2ban/tests/files/logs/courier-smtp b/fail2ban/tests/files/logs/courier-smtp
index 212df3b4..33463bab 100644
--- a/fail2ban/tests/files/logs/courier-smtp
+++ b/fail2ban/tests/files/logs/courier-smtp
@@ -1,5 +1,9 @@
 # failJSON: { "time": "2005-04-10T03:47:57", "match": true , "host": "1.2.3.4" }
 Apr 10 03:47:57 web courieresmtpd: error,relay=::ffff:1.2.3.4,ident=tmf,from=<tmf@example.com>,to=<mailman-subscribe@example.com>: 550 User unknown.
+# failJSON: { "time": "2004-07-03T23:07:20", "match": true , "host": "1.2.3.4" }
+Jul  3 23:07:20 szerver courieresmtpd: error,relay=::ffff:1.2.3.4,msg="535 Authentication failed.",cmd: YWRvYmVhZG9iZQ==
+# failJSON: { "time": "2004-07-04T18:39:39", "match": true , "host": "1.2.3.4" }
+Jul  4 18:39:39 mail courieresmtpd: error,relay=::ffff:1.2.3.4,from=<picaro@astroboymail.com>,to=<user@update.net>: 550 User <benny> unknown
 # failJSON: { "time": "2005-07-06T03:42:28", "match": true , "host": "1.2.3.4" }
 Jul  6 03:42:28 whistler courieresmtpd: error,relay=::ffff:1.2.3.4,from=<>,to=<admin at memcpy>: 550 User unknown.
 # failJSON: { "time": "2004-11-21T23:16:17", "match": true , "host": "1.2.3.4" }

From 68bf5a1c3638732a3ef520dc7638eacda2a9b393 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sz=C3=A9pe=20Viktor?= <viktor@szepe.net>
Date: Sun, 20 Jul 2014 21:23:57 +0200
Subject: [PATCH 17/82] I don't understand those years.

---
 fail2ban/tests/files/logs/courier-smtp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fail2ban/tests/files/logs/courier-smtp b/fail2ban/tests/files/logs/courier-smtp
index 33463bab..7beaf856 100644
--- a/fail2ban/tests/files/logs/courier-smtp
+++ b/fail2ban/tests/files/logs/courier-smtp
@@ -1,8 +1,8 @@
 # failJSON: { "time": "2005-04-10T03:47:57", "match": true , "host": "1.2.3.4" }
 Apr 10 03:47:57 web courieresmtpd: error,relay=::ffff:1.2.3.4,ident=tmf,from=<tmf@example.com>,to=<mailman-subscribe@example.com>: 550 User unknown.
-# failJSON: { "time": "2004-07-03T23:07:20", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-07-03T23:07:20", "match": true , "host": "1.2.3.4" }
 Jul  3 23:07:20 szerver courieresmtpd: error,relay=::ffff:1.2.3.4,msg="535 Authentication failed.",cmd: YWRvYmVhZG9iZQ==
-# failJSON: { "time": "2004-07-04T18:39:39", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-07-04T18:39:39", "match": true , "host": "1.2.3.4" }
 Jul  4 18:39:39 mail courieresmtpd: error,relay=::ffff:1.2.3.4,from=<picaro@astroboymail.com>,to=<user@update.net>: 550 User <benny> unknown
 # failJSON: { "time": "2005-07-06T03:42:28", "match": true , "host": "1.2.3.4" }
 Jul  6 03:42:28 whistler courieresmtpd: error,relay=::ffff:1.2.3.4,from=<>,to=<admin at memcpy>: 550 User unknown.

From 3e5c598b79fe4e179ca40d7bc97613c8c9b4af59 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri, 25 Jul 2014 10:02:40 -0400
Subject: [PATCH 18/82] BF: cyrus-imaps -- catch also for secured daemons

---
 ChangeLog                            | 3 +++
 config/filter.d/cyrus-imap.conf      | 2 +-
 fail2ban/tests/files/logs/cyrus-imap | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 60ec9cbc..53e2e705 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,9 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * Per-distribution paths to the exim's main log
    * Ignored IPs are no longer banned when being restored from persistent
      database
+   * Catch also failed logins via secured (imaps/pop3s) for cyrus-imap.
+     Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
+     Debian bug #755173
 
 - New features:
    - Added monit filter thanks Jason H Martin.
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index 3560234e..f8bee060 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -11,7 +11,7 @@ before = common.conf
 
 [Definition]
 
-_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
 
 failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
 
diff --git a/fail2ban/tests/files/logs/cyrus-imap b/fail2ban/tests/files/logs/cyrus-imap
index 9bf271f6..c46cb1ee 100644
--- a/fail2ban/tests/files/logs/cyrus-imap
+++ b/fail2ban/tests/files/logs/cyrus-imap
@@ -1,5 +1,7 @@
 # failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1" }
 Jan 4 21:51:05 hostname cyrus/imap[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1", "desc": "For secure imaps" }
+Jan 4 21:51:05 hostname cyrus/imaps[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
 # failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "198.51.100.23" }
 Feb 20 17:23:32 domain cyrus/pop3[18635]: badlogin: localhost [198.51.100.23] plaintext administrator SASL(-13): authentication failure: checkpass failed
 # failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "1.2.3.4" }

From 3339dc8d84aa30e029cf066a92ddbde8a2c0cc4e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri, 25 Jul 2014 10:12:17 -0400
Subject: [PATCH 19/82] ENH: cyrus-imap -- catch also 'user not found' attempts

---
 ChangeLog                            | 1 +
 THANKS                               | 1 +
 config/filter.d/cyrus-imap.conf      | 2 +-
 fail2ban/tests/files/logs/cyrus-imap | 5 ++++-
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 53e2e705..33ecc095 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -55,6 +55,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * Realign fail2ban log output with white space to improve readability. Does
      not affect SYSLOG output
    * Log unhandled exceptions
+   * cyrus-imap: catch "user not found" attempts
 
 ver. 0.9.0 (2014/03/14) - beta
 ----------
diff --git a/THANKS b/THANKS
index 656a4ad4..023ec601 100644
--- a/THANKS
+++ b/THANKS
@@ -80,6 +80,7 @@ onorua
 Paul Marrapese
 Noel Butler
 Patrick Börjesson
+Pressy
 Raphaël Marichez
 RealRancor
 René Berber
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index f8bee060..73764d9d 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -13,7 +13,7 @@ before = common.conf
 
 _daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
 
-failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
 
 ignoreregex = 
 
diff --git a/fail2ban/tests/files/logs/cyrus-imap b/fail2ban/tests/files/logs/cyrus-imap
index c46cb1ee..f1edff06 100644
--- a/fail2ban/tests/files/logs/cyrus-imap
+++ b/fail2ban/tests/files/logs/cyrus-imap
@@ -12,4 +12,7 @@ Jun 8 18:11:13 lampserver imap[4480]: badlogin: example.com [198.51.100.45] DIGE
 Dec 21 10:01:57 hostname imapd[18454]: badlogin: example.com [198.51.100.57] CRAM-MD5 [SASL(-13): authentication failure: incorrect digest response]
 # failJSON: { "time": "2004-12-30T16:03:27", "match": true , "host": "1.2.3.4" }
 Dec 30 16:03:27 somehost imapd[2517]: badlogin: local-somehost[1.2.3.4] OTP [SASL(-13): authentication failure: External SSF not good enough]
-
+# failJSON: { "time": "2005-07-17T22:55:56", "match": true , "host": "1.2.3.4" }
+Jul 17 22:55:56 derry cyrus/imaps[7568]: badlogin: serafinat.xxxxxx [1.2.3.4] plain [SASL(-13): user not found: user: pressy@derry property: cmusaslsecretPLAIN not found in sasldb]
+# failJSON: { "time": "2005-07-18T16:46:42", "match": true , "host": "1.2.3.4" }
+Jul 18 16:46:42 derry cyrus/imaps[27449]: badlogin: serafinat.xxxxxx [1.2.3.4] PLAIN [SASL(-13): user not found: Password verification failed]

From edfdeecfe64b7ed43903c6dfae7219647c88f4e6 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 27 Jul 2014 21:48:55 -0400
Subject: [PATCH 20/82] DOC: Changelog for recent merge

---
 ChangeLog | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 60ec9cbc..ea92ce04 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,7 +41,9 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
      database
 
 - New features:
-   - Added monit filter thanks Jason H Martin.
+   - Added
+     - monit filter. Thanks Jason H Martin
+     - directadmin filter. Thanks niorg
    - fail2ban-client can fetch the running server version
 
 - Enhancements

From 143a55bf26de76ecac332f43c03cd9542e2ccd48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sz=C3=A9pe=20Viktor?= <viktor@szepe.net>
Date: Mon, 28 Jul 2014 12:51:38 +0200
Subject: [PATCH 21/82] Update courier-smtp.conf

---
 config/filter.d/courier-smtp.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/courier-smtp.conf b/config/filter.d/courier-smtp.conf
index 9447de40..7df385bf 100644
--- a/config/filter.d/courier-smtp.conf
+++ b/config/filter.d/courier-smtp.conf
@@ -12,7 +12,7 @@ before = common.conf
 
 _daemon = courieresmtpd
 
-failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User (<.*> )?unknown(\.)?$
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User (<.*> )?unknown\.?$
             ^%(__prefix_line)serror,relay=<HOST>,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?$
 
 ignoreregex = 

From a35b62500fabd0002b88db22564673c228863b5e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 28 Jul 2014 10:18:33 -0400
Subject: [PATCH 22/82] changelog entries for already merged and upcoming merge

---
 ChangeLog | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index a190b79c..d89a50f9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,8 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
      database
    * Manually unbanned IPs are now removed from persistent database, such they
      wont be banned again when Fail2Ban is restarted
+   * Pass "bantime" parameter to the actions in default jail's action
+     definition(s)
 
 - New features:
    - Added
@@ -52,6 +54,9 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * Fail2ban-regex - add print-all-matched option. Closes gh-652
    * Suppress fail2ban-client warnings for non-critical config options
    * Match non "Bye Bye" disconnect messages for sshd locked account regex
+   * courier-smtp filter:
+     - match lines with user names
+     - match lines containing "535 Authentication failed" attempts
    * Add <chain> tag to iptables-ipsets
    * Realign fail2ban log output with white space to improve readability. Does
      not affect SYSLOG output

From 2e7b8adb3be1eab8be7f05f71f1cf41c53f55ba4 Mon Sep 17 00:00:00 2001
From: Jisoo Park <xxxyel@gmail.com>
Date: Mon, 28 Jul 2014 23:42:02 +0900
Subject: [PATCH 23/82] Fix sieve filter to use correct option

---
 config/filter.d/sieve.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/sieve.conf b/config/filter.d/sieve.conf
index 999b68a4..4ec9c458 100644
--- a/config/filter.d/sieve.conf
+++ b/config/filter.d/sieve.conf
@@ -9,7 +9,7 @@ before = common.conf
 
 [Definition]
 
-_deamon = (?:cyrus/)?(?:tim)?sieved?
+_daemon = (?:cyrus/)?(?:tim)?sieved?
 
 failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
 

From 6dbd449f777efe7edc9ff6c3d4229dc15cc23a0f Mon Sep 17 00:00:00 2001
From: leftyfb <leftyfb@left-click.org>
Date: Mon, 28 Jul 2014 11:10:50 -0400
Subject: [PATCH 24/82] Changed to Cloudflare JSON API

---
 config/action.d/cloudflare.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/action.d/cloudflare.conf b/config/action.d/cloudflare.conf
index 790a00a9..4d5e2dc8 100644
--- a/config/action.d/cloudflare.conf
+++ b/config/action.d/cloudflare.conf
@@ -34,7 +34,7 @@ actioncheck =
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = curl -s "https://www.cloudflare.com/api.html?a=ban&key=<ip>&u=<cfuser>&tkn=<cftoken>"
+actionban = curl https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
@@ -43,7 +43,7 @@ actionban = curl -s "https://www.cloudflare.com/api.html?a=ban&key=<ip>&u=<cfuse
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = curl -s "https://www.cloudflare.com/api.html?a=nul&key=<ip>&u=<cfuser>&tkn=<cftoken>"
+actionunban = curl https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
 
 
 [Init]

From 2179c8293ca0e7ff640eeec1b9f183ca588c8a0e Mon Sep 17 00:00:00 2001
From: leftyfb <leftyfb@left-click.org>
Date: Mon, 28 Jul 2014 11:24:38 -0400
Subject: [PATCH 25/82] ChangeLog Added and entry about Cloudflare action

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index d453e67b..10302bfc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -40,6 +40,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 - New features:
    - Added monit filter thanks Jason H Martin.
    - fail2ban-client can fetch the running server version
+   - Added Cloudflare API action
 
 - Enhancements
    * Fail2ban-regex - add print-all-matched option. Closes gh-652

From 11010218960dcc8aee20f05ca6271af1015ef9f1 Mon Sep 17 00:00:00 2001
From: leftyfb <leftyfb@left-click.org>
Date: Mon, 28 Jul 2014 11:26:08 -0400
Subject: [PATCH 26/82] Added entry for Cloudflare action

---
 THANKS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/THANKS b/THANKS
index 656a4ad4..df8dbb3f 100644
--- a/THANKS
+++ b/THANKS
@@ -62,6 +62,7 @@ kjohnsonecl
 kojiro
 Lars Kneschke
 Lee Clemens
+leftyfb (Mike Rushton)
 Manuel Arostegui Ramirez
 Marcel Dopita
 Mark Edgington

From 2756bbe12a85fafcba76130e21309e32e68ecd36 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 28 Jul 2014 12:46:52 -0400
Subject: [PATCH 27/82] changelog and thanks for the preceding fix

Conflicts:
	ChangeLog
	THANKS
---
 ChangeLog | 1 +
 THANKS    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index d89a50f9..1080def5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
      wont be banned again when Fail2Ban is restarted
    * Pass "bantime" parameter to the actions in default jail's action
      definition(s)
+   * filters.d/sieve.conf - fixed typo in _daemon.  Thanks Jisoo Park
 
 - New features:
    - Added
diff --git a/THANKS b/THANKS
index 656a4ad4..78533eba 100644
--- a/THANKS
+++ b/THANKS
@@ -49,6 +49,7 @@ John Thoe
 Jacques Lav!gnotte
 Ioan Indreias
 Jason H Martin
+Jisoo Park
 Joel M Snyder
 Jonathan Kamens
 Jonathan Lanning

From 7b76322898327447f0b2c7dbba4fc29ed1288558 Mon Sep 17 00:00:00 2001
From: Markus Amalthea Magnuson <markus.magnuson@gmail.com>
Date: Sat, 2 Aug 2014 12:21:59 +0200
Subject: [PATCH 28/82] Fix typos.

---
 config/action.d/ufw.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
index c826729d..04b8b32c 100644
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@@ -1,9 +1,9 @@
 # Fail2Ban action configuration file for ufw
 #
-# You are required to run "ufw enable" before this will have an effect.
+# You are required to run "ufw enable" before this will have any effect.
 #
-# The insert position should be approprate to block the required traffic.
-# A number after an allow rule to the application won't be much use.
+# The insert position should be appropriate to block the required traffic.
+# A number after an allow rule to the application won't be of much use.
 
 [Definition]
 
@@ -19,7 +19,7 @@ actionunban = [ -n "<application>" ] && app="app <application>" ; ufw delete <bl
 
 [Init]
 # Option: insertpos
-# Notes.:  The postition number in the firewall list to insert the block rule
+# Notes.:  The position number in the firewall list to insert the block rule
 insertpos = 1
 
 # Option: blocktype

From 818dd59d652f38fe1edd499f23f49c812a99389e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri, 8 Aug 2014 11:57:30 -0400
Subject: [PATCH 29/82] ENH: symbiosis-blacklist-allports action

---
 ChangeLog                                     |  8 +--
 .../symbiosis-blacklist-allports.conf         | 52 +++++++++++++++++++
 2 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 config/action.d/symbiosis-blacklist-allports.conf

diff --git a/ChangeLog b/ChangeLog
index afd151ae..9e47e987 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -46,9 +46,11 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * filters.d/sieve.conf - fixed typo in _daemon.  Thanks Jisoo Park
 
 - New features:
-   - Added
-     - monit filter. Thanks Jason H Martin
-     - directadmin filter. Thanks niorg
+   - New filters:
+     - monit  Thanks Jason H Martin
+     - directadmin  Thanks niorg
+   - New actions:
+     - symbiosis-blacklist-allports  for Bytemark symbiosis firewall
    - fail2ban-client can fetch the running server version
    - Added Cloudflare API action
 
diff --git a/config/action.d/symbiosis-blacklist-allports.conf b/config/action.d/symbiosis-blacklist-allports.conf
new file mode 100644
index 00000000..c3ce44b0
--- /dev/null
+++ b/config/action.d/symbiosis-blacklist-allports.conf
@@ -0,0 +1,52 @@
+# Fail2Ban configuration file for Bytemark Symbiosis firewall
+#
+# Author: Yaroslav Halchenko
+#
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP.
+# Values:  CMD
+#
+actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
+            iptables -I <chain> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP.
+# Values:  CMD
+#
+actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
+              iptables -D <chain> -s <ip> -j <blocktype>
+
+[Init]
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added to.  blacklist is a chain initiated by symbiosis firewall.
+# Values:  STRING  Default: blacklist
+chain = blacklist
+
+# Option:  blocktype
+# Note:    This is to match default symbiosis firewall type for blacklisted IPs
+# Values:  STRING
+blocktype = DROP

From 6b554fbe983a7c40558f5710bd30f412de3731d2 Mon Sep 17 00:00:00 2001
From: Orion Poplawski <orion@cora.nwra.com>
Date: Fri, 8 Aug 2014 13:27:32 -0600
Subject: [PATCH 30/82] Fxi jail.conf to use more syslog macros

---
 config/jail.conf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/jail.conf b/config/jail.conf
index fc54e2fb..c48e6a7b 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -376,7 +376,7 @@ logpath  = /var/log/monit
 [webmin-auth]
 
 port    = 10000
-logpath = /var/log/auth.log
+logpath = %(syslog_authpriv)s
 
 
 #
@@ -429,7 +429,7 @@ maxretry = 6
 
 [vsftpd]
 # or overwrite it in jails.local to be
-# logpath = /var/log/auth.log
+# logpath = %(syslog_authpriv)s
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
 port     = ftp,ftp-data,ftps,ftps-data
@@ -539,7 +539,7 @@ logpath  = %(postfix_log)s
 [perdition]
 
 port   = imap3,imaps,pop3,pop3s
-logpath = /var/log/maillog
+logpath = %(syslog_mail)s
 
 
 [squirrelmail]
@@ -663,13 +663,13 @@ maxretry = 5
 [pam-generic]
 # pam-generic filter can be customized to monitor specific subset of 'tty's
 banaction = iptables-allports
-logpath  = /var/log/auth.log
+logpath  = %(syslog_authpriv)s
 
 
 [xinetd-fail]
 
 banaction = iptables-multiport-log
-logpath   = /var/log/daemon.log
+logpath   = %(syslog_daemon)s
 maxretry  = 2
 
 
@@ -699,7 +699,7 @@ action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
 [nagios]
 
 enabled  = false
-logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
+logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
 maxretry = 1
 
 

From b79a82ebdd6aa7b5fc972cc3081d2aff34ed03be Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Fri, 8 Aug 2014 15:57:41 -0400
Subject: [PATCH 31/82] minor typo

---
 config/paths-common.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/paths-common.conf b/config/paths-common.conf
index a2c9f7af..c634e73d 100644
--- a/config/paths-common.conf
+++ b/config/paths-common.conf
@@ -12,7 +12,7 @@ sshd_log = %(syslog_authpriv)s
 dropbear_log = %(syslog_authpriv)s
 
 # There is no sensible generic defaults for syslog log targets, thus
-# leaving them empty here so that no errors while parsing/interpollatin configs
+# leaving them empty here so that no errors while parsing/interpolating configs
 syslog_daemon =
 syslog_ftp =
 syslog_local0 =

From 7e902a1320137afb56246185d168866c6f947a8b Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 11 Aug 2014 12:44:46 -0400
Subject: [PATCH 32/82] 1.5 version of Fail2ban logwatch file

as copied from Debian package 7.4.0+svn20131108rev175-1
---
 3rdparty/logwatch/fail2ban | 181 +++++++++++++++++++++++++++++++++++++
 1 file changed, 181 insertions(+)
 create mode 100755 3rdparty/logwatch/fail2ban

diff --git a/3rdparty/logwatch/fail2ban b/3rdparty/logwatch/fail2ban
new file mode 100755
index 00000000..087eb529
--- /dev/null
+++ b/3rdparty/logwatch/fail2ban
@@ -0,0 +1,181 @@
+#!/usr/bin/perl
+##########################################################################
+# $Id: fail2ban 150 2013-06-18 22:19:38Z mtremaine $
+##########################################################################
+# $Log: fail2ban,v $
+# Revision 1.5  2008/08/18 16:07:46  mike
+# Patches from Paul Gear <paul at libertysys.com> -mgt
+#
+# Revision 1.4  2008/06/30 23:07:51  kirk
+# fixed copyright holders for files where I know who they should be
+#
+# Revision 1.3  2008/03/24 23:31:26  kirk
+# added copyright/license notice to each script
+#
+# Revision 1.2  2006/12/15 04:53:59  bjorn
+# Additional filtering, by Willi Mann.
+#
+# Revision 1.1  2006/05/30 19:04:26  bjorn
+# Added fail2ban service, written by Yaroslav Halchenko.
+#
+# Written by Yaroslav Halchenko <debian@onerussian.com> for fail2ban
+#
+##########################################################################
+
+########################################################
+## Copyright (c) 2008  Yaroslav Halchenko
+## Covered under the included MIT/X-Consortium License:
+##    http://www.opensource.org/licenses/mit-license.php
+## All modifications and contributions by other persons to
+## this script are assumed to have been donated to the
+## Logwatch project and thus assume the above copyright
+## and licensing terms.  If you want to make contributions
+## under your own copyright or a different license this
+## must be explicitly stated in the contribution an the
+## Logwatch project reserves the right to not accept such
+## contributions.  If you have made significant
+## contributions to this script and want to claim
+## copyright please contact logwatch-devel@lists.sourceforge.net.
+#########################################################
+
+use strict;
+use Logwatch ':all';
+
+my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
+my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
+my $IgnoreHost = $ENV{'sshd_ignore_host'} || "";
+my $DebugCounter = 0;
+my $ReInitializations = 0;
+my @IptablesErrors = ();
+my @ActionErrors = ();
+my $NotValidIP = 0;		# reported invalid IPs number
+my @OtherList = ();
+
+my %ServicesBans = ();
+
+if ( $Debug >= 5 ) {
+	print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
+	$DebugCounter = 1;
+}
+
+while (defined(my $ThisLine = <STDIN>)) {
+    if ( $Debug >= 5 ) {
+	print STDERR "DEBUG($DebugCounter): $ThisLine";
+	$DebugCounter++;
+    }
+    chomp($ThisLine);
+    if ( ($ThisLine =~ /..,... DEBUG: /) or
+	 ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
+	 ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
+	 ($ThisLine =~ /INFO\s+Log rotation detected for/) or
+	 ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller)/) or
+	 ($ThisLine =~ /INFO\s+Changed logging target to/) or
+	 ($ThisLine =~ /INFO\s+Creating new jail/) or
+	 ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
+	 ($ThisLine =~ /..,... WARNING: Verbose level is /) or
+	 ($ThisLine =~ /..,... WARNING: Restoring firewall rules/)
+       )
+    {
+	if ( $Debug >= 6 ) {
+	    print STDERR "DEBUG($DebugCounter): line ignored\n";
+	}
+    } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/WARNING:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
+	if ( $Debug >= 6 ) {
+	    print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
+	}
+	$ServicesBans{$Service}{$Host}{$Action}++;
+	$ServicesBans{$Service}{"(all)"}{$Action}++;
+    } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
+	if ($Debug >= 4) {
+	    print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
+	}
+	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
+   	 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/WARNING\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
+       $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
+	    $ServicesBans{$Service}{$Host}{'ReBan'}++;
+    } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
+	    push @IptablesErrors, "$ThisLine\n";
+    } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
+       push @ActionErrors, "$ThisLine\n";
+    } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
+	    ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
+	    $ReInitializations++;
+    } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
+	# just ignore - this will be fixed within fail2ban and is harmless warning
+    }
+    else
+    {
+	# Report any unmatched entries...
+	push @OtherList, "$ThisLine\n";
+    }
+}
+
+###########################################################
+
+
+if (keys %ServicesBans) {
+    printf("\nBanned services with Fail2Ban:				 Bans:Unbans\n");
+    foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
+	printf("   %-55s [%3d:%-3d]\n", "$service:",
+	       $ServicesBans{$service}{'(all)'}{'Ban'},
+	       $ServicesBans{$service}{'(all)'}{'Unban'});
+	delete $ServicesBans{$service}{'(all)'};
+	my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
+	if ($Detail >= 5) {
+	    foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
+		   my $name = LookupIP($ip);
+		   printf("      %-53s %3d:%-3d\n",
+		       $name,
+		       $ServicesBans{$service}{$ip}{'Ban'},
+		       $ServicesBans{$service}{$ip}{'Unban'});
+		   if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
+		      print "	   Failed ";
+		      foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
+			      print " $fails";
+		      }
+		    print " times";
+		    printf("\n	   %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
+		    printf("\n	   %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
+		    print "\n";
+		   }
+	    }
+	   }
+    }
+}
+
+
+if ($Detail>0) {
+    if ($#IptablesErrors > 0) {
+	   printf("\n%d faulty iptables invocation(s)", $#IptablesErrors);
+	   if ($Detail > 5) {
+	    print ":\n";
+	    print @IptablesErrors ;
+	   }
+    }
+    if ($#ActionErrors > 0) {
+       printf("\n%d error(s) returned from actions", $#ActionErrors);
+       if ($Detail > 5) {
+           print ":\n";
+           print @ActionErrors ;
+       }
+    }
+    if ($ReInitializations > 0) {
+	   printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
+    }
+    if ($#OtherList >= 0) {
+	   print "\n**Unmatched Entries**\n";
+	   print @OtherList;
+    }
+}
+
+exit(0);
+
+# vi: shiftwidth=3 tabstop=3 syntax=perl et
+# Local Variables:
+# mode: perl
+# perl-indent-level: 3
+# indent-tabs-mode: nil
+# End:

From b0f26fa391ad2582804fd2b70689b8bb0bcdba3c Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Mon, 11 Aug 2014 12:45:50 -0400
Subject: [PATCH 33/82] Adjusting fail2ban logwatch script to match lines from
 0.9 as well

File itself includes additional log information about changes
---
 3rdparty/logwatch/fail2ban | 86 ++++++++++++++++++++++++--------------
 1 file changed, 54 insertions(+), 32 deletions(-)

diff --git a/3rdparty/logwatch/fail2ban b/3rdparty/logwatch/fail2ban
index 087eb529..46dd11b5 100755
--- a/3rdparty/logwatch/fail2ban
+++ b/3rdparty/logwatch/fail2ban
@@ -3,6 +3,12 @@
 # $Id: fail2ban 150 2013-06-18 22:19:38Z mtremaine $
 ##########################################################################
 # $Log: fail2ban,v $
+#
+# Revision 1.6  2014/08/11 16:07:46  yoh
+# Patches from Yaroslav Halchenko to match adjusted in 0.9.x lines.
+# Also reports now total number of hits (matches) along with Ban:Unban
+# and relaxed regular expressions for matching any log level
+#
 # Revision 1.5  2008/08/18 16:07:46  mike
 # Patches from Paul Gear <paul at libertysys.com> -mgt
 #
@@ -46,8 +52,8 @@ my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
 my $IgnoreHost = $ENV{'sshd_ignore_host'} || "";
 my $DebugCounter = 0;
 my $ReInitializations = 0;
-my @IptablesErrors = ();
-my @ActionErrors = ();
+my @ActionsErrors = ();
+my @CommandsErrors = ();
 my $NotValidIP = 0;		# reported invalid IPs number
 my @OtherList = ();
 
@@ -66,40 +72,55 @@ while (defined(my $ThisLine = <STDIN>)) {
     chomp($ThisLine);
     if ( ($ThisLine =~ /..,... DEBUG: /) or
 	 ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
-	 ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
-	 ($ThisLine =~ /INFO\s+Log rotation detected for/) or
-	 ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller)/) or
-	 ($ThisLine =~ /INFO\s+Changed logging target to/) or
-	 ($ThisLine =~ /INFO\s+Creating new jail/) or
+	 ($ThisLine =~ /..,... \S+: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
+	 ($ThisLine =~ /\S+\s+rollover performed on/) or
+	 ($ThisLine =~ /\S+\s+Connected to .* persistent database/) or
+	 ($ThisLine =~ /\S+\s+Jail '.*' uses .*/) or
+	 ($ThisLine =~ /\S+\s+Initiated '.*' backend/) or
+	 ($ThisLine =~ /\S+\s+Jail .* is not a JournalFilter instance/) or
+	 ($ThisLine =~ /\S+\s+Log rotation detected for/) or
+	 ($ThisLine =~ /\S+\s+Jail.+(?:stopped|started|uses poller)/) or
+	 ($ThisLine =~ /\S+\s+Changed logging target to/) or
+	 ($ThisLine =~ /\S+\s+Creating new jail/) or
 	 ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
-	 ($ThisLine =~ /..,... WARNING: Verbose level is /) or
-	 ($ThisLine =~ /..,... WARNING: Restoring firewall rules/)
+	 ($ThisLine =~ /..,... \S+: Verbose level is /) or
+	 ($ThisLine =~ /..,... \S+: Restoring firewall rules/)
        )
     {
 	if ( $Debug >= 6 ) {
 	    print STDERR "DEBUG($DebugCounter): line ignored\n";
 	}
-    } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/WARNING:?\s\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
+    } elsif ( my ($LogLevel,$Service,$Action,$Host) = ($ThisLine =~ m/(WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
 	if ( $Debug >= 6 ) {
 	    print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
 	}
 	$ServicesBans{$Service}{$Host}{$Action}++;
 	$ServicesBans{$Service}{"(all)"}{$Action}++;
-    } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
+    } elsif ( my ($LogLevel,$Service,$Host) = ($ThisLine =~ m/(INFO|WARNING|NOTICE):?\s+\[?(.*?)[]:]?\sFound[^\.]* (\S+)/)) {
+	if ( $Debug >= 6 ) {
+	    print STDERR "DEBUG($DebugCounter): Found hit for $Service from $Host\n";
+	}
+	$ServicesBans{$Service}{$Host}{"Hit"}++;
+	$ServicesBans{$Service}{"(all)"}{"Hit"}++;
+    } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/\S+:\s+(\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
 	if ($Debug >= 4) {
 	    print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
 	}
 	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
-   	 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/WARNING\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\s(\S+)\salready in ban list/)) {
+	 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/\S+\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
        $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\sReBan (\S+)/)) {
 	    $ServicesBans{$Service}{$Host}{'ReBan'}++;
     } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
-	    push @IptablesErrors, "$ThisLine\n";
+	    push @ActionsErrors, "$ThisLine\n";
+    } elsif ($ThisLine =~ / ERROR\s*Failed to execute.*action/) {
+	    push @ActionsErrors, "$ThisLine\n";
+    } elsif ($ThisLine =~ / WARNING Command \[.*\] has failed. Received/) {
+	    push @CommandsErrors, "$ThisLine\n";
     } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
-       push @ActionErrors, "$ThisLine\n";
+	    push @ActionsErrors, "$ThisLine\n";
     } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
 	    ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
 	    $ReInitializations++;
@@ -117,20 +138,22 @@ while (defined(my $ThisLine = <STDIN>)) {
 
 
 if (keys %ServicesBans) {
-    printf("\nBanned services with Fail2Ban:				 Bans:Unbans\n");
+    printf("\nBanned services with Fail2Ban:				 Bans:Unbans:Hits\n");
     foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
-	printf("   %-55s [%3d:%-3d]\n", "$service:",
+	printf("   %-55s [%3d:%d:%-3d]\n", "$service:",
 	       $ServicesBans{$service}{'(all)'}{'Ban'},
-	       $ServicesBans{$service}{'(all)'}{'Unban'});
+	       $ServicesBans{$service}{'(all)'}{'Unban'},
+	       $ServicesBans{$service}{'(all)'}{'Hit'});
 	delete $ServicesBans{$service}{'(all)'};
 	my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
 	if ($Detail >= 5) {
 	    foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
 		   my $name = LookupIP($ip);
-		   printf("      %-53s %3d:%-3d\n",
+		   printf("      %-53s %3d:%d:%-3d\n",
 		       $name,
 		       $ServicesBans{$service}{$ip}{'Ban'},
-		       $ServicesBans{$service}{$ip}{'Unban'});
+		       $ServicesBans{$service}{$ip}{'Unban'},
+		       $ServicesBans{$service}{$ip}{'Hit'});
 		   if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
 		      print "	   Failed ";
 		      foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
@@ -146,21 +169,20 @@ if (keys %ServicesBans) {
     }
 }
 
-
 if ($Detail>0) {
-    if ($#IptablesErrors > 0) {
-	   printf("\n%d faulty iptables invocation(s)", $#IptablesErrors);
+    if ($#ActionsErrors >= 0) {
+	   printf("\n%d faulty action invocation(s)", $#ActionsErrors+1);
 	   if ($Detail > 5) {
 	    print ":\n";
-	    print @IptablesErrors ;
+	    print @ActionsErrors ;
 	   }
     }
-    if ($#ActionErrors > 0) {
-       printf("\n%d error(s) returned from actions", $#ActionErrors);
-       if ($Detail > 5) {
-           print ":\n";
-           print @ActionErrors ;
-       }
+    if ($#CommandsErrors >= 0) {
+	   printf("\n%d faulty command invocation(s) from client(s)", $#CommandsErrors+1);
+	   if ($Detail > 5) {
+	    print ":\n";
+	    print @CommandsErrors ;
+	   }
     }
     if ($ReInitializations > 0) {
 	   printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);

From 763115b1eb5009189819c57dbe97e127f93f4656 Mon Sep 17 00:00:00 2001
From: Luc Maisonobe <luc@spaceroots.org>
Date: Mon, 11 Aug 2014 21:54:27 +0200
Subject: [PATCH 34/82] added systemd configuration for postfix-sasl.conf

---
 config/filter.d/postfix-sasl.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/filter.d/postfix-sasl.conf b/config/filter.d/postfix-sasl.conf
index d232f86e..c5f8e3bc 100644
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@@ -11,4 +11,9 @@ _daemon = postfix/smtpd
 
 failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
 
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+
 # Author: Yaroslav Halchenko

From 3576c509f548c2d65cebea8398eef412a948a8c2 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue, 12 Aug 2014 11:08:39 -0400
Subject: [PATCH 35/82] changelog entry for postfix-sasl fix

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index 8283be40..037a844a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -47,6 +47,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
      Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
      Debian bug #755173
+   * postfix-sasl -- added journalmatch.  Thanks Luc Maisonobe
 
 - New features:
    - Added

From b2a1032f5738575f1c368360ba93fc7da5991225 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue, 12 Aug 2014 11:31:42 -0400
Subject: [PATCH 36/82] ENH/BF(TST): making permissions restrictive is not
 sufficient -- really remove file to test

---
 fail2ban/tests/filtertestcase.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
index c02e8616..1fa3116e 100644
--- a/fail2ban/tests/filtertestcase.py
+++ b/fail2ban/tests/filtertestcase.py
@@ -24,6 +24,7 @@ __license__ = "GPL"
 
 from __builtin__ import open as fopen
 import unittest
+import getpass
 import os
 import sys
 import time
@@ -349,10 +350,20 @@ class LogFileMonitor(LogCaptureTestCase):
 		# shorter wait time for not modified status
 		return not self.isModified(0.4)
 
-	def testNoLogFile(self):
+	def testUnaccessibleLogFile(self):
 		os.chmod(self.name, 0)
 		self.filter.getFailures(self.name)
-		self.assertTrue(self._is_logged('Unable to open %s' % self.name))
+		failure_was_logged = self._is_logged('Unable to open %s' % self.name)
+		is_root = getpass.getuser() == 'root'
+		# If ran as root, those restrictive permissions would not
+		# forbid log to be read.
+		self.assertTrue(failure_was_logged != is_root)
+
+	def testNoLogFile(self):
+		_killfile(self.file, self.name)
+		self.filter.getFailures(self.name)
+		failure_was_logged = self._is_logged('Unable to open %s' % self.name)
+		self.assertTrue(failure_was_logged)
 
 	def testRemovingFailRegex(self):
 		self.filter.delFailRegex(0)

From f756278fe511305869b91ed5947df72d1ad6b29b Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue, 12 Aug 2014 11:53:54 -0400
Subject: [PATCH 37/82] ENH: just a bit more descriptive exception ;-)

---
 fail2ban/tests/servertestcase.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index fd2a22cc..062284f7 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -804,7 +804,7 @@ class RegexTests(unittest.TestCase):
 
 class _BadThread(JailThread):
 	def run(self):
-		int("cat")
+		int("ignore this exception -- raised for testing")
 
 class LoggingTests(LogCaptureTestCase):
 

From 93243e7d578a382f41af9a6b418571b15d5a3a2b Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue, 12 Aug 2014 11:57:07 -0400
Subject: [PATCH 38/82] ENH: Ignore errors while unbaning in symbiosis firewall

Fail2Ban at times "interfers" with the firewall reflashing thus leading
to the sporadic errors.  IMHO should be safe to ignore
---
 config/action.d/symbiosis-blacklist-allports.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/action.d/symbiosis-blacklist-allports.conf b/config/action.d/symbiosis-blacklist-allports.conf
index c3ce44b0..c4979302 100644
--- a/config/action.d/symbiosis-blacklist-allports.conf
+++ b/config/action.d/symbiosis-blacklist-allports.conf
@@ -36,7 +36,7 @@ actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
 # Values:  CMD
 #
 actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
-              iptables -D <chain> -s <ip> -j <blocktype>
+              iptables -D <chain> -s <ip> -j <blocktype> || :
 
 [Init]
 

From 3bd36ba40a67542a7201e86c8602927a23c7ee69 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 13 Aug 2014 23:15:31 -0400
Subject: [PATCH 39/82] Sample logfiles to test logwatch services script

---
 3rdparty/logwatch/fail2ban-0.8.log |  2 ++
 3rdparty/logwatch/fail2ban-0.9.log | 52 ++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 3rdparty/logwatch/fail2ban-0.8.log
 create mode 100644 3rdparty/logwatch/fail2ban-0.9.log

diff --git a/3rdparty/logwatch/fail2ban-0.8.log b/3rdparty/logwatch/fail2ban-0.8.log
new file mode 100644
index 00000000..f9d5f3d5
--- /dev/null
+++ b/3rdparty/logwatch/fail2ban-0.8.log
@@ -0,0 +1,2 @@
+2014-08-04 03:06:26,161 fail2ban.actions[4822]: WARNING [apache-badbots] Ban 37.152.91.34
+2014-08-05 03:06:26,448 fail2ban.actions[4822]: WARNING [apache-badbots] Unban 37.152.91.34
diff --git a/3rdparty/logwatch/fail2ban-0.9.log b/3rdparty/logwatch/fail2ban-0.9.log
new file mode 100644
index 00000000..ad996a1c
--- /dev/null
+++ b/3rdparty/logwatch/fail2ban-0.9.log
@@ -0,0 +1,52 @@
+2014-08-08 14:59:35,013 fail2ban.server.server[31122]: INFO    Exiting Fail2ban
+2014-08-08 14:59:36,041 fail2ban.server.server[21667]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
+2014-08-08 14:59:36,043 fail2ban.server.database[21667]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
+2014-08-08 14:59:36,072 fail2ban.server.jail[21667]: INFO    Creating new jail 'exim'
+2014-08-08 14:59:36,137 fail2ban.server.jail[21667]: INFO    Jail 'exim' uses pyinotify
+2014-08-08 14:59:36,172 fail2ban.server.filter[21667]: INFO    Set jail log file encoding to UTF-8
+2014-08-08 14:59:36,172 fail2ban.server.jail[21667]: INFO    Initiated 'pyinotify' backend
+2014-08-08 14:59:36,233 fail2ban.server.filter[21667]: INFO    Added logfile = /var/log/exim4/mainlog
+2014-08-08 14:59:36,249 fail2ban.server.filter[21667]: INFO    Set maxRetry = 5
+2014-08-08 14:59:36,251 fail2ban.server.filter[21667]: INFO    Set jail log file encoding to UTF-8
+2014-08-08 14:59:36,252 fail2ban.server.actions[21667]: INFO    Set banTime = 600
+2014-08-08 14:59:36,254 fail2ban.server.filter[21667]: INFO    Set findtime = 600
+2014-08-08 14:59:36,284 fail2ban.server.jail[21667]: INFO    Creating new jail 'sshd'
+2014-08-08 14:59:36,284 fail2ban.server.jail[21667]: INFO    Jail 'sshd' uses pyinotify
+2014-08-08 14:59:36,286 fail2ban.server.filter[21667]: INFO    Set jail log file encoding to UTF-8
+2014-08-08 14:59:36,286 fail2ban.server.jail[21667]: INFO    Initiated 'pyinotify' backend
+2014-08-08 14:59:36,499 fail2ban.server.filter[21667]: INFO    Added logfile = /var/log/auth.log
+2014-08-08 14:59:36,510 fail2ban.server.filter[21667]: INFO    Set maxRetry = 5
+2014-08-08 14:59:36,512 fail2ban.server.filter[21667]: INFO    Set jail log file encoding to UTF-8
+2014-08-08 14:59:36,513 fail2ban.server.actions[21667]: INFO    Set banTime = 600
+2014-08-08 14:59:36,514 fail2ban.server.filter[21667]: INFO    Set findtime = 600
+2014-08-08 14:59:36,515 fail2ban.server.filter[21667]: INFO    Set maxlines = 10
+2014-08-08 14:59:36,788 fail2ban.server.server[21667]: INFO    Jail sshd is not a JournalFilter instance
+2014-08-08 14:59:36,798 fail2ban.server.jail[21667]: INFO    Jail 'exim' started
+2014-08-08 14:59:36,802 fail2ban.server.jail[21667]: INFO    Jail 'sshd' started
+2014-08-08 15:01:30,120 fail2ban.server.transmitter[21667]: WARNING Command ['status', 'ssh'] has failed. Received UnknownJailException('ssh',)
+2014-08-08 15:09:36,978 fail2ban.server.actions[21667]: NOTICE  [sshd] Unban 116.10.191.199
+2014-08-08 15:09:37,187 fail2ban.server.action[21667]: ERROR   rm -f /etc/symbiosis/firewall/blacklist.d/116.10.191.199.auto
+iptables -D INPUT -s 116.10.191.199 -j DROP -- stdout: ''
+2014-08-08 15:09:37,188 fail2ban.server.action[21667]: ERROR   rm -f /etc/symbiosis/firewall/blacklist.d/116.10.191.199.auto
+iptables -D INPUT -s 116.10.191.199 -j DROP -- stderr: 'iptables: Bad rule (does a matching rule exist in that chain?).\n'
+2014-08-08 15:09:37,188 fail2ban.server.action[21667]: ERROR   rm -f /etc/symbiosis/firewall/blacklist.d/116.10.191.199.auto
+iptables -D INPUT -s 116.10.191.199 -j DROP -- returned 1
+2014-08-08 15:09:37,188 fail2ban.server.actions[21667]: ERROR   Failed to execute unban jail 'sshd' action 'symbiosis-blacklist': Error unbanning 116.10.191.199
+2014-08-10 02:27:27,235 fail2ban.server.server[21667]: INFO    rollover performed on /var/log/fail2ban.log
+2014-08-10 02:27:28,109 fail2ban.server.filter[21667]: INFO    Log rotation detected for /var/log/exim4/mainlog
+2014-08-10 02:28:01,747 fail2ban.server.filter[21667]: INFO    Log rotation detected for /var/log/auth.log
+2014-08-10 02:33:29,500 fail2ban.server.filter[21667]: INFO    [sshd] Found 86.101.234.57
+2014-08-10 02:46:06,846 fail2ban.server.filter[21667]: INFO    [sshd] Found 220.130.163.247
+2014-08-10 03:10:43,794 fail2ban.server.filter[21667]: INFO    [sshd] Found 220.130.163.247
+2014-08-10 06:49:27,446 fail2ban.server.actions[21667]: NOTICE  [sshd] Ban 116.10.191.181
+2014-08-10 06:59:28,375 fail2ban.server.actions[21667]: NOTICE  [sshd] Unban 116.10.191.181
+2014-08-10 20:06:41,576 fail2ban.server.actions[21667]: NOTICE  [sshd] Unban 50.30.34.7
+2014-08-13 17:55:50,401 fail2ban.server.actions[17436]: NOTICE  [sshd] 144.0.0.25 already banned
+2014-08-10 20:06:41,785 fail2ban.server.action[21667]: ERROR   rm -f /etc/symbiosis/firewall/blacklist.d/50.30.34.7.auto
+iptables -D INPUT -s 50.30.34.7 -j DROP -- stdout: ''
+2014-08-10 20:06:41,785 fail2ban.server.action[21667]: ERROR   rm -f /etc/symbiosis/firewall/blacklist.d/50.30.34.7.auto
+iptables -D INPUT -s 50.30.34.7 -j DROP -- stderr: 'iptables: Bad rule (does a matching rule exist in that chain?).\n'
+2014-08-10 20:06:41,786 fail2ban.server.action[21667]: ERROR   rm -f /etc/symbiosis/firewall/blacklist.d/50.30.34.7.auto
+iptables -D INPUT -s 50.30.34.7 -j DROP -- returned 1
+2014-08-10 20:06:41,786 fail2ban.server.actions[21667]: ERROR   Failed to execute unban jail 'sshd' action 'symbiosis-blacklist': Error unbanning 50.30.34.7
+2014-08-11 02:27:35,433 fail2ban.server.filter[21667]: INFO    Log rotation detected for /var/log/exim4/mainlog

From 8b62353ab06369023f8e71bdc1d3228ad1f988f6 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 13 Aug 2014 23:24:38 -0400
Subject: [PATCH 40/82] BF: logwatch -- fixing up regex for 'already banned'

---
 3rdparty/logwatch/fail2ban | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/3rdparty/logwatch/fail2ban b/3rdparty/logwatch/fail2ban
index 46dd11b5..117c7521 100755
--- a/3rdparty/logwatch/fail2ban
+++ b/3rdparty/logwatch/fail2ban
@@ -108,11 +108,14 @@ while (defined(my $ThisLine = <STDIN>)) {
 	}
 	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
     } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\s(\S+)\salready in ban list/)) {
-	 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/\S+\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
-       $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+	$ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/\S+:?\s+\[?([^[]*?)[]:]?\s+(\S+)\salready banned/)) {
+	if ( $Debug >= 6 ) {
+	    print STDERR "DEBUG($DebugCounter): Found hit for already banned $Host against $Service\n";
+	}
+	$ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
     } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\sReBan (\S+)/)) {
-	    $ServicesBans{$Service}{$Host}{'ReBan'}++;
+	$ServicesBans{$Service}{$Host}{'ReBan'}++;
     } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
 	    push @ActionsErrors, "$ThisLine\n";
     } elsif ($ThisLine =~ / ERROR\s*Failed to execute.*action/) {

From decea64cf998d7252616625bfb8857f422cb46b8 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 13 Aug 2014 23:28:03 -0400
Subject: [PATCH 41/82] ENH: untabified and reindented entire script for sane
 formatting (no functional changes)

---
 3rdparty/logwatch/fail2ban | 222 ++++++++++++++++++-------------------
 1 file changed, 111 insertions(+), 111 deletions(-)

diff --git a/3rdparty/logwatch/fail2ban b/3rdparty/logwatch/fail2ban
index 117c7521..2b028d63 100755
--- a/3rdparty/logwatch/fail2ban
+++ b/3rdparty/logwatch/fail2ban
@@ -54,87 +54,87 @@ my $DebugCounter = 0;
 my $ReInitializations = 0;
 my @ActionsErrors = ();
 my @CommandsErrors = ();
-my $NotValidIP = 0;		# reported invalid IPs number
+my $NotValidIP = 0;             # reported invalid IPs number
 my @OtherList = ();
 
 my %ServicesBans = ();
 
 if ( $Debug >= 5 ) {
-	print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
-	$DebugCounter = 1;
+   print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
+   $DebugCounter = 1;
 }
 
 while (defined(my $ThisLine = <STDIN>)) {
-    if ( $Debug >= 5 ) {
-	print STDERR "DEBUG($DebugCounter): $ThisLine";
-	$DebugCounter++;
-    }
-    chomp($ThisLine);
-    if ( ($ThisLine =~ /..,... DEBUG: /) or
-	 ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
-	 ($ThisLine =~ /..,... \S+: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
-	 ($ThisLine =~ /\S+\s+rollover performed on/) or
-	 ($ThisLine =~ /\S+\s+Connected to .* persistent database/) or
-	 ($ThisLine =~ /\S+\s+Jail '.*' uses .*/) or
-	 ($ThisLine =~ /\S+\s+Initiated '.*' backend/) or
-	 ($ThisLine =~ /\S+\s+Jail .* is not a JournalFilter instance/) or
-	 ($ThisLine =~ /\S+\s+Log rotation detected for/) or
-	 ($ThisLine =~ /\S+\s+Jail.+(?:stopped|started|uses poller)/) or
-	 ($ThisLine =~ /\S+\s+Changed logging target to/) or
-	 ($ThisLine =~ /\S+\s+Creating new jail/) or
-	 ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
-	 ($ThisLine =~ /..,... \S+: Verbose level is /) or
-	 ($ThisLine =~ /..,... \S+: Restoring firewall rules/)
+   if ( $Debug >= 5 ) {
+      print STDERR "DEBUG($DebugCounter): $ThisLine";
+      $DebugCounter++;
+   }
+   chomp($ThisLine);
+   if ( ($ThisLine =~ /..,... DEBUG: /) or
+        ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
+        ($ThisLine =~ /..,... \S+: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
+        ($ThisLine =~ /\S+\s+rollover performed on/) or
+        ($ThisLine =~ /\S+\s+Connected to .* persistent database/) or
+        ($ThisLine =~ /\S+\s+Jail '.*' uses .*/) or
+        ($ThisLine =~ /\S+\s+Initiated '.*' backend/) or
+        ($ThisLine =~ /\S+\s+Jail .* is not a JournalFilter instance/) or
+        ($ThisLine =~ /\S+\s+Log rotation detected for/) or
+        ($ThisLine =~ /\S+\s+Jail.+(?:stopped|started|uses poller)/) or
+        ($ThisLine =~ /\S+\s+Changed logging target to/) or
+        ($ThisLine =~ /\S+\s+Creating new jail/) or
+        ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
+        ($ThisLine =~ /..,... \S+: Verbose level is /) or
+        ($ThisLine =~ /..,... \S+: Restoring firewall rules/)
        )
-    {
-	if ( $Debug >= 6 ) {
-	    print STDERR "DEBUG($DebugCounter): line ignored\n";
-	}
-    } elsif ( my ($LogLevel,$Service,$Action,$Host) = ($ThisLine =~ m/(WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
-	if ( $Debug >= 6 ) {
-	    print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
-	}
-	$ServicesBans{$Service}{$Host}{$Action}++;
-	$ServicesBans{$Service}{"(all)"}{$Action}++;
-    } elsif ( my ($LogLevel,$Service,$Host) = ($ThisLine =~ m/(INFO|WARNING|NOTICE):?\s+\[?(.*?)[]:]?\sFound[^\.]* (\S+)/)) {
-	if ( $Debug >= 6 ) {
-	    print STDERR "DEBUG($DebugCounter): Found hit for $Service from $Host\n";
-	}
-	$ServicesBans{$Service}{$Host}{"Hit"}++;
-	$ServicesBans{$Service}{"(all)"}{"Hit"}++;
-    } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/\S+:\s+(\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
-	if ($Debug >= 4) {
-	    print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
-	}
-	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\s(\S+)\salready in ban list/)) {
-	$ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/\S+:?\s+\[?([^[]*?)[]:]?\s+(\S+)\salready banned/)) {
-	if ( $Debug >= 6 ) {
-	    print STDERR "DEBUG($DebugCounter): Found hit for already banned $Host against $Service\n";
-	}
-	$ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
-    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\sReBan (\S+)/)) {
-	$ServicesBans{$Service}{$Host}{'ReBan'}++;
-    } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
-	    push @ActionsErrors, "$ThisLine\n";
-    } elsif ($ThisLine =~ / ERROR\s*Failed to execute.*action/) {
-	    push @ActionsErrors, "$ThisLine\n";
-    } elsif ($ThisLine =~ / WARNING Command \[.*\] has failed. Received/) {
-	    push @CommandsErrors, "$ThisLine\n";
-    } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
-	    push @ActionsErrors, "$ThisLine\n";
-    } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
-	    ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
-	    $ReInitializations++;
-    } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
-	# just ignore - this will be fixed within fail2ban and is harmless warning
-    }
-    else
-    {
-	# Report any unmatched entries...
-	push @OtherList, "$ThisLine\n";
-    }
+   {
+      if ( $Debug >= 6 ) {
+         print STDERR "DEBUG($DebugCounter): line ignored\n";
+      }
+   } elsif ( my ($LogLevel,$Service,$Action,$Host) = ($ThisLine =~ m/(WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
+      if ( $Debug >= 6 ) {
+         print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
+      }
+      $ServicesBans{$Service}{$Host}{$Action}++;
+      $ServicesBans{$Service}{"(all)"}{$Action}++;
+   } elsif ( my ($LogLevel,$Service,$Host) = ($ThisLine =~ m/(INFO|WARNING|NOTICE):?\s+\[?(.*?)[]:]?\sFound[^\.]* (\S+)/)) {
+      if ( $Debug >= 6 ) {
+         print STDERR "DEBUG($DebugCounter): Found hit for $Service from $Host\n";
+      }
+      $ServicesBans{$Service}{$Host}{"Hit"}++;
+      $ServicesBans{$Service}{"(all)"}{"Hit"}++;
+   } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/\S+:\s+(\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
+      if ($Debug >= 4) {
+         print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
+      }
+      push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
+   } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\s(\S+)\salready in ban list/)) {
+      $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+   } elsif ( my ($Service,$Host) = ($ThisLine =~ m/\S+:?\s+\[?([^[]*?)[]:]?\s+(\S+)\salready banned/)) {
+      if ( $Debug >= 6 ) {
+         print STDERR "DEBUG($DebugCounter): Found hit for already banned $Host against $Service\n";
+      }
+      $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+   } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ \S+:\s(.*):\sReBan (\S+)/)) {
+      $ServicesBans{$Service}{$Host}{'ReBan'}++;
+   } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
+      push @ActionsErrors, "$ThisLine\n";
+   } elsif ($ThisLine =~ / ERROR\s*Failed to execute.*action/) {
+      push @ActionsErrors, "$ThisLine\n";
+   } elsif ($ThisLine =~ / WARNING Command \[.*\] has failed. Received/) {
+      push @CommandsErrors, "$ThisLine\n";
+   } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
+      push @ActionsErrors, "$ThisLine\n";
+   } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
+            ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
+      $ReInitializations++;
+   } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
+      # just ignore - this will be fixed within fail2ban and is harmless warning
+   }
+   else
+   {
+      # Report any unmatched entries...
+      push @OtherList, "$ThisLine\n";
+   }
 }
 
 ###########################################################
@@ -143,56 +143,56 @@ while (defined(my $ThisLine = <STDIN>)) {
 if (keys %ServicesBans) {
     printf("\nBanned services with Fail2Ban:				 Bans:Unbans:Hits\n");
     foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
-	printf("   %-55s [%3d:%d:%-3d]\n", "$service:",
-	       $ServicesBans{$service}{'(all)'}{'Ban'},
-	       $ServicesBans{$service}{'(all)'}{'Unban'},
-	       $ServicesBans{$service}{'(all)'}{'Hit'});
-	delete $ServicesBans{$service}{'(all)'};
-	my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
-	if ($Detail >= 5) {
-	    foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
-		   my $name = LookupIP($ip);
-		   printf("      %-53s %3d:%d:%-3d\n",
-		       $name,
-		       $ServicesBans{$service}{$ip}{'Ban'},
-		       $ServicesBans{$service}{$ip}{'Unban'},
-		       $ServicesBans{$service}{$ip}{'Hit'});
-		   if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
-		      print "	   Failed ";
-		      foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
-			      print " $fails";
-		      }
-		    print " times";
-		    printf("\n	   %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
-		    printf("\n	   %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
-		    print "\n";
-		   }
-	    }
-	   }
+        printf("   %-55s [%3d:%d:%-3d]\n", "$service:",
+               $ServicesBans{$service}{'(all)'}{'Ban'},
+               $ServicesBans{$service}{'(all)'}{'Unban'},
+               $ServicesBans{$service}{'(all)'}{'Hit'});
+        delete $ServicesBans{$service}{'(all)'};
+        my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
+        if ($Detail >= 5) {
+            foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
+               my $name = LookupIP($ip);
+               printf("      %-53s %3d:%d:%-3d\n",
+                      $name,
+                      $ServicesBans{$service}{$ip}{'Ban'},
+                      $ServicesBans{$service}{$ip}{'Unban'},
+                      $ServicesBans{$service}{$ip}{'Hit'});
+               if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
+                  print "      Failed ";
+                  foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
+                     print " $fails";
+                  }
+                  print " times";
+                  printf("\n     %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
+                  printf("\n     %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
+                  print "\n";
+               }
+            }
+        }
     }
 }
 
 if ($Detail>0) {
     if ($#ActionsErrors >= 0) {
-	   printf("\n%d faulty action invocation(s)", $#ActionsErrors+1);
-	   if ($Detail > 5) {
-	    print ":\n";
-	    print @ActionsErrors ;
-	   }
+       printf("\n%d faulty action invocation(s)", $#ActionsErrors+1);
+       if ($Detail > 5) {
+          print ":\n";
+          print @ActionsErrors ;
+       }
     }
     if ($#CommandsErrors >= 0) {
-	   printf("\n%d faulty command invocation(s) from client(s)", $#CommandsErrors+1);
-	   if ($Detail > 5) {
-	    print ":\n";
-	    print @CommandsErrors ;
-	   }
+       printf("\n%d faulty command invocation(s) from client(s)", $#CommandsErrors+1);
+       if ($Detail > 5) {
+          print ":\n";
+          print @CommandsErrors ;
+       }
     }
     if ($ReInitializations > 0) {
-	   printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
+       printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
     }
     if ($#OtherList >= 0) {
-	   print "\n**Unmatched Entries**\n";
-	   print @OtherList;
+       print "\n**Unmatched Entries**\n";
+       print @OtherList;
     }
 }
 

From b1c04f5fa2b2ee2641588ecef005dd86105f7554 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Wed, 13 Aug 2014 23:37:17 -0400
Subject: [PATCH 42/82] ENH: print rebans stats even if no "Failures" are
 logged, and reduce indentation in output

---
 3rdparty/logwatch/fail2ban | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/3rdparty/logwatch/fail2ban b/3rdparty/logwatch/fail2ban
index 2b028d63..56ae070b 100755
--- a/3rdparty/logwatch/fail2ban
+++ b/3rdparty/logwatch/fail2ban
@@ -143,7 +143,7 @@ while (defined(my $ThisLine = <STDIN>)) {
 if (keys %ServicesBans) {
     printf("\nBanned services with Fail2Ban:				 Bans:Unbans:Hits\n");
     foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
-        printf("   %-55s [%3d:%d:%-3d]\n", "$service:",
+        printf("  %-55s [%3d:%d:%-3d]\n", "$service:",
                $ServicesBans{$service}{'(all)'}{'Ban'},
                $ServicesBans{$service}{'(all)'}{'Unban'},
                $ServicesBans{$service}{'(all)'}{'Hit'});
@@ -152,7 +152,7 @@ if (keys %ServicesBans) {
         if ($Detail >= 5) {
             foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
                my $name = LookupIP($ip);
-               printf("      %-53s %3d:%d:%-3d\n",
+               printf("    %-53s %3d:%d:%-3d\n",
                       $name,
                       $ServicesBans{$service}{$ip}{'Ban'},
                       $ServicesBans{$service}{$ip}{'Unban'},
@@ -162,10 +162,13 @@ if (keys %ServicesBans) {
                   foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
                      print " $fails";
                   }
-                  print " times";
-                  printf("\n     %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
-                  printf("\n     %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
-                  print "\n";
+                  print " times\n";
+               }
+               if ($ServicesBans{$service}{$ip}{'AlreadyInTheList'}>0) {
+                  printf("      %d Duplicate Ban attempt(s)\n", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
+               }
+               if ($ServicesBans{$service}{$ip}{'ReBan'}>0) {
+                  printf("      %d ReBan(s) due to rules reinitilizations\n", $ServicesBans{$service}{$ip}{'ReBan'}) ;
                }
             }
         }

From 544cfaff2c582945abb188e0e32e6ed249694fa3 Mon Sep 17 00:00:00 2001
From: Paul Traina <mail@gitcommit.st.pst.org>
Date: Sat, 6 Sep 2014 10:23:38 -0700
Subject: [PATCH 43/82] Add support for postfix/submission/smtpd matching.

---
 config/filter.d/postfix-sasl.conf | 2 +-
 config/filter.d/postfix.conf      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/postfix-sasl.conf b/config/filter.d/postfix-sasl.conf
index c5f8e3bc..52cff8c8 100644
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@@ -7,7 +7,7 @@ before = common.conf
 
 [Definition]
 
-_daemon = postfix/smtpd
+_daemon = postfix/(submission/)?smtpd
 
 failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
 
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index ff58c58c..9e34d9cc 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -10,7 +10,7 @@ before = common.conf
 
 [Definition]
 
-_daemon = postfix/smtpd
+_daemon = postfix/(submission/)?smtpd
 
 failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
             ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$

From 218ffe862e49d8b65a389b09ad60b649c6129d5a Mon Sep 17 00:00:00 2001
From: weberho <jweberhofer@weberhofer.at>
Date: Mon, 8 Sep 2014 10:23:07 +0200
Subject: [PATCH 44/82] fixed encoding

---
 config/filter.d/pure-ftpd.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf
index b6d36603..eb5f6167 100644
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@@ -16,6 +16,7 @@ _daemon = pure-ftpd
 
 # Error message specified in multiple languages
 __errmsg = (?:�ϥΪ�\[.*\]���ҥ���|ʹ����\[.*\]��֤ʧ��|\[.*\] kullan�c�s� i�in giri� hatal�|����������� �� ������� ������������ \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh�righetskontroll misslyckas f�r anv�ndare \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentica��o falhou para usu�rio \[.*\]|Autentyfikacja nie powiod�a si� dla u�ytkownika \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|\[.*\] ��� ���� ����|Autenticazione falita per l'utente \[.*\]|Azonos�t�s sikertelen \[.*\] felhaszn�l�nak|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Autentificaci�n fallida para el usuario \[.*\]|Authentication failed for user \[.*\]|Authentifizierung fehlgeschlagen f�r Benutzer \[.*\].|Godkendelse mislykkedes for \[.*\]|Autentifikace u�ivatele selhala \[.*\])
+__errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
 
 failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
 

From d2c086b18707aacd212ea9448f9d59ecc8ff7d94 Mon Sep 17 00:00:00 2001
From: weberho <jweberhofer@weberhofer.at>
Date: Mon, 8 Sep 2014 10:26:08 +0200
Subject: [PATCH 45/82] fixed encoding

---
 config/filter.d/pure-ftpd.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf
index eb5f6167..a1fcdbc2 100644
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@@ -15,7 +15,6 @@ before = common.conf
 _daemon = pure-ftpd
 
 # Error message specified in multiple languages
-__errmsg = (?:�ϥΪ�\[.*\]���ҥ���|ʹ����\[.*\]��֤ʧ��|\[.*\] kullan�c�s� i�in giri� hatal�|����������� �� ������� ������������ \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh�righetskontroll misslyckas f�r anv�ndare \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentica��o falhou para usu�rio \[.*\]|Autentyfikacja nie powiod�a si� dla u�ytkownika \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|\[.*\] ��� ���� ����|Autenticazione falita per l'utente \[.*\]|Azonos�t�s sikertelen \[.*\] felhaszn�l�nak|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Autentificaci�n fallida para el usuario \[.*\]|Authentication failed for user \[.*\]|Authentifizierung fehlgeschlagen f�r Benutzer \[.*\].|Godkendelse mislykkedes for \[.*\]|Autentifikace u�ivatele selhala \[.*\])
 __errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
 
 failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$

From 1864f75b3bc8e55e727e8b76d0978a954eb39864 Mon Sep 17 00:00:00 2001
From: Daniel Black <grooverdan@users.sourceforge.net>
Date: Mon, 8 Sep 2014 19:02:37 +1000
Subject: [PATCH 46/82] Credits and notes from #806

---
 ChangeLog                      | 1 +
 THANKS                         | 3 ++-
 config/filter.d/pure-ftpd.conf | 8 +++++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b6c52eef..6a9bf03f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
      provides defaults for the chain, port, protocol and name tags
 
 - Fixes:
+   * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
    * systemd backend error on bad utf-8 in python3
    * badips.py action error when logging HTTP error raised with badips request
    * fail2ban-regex failed to work in python3 due to space/tab mix
diff --git a/THANKS b/THANKS
index 38a71889..b9288d4d 100644
--- a/THANKS
+++ b/THANKS
@@ -44,10 +44,11 @@ Hank Leininger
 Hanno 'Rince' Wagner
 Helmut Grohne
 Iain Lea
+Ioan Indreias
 Ivo Truxa
 John Thoe
 Jacques Lav!gnotte
-Ioan Indreias
+Johannes Weberhofer
 Jason H Martin
 Jisoo Park
 Joel M Snyder
diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf
index a1fcdbc2..be3d0ae5 100644
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@@ -24,7 +24,13 @@ ignoreregex =
 # Author: Cyril Jaquier
 # Modified: Yaroslav Halchenko for pure-ftpd
 # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
+# UTF-8 editing and mechanism thanks to Johannes Weberhofer
 #
 # Only logs to syslog though facility can be changed configuration file/command line
 #
-# fgrep -r MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src
+# To get messages in the right encoding:
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages

From 249e169d8e36ae7b5b15164918304d7d04d831cf Mon Sep 17 00:00:00 2001
From: Paul Traina <mail@github.st.pst.org>
Date: Mon, 8 Sep 2014 11:53:51 -0700
Subject: [PATCH 47/82] Update test cases and also suport smtps per request.

---
 config/filter.d/postfix-sasl.conf      | 2 +-
 config/filter.d/postfix.conf           | 4 +++-
 fail2ban/tests/files/logs/postfix      | 6 ++++++
 fail2ban/tests/files/logs/postfix-sasl | 3 +++
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/postfix-sasl.conf b/config/filter.d/postfix-sasl.conf
index 52cff8c8..7e70a423 100644
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@@ -7,7 +7,7 @@ before = common.conf
 
 [Definition]
 
-_daemon = postfix/(submission/)?smtpd
+_daemon = postfix/(submission/)?smtp(d|s)
 
 failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
 
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index 9e34d9cc..1d7c63ac 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -10,11 +10,13 @@ before = common.conf
 
 [Definition]
 
-_daemon = postfix/(submission/)?smtpd
+_daemon = postfix/(submission/)?smtp(d|s)
 
 failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
             ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
             ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
+            ^%(__prefix_line)swarning: Connection concurrency limit exceeded: \d+ from \S+\[<HOST>\] for service.*$
+            ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\]$
             ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
 
 ignoreregex = 
diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix
index ccf2f8bc..9cb4fa79 100644
--- a/fail2ban/tests/files/logs/postfix
+++ b/fail2ban/tests/files/logs/postfix
@@ -20,3 +20,9 @@ Dec 25 02:35:54 platypus postfix/smtpd[9144]: improper command pipelining after
 
 # failJSON: { "time": "2004-12-18T02:05:46", "match": true , "host": "216.245.198.245" }
 Dec 18 02:05:46 platypus postfix/smtpd[16349]: improper command pipelining after NOOP from unknown[216.245.198.245]
+
+# failJSON: { "time": "2004-09-07T08:24:30", "match": true , "host": "83.110.98.15" }
+Sep  7 08:24:30 umkc postfix/smtpd[2282]: lost connection after AUTH from bba453913.alshamil.net.ae[83.110.98.15]
+
+# failJSON: { "time": "2004-09-05T12:45:53", "match": true , "host": "213.123.185.20" }
+Sep  5 12:45:53 umkc postfix/smtpd[20286]: warning: Connection concurrency limit exceeded: 6 from mail.baileysbodybuilders.co.uk[213.123.185.20] for service smtp
diff --git a/fail2ban/tests/files/logs/postfix-sasl b/fail2ban/tests/files/logs/postfix-sasl
index ca306098..697ac424 100644
--- a/fail2ban/tests/files/logs/postfix-sasl
+++ b/fail2ban/tests/files/logs/postfix-sasl
@@ -5,3 +5,6 @@ Dec  2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.n
 # failJSON: { "time": "2005-03-10T13:33:30", "match": true , "host": "1.1.1.1" }
 Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure
 
+#3 Example from postfix post-debian changes to rename to add "submission" to syslog name
+# failJSON: { "time": "2004-09-06T00:44:56", "match": true , "host": "82.221.106.233" }
+Sep  6 00:44:56 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

From c58c4de9bc05f6ee73fa3af0ea2942a917b990db Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sat, 13 Sep 2014 10:18:37 -0400
Subject: [PATCH 48/82] ENH: add empty ignoreregex to avoid a warning (Close
 #805)

---
 config/filter.d/postfix-sasl.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/filter.d/postfix-sasl.conf b/config/filter.d/postfix-sasl.conf
index c5f8e3bc..9cbcb324 100644
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@@ -11,6 +11,8 @@ _daemon = postfix/smtpd
 
 failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
 
+ignoreregex = 
+
 [Init]
 
 journalmatch = _SYSTEMD_UNIT=postfix.service

From 0e1f8f7f39e0a700e8ebc8cd103e5a7ade701682 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sat, 13 Sep 2014 10:25:27 -0400
Subject: [PATCH 49/82] RF: remove those two additional failregexes for the
 postfix

see comment
https://github.com/fail2ban/fail2ban/pull/804\#discussion_r17512426
---
 config/filter.d/postfix.conf      | 2 --
 fail2ban/tests/files/logs/postfix | 6 ------
 2 files changed, 8 deletions(-)

diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index 1d7c63ac..a7a05e47 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -15,8 +15,6 @@ _daemon = postfix/(submission/)?smtp(d|s)
 failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
             ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
             ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
-            ^%(__prefix_line)swarning: Connection concurrency limit exceeded: \d+ from \S+\[<HOST>\] for service.*$
-            ^%(__prefix_line)slost connection after AUTH from \S+\[<HOST>\]$
             ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
 
 ignoreregex = 
diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix
index 9cb4fa79..ccf2f8bc 100644
--- a/fail2ban/tests/files/logs/postfix
+++ b/fail2ban/tests/files/logs/postfix
@@ -20,9 +20,3 @@ Dec 25 02:35:54 platypus postfix/smtpd[9144]: improper command pipelining after
 
 # failJSON: { "time": "2004-12-18T02:05:46", "match": true , "host": "216.245.198.245" }
 Dec 18 02:05:46 platypus postfix/smtpd[16349]: improper command pipelining after NOOP from unknown[216.245.198.245]
-
-# failJSON: { "time": "2004-09-07T08:24:30", "match": true , "host": "83.110.98.15" }
-Sep  7 08:24:30 umkc postfix/smtpd[2282]: lost connection after AUTH from bba453913.alshamil.net.ae[83.110.98.15]
-
-# failJSON: { "time": "2004-09-05T12:45:53", "match": true , "host": "213.123.185.20" }
-Sep  5 12:45:53 umkc postfix/smtpd[20286]: warning: Connection concurrency limit exceeded: 6 from mail.baileysbodybuilders.co.uk[213.123.185.20] for service smtp

From 8f521b85516b2e51cd86878e89a1481b518cba8e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sat, 13 Sep 2014 10:27:37 -0400
Subject: [PATCH 50/82] DOC: Changelog and THANKS for  previous changes

---
 ChangeLog | 4 +++-
 THANKS    | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 6a9bf03f..0d2ffcc6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -48,7 +48,9 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
      Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
      Debian bug #755173
-   * postfix-sasl -- added journalmatch.  Thanks Luc Maisonobe
+   * postfix-sasl - added journalmatch.  Thanks Luc Maisonobe
+   * postfix* - match with a new daemon string (postfix/submission/smtpd).
+     Closes gh-804 .  Thanks Paul Traina
 
 - New features:
    - New filters:
diff --git a/THANKS b/THANKS
index b9288d4d..42887a05 100644
--- a/THANKS
+++ b/THANKS
@@ -81,6 +81,7 @@ Mika (mkl)
 Nick Munger
 onorua
 Paul Marrapese
+Paul Traina
 Noel Butler
 Patrick Börjesson
 Pressy

From caa851e5c8f432088f933399e92a166d08fa0278 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 14 Sep 2014 09:48:14 -0400
Subject: [PATCH 51/82] RF: moving logwatch setup/sample logs under
 files/logwatch

---
 {3rdparty => files}/logwatch/fail2ban         | 0
 {3rdparty => files}/logwatch/fail2ban-0.8.log | 0
 {3rdparty => files}/logwatch/fail2ban-0.9.log | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename {3rdparty => files}/logwatch/fail2ban (100%)
 rename {3rdparty => files}/logwatch/fail2ban-0.8.log (100%)
 rename {3rdparty => files}/logwatch/fail2ban-0.9.log (100%)

diff --git a/3rdparty/logwatch/fail2ban b/files/logwatch/fail2ban
similarity index 100%
rename from 3rdparty/logwatch/fail2ban
rename to files/logwatch/fail2ban
diff --git a/3rdparty/logwatch/fail2ban-0.8.log b/files/logwatch/fail2ban-0.8.log
similarity index 100%
rename from 3rdparty/logwatch/fail2ban-0.8.log
rename to files/logwatch/fail2ban-0.8.log
diff --git a/3rdparty/logwatch/fail2ban-0.9.log b/files/logwatch/fail2ban-0.9.log
similarity index 100%
rename from 3rdparty/logwatch/fail2ban-0.9.log
rename to files/logwatch/fail2ban-0.9.log

From 2c158fe16890b9e9f98a3428cc009f792618ba75 Mon Sep 17 00:00:00 2001
From: Nick Weeds <nick@nickweeds.me.uk>
Date: Sat, 13 Sep 2014 21:43:39 +0100
Subject: [PATCH 52/82] Add apache filter for AH01630 client denied by server
 configuration

---
 ChangeLog                             | 1 +
 config/filter.d/apache-auth.conf      | 2 +-
 fail2ban/tests/files/logs/apache-auth | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 0d2ffcc6..1a98c1a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -51,6 +51,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    * postfix-sasl - added journalmatch.  Thanks Luc Maisonobe
    * postfix* - match with a new daemon string (postfix/submission/smtpd).
      Closes gh-804 .  Thanks Paul Traina
+   * apache - added filter for AH01630 client denied by server configuration.
 
 - New features:
    - New filters:
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index f4213487..8a63858d 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -10,7 +10,7 @@ before = apache-common.conf
 [Definition]
 
 
-failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
+failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
             ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
             ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
             ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
diff --git a/fail2ban/tests/files/logs/apache-auth b/fail2ban/tests/files/logs/apache-auth
index a01d2c76..5b7b3c48 100644
--- a/fail2ban/tests/files/logs/apache-auth
+++ b/fail2ban/tests/files/logs/apache-auth
@@ -19,6 +19,9 @@
 # failJSON: { "time": "2013-07-20T21:34:49", "match": true , "host": "127.0.0.1" } 
 [Sat Jul 20 21:34:49.453232 2013] [access_compat:error] [pid 17512:tid 140123104306944] [client 127.0.0.1:51380] AH01797: client denied by server configuration: /var/www/html/noentry/cant_get_me.html
 
+# failJSON: { "time": "2014-09-14T21:44:43", "match": true , "host": "192.3.9.178" } 
+[Sun Sep 14 21:44:43.008606 2014] [authz_core:error] [pid 10691] [client 192.3.9.178:44271] AH01630: client denied by server configuration: /var/www/html/noentry/cant_get_me.html
+
 # wget --http-user='' --http-password='' http://localhost/basic/file/cant_get_me.html -O /dev/null
 # failJSON: { "time": "2013-07-17T23:14:37", "match": true , "host": "127.0.0.1" }
 [Wed Jul 17 23:14:37 2013] [error] [client 127.0.0.1] user  not found: /basic/anon/cant_get_me.html

From 4f636eb0e3295ee1e8a35f1398926e95ab8b39ba Mon Sep 17 00:00:00 2001
From: SlowRiot <slowriot@voxelstorm.com>
Date: Fri, 26 Sep 2014 16:25:07 +0100
Subject: [PATCH 53/82] adding filter to detect Shellshock attack attempts
 against bash scripts through apache.  See
 http://seclists.org/oss-sec/2014/q3/650

---
 config/filter.d/apache-shellshock.conf | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 config/filter.d/apache-shellshock.conf

diff --git a/config/filter.d/apache-shellshock.conf b/config/filter.d/apache-shellshock.conf
new file mode 100644
index 00000000..39df1704
--- /dev/null
+++ b/config/filter.d/apache-shellshock.conf
@@ -0,0 +1,26 @@
+# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
+#
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# example log lines: 
+# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
+# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
+#
+# Author: Eugene Hopkinson (riot@riot.so)

From fc5f729f01dfaa8aae21e7f7a9603caf2e6fa626 Mon Sep 17 00:00:00 2001
From: SlowRiot <slowriot@voxelstorm.com>
Date: Fri, 26 Sep 2014 16:37:50 +0100
Subject: [PATCH 54/82] adding jail conf for shellshock filter

---
 config/jail.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index c48e6a7b..99729350 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -283,6 +283,11 @@ port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 
+[apache-shellshock]
+
+port    = http,https
+logpath = $(apache_error_log)s
+maxretry = 1
 
 [nginx-http-auth]
 

From 7b5dc9f24f5624ebe6d42048b3e81920a214c7fe Mon Sep 17 00:00:00 2001
From: SlowRiot <slowriot@voxelstorm.com>
Date: Fri, 26 Sep 2014 18:48:56 +0100
Subject: [PATCH 55/82] adding test case, changelog and thanks entries for
 apache shellshock filter

---
 ChangeLog | 1 +
 THANKS    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 1a98c1a0..d92aec4a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -57,6 +57,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    - New filters:
      - monit  Thanks Jason H Martin
      - directadmin  Thanks niorg
+     - apache-shellshock  Thanks Eugene Hopkinson (SlowRiot)
    - New actions:
      - symbiosis-blacklist-allports  for Bytemark symbiosis firewall
    - fail2ban-client can fetch the running server version
diff --git a/THANKS b/THANKS
index 42887a05..0433f7ed 100644
--- a/THANKS
+++ b/THANKS
@@ -34,6 +34,7 @@ David Nutter
 Derek Atkins
 Eric Gerbier
 Enrico Labedzki
+Eugene Hopkinson (SlowRiot)
 ftoppi
 François Boulogne
 Frédéric

From 5d526bbeb15d484039c86ce655e42ce31b462714 Mon Sep 17 00:00:00 2001
From: SlowRiot <slowriot@voxelstorm.com>
Date: Mon, 29 Sep 2014 00:49:22 +0100
Subject: [PATCH 56/82] forgot to add test case to last commit

---
 fail2ban/tests/files/logs/apache-shellshock | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/apache-shellshock

diff --git a/fail2ban/tests/files/logs/apache-shellshock b/fail2ban/tests/files/logs/apache-shellshock
new file mode 100644
index 00000000..0acf4546
--- /dev/null
+++ b/fail2ban/tests/files/logs/apache-shellshock
@@ -0,0 +1,4 @@
+# failJSON: { "time": "2014-09-25T09:27:18", "match": true , "host": "89.207.132.76" }
+[Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
+# failJSON: { "time": "2014-09-25T09:29:56", "match": true , "host": "162.247.73.206" }
+[Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'

From 270ea363d35dd71fc2ca378e1606aaffe1863ec3 Mon Sep 17 00:00:00 2001
From: Daniel Schaal <farbing@web.de>
Date: Sun, 14 Sep 2014 08:38:39 +0200
Subject: [PATCH 57/82] tests: define CONFIG_DIR in utils.

---
 fail2ban/tests/action_d/test_badips.py | 6 +-----
 fail2ban/tests/action_d/test_smtp.py   | 5 +----
 fail2ban/tests/clientreadertestcase.py | 4 +++-
 fail2ban/tests/samplestestcase.py      | 6 +-----
 fail2ban/tests/utils.py                | 9 +++++++++
 5 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py
index 30e016ea..a7f148b1 100644
--- a/fail2ban/tests/action_d/test_badips.py
+++ b/fail2ban/tests/action_d/test_badips.py
@@ -22,11 +22,7 @@ import unittest
 import sys
 
 from ..dummyjail import DummyJail
-
-if os.path.exists('config/fail2ban.conf'):
-	CONFIG_DIR = "config"
-else:
-	CONFIG_DIR='/etc/fail2ban'
+from ..utils import CONFIG_DIR
 
 if sys.version_info >= (2,7):
 	class BadIPsActionTest(unittest.TestCase):
diff --git a/fail2ban/tests/action_d/test_smtp.py b/fail2ban/tests/action_d/test_smtp.py
index a8a8a1a9..440db55c 100644
--- a/fail2ban/tests/action_d/test_smtp.py
+++ b/fail2ban/tests/action_d/test_smtp.py
@@ -30,10 +30,7 @@ else:
 
 from ..dummyjail import DummyJail
 
-if os.path.exists('config/fail2ban.conf'):
-	CONFIG_DIR = "config"
-else:
-	CONFIG_DIR='/etc/fail2ban'
+from ..utils import CONFIG_DIR
 
 class TestSMTPServer(smtpd.SMTPServer):
 
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index ce19a50e..0ad3c66e 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -32,8 +32,10 @@ from ..client.configurator import Configurator
 from .utils import LogCaptureTestCase
 
 TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files")
+
+from .utils import CONFIG_DIR
+
 STOCK = os.path.exists(os.path.join('config','fail2ban.conf'))
-CONFIG_DIR='config' if STOCK else '/etc/fail2ban'
 
 IMPERFECT_CONFIG = os.path.join(os.path.dirname(__file__), 'config')
 
diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py
index 132ade7b..e0831184 100644
--- a/fail2ban/tests/samplestestcase.py
+++ b/fail2ban/tests/samplestestcase.py
@@ -32,13 +32,9 @@ else:
 
 from ..server.filter import Filter
 from ..client.filterreader import FilterReader
-from .utils import setUpMyTime, tearDownMyTime
+from .utils import setUpMyTime, tearDownMyTime, CONFIG_DIR
 
 TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files")
-if os.path.exists('config/fail2ban.conf'):
-	CONFIG_DIR = "config"
-else:
-	CONFIG_DIR='/etc/fail2ban'
 
 class FilterSamplesRegex(unittest.TestCase):
 
diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
index 0cb8d5b8..912c5a90 100644
--- a/fail2ban/tests/utils.py
+++ b/fail2ban/tests/utils.py
@@ -34,6 +34,15 @@ from ..helpers import getLogger
 
 logSys = getLogger(__name__)
 
+CONFIG_DIR = os.environ.get('FAIL2BAN_CONFIG_DIR', None)
+
+if not CONFIG_DIR:
+# Use heuristic to figure out where configuration files are
+	if os.path.exists(os.path.join('config','fail2ban.conf')):
+		CONFIG_DIR = 'config'
+	else:
+		CONFIG_DIR = '/etc/fail2ban'
+
 def mtimesleep():
 	# no sleep now should be necessary since polling tracks now not only
 	# mtime but also ino and size

From d00af327c54eb57991600e5d2c61b15eb31f4c18 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Thu, 2 Oct 2014 22:29:09 +0200
Subject: [PATCH 58/82] caching of read config files, to make start of fail2ban
 faster, see issue #820

---
 fail2ban/client/configparserinc.py     | 186 ++++++++++++++++++-------
 fail2ban/client/configreader.py        |  21 +--
 fail2ban/tests/clientreadertestcase.py |  16 ++-
 3 files changed, 158 insertions(+), 65 deletions(-)

diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
index 80b99517..ad0a255c 100644
--- a/fail2ban/client/configparserinc.py
+++ b/fail2ban/client/configparserinc.py
@@ -65,7 +65,136 @@ logSys = getLogger(__name__)
 
 __all__ = ['SafeConfigParserWithIncludes']
 
-class SafeConfigParserWithIncludes(SafeConfigParser):
+class SafeConfigParserWithIncludes(object):
+
+	SECTION_NAME = "INCLUDES"
+	CFG_CACHE = {}
+	CFG_INC_CACHE = {}
+	CFG_EMPY_CFG = None
+
+	def __init__(self):
+		self.__cr = None
+
+	def __check_read(self, attr):
+		if self.__cr is None:
+			# raise RuntimeError("Access to wrapped attribute \"%s\" before read call" % attr)
+			if SafeConfigParserWithIncludes.CFG_EMPY_CFG is None: 
+				SafeConfigParserWithIncludes.CFG_EMPY_CFG = _SafeConfigParserWithIncludes()
+			self.__cr = SafeConfigParserWithIncludes.CFG_EMPY_CFG
+
+	def __getattr__(self,attr):
+		# check we access local implementation
+		try:
+			orig_attr = self.__getattribute__(attr)
+		except AttributeError:
+			self.__check_read(attr)
+			orig_attr = self.__cr.__getattribute__(attr)
+		return orig_attr
+
+	@staticmethod
+	def _resource_mtime(resource):
+		mt = []
+		dirnames = []
+		for filename in resource:
+			if os.path.exists(filename):
+				s = os.stat(filename)
+				mt.append(s.st_mtime)
+				mt.append(s.st_mode)
+				mt.append(s.st_size)
+				dirname = os.path.dirname(filename)
+				if dirname not in dirnames:
+					dirnames.append(dirname)
+		for dirname in dirnames:
+			if os.path.exists(dirname):
+				s = os.stat(dirname)
+				mt.append(s.st_mtime)
+				mt.append(s.st_mode)
+				mt.append(s.st_size)
+		return mt
+
+	def read(self, resource, get_includes=True, log_info=None):
+		SCPWI = SafeConfigParserWithIncludes
+		# check includes :
+		fileNamesFull = []
+		if not isinstance(resource, list):
+			resource = [ resource ]
+		if get_includes:
+			for filename in resource:
+				fileNamesFull += SCPWI.getIncludes(filename)
+		else:
+			fileNamesFull = resource
+		# check cache
+		hashv = '///'.join(fileNamesFull)
+		cr, ret, mtime = SCPWI.CFG_CACHE.get(hashv, (None, False, 0))
+		curmt = SCPWI._resource_mtime(fileNamesFull)
+		if cr is not None and mtime == curmt:
+			self.__cr = cr
+			logSys.debug("Cached config files: %s", resource)
+			#logSys.debug("Cached config files: %s", fileNamesFull)
+			return ret
+		# not yet in cache - create/read and add to cache:
+		if log_info is not None:
+			logSys.info(*log_info)
+		cr = _SafeConfigParserWithIncludes()
+		ret = cr.read(fileNamesFull)
+		SCPWI.CFG_CACHE[hashv] = (cr, ret, curmt)
+		self.__cr = cr
+		return ret
+
+	def getOptions(self, *args, **kwargs):
+		self.__check_read('getOptions')
+		return self.__cr.getOptions(*args, **kwargs)
+
+	@staticmethod
+	def getIncludes(resource, seen = []):
+		"""
+		Given 1 config resource returns list of included files
+		(recursively) with the original one as well
+		Simple loops are taken care about
+		"""
+		
+		# Use a short class name ;)
+		SCPWI = SafeConfigParserWithIncludes
+
+		resources = seen + [resource]
+		# check cache
+		hashv = '///'.join(resources)
+		cinc, mtime = SCPWI.CFG_INC_CACHE.get(hashv, (None, 0))
+		curmt = SCPWI._resource_mtime(resources)
+		if cinc is not None and mtime == curmt:
+			return cinc
+		
+		parser = SCPWI()
+		try:
+			# read without includes
+			parser.read(resource, get_includes = False)
+		except UnicodeDecodeError, e:
+			logSys.error("Error decoding config file '%s': %s" % (resource, e))
+			return []
+		
+		resourceDir = os.path.dirname(resource)
+
+		newFiles = [ ('before', []), ('after', []) ]
+		if SCPWI.SECTION_NAME in parser.sections():
+			for option_name, option_list in newFiles:
+				if option_name in parser.options(SCPWI.SECTION_NAME):
+					newResources = parser.get(SCPWI.SECTION_NAME, option_name)
+					for newResource in newResources.split('\n'):
+						if os.path.isabs(newResource):
+							r = newResource
+						else:
+							r = os.path.join(resourceDir, newResource)
+						if r in seen:
+							continue
+						option_list += SCPWI.getIncludes(r, resources)
+		# combine lists
+		cinc = newFiles[0][1] + [resource] + newFiles[1][1]
+		# cache and return :
+		SCPWI.CFG_INC_CACHE[hashv] = (cinc, curmt)
+		return cinc
+		#print "Includes list for " + resource + " is " + `resources`
+
+class _SafeConfigParserWithIncludes(SafeConfigParser, object):
 	"""
 	Class adds functionality to SafeConfigParser to handle included
 	other configuration files (or may be urls, whatever in the future)
@@ -94,69 +223,22 @@ after = 1.conf
 
 	"""
 
-	SECTION_NAME = "INCLUDES"
-
 	if sys.version_info >= (3,2):
 		# overload constructor only for fancy new Python3's
 		def __init__(self, *args, **kwargs):
 			kwargs = kwargs.copy()
 			kwargs['interpolation'] = BasicInterpolationWithName()
 			kwargs['inline_comment_prefixes'] = ";"
-			super(SafeConfigParserWithIncludes, self).__init__(
+			super(_SafeConfigParserWithIncludes, self).__init__(
 				*args, **kwargs)
 
-	#@staticmethod
-	def getIncludes(resource, seen = []):
-		"""
-		Given 1 config resource returns list of included files
-		(recursively) with the original one as well
-		Simple loops are taken care about
-		"""
-		
-		# Use a short class name ;)
-		SCPWI = SafeConfigParserWithIncludes
-		
-		parser = SafeConfigParser()
-		try:
-			if sys.version_info >= (3,2): # pragma: no cover
-				parser.read(resource, encoding='utf-8')
-			else:
-				parser.read(resource)
-		except UnicodeDecodeError, e:
-			logSys.error("Error decoding config file '%s': %s" % (resource, e))
-			return []
-		
-		resourceDir = os.path.dirname(resource)
-
-		newFiles = [ ('before', []), ('after', []) ]
-		if SCPWI.SECTION_NAME in parser.sections():
-			for option_name, option_list in newFiles:
-				if option_name in parser.options(SCPWI.SECTION_NAME):
-					newResources = parser.get(SCPWI.SECTION_NAME, option_name)
-					for newResource in newResources.split('\n'):
-						if os.path.isabs(newResource):
-							r = newResource
-						else:
-							r = os.path.join(resourceDir, newResource)
-						if r in seen:
-							continue
-						s = seen + [resource]
-						option_list += SCPWI.getIncludes(r, s)
-		# combine lists
-		return newFiles[0][1] + [resource] + newFiles[1][1]
-		#print "Includes list for " + resource + " is " + `resources`
-	getIncludes = staticmethod(getIncludes)
-
 
 	def read(self, filenames):
-		fileNamesFull = []
 		if not isinstance(filenames, list):
 			filenames = [ filenames ]
-		for filename in filenames:
-			fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
-		logSys.debug("Reading files: %s" % fileNamesFull)
+		logSys.debug("Reading files: %s", filenames)
 		if sys.version_info >= (3,2): # pragma: no cover
-			return SafeConfigParser.read(self, fileNamesFull, encoding='utf-8')
+			return SafeConfigParser.read(self, filenames, encoding='utf-8')
 		else:
-			return SafeConfigParser.read(self, fileNamesFull)
+			return SafeConfigParser.read(self, filenames)
 
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index 22115d3a..ada48803 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -55,7 +55,7 @@ class ConfigReader(SafeConfigParserWithIncludes):
 			raise ValueError("Base configuration directory %s does not exist "
 							  % self._basedir)
 		basename = os.path.join(self._basedir, filename)
-		logSys.info("Reading configs for %s under %s "  % (basename, self._basedir))
+		logSys.debug("Reading configs for %s under %s " , filename, self._basedir)
 		config_files = [ basename + ".conf" ]
 
 		# possible further customizations under a .conf.d directory
@@ -71,14 +71,15 @@ class ConfigReader(SafeConfigParserWithIncludes):
 
 		if len(config_files):
 			# at least one config exists and accessible
-			logSys.debug("Reading config files: " + ', '.join(config_files))
-			config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
+			logSys.debug("Reading config files: %s", ', '.join(config_files))
+			config_files_read = SafeConfigParserWithIncludes.read(self, config_files,
+				log_info=("Cache configs for %s under %s " , filename, self._basedir))
 			missed = [ cf for cf in config_files if cf not in config_files_read ]
 			if missed:
-				logSys.error("Could not read config files: " + ', '.join(missed))
+				logSys.error("Could not read config files: %s", ', '.join(missed))
 			if config_files_read:
 				return True
-			logSys.error("Found no accessible config files for %r under %s" %
+			logSys.error("Found no accessible config files for %r under %s",
 						 ( filename, self.getBaseDir() ))
 			return False
 		else:
@@ -133,12 +134,12 @@ class ConfigReader(SafeConfigParserWithIncludes):
 
 class DefinitionInitConfigReader(ConfigReader):
 	"""Config reader for files with options grouped in [Definition] and
-       [Init] sections.
+			 [Init] sections.
 
-       Is a base class for readers of filters and actions, where definitions
-       in jails might provide custom values for options defined in [Init]
-       section.
-       """
+			 Is a base class for readers of filters and actions, where definitions
+			 in jails might provide custom values for options defined in [Init]
+			 section.
+			 """
 
 	_configOpts = []
 	
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index 0ad3c66e..b57a0562 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import os, glob, shutil, tempfile, unittest
+import os, glob, shutil, tempfile, unittest, time
 
 from ..client.configreader import ConfigReader
 from ..client.jailreader import JailReader
@@ -39,6 +39,8 @@ STOCK = os.path.exists(os.path.join('config','fail2ban.conf'))
 
 IMPERFECT_CONFIG = os.path.join(os.path.dirname(__file__), 'config')
 
+LAST_WRITE_TIME = 0
+
 class ConfigReaderTest(unittest.TestCase):
 
 	def setUp(self):
@@ -57,7 +59,8 @@ class ConfigReaderTest(unittest.TestCase):
 			d_ = os.path.join(self.d, d)
 			if not os.path.exists(d_):
 				os.makedirs(d_)
-		f = open("%s/%s" % (self.d, fname), "w")
+		fname = "%s/%s" % (self.d, fname)
+		f = open(fname, "w")
 		if value is not None:
 			f.write("""
 [section]
@@ -66,6 +69,14 @@ option = %s
 		if content is not None:
 			f.write(content)
 		f.close()
+		# set modification time to another second to revalidate cache (if milliseconds not supported) :
+		global LAST_WRITE_TIME
+		mtime = os.path.getmtime(fname)
+		if LAST_WRITE_TIME == mtime:
+			mtime += 1
+			os.utime(fname, (mtime, mtime))
+		LAST_WRITE_TIME = mtime
+		
 
 	def _remove(self, fname):
 		os.unlink("%s/%s" % (self.d, fname))
@@ -91,7 +102,6 @@ option = %s
 			# raise unittest.SkipTest("Skipping on %s -- access rights are not enforced" % platform)
 			pass
 
-
 	def testOptionalDotDDir(self):
 		self.assertFalse(self.c.read('c'))	# nothing is there yet
 		self._write("c.conf", "1")

From af4b48e841f6f2a6754c891f391e419c998819d5 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Tue, 7 Oct 2014 14:07:50 +0200
Subject: [PATCH 59/82] test case for check the read of config files will be
 cached;

---
 fail2ban/tests/clientreadertestcase.py | 32 +++++++++++++++++++++++++-
 fail2ban/tests/utils.py                |  4 ++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index b57a0562..68de2e8b 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import os, glob, shutil, tempfile, unittest, time
+import os, glob, shutil, tempfile, unittest, time, re
 
 from ..client.configreader import ConfigReader
 from ..client.jailreader import JailReader
@@ -345,6 +345,36 @@ class FilterReaderTest(unittest.TestCase):
 		self.assertRaises(ValueError, FilterReader.convert, filterReader)
 
 
+class JailsReaderTestCache(LogCaptureTestCase):
+
+	def testTestJailConfCache(self):
+		basedir = tempfile.mkdtemp("fail2ban_conf")
+		try:
+			shutil.rmtree(basedir)
+			shutil.copytree(CONFIG_DIR, basedir)
+			shutil.copy(CONFIG_DIR + '/jail.conf', basedir + '/jail.local')
+			shutil.copy(CONFIG_DIR + '/fail2ban.conf', basedir + '/fail2ban.local')
+
+			# read whole configuration like a file2ban-client ...
+			configurator = Configurator()
+			configurator.setBaseDir(basedir)
+			configurator.readEarly()
+			configurator.getEarlyOptions()
+			configurator.readAll()
+			# from here we test a cache :
+			self.assertTrue(configurator.getOptions(None))
+			cnt = 0
+			for s in self.getLog().rsplit('\n'):
+				if re.match(r"^Reading files: .*jail.local", s):
+					cnt += 1
+			# if cnt > 2:
+			# 	self.printLog()
+			self.assertFalse(cnt > 2, "Too many times reading of config files, cnt = %s" % cnt)
+			self.assertFalse(cnt <= 0)
+		finally:
+			shutil.rmtree(basedir)
+
+
 class JailsReaderTest(LogCaptureTestCase):
 
 	def testProvidingBadBasedir(self):
diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
index 912c5a90..ad504703 100644
--- a/fail2ban/tests/utils.py
+++ b/fail2ban/tests/utils.py
@@ -111,6 +111,7 @@ def gatherTests(regexps=None, no_network=False):
 	tests.addTest(unittest.makeSuite(clientreadertestcase.JailReaderTest))
 	tests.addTest(unittest.makeSuite(clientreadertestcase.FilterReaderTest))
 	tests.addTest(unittest.makeSuite(clientreadertestcase.JailsReaderTest))
+	tests.addTest(unittest.makeSuite(clientreadertestcase.JailsReaderTestCache))
 	# CSocket and AsyncServer
 	tests.addTest(unittest.makeSuite(sockettestcase.Socket))
 	# Misc helpers
@@ -216,5 +217,8 @@ class LogCaptureTestCase(unittest.TestCase):
 	def _is_logged(self, s):
 		return s in self._log.getvalue()
 
+	def getLog(self):
+		return self._log.getvalue()
+
 	def printLog(self):
 		print(self._log.getvalue())

From 2a54e612382609495b50579c2a75cfb8999aaa8e Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Wed, 8 Oct 2014 15:44:32 +0200
Subject: [PATCH 60/82] config cache optimized - prevent to read the same
 config file inside different resources multiple times; test case: read jail
 file only once;

---
 fail2ban/client/configparserinc.py     | 40 ++++++++++++++++++++++++--
 fail2ban/tests/clientreadertestcase.py |  6 ++--
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
index ad0a255c..7aac111b 100644
--- a/fail2ban/client/configparserinc.py
+++ b/fail2ban/client/configparserinc.py
@@ -124,7 +124,7 @@ class SafeConfigParserWithIncludes(object):
 		else:
 			fileNamesFull = resource
 		# check cache
-		hashv = '///'.join(fileNamesFull)
+		hashv = '\x01'.join(fileNamesFull)
 		cr, ret, mtime = SCPWI.CFG_CACHE.get(hashv, (None, False, 0))
 		curmt = SCPWI._resource_mtime(fileNamesFull)
 		if cr is not None and mtime == curmt:
@@ -167,7 +167,7 @@ class SafeConfigParserWithIncludes(object):
 		parser = SCPWI()
 		try:
 			# read without includes
-			parser.read(resource, get_includes = False)
+			parser.read(resource, get_includes=False)
 		except UnicodeDecodeError, e:
 			logSys.error("Error decoding config file '%s': %s" % (resource, e))
 			return []
@@ -232,11 +232,45 @@ after = 1.conf
 			super(_SafeConfigParserWithIncludes, self).__init__(
 				*args, **kwargs)
 
+	def get_defaults(self):
+		return self._defaults
+
+	def get_sections(self):
+		return self._sections
 
 	def read(self, filenames):
 		if not isinstance(filenames, list):
 			filenames = [ filenames ]
-		logSys.debug("Reading files: %s", filenames)
+		if len(filenames) > 1:
+			# read multiple configs:
+			ret = []
+			alld = self.get_defaults()
+			alls = self.get_sections()
+			for filename in filenames:
+				# read single one, add to return list:
+				cfg = SafeConfigParserWithIncludes()
+				i = cfg.read(filename, get_includes=False)
+				if i:
+					ret += i
+					# merge defaults and all sections to self:
+					for (n, v) in cfg.get_defaults().items():
+						alld[n] = v
+					for (n, s) in cfg.get_sections().items():
+						if isinstance(s, dict):
+							s2 = alls.get(n)
+							if s2 is not None:
+								for (n, v) in s.items():
+									s2[n] = v
+							else:
+								s2 = s.copy()
+								alls[n] = s2
+						else:
+							alls[n] = s
+
+			return ret
+
+		# read one config :
+		logSys.debug("Reading file: %s", filenames[0])
 		if sys.version_info >= (3,2): # pragma: no cover
 			return SafeConfigParser.read(self, filenames, encoding='utf-8')
 		else:
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index 68de2e8b..5c5c75bc 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -365,11 +365,11 @@ class JailsReaderTestCache(LogCaptureTestCase):
 			self.assertTrue(configurator.getOptions(None))
 			cnt = 0
 			for s in self.getLog().rsplit('\n'):
-				if re.match(r"^Reading files: .*jail.local", s):
+				if re.match(r"^Reading files?: .*jail.local", s):
 					cnt += 1
-			# if cnt > 2:
+			# if cnt > 1:
 			# 	self.printLog()
-			self.assertFalse(cnt > 2, "Too many times reading of config files, cnt = %s" % cnt)
+			self.assertFalse(cnt > 1, "Too many times reading of config files, cnt = %s" % cnt)
 			self.assertFalse(cnt <= 0)
 		finally:
 			shutil.rmtree(basedir)

From 4244c87802f0cc88072a7bac3574d1fb1377eb3d Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Thu, 9 Oct 2014 14:51:08 +0200
Subject: [PATCH 61/82] ConfigWrapper class introduced: sharing of the same
 ConfigReader object between JailsReader and JailReader (don't read jail
 config each jail); sharing of the same DefinitionInitConfigReader
 (ActionReader, FilterReader) between all jails using that; cache of read a
 config files was optimized; test case extended for all types of config
 readers;

---
 fail2ban/client/actionreader.py        | 12 +++--
 fail2ban/client/configparserinc.py     | 13 ++---
 fail2ban/client/configreader.py        | 75 ++++++++++++++++++++++----
 fail2ban/client/configurator.py        |  4 +-
 fail2ban/client/fail2banreader.py      | 13 ++---
 fail2ban/client/filterreader.py        | 10 ++--
 fail2ban/client/jailreader.py          | 20 +++----
 fail2ban/client/jailsreader.py         | 19 ++++---
 fail2ban/tests/clientreadertestcase.py | 49 ++++++++++++-----
 9 files changed, 153 insertions(+), 62 deletions(-)

diff --git a/fail2ban/client/actionreader.py b/fail2ban/client/actionreader.py
index 91f3322b..8022ecc1 100644
--- a/fail2ban/client/actionreader.py
+++ b/fail2ban/client/actionreader.py
@@ -26,7 +26,7 @@ __license__ = "GPL"
 
 import os
 
-from .configreader import ConfigReader, DefinitionInitConfigReader
+from .configreader import DefinitionInitConfigReader
 from ..helpers import getLogger
 
 # Gets the instance of the logger.
@@ -47,15 +47,19 @@ class ActionReader(DefinitionInitConfigReader):
 		DefinitionInitConfigReader.__init__(
 			self, file_, jailName, initOpts, **kwargs)
 
+	def setFile(self, fileName):
+		self.__file = fileName
+		DefinitionInitConfigReader.setFile(self, os.path.join("action.d", fileName))
+	
+	def getFile(self):
+		return self.__file
+
 	def setName(self, name):
 		self._name = name
 
 	def getName(self):
 		return self._name
 
-	def read(self):
-		return ConfigReader.read(self, os.path.join("action.d", self._file))
-
 	def convert(self):
 		head = ["set", self._jailName]
 		stream = list()
diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
index 7aac111b..31945849 100644
--- a/fail2ban/client/configparserinc.py
+++ b/fail2ban/client/configparserinc.py
@@ -253,17 +253,14 @@ after = 1.conf
 				if i:
 					ret += i
 					# merge defaults and all sections to self:
-					for (n, v) in cfg.get_defaults().items():
-						alld[n] = v
-					for (n, s) in cfg.get_sections().items():
+					alld.update(cfg.get_defaults())
+					for n, s in cfg.get_sections().iteritems():
 						if isinstance(s, dict):
 							s2 = alls.get(n)
-							if s2 is not None:
-								for (n, v) in s.items():
-									s2[n] = v
+							if isinstance(s2, dict):
+								s2.update(s)
 							else:
-								s2 = s.copy()
-								alls[n] = s2
+								alls[n] = s.copy()
 						else:
 							alls[n] = s
 
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index ada48803..d1cc7924 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -32,6 +32,65 @@ from ..helpers import getLogger
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
+logLevel = 6
+
+class ConfigWrapper():
+
+	def __init__(self, use_config=None, share_config=None, **kwargs):
+		# use given shared config if possible (see read):
+		self._cfg_share = None
+		self._cfg = None
+		if use_config is not None:
+			self._cfg = use_config
+		else:
+			# share config if possible:
+			if share_config is not None:
+				self._cfg_share = share_config
+				self._cfg_share_kwargs = kwargs
+			else:
+				self._cfg = ConfigReader(**kwargs)
+
+	def setBaseDir(self, basedir):
+		self._cfg.setBaseDir(basedir)
+
+	def getBaseDir(self):
+		return self._cfg.getBaseDir()
+
+	def read(self, name, once=True):
+		# shared ?
+		if not self._cfg and self._cfg_share is not None:
+			self._cfg = self._cfg_share.get(name)
+			if not self._cfg:
+				self._cfg = ConfigReader(**self._cfg_share_kwargs)
+				self._cfg_share[name] = self._cfg
+		# performance feature - read once if using shared config reader:
+		rc = self._cfg.read_cfg_files
+		if once and rc.get(name) is not None:
+			return rc.get(name)
+
+		# read:
+		ret = self._cfg.read(name)
+
+		# save already read:
+		if once:
+			rc[name] = ret
+		return ret
+
+	def sections(self):
+		return self._cfg.sections()
+
+	def has_section(self, sec):
+		return self._cfg.has_section(sec)
+
+	def options(self, *args):
+		return self._cfg.options(*args)
+
+	def get(self, sec, opt):
+		return self._cfg.get(sec, opt)
+
+	def getOptions(self, *args, **kwargs):
+		return self._cfg.getOptions(*args, **kwargs)
+
 
 class ConfigReader(SafeConfigParserWithIncludes):
 
@@ -39,8 +98,8 @@ class ConfigReader(SafeConfigParserWithIncludes):
 	
 	def __init__(self, basedir=None):
 		SafeConfigParserWithIncludes.__init__(self)
+		self.read_cfg_files = dict()
 		self.setBaseDir(basedir)
-		self.__opts = None
 	
 	def setBaseDir(self, basedir):
 		if basedir is None:
@@ -122,17 +181,15 @@ class ConfigReader(SafeConfigParserWithIncludes):
 					logSys.warning("'%s' not defined in '%s'. Using default one: %r"
 								% (option[1], sec, option[2]))
 					values[option[1]] = option[2]
-				else:
-					logSys.debug(
-						"Non essential option '%s' not defined in '%s'.",
-						option[1], sec)
+				elif logSys.getEffectiveLevel() <= logLevel:
+					logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", option[1], sec)
 			except ValueError:
 				logSys.warning("Wrong value for '" + option[1] + "' in '" + sec +
 							"'. Using default one: '" + `option[2]` + "'")
 				values[option[1]] = option[2]
 		return values
 
-class DefinitionInitConfigReader(ConfigReader):
+class DefinitionInitConfigReader(ConfigWrapper):
 	"""Config reader for files with options grouped in [Definition] and
 			 [Init] sections.
 
@@ -144,7 +201,7 @@ class DefinitionInitConfigReader(ConfigReader):
 	_configOpts = []
 	
 	def __init__(self, file_, jailName, initOpts, **kwargs):
-		ConfigReader.__init__(self, **kwargs)
+		ConfigWrapper.__init__(self, **kwargs)
 		self.setFile(file_)
 		self.setJailName(jailName)
 		self._initOpts = initOpts
@@ -163,14 +220,14 @@ class DefinitionInitConfigReader(ConfigReader):
 		return self._jailName
 	
 	def read(self):
-		return ConfigReader.read(self, self._file)
+		return ConfigWrapper.read(self, self._file)
 
 	# needed for fail2ban-regex that doesn't need fancy directories
 	def readexplicit(self):
 		return SafeConfigParserWithIncludes.read(self, self._file)
 	
 	def getOptions(self, pOpts):
-		self._opts = ConfigReader.getOptions(
+		self._opts = ConfigWrapper.getOptions(
 			self, "Definition", self._configOpts, pOpts)
 		
 		if self.has_section("Init"):
diff --git a/fail2ban/client/configurator.py b/fail2ban/client/configurator.py
index 0dd9f955..a29fe94d 100644
--- a/fail2ban/client/configurator.py
+++ b/fail2ban/client/configurator.py
@@ -33,11 +33,11 @@ logSys = getLogger(__name__)
 
 class Configurator:
 	
-	def __init__(self):
+	def __init__(self, force_enable=False):
 		self.__settings = dict()
 		self.__streams = dict()
 		self.__fail2ban = Fail2banReader()
-		self.__jails = JailsReader()
+		self.__jails = JailsReader(force_enable=force_enable)
 	
 	def setBaseDir(self, folderName):
 		self.__fail2ban.setBaseDir(folderName)
diff --git a/fail2ban/client/fail2banreader.py b/fail2ban/client/fail2banreader.py
index 361a5e54..a151ebf0 100644
--- a/fail2ban/client/fail2banreader.py
+++ b/fail2ban/client/fail2banreader.py
@@ -24,31 +24,32 @@ __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
-from .configreader import ConfigReader
+from .configreader import ConfigWrapper
 from ..helpers import getLogger
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
 
-class Fail2banReader(ConfigReader):
+class Fail2banReader(ConfigWrapper):
 	
 	def __init__(self, **kwargs):
-		ConfigReader.__init__(self, **kwargs)
+		self.__opts = None
+		ConfigWrapper.__init__(self, **kwargs)
 	
 	def read(self):
-		ConfigReader.read(self, "fail2ban")
+		ConfigWrapper.read(self, "fail2ban")
 	
 	def getEarlyOptions(self):
 		opts = [["string", "socket", "/var/run/fail2ban/fail2ban.sock"],
 				["string", "pidfile", "/var/run/fail2ban/fail2ban.pid"]]
-		return ConfigReader.getOptions(self, "Definition", opts)
+		return ConfigWrapper.getOptions(self, "Definition", opts)
 	
 	def getOptions(self):
 		opts = [["string", "loglevel", "INFO" ],
 				["string", "logtarget", "STDERR"],
 				["string", "dbfile", "/var/lib/fail2ban/fail2ban.sqlite3"],
 				["int", "dbpurgeage", 86400]]
-		self.__opts = ConfigReader.getOptions(self, "Definition", opts)
+		self.__opts = ConfigWrapper.getOptions(self, "Definition", opts)
 	
 	def convert(self):
 		stream = list()
diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py
index 40d74c45..fe657025 100644
--- a/fail2ban/client/filterreader.py
+++ b/fail2ban/client/filterreader.py
@@ -26,7 +26,7 @@ __license__ = "GPL"
 
 import os, shlex
 
-from .configreader import ConfigReader, DefinitionInitConfigReader
+from .configreader import DefinitionInitConfigReader
 from ..server.action import CommandAction
 from ..helpers import getLogger
 
@@ -40,8 +40,12 @@ class FilterReader(DefinitionInitConfigReader):
 		["string", "failregex", ""],
 	]
 
-	def read(self):
-		return ConfigReader.read(self, os.path.join("filter.d", self._file))
+	def setFile(self, fileName):
+		self.__file = fileName
+		DefinitionInitConfigReader.setFile(self, os.path.join("filter.d", fileName))
+	
+	def getFile(self):
+		return self.__file
 	
 	def convert(self):
 		stream = list()
diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
index a4bf5174..a3cc939c 100644
--- a/fail2ban/client/jailreader.py
+++ b/fail2ban/client/jailreader.py
@@ -27,7 +27,7 @@ __license__ = "GPL"
 import re, glob, os.path
 import json
 
-from .configreader import ConfigReader
+from .configreader import ConfigReader, ConfigWrapper
 from .filterreader import FilterReader
 from .actionreader import ActionReader
 from ..helpers import getLogger
@@ -35,17 +35,19 @@ from ..helpers import getLogger
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
 
-class JailReader(ConfigReader):
+class JailReader(ConfigWrapper):
 	
 	optionCRE = re.compile("^((?:\w|-|_|\.)+)(?:\[(.*)\])?$")
 	optionExtractRE = re.compile(
 		r'([\w\-_\.]+)=(?:"([^"]*)"|\'([^\']*)\'|([^,]*))(?:,|$)')
 	
-	def __init__(self, name, force_enable=False, **kwargs):
-		ConfigReader.__init__(self, **kwargs)
+	def __init__(self, name, force_enable=False, cfg_share=None, **kwargs):
+		# use shared config if possible:
+		ConfigWrapper.__init__(self, **kwargs)
 		self.__name = name
 		self.__filter = None
 		self.__force_enable = force_enable
+		self.__cfg_share = cfg_share
 		self.__actions = list()
 		self.__opts = None
 	
@@ -60,7 +62,7 @@ class JailReader(ConfigReader):
 		return self.__name
 	
 	def read(self):
-		out = ConfigReader.read(self, "jail")
+		out = ConfigWrapper.read(self, "jail")
 		# Before returning -- verify that requested section
 		# exists at all
 		if not (self.__name in self.sections()):
@@ -101,7 +103,7 @@ class JailReader(ConfigReader):
 				["string", "ignoreip", None],
 				["string", "filter", ""],
 				["string", "action", ""]]
-		self.__opts = ConfigReader.getOptions(self, self.__name, opts)
+		self.__opts = ConfigWrapper.getOptions(self, self.__name, opts)
 		if not self.__opts:
 			return False
 		
@@ -111,7 +113,7 @@ class JailReader(ConfigReader):
 				filterName, filterOpt = JailReader.extractOptions(
 					self.__opts["filter"])
 				self.__filter = FilterReader(
-					filterName, self.__name, filterOpt, basedir=self.getBaseDir())
+					filterName, self.__name, filterOpt, share_config=self.__cfg_share, basedir=self.getBaseDir())
 				ret = self.__filter.read()
 				if ret:
 					self.__filter.getOptions(self.__opts)
@@ -141,7 +143,7 @@ class JailReader(ConfigReader):
 					else:
 						action = ActionReader(
 							actName, self.__name, actOpt,
-							basedir=self.getBaseDir())
+							share_config=self.__cfg_share, basedir=self.getBaseDir())
 						ret = action.read()
 						if ret:
 							action.getOptions(self.__opts)
@@ -213,7 +215,7 @@ class JailReader(ConfigReader):
 		if self.__filter:
 			stream.extend(self.__filter.convert())
 		for action in self.__actions:
-			if isinstance(action, ConfigReader):
+			if isinstance(action, (ConfigReader, ConfigWrapper)):
 				stream.extend(action.convert())
 			else:
 				stream.append(action)
diff --git a/fail2ban/client/jailsreader.py b/fail2ban/client/jailsreader.py
index 84c614b9..37d37e01 100644
--- a/fail2ban/client/jailsreader.py
+++ b/fail2ban/client/jailsreader.py
@@ -24,14 +24,14 @@ __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
-from .configreader import ConfigReader
+from .configreader import ConfigReader, ConfigWrapper
 from .jailreader import JailReader
 from ..helpers import getLogger
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
 
-class JailsReader(ConfigReader):
+class JailsReader(ConfigWrapper):
 
 	def __init__(self, force_enable=False, **kwargs):
 		"""
@@ -41,7 +41,9 @@ class JailsReader(ConfigReader):
 		  Passed to JailReader to force enable the jails.
 		  It is for internal use
 		"""
-		ConfigReader.__init__(self, **kwargs)
+		# use shared config if possible:
+		ConfigWrapper.__init__(self, **kwargs)
+		self.__cfg_share = dict()
 		self.__jails = list()
 		self.__force_enable = force_enable
 
@@ -50,13 +52,13 @@ class JailsReader(ConfigReader):
 		return self.__jails
 
 	def read(self):
-		return ConfigReader.read(self, "jail")
+		return ConfigWrapper.read(self, "jail")
 
 	def getOptions(self, section=None):
 		"""Reads configuration for jail(s) and adds enabled jails to __jails
 		"""
 		opts = []
-		self.__opts = ConfigReader.getOptions(self, "Definition", opts)
+		self.__opts = ConfigWrapper.getOptions(self, "Definition", opts)
 
 		if section is None:
 			sections = self.sections()
@@ -68,9 +70,10 @@ class JailsReader(ConfigReader):
 		for sec in sections:
 			if sec == 'INCLUDES':
 				continue
-			jail = JailReader(sec, basedir=self.getBaseDir(),
-							  force_enable=self.__force_enable)
-			jail.read()
+			# use the cfg_share for filter/action caching and the same config for all 
+			# jails (use_config=...), therefore don't read it here:
+			jail = JailReader(sec, force_enable=self.__force_enable, 
+				cfg_share=self.__cfg_share, use_config=self._cfg)
 			ret = jail.getOptions()
 			if ret:
 				if jail.isEnabled():
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index 5c5c75bc..a5fe7b6e 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -347,6 +347,23 @@ class FilterReaderTest(unittest.TestCase):
 
 class JailsReaderTestCache(LogCaptureTestCase):
 
+	def _readWholeConf(self, basedir, force_enable=False):
+		# read whole configuration like a file2ban-client ...
+		configurator = Configurator(force_enable=force_enable)
+		configurator.setBaseDir(basedir)
+		configurator.readEarly()
+		configurator.getEarlyOptions()
+		configurator.readAll()
+		# from here we test a cache with all includes / before / after :
+		self.assertTrue(configurator.getOptions(None))
+
+	def _getLoggedReadCount(self, filematch):
+		cnt = 0
+		for s in self.getLog().rsplit('\n'):
+			if re.match(r"^Reading files?: .*/"+filematch, s):
+				cnt += 1
+		return cnt
+
 	def testTestJailConfCache(self):
 		basedir = tempfile.mkdtemp("fail2ban_conf")
 		try:
@@ -356,21 +373,27 @@ class JailsReaderTestCache(LogCaptureTestCase):
 			shutil.copy(CONFIG_DIR + '/fail2ban.conf', basedir + '/fail2ban.local')
 
 			# read whole configuration like a file2ban-client ...
-			configurator = Configurator()
-			configurator.setBaseDir(basedir)
-			configurator.readEarly()
-			configurator.getEarlyOptions()
-			configurator.readAll()
-			# from here we test a cache :
-			self.assertTrue(configurator.getOptions(None))
-			cnt = 0
-			for s in self.getLog().rsplit('\n'):
-				if re.match(r"^Reading files?: .*jail.local", s):
-					cnt += 1
+			self._readWholeConf(basedir)
+			# how many times jail.local was read:
+			cnt = self._getLoggedReadCount('jail.local')
 			# if cnt > 1:
 			# 	self.printLog()
-			self.assertFalse(cnt > 1, "Too many times reading of config files, cnt = %s" % cnt)
-			self.assertFalse(cnt <= 0)
+			self.assertFalse(cnt > 1, "Too many times reading of jail files, cnt = %s" % cnt)
+			self.assertNotEqual(cnt, 0)
+
+			# read whole configuration like a file2ban-client, again ...
+			# but this time force enable all jails, to check filter and action cached also:
+			self._readWholeConf(basedir, force_enable=True)
+			cnt = self._getLoggedReadCount(r'jail\.local')
+			# still one (no more reads):
+			self.assertFalse(cnt > 1, "Too many times second reading of jail files, cnt = %s" % cnt)
+
+			# same with filter:
+			cnt = self._getLoggedReadCount(r'filter\.d/common\.conf')
+			self.assertFalse(cnt > 1, "Too many times reading of filter files, cnt = %s" % cnt)
+			# same with action:
+			cnt = self._getLoggedReadCount(r'action\.d/iptables-common\.conf')
+			self.assertFalse(cnt > 1, "Too many times reading of action files, cnt = %s" % cnt)
 		finally:
 			shutil.rmtree(basedir)
 

From 51cae63bf0cbdcfe1bdc142a65166e2002101b50 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Thu, 9 Oct 2014 15:39:58 +0200
Subject: [PATCH 62/82] more precise by test

---
 fail2ban/tests/clientreadertestcase.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index a5fe7b6e..a24856da 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -378,22 +378,21 @@ class JailsReaderTestCache(LogCaptureTestCase):
 			cnt = self._getLoggedReadCount('jail.local')
 			# if cnt > 1:
 			# 	self.printLog()
-			self.assertFalse(cnt > 1, "Too many times reading of jail files, cnt = %s" % cnt)
-			self.assertNotEqual(cnt, 0)
+			self.assertTrue(cnt == 1, "Unexpected count by reading of jail files, cnt = %s" % cnt)
 
 			# read whole configuration like a file2ban-client, again ...
 			# but this time force enable all jails, to check filter and action cached also:
 			self._readWholeConf(basedir, force_enable=True)
 			cnt = self._getLoggedReadCount(r'jail\.local')
 			# still one (no more reads):
-			self.assertFalse(cnt > 1, "Too many times second reading of jail files, cnt = %s" % cnt)
+			self.assertTrue(cnt == 1, "Unexpected count by second reading of jail files, cnt = %s" % cnt)
 
 			# same with filter:
 			cnt = self._getLoggedReadCount(r'filter\.d/common\.conf')
-			self.assertFalse(cnt > 1, "Too many times reading of filter files, cnt = %s" % cnt)
+			self.assertTrue(cnt == 1, "Unexpected count by reading of filter files, cnt = %s" % cnt)
 			# same with action:
 			cnt = self._getLoggedReadCount(r'action\.d/iptables-common\.conf')
-			self.assertFalse(cnt > 1, "Too many times reading of action files, cnt = %s" % cnt)
+			self.assertTrue(cnt == 1, "Unexpected count by reading of action files, cnt = %s" % cnt)
 		finally:
 			shutil.rmtree(basedir)
 

From f31607ded102c8fb8edca29b16af5994f78b999c Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Tue, 7 Oct 2014 14:07:50 +0200
Subject: [PATCH 63/82] test case for check the read of config files will be
 cached;

Conflicts:
	fail2ban/tests/clientreadertestcase.py -- removed not needed
        time in imports
---
 fail2ban/tests/clientreadertestcase.py | 32 +++++++++++++++++++++++++-
 fail2ban/tests/utils.py                |  4 ++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index 0ad3c66e..f65ef87a 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import os, glob, shutil, tempfile, unittest
+import os, glob, shutil, tempfile, unittest, re
 
 from ..client.configreader import ConfigReader
 from ..client.jailreader import JailReader
@@ -335,6 +335,36 @@ class FilterReaderTest(unittest.TestCase):
 		self.assertRaises(ValueError, FilterReader.convert, filterReader)
 
 
+class JailsReaderTestCache(LogCaptureTestCase):
+
+	def testTestJailConfCache(self):
+		basedir = tempfile.mkdtemp("fail2ban_conf")
+		try:
+			shutil.rmtree(basedir)
+			shutil.copytree(CONFIG_DIR, basedir)
+			shutil.copy(CONFIG_DIR + '/jail.conf', basedir + '/jail.local')
+			shutil.copy(CONFIG_DIR + '/fail2ban.conf', basedir + '/fail2ban.local')
+
+			# read whole configuration like a file2ban-client ...
+			configurator = Configurator()
+			configurator.setBaseDir(basedir)
+			configurator.readEarly()
+			configurator.getEarlyOptions()
+			configurator.readAll()
+			# from here we test a cache :
+			self.assertTrue(configurator.getOptions(None))
+			cnt = 0
+			for s in self.getLog().rsplit('\n'):
+				if re.match(r"^Reading files: .*jail.local", s):
+					cnt += 1
+			# if cnt > 2:
+			# 	self.printLog()
+			self.assertFalse(cnt > 2, "Too many times reading of config files, cnt = %s" % cnt)
+			self.assertFalse(cnt <= 0)
+		finally:
+			shutil.rmtree(basedir)
+
+
 class JailsReaderTest(LogCaptureTestCase):
 
 	def testProvidingBadBasedir(self):
diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
index 912c5a90..ad504703 100644
--- a/fail2ban/tests/utils.py
+++ b/fail2ban/tests/utils.py
@@ -111,6 +111,7 @@ def gatherTests(regexps=None, no_network=False):
 	tests.addTest(unittest.makeSuite(clientreadertestcase.JailReaderTest))
 	tests.addTest(unittest.makeSuite(clientreadertestcase.FilterReaderTest))
 	tests.addTest(unittest.makeSuite(clientreadertestcase.JailsReaderTest))
+	tests.addTest(unittest.makeSuite(clientreadertestcase.JailsReaderTestCache))
 	# CSocket and AsyncServer
 	tests.addTest(unittest.makeSuite(sockettestcase.Socket))
 	# Misc helpers
@@ -216,5 +217,8 @@ class LogCaptureTestCase(unittest.TestCase):
 	def _is_logged(self, s):
 		return s in self._log.getvalue()
 
+	def getLog(self):
+		return self._log.getvalue()
+
 	def printLog(self):
 		print(self._log.getvalue())

From 0c5f11079c6d1cb817a4218f707be37cd1897398 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 9 Oct 2014 10:46:17 -0400
Subject: [PATCH 64/82] ENH: keep spitting out logging to the screen in
 LogCaptureTestCases if HEAVYDEBUG

---
 fail2ban/tests/utils.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
index ad504703..b56c0988 100644
--- a/fail2ban/tests/utils.py
+++ b/fail2ban/tests/utils.py
@@ -25,6 +25,7 @@ __license__ = "GPL"
 import logging
 import os
 import re
+import sys
 import time
 import unittest
 from StringIO import StringIO
@@ -205,6 +206,8 @@ class LogCaptureTestCase(unittest.TestCase):
 		# Let's log everything into a string
 		self._log = StringIO()
 		logSys.handlers = [logging.StreamHandler(self._log)]
+		if self._old_level < logging.DEBUG: # so if HEAVYDEBUG etc -- show them!
+			logSys.handlers += self._old_handlers
 		logSys.setLevel(getattr(logging, 'DEBUG'))
 
 	def tearDown(self):

From b62ce14ccd4dd0307264493122caac824c0a9e49 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Thu, 9 Oct 2014 18:00:45 +0200
Subject: [PATCH 65/82] Partially merge remote-tracking from
 'sebres:cache-config-read-820': test cases extended, configurator.py adapted
 for test case.

---
 fail2ban/client/configurator.py        |  4 +-
 fail2ban/tests/clientreadertestcase.py | 66 +++++++++++++++++++-------
 2 files changed, 51 insertions(+), 19 deletions(-)

diff --git a/fail2ban/client/configurator.py b/fail2ban/client/configurator.py
index 0dd9f955..a29fe94d 100644
--- a/fail2ban/client/configurator.py
+++ b/fail2ban/client/configurator.py
@@ -33,11 +33,11 @@ logSys = getLogger(__name__)
 
 class Configurator:
 	
-	def __init__(self):
+	def __init__(self, force_enable=False):
 		self.__settings = dict()
 		self.__streams = dict()
 		self.__fail2ban = Fail2banReader()
-		self.__jails = JailsReader()
+		self.__jails = JailsReader(force_enable=force_enable)
 	
 	def setBaseDir(self, folderName):
 		self.__fail2ban.setBaseDir(folderName)
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index f65ef87a..a24856da 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import os, glob, shutil, tempfile, unittest, re
+import os, glob, shutil, tempfile, unittest, time, re
 
 from ..client.configreader import ConfigReader
 from ..client.jailreader import JailReader
@@ -39,6 +39,8 @@ STOCK = os.path.exists(os.path.join('config','fail2ban.conf'))
 
 IMPERFECT_CONFIG = os.path.join(os.path.dirname(__file__), 'config')
 
+LAST_WRITE_TIME = 0
+
 class ConfigReaderTest(unittest.TestCase):
 
 	def setUp(self):
@@ -57,7 +59,8 @@ class ConfigReaderTest(unittest.TestCase):
 			d_ = os.path.join(self.d, d)
 			if not os.path.exists(d_):
 				os.makedirs(d_)
-		f = open("%s/%s" % (self.d, fname), "w")
+		fname = "%s/%s" % (self.d, fname)
+		f = open(fname, "w")
 		if value is not None:
 			f.write("""
 [section]
@@ -66,6 +69,14 @@ option = %s
 		if content is not None:
 			f.write(content)
 		f.close()
+		# set modification time to another second to revalidate cache (if milliseconds not supported) :
+		global LAST_WRITE_TIME
+		mtime = os.path.getmtime(fname)
+		if LAST_WRITE_TIME == mtime:
+			mtime += 1
+			os.utime(fname, (mtime, mtime))
+		LAST_WRITE_TIME = mtime
+		
 
 	def _remove(self, fname):
 		os.unlink("%s/%s" % (self.d, fname))
@@ -91,7 +102,6 @@ option = %s
 			# raise unittest.SkipTest("Skipping on %s -- access rights are not enforced" % platform)
 			pass
 
-
 	def testOptionalDotDDir(self):
 		self.assertFalse(self.c.read('c'))	# nothing is there yet
 		self._write("c.conf", "1")
@@ -337,6 +347,23 @@ class FilterReaderTest(unittest.TestCase):
 
 class JailsReaderTestCache(LogCaptureTestCase):
 
+	def _readWholeConf(self, basedir, force_enable=False):
+		# read whole configuration like a file2ban-client ...
+		configurator = Configurator(force_enable=force_enable)
+		configurator.setBaseDir(basedir)
+		configurator.readEarly()
+		configurator.getEarlyOptions()
+		configurator.readAll()
+		# from here we test a cache with all includes / before / after :
+		self.assertTrue(configurator.getOptions(None))
+
+	def _getLoggedReadCount(self, filematch):
+		cnt = 0
+		for s in self.getLog().rsplit('\n'):
+			if re.match(r"^Reading files?: .*/"+filematch, s):
+				cnt += 1
+		return cnt
+
 	def testTestJailConfCache(self):
 		basedir = tempfile.mkdtemp("fail2ban_conf")
 		try:
@@ -346,21 +373,26 @@ class JailsReaderTestCache(LogCaptureTestCase):
 			shutil.copy(CONFIG_DIR + '/fail2ban.conf', basedir + '/fail2ban.local')
 
 			# read whole configuration like a file2ban-client ...
-			configurator = Configurator()
-			configurator.setBaseDir(basedir)
-			configurator.readEarly()
-			configurator.getEarlyOptions()
-			configurator.readAll()
-			# from here we test a cache :
-			self.assertTrue(configurator.getOptions(None))
-			cnt = 0
-			for s in self.getLog().rsplit('\n'):
-				if re.match(r"^Reading files: .*jail.local", s):
-					cnt += 1
-			# if cnt > 2:
+			self._readWholeConf(basedir)
+			# how many times jail.local was read:
+			cnt = self._getLoggedReadCount('jail.local')
+			# if cnt > 1:
 			# 	self.printLog()
-			self.assertFalse(cnt > 2, "Too many times reading of config files, cnt = %s" % cnt)
-			self.assertFalse(cnt <= 0)
+			self.assertTrue(cnt == 1, "Unexpected count by reading of jail files, cnt = %s" % cnt)
+
+			# read whole configuration like a file2ban-client, again ...
+			# but this time force enable all jails, to check filter and action cached also:
+			self._readWholeConf(basedir, force_enable=True)
+			cnt = self._getLoggedReadCount(r'jail\.local')
+			# still one (no more reads):
+			self.assertTrue(cnt == 1, "Unexpected count by second reading of jail files, cnt = %s" % cnt)
+
+			# same with filter:
+			cnt = self._getLoggedReadCount(r'filter\.d/common\.conf')
+			self.assertTrue(cnt == 1, "Unexpected count by reading of filter files, cnt = %s" % cnt)
+			# same with action:
+			cnt = self._getLoggedReadCount(r'action\.d/iptables-common\.conf')
+			self.assertTrue(cnt == 1, "Unexpected count by reading of action files, cnt = %s" % cnt)
 		finally:
 			shutil.rmtree(basedir)
 

From f67053c2ece28888f38c4f19d19c92e4cbfa91a1 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Thu, 9 Oct 2014 19:01:49 +0200
Subject: [PATCH 66/82] ConfigReader/ConfigWrapper renamed as suggested from
 @yarikoptic; + code clarifying (suggested also);

---
 fail2ban/client/configparserinc.py     |  6 ++---
 fail2ban/client/configreader.py        | 33 ++++++++++++++++----------
 fail2ban/client/fail2banreader.py      | 12 +++++-----
 fail2ban/client/jailreader.py          | 12 +++++-----
 fail2ban/client/jailsreader.py         | 10 ++++----
 fail2ban/tests/clientreadertestcase.py |  6 ++---
 6 files changed, 44 insertions(+), 35 deletions(-)

diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
index 31945849..25e15213 100644
--- a/fail2ban/client/configparserinc.py
+++ b/fail2ban/client/configparserinc.py
@@ -92,7 +92,7 @@ class SafeConfigParserWithIncludes(object):
 		return orig_attr
 
 	@staticmethod
-	def _resource_mtime(resource):
+	def _get_resource_fingerprint(resource):
 		mt = []
 		dirnames = []
 		for filename in resource:
@@ -126,7 +126,7 @@ class SafeConfigParserWithIncludes(object):
 		# check cache
 		hashv = '\x01'.join(fileNamesFull)
 		cr, ret, mtime = SCPWI.CFG_CACHE.get(hashv, (None, False, 0))
-		curmt = SCPWI._resource_mtime(fileNamesFull)
+		curmt = SCPWI._get_resource_fingerprint(fileNamesFull)
 		if cr is not None and mtime == curmt:
 			self.__cr = cr
 			logSys.debug("Cached config files: %s", resource)
@@ -160,7 +160,7 @@ class SafeConfigParserWithIncludes(object):
 		# check cache
 		hashv = '///'.join(resources)
 		cinc, mtime = SCPWI.CFG_INC_CACHE.get(hashv, (None, 0))
-		curmt = SCPWI._resource_mtime(resources)
+		curmt = SCPWI._get_resource_fingerprint(resources)
 		if cinc is not None and mtime == curmt:
 			return cinc
 		
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index d1cc7924..a3b5645e 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -32,9 +32,13 @@ from ..helpers import getLogger
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
-logLevel = 6
+_logLevel = 6
 
-class ConfigWrapper():
+class ConfigReader():
+	"""Config reader class (previously ConfigWrapper).
+
+	Automatically shares or use already shared instance of ConfigReaderUnshared.
+			 """
 
 	def __init__(self, use_config=None, share_config=None, **kwargs):
 		# use given shared config if possible (see read):
@@ -48,7 +52,7 @@ class ConfigWrapper():
 				self._cfg_share = share_config
 				self._cfg_share_kwargs = kwargs
 			else:
-				self._cfg = ConfigReader(**kwargs)
+				self._cfg = ConfigReaderUnshared(**kwargs)
 
 	def setBaseDir(self, basedir):
 		self._cfg.setBaseDir(basedir)
@@ -61,7 +65,7 @@ class ConfigWrapper():
 		if not self._cfg and self._cfg_share is not None:
 			self._cfg = self._cfg_share.get(name)
 			if not self._cfg:
-				self._cfg = ConfigReader(**self._cfg_share_kwargs)
+				self._cfg = ConfigReaderUnshared(**self._cfg_share_kwargs)
 				self._cfg_share[name] = self._cfg
 		# performance feature - read once if using shared config reader:
 		rc = self._cfg.read_cfg_files
@@ -92,7 +96,12 @@ class ConfigWrapper():
 		return self._cfg.getOptions(*args, **kwargs)
 
 
-class ConfigReader(SafeConfigParserWithIncludes):
+class ConfigReaderUnshared(SafeConfigParserWithIncludes):
+	"""Unshared config reader (previously ConfigReader).
+
+	Does not use this class (internal not shared/cached represenation).
+	Use ConfigReader instead.
+			 """
 
 	DEFAULT_BASEDIR = '/etc/fail2ban'
 	
@@ -103,7 +112,7 @@ class ConfigReader(SafeConfigParserWithIncludes):
 	
 	def setBaseDir(self, basedir):
 		if basedir is None:
-			basedir = ConfigReader.DEFAULT_BASEDIR	# stock system location
+			basedir = ConfigReaderUnshared.DEFAULT_BASEDIR	# stock system location
 		self._basedir = basedir.rstrip('/')
 	
 	def getBaseDir(self):
@@ -181,15 +190,15 @@ class ConfigReader(SafeConfigParserWithIncludes):
 					logSys.warning("'%s' not defined in '%s'. Using default one: %r"
 								% (option[1], sec, option[2]))
 					values[option[1]] = option[2]
-				elif logSys.getEffectiveLevel() <= logLevel:
-					logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", option[1], sec)
+				elif logSys.getEffectiveLevel() <= _logLevel:
+					logSys.log(_logLevel, "Non essential option '%s' not defined in '%s'.", option[1], sec)
 			except ValueError:
 				logSys.warning("Wrong value for '" + option[1] + "' in '" + sec +
 							"'. Using default one: '" + `option[2]` + "'")
 				values[option[1]] = option[2]
 		return values
 
-class DefinitionInitConfigReader(ConfigWrapper):
+class DefinitionInitConfigReader(ConfigReader):
 	"""Config reader for files with options grouped in [Definition] and
 			 [Init] sections.
 
@@ -201,7 +210,7 @@ class DefinitionInitConfigReader(ConfigWrapper):
 	_configOpts = []
 	
 	def __init__(self, file_, jailName, initOpts, **kwargs):
-		ConfigWrapper.__init__(self, **kwargs)
+		ConfigReader.__init__(self, **kwargs)
 		self.setFile(file_)
 		self.setJailName(jailName)
 		self._initOpts = initOpts
@@ -220,14 +229,14 @@ class DefinitionInitConfigReader(ConfigWrapper):
 		return self._jailName
 	
 	def read(self):
-		return ConfigWrapper.read(self, self._file)
+		return ConfigReader.read(self, self._file)
 
 	# needed for fail2ban-regex that doesn't need fancy directories
 	def readexplicit(self):
 		return SafeConfigParserWithIncludes.read(self, self._file)
 	
 	def getOptions(self, pOpts):
-		self._opts = ConfigWrapper.getOptions(
+		self._opts = ConfigReader.getOptions(
 			self, "Definition", self._configOpts, pOpts)
 		
 		if self.has_section("Init"):
diff --git a/fail2ban/client/fail2banreader.py b/fail2ban/client/fail2banreader.py
index a151ebf0..4d46c156 100644
--- a/fail2ban/client/fail2banreader.py
+++ b/fail2ban/client/fail2banreader.py
@@ -24,32 +24,32 @@ __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
-from .configreader import ConfigWrapper
+from .configreader import ConfigReader
 from ..helpers import getLogger
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
 
-class Fail2banReader(ConfigWrapper):
+class Fail2banReader(ConfigReader):
 	
 	def __init__(self, **kwargs):
 		self.__opts = None
-		ConfigWrapper.__init__(self, **kwargs)
+		ConfigReader.__init__(self, **kwargs)
 	
 	def read(self):
-		ConfigWrapper.read(self, "fail2ban")
+		ConfigReader.read(self, "fail2ban")
 	
 	def getEarlyOptions(self):
 		opts = [["string", "socket", "/var/run/fail2ban/fail2ban.sock"],
 				["string", "pidfile", "/var/run/fail2ban/fail2ban.pid"]]
-		return ConfigWrapper.getOptions(self, "Definition", opts)
+		return ConfigReader.getOptions(self, "Definition", opts)
 	
 	def getOptions(self):
 		opts = [["string", "loglevel", "INFO" ],
 				["string", "logtarget", "STDERR"],
 				["string", "dbfile", "/var/lib/fail2ban/fail2ban.sqlite3"],
 				["int", "dbpurgeage", 86400]]
-		self.__opts = ConfigWrapper.getOptions(self, "Definition", opts)
+		self.__opts = ConfigReader.getOptions(self, "Definition", opts)
 	
 	def convert(self):
 		stream = list()
diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
index a3cc939c..e4394e59 100644
--- a/fail2ban/client/jailreader.py
+++ b/fail2ban/client/jailreader.py
@@ -27,7 +27,7 @@ __license__ = "GPL"
 import re, glob, os.path
 import json
 
-from .configreader import ConfigReader, ConfigWrapper
+from .configreader import ConfigReaderUnshared, ConfigReader
 from .filterreader import FilterReader
 from .actionreader import ActionReader
 from ..helpers import getLogger
@@ -35,7 +35,7 @@ from ..helpers import getLogger
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
 
-class JailReader(ConfigWrapper):
+class JailReader(ConfigReader):
 	
 	optionCRE = re.compile("^((?:\w|-|_|\.)+)(?:\[(.*)\])?$")
 	optionExtractRE = re.compile(
@@ -43,7 +43,7 @@ class JailReader(ConfigWrapper):
 	
 	def __init__(self, name, force_enable=False, cfg_share=None, **kwargs):
 		# use shared config if possible:
-		ConfigWrapper.__init__(self, **kwargs)
+		ConfigReader.__init__(self, **kwargs)
 		self.__name = name
 		self.__filter = None
 		self.__force_enable = force_enable
@@ -62,7 +62,7 @@ class JailReader(ConfigWrapper):
 		return self.__name
 	
 	def read(self):
-		out = ConfigWrapper.read(self, "jail")
+		out = ConfigReader.read(self, "jail")
 		# Before returning -- verify that requested section
 		# exists at all
 		if not (self.__name in self.sections()):
@@ -103,7 +103,7 @@ class JailReader(ConfigWrapper):
 				["string", "ignoreip", None],
 				["string", "filter", ""],
 				["string", "action", ""]]
-		self.__opts = ConfigWrapper.getOptions(self, self.__name, opts)
+		self.__opts = ConfigReader.getOptions(self, self.__name, opts)
 		if not self.__opts:
 			return False
 		
@@ -215,7 +215,7 @@ class JailReader(ConfigWrapper):
 		if self.__filter:
 			stream.extend(self.__filter.convert())
 		for action in self.__actions:
-			if isinstance(action, (ConfigReader, ConfigWrapper)):
+			if isinstance(action, (ConfigReaderUnshared, ConfigReader)):
 				stream.extend(action.convert())
 			else:
 				stream.append(action)
diff --git a/fail2ban/client/jailsreader.py b/fail2ban/client/jailsreader.py
index 37d37e01..3bb713f6 100644
--- a/fail2ban/client/jailsreader.py
+++ b/fail2ban/client/jailsreader.py
@@ -24,14 +24,14 @@ __author__ = "Cyril Jaquier"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
-from .configreader import ConfigReader, ConfigWrapper
+from .configreader import ConfigReader
 from .jailreader import JailReader
 from ..helpers import getLogger
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
 
-class JailsReader(ConfigWrapper):
+class JailsReader(ConfigReader):
 
 	def __init__(self, force_enable=False, **kwargs):
 		"""
@@ -42,7 +42,7 @@ class JailsReader(ConfigWrapper):
 		  It is for internal use
 		"""
 		# use shared config if possible:
-		ConfigWrapper.__init__(self, **kwargs)
+		ConfigReader.__init__(self, **kwargs)
 		self.__cfg_share = dict()
 		self.__jails = list()
 		self.__force_enable = force_enable
@@ -52,13 +52,13 @@ class JailsReader(ConfigWrapper):
 		return self.__jails
 
 	def read(self):
-		return ConfigWrapper.read(self, "jail")
+		return ConfigReader.read(self, "jail")
 
 	def getOptions(self, section=None):
 		"""Reads configuration for jail(s) and adds enabled jails to __jails
 		"""
 		opts = []
-		self.__opts = ConfigWrapper.getOptions(self, "Definition", opts)
+		self.__opts = ConfigReader.getOptions(self, "Definition", opts)
 
 		if section is None:
 			sections = self.sections()
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index a24856da..0aaa8890 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -21,9 +21,9 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import os, glob, shutil, tempfile, unittest, time, re
+import os, glob, shutil, tempfile, unittest, re
 
-from ..client.configreader import ConfigReader
+from ..client.configreader import ConfigReaderUnshared
 from ..client.jailreader import JailReader
 from ..client.filterreader import FilterReader
 from ..client.jailsreader import JailsReader
@@ -46,7 +46,7 @@ class ConfigReaderTest(unittest.TestCase):
 	def setUp(self):
 		"""Call before every test case."""
 		self.d = tempfile.mkdtemp(prefix="f2b-temp")
-		self.c = ConfigReader(basedir=self.d)
+		self.c = ConfigReaderUnshared(basedir=self.d)
 
 	def tearDown(self):
 		"""Call after every test case."""

From 37952ab75f4cb34ffa9180a5a35344a2dfa53475 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Thu, 9 Oct 2014 19:51:53 +0200
Subject: [PATCH 67/82] code review

---
 fail2ban/client/configreader.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index a3b5645e..096f8e78 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -35,9 +35,9 @@ logSys = getLogger(__name__)
 _logLevel = 6
 
 class ConfigReader():
-	"""Config reader class (previously ConfigWrapper).
+	"""Generic config reader class.
 
-	Automatically shares or use already shared instance of ConfigReaderUnshared.
+  A caching adapter which automatically reuses already shared configuration.
 			 """
 
 	def __init__(self, use_config=None, share_config=None, **kwargs):
@@ -200,12 +200,12 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 
 class DefinitionInitConfigReader(ConfigReader):
 	"""Config reader for files with options grouped in [Definition] and
-			 [Init] sections.
+       [Init] sections.
 
-			 Is a base class for readers of filters and actions, where definitions
-			 in jails might provide custom values for options defined in [Init]
-			 section.
-			 """
+       Is a base class for readers of filters and actions, where definitions
+       in jails might provide custom values for options defined in [Init]
+       section.
+       """
 
 	_configOpts = []
 	

From c35b4b24d21445690e4c51a335adf270136bd7d3 Mon Sep 17 00:00:00 2001
From: sebres <info@sebres.de>
Date: Fri, 10 Oct 2014 02:10:13 +0200
Subject: [PATCH 68/82] rewritten caching resp. sharing of ConfigReader and
 SafeConfigParserWithIncludes (v.2, first and second level cache, without
 fingerprinting etc.);

---
 fail2ban/client/configparserinc.py     | 296 +++++++++++--------------
 fail2ban/client/configreader.py        |  43 ++--
 fail2ban/client/configurator.py        |   6 +-
 fail2ban/client/jailreader.py          |   7 +-
 fail2ban/client/jailsreader.py         |   3 +-
 fail2ban/tests/clientreadertestcase.py |  27 +--
 6 files changed, 178 insertions(+), 204 deletions(-)

diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
index 25e15213..d6ad4e34 100644
--- a/fail2ban/client/configparserinc.py
+++ b/fail2ban/client/configparserinc.py
@@ -65,136 +65,7 @@ logSys = getLogger(__name__)
 
 __all__ = ['SafeConfigParserWithIncludes']
 
-class SafeConfigParserWithIncludes(object):
-
-	SECTION_NAME = "INCLUDES"
-	CFG_CACHE = {}
-	CFG_INC_CACHE = {}
-	CFG_EMPY_CFG = None
-
-	def __init__(self):
-		self.__cr = None
-
-	def __check_read(self, attr):
-		if self.__cr is None:
-			# raise RuntimeError("Access to wrapped attribute \"%s\" before read call" % attr)
-			if SafeConfigParserWithIncludes.CFG_EMPY_CFG is None: 
-				SafeConfigParserWithIncludes.CFG_EMPY_CFG = _SafeConfigParserWithIncludes()
-			self.__cr = SafeConfigParserWithIncludes.CFG_EMPY_CFG
-
-	def __getattr__(self,attr):
-		# check we access local implementation
-		try:
-			orig_attr = self.__getattribute__(attr)
-		except AttributeError:
-			self.__check_read(attr)
-			orig_attr = self.__cr.__getattribute__(attr)
-		return orig_attr
-
-	@staticmethod
-	def _get_resource_fingerprint(resource):
-		mt = []
-		dirnames = []
-		for filename in resource:
-			if os.path.exists(filename):
-				s = os.stat(filename)
-				mt.append(s.st_mtime)
-				mt.append(s.st_mode)
-				mt.append(s.st_size)
-				dirname = os.path.dirname(filename)
-				if dirname not in dirnames:
-					dirnames.append(dirname)
-		for dirname in dirnames:
-			if os.path.exists(dirname):
-				s = os.stat(dirname)
-				mt.append(s.st_mtime)
-				mt.append(s.st_mode)
-				mt.append(s.st_size)
-		return mt
-
-	def read(self, resource, get_includes=True, log_info=None):
-		SCPWI = SafeConfigParserWithIncludes
-		# check includes :
-		fileNamesFull = []
-		if not isinstance(resource, list):
-			resource = [ resource ]
-		if get_includes:
-			for filename in resource:
-				fileNamesFull += SCPWI.getIncludes(filename)
-		else:
-			fileNamesFull = resource
-		# check cache
-		hashv = '\x01'.join(fileNamesFull)
-		cr, ret, mtime = SCPWI.CFG_CACHE.get(hashv, (None, False, 0))
-		curmt = SCPWI._get_resource_fingerprint(fileNamesFull)
-		if cr is not None and mtime == curmt:
-			self.__cr = cr
-			logSys.debug("Cached config files: %s", resource)
-			#logSys.debug("Cached config files: %s", fileNamesFull)
-			return ret
-		# not yet in cache - create/read and add to cache:
-		if log_info is not None:
-			logSys.info(*log_info)
-		cr = _SafeConfigParserWithIncludes()
-		ret = cr.read(fileNamesFull)
-		SCPWI.CFG_CACHE[hashv] = (cr, ret, curmt)
-		self.__cr = cr
-		return ret
-
-	def getOptions(self, *args, **kwargs):
-		self.__check_read('getOptions')
-		return self.__cr.getOptions(*args, **kwargs)
-
-	@staticmethod
-	def getIncludes(resource, seen = []):
-		"""
-		Given 1 config resource returns list of included files
-		(recursively) with the original one as well
-		Simple loops are taken care about
-		"""
-		
-		# Use a short class name ;)
-		SCPWI = SafeConfigParserWithIncludes
-
-		resources = seen + [resource]
-		# check cache
-		hashv = '///'.join(resources)
-		cinc, mtime = SCPWI.CFG_INC_CACHE.get(hashv, (None, 0))
-		curmt = SCPWI._get_resource_fingerprint(resources)
-		if cinc is not None and mtime == curmt:
-			return cinc
-		
-		parser = SCPWI()
-		try:
-			# read without includes
-			parser.read(resource, get_includes=False)
-		except UnicodeDecodeError, e:
-			logSys.error("Error decoding config file '%s': %s" % (resource, e))
-			return []
-		
-		resourceDir = os.path.dirname(resource)
-
-		newFiles = [ ('before', []), ('after', []) ]
-		if SCPWI.SECTION_NAME in parser.sections():
-			for option_name, option_list in newFiles:
-				if option_name in parser.options(SCPWI.SECTION_NAME):
-					newResources = parser.get(SCPWI.SECTION_NAME, option_name)
-					for newResource in newResources.split('\n'):
-						if os.path.isabs(newResource):
-							r = newResource
-						else:
-							r = os.path.join(resourceDir, newResource)
-						if r in seen:
-							continue
-						option_list += SCPWI.getIncludes(r, resources)
-		# combine lists
-		cinc = newFiles[0][1] + [resource] + newFiles[1][1]
-		# cache and return :
-		SCPWI.CFG_INC_CACHE[hashv] = (cinc, curmt)
-		return cinc
-		#print "Includes list for " + resource + " is " + `resources`
-
-class _SafeConfigParserWithIncludes(SafeConfigParser, object):
+class SafeConfigParserWithIncludes(SafeConfigParser):
 	"""
 	Class adds functionality to SafeConfigParser to handle included
 	other configuration files (or may be urls, whatever in the future)
@@ -223,14 +94,99 @@ after = 1.conf
 
 	"""
 
+	SECTION_NAME = "INCLUDES"
+
 	if sys.version_info >= (3,2):
 		# overload constructor only for fancy new Python3's
-		def __init__(self, *args, **kwargs):
+		def __init__(self, share_config=None, *args, **kwargs):
 			kwargs = kwargs.copy()
 			kwargs['interpolation'] = BasicInterpolationWithName()
 			kwargs['inline_comment_prefixes'] = ";"
-			super(_SafeConfigParserWithIncludes, self).__init__(
+			super(SafeConfigParserWithIncludes, self).__init__(
 				*args, **kwargs)
+			self._cfg_share = share_config
+
+	else:
+		def __init__(self, share_config=None, *args, **kwargs):
+			SafeConfigParser.__init__(self, *args, **kwargs)
+			self._cfg_share = share_config
+
+	@property
+	def share_config(self):
+		return self._cfg_share
+
+	def _getSharedSCPWI(self, filename):
+		SCPWI = SafeConfigParserWithIncludes
+		# read single one, add to return list, use sharing if possible:
+		if self._cfg_share:
+			# cache/share each file as include (ex: filter.d/common could be included in each filter config):
+			hashv = 'inc:'+(filename if not isinstance(filename, list) else '\x01'.join(filename))
+			cfg, i = self._cfg_share.get(hashv, (None, None))
+			if cfg is None:
+				cfg = SCPWI(share_config=self._cfg_share)
+				i = cfg.read(filename, get_includes=False)
+				self._cfg_share[hashv] = (cfg, i)
+			else:
+				logSys.debug("    Shared file: %s", filename)
+		else:
+			# don't have sharing:
+			cfg = SCPWI()
+			i = cfg.read(filename, get_includes=False)
+		return (cfg, i)
+
+	def _getIncludes(self, filenames, seen=[]):
+		if not isinstance(filenames, list):
+			filenames = [ filenames ]
+		# retrieve or cache include paths:
+		if self._cfg_share:
+			# cache/share include list:
+			hashv = 'inc-path:'+('\x01'.join(filenames))
+			fileNamesFull = self._cfg_share.get(hashv)
+			if fileNamesFull is None:
+				fileNamesFull = []
+				for filename in filenames:
+					fileNamesFull += self.__getIncludesUncached(filename, seen)
+				self._cfg_share[hashv] = fileNamesFull
+			return fileNamesFull
+		# don't have sharing:
+		fileNamesFull = []
+		for filename in filenames:
+			fileNamesFull += self.__getIncludesUncached(filename, seen)
+		return fileNamesFull
+
+	def __getIncludesUncached(self, resource, seen=[]):
+		"""
+		Given 1 config resource returns list of included files
+		(recursively) with the original one as well
+		Simple loops are taken care about
+		"""
+		SCPWI = SafeConfigParserWithIncludes
+		try:
+			parser, i = self._getSharedSCPWI(resource)
+			if not i:
+				return []
+		except UnicodeDecodeError, e:
+			logSys.error("Error decoding config file '%s': %s" % (resource, e))
+			return []
+		
+		resourceDir = os.path.dirname(resource)
+
+		newFiles = [ ('before', []), ('after', []) ]
+		if SCPWI.SECTION_NAME in parser.sections():
+			for option_name, option_list in newFiles:
+				if option_name in parser.options(SCPWI.SECTION_NAME):
+					newResources = parser.get(SCPWI.SECTION_NAME, option_name)
+					for newResource in newResources.split('\n'):
+						if os.path.isabs(newResource):
+							r = newResource
+						else:
+							r = os.path.join(resourceDir, newResource)
+						if r in seen:
+							continue
+						s = seen + [resource]
+						option_list += self._getIncludes(r, s)
+		# combine lists
+		return newFiles[0][1] + [resource] + newFiles[1][1]
 
 	def get_defaults(self):
 		return self._defaults
@@ -238,38 +194,52 @@ after = 1.conf
 	def get_sections(self):
 		return self._sections
 
-	def read(self, filenames):
+	def read(self, filenames, get_includes=True, log_info=None):
 		if not isinstance(filenames, list):
 			filenames = [ filenames ]
-		if len(filenames) > 1:
-			# read multiple configs:
-			ret = []
-			alld = self.get_defaults()
-			alls = self.get_sections()
-			for filename in filenames:
-				# read single one, add to return list:
-				cfg = SafeConfigParserWithIncludes()
-				i = cfg.read(filename, get_includes=False)
-				if i:
-					ret += i
-					# merge defaults and all sections to self:
-					alld.update(cfg.get_defaults())
-					for n, s in cfg.get_sections().iteritems():
-						if isinstance(s, dict):
-							s2 = alls.get(n)
-							if isinstance(s2, dict):
-								s2.update(s)
-							else:
-								alls[n] = s.copy()
-						else:
-							alls[n] = s
-
-			return ret
-
-		# read one config :
-		logSys.debug("Reading file: %s", filenames[0])
-		if sys.version_info >= (3,2): # pragma: no cover
-			return SafeConfigParser.read(self, filenames, encoding='utf-8')
+		# retrieve (and cache) includes:
+		fileNamesFull = []
+		if get_includes:
+			fileNamesFull += self._getIncludes(filenames)
 		else:
-			return SafeConfigParser.read(self, filenames)
+			fileNamesFull = filenames
+
+		if self._cfg_share is not None:
+			logSys.debug("  Sharing files: %s", fileNamesFull)
+
+			if len(fileNamesFull) > 1:
+				# read multiple configs:
+				ret = []
+				alld = self.get_defaults()
+				alls = self.get_sections()
+				for filename in fileNamesFull:
+					# read single one, add to return list, use sharing if possible:
+					cfg, i = self._getSharedSCPWI(filename)
+					if i:
+						ret += i
+						# merge defaults and all sections to self:
+						alld.update(cfg.get_defaults())
+						for n, s in cfg.get_sections().iteritems():
+							if isinstance(s, dict):
+								s2 = alls.get(n)
+								if isinstance(s2, dict):
+									s2.update(s)
+								else:
+									alls[n] = s.copy()
+							else:
+								alls[n] = s
+
+				return ret
+
+			# read one config :
+			logSys.debug("  Reading file: %s", fileNamesFull[0])
+		else:
+			# don't have sharing - read one or multiple at once:
+			logSys.debug("  Reading files: %s", fileNamesFull)
+
+		# read file(s) :
+		if sys.version_info >= (3,2): # pragma: no cover
+			return SafeConfigParser.read(self, fileNamesFull, encoding='utf-8')
+		else:
+			return SafeConfigParser.read(self, fileNamesFull)
 
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index 096f8e78..657800fa 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -46,26 +46,38 @@ class ConfigReader():
 		self._cfg = None
 		if use_config is not None:
 			self._cfg = use_config
-		else:
-			# share config if possible:
-			if share_config is not None:
-				self._cfg_share = share_config
-				self._cfg_share_kwargs = kwargs
-			else:
-				self._cfg = ConfigReaderUnshared(**kwargs)
+		# share config if possible:
+		if share_config is not None:
+			self._cfg_share = share_config
+			self._cfg_share_kwargs = kwargs
+			self._cfg_share_basedir = None
+		elif self._cfg is None:
+			self._cfg = ConfigReaderUnshared(**kwargs)
 
 	def setBaseDir(self, basedir):
-		self._cfg.setBaseDir(basedir)
+		if self._cfg:
+			self._cfg.setBaseDir(basedir)
+		else:
+			self._cfg_share_basedir = basedir
 
 	def getBaseDir(self):
-		return self._cfg.getBaseDir()
+		if self._cfg:
+			return self._cfg.getBaseDir()
+		else:
+			return self._cfg_share_basedir
+
+	@property
+	def share_config(self):
+		return self._cfg_share
 
 	def read(self, name, once=True):
 		# shared ?
 		if not self._cfg and self._cfg_share is not None:
 			self._cfg = self._cfg_share.get(name)
 			if not self._cfg:
-				self._cfg = ConfigReaderUnshared(**self._cfg_share_kwargs)
+				self._cfg = ConfigReaderUnshared(share_config=self._cfg_share, **self._cfg_share_kwargs)
+				if self._cfg_share_basedir is not None:
+					self._cfg.setBaseDir(self._cfg_share_basedir)
 				self._cfg_share[name] = self._cfg
 		# performance feature - read once if using shared config reader:
 		rc = self._cfg.read_cfg_files
@@ -73,6 +85,8 @@ class ConfigReader():
 			return rc.get(name)
 
 		# read:
+		if self._cfg_share is not None:
+			logSys.info("Sharing configs for %s under %s ", name, self._cfg.getBaseDir())
 		ret = self._cfg.read(name)
 
 		# save already read:
@@ -105,8 +119,8 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 
 	DEFAULT_BASEDIR = '/etc/fail2ban'
 	
-	def __init__(self, basedir=None):
-		SafeConfigParserWithIncludes.__init__(self)
+	def __init__(self, basedir=None, *args, **kwargs):
+		SafeConfigParserWithIncludes.__init__(self, *args, **kwargs)
 		self.read_cfg_files = dict()
 		self.setBaseDir(basedir)
 	
@@ -123,7 +137,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 			raise ValueError("Base configuration directory %s does not exist "
 							  % self._basedir)
 		basename = os.path.join(self._basedir, filename)
-		logSys.debug("Reading configs for %s under %s " , filename, self._basedir)
+		logSys.info("Reading configs for %s under %s " , filename, self._basedir)
 		config_files = [ basename + ".conf" ]
 
 		# possible further customizations under a .conf.d directory
@@ -140,8 +154,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 		if len(config_files):
 			# at least one config exists and accessible
 			logSys.debug("Reading config files: %s", ', '.join(config_files))
-			config_files_read = SafeConfigParserWithIncludes.read(self, config_files,
-				log_info=("Cache configs for %s under %s " , filename, self._basedir))
+			config_files_read = SafeConfigParserWithIncludes.read(self, config_files)
 			missed = [ cf for cf in config_files if cf not in config_files_read ]
 			if missed:
 				logSys.error("Could not read config files: %s", ', '.join(missed))
diff --git a/fail2ban/client/configurator.py b/fail2ban/client/configurator.py
index a29fe94d..4c0c0428 100644
--- a/fail2ban/client/configurator.py
+++ b/fail2ban/client/configurator.py
@@ -33,11 +33,11 @@ logSys = getLogger(__name__)
 
 class Configurator:
 	
-	def __init__(self, force_enable=False):
+	def __init__(self, force_enable=False, share_config=None):
 		self.__settings = dict()
 		self.__streams = dict()
-		self.__fail2ban = Fail2banReader()
-		self.__jails = JailsReader(force_enable=force_enable)
+		self.__fail2ban = Fail2banReader(share_config=share_config)
+		self.__jails = JailsReader(force_enable=force_enable, share_config=share_config)
 	
 	def setBaseDir(self, folderName):
 		self.__fail2ban.setBaseDir(folderName)
diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
index e4394e59..99891c0f 100644
--- a/fail2ban/client/jailreader.py
+++ b/fail2ban/client/jailreader.py
@@ -41,13 +41,12 @@ class JailReader(ConfigReader):
 	optionExtractRE = re.compile(
 		r'([\w\-_\.]+)=(?:"([^"]*)"|\'([^\']*)\'|([^,]*))(?:,|$)')
 	
-	def __init__(self, name, force_enable=False, cfg_share=None, **kwargs):
+	def __init__(self, name, force_enable=False, **kwargs):
 		# use shared config if possible:
 		ConfigReader.__init__(self, **kwargs)
 		self.__name = name
 		self.__filter = None
 		self.__force_enable = force_enable
-		self.__cfg_share = cfg_share
 		self.__actions = list()
 		self.__opts = None
 	
@@ -113,7 +112,7 @@ class JailReader(ConfigReader):
 				filterName, filterOpt = JailReader.extractOptions(
 					self.__opts["filter"])
 				self.__filter = FilterReader(
-					filterName, self.__name, filterOpt, share_config=self.__cfg_share, basedir=self.getBaseDir())
+					filterName, self.__name, filterOpt, share_config=self.share_config, basedir=self.getBaseDir())
 				ret = self.__filter.read()
 				if ret:
 					self.__filter.getOptions(self.__opts)
@@ -143,7 +142,7 @@ class JailReader(ConfigReader):
 					else:
 						action = ActionReader(
 							actName, self.__name, actOpt,
-							share_config=self.__cfg_share, basedir=self.getBaseDir())
+							share_config=self.share_config, basedir=self.getBaseDir())
 						ret = action.read()
 						if ret:
 							action.getOptions(self.__opts)
diff --git a/fail2ban/client/jailsreader.py b/fail2ban/client/jailsreader.py
index 3bb713f6..7043aa67 100644
--- a/fail2ban/client/jailsreader.py
+++ b/fail2ban/client/jailsreader.py
@@ -43,7 +43,6 @@ class JailsReader(ConfigReader):
 		"""
 		# use shared config if possible:
 		ConfigReader.__init__(self, **kwargs)
-		self.__cfg_share = dict()
 		self.__jails = list()
 		self.__force_enable = force_enable
 
@@ -73,7 +72,7 @@ class JailsReader(ConfigReader):
 			# use the cfg_share for filter/action caching and the same config for all 
 			# jails (use_config=...), therefore don't read it here:
 			jail = JailReader(sec, force_enable=self.__force_enable, 
-				cfg_share=self.__cfg_share, use_config=self._cfg)
+				share_config=self.share_config, use_config=self._cfg)
 			ret = jail.getOptions()
 			if ret:
 				if jail.isEnabled():
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index 0aaa8890..dadbef0f 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -39,8 +39,6 @@ STOCK = os.path.exists(os.path.join('config','fail2ban.conf'))
 
 IMPERFECT_CONFIG = os.path.join(os.path.dirname(__file__), 'config')
 
-LAST_WRITE_TIME = 0
-
 class ConfigReaderTest(unittest.TestCase):
 
 	def setUp(self):
@@ -59,8 +57,7 @@ class ConfigReaderTest(unittest.TestCase):
 			d_ = os.path.join(self.d, d)
 			if not os.path.exists(d_):
 				os.makedirs(d_)
-		fname = "%s/%s" % (self.d, fname)
-		f = open(fname, "w")
+		f = open("%s/%s" % (self.d, fname), "w")
 		if value is not None:
 			f.write("""
 [section]
@@ -69,14 +66,6 @@ option = %s
 		if content is not None:
 			f.write(content)
 		f.close()
-		# set modification time to another second to revalidate cache (if milliseconds not supported) :
-		global LAST_WRITE_TIME
-		mtime = os.path.getmtime(fname)
-		if LAST_WRITE_TIME == mtime:
-			mtime += 1
-			os.utime(fname, (mtime, mtime))
-		LAST_WRITE_TIME = mtime
-		
 
 	def _remove(self, fname):
 		os.unlink("%s/%s" % (self.d, fname))
@@ -102,6 +91,7 @@ option = %s
 			# raise unittest.SkipTest("Skipping on %s -- access rights are not enforced" % platform)
 			pass
 
+
 	def testOptionalDotDDir(self):
 		self.assertFalse(self.c.read('c'))	# nothing is there yet
 		self._write("c.conf", "1")
@@ -347,9 +337,9 @@ class FilterReaderTest(unittest.TestCase):
 
 class JailsReaderTestCache(LogCaptureTestCase):
 
-	def _readWholeConf(self, basedir, force_enable=False):
+	def _readWholeConf(self, basedir, force_enable=False, share_config=None):
 		# read whole configuration like a file2ban-client ...
-		configurator = Configurator(force_enable=force_enable)
+		configurator = Configurator(force_enable=force_enable, share_config=share_config)
 		configurator.setBaseDir(basedir)
 		configurator.readEarly()
 		configurator.getEarlyOptions()
@@ -360,7 +350,7 @@ class JailsReaderTestCache(LogCaptureTestCase):
 	def _getLoggedReadCount(self, filematch):
 		cnt = 0
 		for s in self.getLog().rsplit('\n'):
-			if re.match(r"^Reading files?: .*/"+filematch, s):
+			if re.match(r"^\s*Reading files?: .*/"+filematch, s):
 				cnt += 1
 		return cnt
 
@@ -372,8 +362,11 @@ class JailsReaderTestCache(LogCaptureTestCase):
 			shutil.copy(CONFIG_DIR + '/jail.conf', basedir + '/jail.local')
 			shutil.copy(CONFIG_DIR + '/fail2ban.conf', basedir + '/fail2ban.local')
 
+			# common sharing handle for this test:
+			share_cfg = dict()
+
 			# read whole configuration like a file2ban-client ...
-			self._readWholeConf(basedir)
+			self._readWholeConf(basedir, share_config=share_cfg)
 			# how many times jail.local was read:
 			cnt = self._getLoggedReadCount('jail.local')
 			# if cnt > 1:
@@ -382,7 +375,7 @@ class JailsReaderTestCache(LogCaptureTestCase):
 
 			# read whole configuration like a file2ban-client, again ...
 			# but this time force enable all jails, to check filter and action cached also:
-			self._readWholeConf(basedir, force_enable=True)
+			self._readWholeConf(basedir, force_enable=True, share_config=share_cfg)
 			cnt = self._getLoggedReadCount(r'jail\.local')
 			# still one (no more reads):
 			self.assertTrue(cnt == 1, "Unexpected count by second reading of jail files, cnt = %s" % cnt)

From e0eb4f2358049b4427282aaa2a8ddf65972ed05b Mon Sep 17 00:00:00 2001
From: sebres <info@sebres.de>
Date: Fri, 10 Oct 2014 02:47:42 +0200
Subject: [PATCH 69/82] code review: use the same code (corresponding test
 cases - with sharing on and without it);

---
 fail2ban/client/configparserinc.py | 57 +++++++++++++++---------------
 1 file changed, 29 insertions(+), 28 deletions(-)

diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
index d6ad4e34..196c2ae6 100644
--- a/fail2ban/client/configparserinc.py
+++ b/fail2ban/client/configparserinc.py
@@ -204,39 +204,40 @@ after = 1.conf
 		else:
 			fileNamesFull = filenames
 
+		if not fileNamesFull:
+			return []
+
 		if self._cfg_share is not None:
 			logSys.debug("  Sharing files: %s", fileNamesFull)
-
-			if len(fileNamesFull) > 1:
-				# read multiple configs:
-				ret = []
-				alld = self.get_defaults()
-				alls = self.get_sections()
-				for filename in fileNamesFull:
-					# read single one, add to return list, use sharing if possible:
-					cfg, i = self._getSharedSCPWI(filename)
-					if i:
-						ret += i
-						# merge defaults and all sections to self:
-						alld.update(cfg.get_defaults())
-						for n, s in cfg.get_sections().iteritems():
-							if isinstance(s, dict):
-								s2 = alls.get(n)
-								if isinstance(s2, dict):
-									s2.update(s)
-								else:
-									alls[n] = s.copy()
-							else:
-								alls[n] = s
-
-				return ret
-
-			# read one config :
-			logSys.debug("  Reading file: %s", fileNamesFull[0])
 		else:
-			# don't have sharing - read one or multiple at once:
 			logSys.debug("  Reading files: %s", fileNamesFull)
 
+		if len(fileNamesFull) > 1:
+			# read multiple configs:
+			ret = []
+			alld = self.get_defaults()
+			alls = self.get_sections()
+			for filename in fileNamesFull:
+				# read single one, add to return list, use sharing if possible:
+				cfg, i = self._getSharedSCPWI(filename)
+				if i:
+					ret += i
+					# merge defaults and all sections to self:
+					alld.update(cfg.get_defaults())
+					for n, s in cfg.get_sections().iteritems():
+						if isinstance(s, dict):
+							s2 = alls.get(n)
+							if isinstance(s2, dict):
+								s2.update(s)
+							else:
+								alls[n] = s.copy()
+						else:
+							alls[n] = s
+
+			return ret
+
+		# read one config :
+		logSys.debug("  Reading file: %s", fileNamesFull[0])
 		# read file(s) :
 		if sys.version_info >= (3,2): # pragma: no cover
 			return SafeConfigParser.read(self, fileNamesFull, encoding='utf-8')

From 02a46d0901b99aedfebaae6b2eb6070d97ad4246 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Fri, 10 Oct 2014 12:05:49 +0200
Subject: [PATCH 70/82] code review; more stable config sharing, configurator
 always shares it config readers now;

---
 fail2ban/client/configparserinc.py     | 16 +++----
 fail2ban/client/configreader.py        | 64 +++++++++++++++-----------
 fail2ban/client/configurator.py        |  3 ++
 fail2ban/client/fail2banreader.py      |  1 -
 fail2ban/client/jailreader.py          |  1 -
 fail2ban/client/jailsreader.py         |  1 -
 fail2ban/tests/clientreadertestcase.py |  7 ++-
 7 files changed, 54 insertions(+), 39 deletions(-)

diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
index 196c2ae6..1687f87f 100644
--- a/fail2ban/client/configparserinc.py
+++ b/fail2ban/client/configparserinc.py
@@ -62,6 +62,7 @@ else: # pragma: no cover
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
+logLevel = 7
 
 __all__ = ['SafeConfigParserWithIncludes']
 
@@ -126,8 +127,8 @@ after = 1.conf
 				cfg = SCPWI(share_config=self._cfg_share)
 				i = cfg.read(filename, get_includes=False)
 				self._cfg_share[hashv] = (cfg, i)
-			else:
-				logSys.debug("    Shared file: %s", filename)
+			elif logSys.getEffectiveLevel() <= logLevel:
+				logSys.log(logLevel, "    Shared file: %s", filename)
 		else:
 			# don't have sharing:
 			cfg = SCPWI()
@@ -207,10 +208,9 @@ after = 1.conf
 		if not fileNamesFull:
 			return []
 
-		if self._cfg_share is not None:
-			logSys.debug("  Sharing files: %s", fileNamesFull)
-		else:
-			logSys.debug("  Reading files: %s", fileNamesFull)
+		if logSys.getEffectiveLevel() <= logLevel:
+			logSys.log(logLevel, ("  Sharing files: %s" if self._cfg_share is not None else \
+			                       "  Reading files: %s"), fileNamesFull)
 
 		if len(fileNamesFull) > 1:
 			# read multiple configs:
@@ -237,10 +237,10 @@ after = 1.conf
 			return ret
 
 		# read one config :
-		logSys.debug("  Reading file: %s", fileNamesFull[0])
+		if logSys.getEffectiveLevel() <= logLevel:
+			logSys.log(logLevel, "  Reading file: %s", fileNamesFull[0])
 		# read file(s) :
 		if sys.version_info >= (3,2): # pragma: no cover
 			return SafeConfigParser.read(self, fileNamesFull, encoding='utf-8')
 		else:
 			return SafeConfigParser.read(self, fileNamesFull)
-
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index 657800fa..bd2e5f0c 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -27,12 +27,11 @@ __license__ = "GPL"
 import glob, os
 from ConfigParser import NoOptionError, NoSectionError
 
-from .configparserinc import SafeConfigParserWithIncludes
+from .configparserinc import SafeConfigParserWithIncludes, logLevel
 from ..helpers import getLogger
 
 # Gets the instance of the logger.
 logSys = getLogger(__name__)
-_logLevel = 6
 
 class ConfigReader():
 	"""Generic config reader class.
@@ -72,6 +71,22 @@ class ConfigReader():
 
 	def read(self, name, once=True):
 		# shared ?
+		if not self._cfg:
+			self.touch(name)
+		# performance feature - read once if using shared config reader:
+		if once and self._cfg.read_cfg_files is not None:
+			return self._cfg.read_cfg_files
+
+		# read:
+		if self._cfg_share is not None:
+			logSys.info("Sharing configs for %s under %s ", name, self._cfg.getBaseDir())
+		ret = self._cfg.read(name)
+
+		# save already read and return:
+		self._cfg.read_cfg_files = ret
+		return ret
+
+	def touch(self, name = ''):
 		if not self._cfg and self._cfg_share is not None:
 			self._cfg = self._cfg_share.get(name)
 			if not self._cfg:
@@ -79,36 +94,33 @@ class ConfigReader():
 				if self._cfg_share_basedir is not None:
 					self._cfg.setBaseDir(self._cfg_share_basedir)
 				self._cfg_share[name] = self._cfg
-		# performance feature - read once if using shared config reader:
-		rc = self._cfg.read_cfg_files
-		if once and rc.get(name) is not None:
-			return rc.get(name)
-
-		# read:
-		if self._cfg_share is not None:
-			logSys.info("Sharing configs for %s under %s ", name, self._cfg.getBaseDir())
-		ret = self._cfg.read(name)
-
-		# save already read:
-		if once:
-			rc[name] = ret
-		return ret
+		else:
+			self._cfg = ConfigReaderUnshared(**self._cfg_share_kwargs)
 
 	def sections(self):
-		return self._cfg.sections()
+		if self._cfg is not None:
+			return self._cfg.sections()
+		return []
 
 	def has_section(self, sec):
-		return self._cfg.has_section(sec)
+		if self._cfg is not None:
+			return self._cfg.has_section(sec)
+		return False
 
 	def options(self, *args):
-		return self._cfg.options(*args)
+		if self._cfg is not None:
+			return self._cfg.options(*args)
+		return {}
 
 	def get(self, sec, opt):
-		return self._cfg.get(sec, opt)
+		if self._cfg is not None:
+			return self._cfg.get(sec, opt)
+		return None
 
 	def getOptions(self, *args, **kwargs):
-		return self._cfg.getOptions(*args, **kwargs)
-
+		if self._cfg is not None:
+			return self._cfg.getOptions(*args, **kwargs)
+		return {}
 
 class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 	"""Unshared config reader (previously ConfigReader).
@@ -121,7 +133,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 	
 	def __init__(self, basedir=None, *args, **kwargs):
 		SafeConfigParserWithIncludes.__init__(self, *args, **kwargs)
-		self.read_cfg_files = dict()
+		self.read_cfg_files = None
 		self.setBaseDir(basedir)
 	
 	def setBaseDir(self, basedir):
@@ -137,7 +149,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 			raise ValueError("Base configuration directory %s does not exist "
 							  % self._basedir)
 		basename = os.path.join(self._basedir, filename)
-		logSys.info("Reading configs for %s under %s " , filename, self._basedir)
+		logSys.debug("Reading configs for %s under %s " , filename, self._basedir)
 		config_files = [ basename + ".conf" ]
 
 		# possible further customizations under a .conf.d directory
@@ -203,8 +215,8 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 					logSys.warning("'%s' not defined in '%s'. Using default one: %r"
 								% (option[1], sec, option[2]))
 					values[option[1]] = option[2]
-				elif logSys.getEffectiveLevel() <= _logLevel:
-					logSys.log(_logLevel, "Non essential option '%s' not defined in '%s'.", option[1], sec)
+				elif logSys.getEffectiveLevel() <= logLevel:
+					logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", option[1], sec)
 			except ValueError:
 				logSys.warning("Wrong value for '" + option[1] + "' in '" + sec +
 							"'. Using default one: '" + `option[2]` + "'")
diff --git a/fail2ban/client/configurator.py b/fail2ban/client/configurator.py
index 4c0c0428..b3ddc5d0 100644
--- a/fail2ban/client/configurator.py
+++ b/fail2ban/client/configurator.py
@@ -36,6 +36,9 @@ class Configurator:
 	def __init__(self, force_enable=False, share_config=None):
 		self.__settings = dict()
 		self.__streams = dict()
+		# always share all config readers:
+		if share_config is None:
+			share_config = dict()
 		self.__fail2ban = Fail2banReader(share_config=share_config)
 		self.__jails = JailsReader(force_enable=force_enable, share_config=share_config)
 	
diff --git a/fail2ban/client/fail2banreader.py b/fail2ban/client/fail2banreader.py
index 4d46c156..361a5e54 100644
--- a/fail2ban/client/fail2banreader.py
+++ b/fail2ban/client/fail2banreader.py
@@ -33,7 +33,6 @@ logSys = getLogger(__name__)
 class Fail2banReader(ConfigReader):
 	
 	def __init__(self, **kwargs):
-		self.__opts = None
 		ConfigReader.__init__(self, **kwargs)
 	
 	def read(self):
diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
index 99891c0f..ffdc5e26 100644
--- a/fail2ban/client/jailreader.py
+++ b/fail2ban/client/jailreader.py
@@ -42,7 +42,6 @@ class JailReader(ConfigReader):
 		r'([\w\-_\.]+)=(?:"([^"]*)"|\'([^\']*)\'|([^,]*))(?:,|$)')
 	
 	def __init__(self, name, force_enable=False, **kwargs):
-		# use shared config if possible:
 		ConfigReader.__init__(self, **kwargs)
 		self.__name = name
 		self.__filter = None
diff --git a/fail2ban/client/jailsreader.py b/fail2ban/client/jailsreader.py
index 7043aa67..40255ce7 100644
--- a/fail2ban/client/jailsreader.py
+++ b/fail2ban/client/jailsreader.py
@@ -41,7 +41,6 @@ class JailsReader(ConfigReader):
 		  Passed to JailReader to force enable the jails.
 		  It is for internal use
 		"""
-		# use shared config if possible:
 		ConfigReader.__init__(self, **kwargs)
 		self.__jails = list()
 		self.__force_enable = force_enable
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index dadbef0f..e4dc2189 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -21,9 +21,9 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import os, glob, shutil, tempfile, unittest, re
-
+import os, glob, shutil, tempfile, unittest, re, logging
 from ..client.configreader import ConfigReaderUnshared
+from ..client import configparserinc
 from ..client.jailreader import JailReader
 from ..client.filterreader import FilterReader
 from ..client.jailsreader import JailsReader
@@ -355,6 +355,8 @@ class JailsReaderTestCache(LogCaptureTestCase):
 		return cnt
 
 	def testTestJailConfCache(self):
+		saved_ll = configparserinc.logLevel
+		configparserinc.logLevel = logging.DEBUG
 		basedir = tempfile.mkdtemp("fail2ban_conf")
 		try:
 			shutil.rmtree(basedir)
@@ -388,6 +390,7 @@ class JailsReaderTestCache(LogCaptureTestCase):
 			self.assertTrue(cnt == 1, "Unexpected count by reading of action files, cnt = %s" % cnt)
 		finally:
 			shutil.rmtree(basedir)
+			configparserinc.logLevel = saved_ll
 
 
 class JailsReaderTest(LogCaptureTestCase):

From 95bdcdecaaa0419785614c22afc57165fcbb29dc Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Fri, 10 Oct 2014 16:49:08 +0200
Subject: [PATCH 71/82] cache-config-read-v2 merged; logging normalized, set
 log level for loading (read or use shared) file(s) to INFO; prevent to read
 some files twice by read inside "_getIncludes" and by "read" self (occurred
 by only one file);

---
 fail2ban/client/configparserinc.py | 10 ++++------
 fail2ban/client/configreader.py    |  5 ++---
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
index 1687f87f..d819281b 100644
--- a/fail2ban/client/configparserinc.py
+++ b/fail2ban/client/configparserinc.py
@@ -195,7 +195,7 @@ after = 1.conf
 	def get_sections(self):
 		return self._sections
 
-	def read(self, filenames, get_includes=True, log_info=None):
+	def read(self, filenames, get_includes=True):
 		if not isinstance(filenames, list):
 			filenames = [ filenames ]
 		# retrieve (and cache) includes:
@@ -208,11 +208,9 @@ after = 1.conf
 		if not fileNamesFull:
 			return []
 
-		if logSys.getEffectiveLevel() <= logLevel:
-			logSys.log(logLevel, ("  Sharing files: %s" if self._cfg_share is not None else \
-			                       "  Reading files: %s"), fileNamesFull)
+		logSys.info("  Loading files: %s", fileNamesFull)
 
-		if len(fileNamesFull) > 1:
+		if get_includes or len(fileNamesFull) > 1:
 			# read multiple configs:
 			ret = []
 			alld = self.get_defaults()
@@ -238,7 +236,7 @@ after = 1.conf
 
 		# read one config :
 		if logSys.getEffectiveLevel() <= logLevel:
-			logSys.log(logLevel, "  Reading file: %s", fileNamesFull[0])
+			logSys.log(logLevel, "    Reading file: %s", fileNamesFull[0])
 		# read file(s) :
 		if sys.version_info >= (3,2): # pragma: no cover
 			return SafeConfigParser.read(self, fileNamesFull, encoding='utf-8')
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index bd2e5f0c..9e3bf90f 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -77,9 +77,8 @@ class ConfigReader():
 		if once and self._cfg.read_cfg_files is not None:
 			return self._cfg.read_cfg_files
 
-		# read:
-		if self._cfg_share is not None:
-			logSys.info("Sharing configs for %s under %s ", name, self._cfg.getBaseDir())
+		# load:
+		logSys.info("Loading configs for %s under %s ", name, self._cfg.getBaseDir())
 		ret = self._cfg.read(name)
 
 		# save already read and return:

From 7f5d4aa7a6c5acc5f29893e9d0f5b4c78e5c4053 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Fri, 10 Oct 2014 16:59:40 +0200
Subject: [PATCH 72/82] normalize tabs/spaces in docstrings;

---
 fail2ban/client/configreader.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index 9e3bf90f..ea86a36f 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -36,8 +36,8 @@ logSys = getLogger(__name__)
 class ConfigReader():
 	"""Generic config reader class.
 
-  A caching adapter which automatically reuses already shared configuration.
-			 """
+	A caching adapter which automatically reuses already shared configuration.
+	"""
 
 	def __init__(self, use_config=None, share_config=None, **kwargs):
 		# use given shared config if possible (see read):
@@ -126,7 +126,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 
 	Does not use this class (internal not shared/cached represenation).
 	Use ConfigReader instead.
-			 """
+	"""
 
 	DEFAULT_BASEDIR = '/etc/fail2ban'
 	
@@ -224,12 +224,12 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 
 class DefinitionInitConfigReader(ConfigReader):
 	"""Config reader for files with options grouped in [Definition] and
-       [Init] sections.
+	[Init] sections.
 
-       Is a base class for readers of filters and actions, where definitions
-       in jails might provide custom values for options defined in [Init]
-       section.
-       """
+	Is a base class for readers of filters and actions, where definitions
+	in jails might provide custom values for options defined in [Init]
+	section.
+	"""
 
 	_configOpts = []
 	

From 73a06d55a8ed5996e959952a616c9d9a8b209dc7 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Fri, 10 Oct 2014 18:50:24 +0200
Subject: [PATCH 73/82] reset share/cache storage (if we use 'reload' in client
 with interactive mode)

---
 bin/fail2ban-client             | 1 +
 fail2ban/client/configurator.py | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/bin/fail2ban-client b/bin/fail2ban-client
index 89e0a903..0c6999c1 100755
--- a/bin/fail2ban-client
+++ b/bin/fail2ban-client
@@ -409,6 +409,7 @@ class Fail2banClient:
 		# TODO: get away from stew of return codes and exception
 		# handling -- handle via exceptions
 		try:
+			self.__configurator.Reload()
 			self.__configurator.readAll()
 			ret = self.__configurator.getOptions(jail)
 			self.__configurator.convertToProtocol()
diff --git a/fail2ban/client/configurator.py b/fail2ban/client/configurator.py
index b3ddc5d0..8667501c 100644
--- a/fail2ban/client/configurator.py
+++ b/fail2ban/client/configurator.py
@@ -39,9 +39,14 @@ class Configurator:
 		# always share all config readers:
 		if share_config is None:
 			share_config = dict()
+		self.__share_config = share_config
 		self.__fail2ban = Fail2banReader(share_config=share_config)
 		self.__jails = JailsReader(force_enable=force_enable, share_config=share_config)
-	
+
+	def Reload(self):
+		# clear all shared handlers:
+		self.__share_config.clear()
+
 	def setBaseDir(self, folderName):
 		self.__fail2ban.setBaseDir(folderName)
 		self.__jails.setBaseDir(folderName)

From 7d3e6e9935a22de7c7225576e649ed8592d65e55 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Fri, 10 Oct 2014 20:06:58 +0200
Subject: [PATCH 74/82] code review, change log entries added;

---
 ChangeLog                       |  6 ++++++
 fail2ban/client/configreader.py | 18 ++++++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d92aec4a..0515823a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,8 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
      provides defaults for the chain, port, protocol and name tags
 
 - Fixes:
+   * start of file2ban aborted (on slow hosts, systemd considers the server has been 
+     timed out and kills him), see gh-824
    * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
    * systemd backend error on bad utf-8 in python3
    * badips.py action error when logging HTTP error raised with badips request
@@ -64,6 +66,10 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
    - Added Cloudflare API action
 
 - Enhancements
+   * Start performance of fail2ban-client (and tests) increased, start time
+     and cpu usage rapidly reduced. Introduced a shared storage logic, to bypass
+     reading lots of config files (see gh-824).
+     Thanks to Joost Molenaar for good catch (reported gh-820).
    * Fail2ban-regex - add print-all-matched option. Closes gh-652
    * Suppress fail2ban-client warnings for non-critical config options
    * Match non "Bye Bye" disconnect messages for sshd locked account regex
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index ea86a36f..82bf0fdc 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -70,7 +70,12 @@ class ConfigReader():
 		return self._cfg_share
 
 	def read(self, name, once=True):
-		# shared ?
+		""" Overloads a default (not shared) read of config reader.
+
+	  To prevent mutiple reads of config files with it includes, reads into 
+	  the config reader, if it was not yet cached/shared by 'name'.
+	  """
+		# already shared ?
 		if not self._cfg:
 			self.touch(name)
 		# performance feature - read once if using shared config reader:
@@ -85,7 +90,12 @@ class ConfigReader():
 		self._cfg.read_cfg_files = ret
 		return ret
 
-	def touch(self, name = ''):
+	def touch(self, name=''):
+		""" Allocates and share a config file by it name.
+
+	  Automatically allocates unshared or reuses shared handle by given 'name' and 
+	  init arguments inside a given shared storage.
+	  """
 		if not self._cfg and self._cfg_share is not None:
 			self._cfg = self._cfg_share.get(name)
 			if not self._cfg:
@@ -124,7 +134,7 @@ class ConfigReader():
 class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 	"""Unshared config reader (previously ConfigReader).
 
-	Does not use this class (internal not shared/cached represenation).
+	Do not use this class (internal not shared/cached represenation).
 	Use ConfigReader instead.
 	"""
 
@@ -191,7 +201,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 	# 1 -> the name of the option
 	# 2 -> the default value for the option
 	
-	def getOptions(self, sec, options, pOptions = None):
+	def getOptions(self, sec, options, pOptions=None):
 		values = dict()
 		for option in options:
 			try:

From 86a5f42f736ffe2b776deff6c76d9a78dd70312c Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 Oct 2014 16:40:29 -0400
Subject: [PATCH 75/82] BF: made tests util digest.py friendly to python3

---
 .../tests/files/config/apache-auth/digest.py  | 43 +++++++++++--------
 1 file changed, 25 insertions(+), 18 deletions(-)

diff --git a/fail2ban/tests/files/config/apache-auth/digest.py b/fail2ban/tests/files/config/apache-auth/digest.py
index baac36d2..9906c652 100755
--- a/fail2ban/tests/files/config/apache-auth/digest.py
+++ b/fail2ban/tests/files/config/apache-auth/digest.py
@@ -1,14 +1,21 @@
 #!/bin/env python
 import requests
-import md5
 
+try:
+    import hashlib
+    md5sum = hashlib.md5
+except ImportError: # pragma: no cover
+    # hashlib was introduced in Python 2.5.  For compatibility with those
+    # elderly Pythons, import from md5
+    import md5
+    md5sum = md5.new
 
 def auth(v):
 
-    ha1 = md5.new(username + ':' + realm + ':' + password).hexdigest()
-    ha2 = md5.new("GET:" + url).hexdigest()
+    ha1 = md5sum(username + ':' + realm + ':' + password).hexdigest()
+    ha2 = md5sum("GET:" + url).hexdigest()
     
-    #response = md5.new(ha1 + ':' + v['nonce'][1:-1] + ':' + v['nc'] + ':' + v['cnonce'][1:-1]
+    #response = md5sum(ha1 + ':' + v['nonce'][1:-1] + ':' + v['nc'] + ':' + v['cnonce'][1:-1]
     #                  + ':' + v['qop'][1:-1] + ':' + ha2).hexdigest()
     
     nonce = v['nonce'][1:-1]
@@ -17,7 +24,7 @@ def auth(v):
     #opaque = v.get('opaque') or ''
     qop = v['qop'][1:-1]
     algorithm = v['algorithm']
-    response = md5.new(ha1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + ha2).hexdigest()
+    response = md5sum(ha1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + ha2).hexdigest()
     
     p = requests.Request('GET', host + url).prepare()
     #p.headers['Authentication-Info'] = response 
@@ -33,13 +40,13 @@ def auth(v):
         response="%s"
     """ % ( username, algorithm, realm, url, nonce, qop, response )
 #        opaque="%s",
-    print p.method, p.url, p.headers
+    print(p.method, p.url, p.headers)
     s =  requests.Session()
     return s.send(p)
 
 def preauth():
     r = requests.get(host + url)
-    print r
+    print(r)
     r.headers['www-authenticate'].split(', ')
     return dict([ a.split('=',1) for a in r.headers['www-authenticate'].split(', ') ])
 
@@ -51,7 +58,7 @@ v = preauth()
 
 username="username"
 password = "password"
-print v
+print(v)
 
 realm = 'so far away'
 r = auth(v)
@@ -67,18 +74,18 @@ r = auth(v)
 
 # [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
 
-print r.status_code,r.headers, r.text
+print(r.status_code,r.headers, r.text)
 v['algorithm'] = algorithm
 
 
 r = auth(v)
-print r.status_code,r.headers, r.text
+print(r.status_code,r.headers, r.text)
 
 nonce = v['nonce']
 v['nonce']=v['nonce'][5:-5]
 
 r = auth(v)
-print r.status_code,r.headers, r.text
+print(r.status_code,r.headers, r.text)
 
 # [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
 
@@ -86,7 +93,7 @@ print r.status_code,r.headers, r.text
 v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
 
 r = auth(v)
-print r.status_code,r.headers, r.text
+print(r.status_code,r.headers, r.text)
 
 #[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
 
@@ -98,7 +105,7 @@ import time
 time.sleep(1)
 
 r = auth(v)
-print r.status_code,r.headers, r.text
+print(r.status_code,r.headers, r.text)
 
 # Obtained by putting the following code in modules/aaa/mod_auth_digest.c
 # in the function initialize_secret
@@ -128,7 +135,7 @@ s = sha.sha(apachesecret)
 
 v=preauth()
 
-print v['nonce']
+print(v['nonce'])
 realm = v['Digest realm'][1:-1]
 
 (t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
@@ -143,17 +150,17 @@ s.update(timepac)
 
 v['nonce'] =  v['nonce'][0] + timepac + s.hexdigest() + v['nonce'][-1]
 
-print v
+print(v)
 
 r = auth(v)
 #[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
-print r.status_code,r.headers, r.text
+print(r.status_code,r.headers, r.text)
 
 url='/digest_onetime/'
 v=preauth()
 
 # Need opaque header handling in auth
 r = auth(v)
-print r.status_code,r.headers, r.text
+print(r.status_code,r.headers, r.text)
 r = auth(v)
-print r.status_code,r.headers, r.text
+print(r.status_code,r.headers, r.text)

From 5ac496d0309c0901fef00efdea39fa1eec40b4f4 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sun, 12 Oct 2014 17:28:35 -0400
Subject: [PATCH 76/82] We better check that installation doesn't cause any
 errors as well

---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 9a92a7f6..bd2d294c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,6 +16,8 @@ install:
   - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd ..; pip install -q coveralls; cd -; fi
 script:
   - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc setup.py test; else python setup.py test; fi
+# test installation
+  - sudo python setup.py install
 after_success:
 # Coverage config file must be .coveragerc for coveralls
   - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cp -v .travis_coveragerc .coveragerc; fi

From e2f49b7334c20f01ddc3f88a1a4fc50799d7775b Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 23 Oct 2014 14:34:17 -0400
Subject: [PATCH 77/82] DOC: very minor (tabs/spaces)

---
 ChangeLog | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 0515823a..ad92a55e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,8 +16,8 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
      provides defaults for the chain, port, protocol and name tags
 
 - Fixes:
-   * start of file2ban aborted (on slow hosts, systemd considers the server has been 
-     timed out and kills him), see gh-824
+   * start of file2ban aborted (on slow hosts, systemd considers the server has
+     been timed out and kills him), see gh-824
    * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
    * systemd backend error on bad utf-8 in python3
    * badips.py action error when logging HTTP error raised with badips request
@@ -67,8 +67,8 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 
 - Enhancements
    * Start performance of fail2ban-client (and tests) increased, start time
-     and cpu usage rapidly reduced. Introduced a shared storage logic, to bypass
-     reading lots of config files (see gh-824).
+     and cpu usage rapidly reduced. Introduced a shared storage logic, to
+     bypass reading lots of config files (see gh-824).
      Thanks to Joost Molenaar for good catch (reported gh-820).
    * Fail2ban-regex - add print-all-matched option. Closes gh-652
    * Suppress fail2ban-client warnings for non-critical config options

From d4015d6566e15a005ad6fd6cdfb2c477bce5e946 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Thu, 23 Oct 2014 14:51:51 -0400
Subject: [PATCH 78/82] ENH:  remove obsolete code for python < 2.6 (we support
 >= 2.6)

---
 fail2ban/server/asyncserver.py    | 8 ++------
 fail2ban/tests/samplestestcase.py | 6 +-----
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py
index 14673a99..6e71da77 100644
--- a/fail2ban/server/asyncserver.py
+++ b/fail2ban/server/asyncserver.py
@@ -149,12 +149,8 @@ class AsyncServer(asyncore.dispatcher):
 		self.__init = True
 		# TODO Add try..catch
 		# There's a bug report for Python 2.6/3.0 that use_poll=True yields some 2.5 incompatibilities:
-		if sys.version_info >= (2, 6): # if python 2.6 or greater...
-			logSys.debug("Detected Python 2.6 or greater. asyncore.loop() not using poll")
-			asyncore.loop(use_poll = False) # fixes the "Unexpected communication problem" issue on Python 2.6 and 3.0
-		else: # pragma: no cover
-			logSys.debug("NOT Python 2.6/3.* - asyncore.loop() using poll")
-			asyncore.loop(use_poll = True)
+		logSys.debug("Detected Python 2.6 or greater. asyncore.loop() not using poll")
+		asyncore.loop(use_poll=False) # fixes the "Unexpected communication problem" issue on Python 2.6 and 3.0
 	
 	##
 	# Stops the communication server.
diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py
index e0831184..2c18a504 100644
--- a/fail2ban/tests/samplestestcase.py
+++ b/fail2ban/tests/samplestestcase.py
@@ -24,11 +24,7 @@ __license__ = "GPL"
 
 import unittest, sys, os, fileinput, re, time, datetime, inspect
 
-if sys.version_info >= (2, 6):
-	import json
-else:
-	import simplejson as json
-	next = lambda x: x.next()
+import json
 
 from ..server.filter import Filter
 from ..client.filterreader import FilterReader

From caa6006a3179513962f960d57a8fca9e6199951b Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sat, 25 Oct 2014 09:25:18 -0400
Subject: [PATCH 79/82] ENH: do use @staticmethod (we are well beyond support
 of 2.4 now)

---
 bin/fail2ban-client            |  3 +--
 fail2ban/client/csocket.py     |  3 +--
 fail2ban/client/jailreader.py  |  3 +--
 fail2ban/server/asyncserver.py |  3 +--
 fail2ban/server/banmanager.py  |  3 +--
 fail2ban/server/filter.py      | 21 +++++++--------------
 fail2ban/server/mytime.py      | 14 +++++---------
 7 files changed, 17 insertions(+), 33 deletions(-)

diff --git a/bin/fail2ban-client b/bin/fail2ban-client
index 0c6999c1..866a5287 100755
--- a/bin/fail2ban-client
+++ b/bin/fail2ban-client
@@ -419,12 +419,11 @@ class Fail2banClient:
 			ret = False
 		return ret
 
-	#@staticmethod
+	@staticmethod
 	def dumpConfig(cmd):
 		for c in cmd:
 			print c
 		return True
-	dumpConfig = staticmethod(dumpConfig)
 
 
 class ServerExecutionException(Exception):
diff --git a/fail2ban/client/csocket.py b/fail2ban/client/csocket.py
index 1d522f6c..921b0de5 100644
--- a/fail2ban/client/csocket.py
+++ b/fail2ban/client/csocket.py
@@ -57,7 +57,7 @@ class CSocket:
 		self.__csock.close()
 		return ret
 	
-	#@staticmethod
+	@staticmethod
 	def receive(sock):
 		msg = EMPTY_BYTES
 		while msg.rfind(CSocket.END_STRING) == -1:
@@ -66,4 +66,3 @@ class CSocket:
 				raise RuntimeError, "socket connection broken"
 			msg = msg + chunk
 		return loads(msg)
-	receive = staticmethod(receive)
diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
index ffdc5e26..84cc5e2a 100644
--- a/fail2ban/client/jailreader.py
+++ b/fail2ban/client/jailreader.py
@@ -220,7 +220,7 @@ class JailReader(ConfigReader):
 		stream.insert(0, ["add", self.__name, backend])
 		return stream
 	
-	#@staticmethod
+	@staticmethod
 	def extractOptions(option):
 		match = JailReader.optionCRE.match(option)
 		if not match:
@@ -235,4 +235,3 @@ class JailReader(ConfigReader):
 					val for val in optmatch.group(2,3,4) if val is not None][0]
 				option_opts[opt.strip()] = value.strip()
 		return option_name, option_opts
-	extractOptions = staticmethod(extractOptions)
diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py
index 6e71da77..a54d41a1 100644
--- a/fail2ban/server/asyncserver.py
+++ b/fail2ban/server/asyncserver.py
@@ -171,12 +171,11 @@ class AsyncServer(asyncore.dispatcher):
 
 	# @param sock: socket file.
 	
-	#@staticmethod
+	@staticmethod
 	def __markCloseOnExec(sock):
 		fd = sock.fileno()
 		flags = fcntl.fcntl(fd, fcntl.F_GETFD)
 		fcntl.fcntl(fd, fcntl.F_SETFD, flags|fcntl.FD_CLOEXEC)
-	__markCloseOnExec = staticmethod(__markCloseOnExec)
 
 ##
 # AsyncServerException is used to wrap communication exceptions.
diff --git a/fail2ban/server/banmanager.py b/fail2ban/server/banmanager.py
index b24fa9e5..c21cad45 100644
--- a/fail2ban/server/banmanager.py
+++ b/fail2ban/server/banmanager.py
@@ -126,7 +126,7 @@ class BanManager:
 	# @param ticket the FailTicket
 	# @return a BanTicket
 	
-	#@staticmethod
+	@staticmethod
 	def createBanTicket(ticket):
 		ip = ticket.getIP()
 		#lastTime = ticket.getTime()
@@ -134,7 +134,6 @@ class BanManager:
 		banTicket = BanTicket(ip, lastTime, ticket.getMatches())
 		banTicket.setAttempt(ticket.getAttempt())
 		return banTicket
-	createBanTicket = staticmethod(createBanTicket)
 	
 	##
 	# Add a ban ticket.
diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
index d1c9d2ad..c886bf35 100644
--- a/fail2ban/server/filter.py
+++ b/fail2ban/server/filter.py
@@ -838,7 +838,7 @@ class DNSUtils:
 
 	IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
 
-	#@staticmethod
+	@staticmethod
 	def dnsToIp(dns):
 		""" Convert a DNS into an IP address using the Python socket module.
 			Thanks to Kevin Drapel.
@@ -853,9 +853,8 @@ class DNSUtils:
 			logSys.warning("Socket error raised trying to resolve hostname %s: %s"
 						% (dns, e))
 			return list()
-	dnsToIp = staticmethod(dnsToIp)
 
-	#@staticmethod
+	@staticmethod
 	def searchIP(text):
 		""" Search if an IP address if directly available and return
 			it.
@@ -865,9 +864,8 @@ class DNSUtils:
 			return match
 		else:
 			return None
-	searchIP = staticmethod(searchIP)
 
-	#@staticmethod
+	@staticmethod
 	def isValidIP(string):
 		""" Return true if str is a valid IP
 		"""
@@ -877,9 +875,8 @@ class DNSUtils:
 			return True
 		except socket.error:
 			return False
-	isValidIP = staticmethod(isValidIP)
 
-	#@staticmethod
+	@staticmethod
 	def textToIp(text, useDns):
 		""" Return the IP of DNS found in a given text.
 		"""
@@ -901,9 +898,8 @@ class DNSUtils:
 					text, ipList)
 
 		return ipList
-	textToIp = staticmethod(textToIp)
 
-	#@staticmethod
+	@staticmethod
 	def cidr(i, n):
 		""" Convert an IP address string with a CIDR mask into a 32-bit
 			integer.
@@ -911,18 +907,15 @@ class DNSUtils:
 		# 32-bit IPv4 address mask
 		MASK = 0xFFFFFFFFL
 		return ~(MASK >> n) & MASK & DNSUtils.addr2bin(i)
-	cidr = staticmethod(cidr)
 
-	#@staticmethod
+	@staticmethod
 	def addr2bin(string):
 		""" Convert a string IPv4 address into an unsigned integer.
 		"""
 		return struct.unpack("!L", socket.inet_aton(string))[0]
-	addr2bin = staticmethod(addr2bin)
 
-	#@staticmethod
+	@staticmethod
 	def bin2addr(addr):
 		""" Convert a numeric IPv4 address into string n.n.n.n form.
 		"""
 		return socket.inet_ntoa(struct.pack("!L", addr))
-	bin2addr = staticmethod(bin2addr)
diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py
index 96c7f8ab..a27f575b 100644
--- a/fail2ban/server/mytime.py
+++ b/fail2ban/server/mytime.py
@@ -43,48 +43,44 @@ class MyTime:
 	#
 	# @param t the time to set or None
 	
-	#@staticmethod
+	@staticmethod
 	def setTime(t):
 		MyTime.myTime = t
-	setTime = staticmethod(setTime)
 	
 	##
 	# Equivalent to time.time()
 	#
 	# @return time.time() if setTime was called with None
 	
-	#@staticmethod
+	@staticmethod
 	def time():
 		if MyTime.myTime is None:
 			return time.time()
 		else:
 			return MyTime.myTime
-	time = staticmethod(time)
 	
 	##
 	# Equivalent to time.gmtime()
 	#
 	# @return time.gmtime() if setTime was called with None
 	
-	#@staticmethod
+	@staticmethod
 	def gmtime():
 		if MyTime.myTime is None:
 			return time.gmtime()
 		else:
 			return time.gmtime(MyTime.myTime)
-	gmtime = staticmethod(gmtime)
 
-	#@staticmethod
+	@staticmethod
 	def now():
 		if MyTime.myTime is None:
 			return datetime.datetime.now()
 		else:
 			return datetime.datetime.fromtimestamp(MyTime.myTime)
-	now = staticmethod(now)
 
+	@staticmethod
 	def localtime(x=None):
 		if MyTime.myTime is None or x is not None:
 			return time.localtime(x)
 		else:
 			return time.localtime(MyTime.myTime)
-	localtime = staticmethod(localtime)

From e1a5decc00a49bf24702b02de9f5ece81a1b84b9 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <debian@onerussian.com>
Date: Sat, 25 Oct 2014 09:34:37 -0400
Subject: [PATCH 80/82] DOC: adjust docs in mytime to place docs into
 docstrings

---
 fail2ban/server/mytime.py | 62 +++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 26 deletions(-)

diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py
index a27f575b..f284379e 100644
--- a/fail2ban/server/mytime.py
+++ b/fail2ban/server/mytime.py
@@ -26,46 +26,48 @@ import time, datetime
 ##
 # MyTime class.
 #
-# This class is a wrapper around time.time()  and time.gmtime(). When
-# performing unit test, it is very useful to get a fixed value from these
-# functions.
-# Thus, time.time() and time.gmtime() should never be called directly.
-# This wrapper should be called instead. The API are equivalent.
 
 class MyTime:
-	
+	"""A wrapper around time module primarily for testing purposes
+
+	This class is a wrapper around time.time()  and time.gmtime(). When
+	performing unit test, it is very useful to get a fixed value from
+	these functions.  Thus, time.time() and time.gmtime() should never
+	be called directly.  This wrapper should be called instead. The API
+	are equivalent.
+	"""
+
 	myTime = None
-	
-	##
-	# Sets the current time.
-	#
-	# Use None in order to always get the real current time.
-	#
-	# @param t the time to set or None
-	
+
 	@staticmethod
 	def setTime(t):
+		"""Set current time.
+
+		Use None in order to always get the real current time.
+
+		@param t the time to set or None
+		"""
+
 		MyTime.myTime = t
-	
-	##
-	# Equivalent to time.time()
-	#
-	# @return time.time() if setTime was called with None
-	
+
 	@staticmethod
 	def time():
+		"""Decorate time.time() for the purpose of testing mocking
+
+		@return time.time() if setTime was called with None
+		"""
+
 		if MyTime.myTime is None:
 			return time.time()
 		else:
 			return MyTime.myTime
-	
-	##
-	# Equivalent to time.gmtime()
-	#
-	# @return time.gmtime() if setTime was called with None
-	
+
 	@staticmethod
 	def gmtime():
+		"""Decorate time.gmtime() for the purpose of testing mocking
+
+		@return time.gmtime() if setTime was called with None
+		"""
 		if MyTime.myTime is None:
 			return time.gmtime()
 		else:
@@ -73,6 +75,10 @@ class MyTime:
 
 	@staticmethod
 	def now():
+		"""Decorate datetime.now() for the purpose of testing mocking
+
+		@return datetime.now() if setTime was called with None
+		"""
 		if MyTime.myTime is None:
 			return datetime.datetime.now()
 		else:
@@ -80,6 +86,10 @@ class MyTime:
 
 	@staticmethod
 	def localtime(x=None):
+		"""Decorate time.localtime() for the purpose of testing mocking
+
+		@return time.localtime() if setTime was called with None
+		"""
 		if MyTime.myTime is None or x is not None:
 			return time.localtime(x)
 		else:

From 6293e448895cc342ef83f005a92f304a5d783c3d Mon Sep 17 00:00:00 2001
From: Florian Pelgrim <florian.pelgrim@craneworks.de>
Date: Wed, 13 Aug 2014 17:34:02 +0200
Subject: [PATCH 81/82] Added myself into THANKS

---
 THANKS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/THANKS b/THANKS
index 0433f7ed..61e99466 100644
--- a/THANKS
+++ b/THANKS
@@ -26,6 +26,7 @@ Christian Rauch
 Christophe Carles
 Christoph Haas
 Christos Psonis
+craneworks
 Cyril Jaquier
 Daniel B. Cid
 Daniel B.

From 3dabd5fc833e2546d4715366126ac600a2088614 Mon Sep 17 00:00:00 2001
From: Florian Pelgrim <florian.pelgrim@craneworks.de>
Date: Sat, 25 Oct 2014 10:38:18 -0400
Subject: [PATCH 82/82] DOC: documentation about available vagrantfile setup

manually picked up from a commit within
https://github.com/fail2ban/fail2ban/pull/786
---
 DEVELOP | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/DEVELOP b/DEVELOP
index f1426561..1384a6ac 100644
--- a/DEVELOP
+++ b/DEVELOP
@@ -81,6 +81,18 @@ some quick commands::
   status test
 
 
+Testing with vagrant
+--------------------
+
+Testing can now be done inside a vagrant VM.  Vagrantfile provided in
+source code repository established two VMs:
+
+- VM "secure" which can be used for testing fail2ban code.
+- VM "attacker" which hcan be used to perform attack against our "secure" VM.
+
+Both VMs are sharing the 192.168.200/24 network. If you are using this network
+take a look into the Vagrantfile and change the IP.
+
 
 Coding Standards
 ================