Merge branch 'master' into nginx-botsearch

2015-02-04 02:13:33 +01:00 · 2015-02-04 02:13:33 +01:00 · eb0d086ed0
parent 1c6d2074fb 991096e599
commit eb0d086ed0
43 changed files with 180 additions and 33 deletions
--- a/12
+++ b/12
@ -29,10 +29,18 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released
   * recidive uses iptables-allports banaction by default now.
     Avoids problems with iptables versions not understanding 'all' for
     protocols and ports
   * filter.d/dovecot.conf
     - match pam_authenticate line from EL7
     - match unknown user line from EL7
   * Use use_poll=True for Python 2.7 to overcome "Bad file descriptor" msgs
     issue (gh-161)
   * filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore
     system authentication issues
 - New Features:
   - New filter:
     - postfix-rbl  Thanks Lee Clemens
     - apache-fakegooglebot.conf  Thanks Lee Clemens
   - New recursive embedded substitution feature added:
     - `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
     - `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
@ -54,6 +62,10 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released
   * Enable multiport for firewallcmd-new action.  Closes gh-834
   * files/debian-initd migrated from the debian branch and should be
     suitable for manual installations now (thanks Juan Karlo de Guzman)
   * Define empty ignoreregex in filters which didn't have it to avoid
     warnings (gh-934)
   * action.d/{sendmail-*,xarf-login-attack}.conf - report local
     timezone not UTC time/zone. Closes gh-911
 ver. 0.9.1 (2014/10/29) - better, faster, stronger
--- a/2
+++ b/2
@ -266,6 +266,8 @@ config/filter.d/groupoffice.conf
 config/filter.d/gssftpd.conf
 config/filter.d/guacamole.conf
 config/filter.d/horde.conf
 config/filter.d/ignorecommands
 config/filter.d/ignorecommands/apache-fakegooglebot
 config/filter.d/kerio.conf
 config/filter.d/lighttpd-auth.conf
 config/filter.d/monit.conf
--- a/MANIFEST.in
+++ b/MANIFEST.in
@ -2,3 +2,4 @@ include ChangeLog COPYING DEVELOP FILTERS README.* THANKS TODO CONTRIBUTING* Vag
 graft doc
 graft files
 recursive-include config *.conf *.py
 recursive-include config/filter.d/ignorecommands *
--- a/1
+++ b/1
@ -83,6 +83,7 @@ Michael Hanselmann
 Mika (mkl)
 Nick Munger
 onorua
 Orion Poplawski
 Paul Marrapese
 Paul Traina
 Noel Butler
--- a/config/action.d/sendmail-common.conf
+++ b/config/action.d/sendmail-common.conf
@ -15,7 +15,7 @@ after = sendmail-common.local
 # Values:  CMD
 #
 actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
-              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+              Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
              From: <sendername> <<sender>>
              To: <dest>\n
              Hi,\n
@ -28,7 +28,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
 # Values:  CMD
 #
 actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
-             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+             Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
             From: <sendername> <<sender>>
             To: <dest>\n
             Hi,\n
--- a/config/action.d/sendmail-whois-ipjailmatches.conf
+++ b/config/action.d/sendmail-whois-ipjailmatches.conf
@ -17,7 +17,7 @@ before = sendmail-common.conf
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
--- a/config/action.d/sendmail-whois-ipmatches.conf
+++ b/config/action.d/sendmail-whois-ipmatches.conf
@ -17,7 +17,7 @@ before = sendmail-common.conf
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
--- a/config/action.d/sendmail-whois-lines.conf
+++ b/config/action.d/sendmail-whois-lines.conf
@ -17,7 +17,7 @@ before = sendmail-common.conf
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
--- a/config/action.d/sendmail-whois-matches.conf
+++ b/config/action.d/sendmail-whois-matches.conf
@ -17,7 +17,7 @@ before = sendmail-common.conf
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
--- a/config/action.d/sendmail-whois.conf
+++ b/config/action.d/sendmail-whois.conf
@ -17,7 +17,7 @@ before = sendmail-common.conf
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
--- a/config/action.d/sendmail.conf
+++ b/config/action.d/sendmail.conf
@ -17,7 +17,7 @@ before = sendmail-common.conf
 # Values:  CMD
 #
 actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
-            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
--- a/config/action.d/xarf-login-attack.conf
+++ b/config/action.d/xarf-login-attack.conf
@ -46,7 +46,7 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(di
            REPORTID=<time>@`uname -n`
            TLP=<tlp>
            PORT=<port>
-            DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
+            DATE=`LC_TIME=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
            if [ ! -z "$ADDRESSES" ]; then
                (printf -- %%b "<header>\n<message>\n<report>\n";
                 date '+Note: Local timezone is %%z (%%Z)';
--- a/config/filter.d/apache-fakegooglebot.conf
+++ b/config/filter.d/apache-fakegooglebot.conf
@ -0,0 +1,14 @@
 # Fail2Ban filter for fake Googlebot User Agents
 [Definition]
 failregex = ^<HOST> .*Googlebot.*$
 ignoreregex =
 # DEV Notes:
 #
 # Author: Lee Clemens
 # Thanks: Johannes B. Ullrich, Ph.D.
 # Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@ -53,4 +53,8 @@ __bsd_syslog_verbose = (<[^.]+\.[^.]+>)
 # This can be optional (for instance if we match named native log files)
 __prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
 # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
 # pam_ldap
 __pam_auth = pam_unix
 # Author: Yaroslav Halchenko
--- a/config/filter.d/counter-strike.conf
+++ b/config/filter.d/counter-strike.conf
@ -6,6 +6,7 @@
 failregex = ^: Bad Rcon: "rcon \d+ "\S+"  sv_contact ".*?"" from "<HOST>:\d+"$
 ignoreregex =
 [Init]
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@ -9,9 +9,10 @@ before = common.conf
 _daemon = (auth|dovecot(-auth)?|auth-worker)
-failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
+failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
-            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            ^%(__prefix_line)sauth-worker\(\d+\): pam\(\S+,<HOST>\): unknown user\s*$
 ignoreregex = 
--- a/config/filter.d/groupoffice.conf
+++ b/config/filter.d/groupoffice.conf
@ -8,7 +8,7 @@
 failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
-
+ignoreregex =
 # Author: Daniel Black
--- a/config/filter.d/ignorecommands/apache-fakegooglebot
+++ b/config/filter.d/ignorecommands/apache-fakegooglebot
@ -0,0 +1,32 @@
 #!/usr/bin/python
 # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
 #
 # Written in Python to reuse built-in Python batteries and not depend on
 # presence of host and cut commands
 #
 import sys
 def process_args(argv):
    if len(argv) != 2:
       sys.stderr.write("Please provide a single IP as an argument. Got: %s\n"
                        % (argv[1:]))
       sys.exit(2)
    ip = argv[1]
    from fail2ban.server.filter import DNSUtils
    if not DNSUtils.isValidIP(ip):
       sys.stderr.write("Argument must be a single valid IP. Got: %s\n"
                        % ip)
       sys.exit(3)
    return ip
 def is_googlebot(ip):
    import re
    from fail2ban.server.filter import DNSUtils
    host = DNSUtils.ipToName(ip)
    sys.exit(0 if (host and re.match('crawl-.*\.googlebot\.com', host)) else 1)
 if __name__ == '__main__':
    is_googlebot(process_args(sys.argv))
--- a/config/filter.d/kerio.conf
+++ b/config/filter.d/kerio.conf
@ -6,6 +6,9 @@ failregex = ^ SMTP Spam attack detected from <HOST>,
            ^ IP address <HOST> found in DNS blacklist \S+, mail from \S+ to \S+$
            ^ Relay attempt from IP address <HOST>
            ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
 ignoreregex =
 [Init]
 datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
--- a/config/filter.d/monit.conf
+++ b/config/filter.d/monit.conf
@ -7,3 +7,4 @@
 failregex = ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied unknown user '\w+' accessing monit httpd$
            ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied wrong password for user '\w+' accessing monit httpd$
 ignoreregex =
--- a/config/filter.d/nsd.conf
+++ b/config/filter.d/nsd.conf
@ -24,3 +24,5 @@ _daemon = nsd
 failregex =  ^\[\]%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
              ^\[\]%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
 ignoreregex =
--- a/config/filter.d/pam-generic.conf
+++ b/config/filter.d/pam-generic.conf
@ -13,7 +13,7 @@ before = common.conf
 # Default: catch all failed logins
 _ttys_re=\S*
-__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
 _daemon = \S+
 failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
--- a/config/filter.d/portsentry.conf
+++ b/config/filter.d/portsentry.conf
@ -6,5 +6,7 @@
 failregex = \/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$
 ignoreregex =
 # Author: Pacop <pacoparu@gmail.com>
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@ -9,9 +9,9 @@ before = common.conf
 _daemon = postfix/(submission/)?smtp(d|s)
-failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
-ignoreregex = 
+ignoreregex = authentication failed: Connection lost to authentication server$
 [Init]
--- a/config/filter.d/squid.conf
+++ b/config/filter.d/squid.conf
@ -7,7 +7,7 @@
 failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
            ^\s+\d\s<HOST>\s+NONE/405 .*$
-
+ignoreregex =
 # Author: Daniel Black
--- a/config/filter.d/squirrelmail.conf
+++ b/config/filter.d/squirrelmail.conf
@ -3,6 +3,7 @@
 failregex = ^ \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect\.$
 ignoreregex =
 [Init]
--- a/config/filter.d/stunnel.conf
+++ b/config/filter.d/stunnel.conf
@ -4,6 +4,8 @@
 failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
 ignoreregex =
 # DEV NOTES:
 # 
 # Author: Daniel Black
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@ -10,7 +10,7 @@ before = common.conf
 [Definition]
-__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
 _daemon =  vsftpd
 failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
--- a/config/filter.d/wuftpd.conf
+++ b/config/filter.d/wuftpd.conf
@ -11,7 +11,7 @@ before = common.conf
 [Definition]
 _daemon = wu-ftpd
-__pam_re=\(?pam_unix(?:\(wu-ftpd:auth\))?\)?:?
+__pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:?
 failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
            ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
--- a/config/jail.conf
+++ b/config/jail.conf
@ -277,6 +277,14 @@ logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-fakegooglebot]
 port     = http,https
 logpath  = %(apache_access_log)s
 maxretry = 1
 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
 [apache-modsecurity]
 port     = http,https
--- a/config/paths-common.conf
+++ b/config/paths-common.conf
@ -61,3 +61,6 @@ dovecot_log = %(syslog_mail_warn)s
 solidpop3d_log = %(syslog_local0)s
 mysql_log = %(syslog_daemon)s
 # Directory with ignorecommand scripts
 ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands
--- a/fail2ban/client/filterreader.py
+++ b/fail2ban/client/filterreader.py
@ -50,17 +50,17 @@ class FilterReader(DefinitionInitConfigReader):
 	def getCombined(self):
 		combinedopts = dict(list(self._opts.items()) + list(self._initOpts.items()))
 		if not len(combinedopts):
-			return {};
+			return {}
 		opts = CommandAction.substituteRecursiveTags(combinedopts)
 		if not opts:
 			raise ValueError('recursive tag definitions unable to be resolved')
-		return opts;
+		return opts
 	def convert(self):
 		stream = list()
 		opts = self.getCombined()
 		if not len(opts):
-			return stream;
+			return stream
 		for opt, value in opts.iteritems():
 			if opt == "failregex":
 				for regex in value.split('\n'):
--- a/fail2ban/server/asyncserver.py
+++ b/fail2ban/server/asyncserver.py
@ -149,7 +149,10 @@ class AsyncServer(asyncore.dispatcher):
 		self.__init = True
 		# TODO Add try..catch
 		# There's a bug report for Python 2.6/3.0 that use_poll=True yields some 2.5 incompatibilities:
-		logSys.debug("Detected Python 2.6 or greater. asyncore.loop() not using poll")
+		if sys.version_info >= (2, 7) and sys.version_info < (2, 8): # if python 2.7 ...
 			logSys.debug("Detected Python 2.7. asyncore.loop() using poll")
 			asyncore.loop(use_poll=True) # workaround for the "Bad file descriptor" issue on Python 2.7, gh-161
 		else:
 			asyncore.loop(use_poll=False) # fixes the "Unexpected communication problem" issue on Python 2.6 and 3.0
 	##
--- a/fail2ban/server/filter.py
+++ b/fail2ban/server/filter.py
@ -338,6 +338,10 @@ class Filter(JailThread):
 		logSys.debug("Remove " + ip + " from ignore list")
 		self.__ignoreIpList.remove(ip)
 	def logIgnoreIp(self, ip, log_ignore, ignore_source="unknown source"):
 		if log_ignore:
 			logSys.info("[%s] Ignore %s by %s" % (self.jail.name, ip, ignore_source))
 	def getIgnoreIP(self):
 		return self.__ignoreIpList
@ -349,7 +353,7 @@ class Filter(JailThread):
 	# @param ip IP address
 	# @return True if IP address is in ignore list
-	def inIgnoreIPList(self, ip):
+	def inIgnoreIPList(self, ip, log_ignore=False):
 		for i in self.__ignoreIpList:
 			# An empty string is always false
 			if i == "":
@ -369,16 +373,20 @@ class Filter(JailThread):
 				# Check if IP in DNS
 				ips = DNSUtils.dnsToIp(i)
 				if ip in ips:
 					self.logIgnoreIp(ip, log_ignore, ignore_source="dns")
 					return True
 				else:
 					continue
 			if a == b:
 				self.logIgnoreIp(ip, log_ignore, ignore_source="ip")
 				return True
 		if self.__ignoreCommand:
 			command = CommandAction.replaceTag(self.__ignoreCommand, { 'ip': ip } )
 			logSys.debug('ignore command: ' + command)
-			return CommandAction.executeCmd(command)
+			ret_ignore = CommandAction.executeCmd(command)
 			self.logIgnoreIp(ip, log_ignore and ret_ignore, ignore_source="command")
 			return ret_ignore
 		return False
@ -418,8 +426,7 @@ class Filter(JailThread):
 				logSys.debug("Ignore line since time %s < %s - %s"
 							 % (unixTime, MyTime.time(), self.getFindTime()))
 				break
-			if self.inIgnoreIPList(ip):
+			if self.inIgnoreIPList(ip, log_ignore=True):
 				logSys.info("[%s] Ignore %s" % (self.jail.name, ip))
 				continue
 			logSys.info("[%s] Found %s" % (self.jail.name, ip))
 			## print "D: Adding a ticket for %s" % ((ip, unixTime, [line]),)
@ -852,6 +859,14 @@ class DNSUtils:
 						% (dns, e))
 			return list()
 	@staticmethod
 	def ipToName(ip):
 		try:
 			return socket.gethostbyaddr(ip)[0]
 		except socket.error, e:
 			logSys.debug("Unable to find a name for the IP %s: %s" % (ip, e))
 			return None
 	@staticmethod
 	def searchIP(text):
 		""" Search if an IP address if directly available and return
--- a/fail2ban/server/jail.py
+++ b/fail2ban/server/jail.py
@ -213,7 +213,7 @@ class Jail:
 		if self.database is not None:
 			for ticket in self.database.getBansMerged(
 				jail=self, bantime=self.actions.getBanTime()):
-				if not self.filter.inIgnoreIPList(ticket.getIP()):
+				if not self.filter.inIgnoreIPList(ticket.getIP(), log_ignore=True):
 					self.__queue.put(ticket)
 		logSys.info("Jail '%s' started" % self.name)
--- a/fail2ban/tests/files/logs/apache-fakegooglebot
+++ b/fail2ban/tests/files/logs/apache-fakegooglebot
@ -0,0 +1,5 @@
 # Apache 2.2
 # failJSON: { "time": "2015-01-31T14:29:44", "match": true, "host": "66.249.66.1" }
 66.249.66.1 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546
 # failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "93.184.216.34" }
 93.184.216.34 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546
--- a/fail2ban/tests/files/logs/dovecot
+++ b/fail2ban/tests/files/logs/dovecot
@ -31,6 +31,12 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER
 # failJSON: { "time": "2013-08-11T03:56:40", "match": true , "host": "1.2.3.4" }
 2013-08-11 03:56:40 auth-worker(default): Info: pam(username,1.2.3.4): pam_authenticate() failed: Authentication failure (password mismatch?)
 # failJSON: { "time": "2005-01-29T05:32:50", "match": true , "host": "1.2.3.4" }
 Jan 29 05:32:50 mail dovecot: auth-worker(304): pam(username,1.2.3.4): pam_authenticate() failed: Authentication failure (password mismatch?)
 # failJSON: { "time": "2005-01-29T05:13:40", "match": true , "host": "1.2.3.4" }
 Jan 29 05:13:40 mail dovecot: auth-worker(31326): pam(username,1.2.3.4): unknown user
 # failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" }
 Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104
--- a/fail2ban/tests/files/logs/postfix-sasl
+++ b/fail2ban/tests/files/logs/postfix-sasl
@ -12,3 +12,12 @@ Sep  6 00:44:56 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221
 #4 Example from postfix post-debian changes to rename to add "submission" to syslog name + downcase
 # failJSON: { "time": "2004-09-06T00:44:57", "match": true , "host": "82.221.106.233" }
 Sep  6 00:44:57 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL login authentication failed: UGFzc3dvcmQ6
 #5 Example to add :
 # failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" }
 Jan 29 08:11:45 mail postfix/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password:
 #6 Example to ignore because due to a failed attempt to connect to authentication service - no malicious activities whatsoever
 # failJSON: { "time": "2005-02-03T08:29:28", "match": false , "host": "1.1.1.1" }
 Feb  3 08:29:28 mail postfix/smtpd[21022]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Connection lost to authentication server
--- a/fail2ban/tests/filtertestcase.py
+++ b/fail2ban/tests/filtertestcase.py
@ -266,6 +266,15 @@ class IgnoreIP(LogCaptureTestCase):
 		self.assertTrue(self.filter.inIgnoreIPList("10.0.0.1"))
 		self.assertFalse(self.filter.inIgnoreIPList("10.0.0.0"))
 	def testIgnoreCauseOK(self):
 		ip = "93.184.216.34"
 		for ignore_source in ["dns", "ip", "command"]:
 			self.filter.logIgnoreIp(ip, True, ignore_source=ignore_source)
 			self.assertTrue(self._is_logged("[%s] Ignore %s by %s" % (self.jail.name, ip, ignore_source)))
 	def testIgnoreCauseNOK(self):
 		self.filter.logIgnoreIp("example.com", False, ignore_source="NOT_LOGGED")
 		self.assertFalse(self._is_logged("[%s] Ignore %s by %s" % (self.jail.name, "example.com", "NOT_LOGGED")))
 class IgnoreIPDNS(IgnoreIP):
@ -1011,6 +1020,12 @@ class DNSUtilsTests(unittest.TestCase):
 			else:
 				self.assertEqual(res, [])
 	def testIpToName(self):
 		res = DNSUtils.ipToName('66.249.66.1')
 		self.assertEqual(res, 'crawl-66-249-66-1.googlebot.com')
 		res = DNSUtils.ipToName('10.0.0.0')
 		self.assertEqual(res, None)
 class JailTests(unittest.TestCase):
 	def testSetBackend_gh83(self):
--- a/fail2ban/tests/misctestcase.py
+++ b/fail2ban/tests/misctestcase.py
@ -113,7 +113,7 @@ class SetupTest(unittest.TestCase):
 			# clean up
 			shutil.rmtree(tmp)
 			# remove build directory
-			os.system("%s %s clean --all >/dev/null"
+			os.system("%s %s clean --all >/dev/null 2>&1"
 					  % (sys.executable, self.setup))
 class TestsUtilsTest(unittest.TestCase):
--- a/fail2ban/tests/samplestestcase.py
+++ b/fail2ban/tests/samplestestcase.py
@ -141,7 +141,8 @@ def testSampleRegexsFactory(name):
 	return testFilter
-for filter_ in filter(lambda x: not x.endswith('common.conf'), os.listdir(os.path.join(CONFIG_DIR, "filter.d"))):
+for filter_ in filter(lambda x: not x.endswith('common.conf') and x.endswith('.conf'),
 					  os.listdir(os.path.join(CONFIG_DIR, "filter.d"))):
 	filterName = filter_.rpartition(".")[0]
 	if not filterName.startswith('.'):
 		setattr(
--- a/files/debian-initd
+++ b/files/debian-initd
@ -3,8 +3,8 @@
 # Provides:          fail2ban
 # Required-Start:    $local_fs $remote_fs
 # Required-Stop:     $local_fs $remote_fs
-# Should-Start:      $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
+# Should-Start:      $time $network $syslog $named iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm ufw
-# Should-Stop:       $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
+# Should-Stop:       $network $syslog $named iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm ufw
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start/stop fail2ban
--- a/setup.py
+++ b/setup.py
@ -124,6 +124,9 @@ setup(
 		('/etc/fail2ban/filter.d',
 			glob("config/filter.d/*.conf")
 		),
 		('/etc/fail2ban/filter.d/ignorecommands',
 			glob("config/filter.d/ignorecommands/*")
 		),
 		('/etc/fail2ban/action.d',
 			glob("config/action.d/*.conf") +
 			glob("config/action.d/*.py")