Merge tag '0.8.13' into debian

* tag '0.8.13': (48 commits)
  DOC: DEVELOP release note changes
  PKG: version release
  PKG: include nagios filter/log
  DOC/ENH: update man pages for release
  ENH: pull asterisk filter change to support syslog from 0.9 branch
  Sanity-check print-all-* vs print-no-* options.
  Add --print-no-{missed,ignored} and restore -all.
  Only remember log lines we need to print later.
  Fix the --print-all-{missed,ignored} options.
  ENH: sendmail-reject for all smtp ports.
  ENH: more sendmail-reject filter items thanks to fab23
  BF: move to right location
  ENH: rename sendmail-spam to sendmail-reject
  BF: email address as arg1 in sendmail filters
  ENH: wider regex for RBL and sendmail-spam
  DOC: Add reference to action argument values which contain ","
  BF: add jail.conf definitions for sendmail* filters
  ENH: add filter for sendmail-{auth,spam}. Closes gh-20
  ENH: Allow 255.255.255.0 style mask for ignoreip
  BF: Fix complain action for multiple recipients and misplaced ";"
  ...
pull/808/head
Yaroslav Halchenko 2014-03-16 10:26:22 -04:00
commit f04bae1366
31 changed files with 372 additions and 97 deletions


@ -9,7 +9,7 @@ before_install:
install: install:
- pip install pyinotify - pip install pyinotify
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; fi - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; fi
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then pip install -q coveralls; fi - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd ..; pip install -q coveralls; cd -; fi
script: script:
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"; fi - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"; fi
- if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi
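Review bot: the `cd ..; pip install -q coveralls; cd -` wrapper on the install line needs a comment saying why coveralls has to be installed from outside the source tree; as written a reader cannot tell whether it works around pip picking up the local package directory or something else. `cd -` also echoes the directory it returns to, which adds noise to the build log; `cd - >/dev/null` keeps it quiet.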


@ -4,9 +4,28 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_| |_| \__,_|_|_/___|_.__/\__,_|_||_|
================================================================================ ================================================================================
Fail2Ban (version 0.8.12) 2014/01/22 Fail2Ban (version 0.8.13) 2014/03/15
================================================================================ ================================================================================
ver. 0.8.13 (2014/03/15) - maintenance-only-from-now-on
-----------
- Fixes:
- action firewallcmd-ipset had non-working actioncheck. Removed.
redhat bug #1046816.
- filter pureftpd - added _daemon which got removed. Added
- New Features:
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
- filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
- Enhancements:
- filter asterisk now supports syslog format
- filter pureftpd - added all translations of "Authentication failed for
user"
- filter dovecot - lip= was optional and extended TLS errors can occur.
Thanks Noel Butler.
ver. 0.8.12 (2014/01/22) - things-can-only-get-better ver. 0.8.12 (2014/01/22) - things-can-only-get-better
----------- -----------
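Review bot: the Fixes entry `filter pureftpd - added _daemon which got removed. Added` reads as an unfinished sentence; state what was added in one line (the `_daemon` definition so `__prefix_line` matches again). The `lip=` Enhancements entry would also be clearer as "lip= is now optional and extended TLS handshake errors are matched".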
@ -14,7 +33,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better
- Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
name length. As per gh-395 name length. As per gh-395
- mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
Part of gh-447. Part of gh-447.
- Fixes: - Fixes:
- allow for ",milliseconds" in the custom date format of proftpd.log - allow for ",milliseconds" in the custom date format of proftpd.log
@ -31,7 +50,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better
- Fix apache-common for apache-2.4 log file format. Thanks Mark White. - Fix apache-common for apache-2.4 log file format. Thanks Mark White.
Closes gh-516 Closes gh-516
- Asynchat changed to use push method which verifys whether all data was - Asynchat changed to use push method which verifys whether all data was
send. This ensures that all data is sent before closing the connection. send. This ensures that all data is sent before closing the connection.
- Removed unnecessary reference to as yet undeclared $jail_name when checking - Removed unnecessary reference to as yet undeclared $jail_name when checking
a specific jail. a specific jail.
- Filter dovecot reordered session and TLS items in regex with wider scope - Filter dovecot reordered session and TLS items in regex with wider scope


@ -316,23 +316,23 @@ Look for errors like:
Which indicates that testcases/files/logs/mysqld.log has been moved or is a directory Which indicates that testcases/files/logs/mysqld.log has been moved or is a directory
tar -C /tmp -jxf dist/fail2ban-0.8.12.tar.bz2 tar -C /tmp -jxf dist/fail2ban-0.8.14.tar.bz2
# clean up current direcory # clean up current direcory
diff -rul --exclude \*.pyc . /tmp/fail2ban-0.8.12/ diff -rul --exclude \*.pyc . /tmp/fail2ban-0.8.14/
# Only differences should be files that you don't want distributed. # Only differences should be files that you don't want distributed.
# Ensure the tests work from the tarball # Ensure the tests work from the tarball
cd /tmp/fail2ban-0.8.12/ && ./fail2ban-testcases-all cd /tmp/fail2ban-0.8.14/ && ./fail2ban-testcases-all
# Add/finalize the corresponding entry in the ChangeLog # Add/finalize the corresponding entry in the ChangeLog
To generate a list of committers use e.g. To generate a list of committers use e.g.
git shortlog -sn 0.8.11.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g' git shortlog -sn 0.8.13.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g'
Ensure the top of the ChangeLog has the right version and current date. Ensure the top of the ChangeLog has the right version and current date.
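Review bot: the comment `# clean up current direcory` keeps its typo (`directory`) even though the surrounding lines are touched for the version bump; fix it in the same change.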


@ -67,6 +67,7 @@ testcases/files/logs/horde
testcases/files/logs/suhosin testcases/files/logs/suhosin
testcases/files/logs/mysqld-auth testcases/files/logs/mysqld-auth
testcases/files/logs/named-refused testcases/files/logs/named-refused
testcases/files/logs/nagios
testcases/files/logs/nginx-http-auth testcases/files/logs/nginx-http-auth
testcases/files/logs/nsd testcases/files/logs/nsd
testcases/files/logs/openwebmail testcases/files/logs/openwebmail
@ -103,6 +104,8 @@ testcases/files/logs/qmail
testcases/files/logs/recidive testcases/files/logs/recidive
testcases/files/logs/sieve testcases/files/logs/sieve
testcases/files/logs/selinux-ssh testcases/files/logs/selinux-ssh
testcases/files/logs/sendmail-auth
testcases/files/logs/sendmail-reject
testcases/files/logs/suhosin testcases/files/logs/suhosin
testcases/files/logs/uwimap-auth testcases/files/logs/uwimap-auth
testcases/files/logs/wuftpd testcases/files/logs/wuftpd
@ -162,6 +165,7 @@ config/filter.d/freeswitch.conf
config/filter.d/gssftpd.conf config/filter.d/gssftpd.conf
config/filter.d/horde.conf config/filter.d/horde.conf
config/filter.d/suhosin.conf config/filter.d/suhosin.conf
config/filter.d/nagios.conf
config/filter.d/named-refused.conf config/filter.d/named-refused.conf
config/filter.d/nsd.conf config/filter.d/nsd.conf
config/filter.d/openwebmail.conf config/filter.d/openwebmail.conf
@ -172,6 +176,8 @@ config/filter.d/qmail.conf
config/filter.d/pam-generic.conf config/filter.d/pam-generic.conf
config/filter.d/php-url-fopen.conf config/filter.d/php-url-fopen.conf
config/filter.d/postfix-sasl.conf config/filter.d/postfix-sasl.conf
config/filter.d/sendmail-auth.conf
config/filter.d/sendmail-reject.conf
config/filter.d/sieve.conf config/filter.d/sieve.conf
config/filter.d/solid-pop3d.conf config/filter.d/solid-pop3d.conf
config/filter.d/squid.conf config/filter.d/squid.conf

THANKS

@ -21,6 +21,7 @@ Bas van den Dikkenberg
Beau Raines Beau Raines
Bill Heaton Bill Heaton
Carlos Alberto Lopez Perez Carlos Alberto Lopez Perez
cepheid666
Christian Rauch Christian Rauch
Christophe Carles Christophe Carles
Christoph Haas Christoph Haas
@ -30,6 +31,7 @@ Daniel B. Cid
Daniel B. Daniel B.
Daniel Black Daniel Black
David Nutter David Nutter
Derek Atkins
Eric Gerbier Eric Gerbier
Enrico Labedzki Enrico Labedzki
ftoppi ftoppi
@ -48,6 +50,7 @@ Jonathan Lanning
Jonathan Underwood Jonathan Underwood
Joël Bertrand Joël Bertrand
JP Espinosa JP Espinosa
jserrachinha
Justin Shore Justin Shore
Kévin Drapel Kévin Drapel
kjohnsonecl kjohnsonecl
@ -66,6 +69,7 @@ Merijn Schering
Michael C. Haller Michael C. Haller
Michael Hanselmann Michael Hanselmann
Nick Munger Nick Munger
Noel Butler
Patrick Börjesson Patrick Börjesson
Raphaël Marichez Raphaël Marichez
RealRancor RealRancor
@ -90,5 +94,6 @@ Yaroslav Halchenko
Winston Smith Winston Smith
ykimon ykimon
Yehuda Katz Yehuda Katz
Zbigniew Jędrzejewski-Szmek
zugeschmiert zugeschmiert
Zurd Zurd


@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
__license__ = "GPL" __license__ = "GPL"
version = "0.8.12" version = "0.8.13"


@ -1,17 +1,16 @@
# Fail2Ban configuration file # Fail2Ban configuration file
# #
# Author: Russell Odom <russ@gloomytrousers.co.uk> # Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
# Sends a complaint e-mail to addresses listed in the whois record for an # Sends a complaint e-mail to addresses listed in the whois record for an
# offending IP address. # offending IP address.
# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
#
# DEPENDANCIES:
# This requires the dig command from bind-utils
# #
# You should provide the <logpath> in the jail config - lines from the log # You should provide the <logpath> in the jail config - lines from the log
# matching the given IP address will be provided in the complaint as evidence. # matching the given IP address will be provided in the complaint as evidence.
# #
# Note that we will try to use e-mail addresses that are most likely to be abuse
# addresses (based on various keywords). If they aren't found we fall back on
# any other addresses found in the whois record, with a few exceptions.
# If no addresses are found, no e-mail is sent.
#
# WARNING # WARNING
# ------- # -------
# #
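Review bot: the header still says the addresses are "listed in the whois record" although the lookup now goes to the abusix contact DB over DNS; update that sentence, fix the spelling of `DEPENDENCIES`, and say explicitly that each banned IP is sent to a third-party DNS zone, which administrators should know before enabling this action.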
@ -55,10 +54,10 @@ actioncheck =
# Tags: See jail.conf(5) man page # Tags: See jail.conf(5) man page
# Values: CMD # Values: CMD
# #
actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'` actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
IP=<ip> IP=<ip>
if [ ! -z "$ADDRESSES" ]; then if [ ! -z "$ADDRESSES" ]; then
(printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> ${ADDRESSES//,/\" \"}
fi fi
# Option: actionunban # Option: actionunban
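Review bot: the new actionban relies on bash-only syntax (the `SEP_IP=( <ip> )` array and `${ADDRESSES//,/\" \"}`); if the action command is executed by a POSIX /bin/sh such as dash it fails with a syntax error. The octet split also only works because the unquoted `${SEP_IP}` is re-split by `set --` under `IFS=.`, not because of the array; `set -- $(echo <ip>)` under the same IFS would say what is meant. Since `dig +short` prints TXT data in double quotes, the substitution turns `"a@x,b@y"` into `"a@x" "b@y"` with the quote characters still literal in the words passed to `<mailcmd>`, so the recipient list should be checked against what the mail command actually receives. A DNS failure is also not distinguished from "no contact": `dig`'s exit status is ignored and an empty `$ADDRESSES` just skips the mail.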
@ -70,7 +69,7 @@ actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed
actionunban = actionunban =
[Init] [Init]
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
# Path to the log files which contain relevant lines for the abuser IP # Path to the log files which contain relevant lines for the abuser IP
# #
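Review bot: the `[Init]` message has grammar and consistency problems: `according to a abusix.com` should read `according to abusix.com`, and the parenthetical still claims the address `was extracted from the whois record` although the action now queries the abusix contact DB. Moving the long abusix disclaimer into its own `[Init]` variable would also keep the template readable.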


@ -25,8 +25,6 @@ actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <proto
ipset flush fail2ban-<name> ipset flush fail2ban-<name>
ipset destroy fail2ban-<name> ipset destroy fail2ban-<name>
actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$'
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
actionunban = ipset del fail2ban-<name> <ip> -exist actionunban = ipset del fail2ban-<name> <ip> -exist
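Review bot: removing `actioncheck` entirely means fail2ban no longer notices when the firewalld chain or the ipset disappears (for example after a firewalld reload) and will not re-run actionstart; rather than dropping the check, replace it with one that works, such as `actioncheck = ipset list fail2ban-<name> >/dev/null`, so a missing set still triggers recovery.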


@ -33,13 +33,14 @@ before = iptables-blocktype.conf
# own rules. The 3600 second timeout is independent and acts as a # own rules. The 3600 second timeout is independent and acts as a
# safeguard in case the fail2ban process dies unexpectedly. The # safeguard in case the fail2ban process dies unexpectedly. The
# shorter of the two timeouts actually matters. # shorter of the two timeouts actually matters.
actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype> actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>;fi
# Option: actionstop # Option: actionstop
# Notes.: command executed once at the end of Fail2Ban # Notes.: command executed once at the end of Fail2Ban
# Values: CMD # Values: CMD
# #
actionstop = echo / > /proc/net/xt_recent/fail2ban-<name> actionstop = echo / > /proc/net/xt_recent/fail2ban-<name>
if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>;fi
# Option: actioncheck # Option: actioncheck
# Notes.: command executed once before each actionban command # Notes.: command executed once before each actionban command
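Review bot: gating `actionstart` and the new iptables line in `actionstop` on `[ \`id -u\` -eq 0 ]` makes the action silently do nothing when fail2ban runs unprivileged, so the comment block above should state that in that case the `-m recent` rule must be installed by the administrator beforehand; otherwise bans are written to `/proc/net/xt_recent/fail2ban-<name>` but never enforced. The `echo / > /proc/net/xt_recent/fail2ban-<name>` in actionstop is not gated and still needs write access to that file.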


@ -1,24 +1,39 @@
# Fail2Ban filter for asterisk authentication failures # Fail2Ban filter for asterisk authentication failures
# #
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition] [Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\]) __pid_re = (?:\[\d+\])
# All Asterisk log messages begin like this: # All Asterisk log messages begin like this:
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d* log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from <HOST>"$ ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex = ignoreregex =
# Author: Xavier Devlamynck # Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
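Review bot: the first failregex lists `Not a local domain` twice in its alternation (after `No matching peer found` and again at the end); drop one. The `(%(__prefix_line)s|\[\]\s*)` prefix is also repeated verbatim on every line; defining it once next to `log_prefix` (e.g. `__prefix = (%(__prefix_line)s|\[\]\s*)`) keeps the regexes in sync if the syslog form changes again.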


@ -10,7 +10,7 @@ before = common.conf
_daemon = (auth|dovecot(-auth)?|auth-worker) _daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$ failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
ignoreregex = ignoreregex =
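Review bot: dropping `no auth attempts` from the `Aborted login|Disconnected` regex means clients that connect and disconnect without trying a password are no longer counted; the DEV notes justify this as a false-positive fix, but it is a behaviour change that belongs in the ChangeLog for users who relied on it. The new TLS branch matches only the exact OpenSSL text `..._GET_CLIENT_HELLO:unknown protocol`, so other handshake failures logged in that position still fall through to "missed"; a sample line for this case in the dovecot test log would pin the format.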
@ -18,6 +18,8 @@ ignoreregex =
# DEV Notes: # DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf # * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly # * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
# lots of false positives on misconfigured MTAs making regexp unuseable
# #
# Author: Martin Waschbuesch # Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors) # Daniel Black (rewrote with begin and end anchors)
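Review bot: the new DEV note reads `because produces lots of false positives ... making regexp unuseable`; rewrite it as "because it produces lots of false positives on misconfigured MTAs, making the regex unusable".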


@ -0,0 +1,17 @@
# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
# Detecting unauthorized access to the nrpe2 daemon
# typically logged in /var/log/messages syslog
#
[INCLUDES]
# Read syslog common prefixes
before = common.conf
[Definition]
_daemon = nrpe
failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
ignoreregex =
# DEV Notes:
#
# Author: Ivo Truxa - 2014/02/03
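Review bot: the header talks about `nrpe2` while `_daemon = nrpe`; make the two consistent and confirm against the new nagios test log that the syslog program name really is `nrpe`, since `__prefix_line` from common.conf depends on it. The `# DEV Notes:` section is empty; either record where the `Host <HOST> is not allowed to talk to us!` message comes from or remove the heading.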


@ -12,13 +12,19 @@ before = common.conf
[Definition] [Definition]
# Error message specified in multiple languages _daemon = pure-ftpd
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$ # Error message specified in multiple languages
__errmsg = (?:<3A>ϥΪ<CFA5>\[.*\]<5D><><EFBFBD>ҥ<EFBFBD><D2A5><EFBFBD>|ʹ<><CAB9><EFBFBD><EFBFBD>\[.*\]<5D><>֤ʧ<D6A4><CAA7>|\[.*\] kullan<61>c<EFBFBD>s<EFBFBD> i<>in giri<72> hatal<61>|<7C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh<65>righetskontroll misslyckas f<>r anv<6E>ndare \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentica<63><61>o falhou para usu<73>rio \[.*\]|Autentyfikacja nie powiod<6F>a si<73> dla u<>ytkownika \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|\[.*\] <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>|Autenticazione falita per l'utente \[.*\]|Azonos<6F>t<EFBFBD>s sikertelen \[.*\] felhaszn<7A>l<EFBFBD>nak|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Autentificaci<63>n fallida para el usuario \[.*\]|Authentication failed for user \[.*\]|Authentifizierung fehlgeschlagen f<>r Benutzer \[.*\].|Godkendelse mislykkedes for \[.*\]|Autentifikace u<>ivatele selhala \[.*\])
failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
ignoreregex = ignoreregex =
# Author: Cyril Jaquier # Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd # Modified: Yaroslav Halchenko for pure-ftpd
# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
#
# Only logs to syslog though facility can be changed configuration file/command line
#
# fgrep -r MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src
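Review bot: the translated `__errmsg` alternatives arrive here as undecodable bytes, which suggests the file is not UTF-8 or mixes encodings; since the regex has to match the bytes pure-ftpd actually writes to syslog, state the encoding in a comment and keep the whole file in one encoding so editors and the test suite do not mangle it. Each `\[.*\]` is also greedy inside a long alternation; `\[[^\]]*\]` is cheaper and cannot span to a later bracket on an unusual line.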


@ -0,0 +1,18 @@
# Fail2Ban filter for sendmail authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:sm-(mta|acceptingconnections))
failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
ignoreregex =
# DEV Notes:
#
# Author: Daniel Black
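Review bot: the regex assumes a 14-character queue id (`\w{14}:`) and accepts any `count=\d+`, so a single `possible SMTP attack: command=AUTH` line counts as one failure whatever the count value says; say so in the empty `# DEV Notes:` section (or drop the heading) and reference the sample line the sendmail-auth test log covers.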


@ -0,0 +1,34 @@
# Fail2Ban filter for sendmail spam/relay type failures
#
# Some of the below failregex will only work properly, when the following
# options are set in the .mc file (see your Sendmail documentation on how
# to modify it and generate the corresponding .cf file):
#
# FEATURE(`delay_checks')
# FEATURE(`greet_pause', `500')
# FEATURE(`ratecontrol', `nodelay', `terminate')
# FEATURE(`conncontrol', `nodelay', `terminate')
#
# ratecontrol and conncontrol also need corresponding options ClientRate:
# and ClientConn: in the access file, see documentation for ratecontrol and
# conncontrol in the sendmail/cf/README file.
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:sm-(mta|acceptingconnections))
failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
^%(__prefix_line)s\w{14}: rejecting commands from (\S+ )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]: ((?i)expn|vrfy) \S+ \[rejected\]$
ignoreregex =
# DEV Notes:
#
# Author: Daniel Black and Fabian Wenk
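Review bot: the `((?i)expn|vrfy)` group in the last failregex uses an inline flag mid-pattern; in Python's `re` a `(?i)` anywhere applies to the whole pattern, so the entire line becomes case-insensitive rather than just the command name. Use `(?:[Ee][Xx][Pp][Nn]|[Vv][Rr][Ff][Yy])` instead. The `check_relay` regex also has no `\w{14}:` queue-id prefix unlike the others; a DEV note explaining that connection-time rejections are logged without one would help the next maintainer.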


@ -157,6 +157,21 @@ logpath = /var/log/daemon.log
maxretry = 6 maxretry = 6
[sendmail-auth]
enabled = false
filter = sendmail-auth
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath = /var/log/mail.log
[sendmail-reject]
enabled = false
filter = sendmail-reject
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath = /var/log/mail.log
# This jail forces the backend to "polling". # This jail forces the backend to "polling".
[sasl-iptables] [sasl-iptables]
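Review bot: the `[sendmail-reject]` jail's action uses `name=sendmail-auth` (copied from the jail above), so both jails would manage the same `fail2ban-sendmail-auth` iptables chain and stopping one would remove the other's rules; change it to `name=sendmail-reject`.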
@ -448,16 +463,6 @@ maxretry = 5
# of usage in production environments. # of usage in production environments.
[php-url-fopen] [php-url-fopen]
enabled = false
action = iptables-multiport[name=php-url-open, port="http,https"]
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = false enabled = false
action = iptables-multiport[name=php-url-open, port="http,https"] action = iptables-multiport[name=php-url-open, port="http,https"]
filter = php-url-fopen filter = php-url-fopen
@ -758,3 +763,14 @@ action = iptables[name=SSH, port=ssh, protocol=tcp]
blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s] blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
logpath = /var/log/sshd.log logpath = /var/log/sshd.log
maxretry = 20 maxretry = 20
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
enabled = false
filter = nagios
action = iptables[name=Nagios, port=5666, protocol=tcp]
sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
maxretry = 1
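Review bot: `maxretry = 1` together with `sendmail-whois` means every single probe triggers a whois lookup and an e-mail, which the comment acknowledges but which is worth stating next to the action line. The inline `; nrpe.cfg may define a different log_facility` after `logpath` relies on the config parser treating ` ;` as an inline comment, so the space before `;` must stay.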


@ -74,12 +74,6 @@ further configuration. To run not as root, further setup is necessary:
with <name> suitably replaced. with <name> suitably replaced.
- suppress actionstart for iptables-xt_recent-echo action by creating an override file
iptables-xt_recent-echo.local to accompany iptables-xt_recent-echo.conf with
[Definition]
actionstart =
- Permissions: - Permissions:
make sure that configuration files under /etc/fail2ban are readable by make sure that configuration files under /etc/fail2ban are readable by


@ -145,7 +145,7 @@ class Fail2banClient:
def __processCmd(self, cmd, showRet = True): def __processCmd(self, cmd, showRet = True):
beautifier = Beautifier() beautifier = Beautifier()
ret = True streamRet = True
for c in cmd: for c in cmd:
beautifier.setInputCmd(c) beautifier.setInputCmd(c)
try: try:
@ -156,10 +156,10 @@ class Fail2banClient:
if showRet: if showRet:
print beautifier.beautify(ret[1]) print beautifier.beautify(ret[1])
else: else:
ret = False
logSys.error("NOK: " + `ret[1].args`) logSys.error("NOK: " + `ret[1].args`)
if showRet: if showRet:
print beautifier.beautifyError(ret[1]) print beautifier.beautifyError(ret[1])
streamRet = False
except socket.error: except socket.error:
if showRet: if showRet:
logSys.error("Unable to contact server. Is it running?") logSys.error("Unable to contact server. Is it running?")
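Review bot: the rename fixes a real defect visible in the old lines: `ret = False` was assigned before `logSys.error("NOK: " + \`ret[1].args\`)`, so the error branch indexed a boolean and raised TypeError instead of logging the server's reply; that deserves a line in the commit message and a client test that exercises a NOK response.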
@ -168,7 +168,7 @@ class Fail2banClient:
if showRet: if showRet:
logSys.error(e) logSys.error(e)
return False return False
return ret return streamRet
## ##
# Process a command line. # Process a command line.


@ -111,10 +111,14 @@ Report bugs to https://github.com/fail2ban/fail2ban/issues
help="Be verbose in output"), help="Be verbose in output"),
Option("-D", "--debuggex", action='store_true', Option("-D", "--debuggex", action='store_true',
help="Produce debuggex.com urls for debugging there"), help="Produce debuggex.com urls for debugging there"),
Option("--print-no-missed", action='store_true',
help="Do not print any missed lines"),
Option("--print-no-ignored", action='store_true',
help="Do not print any ignored lines"),
Option("--print-all-missed", action='store_true', Option("--print-all-missed", action='store_true',
help="Either to print all missed lines"), help="Print all missed lines, no matter how many"),
Option("--print-all-ignored", action='store_true', Option("--print-all-ignored", action='store_true',
help="Either to print all ignored lines"), help="Print all ignored lines, no matter how many"),
Option("-t", "--log-traceback", action='store_true', Option("-t", "--log-traceback", action='store_true',
help="Enrich log-messages with compressed tracebacks"), help="Enrich log-messages with compressed tracebacks"),
Option("--full-traceback", action='store_true', Option("--full-traceback", action='store_true',
@ -156,22 +160,16 @@ class LineStats(object):
""" """
def __init__(self): def __init__(self):
self.tested = self.matched = 0 self.tested = self.matched = 0
self.missed = 0
self.missed_lines = [] self.missed_lines = []
self.missed_lines_timeextracted = [] self.missed_lines_timeextracted = []
self.ignored = 0
self.ignored_lines = [] self.ignored_lines = []
self.ignored_lines_timeextracted = [] self.ignored_lines_timeextracted = []
def __str__(self): def __str__(self):
return "%(tested)d lines, %(ignored)d ignored, %(matched)d matched, %(missed)d missed" % self return "%(tested)d lines, %(ignored)d ignored, %(matched)d matched, %(missed)d missed" % self
@property
def ignored(self):
return len(self.ignored_lines)
@property
def missed(self):
return self.tested - (self.ignored + self.matched)
# just for convenient str # just for convenient str
def __getitem__(self, key): def __getitem__(self, key):
return getattr(self, key) return getattr(self, key)
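Review bot: turning `ignored` and `missed` back into plain counters means every place that appends to the `*_lines` lists must now also increment the matching counter; the property versions kept the two consistent by construction, so the assertion in printLines is the only guard left and should stay.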
@ -184,6 +182,9 @@ class Fail2banRegex(object):
def __init__(self, opts): def __init__(self, opts):
self._verbose = opts.verbose self._verbose = opts.verbose
self._debuggex = opts.debuggex self._debuggex = opts.debuggex
self._maxlines = 20
self._print_no_missed = opts.print_no_missed
self._print_no_ignored = opts.print_no_ignored
self._print_all_missed = opts.print_all_missed self._print_all_missed = opts.print_all_missed
self._print_all_ignored = opts.print_all_ignored self._print_all_ignored = opts.print_all_ignored
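Review bot: self._maxlines = 20 is a hard-coded magic number; lifting it to a class-level constant or, better, a --max-lines option would let users tune the truncation threshold and let the test suite exercise the "too many to print" path without needing fixtures of more than 20 lines.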
@ -267,16 +268,20 @@ class Fail2banRegex(object):
line_datetimestripped, ret = fail2banRegex.testRegex(line) line_datetimestripped, ret = fail2banRegex.testRegex(line)
if is_ignored: if is_ignored:
self._line_stats.ignored_lines.append(line) self._line_stats.ignored += 1
self._line_stats.ignored_lines_timeextracted.append(line_datetimestripped) if not self._print_no_ignored and (self._print_all_ignored or self._line_stats.ignored <= self._maxlines + 1):
self._line_stats.ignored_lines.append(line)
self._line_stats.ignored_lines_timeextracted.append(line_datetimestripped)
if len(ret) > 0: if len(ret) > 0:
assert(not is_ignored) assert(not is_ignored)
self._line_stats.matched += 1 self._line_stats.matched += 1
else: else:
if not is_ignored: if not is_ignored:
self._line_stats.missed_lines.append(line) self._line_stats.missed += 1
self._line_stats.missed_lines_timeextracted.append(line_datetimestripped) if not self._print_no_missed and (self._print_all_missed or self._line_stats.missed <= self._maxlines + 1):
self._line_stats.missed_lines.append(line)
self._line_stats.missed_lines_timeextracted.append(line_datetimestripped)
self._line_stats.tested += 1 self._line_stats.tested += 1
if line_no % 10 == 0: if line_no % 10 == 0:
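Review bot: the retention condition `self._line_stats.ignored <= self._maxlines + 1` (and the identical one for missed) does not agree with the printing condition `lines < self._maxlines` in printLines: lines are kept while the count is at most maxlines + 1, but they are only printed while the count is strictly below maxlines, so at exactly 20 or 21 lines every stored entry is discarded in favour of the "too many to print" message, and two lines are always stored for nothing. Use `< self._maxlines` in both places (or `<=` in both) so the two thresholds cannot drift apart.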
@ -286,9 +291,10 @@ class Fail2banRegex(object):
def printLines(self, ltype): def printLines(self, ltype):
lstats = self._line_stats lstats = self._line_stats
assert(len(lstats.missed_lines) == lstats.tested - (lstats.matched + lstats.ignored)) assert(self._line_stats.missed == lstats.tested - (lstats.matched + lstats.ignored))
lines = lstats[ltype]
l = lstats[ltype + '_lines'] l = lstats[ltype + '_lines']
if len(l): if lines:
header = "%s line(s):" % (ltype.capitalize(),) header = "%s line(s):" % (ltype.capitalize(),)
if self._debuggex: if self._debuggex:
if ltype == 'missed': if ltype == 'missed':
@ -296,21 +302,20 @@ class Fail2banRegex(object):
else: else:
regexlist = self._ignoreregex regexlist = self._ignoreregex
l = lstats[ltype + '_lines_timeextracted'] l = lstats[ltype + '_lines_timeextracted']
lines = len(l)*len(regexlist) if lines < self._maxlines or getattr(self, '_print_all_' + ltype):
if lines < 20 or getattr(self, '_print_all_' + ltype):
ans = [[]] ans = [[]]
for arg in [l, regexlist]: for arg in [l, regexlist]:
ans = [ x + [y] for x in ans for y in arg ] ans = [ x + [y] for x in ans for y in arg ]
b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' + debuggexURL(a[0], a[1].getFailRegex()), ans) b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' + debuggexURL(a[0], a[1].getFailRegex()), ans)
pprint_list([x.rstrip() for x in b], header) pprint_list([x.rstrip() for x in b], header)
else: else:
print "%s: too many to print. Use --print-all-%s " \ print "%s too many to print. Use --print-all-%s " \
"to print all %d lines" % (header, ltype, lines) "to print all %d lines" % (header, ltype, lines)
elif len(l) < 20 or getattr(self, '_print_all_' + ltype): elif lines < self._maxlines or getattr(self, '_print_all_' + ltype):
pprint_list([x.rstrip() for x in l], header) pprint_list([x.rstrip() for x in l], header)
else: else:
print "%s: too many to print. Use --print-all-%s " \ print "%s too many to print. Use --print-all-%s " \
"to print all %d lines" % (header, ltype, len(l)) "to print all %d lines" % (header, ltype, lines)
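Review bot: in the --debuggex branch the truncation threshold used to be len(l)*len(regexlist), one URL per line and regex, but is now the bare line count, so with several failregex entries the output can be many times maxlines before "too many to print" triggers (19 lines times 5 regexes is 95 URLs). Either keep the product, or compare len(b) against self._maxlines after building the cross product, and make the "to print all %d lines" message report the number that was actually compared.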
def printStats(self): def printStats(self):
print print
@ -354,8 +359,10 @@ class Fail2banRegex(object):
print "\nLines: %s" % self._line_stats print "\nLines: %s" % self._line_stats
self.printLines('ignored') if not self._print_no_ignored:
self.printLines('missed') self.printLines('ignored')
if not self._print_no_missed:
self.printLines('missed')
return True return True
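Review bot: the --print-no-* guard belongs inside printLines rather than at this call site: printLines tests `if lines:` on the counter, not on the stored list, so any other caller with --print-no-ignored set would still print the "Ignored line(s):" header, or the "too many to print" message, for lines that were deliberately never stored. A `if getattr(self, '_print_no_' + ltype): return` at the top of printLines keeps the function self-consistent and lets these two calls stay unconditional.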
@ -364,6 +371,14 @@ if __name__ == "__main__":
parser = get_opt_parser() parser = get_opt_parser()
(opts, args) = parser.parse_args() (opts, args) = parser.parse_args()
if opts.print_no_missed and opts.print_all_missed:
sys.stderr.write("ERROR: --print-no-missed and --print-all-missed are mutually exclusive.\n\n")
parser.print_help()
sys.exit(-1)
if opts.print_no_ignored and opts.print_all_ignored:
sys.stderr.write("ERROR: --print-no-ignored and --print-all-ignored are mutually exclusive.\n\n")
parser.print_help()
sys.exit(-1)
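Review bot: sys.exit(-1) produces exit status 255; optparse already provides parser.error(msg), which prints the usage line and the message to stderr and exits with status 2, the conventional usage-error code that optparse uses for every other bad invocation. Replacing each block with `parser.error("--print-no-missed and --print-all-missed are mutually exclusive")` is shorter, avoids dumping the full help on a simple option clash, and keeps the exit status consistent.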
fail2banRegex = Fail2banRegex(opts) fail2banRegex = Fail2banRegex(opts)

View File

@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-CLIENT "1" "January 2014" "fail2ban-client v0.8.12" "User Commands" .TH FAIL2BAN-CLIENT "1" "March 2014" "fail2ban-client v0.8.13" "User Commands"
.SH NAME .SH NAME
fail2ban-client \- configure and control the server fail2ban-client \- configure and control the server
.SH SYNOPSIS .SH SYNOPSIS
.B fail2ban-client .B fail2ban-client
[\fIOPTIONS\fR] \fI<COMMAND>\fR [\fIOPTIONS\fR] \fI<COMMAND>\fR
.SH DESCRIPTION .SH DESCRIPTION
Fail2Ban v0.8.12 reads log file that contains password failure report Fail2Ban v0.8.13 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules. and bans the corresponding IP addresses using firewall rules.
.SH OPTIONS .SH OPTIONS
.TP .TP

View File

@ -1,5 +1,5 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-REGEX "1" "January 2014" "fail2ban-regex 0.8.12" "User Commands" .TH FAIL2BAN-REGEX "1" "March 2014" "fail2ban-regex 0.8.13" "User Commands"
.SH NAME .SH NAME
fail2ban-regex \- test Fail2ban "failregex" option fail2ban-regex \- test Fail2ban "failregex" option
.SH SYNOPSIS .SH SYNOPSIS
@ -48,11 +48,17 @@ Be verbose in output
\fB\-D\fR, \fB\-\-debuggex\fR \fB\-D\fR, \fB\-\-debuggex\fR
Produce debuggex.com urls for debugging there Produce debuggex.com urls for debugging there
.TP .TP
\fB\-\-print\-no\-missed\fR
Do not print any missed lines
.TP
\fB\-\-print\-no\-ignored\fR
Do not print any ignored lines
.TP
\fB\-\-print\-all\-missed\fR \fB\-\-print\-all\-missed\fR
Either to print all missed lines Print all missed lines, no matter how many
.TP .TP
\fB\-\-print\-all\-ignored\fR \fB\-\-print\-all\-ignored\fR
Either to print all ignored lines Print all ignored lines, no matter how many
.TP .TP
\fB\-t\fR, \fB\-\-log\-traceback\fR \fB\-t\fR, \fB\-\-log\-traceback\fR
Enrich log\-messages with compressed tracebacks Enrich log\-messages with compressed tracebacks

View File

@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-SERVER "1" "January 2014" "fail2ban-server v0.8.12" "User Commands" .TH FAIL2BAN-SERVER "1" "March 2014" "fail2ban-server v0.8.13" "User Commands"
.SH NAME .SH NAME
fail2ban-server \- start the server fail2ban-server \- start the server
.SH SYNOPSIS .SH SYNOPSIS
.B fail2ban-server .B fail2ban-server
[\fIOPTIONS\fR] [\fIOPTIONS\fR]
.SH DESCRIPTION .SH DESCRIPTION
Fail2Ban v0.8.12 reads log file that contains password failure report Fail2Ban v0.8.13 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules. and bans the corresponding IP addresses using firewall rules.
.PP .PP
Only use this command for debugging purpose. Start the server with Only use this command for debugging purpose. Start the server with

View File

@ -133,7 +133,15 @@ filename(s) of the log files to be monitored. Globs -- paths containing * and ?
Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR. Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR.
.TP .TP
.B action .B action
action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines). action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by:
.RS
.RS
[name=value,name2=value,name3="values,values"]
.RE
Values can also be quoted (required when value includes a ","). More that one action can be specified (in separate lines).
.RE
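Review bot: "More that one action can be specified" in the last added line should read "More than one action"; since this paragraph is being rewritten anyway, fixing the typo here avoids a separate commit. The quoting example is good; it may also be worth saying explicitly that the quotes are needed because the argument list is split on ",", which is why an unquoted value containing a comma is parsed as two arguments.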
.TP .TP
.B ignoreip .B ignoreip
list of IPs not to ban. They can include a CIDR mask too. list of IPs not to ban. They can include a CIDR mask too.

View File

@ -288,6 +288,9 @@ class Filter(JailThread):
# IP address without CIDR mask # IP address without CIDR mask
if len(s) == 1: if len(s) == 1:
s.insert(1, '32') s.insert(1, '32')
elif "." in s[1]: # 255.255.255.0 style mask
s[1] = len(re.search(
"(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group())
s[1] = long(s[1]) s[1] = long(s[1])
try: try:
a = DNSUtils.cidr(s[0], s[1]) a = DNSUtils.cidr(s[0], s[1])
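Review bot: the new dotted-mask branch accepts anything containing a "." and converts it to a prefix length by counting only the leading run of 1 bits, so a non-contiguous mask such as 255.0.255.0 silently becomes /8, which widens the ignoreip range (the set of hosts that can never be banned) far beyond what the administrator wrote; and a mask of 0.0.0.0 makes re.search return None and raises AttributeError on .group() instead of a readable error. Suggest validating that the mask is contiguous before counting, for example with inv = ~m & 0xffffffff and requiring inv & (inv + 1) == 0, and logging and rejecting the entry otherwise, so that a typo in ignoreip fails loudly rather than exempting an unintended range from banning.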

View File

@ -209,4 +209,8 @@ class ProcessPyinotify(pyinotify.ProcessEvent):
# just need default, since using mask on watch to limit events # just need default, since using mask on watch to limit events
def process_default(self, event): def process_default(self, event):
self.__FileFilter.callback(event, origin='Default ') try:
self.__FileFilter.callback(event, origin='Default ')
except Exception as e:
logSys.error("Error in FilterPyinotify callback: %s",
e, exc_info=logSys.getEffectiveLevel() <= logging.DEBUG)
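Review bot: catching every exception here is the right call (an unhandled error in the callback would otherwise terminate the pyinotify watcher and silently stop monitoring that file), but confirm that `logging` is imported in this module since `logging.DEBUG` is referenced only in the new line; note also that a persistent failure, such as a bad regex, will now be re-logged at ERROR on every inotify event for that file, so consider rate-limiting or logging the repeat at a lower level.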

View File

@ -45,3 +45,7 @@
# failJSON: { "time": "2013-11-11T14:33:38", "match": true , "host": "192.168.55.152" } # failJSON: { "time": "2013-11-11T14:33:38", "match": true , "host": "192.168.55.152" }
[2013-11-11 14:33:38] WARNING[6756][C-0000001d] Ext. s: "Rejecting unknown SIP connection from 192.168.55.152" [2013-11-11 14:33:38] WARNING[6756][C-0000001d] Ext. s: "Rejecting unknown SIP connection from 192.168.55.152"
# failJSON: { "time": "2004-11-04T18:30:40", "match": true , "host": "192.168.200.100" }
Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from '<sip:301@example.com>' failed for '192.168.200.100:36998' - Wrong password

View File

@ -19,19 +19,11 @@ Dec 12 11:19:11 dunnart dovecot: pop3-login: Aborted login (tried to use disallo
Jun 13 16:30:54 platypus dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<username.bob>, method=PLAIN, rip=49.176.98.87, lip=113.212.99.194, TLS Jun 13 16:30:54 platypus dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<username.bob>, method=PLAIN, rip=49.176.98.87, lip=113.212.99.194, TLS
# failJSON: { "time": "2005-06-14T00:48:21", "match": true , "host": "59.167.242.100" } # failJSON: { "time": "2005-06-14T00:48:21", "match": true , "host": "59.167.242.100" }
Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=59.167.242.100, lip=113.212.99.194, TLS: Disconnected Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=59.167.242.100, lip=113.212.99.194, TLS: Disconnected
# failJSON: { "time": "2005-06-13T20:48:11", "match": true , "host": "121.44.24.254" }
Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected
# failJSON: { "time": "2005-06-13T21:48:06", "match": true , "host": "180.200.180.81" }
Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS
# failJSON: { "time": "2005-06-13T20:20:21", "match": true , "host": "180.189.168.166" }
Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected
# failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" } # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210 Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210
# failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" } # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg> Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "192.51.100.13" }
Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session=<LgDINsQCkttVIMPg>
# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "200.76.17.206" } # failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "200.76.17.206" }
Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s) Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s)
@ -48,3 +40,24 @@ Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth fai
# failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" } # failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" }
Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session=<q454Xu/vMwBZApgg> Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session=<q454Xu/vMwBZApgg>
# failJSON: { "time": "2005-01-29T09:33:58", "match": true , "host": "212.9.180.3" }
Jan 29 09:33:58 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<grace>, method=PLAIN, rip=212.9.180.3
# failJSON: { "time": "2005-01-29T09:34:17", "match": true , "host": "1.2.3.4" }
Jan 29 09:34:17 pop3-login: Info: Aborted login (auth failed, 1 attempts in 62 secs): user=<carl.matx@sxxxxxxx.net>, method=PLAIN, rip=1.2.3.4, TLS
# failJSON: { "time": "2005-01-29T09:38:03", "match": true , "host": "117.218.51.80" }
Jan 29 09:38:03 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=<suzanne>, method=PLAIN, rip=117.218.51.80
# failJSON: { "time": "2005-01-29T09:38:46", "match": false , "host": "176.61.137.100" }
Jan 29 09:38:46 pop3-login: Info: Disconnected (no auth attempts in 10 secs): user=<>, rip=176.61.137.100, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
# failJSON: { "time": "2005-06-13T20:48:11", "match": false , "host": "121.44.24.254" }
Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected
# failJSON: { "time": "2005-06-13T21:48:06", "match": false , "host": "180.200.180.81" }
Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS
# failJSON: { "time": "2005-06-13T20:20:21", "match": false , "host": "180.189.168.166" }
Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected
# failJSON: { "time": "2005-07-02T13:49:32", "match": false , "host": "192.51.100.13" }
Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session=<LgDINsQCkttVIMPg>
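Review bot: flipping the "no auth attempts" samples from match: true to match: false changes what the dovecot jail bans, since TLS handshake failures and connections that never attempted authentication are no longer counted; this is a sensible false-positive reduction (the SSL_accept() "unknown protocol" sample is exactly the kind of line that should not ban), but it deserves a ChangeLog entry because administrators who relied on those lines to catch scanners will see fewer bans after upgrading.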

View File

@ -0,0 +1,4 @@
# Access of unauthorized host in /var/log/messages
# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" }
Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us!

View File

@ -0,0 +1,12 @@
# failJSON: { "time": "2005-02-16T23:33:20", "match": true , "host": "190.5.230.178" }
Feb 16 23:33:20 smtp1 sm-mta[5133]: s1GNXHYB005133: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5
# failJSON: { "time": "2005-02-16T23:40:36", "match": true , "host": "75.176.164.191" }
Feb 16 23:40:36 smtp1 sm-mta[5178]: s1GNeNqe005178: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
# failJSON: { "time": "2005-02-24T12:10:15", "match": true , "host": "211.75.6.133" }
Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-133.HINET-IP.hinet.net [211.75.6.133]: possible SMTP attack: command=AUTH, count=6
# failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" }
Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6
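Review bot: every sample here carries count=5 or count=6, meaning sendmail logs "possible SMTP attack" only after several failed AUTH attempts have already accumulated, so with the default maxretry the jail needs that many such lines before it bans; the jail.conf definition for this filter should set a lower maxretry (1 or 2) and say why, otherwise the filter is far less aggressive than its name suggests.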

View File

@ -0,0 +1,67 @@
# failJSON: { "time": "2005-02-25T03:01:10", "match": true , "host": "128.68.136.133" }
Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=<asservnew@freemailhost.ru>, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 <asservnew@freemailhost.ru>... Relaying denied. Proper authentication required.
# failJSON: { "time": "2005-02-23T21:36:14", "match": true , "host": "80.253.155.119" }
Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
# failJSON: { "time": "2005-02-24T07:33:59", "match": true , "host": "118.161.66.57" }
Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
# failJSON: { "time": "2005-02-23T07:57:28", "match": true , "host": "2.180.185.27" }
Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=<camila.pinto@camilopinto.pt>, relay=[2.180.185.27], reject=553 5.1.8 <camila.pinto@camilopinto.pt>... Domain of sender address camila.pinto@andrewweitzman.com does not exist
# failJSON: { "time": "2005-02-23T14:13:08", "match": true , "host": "85.60.238.161" }
Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=<anabelaalvesd@camilopinto.pt>, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 <anabelaalvesd@camilopinto.pt>... Domain of sender address anabelaalvesd@dsldevice.lan does not exist
# failJSON: { "time": "2005-02-24T05:07:40", "match": true , "host": "202.53.73.138" }
Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=<camilo_pinto@camilopinto.pt>, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 <camilo_pinto@camilopinto.pt>... Domain of sender address root@srv.montserv.com does not exist
# failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" }
Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=<joaofr@camilopinto.pt>, relay=[151.232.63.226], reject=550 5.7.1 <joaofr@camilopinto.pt>... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org
# failJSON: { "time": "2005-02-23T04:36:21", "match": true , "host": "74.137.127.206" }
Feb 23 04:36:21 kismet sm-acceptingconnections[12603]: s1N9aKAw012603: ruleset=check_rcpt, arg1=<user@host.com>, relay=74-137-127-206.dhcp.insightbb.com [74.137.127.206], reject=550 5.7.1 <user@host.com>... Rejected: IP in SpamCop blacklist, see: http://spamcop.net/bl.shtml?74.137.127.206
# failJSON: { "time": "2005-02-23T04:38:57", "match": true , "host": "203.229.186.250" }
Feb 23 04:38:57 kismet sm-acceptingconnections[16772]: s1N9csSZ016772: ruleset=check_rcpt, arg1=<user@host.com>, relay=[203.229.186.250], reject=550 5.7.1 <user@host.com>... Rejected: IP in Barracuda RBL, see: http://www.barracudacentral.org/reputation?ip=203.229.186.250
# failJSON: { "time": "2005-02-23T06:06:04", "match": true , "host": "186.54.117.93" }
Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: ruleset=check_rcpt, arg1=<user@host.com>, relay=r186-54-117-93.dialup.adsl.anteldata.net.uy [186.54.117.93], reject=550 5.7.1 <user@host.com>... Rejected: IP in SpamHaus PBL, see http://www.spamhaus.org/query/bl?ip=186.54.117.93
# failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" }
Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
# failJSON: { "time": "2005-02-27T15:49:07", "match": true , "host": "189.30.205.74" }
Feb 27 15:49:07 batman sm-mta[88390]: ruleset=check_relay, arg1=189-30-205-74.paebv701.dsl.brasiltelecom.net.br, arg2=189.30.205.74, relay=189-30-205-74.paebv701.dsl.brasiltelecom.net.br [189.30.205.74], reject=421 4.3.2 Too many open connections.
# failJSON: { "time": "2005-02-19T18:01:50", "match": true , "host": "196.213.73.146" }
Feb 19 18:01:50 batman sm-mta[78152]: ruleset=check_relay, arg1=[196.213.73.146], arg2=196.213.73.146, relay=[196.213.73.146], reject=421 4.3.2 Connection rate limit exceeded.
# failJSON: { "time": "2005-02-27T10:53:06", "match": true , "host": "209.15.212.253" }
Feb 27 10:53:06 batman sm-mta[44307]: s1R9r60D044307: rejecting commands from [209.15.212.253] due to pre-greeting traffic after 0 seconds
# failJSON: { "time": "2005-02-27T15:44:18", "match": true , "host": "41.204.78.137" }
Feb 27 15:44:18 batman sm-mta[87838]: s1REiHdq087838: ruleset=check_rcpt, arg1=<gert-jan@t-online.ch>, relay=[41.204.78.137], reject=550 5.7.1 <gert-jan@t-online.ch>... Relaying denied. IP name lookup failed [41.204.78.137]
# failJSON: { "time": "2005-02-27T15:49:02", "match": true , "host": "189.30.205.74" }
Feb 27 15:49:02 batman sm-mta[88377]: s1REn1un088377: ruleset=check_rcpt, arg1=<non-existing-user@example.com>, relay=189-30-205-74.paebv701.dsl.brasiltelecom.net.br [189.30.205.74], reject=550 5.1.1 <non-existing-user@example.com>... User unknown
# failJSON: { "time": "2005-02-27T22:44:42", "match": true , "host": "123.69.106.50" }
Feb 27 22:44:42 batman sm-mta[30972]: s1RLieRP030972: ruleset=check_rcpt, arg1=<existing-user@example.com>, relay=[123.69.106.50], reject=553 5.1.8 <existing-user@example.com>... Domain of sender address lf@ibuv.net does not exist
# failJSON: { "time": "2005-02-23T21:18:47", "match": true , "host": "76.72.174.70" }
Feb 23 21:18:47 batman sm-mta[93301]: s1NKIkZa093301: [76.72.174.70]: EXPN root [rejected]
# failJSON: { "time": "2005-02-13T01:16:50", "match": true , "host": "217.193.142.180" }
Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: expn info [rejected]
# failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" }
Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: EXPN root [rejected]
# failJSON: { "time": "2005-02-13T01:16:50", "match": true , "host": "217.193.142.180" }
Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: vrfy info [rejected]
# failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" }
Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: VRFY root [rejected]
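Review bot: the three check_relay samples (Feb 24 01:46:44, Feb 27 15:49:07, Feb 19 18:01:50) have no queue-id token after sm-mta[pid]: while every other line does, so the failregex must treat that token as optional; good that the test pins this down. Separately, reconsider whether the 421 4.3.2 "Connection rate limit exceeded" and "Too many open connections" rejections should count as failures at all: they fire for busy legitimate peers as readily as for abusers, and combined with a low maxretry they could get a large upstream relay banned.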

View File

@ -188,6 +188,15 @@ class IgnoreIP(LogCaptureTestCase):
self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255')) self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255'))
self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255')) self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255'))
def testIgnoreIPMask(self):
self.filter.addIgnoreIP('192.168.1.0/255.255.255.128')
self.assertTrue(self.filter.inIgnoreIPList('192.168.1.0'))
self.assertTrue(self.filter.inIgnoreIPList('192.168.1.1'))
self.assertTrue(self.filter.inIgnoreIPList('192.168.1.127'))
self.assertFalse(self.filter.inIgnoreIPList('192.168.1.128'))
self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255'))
self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255'))
def testIgnoreInProcessLine(self): def testIgnoreInProcessLine(self):
self.filter.addIgnoreIP('192.168.1.0/25') self.filter.addIgnoreIP('192.168.1.0/25')
self.filter.addFailRegex('<HOST>') self.filter.addFailRegex('<HOST>')
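Review bot: testIgnoreIPMask exercises only a valid contiguous mask; add negative cases for a non-contiguous mask such as 255.0.255.0 and for 0.0.0.0 so the dotted-mask branch in filter.py has its error handling pinned down, including whether a bad mask should raise or be skipped with a logged warning.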