Commit Graph

3740 Commits (d8469b39732ccf970f2819211e13c3bab414330b)

Author SHA1 Message Date
Yaroslav Halchenko 408bed5464 preliminary patch for backports to wheezy etc (systemd support "disabled")
also removing obsolete patch for lucid -- will just not build for it any longer
2014-10-27 23:15:38 -04:00
Yaroslav Halchenko 4e543da4ba changelog + policy boost 2014-10-27 22:02:23 -04:00
Yaroslav Halchenko b1d7c3f3ff What aught to be a bugfix release delayed into a featured release 0.9.1
ver. 0.9.1 (2014/10/29) - better, faster, stronger
 ----------
 
 - Refactoring (IMPORTANT -- Please review your setup and configuration):
    * iptables-common.conf replaced iptables-blocktype.conf
      (iptables-blocktype.local should still be read) and now also
      provides defaults for the chain, port, protocol and name tags
 
 - Fixes:
    * start of file2ban aborted (on slow hosts, systemd considers the server has
      been timed out and kills him), see gh-824
    * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
    * systemd backend error on bad utf-8 in python3
    * badips.py action error when logging HTTP error raised with badips request
    * fail2ban-regex failed to work in python3 due to space/tab mix
    * recidive regex samples incorrect log level
    * journalmatch for recidive incorrect PRIORITY
    * loglevel couldn't be changed in fail2ban.conf
    * Handle case when no sqlite library is available for persistent database
    * Only reban once per IP from database on fail2ban restart
    * Nginx filter to support missing server_name. Closes gh-676
    * fail2ban-regex assertion error caused by miscount missed lines with
      multiline regex
    * Fix actions failing to execute for Python 3.4.0. Workaround for
      http://bugs.python.org/issue21207
    * Database now returns persistent bans on restart (bantime < 0)
    * Recursive action tags now fully processed. Fixes issue with bsd-ipfw
      action
    * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
      Thanks Serg G. Brester
    * Correct times for non-timezone date times formats during DST
    * Pass a copy of, not original, aInfo into actions to avoid side-effects
    * Per-distribution paths to the exim's main log
    * Ignored IPs are no longer banned when being restored from persistent
      database
    * Manually unbanned IPs are now removed from persistent database, such they
      wont be banned again when Fail2Ban is restarted
    * Pass "bantime" parameter to the actions in default jail's action
      definition(s)
    * filters.d/sieve.conf - fixed typo in _daemon.  Thanks Jisoo Park
    * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
      Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
      Debian bug #755173
    * postfix-sasl - added journalmatch.  Thanks Luc Maisonobe
    * postfix* - match with a new daemon string (postfix/submission/smtpd).
      Closes gh-804 .  Thanks Paul Traina
    * apache - added filter for AH01630 client denied by server configuration.
 
 - New features:
    - New filters:
      - monit  Thanks Jason H Martin
      - directadmin  Thanks niorg
      - apache-shellshock  Thanks Eugene Hopkinson (SlowRiot)
    - New actions:
      - symbiosis-blacklist-allports  for Bytemark symbiosis firewall
    - fail2ban-client can fetch the running server version
    - Added Cloudflare API action
 
 - Enhancements
    * Start performance of fail2ban-client (and tests) increased, start time
      and cpu usage rapidly reduced. Introduced a shared storage logic, to
      bypass reading lots of config files (see gh-824).
      Thanks to Joost Molenaar for good catch (reported gh-820).
    * Fail2ban-regex - add print-all-matched option. Closes gh-652
    * Suppress fail2ban-client warnings for non-critical config options
    * Match non "Bye Bye" disconnect messages for sshd locked account regex
    * courier-smtp filter:
      - match lines with user names
      - match lines containing "535 Authentication failed" attempts
    * Add <chain> tag to iptables-ipsets
    * Realign fail2ban log output with white space to improve readability. Does
      not affect SYSLOG output
    * Log unhandled exceptions
    * cyrus-imap: catch "user not found" attempts
    * Add support for Portsentry
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlRO9sEACgkQjRFFY3XAJMi/5wCgktRXWZyyjT/vBWPqYGbpjT0x
 29UAnAxPZaUBBuzenJ5ROMNA7Xbrmzoq
 =Fd3J
 -----END PGP SIGNATURE-----

Merge tag '0.9.1' into debian

What aught to be a bugfix release delayed into a featured release 0.9.1

ver. 0.9.1 (2014/10/29) - better, faster, stronger
----------

- Refactoring (IMPORTANT -- Please review your setup and configuration):
   * iptables-common.conf replaced iptables-blocktype.conf
     (iptables-blocktype.local should still be read) and now also
     provides defaults for the chain, port, protocol and name tags

- Fixes:
   * start of file2ban aborted (on slow hosts, systemd considers the server has
     been timed out and kills him), see gh-824
   * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
   * systemd backend error on bad utf-8 in python3
   * badips.py action error when logging HTTP error raised with badips request
   * fail2ban-regex failed to work in python3 due to space/tab mix
   * recidive regex samples incorrect log level
   * journalmatch for recidive incorrect PRIORITY
   * loglevel couldn't be changed in fail2ban.conf
   * Handle case when no sqlite library is available for persistent database
   * Only reban once per IP from database on fail2ban restart
   * Nginx filter to support missing server_name. Closes gh-676
   * fail2ban-regex assertion error caused by miscount missed lines with
     multiline regex
   * Fix actions failing to execute for Python 3.4.0. Workaround for
     http://bugs.python.org/issue21207
   * Database now returns persistent bans on restart (bantime < 0)
   * Recursive action tags now fully processed. Fixes issue with bsd-ipfw
     action
   * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
     Thanks Serg G. Brester
   * Correct times for non-timezone date times formats during DST
   * Pass a copy of, not original, aInfo into actions to avoid side-effects
   * Per-distribution paths to the exim's main log
   * Ignored IPs are no longer banned when being restored from persistent
     database
   * Manually unbanned IPs are now removed from persistent database, such they
     wont be banned again when Fail2Ban is restarted
   * Pass "bantime" parameter to the actions in default jail's action
     definition(s)
   * filters.d/sieve.conf - fixed typo in _daemon.  Thanks Jisoo Park
   * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
     Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
     Debian bug #755173
   * postfix-sasl - added journalmatch.  Thanks Luc Maisonobe
   * postfix* - match with a new daemon string (postfix/submission/smtpd).
     Closes gh-804 .  Thanks Paul Traina
   * apache - added filter for AH01630 client denied by server configuration.

- New features:
   - New filters:
     - monit  Thanks Jason H Martin
     - directadmin  Thanks niorg
     - apache-shellshock  Thanks Eugene Hopkinson (SlowRiot)
   - New actions:
     - symbiosis-blacklist-allports  for Bytemark symbiosis firewall
   - fail2ban-client can fetch the running server version
   - Added Cloudflare API action

- Enhancements
   * Start performance of fail2ban-client (and tests) increased, start time
     and cpu usage rapidly reduced. Introduced a shared storage logic, to
     bypass reading lots of config files (see gh-824).
     Thanks to Joost Molenaar for good catch (reported gh-820).
   * Fail2ban-regex - add print-all-matched option. Closes gh-652
   * Suppress fail2ban-client warnings for non-critical config options
   * Match non "Bye Bye" disconnect messages for sshd locked account regex
   * courier-smtp filter:
     - match lines with user names
     - match lines containing "535 Authentication failed" attempts
   * Add <chain> tag to iptables-ipsets
   * Realign fail2ban log output with white space to improve readability. Does
     not affect SYSLOG output
   * Log unhandled exceptions
   * cyrus-imap: catch "user not found" attempts
   * Add support for Portsentry

* tag '0.9.1': (36 commits)
  ENH: additional versioning changes
  Refreshed manpages
  ENH: fail early in generate-man + provide PYTHONPATH upstairs
  Changes for the 0.9.1 release versioning
  Populated MANIFEST with more entries which were preiously missed or duplicated. Sorted within each "section"
  Add portsentry to changelog
  ConfigReader.touch renamed into protected _create_unshared
  DOC: documentation about available vagrantfile setup
  Added myself into THANKS
  DOC: adjust docs in mytime to place docs into docstrings
  ENH: do use @staticmethod (we are well beyond support of 2.4 now)
  testExecuteTimeout fixed: give a test still 1 second, because system could be too busy
  coverage: no cover (for failed except)
  fix: fail2ban-regex with filter file failed (after merging #824, because test case missing); test case for 'readexplicit' added;
  ENH:  remove obsolete code for python < 2.6 (we support >= 2.6)
  DOC: very minor (tabs/spaces)
  We better check that installation doesn't cause any errors as well
  code review, change log entries added;
  reset share/cache storage (if we use 'reload' in client with interactive mode)
  normalize tabs/spaces in docstrings;
  ...
2014-10-27 21:52:39 -04:00
Yaroslav Halchenko a0115ee458 ENH: additional versioning changes 2014-10-27 21:49:40 -04:00
Yaroslav Halchenko d0a5fe620f Refreshed manpages 2014-10-27 21:47:48 -04:00
Yaroslav Halchenko 564eb3389b ENH: fail early in generate-man + provide PYTHONPATH upstairs 2014-10-27 21:47:07 -04:00
Yaroslav Halchenko 987356d6c0 Changes for the 0.9.1 release versioning 2014-10-27 21:43:17 -04:00
Yaroslav Halchenko 9e8e4dde69 Populated MANIFEST with more entries which were preiously missed or duplicated. Sorted within each "section" 2014-10-27 21:43:11 -04:00
Yaroslav Halchenko fc145eb795 Merge pull request #748 from pacop/master
ENH: Add dateTime format for PortSentry
2014-10-25 12:34:00 -04:00
Yaroslav Halchenko 8a453018a9 Merge pull request #830 from sebres/_tent/cache-config-read-fix1
fix: fail2ban-regex with filter file failed
2014-10-25 12:30:55 -04:00
pacop b60e2bf42f Add portsentry to changelog 2014-10-25 18:17:57 +02:00
pacop e3a037ee3f merge master 2014-10-25 18:15:34 +02:00
sebres 3dac765598 ConfigReader.touch renamed into protected _create_unshared 2014-10-25 17:20:01 +02:00
Yaroslav Halchenko 0b5413ec0b Merge branch 'master' of git://github.com/fail2ban/fail2ban
* 'master' of git://github.com/fail2ban/fail2ban:
2014-10-25 10:38:28 -04:00
Florian Pelgrim 3dabd5fc83 DOC: documentation about available vagrantfile setup
manually picked up from a commit within
https://github.com/fail2ban/fail2ban/pull/786
2014-10-25 10:38:18 -04:00
Florian Pelgrim 6293e44889 Added myself into THANKS 2014-10-25 10:37:28 -04:00
Yaroslav Halchenko b2b5d0b41c Merge pull request #829 from yarikoptic/minimal_python2.6
ENH:  remove obsolete code for python < 2.6 (we support >= 2.6)
2014-10-25 10:32:10 -04:00
Yaroslav Halchenko e1a5decc00 DOC: adjust docs in mytime to place docs into docstrings 2014-10-25 09:34:37 -04:00
Yaroslav Halchenko caa6006a31 ENH: do use @staticmethod (we are well beyond support of 2.4 now) 2014-10-25 09:25:18 -04:00
sebres 07d4badfd0 testExecuteTimeout fixed: give a test still 1 second, because system could be too busy 2014-10-24 05:42:58 +02:00
sebres bef0502e6b coverage: no cover (for failed except) 2014-10-24 05:28:35 +02:00
sebres 0b0ea41f87 fix: fail2ban-regex with filter file failed (after merging #824, because test case missing);
test case for 'readexplicit' added;
2014-10-24 04:59:44 +02:00
Yaroslav Halchenko d4015d6566 ENH: remove obsolete code for python < 2.6 (we support >= 2.6) 2014-10-23 14:51:51 -04:00
Yaroslav Halchenko e2f49b7334 DOC: very minor (tabs/spaces) 2014-10-23 14:44:10 -04:00
Yaroslav Halchenko 78e1a13fad Merge branch '_tent/cache-config-read' of https://github.com/sebres/fail2ban
* '_tent/cache-config-read' of https://github.com/sebres/fail2ban:
  code review, change log entries added;
  reset share/cache storage (if we use 'reload' in client with interactive mode)
  normalize tabs/spaces in docstrings;
  cache-config-read-v2 merged; logging normalized, set log level for loading (read or use shared) file(s) to INFO; prevent to read some files twice by read inside "_getIncludes" and by "read" self (occurred by only one file);
  code review; more stable config sharing, configurator always shares it config readers now;
  code review: use the same code (corresponding test cases - with sharing on and without it);
  rewritten caching resp. sharing of ConfigReader and SafeConfigParserWithIncludes (v.2, first and second level cache, without fingerprinting etc.);
  code review
  ConfigReader/ConfigWrapper renamed as suggested from @yarikoptic; + code clarifying (suggested also);
  Partially merge remote-tracking from 'sebres:cache-config-read-820': test cases extended, configurator.py adapted for test case.
  ENH: keep spitting out logging to the screen in LogCaptureTestCases if HEAVYDEBUG
  test case for check the read of config files will be cached;
  more precise by test
  ConfigWrapper class introduced: sharing of the same ConfigReader object between JailsReader and JailReader (don't read jail config each jail); sharing of the same DefinitionInitConfigReader (ActionReader, FilterReader) between all jails using that; cache of read a config files was optimized; test case extended for all types of config readers;
  config cache optimized - prevent to read the same config file inside different resources multiple times; test case: read jail file only once;
  test case for check the read of config files will be cached;
  caching of read config files, to make start of fail2ban faster, see issue #820
2014-10-23 14:28:33 -04:00
Yaroslav Halchenko 5ac496d030 We better check that installation doesn't cause any errors as well 2014-10-12 17:28:35 -04:00
Yaroslav Halchenko fbce121967 adjusted changelog revision, apparently I fell into a trap of unannotated tag for 0.9.0 release 2014-10-12 16:45:57 -04:00
Yaroslav Halchenko 6f4e542eff Merge commit '0.9.0-252-g47441d1' into debian-releases/experimental
* commit '0.9.0-252-g47441d1':
  BF: made tests util digest.py friendly to python3
2014-10-12 16:45:30 -04:00
Yaroslav Halchenko 47441d1383 Merge remote-tracking branch 'origin/master'
* origin/master:
  RF: moving logwatch setup/sample logs under files/logwatch
  ENH: print rebans stats even if no "Failures" are logged, and reduce indentation in output
  ENH: untabified and reindented entire script for sane formatting (no functional changes)
  BF: logwatch -- fixing up regex for 'already banned'
  Sample logfiles to test logwatch services script
  Adjusting fail2ban logwatch script to match lines from 0.9 as well
2014-10-12 16:44:24 -04:00
Yaroslav Halchenko 86a5f42f73 BF: made tests util digest.py friendly to python3 2014-10-12 16:40:29 -04:00
Yaroslav Halchenko a33207bf87 changelog 2014-10-12 10:31:48 -04:00
Yaroslav Halchenko eb6cc726ff Merge branch 'debian-release/experimental' of https://github.com/schaal/fail2ban into debian-releases/experimental
* 'debian-release/experimental' of https://github.com/schaal/fail2ban:
  Switch debian packaging to use python3
2014-10-12 10:26:48 -04:00
Yaroslav Halchenko cb662e2368 Merge commit '0.9.0a2-814-g98dc084' into debian-releases/experimental
* commit '0.9.0a2-814-g98dc084':
  tests: define CONFIG_DIR in utils.
  forgot to add test case to last commit
  adding test case, changelog and thanks entries for apache shellshock filter
  adding jail conf for shellshock filter
  adding filter to detect Shellshock attack attempts against bash scripts through apache.  See http://seclists.org/oss-sec/2014/q3/650
  Add apache filter for AH01630 client denied by server configuration
  RF: moving logwatch setup/sample logs under files/logwatch
  DOC: Changelog and THANKS for  previous changes
  RF: remove those two additional failregexes for the postfix
  ENH: add empty ignoreregex to avoid a warning (Close #805)
  Update test cases and also suport smtps per request.
  Add support for postfix/submission/smtpd matching.
  ENH: print rebans stats even if no "Failures" are logged, and reduce indentation in output
  ENH: untabified and reindented entire script for sane formatting (no functional changes)
  BF: logwatch -- fixing up regex for 'already banned'
  Sample logfiles to test logwatch services script
  Adjusting fail2ban logwatch script to match lines from 0.9 as well
2014-10-12 10:26:36 -04:00
Yaroslav Halchenko 98dc0844ce Merge pull request #782 from yarikoptic/bf/logwatch
logwatch file (original 1.5 version + fixes for change of logs in 0.9)
2014-10-10 22:15:57 -04:00
sebres 7d3e6e9935 code review, change log entries added; 2014-10-10 20:06:58 +02:00
sebres 73a06d55a8 reset share/cache storage (if we use 'reload' in client with interactive mode) 2014-10-10 18:50:24 +02:00
sebres 7f5d4aa7a6 normalize tabs/spaces in docstrings; 2014-10-10 16:59:40 +02:00
sebres 95bdcdecaa cache-config-read-v2 merged;
logging normalized, set log level for loading (read or use shared) file(s) to INFO;
prevent to read some files twice by read inside "_getIncludes" and by "read" self (occurred by only one file);
2014-10-10 16:49:08 +02:00
sebres 02a46d0901 code review;
more stable config sharing, configurator always shares it config readers now;
2014-10-10 12:05:49 +02:00
sebres e0eb4f2358 code review: use the same code (corresponding test cases - with sharing on and without it); 2014-10-10 02:47:42 +02:00
sebres c35b4b24d2 rewritten caching resp. sharing of ConfigReader and SafeConfigParserWithIncludes (v.2, first and second level cache, without fingerprinting etc.); 2014-10-10 02:10:13 +02:00
sebres 37952ab75f code review 2014-10-09 19:51:53 +02:00
sebres f67053c2ec ConfigReader/ConfigWrapper renamed as suggested from @yarikoptic;
+ code clarifying (suggested also);
2014-10-09 19:01:49 +02:00
sebres f6723a12ff Merge branch 'cache-config-read-820' into _tent/cache-config-read 2014-10-09 18:01:31 +02:00
sebres b62ce14ccd Partially merge remote-tracking from 'sebres:cache-config-read-820':
test cases extended, configurator.py adapted for test case.
2014-10-09 18:00:45 +02:00
Yaroslav Halchenko 0c5f11079c ENH: keep spitting out logging to the screen in LogCaptureTestCases if HEAVYDEBUG 2014-10-09 10:47:00 -04:00
sebres f31607ded1 test case for check the read of config files will be cached;
Conflicts:
	fail2ban/tests/clientreadertestcase.py -- removed not needed
        time in imports
2014-10-09 10:30:17 -04:00
sebres 51cae63bf0 more precise by test 2014-10-09 15:39:58 +02:00
sebres 4244c87802 ConfigWrapper class introduced: sharing of the same ConfigReader object between JailsReader and JailReader (don't read jail config each jail);
sharing of the same DefinitionInitConfigReader (ActionReader, FilterReader) between all jails using that;
cache of read a config files was optimized;
test case extended for all types of config readers;
2014-10-09 14:51:08 +02:00
sebres 2a54e61238 config cache optimized - prevent to read the same config file inside different resources multiple times;
test case: read jail file only once;
2014-10-08 15:44:32 +02:00