__ _ _ ___ _ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ Fail2Ban (version 0.8.10) 2013/06/12 ================================================================================ ver. 0.8.10 (2013/06/12) - wanna-be-secure ----------- Primarily bugfix and enhancements release, triggered by "bugs" in apache- filters. If you are relying on listed below apache- filters, upgrade asap and seek your distributions to patch their fail2ban distribution with [6ccd5781]. - Fixes: Yaroslav Halchenko * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor failregex at the beginning (and where applicable at the end). Addresses a possible DoS. Closes gh-248 * action.d/{route,shorewall}.conf - blocktype must be defined within [Init]. Closes gh-232 - Enhancements Yaroslav Halchenko * jail.conf -- assure all jails have actions and remove unused ports specifications Terence Namusonge * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ Daniel Black * files/suse-initd -- update to the copy from stock SUSE silviogarbes & Daniel Black * Updates to asterisk filter. Closes gh-227/gh-230. Carlos Alberto Lopez Perez * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244. ver. 0.8.9 (2013/05/13) - wanna-be-stable ---------- Originally targeted as a bugfix release, it incorporated many new enhancements, few new features, and more importantly -- quite extended tests battery with current 94% coverage (from 56% of 0.8.8). This release introduces over 200 of non-merge commits from 16 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki, ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither, Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli. Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom Hendrikx, Yehuda Katz and other TBN heroes supporting users on fail2ban-users mailing list and IRC. - Fixes: Yaroslav Halchenko * [6f4dad46] python-2.4 is the minimal version. * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. on Fedora. Closes gh-112. Thanks to Camusensei for the bug report. * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh-103. * [ab044b75] delay check for the existence of config directory until read. * [3b4084d4] fixing up for handling of TAI64N timestamps. * [154aa38e] do not shutdown logging until all jails stop. * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. Thanks to Jon Foster for report and troubleshooting. Orion Poplawski * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories. Nicolas Collignon * [39667ff6] Avoid leaking file descriptors. Closes gh-167. Sergey Brester * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list. Steven Hiscocks * [7a442f07] When changing log target with python2.{4,5} handle KeyError. Closes gh-147, gh-148. * [b6a68f51] Fix delaction on server side. Closes gh-124. Daniel Black * [f0610c01] Allow more that a one word command when changing and Action via the fail2ban-client. Closes gh-134. * [945ad3d9] Fix dates on email actions to work in different locals. Closes gh-70. Thanks to iGeorgeX for the idea. blotus * [96eb8986] ' and " should also be escaped in action tags Closes gh-109 Christoph Theis, Nick Hilliard, Daniel Black * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD - New features: Yaroslav Halchenko * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} to provide additional flexibility to system adminstrators. Thanks to beilber for the idea. Closes gh-114. * [3ce53e87] Add exim filter. Erwan Ben Souiden * [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh-166. Artur Penttinen * [29d0df5] Add mysqld filter. Closes gh-152. ArndRaphael Brandes * [bba3fd8] Add Sogo filter. Closes gh-117. Michael Gebetsriother * [f9b78ba] Add action route to block at routing level. Teodor Micu & Yaroslav Halchenko * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. Daniel Black * [be06b1b] Add action for iptables-ipsets. Closes gh-102. Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk * [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports. Soulard Morgan * [f336d9f] Add filter for webmin. Closes gh-99. Steven Hiscocks * [..746c7d9] bash interactive shell completions for fail2ban-*'s Nick Hilliard * [0c5a9c5] Add pf action. - Enhancements: Enrico Labedzki * [24a8d07] Added new date format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172. * [MANY] Improvements to test cases, travis, and code coverage (coveralls). * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124. * [ce3ab34] Added ability to specify PID file. Orion Poplawski * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh-142. Yaroslav Halchenko * [MANY] Lots of improvements to log messages, man pages and test cases. * [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh-126. Bug report by Michael Heuberger. * [40c5a2d] adding more of diagnostic messages into -client while starting the daemon. * [8e63d4c] Compare against None with 'is' instead of '=='. * [6fef85f] Strip CR and LF while analyzing the log line Daniel Black * [3aeb1a9] Add jail.conf manual page. Closes gh-143. * [MANY] man page edits. * [7cd6dab] Added help command to fail2ban-client. * [c8c7b0b,23bbc60] Better logging of log file read errors. * [3665e6d] Added code coverage to development process. * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes. * [1d9abd1] Action files can have tags in definition that refer to other tags. * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port unreachable rather than just a drop of the packet. Pascal Borreli * [a2b29b4] Fixed lots of typos in config files and documentation. hamilton5 * [7ede1e8] Update dovecot filter config. Romain Riviere * [0ac8746] Enhance named-refused filter for views. James Stout * [..2143cdf] Solaris support enhancements: - README.Solaris - failregex'es tune ups (sshd.conf) - hostsdeny: do not rely on support of '-i' in sed ver. 0.8.8 (2012/12/06) - stable ---------- - Fixes: Alan Jenkins * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid banning due to misconfigured DNS. Closes gh-64 Yaroslav Halchenko * [83109bc] IMPORTANT: escape the content of (if used in custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages in the console. Closes gh-91 - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86 Yaroslav Halchenko - Enhancements: * [2d66f31] replaced uninformative "Invalid command" message with warning log exception why command actually failed * [958a1b0] improved failregex to "support" auth.backend = "htdigest" * [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 for this gh-87) * Various others: travis-ci integration, script to run tests against all available Python versions, etc ver. 0.8.7.1 (2012/07/31) - stable ---------- - Fixes: Yaroslav Halchenko * [e9762f3] Removed sneaked in comment on sys.path.insert ver. 0.8.7 (2012/07/31) - stable ---------- - Fixes: Tom Hendrikx & Jeremy Olexa * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. See http://forums.gentoo.org/viewtopic-t-899018.html Chris Reffett * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, rather than just one failure. Yaroslav Halchenko * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf * [ed16ecc] enforce "ip" field returned as str, not unicode so that log message stays non-unicode. Close gh-32 * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if already present in the pattern * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be friend to developers stuck with Windows (Closes gh-66) * [80b191c] anchor grep regexp in actioncheck to not match partial names of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) - New features: François Boulogne * [a7cb20e..] add lighttpd-auth filter/jail Lee Clemens & Yaroslav Halchenko * [e442503] pyinotify backend (default if backend='auto' and pyinotify is available) * [d73a71f,3989d24] usedns parameter for the jails to allow disabling use of DNS Tom Hendrikx * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban repeated offenders. Close gh-19 Xavier Devlamynck * [7d465f9..] Add asterisk support Zbigniew Jędrzejewski-Szmek * [de502cf..] allow running fail2ban as non-root user (disabled by default) via xt_recent. See doc/run-rootless.txt - Enhancements Lee Clemens * [47c03a2] files/nagios - spelling/grammar fixes * [b083038] updated Free Software Foundation's address * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 * [642d9af,3282f86] reformated printing of jail's name to be consistent with init's info messages * [3282f86] uniform use of capitalized Jail in the messages Leonardo Chiquitto * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf to reflect code * [a7d47e8] Update Free Software Foundation's address Petr Voralek * [4007751] catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) Yaroslav Halchenko * [MANY] extended and robustified unittests: test different backends * [d9248a6] refactored Filter's to avoid duplicate functionality * [7821174] direct users to issues on github * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by default with -v to control verbosity * [b4099da] adjusted header for config/*.conf to mention .local and way to comment (Thanks Stefano Forli for the note) * [6ad55f6] added failregex for wu-ftpd to match against syslog instead of DoS-prone auth.log's rhost (Closes: #514239) * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for sshd filter (Closes: #648020) Yehuda Katz & Yaroslav Halchenko * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers ver. 0.8.6 (2011/11/28) - stable ---------- - Fixes: Markos Chandras & Yaroslav Halchenko * [492d8e5,bd658fc] Use hashlib (instead of deprecated md5) where available Robert Trace & Michael Lorant * [c48c2b1] gentoo-initd cleanup and fixes: assure /var/run + remove stale sock file Michael Saavedra * [3a58d0e] Lock server's executeCmd to prevent racing among iptables calls: see http://bugs.debian.org/554162 Yaroslav Halchenko * [3eb5e3b] Allow for trailing spaces in sasl logs * [1632244] Stop server-side communication before stopping the jails (prevents lockup if actions use fail2ban-client upon unban): see https://github.com/fail2ban/fail2ban/issues/7 * [5a2d518] Various changes to reincarnate unittests Yehuda Katz * Wiki was cleaned from SPAM - Enhancements: Adam Spiers * [3152afb] Recognise time-stamped kernel messages Guido Bozzetto * [713fea6] Added ipmasq rule file to restart fail2ban when iptables are wiped out: see http://bugs.debian.org/461417 Łukasz * [5f23542] Matching of month names in Polish (thanks michaelberg79 for QA) Tom Hendrikx * [9fa54cf] Added Date: header for sendmail*.conf actions Yaroslav Halchenko & Tom Hendrikx * [b52d420..22b7007] in action files now can be used to provide matched loglines which triggered action Yaroslav Halchenko * [ed0bf3a] Removed duplicate entry for DataCha0s/2\.0 in badbots: see http://bugs.debian.org/519557 * [dad91f7] sshd.conf: allow user names to have spaces and trailing spaces in the line * [a9be451] removed expansions for few Date and Revision SVN keywords * [a33135c] set/getFile for ticket.py -- found in source distribution of 0.8.4 * [fbce415] additional logging while stopping the jails ver. 0.8.5 (2011/07/28) - stable ---------- - Fix: use addfailregex instead of failregex while processing per-jail "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to Marat Khayrullin for the patch and Daniel T Chen for forwarding to Debian. - Fix: use os.path.join to generate full path - fixes includes in configs given local filename (5 weeks ago) [yarikoptic] - Fix: allowed for trailing spaces in proftpd logs - Fix: escaped () in pure-ftpd filter. Thanks to Teodor - Fix: allowed space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 - Fix: use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs.debian.org/544232 - Fix: Tai64N stores time in GMT, needed to convert to local time before returning - Fix: disabled named-refused-udp jail entirely with a big fat warning - Fix: added time module. Bug reported in buanzo's blog: see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html - Fix: Patch to make log file descriptors cloexec to stop leaking file descriptors on fork/exec. Thanks to Jonathan Underwood: see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24 - Enhancement: added author for dovecot filter and pruned unneeded space in the regexp - Enhancement: proftpd filter -- if login failed -- count regardless of the reason for failure - Enhancement: added to action.d/iptables*. Thanks to Matthijs Kooijman: see http://bugs.debian.org/515599 - Enhancement: added filter.d/dovecot.conf from Martin Waschbuesch - Enhancement: made filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 - Enhancement: added dropbear filter from Francis Russell and Zak B. Elep: see http://bugs.debian.org/546913 - Enhancement: changed default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 - Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer - Few minor cosmetic changes ver. 0.8.4 (2009/09/07) - stable ---------- - Check the inode number for rotation in addition to checking the first line of the file. Thanks to Jonathan Kamens. Red Hat #503852. Tracker #2800279. - Moved the shutdown of the logging subsystem out of Server.quit() to the end of Server.start(). Fixes the 'cannot release un-acquired lock' error. - Added "Ban IP" command. Thanks to Arturo 'Buanzo' Busleiman. - Added two new filters: lighttpd-fastcgi and php-url-fopen. - Fixed the 'unexpected communication error' problem by means of use_poll=False in Python >= 2.6. - Merged patches from Debian package. Thanks to Yaroslav Halchenko. - Use current day and month instead of Jan 1st if both are not available in the log. Thanks to Andreas Itzchak Rehberg. - Try to match the regex even if the line does not contain a valid date/time. Described in Debian #491253. Thanks to Yaroslav Halchenko. - Added/improved filters and date formats. - Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to Russell Odom. - Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to Detlef Reichelt. - Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824. - Added nagios script. Thanks to Sebastian Mueller. - Added CPanel date format. Thanks to David Collins. Tracker #1967610. - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410. - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115. - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953. - Changed template to be more restrictive. Debian bug #514163. - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct fix but seems to work. Tracker #2500276. - Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea. - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714. ver. 0.8.3 (2008/07/17) - stable ---------- - Process failtickets as long as failmanager is not empty. - Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav Halchenko. - Fixed socket path in redhat and suse init script. Thanks to Jim Wight. - Fixed PID file while started in daemon mode. Thanks to Christian Jobic who submitted a similar patch. - Fixed "fail2ban-client get logpath". Bug #1916986. - Added gssftpd filter. Thanks to Kevin Zembower. - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis Winter. - Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber. - Added ISO 8601 date/time format. - Added and changed some logging level and messages. - Added missing ignoreregex to filters. Thanks to Klaus Lehmann. - Use poll instead of select in asyncore.loop. This should solve the "Unknown error 514". Thanks to Michael Geiger and Klaus Lehmann. ver. 0.8.2 (2008/03/06) - stable ---------- - Fixed named filter. Thanks to Yaroslav Halchenko - Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines - Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann - Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection - Fixed ipfw action script. Thanks to Nick Munger - Removed date from logging message when using SYSLOG. Thanks to Iain Lea - Fixed "ignore IPs". Only the first value was taken into account. Thanks to Adrien Clerc - Moved socket to /var/run/fail2ban. - Rewrote the communication server. - Refactoring. Reduced number of files. - Removed Python 2.4. Minimum required version is now Python 2.3. - New log rotation detection algorithm. - Print monitored files in status. - Create a PID file in /var/run/fail2ban/. Thanks to Julien Perez. - Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko for the fix. - "reload " reloads a single jail and the parameters in fail2ban.conf. - Added Mac OS/X startup script. Thanks to Bill Heaton. - Absorbed some Debian patches. Thanks to Yaroslav Halchenko. - Replaced "echo" with "printf" in actions. Fix #1839673 - Replaced "reject" with "drop" in shorwall action. Fix #1854875 - Fixed Debian bug #456567, #468477, #462060, #461426 - readline is now optional in fail2ban-client (not needed in fail2ban-server). ver. 0.8.1 (2007/08/14) - stable ---------- - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid - Expand in ignoreregex. Thanks to Yaroslav Halchenko - Improved regular expressions. Thanks to Yaroslav Halchenko and others - Added sendmail actions. The action started with "mail" are now deprecated. Thanks to Raphaël Marichez - Added "ignoreregex" support to fail2ban-regex - Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch - Tightening up the pid check in redhat-initd. Thanks to David Nutter - Added webmin authentication filter. Thanks to Guillaume Delvit - Removed textToDns() which is not required anymore. Thanks to Yaroslav Halchenko - Added new action iptables-allports. Thanks to Yaroslav Halchenko - Added "named" date format to date detector. Thanks to Yaroslav Halchenko - Added filter file for named (bind9). Thanks to Yaroslav Halchenko - Fixed vsftpd filter. Thanks to Yaroslav Halchenko ver. 0.8.0 (2007/05/03) - stable ---------- - Fixed RedHat init script. Thanks to Jonathan Underwood - Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner ver. 0.7.9 (2007/04/19) - release candidate ---------- - Close opened handlers. Thanks to Yaroslav Halchenko - Fixed "reload" bug. Many many thanks to Yaroslav Halchenko - Added date format for asctime without year - Modified filters config. Thanks to Michael C. Haller - Fixed a small bug in mail-buffered.conf ver. 0.7.8 (2007/03/21) - release candidate ---------- - Fixed asctime pattern in datedetector.py - Added new filters/actions. Thanks to Yaroslav Halchenko - Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch - Moved every locking statements in a try..finally block ver. 0.7.7 (2007/02/08) - release candidate ---------- - Added signal handling in fail2ban-client - Added a wonderful visual effect when waiting on the server - fail2ban-client returns an error code if configuration is not valid - Added new filters/actions. Thanks to Yaroslav Halchenko - Call Python interpreter directly (instead of using "env") - Added file support to fail2ban-regex. Benchmark feature has been removed - Added cacti script and template. - Added IP list in "status ". Thanks to Eric Gerbier ver. 0.7.6 (2007/01/04) - beta ---------- - Added a "sleep 1" in redhat-initd. Thanks to Jim Wight - Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey - Use numeric output for iptables in "actioncheck" - Fixed removal of host in hosts.deny. Thanks to René Berber - Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI - Several "failregex" and "ignoreregex" are now accepted. Creation of rules should be easier now. - Added license in COPYING. Thanks to Axel Thimm - Allow comma in action options. The value of the option must be escaped with " or '. Thanks to Yaroslav Halchenko - Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko ver. 0.7.5 (2006/12/07) - beta ---------- - Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko - The supported tags in "action(un)ban" are , and