fail2ban (0.7.5-2etch1~pre3) stable-security; urgency=low

  * NOT RELEASED YET
  * Propagated fix for asctime pattern from 0.7.8 release (closes: #421848)
  * Propagated fix for not closed log files from 0.7.8-1
    (closes: #439962,434368)
  * Propagated fix for "reload" bug which is as severe as #439962 and just
    never was hit by any Debian user yet
  * Added patch 00_numeric_iptables-L to avoid possible DoS attacks
    (introduced upstream in 0.7.6)

 -- Yaroslav Halchenko  Tue, 01 May 2007 22:18:03 -0400

fail2ban (0.7.5-2) unstable; urgency=low

  * NEWS.Debian confusions - the latest NEWS entry and postinst message were
    rephrased (Closes: #402350)
  * Added mail-whois-lines action, which emails log lines containing abuser
    IP. Those lines are often required for proper abuse reports sent to the
    Internet providers. Forwarding of such received emails to the email
    addresses of abuse departments present in the output of whois is a
    tentative solution for semi-automatic abuse reporting (Closes: #358810)

 -- Yaroslav Halchenko  Sun, 10 Dec 2006 18:55:37 -0500

fail2ban (0.7.5-1) unstable; urgency=low

  * New upstream release which fixes next issues
    + Socket parameter not work with other path (Closes: #400162)
    + fail2ban does not start with /etc/init.d/fail2ban start but with
      fail2ban-client start (Closes: #400278)
  * Removed obsolete patches left from 0.6
  * Adjusted wsftpd patch to use tag to be in line with the other filter
    definitions

 -- Yaroslav Halchenko  Thu, 7 Dec 2006 20:19:09 -0500

fail2ban (0.7.4-5) unstable; urgency=low

  * Added Suggests on mailx and relevant comments in README.Debian about
    invoking mail actions (closes: #396668)
  * Removed obsolete entries in TODO and README
  * README.Debian describes the use of interpolations vs parameters passed
    from jail.{conf,local} into an action definitions (closes: #398739)
  * Initial version of postfix filter has been present in 0.7
    (closes: #377711)
  * Removed Uploaded field from control since I am a DD now.
    Big thanks to Barak Pearlmutter for being the sponsor of my packages for
    few years.

 -- Yaroslav O. Halchenko  Wed, 6 Dec 2006 22:14:26 -0500

fail2ban (0.7.4-4) unstable; urgency=low

  * Added debian/backports to contain patches necessary for backporting. It
    gets used by pbuilder-ssh to create package for backports.org

 -- Yaroslav Halchenko  Mon, 4 Dec 2006 08:55:48 -0500

fail2ban (0.7.4-3) unstable; urgency=low

  * Reincarnated logrotate configuration (Closes: #397878)
  * Only block new connects by using a new action iptables-new instead of
    iptables (Closes: #350746)
  * Updated README.Debian to reflect transition over to 0.7 branch and to
    comment on 350746
  * "Clean" target removes generated .pyc files now (Closes: #398146)
  * Cleaned up debian/rules a bit

 -- Yaroslav Halchenko  Sat, 11 Nov 2006 21:00:18 -0500

fail2ban (0.7.4-2) unstable; urgency=low

  * Added reload/force-reload actions to init script
  * Adjusted jail.conf a bit
  * Warning NEWS entry for 0.7.1 was not shown during installation on test
    boxes, thus postinst was adjusted accordingly to inform the user about
    the changes in the configuration files since 0.6.
  * no logrotation anymore? (Closes: #397878)

 -- Yaroslav Halchenko  Fri, 10 Nov 2006 10:53:23 -0500

fail2ban (0.7.4-1) experimental; urgency=low

  * New upstream release

 -- Yaroslav Halchenko  Wed, 1 Nov 2006 20:54:14 -0500

fail2ban (0.7.4~pre20061023.2-3) experimental; urgency=low

  * Corrected init.d script to properly perform restart due to server delay
    to react to client command to stop.
    Handling of status was adjusted as well

 -- Yaroslav Halchenko  Sun, 29 Oct 2006 22:29:27 -0500

fail2ban (0.7.4~pre20061023.2-2) experimental; urgency=low

  * Added apache-noscript to jail.conf
  * Default action does not send emails to be inline with previous (0.6.x)
    behavior

 -- Yaroslav Halchenko  Thu, 26 Oct 2006 13:27:20 -0400

fail2ban (0.7.4~pre20061023.2-1) experimental; urgency=low

  * Fresh upstream: fixed a bug with not handling error producing
    actioncheck call

 -- Yaroslav Halchenko  Mon, 23 Oct 2006 17:00:03 -0400

fail2ban (0.7.4~pre2006102-1) experimental; urgency=low

  * Current snapshot of trunk
  * Removed outdated (applied in 0.7.4 or specific for 0.6.?) patches from
    debian/patches
  * Adjusted rule to install man pages -- only .1 files since there are also
    h2m sources
  * debian/{rules,control} adjusted to conform all points in recent python
    policy changes
  * install under /usr/share instead of /usr/lib

 -- Yaroslav Halchenko  Mon, 23 Oct 2006 00:17:55 -0400

fail2ban (0.7.3-2) experimental; urgency=low

  * Added wuftpd section

 -- Yaroslav Halchenko  Wed, 18 Oct 2006 01:15:00 -0400

fail2ban (0.7.3-1) experimental; urgency=low

  * New upstream release
  * Debian shipped jail.conf
  * Refreshed init.d script

 -- Yaroslav Halchenko  Thu, 28 Sep 2006 22:17:16 -0400

fail2ban (0.7.1-0.2) experimental; urgency=low

  * New upstream release (closes: #370095,#366307)

 -- Yaroslav Halchenko  Tue, 5 Sep 2006 00:26:08 -0400

fail2ban (0.6.1-11) unstable; urgency=low

  * Adjusted manpage for fail2ban.conf to point to shipped examples of
    configuration files as the source of details about available
    configuration options (closes: #382403)
  * Changes in man/fail2ban.conf.5 are managed via dpatch now

 -- Yaroslav Halchenko  Wed, 16 Aug 2006 00:18:59 +0300

fail2ban (0.6.1-10) unstable; urgency=low

  * Adjusted to comply with recent changes in debian python policy and use
    pycentral to byte compile modules
  * Filtered out empty entries for ignoreip to reduce confusing WARNING log
    message
  * Added configuration
    parameter "locale" to specify LC_TIME for time pattern matching
    (closes: #367990,363391)
  * Verbosity is chosen to be max between cmdline parameters and config file

 -- Yaroslav Halchenko  Thu, 6 Jul 2006 20:19:54 -0400

fail2ban (0.6.1-9) unstable; urgency=low

  * Adjusted rm commands in init script to not use -r for removal of the
    pidfile (thanks Stephen Gran)
  * Added clarification about multiport banning to README.Debian
    (closes: #373592)

 -- Yaroslav Halchenko  Wed, 14 Jun 2006 12:05:44 -0400

fail2ban (0.6.1-8) unstable; urgency=low

  * Removed bashism (arrays) from init.d script to make it POSIX shell
    compliant (closes: #368218)
  * Added new proftpd section
  * Added new saslauthd section. Thanks to martin f krafft (closes: #369483)
  * Mentioned apache2 log file in Other. comment field for FILE in apache
    section. Nothing has to be changed besides the logfile path to work with
    apache2 (closes: #342144)

 -- Yaroslav Halchenko  Mon, 22 May 2006 15:37:17 -0400

fail2ban (0.6.1-5) unstable; urgency=low

  * Further fixed debian packaging: to comply with policy empty target
    binary-arch was provided

 -- Yaroslav Halchenko  Tue, 16 May 2006 16:43:37 -0400

fail2ban (0.6.1-4) unstable; urgency=low

  * Adjusted debian packaging:
    - Clean up of debian/rules: removed commented out dh_ scripts which
      definitely will never be used
    - debhelper and dpatch moved to Build-Depends
    - added --no-compile for python setup.py install, and removed explicit
      cleaning of .pyc's
    - fixed separation binary-indep and binary-arch in debian/rules
    - restricted depends on python >= 2.3

 -- Yaroslav Halchenko  Tue, 16 May 2006 15:53:06 -0400

fail2ban (0.6.1-3) unstable; urgency=low

  * Fixed vsftpd failregexp (closes: #366687)
  * Started to use dpatch

 -- Yaroslav Halchenko  Wed, 10 May 2006 11:45:57 -0400

fail2ban (0.6.1-2) unstable; urgency=low

  * Assigned maxreinits to 1000 to be reasonable since otherwise logfile
    grows indefinitely if there is a real problem on the system
    (closes: #359218)
  * Adjusted debian/{copyright,watch}
  * New version of init.d script (Thanks to Aaron Isotton) (closes: #364278)

 -- Yaroslav Halchenko  Mon, 27 Mar 2006 12:55:39 -0500

fail2ban (0.6.1-1) unstable; urgency=low

  * New upstream release
  * In config file added fwchain to ease switching to another input chain
    (closes: #357164)

 -- Yaroslav Halchenko  Sat, 18 Mar 2006 23:11:53 -0500

fail2ban (0.6.0-8) unstable; urgency=low

  * Minor adjustments to reduce the deviation from the upstream code

 -- Yaroslav Halchenko  Sat, 11 Mar 2006 00:48:14 -0500

fail2ban (0.6.0-7) unstable; urgency=low

  * Fixed a typo in failregex for SSH section (closes: #356112)

 -- Yaroslav Halchenko  Thu, 9 Mar 2006 15:13:48 -0500

fail2ban (0.6.0-6) unstable; urgency=low

  * Updated README.Debian with information about some cases with
    not-as-shipped configurations of sshd on the boxes running older
    versions of openssh server
  * Included regexps for SSH in case iff authentication as root using keys
    was attempted whenever PermitRootLogin is set to something else than
    "yes" and key authentication fails
  * Included postrm script to remove log files during purge to comply with
    policy 10.8 (closes: #355443)

 -- Yaroslav Halchenko  Fri, 3 Mar 2006 16:32:38 -0500

fail2ban (0.6.0-5) unstable; urgency=low

  * Fixed Apache section: changed filepath to point at error.log, thus I had
    to revert timeregex and timepattern to use RFC 2822 format
    (closes: #354346)

 -- Yaroslav Halchenko  Sat, 25 Feb 2006 19:56:46 -0500

fail2ban (0.6.0-4) unstable; urgency=low

  * Modifications in README.Debian to reflect a "finding" on not-AllowedUsers
    banning which requires default Debian configuration of
    "ChallengeResponseAuthentication no" and "PasswordAuthentication yes"
  * Fixed Apache timeregex and timepattern to confirm the format of time
    stamp used in Debian's access.log (error.log uses RFC 2822 format)
  * Added section ApacheAttacks to specify some common patterns of attacks
    on a webserver (awstats.pl as a try).
    This section stays split from Apache since it is of different nature and
    might be not appropriate for some users
  * Forced owner/permissions of log file to be root:adm/640 in postinst and
    logrotate (closes: #352053)

 -- Yaroslav Halchenko  Mon, 16 Jan 2006 04:05:19 -0500

fail2ban (0.6.0-3) unstable; urgency=low

  * ignoreip is now empty by default (closes: #347766)
  * increased verbosity in verbose=2 mode: now prints options accepted from
    the config file
  * to make fail2ban.conf more compact, thus to improve its readability,
    fail2ban.conf was converted to use "interpolations" provided by
    ConfigParser class. fw{start,end,{,un}ban} options were moved into
    DEFAULT section and required options (port, protocol) were added

 -- Yaroslav Halchenko  Thu, 12 Jan 2006 18:32:14 -0500

fail2ban (0.6.0-2) unstable; urgency=low

  * fail2ban path is inserted first in the list to avoid a conflict with
    existing elsewhere modules with the same names. (Thanks for report and
    patch to Nick Craig-Wood) (closes: #343821)

 -- Yaroslav Halchenko  Mon, 19 Dec 2005 17:44:58 +0200

fail2ban (0.6.0-1) unstable; urgency=low

  * Merged with the latest stable upstream release. That incurs some changes
    for the Debian configuration of the package to be more upstream-like.
    Visible one is: subject in the sent email includes section outside of
    "[Fail2Ban]"
  * Updated README.Debian to answer possible question regarding effective
    bantime starting moment

 -- Yaroslav Halchenko  Sun, 20 Nov 2005 14:56:41 -0500

fail2ban (0.5.4-10) unstable; urgency=low

  * Fixed the order of ssh and apache rules to avoid possible race condition
    (Thanks to Jefferson Cowart for the bug report) (closes: #339133)

 -- Yaroslav Halchenko  Mon, 14 Nov 2005 23:44:45 -0500

fail2ban (0.5.4-9) unstable; urgency=low

  * Fixed init.d script so it doesn't return non-0 status if fail2ban is not
    running.
    That fixes issues with purging the package and leaving garbage in
    /usr/share/fail2ban (Thanx to Justin Pryzby for the insight)
    (closes: #337223)

 -- Yaroslav Halchenko  Thu, 3 Nov 2005 17:05:20 -0500

fail2ban (0.5.4-8) unstable; urgency=low

  * Added config option MAIL.localtime (closes: #336449)

 -- Yaroslav Halchenko  Mon, 31 Oct 2005 16:53:19 -0500

fail2ban (0.5.4-7) unstable; urgency=low

  * Adjusted init.d script so it is resistant to delayed shutdowns of
    fail2ban and in general more stable

 -- Yaroslav Halchenko  Thu, 20 Oct 2005 21:22:03 -0400

fail2ban (0.5.4-6.2) unstable; urgency=low

  * Fixed typos (thanx to Ross Boylan).
  * Robust startup: if iptables module gets fully initialized after startup
    of fail2ban, fail2ban will do "maxreinit" attempts to initialize its own
    firewall. It will sleep between attempts for "polltime" number of
    seconds (closes: #334272).
  * To overcome possible conflict with other firewall solutions and as a
    secondary solution for the bug 334272, fail2ban startup is moved during
    bootup to the latest (S99) sequence position. That should not cause any
    discomfort I believe.

 -- Yaroslav Halchenko  Tue, 18 Oct 2005 15:54:38 -0400

fail2ban (0.5.4-5.14) unstable; urgency=low

  * Added a notification regarding the importance of 0.5.4-5 change of
    failregex in the config file.
  * Adjusted address to FSF.
  * Adjusted failregex for SSH so it bans "Illegal user" entries as well,
    and restricted full failregex more to include ":" at the beginning,
    because otherwise it might not be sufficient and would revive bug 330827
    (closes: #333056).
  * Adjusted failregex for SSH to accommodate recent changes in logging of
    SSH: Illegal -> Invalid. Should match both now.
  * Fixed a problem of raise AttributeError exception reported as a side
    effect of crash during parsing of the config file.
  * Introduced fwcheck option to verify consistency of the chains.
    Implemented automatic restart of fail2ban main function in case check of
    fwban or fwunban command failed (closes: #329163, #331695). (Introduced
    patch was further adjusted by upstream author).
  * Added -f command line parameter for [findtime].
  * Fixed the issue of not respecting command line parameters for parameters
    within sections.
  * Added -e command line parameter to provide enabled sections from command
    line.
  * Added a cleanup of firewall rules on emergency shutdown when unknown
    exception is caught.
  * Fail2ban should not crash now if a wrong file name is specified in
    config.

 -- Yaroslav Halchenko  Mon, 3 Oct 2005 22:26:28 -1000

fail2ban (0.5.4-5) unstable; urgency=low

  * Made failregex'es more specific to not allow usernames to be used as a
    tool for denial of service attacks. Config files (or at least
    failregex'es) must be updated from this package, otherwise the security
    breach would remain open and only warning gets issued (closes: #330827)

 -- Yaroslav Halchenko  Sat, 1 Oct 2005 02:42:23 -1000

fail2ban (0.5.4-4) unstable; urgency=low

  * On a request from Calum Mackay added reporting of the enabled sections

 -- Yaroslav Halchenko  Thu, 29 Sep 2005 11:20:43 -1000

fail2ban (0.5.4-3) unstable; urgency=low

  * Resolved the mystery of debug mode in which commands are not really
    executed: added verbose option to config file, removed -v from
    /etc/default/fail2ban, reordered code a bit so that log targets are
    setup right after background and then only loglevel (verbose,debug) is
    processed, so the warning could be seen in the logs

 -- Yaroslav Halchenko  Thu, 29 Sep 2005 00:20:43 -1000

fail2ban (0.5.4-2) unstable; urgency=low

  * Now exporting PATH explicitly in init.d/fail2ban script, to avoid
    problems finding iptables in the cases when PATH was not exported
    outside (cfengine, broken shell environment) (closes: #329304)
  * Removed -b from start-stop-daemon because fail2ban detaches on its own
  * Added @localhost to MAIL:from and MAIL:to in fail2ban.conf and placed a
    note to README.Debian regarding necessity to specify full email address
    in MAIL:from (closes: #329722)
  * Added a keyword
    in parsing of the subject and the body of an email sent out by fail2ban
    (closes: #330311)

 -- Yaroslav Halchenko  Wed, 27 Sep 2005 08:09:06 -0400

fail2ban (0.5.4-1) unstable; urgency=low

  * New upstream release

 -- Yaroslav Halchenko  Tue, 20 Sep 2005 12:19:19 -0400

fail2ban (0.5.3-2) unstable; urgency=low

  * Refined comments in README.Debian
  * Reindented init.d script
  P.S. Was not released

 -- Yaroslav Halchenko  Sun, 11 Sep 2005 15:19:44 -0400

fail2ban (0.5.3-1) unstable; urgency=low

  * New upstream release

 -- Yaroslav Halchenko  Fri, 9 Sep 2005 16:55:00 -0400

fail2ban (0.5.2-5) unstable; urgency=low

  * Included a patch from Stephen Gildea to provide "status" report by
    init.d script
  * Included a note in README.Debian regarding the fail2ban iptable's chains

 -- Yaroslav Halchenko  Fri, 9 Sep 2005 14:52:24 -0400

fail2ban (0.5.2-4) unstable; urgency=low

  * Format of SYSLOG entries is up to the standard now

 -- Yaroslav Halchenko  Fri, 19 Aug 2005 00:06:44 -1000

fail2ban (0.5.2-3) unstable; urgency=low

  * Fixed errata in /etc/default/fail2ban (closes: #323451)
  * Fixed handling of SYSLOG logging target.
    Now it can log to any syslog target and facility as directed by the
    config (revisions 160:166 patch from syslog branch) (closes: #323543)
  * Included upstream README and TODO
  * Mentioned in README.Debian that apache section is disabled by default
  * Adjusted man pages to cross-reference each other
  * Moved fail2ban man page under section 8 as in upstream
  * Introduced findtime configuration variable to control the lifetime of
    caught "failed" log entries (closes: #323840)

 -- Yaroslav Halchenko  Tue, 16 Aug 2005 11:23:28 -1000

fail2ban (0.5.2-2) unstable; urgency=low

  * Updated description to reflect flexibility in application of fail2ban
  * Included logrotate (Thanks to Baruch Even)

 -- Yaroslav Halchenko  Sat, 13 Aug 2005 04:51:57 -0400

fail2ban (0.5.2-1) unstable; urgency=low

  * New upstream release
  * No log4py any more
  * removed -i eth0 from config

 -- Yaroslav Halchenko  Sat, 6 Aug 2005 09:21:07 -1000

fail2ban (0.5.1-1) unstable; urgency=low

  * New upstream release

 -- Yaroslav Halchenko  Sat, 23 Jul 2005 08:50:00 -1000

fail2ban (0.5.0-1) unstable; urgency=low

  * New upstream release
  * Libraries placed under /usr/share/fail2ban instead of /usr/lib/fail2ban
  * Corrections to the description of the package

 -- Yaroslav Halchenko  Tue, 12 Jul 2005 23:33:20 -1000

fail2ban (0.4.1-1) unstable; urgency=low

  * First upstream release of a Debian package

 -- Yaroslav Halchenko  Mon, 04 Jul 2005 11:47:23 +0300