__ _ _ ___ _ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ Fail2Ban (version 0.8.9) 2013/04/XX ================================================================================ ver. 0.8.9 (2013/04/XX) - wanna-be-stable ---------- Although primarily a bugfix release, it incorporates many new enhancements, few new features, but more importantly -- quite extended tests battery with current 94% coverage. This release incorporates more than a 100 of non-merge commits from 14 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks, ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither, Orion Poplawski, Artur Penttinen, sebres, Nicolas Collignon, Pascal Borreli, blotus: - Fixes: Yaroslav Halchenko * [6f4dad46] Documentation python-2.4 is the minimium version. * [1eb23cf8] do not rely on scripts being under /usr -- might differ eg on Fedora. Closes gh-112. Thanks to Camusensei for the bug report. * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh-103. * [ab044b75] delay check for the existence of config directory until read. * [3b4084d4] fixing up for handling of TAI64N timestamps. * [154aa38e] do not shutdown logging until all jails stop. * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. Thanks to Jon Foster for report and troubleshooting. Orion Poplawski * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories. Nicolas Collignon * [39667ff6] Avoid leaking file descriptors. Closes gh-167. Sergey Brester * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list. Steven Hiscocks * [7a442f07] When changing log target with python2.{4,5} handle KeyError. Closes gh-147, gh-148. * [b6a68f51] Fix delaction on server side. Closes gh-124. Daniel Black * [f0610c01] Allow more that a one word command when changing and Action via the fail2ban-client. Closes gh-134. * [945ad3d9] Fix dates on email actions to work in different locals. Closes gh-70. Thanks to iGeorgeX for the idea. blotus * [96eb8986] ' and " should also be escaped in action tags Closes gh-109 - New features: Yaroslav Halchenko * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} to provide additional flexibility to system adminstrators. Thanks to beilber for the idea. Closes gh-114. * [3ce53e87] Add exim filter. Erwan Ben Souiden * [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh-166. Artur Penttinen * [29d0df5] Add mysqld filter. Closes gh-152. ArndRaphael Brandes * [bba3fd8] Add Sogo filter. Closes gh-117. Michael Gebetsriother * [f9b78ba] Add action route to block at routing level. Teodor Micu & Yaroslav Halchenko * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. Daniel Black * [be06b1b] Add action for iptables-ipsets. Closes gh-102. Soulard Morgan * [f336d9f] Add filter for webmin. Closes gh-99. - Enhancements: Enrico Labedzki * [24a8d07] Added new date format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172. * [MANY] Improvements to test cases, travis, and code coverage (coveralls). * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124. * [ce3ab34] Added ability to specify PID file. Orion Poplawski * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh-142. Yaroslav Halchenko * [MANY] Lots of improvements to log messages, man pages and test cases. * [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh-126. Bug report by Michael Heuberger. * [40c5a2d] adding more of diagnostic messages into -client while starting the daemon. * [8e63d4c] Compare against None with 'is' instead of '=='. Daniel Black * [3aeb1a9] Add jail.conf manual page. Closes gh-143. * [MANY] man page edits. * [7cd6dab] Added help command to fail2ban-client. * [c8c7b0b,23bbc60] Better logging of log file read errors. * [3665e6d] Added code coverage to development process. * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes. * [1d9abd1] Action files can have tags in definition that refer to other tags. Pascal Borreli * [a2b29b4] Fixed lots of typos in config files and documentation. hamilton5 * [7ede1e8] Update dovecot filter config. Romain Riviere * [0ac8746] Enhance named-refused filter for views. Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom Hendrikx and other TBN heroes supporting users on fail2ban-users mailing list and IRC. ver. 0.8.8 (2012/12/06) - stable ---------- - Fixes: Alan Jenkins * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid banning due to misconfigured DNS. Closes gh-64 Yaroslav Halchenko * [83109bc] IMPORTANT: escape the content of (if used in custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages in the console. Closes gh-91 - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86 Yaroslav Halchenko - Enhancements: * [2d66f31] replaced uninformative "Invalid command" message with warning log exception why command actually failed * [958a1b0] improved failregex to "support" auth.backend = "htdigest" * [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 for this gh-87) * Various others: travis-ci integration, script to run tests against all available Python versions, etc ver. 0.8.7.1 (2012/07/31) - stable ---------- - Fixes: Yaroslav Halchenko * [e9762f3] Removed sneaked in comment on sys.path.insert ver. 0.8.7 (2012/07/31) - stable ---------- - Fixes: Tom Hendrikx & Jeremy Olexa * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. See http://forums.gentoo.org/viewtopic-t-899018.html Chris Reffett * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, rather than just one failure. Yaroslav Halchenko * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf * [ed16ecc] enforce "ip" field returned as str, not unicode so that log message stays non-unicode. Close gh-32 * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if already present in the pattern * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be friend to developers stuck with Windows (Closes gh-66) * [80b191c] anchor grep regexp in actioncheck to not match partial names of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) - New features: François Boulogne * [a7cb20e..] add lighttpd-auth filter/jail Lee Clemens & Yaroslav Halchenko * [e442503] pyinotify backend (default if backend='auto' and pyinotify is available) * [d73a71f,3989d24] usedns parameter for the jails to allow disabling use of DNS Tom Hendrikx * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban repeated offenders. Close gh-19 Xavier Devlamynck * [7d465f9..] Add asterisk support Zbigniew Jędrzejewski-Szmek * [de502cf..] allow running fail2ban as non-root user (disabled by default) via xt_recent. See doc/run-rootless.txt - Enhancements Lee Clemens * [47c03a2] files/nagios - spelling/grammar fixes * [b083038] updated Free Software Foundation's address * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 * [642d9af,3282f86] reformated printing of jail's name to be consistent with init's info messages * [3282f86] uniform use of capitalized Jail in the messages Leonardo Chiquitto * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf to reflect code * [a7d47e8] Update Free Software Foundation's address Petr Voralek * [4007751] catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) Yaroslav Halchenko * [MANY] extended and robustified unittests: test different backends * [d9248a6] refactored Filter's to avoid duplicate functionality * [7821174] direct users to issues on github * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by default with -v to control verbosity * [b4099da] adjusted header for config/*.conf to mention .local and way to comment (Thanks Stefano Forli for the note) * [6ad55f6] added failregex for wu-ftpd to match against syslog instead of DoS-prone auth.log's rhost (Closes: #514239) * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for sshd filter (Closes: #648020) Yehuda Katz & Yaroslav Halchenko * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers ver. 0.8.6 (2011/11/28) - stable ---------- - Fixes: Markos Chandras & Yaroslav Halchenko * [492d8e5,bd658fc] Use hashlib (instead of deprecated md5) where available Robert Trace & Michael Lorant * [c48c2b1] gentoo-initd cleanup and fixes: assure /var/run + remove stale sock file Michael Saavedra * [3a58d0e] Lock server's executeCmd to prevent racing among iptables calls: see http://bugs.debian.org/554162 Yaroslav Halchenko * [3eb5e3b] Allow for trailing spaces in sasl logs * [1632244] Stop server-side communication before stopping the jails (prevents lockup if actions use fail2ban-client upon unban): see https://github.com/fail2ban/fail2ban/issues/7 * [5a2d518] Various changes to reincarnate unittests Yehuda Katz * Wiki was cleaned from SPAM - Enhancements: Adam Spiers * [3152afb] Recognise time-stamped kernel messages Guido Bozzetto * [713fea6] Added ipmasq rule file to restart fail2ban when iptables are wiped out: see http://bugs.debian.org/461417 Łukasz * [5f23542] Matching of month names in Polish (thanks michaelberg79 for QA) Tom Hendrikx * [9fa54cf] Added Date: header for sendmail*.conf actions Yaroslav Halchenko & Tom Hendrikx * [b52d420..22b7007] in action files now can be used to provide matched loglines which triggered action Yaroslav Halchenko * [ed0bf3a] Removed duplicate entry for DataCha0s/2\.0 in badbots: see http://bugs.debian.org/519557 * [dad91f7] sshd.conf: allow user names to have spaces and trailing spaces in the line * [a9be451] removed expansions for few Date and Revision SVN keywords * [a33135c] set/getFile for ticket.py -- found in source distribution of 0.8.4 * [fbce415] additional logging while stopping the jails ver. 0.8.5 (2011/07/28) - stable ---------- - Fix: use addfailregex instead of failregex while processing per-jail "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to Marat Khayrullin for the patch and Daniel T Chen for forwarding to Debian. - Fix: use os.path.join to generate full path - fixes includes in configs given local filename (5 weeks ago) [yarikoptic] - Fix: allowed for trailing spaces in proftpd logs - Fix: escaped () in pure-ftpd filter. Thanks to Teodor - Fix: allowed space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 - Fix: use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs.debian.org/544232 - Fix: Tai64N stores time in GMT, needed to convert to local time before returning - Fix: disabled named-refused-udp jail entirely with a big fat warning - Fix: added time module. Bug reported in buanzo's blog: see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html - Fix: Patch to make log file descriptors cloexec to stop leaking file descriptors on fork/exec. Thanks to Jonathan Underwood: see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24 - Enhancement: added author for dovecot filter and pruned unneeded space in the regexp - Enhancement: proftpd filter -- if login failed -- count regardless of the reason for failure - Enhancement: added to action.d/iptables*. Thanks to Matthijs Kooijman: see http://bugs.debian.org/515599 - Enhancement: added filter.d/dovecot.conf from Martin Waschbuesch - Enhancement: made filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 - Enhancement: added dropbear filter from Francis Russell and Zak B. Elep: see http://bugs.debian.org/546913 - Enhancement: changed default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 - Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer - Few minor cosmetic changes ver. 0.8.4 (2009/09/07) - stable ---------- - Check the inode number for rotation in addition to checking the first line of the file. Thanks to Jonathan Kamens. Red Hat #503852. Tracker #2800279. - Moved the shutdown of the logging subsystem out of Server.quit() to the end of Server.start(). Fixes the 'cannot release un-acquired lock' error. - Added "Ban IP" command. Thanks to Arturo 'Buanzo' Busleiman. - Added two new filters: lighttpd-fastcgi and php-url-fopen. - Fixed the 'unexpected communication error' problem by means of use_poll=False in Python >= 2.6. - Merged patches from Debian package. Thanks to Yaroslav Halchenko. - Use current day and month instead of Jan 1st if both are not available in the log. Thanks to Andreas Itzchak Rehberg. - Try to match the regex even if the line does not contain a valid date/time. Described in Debian #491253. Thanks to Yaroslav Halchenko. - Added/improved filters and date formats. - Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to Russell Odom. - Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to Detlef Reichelt. - Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824. - Added nagios script. Thanks to Sebastian Mueller. - Added CPanel date format. Thanks to David Collins. Tracker #1967610. - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410. - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115. - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953. - Changed template to be more restrictive. Debian bug #514163. - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct fix but seems to work. Tracker #2500276. - Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea. - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714. ver. 0.8.3 (2008/07/17) - stable ---------- - Process failtickets as long as failmanager is not empty. - Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav Halchenko. - Fixed socket path in redhat and suse init script. Thanks to Jim Wight. - Fixed PID file while started in daemon mode. Thanks to Christian Jobic who submitted a similar patch. - Fixed "fail2ban-client get logpath". Bug #1916986. - Added gssftpd filter. Thanks to Kevin Zembower. - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis Winter. - Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber. - Added ISO 8601 date/time format. - Added and changed some logging level and messages. - Added missing ignoreregex to filters. Thanks to Klaus Lehmann. - Use poll instead of select in asyncore.loop. This should solve the "Unknown error 514". Thanks to Michael Geiger and Klaus Lehmann. ver. 0.8.2 (2008/03/06) - stable ---------- - Fixed named filter. Thanks to Yaroslav Halchenko - Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines - Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann - Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection - Fixed ipfw action script. Thanks to Nick Munger - Removed date from logging message when using SYSLOG. Thanks to Iain Lea - Fixed "ignore IPs". Only the first value was taken into account. Thanks to Adrien Clerc - Moved socket to /var/run/fail2ban. - Rewrote the communication server. - Refactoring. Reduced number of files. - Removed Python 2.4. Minimum required version is now Python 2.3. - New log rotation detection algorithm. - Print monitored files in status. - Create a PID file in /var/run/fail2ban/. Thanks to Julien Perez. - Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko for the fix. - "reload " reloads a single jail and the parameters in fail2ban.conf. - Added Mac OS/X startup script. Thanks to Bill Heaton. - Absorbed some Debian patches. Thanks to Yaroslav Halchenko. - Replaced "echo" with "printf" in actions. Fix #1839673 - Replaced "reject" with "drop" in shorwall action. Fix #1854875 - Fixed Debian bug #456567, #468477, #462060, #461426 - readline is now optional in fail2ban-client (not needed in fail2ban-server). ver. 0.8.1 (2007/08/14) - stable ---------- - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid - Expand in ignoreregex. Thanks to Yaroslav Halchenko - Improved regular expressions. Thanks to Yaroslav Halchenko and others - Added sendmail actions. The action started with "mail" are now deprecated. Thanks to Raphaël Marichez - Added "ignoreregex" support to fail2ban-regex - Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch - Tightening up the pid check in redhat-initd. Thanks to David Nutter - Added webmin authentication filter. Thanks to Guillaume Delvit - Removed textToDns() which is not required anymore. Thanks to Yaroslav Halchenko - Added new action iptables-allports. Thanks to Yaroslav Halchenko - Added "named" date format to date detector. Thanks to Yaroslav Halchenko - Added filter file for named (bind9). Thanks to Yaroslav Halchenko - Fixed vsftpd filter. Thanks to Yaroslav Halchenko ver. 0.8.0 (2007/05/03) - stable ---------- - Fixed RedHat init script. Thanks to Jonathan Underwood - Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner ver. 0.7.9 (2007/04/19) - release candidate ---------- - Close opened handlers. Thanks to Yaroslav Halchenko - Fixed "reload" bug. Many many thanks to Yaroslav Halchenko - Added date format for asctime without year - Modified filters config. Thanks to Michael C. Haller - Fixed a small bug in mail-buffered.conf ver. 0.7.8 (2007/03/21) - release candidate ---------- - Fixed asctime pattern in datedetector.py - Added new filters/actions. Thanks to Yaroslav Halchenko - Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch - Moved every locking statements in a try..finally block ver. 0.7.7 (2007/02/08) - release candidate ---------- - Added signal handling in fail2ban-client - Added a wonderful visual effect when waiting on the server - fail2ban-client returns an error code if configuration is not valid - Added new filters/actions. Thanks to Yaroslav Halchenko - Call Python interpreter directly (instead of using "env") - Added file support to fail2ban-regex. Benchmark feature has been removed - Added cacti script and template. - Added IP list in "status ". Thanks to Eric Gerbier ver. 0.7.6 (2007/01/04) - beta ---------- - Added a "sleep 1" in redhat-initd. Thanks to Jim Wight - Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey - Use numeric output for iptables in "actioncheck" - Fixed removal of host in hosts.deny. Thanks to René Berber - Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI - Several "failregex" and "ignoreregex" are now accepted. Creation of rules should be easier now. - Added license in COPYING. Thanks to Axel Thimm - Allow comma in action options. The value of the option must be escaped with " or '. Thanks to Yaroslav Halchenko - Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko ver. 0.7.5 (2006/12/07) - beta ---------- - Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko - The supported tags in "action(un)ban" are , and