mirror of https://github.com/fail2ban/fail2ban
<!-- vim: syntax=Markdown -->

                         __      _ _ ___ _
                        / _|__ _(_) |_  ) |__  __ _ _ _
                       |  _/ _` | | |/ /| '_ \/ _` | ' \
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|

Fail2Ban: Changelog
===================

ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
-----------

### Fixes
* `jail.conf`:
  - default banactions need to be specified in `paths-*.conf` (maintainer level) now
  - since stock fail2ban includes `paths-debian.conf` by default, banactions are `nftables`
    (can be overwritten in `jail.local` by user)
* `paths-debian.conf`:
  - default banactions are `nftables`
  - sshd backend switched to `systemd` (gh-3292)
* `action.d/firewallcmd-ipset.conf`:
  - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` is now used for the real set type (gh-3760)
* `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778)
* `filter.d/postfix.conf` - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800)
* `filter.d/recidive.conf` - restore possibility to set jail name in the filter, `_jailname` is positive now (gh-3769)
* `filter.d/roundcube-auth.conf` - improved RE, better matching log format of roundcube version 1.4+ (gh-3816)
* `filter.d/sshd.conf` - adapted to conform to the possible new daemon name sshd-session; since OpenSSH 9.8
  several log messages will be tagged as originating from a process named "sshd-session" rather than "sshd" (gh-3782)

### New Features and Enhancements
* `action.d/*-ipset.conf`:
  - parameter `ipsettype` to set type of ipset, e. g. hash:ip, hash:net, etc (gh-3760)
* `action.d/firewallcmd-rich-*.conf` - fixed incorrect quoting, disabling port variable expansion
  by substitution of rich rule (gh-3815)
* `filter.d/proxmox.conf` - add support to Proxmox Web GUI (gh-2966)

ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km
-----------

### Compatibility
* the minimum supported python version is now 3.5, if you have previous python version
  you can use the 0.11 or 1.0 version of fail2ban or upgrade python (or even build it from source).

### Fixes
* `jail.conf`:
  - default banactions need to be specified in `paths-*.conf` (maintainer level) now
  - since stock fail2ban includes `paths-debian.conf` by default, banactions are `nftables`
    (can be overwritten in `jail.local` by user)
* `paths-debian.conf`:
  - default banactions are `nftables`
  - sshd backend switched to `systemd` (gh-3292)
* circumvent SEGFAULT in python's socket module by getaddrinfo with disabled IPv6 (gh-3438)
* avoid sporadic error in pyinotify backend if pending file deleted in other thread, e. g. by flushing logs (gh-3635)
* `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode args by unban
* `action.d/*ipset*`: make `maxelem` ipset option configurable through banaction arguments (gh-3564)
* `filter.d/apache-common.conf` - accepts remote besides client (gh-3622)
* `filter.d/mysqld-auth.conf` - matches also if no suffix in message (mariadb 10.3 log format, gh-3603)
* `filter.d/nginx-*.conf` - nginx error-log filters extended with support of journal format (gh-3646)
* `filter.d/postfix.conf`:
  - "rejected" rule extended to match "Access denied" too (gh-3474)
  - avoid double counting ('lost connection after AUTH' together with message 'disconnect ...', gh-3505)
  - add Sender address rejected: Malformed DNS server reply (gh-3590)
  - add to postfix syslog daemon format (gh-3690)
  - change journalmatch postfix, allow sub-units with postfix@-.service (gh-3692)
* `filter.d/recidive.conf`: support for systemd-journal, conditional RE depending on logtype (for file or journal, gh-3693)
* `filter.d/slapd.conf` - filter rewritten for single-line processing, matches errored result without `text=...` (gh-3604)

### New Features and Enhancements
* supports python 3.12 and 3.13 (gh-3487)
* bundling async modules removed in python 3.12+ (fallback to local libraries pyasyncore/pyasynchat if import would miss them, gh-3487)
* `fail2ban-client` extended (gh-2975):
  - `fail2ban-client status --all [flavor]` - returns status of fail2ban and all jails in usual form
  - `fail2ban-client stats` - returns statistic in form of table (jail, backend, found and banned counts)
  - `fail2ban-client statistic` or `fail2ban-client statistics` - same as `fail2ban-client stats` (aliases for stats)
  - `fail2ban-client status --all stats` - (undocumented, flavor "stats") returns statistic of all jails in form of python dict
* `fail2ban-regex` extended to load settings from jail (by simple name it'd prefer jail to the filter now, gh-2655);
  to load the settings from filter one could use:
  ```diff
  - fail2ban-regex ... sshd ; # jail
  + fail2ban-regex ... sshd.conf ; # filter
  # or:
  + fail2ban-regex ... filter.d/sshd ; # filter
  ```
* better auto-detection for IPv6 support (`allowipv6 = auto` by default), trying to check sysctl net.ipv6.conf.all.disable_ipv6
  (value read from `/proc/sys/net/ipv6/conf/all/disable_ipv6`) if available, otherwise seeks over local IPv6 from network interfaces
  if available for platform and uses DNS to find local IPv6 as a fallback only
* improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132)
* `action.d/mikrotik.conf` - new action for mikrotik routerOS, adds and removes entries from address lists on the router (gh-2860)
* `action.d/pf.conf` - pf action extended with support of `protocol=all` (gh-3503)
* `action.d/smtp.py` - added optional support for TLS connections via the `ssl` arg.
* `filter.d/dante.conf` - new filter for Dante SOCKS server (gh-2112)
* `filter.d/exim.conf`, `filter.d/exim-spam.conf`:
  - messages are prefiltered by `prefregex` now
  - filter can bypass additional timestamp or pid that may be logged via systemd-journal or syslog-ng (gh-3060)
  - rewrite host line regex for all varied exim's log_selector states (gh-3263, gh-3701, gh-3702)
  - fixed "dropped: too many ..." regex, also matching unrecognized commands now (gh-3502)
* `filter.d/named-refused.conf` - denied allows any reason in parentheses as suffix (gh-3697)
* `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226)
* `filter.d/routeros-auth.conf` - new filter detecting failed login attempts in the log produced by MikroTik RouterOS
* `filter.d/sshd.conf`:
  - avoid double counting for "maximum authentication attempts exceeded" (gh-3502)
  - message "Disconnecting ... Too many authentication failures" is not a failure anymore
  - mode `ddos`/`aggressive` extended to match new messages caused by port scanner, wrong payload on ssh port (gh-3486):
    * message authentication code incorrect [preauth]
    * connection corrupted [preauth]
    * timeout before authentication

ver. 1.0.2 (2022/11/09) - finally-war-game-test-tape-not-a-nuclear-alarm
-----------

### Fixes
* backend `systemd`: code review and several fixes:
  - wait only if it is necessary, e. g. in operational mode and if no more entries retrieved (end of journal);
  - ensure we give enough time after possible rotation, vacuuming or adding/removing journal files,
    and move cursor back and forth to avoid entering dead space
* `filter.d/named-refused.conf`:
  - support BIND named log categories, gh-3388
  - allow `info:` as possible error prefix too ("query (cache) denied" may occur as info)
* `filter.d/dovecot.conf`:
  - fixes regression introduced in gh-3210: resolve extremely long search by repeated apply of non-greedy RE-part
    with following branches (it may be extremely slow up to infinite search depending on message), gh-3370
  - fixes regression and matches new format in aggressive mode too (amend to gh-3210)

### New Features and Enhancements

ver. 1.0.1 (2022/09/27) - energy-equals-mass-times-the-speed-of-light-squared
-----------

### Compatibility
* the minimum supported python version is now 2.7, if you have previous python version
  you can use the 0.11 version of fail2ban or upgrade python (or even build it from source).
* potential incompatibility by parsing of options of `backend`, `filter` and `action` parameters (if they
  are partially incorrect), because fail2ban could throw an error now (doesn't silently bypass it anymore).
* due to fix for CVE-2021-32749 (GHSA-m985-3f3v-cwmm) the mailing action using mailutils may require extra configuration,
  if it is not compatible or doesn't support `-E 'set escape'` (e. g. with `mailcmd` parameter), see gh-3059
* automatic invocation of 2to3 is removed in setup now (gh-3098), there is also no option `--disable-2to3` anymore,
  `./fail2ban-2to3` should be called outside before setup
* to v.0.11:
  - due to change of `actioncheck` behavior (gh-488), some actions can be incompatible as regards
    the invariant check, if `actionban` or `actionunban` would not throw an error (exit code
    different from 0) in case of unsane environment.
  - actions that have used tag `<ip>` (instead of `<fid>` or `<F-ID>`) to get failure-ID may become
    incompatible, if filter uses IP-related tags (like `<ADDR>` or `<HOST>`) additionally to `<F-ID>`
    and the values are different (gh-3217)

### Fixes
* theoretical RCE vulnerability in mailing action using mailutils (mail-whois), CVE-2021-32749, GHSA-m985-3f3v-cwmm
* readline fixed to consider interim new-line character as part of code point in multi-byte logs
  (e. g. unicode encoding like utf-16be, utf-16le);
* [stability] solves race condition with uncontrolled growth of failure list (jail with too many matches,
  that did not cause ban), behavior changed to ban ASAP, gh-2945
* fixes search for the best datepattern - e. g. if line is too short, boundaries check for previously known
  imprecise pattern may fail on incomplete lines (logging break-off, no flush, etc), gh-3020
* [stability, performance] backend `systemd`:
  - fixes error "local variable 'line' referenced before assignment", introduced in 55d7d9e2, gh-3097
  - don't update database too often (every 10 ticks or ~ 10 seconds in production)
  - fixes wrong time point of "in operation" mode, gh-2882
  - better avoidance of landing in dead space by seeks over journals (improved seek to time)
  - fixes missing space in message (tag `<matches>`) between timestamp and host if the message read from systemd journal, gh-3293
* [stability] backend `pyinotify`: fixes sporadic runtime error "dictionary changed size during iteration"
* several backends optimizations (in file and journal filters):
  - don't need to wait if we still had log-entries from last iteration (which got interrupted for servicing)
  - rewritten update log/journal position, it is more stable and faster now (fewer DB access and surely up-to-date at end)
* `paths-debian.conf`:
  - add debian path to roundcube error logs
* `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-`;
  reverted the incompatibility gh-3047 introduced in a038fd5, gh-2821, because this depends now on firewalld backend
  (e. g. `-` vs. `:` related to `iptables` vs. `nftables`)
* `action.d/nginx-block-map.conf`: reload nginx only if it is running (also avoid error in nginx-errorlog, gh-2949)
* `action.d/ufw.conf`:
  - fixed handling on IPv6 (using prepend, gh-2331, gh-3018)
  - application names containing spaces can be used now (gh-656, gh-1532, gh-3018)
* `filter.d/apache-fakegooglebot.conf`:
  - better, more precise regex and datepattern (closes possible weakness like gh-3013)
  - `filter.d/ignorecommands/apache-fakegooglebot` - added timeout parameter (default 55 seconds), avoid fail with timeout
    (default 1 minute) by reverse lookup on some slow DNS services (googlebots must be resolved fast), gh-2951
* `filter.d/apache-overflows.conf` - extended to match AH00126 error (Invalid URI ...), gh-2908
* `filter.d/asterisk.conf` - add transport to asterisk RE: call rejection messages can have the transport prefixed to the IP address, gh-2913
* `filter.d/courier-auth.conf`:
  - consider optional port after IP, gh-3211
  - regex is rewritten without catch-all's and right anchor, so it is more stable against further modifications now
* `filter.d/dovecot.conf`:
  - adjusted for updated dovecot log format with `read(size=...)` in message (gh-3210)
  - parse everything in parentheses by auth-worker info, e. g. can match (pid=...,uid=...) too (amend to gh-2553)
  - extended to match prefix like `conn unix:auth-worker (uid=143): auth-worker<13247>:`
    (authenticate from external service like exim), gh-2553
  - fixed "Authentication failure" regex, matches "Password mismatch" in title case (gh-2880)
* `filter.d/drupal-auth.conf` - more strict regex, extended to match "Login attempt failed from" (gh-2742)
* `filter.d/exim-common.conf` - pid-prefix extended to match `mx1 exim[...]:` (gh-2553)
* `filter.d/lighttpd-auth.conf` - adjusted to the current source code + avoiding catch-all's, etc (gh-3116)
* `filter.d/named-refused.conf`:
  - added support for alternate names (suffix), FreeIPA renames the BIND9 named daemon to named-pkcs11, gh-2636
  - fixes prefix for messages from systemd journal (no mandatory space ahead, because they don't have a timestamp), gh-2899
* `filter.d/nginx-*.conf` - added journalmatch to nginx filters, gh-2935
* `filter.d/nsd.conf` - support for current log format, gh-2965
* `filter.d/postfix.conf`: fixes and new vectors, review and combining several regex to single RE:
  - mode `ddos` (and `aggressive`) extended:
    * to consider abusive handling of clients hitting command limit, gh-3040
    * to handle postscreen's PREGREET and HANGUP messages, gh-2898
  - matches rejects with "undeliverable address" (sender/recipient verification) additionally to "Unknown user", gh-3039
    both are configurable now via extended parameter and can be disabled using `exre-user=` supplied in filter parameters
  - reject: BDAT/DATA from, gh-2927
  - (since regex is more precise now) token selector changed to `[A-Z]{4}`, e. g. no matter what a command is supplied now
    (RCPT, EHLO, VRFY, DATA, BDAT or something else)
  - matches "Command rejected" and "Data command rejected" now
  - matches RCPT from unknown, 504 5.5.2, need fully-qualified hostname, gh-2995
  - matches 550 5.7.25 Client host rejected, gh-2996
* `filter.d/sendmail-auth.conf`:
  - detect several "authentication failure" messages, sendmail 8.16.1, gh-2757
  - detect user not found, gh-3030
  - detect failures without user part, gh-3324
* `filter.d/sendmail-reject.conf`:
  - fix reverse DNS for ... (gh-3012)
  - fixed regex to consider "Connection rate limit exceeded" with different combination of arguments
* `filter.d/sshd.conf`:
  - mode `ddos` extended - recognizes messages "kex_exchange_identification: Connection closed / reset by peer", gh-3086
    (fixed possible regression of f77398c)
  - mode `ddos` extended - recognizes new message "banner exchange: invalid format" generated by port scanner
    (https payload on ssh port), gh-3169
* `filter.d/zoneminder.conf` - support new log format (ERR instead of WAR), add detection of non-existent user login attempts, gh-2984
* amend to gh-980 fixing several actions (correctly supporting new enhancements now)
* fixed typo in `--dump-pretty` option, which never worked (only `--dp` was working)
* fixes start of fail2ban-client in docker: speedup daemonization process by huge open files limit, gh-3334
* provides details of failed regex compilation in the error message we throw in Regex-constructor
  (it's good to know what exactly is wrong)
* fixed: a failed update of the database did not signal an error, gh-3352:
  - client and server exit with error code by failure during start process (in foreground mode)
  - added fallback to repair if database cannot be upgraded

### New Features and Enhancements
* python 3.10 and 3.11 compatibility (and GHA-CI support)
* `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair
  of sane environment (in case of recognized unsane state) would only occur on action errors (e. g.
  if ban or unban operations are exiting with a code other than 0)
* better recognition of log rotation, better performance by reopen: avoid unnecessary seek to begin of file
  (and hash calculation)
* file filter reads only complete lines (ended with new-line) now, so waits for end of line (for its completion)
* datedetector:
  - token `%Z` must recognize zone abbreviation `Z` (GMT/UTC) also (similar to `%z`)
  - token `%Z` recognizes all known zone abbreviations besides Z, GMT, UTC correctly, if it is matching
    (`%z` remains unchanged for backwards-compatibility, see comment in code)
  - date patterns `%ExY` and `%Exy` accept every year from 19xx up to current century (+3 years) in `fail2ban-regex`
  - better grouping algorithm for resulting century RE for `%ExY` and `%Exy`
* actions differentiate tags `<ip>` and `<fid>` (`<F-ID>`), if IP-address deviates from ID then the value
  of `<ip>` is not equal `<fid>` anymore (gh-3217)
* action info extended with new members for jail info (usable as tags in command actions), gh-10:
  - `<jail.found>`, `<jail.found_total>` - current and total found failures
  - `<jail.banned>`, `<jail.banned_total>` - current and total bans
* `filter.d/monitorix.conf` - added new filter and jail for Monitorix, gh-2679
* `filter.d/mssql-auth.conf` - new filter and jail for Microsoft SQL Server, gh-2642
* `filter.d/nginx-bad-request.conf` - added filter to find bad requests (400), gh-2750
* `filter.d/nginx-http-auth.conf` - extended with parameter mode, so additionally to `auth` (or `normal`)
  mode `fallback` (or combined as `aggressive`) can find SSL errors while SSL handshaking, gh-2881
* `filter.d/scanlogd.conf` - new filter and jail, add support for filtering out detected port scans via scanlogd, gh-2950
* `action.d/apprise.conf` - added Apprise support (50+ Notifications), gh-2565
* `action.d/badips.*` - removed actions, badips.com is no longer active, gh-2889
* `action.d/cloudflare.conf` - better IPv6 capability, gh-2891
* `action.d/cloudflare-token.conf` - added support for Cloudflare Token APIs. This method is more restrictive and therefore safer than using API Keys.
* `action.d/ipthreat.conf` - new action for IPThreat integration, gh-3349
* `action.d/ufw.conf` (gh-3018):
  - new option `add` (default `prepend`), can be supplied as `insert 1` for ufw versions before v.0.36 (gh-2331, gh-3018)
  - new options `kill-mode` and `kill` to drop established connections of intruder (see action for details, gh-3018)
* `iptables` and `iptables-ipset` actions extended to support multiple protocols with single action
  for multiport or oneport type (back-ported from nftables action);
* `iptables` actions are more breakdown-safe: start wouldn't fail if chain or rule already exists
  (e. g. created by previous instance and doesn't get purged properly); ultimately closes gh-980
* `ipset` actions are more breakdown-safe: start wouldn't fail if set with this name already exists
  (e. g. created by previous instance and not deleted properly)
* replace internals of several `iptables` and `iptables-ipset` actions using internals of iptables include:
  - better check mechanism (using `-C`, option `--check` has been available for a long time);
  - additionally iptables-ipset is a common action for `iptables-ipset-proto6-*` now (which become obsolete now);
  - many features of different iptables actions are combinable as single chain/rule (can be supplied to action as parameters);
  - iptables is a replacement for iptables-common now, several actions using this as include now become obsolete;
* new logtarget SYSTEMD-JOURNAL, gh-1403
* fail2ban.conf: new fail2ban configuration option `allowipv6` (default `auto`), can be used to allow or disallow IPv6
  interface in fail2ban immediately by start (e. g. if fail2ban starts before network interfaces), gh-2804
* invalidate IP/DNS caches by reload, so inter alia would allow to recognize IPv6IsAllowed immediately, previously
  delayed up to cache max-time (5m), gh-2804
* OpenRC (Gentoo, mainly) service script improvements, gh-2182
* suppress unneeded info "Jail is not a JournalFilter instance" (moved to debug level), gh-3186
* implements new interpolation variable `%(fail2ban_confpath)s` (automatically substituted from config-reader path,
  default `/etc/fail2ban` or `/usr/local/etc/fail2ban` depending on distribution); `ignorecommands_dir` is unneeded anymore,
  thus removed from `paths-common.conf`, fixes gh-3005
* `fail2ban-regex`: accepts filter parameters containing new-line

ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
-----------

### Compatibility
* to v.0.10:
  - 0.11 is totally compatible to 0.10 (configuration- and API-related stuff), but the database
    got some new tables and fields (auto-converted during the first start), so once updated to 0.11, you
    have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (or its different to 0.10 schema)
    if you would need to downgrade to 0.10 for some reason.
* to v.0.9:
  - Filter (or `failregex`) internal capture-groups:

    * If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
      rewrite the regex as in the example below, i.e. using `(?:(?P=ip4)|(?P=ip6))` instead of `(?P=host)`
      (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding to your `usedns` and `raw` settings).

      Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
      ```
      testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
      fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
      ```
    * New internal groups (currently reserved for internal usage):
      `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and other captures in lower case if
      mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).

  - v.0.10 and 0.11 use more precise date template handling, that can be theoretically incompatible to some
    user configurations resp. `datepattern`.

  - Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are
    IPv6-capable now.
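As an added illustration (not part of the original ChangeLog and not fail2ban's own code), the following Python script shows why a 0.9-style `(?P=host)` backreference stops compiling once `<HOST>` expands to the internal `ip4`/`ip6`/`dns` groups, and that both rewrites described above (the conditional backreference and a custom `_cond_ip_` group) restore the "same host twice" check for IPv4, IPv6 and hostname lines while still rejecting a mismatch. The `HOST` expansion and the sample log lines are simplified constructions; the real `<HOST>` regex is longer and depends on the `usedns` and `raw` settings.

```python
import re

# Constructed, simplified stand-ins for the internal groups fail2ban substitutes
# for <HOST> since v0.10 (assumption for illustration; the real expansion is
# longer and also depends on the `usedns` and `raw` settings).
IP4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IP6 = r"(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}"
HOST = rf"(?:(?P<ip4>{IP4})|(?P<ip6>{IP6})|(?P<dns>[\w\-.]+))"

# v0.9 style: <HOST> was a single group named "host", so (?P=host) worked.
OLD_HOST = r"(?P<host>\S+)"
OLD_RE = re.compile(rf"^\s*failure from {OLD_HOST}: bad host (?P=host)$")

# v0.10+ rewrite 1: conditional backreference over the internal groups.
# A backreference to a group that did not take part in the match fails, so
# only the branch for the group that actually matched can succeed.
NEW_RE = re.compile(rf"^\s*failure from {HOST}: bad host (?:(?P=ip4)|(?P=ip6)|(?P=dns))$")

# v0.10+ rewrite 2: wrap <HOST> in an own capture group and reference that.
COND_RE = re.compile(rf"^\s*failure from (?P<_cond_ip_>{HOST}): bad host (?P=_cond_ip_)$")

# Constructed sample lines (epoch timestamp prefix, like the ChangeLog's testln).
LINES = [
    "1500000000 failure from 192.0.2.1: bad host 192.0.2.1",               # ip4, consistent
    "1500000001 failure from 2001:db8::1: bad host 2001:db8::1",           # ip6, consistent
    "1500000002 failure from mail.example.org: bad host mail.example.org", # dns, consistent
    "1500000003 failure from 192.0.2.1: bad host 192.0.2.2",               # mismatch: no match
]

_TS = re.compile(r"^\d+\s+")


def strip_ts(line: str) -> str:
    """Drop the leading epoch timestamp, roughly what fail2ban's datepattern step does."""
    return _TS.sub("", line, count=1)


def compiles(pattern: str) -> bool:
    """True if the pattern compiles; (?P=host) against the new <HOST> does not."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def matched_host(regex, line: str):
    """Return the host captured by whichever internal group matched, or None."""
    m = regex.match(strip_ts(line))
    if m is None:
        return None
    gd = m.groupdict()
    return gd.get("ip4") or gd.get("ip6") or gd.get("dns") or gd.get("host")


if __name__ == "__main__":
    print("(?P=host) compiles against v0.9 <HOST>: ",
          compiles(rf"^\s*failure from {OLD_HOST}: bad host (?P=host)$"))
    print("(?P=host) compiles against v0.10 <HOST>:",
          compiles(rf"^\s*failure from {HOST}: bad host (?P=host)$"))
    for line in LINES:
        print(f"{line!r}\n  conditional: {matched_host(NEW_RE, line)}"
              f"  _cond_ip_: {matched_host(COND_RE, line)}")
```

The order of the alternation matters: the constructed `dns` branch would also accept a dotted IPv4 string, so `ip4` is tried first; the same consideration applies when tuning a real `failregex` so that the host ends up in the group fail2ban expects.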

### Fixes
* [stability] prevent race condition - no ban if filter (backend) is continuously busy if
  too many messages will be found in log, e. g. initial scan of large log-file or journal (gh-2660)
* pyinotify-backend sporadically avoided initial scanning of log-file by start
* python 3.9 compatibility (and Travis CI support)
* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
* manual ban is written to database, so can be restored by restart (gh-2647)
* `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
* no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
  per jail or in default section in jail.local), closes gh-2357
* ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh-2686)
* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
  so would bother the action interpolation
* fixed type conversion in config readers (take place after all interpolations get ready), that allows to
  specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
* `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
  between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh-2703)
* `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing
  with `jq`, gh-2140, gh-2656)
* `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh-2763)
* `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh-2821)
* `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh-2836)
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
  should be interpolated in definition section (inside the filter-config, gh-2650)
* `filter.d/dovecot.conf`:
  - add managesieve and submission support (gh-2795);
  - accept messages with more verbose logging (gh-2573);
* `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh-2697)
* `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle
  the match of username differently (gh-2693):
  - `normal`: matches 401 with supplied username only
  - `ddos`: matches 401 without supplied username only
  - `aggressive`: matches 401 and any variant (with and without username)
* `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh-2749)

### New Features and Enhancements
* fail2ban-regex:
  - speedup formatted output (bypass unneeded stats creation)
  - extended with prefregex statistic
  - more informative output for `datepattern` (e. g. set from filter) - pattern : description
* parsing of action in jail-configs considers space between action-names as separator also
  (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b`
* new filter and jail for GitLab recognizing failed application logins (gh-2689)
* new filter and jail for Grafana recognizing failed application logins (gh-2855)
* new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723)
* `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh-2631)
* `filter.d/bitwarden.conf` enhanced to support syslog (gh-2778)
* introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
* datetemplate: improved anchor detection for capturing groups `(^...)`;
* datepattern: improved handling of wrongly recognized timestamps (timezones, no datepattern, etc)
  as well as some warnings signaling user about invalid pattern or zone (gh-2814):
  - filter gets mode in-operation, which gets activated if filter starts processing of new messages;
    in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
    from now (up to 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
    bypass of failure (previously exceeding `findtime`);
  - better interaction with non-matching optional datepattern or invalid timestamps;
  - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
    whereas filter will use now as timestamp (gh-2802)
* performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template);
* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791;
* extended capturing of alternate tags in filter, allowing combination of multiple groups to single tuple token with new tag
  prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all values of `<F-TUPLE_V?_n?>` tags (gh-2755)

ver. 0.11.1 (2020/01/11) - this-is-the-way
-----------

### Fixes
* purge database will be executed now (within observer).
* restoring currently banned ip after service restart fixed
  (now < timeofban + bantime), ignore old log failures (already banned)
* upgrade database: update new created table `bips` with entries from table `bans` (allows restore
  current bans after upgrade from version <= 0.10)

### New Features
* Increment ban time (+ observer) functionality introduced.
* Database functionality extended with bad ips.
* New tags (usable in actions):
  - `<bancount>` - ban count of this offender if known as bad (started by 1 for unknown)
  - `<bantime>` - current ban-time of the ticket (prolongation can be delayed up to 10 sec.)
* Introduced new action command `actionprolong` to prolong ban-time (e. g. set new timeout if expected);
  Several actions (like ipset, etc.) rewritten using new logic with `actionprolong`.
  Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).

### Enhancements
* algorithm of restore current bans after restart changed: update the restored ban-time (and therefore
  end of ban) of the ticket with ban-time of jail (as maximum), for all tickets with ban-time greater
  (or persistent); not affected if ban-time of the jail is unchanged between stop/start.
* added new setup-option `--without-tests` to skip building and installing of tests files (gh-2287).
* added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?` to get the banned ip addresses (gh-1916).

ver. 0.10.5 (2020/01/10) - deserve-more-respect-a-jedis-weapon-must
-----------

Yes, Hrrrm...

### Fixes
* [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixed in gh-2444 in order to ignore
  user session files per default, so it can prevent "Too many open files" errors on a lot of user sessions (see gh-2392)
* [grave] fixed parsing of multi-line filters (`maxlines` > 1) together with systemd backend,
  now systemd-filter replaces newlines in message from systemd journal with `\n` (otherwise
  multi-line parsing may be broken, because removal of matched string from multi-line buffer window
  is confused by such extra new-lines, so they are retained and get matched on every following
  message, see gh-2431)
* [stability] prevent race condition - no unban if the bans occur continuously (gh-2410);
  now an unban-check will happen no later than after 10 tickets get banned, regardless of whether there are
  still active bans available (precedence of ban over unban-check is 10 now)
* fixed read of included config-files (`.local` overwrites options of `.conf` for config-files
  included with before/after)
* `action.d/abuseipdb.conf`: switched to use AbuseIPDB API v2 (gh-2302)
* `action.d/badips.py`: fixed start of banaction on demand (which may be IP-family related), gh-2390
* `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` are used to match only
  whole words and fixed strings (not as pattern), gh-2298
* `filter.d/apache-auth.conf`:
  - ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
  - extended with option `mode` - `normal` (default) and `aggressive`
* `filter.d/sshd.conf`:
  - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
  - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
  - captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra`
    (with supplied user only) and `ddos`/`aggressive` mode (gh-2115, gh-2239, gh-2279)
* `filter.d/mysqld-auth.conf`:
  - MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains a few additional words
    enclosed in brackets after "[Note]" (gh-2314)
* `filter.d/sendmail-reject.conf`:
  - `mode=extra` now captures port IDs of `TLSMTA` and `MSA` (defaults for ports 465 and 587 on some distros)
* `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313)
* several `action.d/mail*`: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
* `filter.d/sendmail-reject.conf`: fixed journal usage for some systems (e. g. CentOS): if only the identifier
  is set to `sm-mta` (no unit `sendmail`) for some messages (gh-2385)
* `filter.d/asterisk.conf`: asterisk can log an additional timestamp if it logs into systemd-journal
  (regex extended with optional part matching this, gh-2383)
* `filter.d/postfix.conf`:
  - regexps accept variable suffix code in status of postfix for precise messages (gh-2442)
  - extended with new postfix filter mode `errors` to match "too many errors" (gh-2439),
    also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix
    parameter `smtpd_hard_error_limit` defaults to 20 (additionally consider `maxretry`)
* `filter.d/named-refused.conf`:
  - support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
  - `prefregex` extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
* `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf`:
  - ID in prefix can be longer than 14 characters (gh-2563);
* all filters now also accept square brackets around IPv4 addresses (e. g. monit-filter, gh-2494)
* avoids unhandled exception during flush (gh-2588)
* fixes pass2allow-ftp jail - due to inverted handling, the action should prohibit access per default for any IP,
  therefore the start-on-demand parameter is reset for this action (it will be started immediately by repair);
* auto-detection of IPv6 subsystem availability (important for not on-demand actions or jails, like pass2allow);

### New Features
* new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559):
  - `<CIDR>` - helper regex to match CIDR (simple integer form of net-mask);
  - `<SUBNET>` - regex to match sub-net addresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
* grouped tags (`<ADDR>`, `<HOST>`, `<SUBNET>`) recognize IP addresses enclosed in square brackets
* new failregex-flag tag `<F-MLFGAINED>` for failregex, signalling that access to the service was gained
  (currently used similarly to tag `<F-NOFAIL>`, but it does not add the log-line to matches, gh-2279)
* filters: introduced new configuration parameter `logtype` (default `file` for file-backends, and
  `journal` for journal-backends, gh-2387); can also be set to `rfc5424` to force filters (which include common.conf)
  to use an RFC 5424 conforming prefix-line per default (gh-2467);
* for better performance and safety the option `logtype` can also be used to
  select a short prefix-line for file-backends too, for all filters using `__prefix_line` (`common.conf`),
  if messages are logged only with a `hostname svc[nnnn]` prefix (often the case on several systems):
  ```ini
  [jail]
  backend = auto
  filter = flt[logtype=short]
  ```
* `filter.d/common.conf`: differentiate `__prefix_line` for file/journal logtypes (speedup and fix parsing
  of systemd-journal);
* `filter.d/traefik-auth.conf`: used to ban hosts that failed authentication through traefik
* `filter.d/znc-adminlog.conf`: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded
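The `<CIDR>`/`<SUBNET>` tags and the bracketed-address handling listed above, modelled in Python as an added example (not fail2ban's own tag definitions): the regexes, the `denied access from` prefix and the sample lines are constructed for illustration, and each capture is validated with `ipaddress` before it would be handed to a ban action.

```python
import ipaddress
import re

# Constructed approximations of the tags (not fail2ban's own definitions): IPv4, a loose IPv6
# form, a CIDR mask, and a subnet built from them with optional square brackets and optional mask.
IP4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IP6 = r"(?:[0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}"
CIDR = r"\d{1,3}"
SUBNET = rf"(?P<addr>\[(?:{IP4}|{IP6})\]|{IP4}|{IP6})(?:/(?P<cidr>{CIDR}))?"

# Anchored behind a literal message prefix, as a failregex would be; the loose IP6 form on its
# own would also match the time of day in a syslog timestamp.
FAILREGEX = re.compile(rf"denied access from {SUBNET}")


def extract_subnet(line):
    """Return the normalized network for the subnet captured from a log line, or None when
    the regex does not match or the captured text is not a valid address/mask."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    addr = m.group("addr").strip("[]")  # square brackets are accepted but not part of the value
    cidr = m.group("cidr")
    try:
        # strict=False keeps host bits in the capture (2001:db8::1/64 -> 2001:db8::/64), which
        # is the intended meaning of a subnet ban; ValueError catches regex matches that are
        # not real addresses, e.g. an octet above 255.
        net = ipaddress.ip_network(addr if cidr is None else f"{addr}/{cidr}", strict=False)
    except ValueError:
        return None
    return str(net)


# Constructed sample lines (not from a real service).
SAMPLE_LINES = [
    "Jan 10 10:00:01 host svc[1]: denied access from [192.0.2.10] for user bob",
    "Jan 10 10:00:02 host svc[1]: denied access from 192.0.2.0/24 for user bob",
    "Jan 10 10:00:03 host svc[1]: denied access from [2001:db8::1] for user bob",
    "Jan 10 10:00:04 host svc[1]: denied access from 2001:db8::/32 for user bob",
    "Jan 10 10:00:05 host svc[1]: denied access from [2001:db8::1]/64 for user bob",
    "Jan 10 10:00:06 host svc[1]: denied access from 999.1.1.1 for user bob",
    "Jan 10 10:00:07 host svc[1]: accepted access from 192.0.2.11 for user alice",
]


def extract_all(lines=SAMPLE_LINES):
    """Run the extraction over every sample line; None marks lines that yield no ban target."""
    return [extract_subnet(line) for line in lines]


if __name__ == "__main__":
    for line, net in zip(SAMPLE_LINES, extract_all()):
        print(f"{net!s:18} <- {line}")
```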

### Enhancements
* introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to control
  how many matches per ticket fail2ban can hold in memory and store in database (gh-2402, gh-2118);
* fail2ban.conf: introduced new section `[Thread]` and option `stacksize` to configure the default size
  of the stack for threads running in fail2ban (gh-2356); it can be set in `fail2ban.local` to
  avoid the runtime error "can't start new thread" (see gh-969);
* jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations
  containing new-line);
* fail2ban-client: extended to ban/unban multiple tickets (see gh-2351, gh-2349);
  Syntax:
  - `fail2ban-client set <jail> banip <ip1> ... <ipN>`
  - `fail2ban-client set <jail> unbanip [--report-absent] <ip1> ... <ipN>`
* fail2ban-client: extended with a new feature which allows informing fail2ban about single or multiple
  attempts (failures) for an IP (resp. failure-ID), see gh-2351;
  Syntax:
  - `fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]`
* `action.d/nftables.conf`:
  - isolate fail2ban rules into a dedicated table and chain (gh-2254)
  - `nftables-allports` supports multiple protocols in single rule now
  - combined nftables actions to single action `nftables`:
    * `nftables-common` is removed (replaced with single action `nftables` now)
    * `nftables-allports` is obsolete, superseded by `nftables[type=allports]`
    * `nftables-multiport` is obsolete, superseded by `nftables[type=multiport]`
  - allowed multiple protocols in `nftables[type=multiport]` action (single set with multiple rules
    in chain), the following configuration in a jail would replace 3 separate actions, see
    https://github.com/fail2ban/fail2ban/pull/2254#issuecomment-534684675
* `action.d/badips.py`: option `loglevel` extended with level of summary message,
  the following example configuration logs the summary with NOTICE and the rest with DEBUG log-level:
  `action = badips.py[loglevel="debug, notice"]`
* samplestestcase.py (testSampleRegexsFactory) extended:
  - allow coverage of journal logtype;
  - new option `fileOptions` to set common filter/test options for whole test-file;
* large enhancement: auto-reban, improved invariant check and conditional operations (gh-2588):
  - improves invariant check and repair (avoid unhandled exception, consider family on conditional operations, etc),
    prepared for bulk re-ban in repair case (if bulk-ban gets implemented);
  - automatic reban (repeat banning action) after repair/restore of a sane environment, if an already logged ticket causes
    new failures (via new action operation `actionreban`, or `actionban` if still not defined in action);
  * introduces banning epoch for actions and tickets (to distinguish or recognize removed set of the tickets);
  * invariant check avoids repair by unban/stop (unless parameter `actionrepair_on_unban` is set to `true`);
  * better handling for all conditional operations (distinguish families for certain operations like
    repair/flush/stop, prepared for other families, e. g. if different handling for subnets expected, etc);
  * partially implements gh-980 (more breakdown-safe handling);
  * closes gh-1680 (better than a large-scale banning implementation, with on-demand reban by failure,
    at least unless a bulk-ban gets implemented);
* fail2ban-regex - several enhancements and fixes:
  - improved usage output (don't put out the long help if an error occurs);
  - new option `--no-check-all` to avoid checking all regexes (first match only);
  - new option `-o`, `--out` to set the token to be output only (disables check-all and outputs only the expected data).


ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four
-----------

### Fixes
* `filter.d/dovecot.conf`:
  - failregex enhancement to catch sql password mismatch errors (gh-2153);
  - disconnected with "proxy dest auth failed" (gh-2184);
* `filter.d/freeswitch.conf`:
  - provide compatibility for log-format from gh-2193:
    * extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
      `YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
    * more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
  - extended with mode parameter, which allows avoiding matching of messages like `auth challenge (REGISTER)`
    (see gh-2163) (currently `extra` as default to be backwards-compatible), see the comments in the filter
    for how to set it to mode `normal`.
* `filter.d/domino-smtp.conf`:
  - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
  - failregex extended to catch connections rejected for policy reasons (gh-2228);
* `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters starting with '_' are protected
  and not allowed in command-actions), see gh-2114;
* decoding stability fix for wrongly encoded characters like utf-8 surrogate pairs, etc (gh-2171):
  - fail2ban now runs in the preferred encoding (as default encoding also within python 2.x), mostly
    `UTF-8` as opposed to `ascii` previously, which minimizes the influence of implicit conversion errors;
  - actions: avoid possible conversion errors on wrong chars by replace tags;
  - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
    additionally both are exception-safe now, avoiding possible locking of the database (closes gh-2137);
  - logging in fail2ban is process-wide exception-safe now.
* repaired start-time of initial seek to time (as well as other log-parsing related data),
  if parameter `logpath` is specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
* systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);

### New Features
* new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`,
  `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
* `ignorecommand` extended to use actions-similar replacement (capable of interpolating
  all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)

### Enhancements
* `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
* since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return the version without logo info;
  additionally option `-V` can be used to get the version in a normalized, machine-readable short format.


ver. 0.10.3 (2018/04/04) - the-time-is-always-right-to-do-what-is-right
-----------

### ver. 0.10.3.1:
* fixed JSON serialization for the set-object within dump into database (gh-2103).

### Fixes
* `filter.d/asterisk.conf`: fixed failregex prefix when logging via a remote syslog server (gh-2060);
* `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
* `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;
* `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf`:
  - fixed failregex, sendmail uses prefix 'IPv6:' when logging IPv6 addresses (gh-2064);
* `filter.d/sshd.conf`:
  - failregex got an optional space in order to match new log-format (see gh-2061);
  - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
  - fixed root login refused regex (optional port before preauth, gh-2080);
  - avoid banning of legitimate users when pam_unix is used in combination with another password method, so
    bypass pam_unix failures if an accepted login is available for this user (gh-2070);
  - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediately);
  - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
    it counts a failure on closing connection within preauth-stage (gh-2085);
* `action.d/abuseipdb.conf`: fixed curl cipher errors and comment quote-issue (gh-2044, gh-2101);
* `action.d/badips.py`: implicitly convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
* `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
* (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);

### New Features
* several stability and performance optimizations, more effective filter parsing, etc;
* stably runnable within python version 3.6 (as well as within 3.7-dev);

### Enhancements
* `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
* `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
* date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
* possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
  the epoch-pattern, similar to `{DATE}` patterns, does the capture and cuts the match of the whole pattern out of the log-line,
  e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from the beginning of the log-line.
* badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
* add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
* Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG):
  Usage `logtarget = target[padding=on|off]`


ver. 0.10.2 (2018/01/18) - nothing-burns-like-the-cold
-----------

### Incompatibility list:
* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
  anchors now (see `action.d/pf.conf` for more information). If you want to use the obsolete handling without anchors,
  just override the `pfctl` parameter in `jail.local`, e. g. like `banaction = pf[pfctl="pfctl"]`.

### Fixes
* Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
  writing the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
* Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port, is old and rarely
  (if ever) used, and can be missing on some systems (e. g. debian stretch), see gh-1942.
* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
  in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
* `action.d/pf.conf`:
  - fixed syntax error in anchor definition (documentation, see gh-1919);
  - enclose ports in braces for multiport jails (see gh-1925);
* `action.d/firewallcmd-ipset.conf`: fixed creation of set for ipv6 (missing `family inet6`, gh-1990)
* `filter.d/sshd.conf`:
  - extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
    forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
    see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
  - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);

### New Features
* datedetector: extended default date-patterns (allows extra space between the date and time stamps);
  introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
  - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
    (corresponds to %H, but allows space if not zero-padded).
  - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
    (corresponds to %I, but allows space if not zero-padded).
* `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
* New Actions:
  - `action.d/nginx-block-map.conf` - in order to ban non-IP-related tickets via nginx (session blacklisting in
    nginx-location with map-file);

### Enhancements
* jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
* action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
* Introduced new parameters for logging within fail2ban-server (gh-1980).
  Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
  - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
    for the list of facilities);
  - `datetime` - add date-time to the message (default on, ignored if `format` specified);
  - `format` - specify your own format for how it will be logged, for example for a short log into STDOUT:
    `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
* Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
  'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
  and if the repair fails, recreate a new database (gh-1465, gh-2004).


ver. 0.10.1 (2017/10/12) - succeeded-before-friday-the-13th
-----------

### Fixes
* fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
* jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
* avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables
  'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
* action.d/pf.conf: several fixes for pf-action like anchoring, etc. (see gh-1866, gh-1867);
* fixed ignoreself issue "Retrieving own IPs of localhost failed: inet_pton() argument 2 must be string, not int" (see gh-1865);
* fixed tags `<fq-hostname>` and `<sh-hostname>`, can be used without ticket (e. g. in `actionstart` etc., gh-1859).

* setup.py: fixed several setup facilities (gh-1874):
  - don't check the return code on dry-run: returns 256 on some python/setuptool versions;
  - `files/fail2ban.service` renamed as template to `files/fail2ban.service.in`;
  - setup process generates `build/fail2ban.service` from `files/fail2ban.service.in` using distribution related bin-path;
  - bug-fixing by running setup with option `--dry-run`;

### New Features
* introduced new command-line options `--dp`, `--dump-pretty` to dump the configuration using a more
  human readable representation (as opposed to `-d`);

### Enhancements
* nftables actions are IPv6-capable now (gh-1893)
* filter.d/dovecot.conf: introduced mode `aggressive` for cases like "disconnected before auth was ready" (gh-1880)


ver. 0.10.0 (2017/08/09) - long-awaited 0.10th version
-----------

TODO: implementing of options resp. other tasks from PR #1346
documentation should be extended (new options, etc)

### Fixes
* `filter.d/apache-auth.conf`:
  - better failure recognition using short form of regex (url/referer are foreign inputs, see gh-1645)
* `filter.d/apache-common.conf` (`filter.d/apache-*.conf`):
  - support of apache log-format if logging into syslog/systemd (gh-1695), using parameter `logging`,
    parameter usage for jail:
        filter = apache-auth[logging=syslog]
    parameter usage for `apache-common.local`:
        logging = syslog
* `filter.d/pam-generic.conf`:
  - [grave] injection on user name to host fixed
* `filter.d/sshd.conf`:
  - rewritten using `prefregex` and used MLFID-related multi-line parsing
    (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
  - optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all),
    see sshd.conf for regex details
* `filter.d/sendmail-reject.conf`:
  - rewritten using `prefregex` and used MLFID-related multi-line parsing;
  - optional parameter `mode` introduced: normal (default), extra or aggressive
* `filter.d/haproxy-http-auth`: do not mistake client port for part of an IPv6 address (gh-1745)
* `filter.d/postfix.conf`:
  - updated to latest postfix formats
  - joined several postfix filters together (normalized and optimized version, gh-1825)
  - introduced new parameter `mode` (see gh-1825): more (default, combines normal and rbl), auth, normal,
    rbl, ddos, extra or aggressive (combines all)
  - postfix postscreen (resp. other RBLs) compatibility fix (gh-1764, gh-1825)
* `filter.d/postfix-rbl.conf`: removed (replaced with `postfix[mode=rbl]`)
* `filter.d/postfix-sasl.conf`: removed (replaced with `postfix[mode=auth]`)
* `filter.d/roundcube-auth.conf`:
  - fixed regex when `X-Real-IP` or/and `X-Forwarded-For` are present after host (gh-1303);
  - fixed regex when logging authentication errors to journal instead of to a local file (gh-1159);
  - additionally fixed more complex injections on username (e. g. using dot after fake host).
* `filter.d/ejabberd-auth.conf`: fixed failregex - accept new log-format (gh-993)
* `action.d/complain.conf`
  - fixed using new tag `<ip-rev>` (sh/dash compliant now)
* `action.d/sendmail-geoip-lines.conf`
  - fixed using new tag `<ip-host>` (without external command execution)
* fail2ban-regex: fixed matched output by multi-line (buffered) parsing
* fail2ban-regex: support for multi-line debuggex URL implemented (gh-422)
* fixed ipv6-action errors on systems not supporting ipv6 and vice versa (gh-1741)
* fixed directory-based log-rotate for pyinotify-backend (gh-1778)

### New Features
* New Actions:

* New Filters:

### Enhancements
* Introduced new filter option `prefregex` for pre-filtering using single regular expression (gh-1698);
* Many times faster and less CPU-hungry because of parsing with `maxlines=1`, so without
  line buffering (scrolling of the buffer-window).
  Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs
  using single-line expressions:
  - tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same
    identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`,
    see sshd.conf for example);
  - tag `<F-MLFFORGET>`: can be used as mark to forget current multi-line MLFID (e. g. by connection
    closed, reset or disconnect etc);
  - tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info,
    e. g. from lines that contain IP-address);
  As opposed to the obsolete multi-line parsing (using buffering with `maxlines`) it is more precise and
  can recognize multiple failure attempts within the same connection (MLFID).
* Several filters optimized with pre-filtering using new option `prefregex`, and multiline filter
  using `<F-MLFID>` + `<F-NOFAIL>` combination;
* Exposes filter group captures in actions (non-recursive interpolation of tags `<F-...>`,
  see gh-1698, gh-1110)
* Some filters extended with user name (can be used in gh-1243 to distinguish IP and user,
  resp. to remove only the user-related failures after a successful login);
* Safer, more stable and faster replaceTag interpolation (switched from a loop over all tags
  to re.sub with callable)
* substituteRecursiveTags optimization + moved into helpers facilities (because currently used
  commonly in server and in client)
* New tags (usable in actions):
  - `<fid>` - failure identifier (if raw resp. failures without IP address)
  - `<ip-rev>` - PTR reversed representation of IP address
  - `<ip-host>` - host name of the IP address
  - `<bancount>` - ban count of this offender if known as bad (starts at 1 for unknown)
  - `<bantime>` - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
  - `<F-...>` - interpolates to the corresponding filter group capture `...`
  - `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
  - `<sh-hostname>` - short hostname (the same as `$(uname -n)`)
* Introduced new action command `actionprolong` to prolong ban-time (e. g. set new timeout if expected);
  Several actions (like ipset, etc.) rewritten using new logic with `actionprolong`.
  Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).
* Allow to use filter options by `fail2ban-regex`, example:
      fail2ban-regex text.log "sshd[mode=aggressive]"
* Samples test case factory extended with filter options - dict in JSON to control
  filter options (e. g. mode, etc.):
      # filterOptions: {"mode": "aggressive"}
* Introduced new jail option "ignoreself", specifies whether the local resp. own IP addresses
  should be ignored (default is true). Fail2ban will not ban a host which matches such addresses.
  Option "ignoreip" applies in addition to "ignoreself" and doesn't need to include the DNS names
  resp. IPs of the host itself.
* Regex will be compiled as MULTILINE only if needed (buffering with `maxlines` > 1), that enables:
  - to improve performance by the single line parsing (see gh-1733);
  - to make the regex more precise (because it distinguishes between anchors `^`/`$` for the begin/end of string
    and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow
    parsing of log-entries containing new-line chars (as a single entry);
  - if a multiline regex is nevertheless expected (by single-line parsing without buffering), the prefix `(?m)`
    can be used in the regex to enable it;
* Implemented execution of `actionstart` on demand (conditional), if action depends on `family` (gh-1742):
  - new action parameter `actionstart_on_demand` (bool) can be set to prevent/allow starting action
    on demand (default retrieved automatically, if some conditional parameter `param?family=...`
    is present in action properties), see `action.d/pf.conf` for example;
  - additionally `actionstop` will be executed only for families previously executing `actionstart`
    (starting on demand only)
* Introduced new command `actionflush`: executed in order to flush all bans at once,
  e. g. by unban all, reload with removing action, stop, shutdown of the system (gh-1743);
  the actions having `actionflush` do not execute `actionunban` for each single ticket
* Add new command `actionflush` default for several iptables/iptables-ipset actions (and common include);
* Add new jail option `logtimezone` to force the timezone on log lines that don't have an explicit one (gh-1773)
* Implemented zone abbreviations (like CET, CEST, etc.) and abbr+-offset functionality (accept zones
  like 'CET+0100'), for the list of abbreviations see strptime.TZ_STR;
* Introduced new option `--timezone` (resp. `--TZ`) for `fail2ban-regex`.
* Tokens `%z` and `%Z` are changed (more precise now);
* Introduced new tokens `%Exz` and `%ExZ` that fully support zone abbreviations and/or offset-based
  zones (implemented as enhancement using custom `datepattern`, because they may be too dangerous for default
  patterns and tokens like `%z`);
  Note: the extended tokens support zone abbreviations, but they can parse 1 or 3-5 char(s) in lowercase.
  Don't use them in default date-patterns (if not anchored, less precise resp. optional).
  Because python currently does not support mixing of case-sensitive with case-insensitive matching,
  the TZ (in uppercase) cannot be combined with `%a`/`%b` etc (that are currently case-insensitive),
  to avoid invalid date-time recognition in strings like '11-Aug-2013 03:36:11.372 error ...' with
  wrong TZ "error".
  Hence `%z` currently matches literal Z|UTC|GMT only (and offset-based), and `%Exz` all zone
  abbreviations.
* `filter.d/courier-auth.conf`: support failed logins with method only
* Config readers: introduced new syntax `%(section/option)s`; as opposed to the extended interpolation of
  python 3 `${section:option}`, it works with all python versions supported by fail2ban, and this syntax is
  like our other features such as `%(known/option)s`, etc. (gh-1750)
* Variable `default_backend` switched to `%(default/backend)s`, so it is totally backwards compatible now,
  but the setting of parameter `backend` in the default section of `jail.local` can now also overwrite the default
  backend (see gh-1750). In future versions parameter `default_backend` can be removed (incompatibility,
  possibly some distributions affected).
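A simplified model of the `<F-MLFID>` / `<F-NOFAIL>` / `<F-MLFFORGET>` mechanism described in the enhancements above, as an added example (not fail2ban's own implementation): Python named groups and a small flag set stand in for the tags, a constructed sshd-style log is embedded inline, and the parser shows how host-less failure lines get attributed to the address seen earlier on the same connection, including the two edge cases where the failure arrives before the address and where a pid is reused after `<F-MLFFORGET>`.

```python
import re
from collections import defaultdict

# Constructed sample (not from a real system): two SSH connections identified by the sshd pid,
# where only the "Connection from" line of each connection carries the client address.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[2001]: Connection from 192.0.2.10 port 40000 on 198.51.100.1 port 22
Jan 10 10:00:02 host sshd[2001]: Failed password for root
Jan 10 10:00:03 host sshd[2001]: Failed password for root
Jan 10 10:00:04 host sshd[2001]: Disconnected from authenticating user root [preauth]
Jan 10 10:00:05 host sshd[2002]: Failed password for invalid user admin
Jan 10 10:00:06 host sshd[2002]: Connection from 203.0.113.5 port 40001 on 198.51.100.1 port 22
Jan 10 10:00:07 host sshd[2001]: Failed password for root
"""

# Stand-in for prefregex: the named group "mlfid" plays the role of <F-MLFID> (here the pid),
# "content" is what the failregex list below is matched against.
PREFREGEX = re.compile(r"^\S+ \d+ \S+ \S+ sshd\[(?P<mlfid>\d+)\]: (?P<content>.*)$")

# Stand-ins for failregex entries: (regex, flags). The named group "host" plays the role of
# <HOST>; the flag "nofail" stands for <F-NOFAIL>, "forget" for <F-MLFFORGET>.
FAILREGEX = [
    (re.compile(r"^Connection from (?P<host>\S+) port \d+"), {"nofail"}),
    (re.compile(r"^Failed password for (?:invalid user )?\S+$"), set()),
    (re.compile(r"^Disconnected from .*\[preauth\]$"), {"nofail", "forget"}),
]


class MlfidParser:
    """Accumulates per-connection failure info so that single-line regexes can attribute
    host-less failure lines to the address seen earlier on the same connection."""

    def __init__(self):
        # mlfid -> {"host": str or None, "failures": int}; failures wait here until the
        # host of that connection is known.
        self.pending = defaultdict(lambda: {"host": None, "failures": 0})
        self.failures = defaultdict(int)  # host -> attributed failure count

    def feed(self, line):
        m = PREFREGEX.match(line)
        if not m:
            return
        mlfid, content = m.group("mlfid"), m.group("content")
        for rx, flags in FAILREGEX:
            fm = rx.match(content)
            if not fm:
                continue
            info = self.pending[mlfid]
            if "host" in rx.groupindex:
                info["host"] = fm.group("host")
            if "nofail" not in flags:
                info["failures"] += 1
            # Flush buffered failures as soon as the connection's host is known.
            if info["host"] and info["failures"]:
                self.failures[info["host"]] += info["failures"]
                info["failures"] = 0
            if "forget" in flags:
                # Connection ended: a later reuse of the same pid must not inherit this host.
                del self.pending[mlfid]
            break  # first matching failregex wins

    def unresolved(self):
        """Failures still waiting for a host, i.e. never attributable to an address."""
        return sum(info["failures"] for info in self.pending.values())


def parse(text):
    """Return (attributed failures per host, count of unresolved failures)."""
    parser = MlfidParser()
    for line in text.splitlines():
        parser.feed(line)
    return dict(parser.failures), parser.unresolved()


if __name__ == "__main__":
    print(parse(SAMPLE_LOG))  # ({'192.0.2.10': 2, '203.0.113.5': 1}, 1)
```

The last sample line reuses pid 2001 after its `[preauth]` disconnect, so its failure stays unresolved instead of being charged to 192.0.2.10; with `maxlines`-style buffering the same line would have been matched against the stale address.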
|
|
|
|
|
|
ver. 0.10.0-alpha-1 (2016/07/14) - ipv6-support-etc
|
|
-----------
|
|
|
|
### Fixes
|
|
* [Grave] memory leak's fixed (gh-1277, gh-1234)
|
|
* [Grave] Misleading date patterns defined more precisely (using extended syntax
|
|
`%Ex[mdHMS]` for exact two-digit match or e. g. `%ExY` as more precise year
|
|
pattern, within same century of last year and the next 3 years)
|
|
* [Grave] extends date detector template with distance (position of match in
|
|
log-line), to prevent grave collision using (re)ordered template list (e.g.
|
|
find-spot of wrong date-match inside foreign input, misleading date patterns
|
|
by ambiguous formats, etc.)
|
|
* Distance collision check always prefers template with shortest distance
|
|
(left for right) if date pattern is not anchored
* Tricky bug fix: the last position of a log file was never retrieved (gh-795),
  because, with CASCADE, all log entries are deleted from the logs table together
  with the jail when an "INSERT OR REPLACE" statement is used
* Asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
* testSocket: sporadic bug repaired - wait until the server thread starts a socket (listener)
* testExecuteTimeoutWithNastyChildren: sporadic bug repaired - wait for pid file inside bash,
  kill tree in any case (gh-1155)
* purge database will be executed now (within observer).
* restoring currently banned ip after service restart fixed
  (now < timeofban + bantime), ignore old log failures (already banned)
* Fixed high load of pyinotify-backend,
  see https://github.com/fail2ban/fail2ban/issues/885#issuecomment-248964591
* Database: stability fix - repack cursor iterator as long as locked
* File filter backends: stability fix for sporadic errors - always close file
  handle, otherwise it may stay locked (prevents log-rotate, etc.)
* Pyinotify-backend: stability fix for sporadic errors in multi-threaded
  environment (without lock)
* Fixed sporadic error in testCymruInfoNxdomain, because of unsorted values
* Misleading errors logged from ignorecommand in success case on retcode 1 (gh-1194)
* fail2ban.service - systemd service updated (gh-1618):
  - starting service in normal mode (without forking)
  - does not restart if service exited normally (exit-code 0, e.g. stopped via fail2ban-client)
  - does not restart if service can not start (exit-code 255, e.g. wrong configuration, etc.)
  - service can be additionally started/stopped with commands (fail2ban-client, fail2ban-server)
  - automatically creates `/var/run/fail2ban` directory before starting fail2ban
    (systems with virtual resp. memory-based FS for `/var/run`), see gh-1531
  - if fail2ban is running as systemd-service, for logging to the systemd-journal
    the `logtarget` could be set to STDOUT
  - value `logtarget` for system targets allowed also in lowercase (stdout, stderr, syslog, etc.)
* Fixed UTC/GMT named time zone, using `%Z` and `%z` patterns
  (special case with 0 zone offset, see gh-1575)
* `filter.d/freeswitch.conf`
  - Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
  - User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)
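
The gh-795 item in the list above (log positions lost because re-adding a jail cascaded into the logs table) can be reproduced in a few lines of SQLite. This is an added example and not fail2ban's own database code; the two-table schema, the jail name, the log path and the stored position are constructed for the demonstration:

```python
"""Demonstrates why "INSERT OR REPLACE" on a parent row loses its child rows
under ON DELETE CASCADE (the gh-795 bug class) and the "INSERT OR IGNORE"
alternative that keeps them. Added example; the schema is a simplified,
constructed one, not fail2ban's actual database layout."""
import sqlite3


def open_db():
    """In-memory database with a jail -> logs parent/child relation."""
    conn = sqlite3.connect(":memory:")
    # Foreign-key enforcement is OFF by default in SQLite; the CASCADE
    # behaviour shown here only exists once it is switched on.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE jails (
            name    TEXT NOT NULL PRIMARY KEY,
            enabled INTEGER NOT NULL DEFAULT 1
        );
        CREATE TABLE logs (
            jail        TEXT NOT NULL,
            path        TEXT NOT NULL,
            lastfilepos INTEGER NOT NULL DEFAULT 0,
            FOREIGN KEY(jail) REFERENCES jails(name) ON DELETE CASCADE,
            UNIQUE(jail, path)
        );
    """)
    return conn


def add_jail_replace(conn, name):
    """Buggy variant: on a PRIMARY KEY conflict REPLACE deletes the old
    jail row first, and that delete cascades into 'logs'."""
    conn.execute("INSERT OR REPLACE INTO jails(name, enabled) VALUES (?, 1)", (name,))


def add_jail_ignore(conn, name):
    """Fixed variant: an existing jail row is left alone (only re-enabled),
    so the recorded log positions survive a re-add on restart."""
    conn.execute("INSERT OR IGNORE INTO jails(name, enabled) VALUES (?, 1)", (name,))
    conn.execute("UPDATE jails SET enabled = 1 WHERE name = ?", (name,))


def update_log_pos(conn, jail, path, pos):
    """Record how far a log file has been read (logs has no children, so
    REPLACE is harmless here)."""
    conn.execute(
        "INSERT OR REPLACE INTO logs(jail, path, lastfilepos) VALUES (?, ?, ?)",
        (jail, path, pos))


def last_pos(conn, jail, path):
    """Stored position for the file, or None when the row is gone."""
    row = conn.execute(
        "SELECT lastfilepos FROM logs WHERE jail = ? AND path = ?",
        (jail, path)).fetchone()
    return None if row is None else row[0]


def simulate_restart(add_jail):
    """Store a position, re-add the jail the way a service restart does,
    and report which position is left for the log file."""
    conn = open_db()
    add_jail(conn, "sshd")
    update_log_pos(conn, "sshd", "/var/log/auth.log", 123456)  # constructed values
    add_jail(conn, "sshd")  # second add: the jail already exists
    return last_pos(conn, "sshd", "/var/log/auth.log")


if __name__ == "__main__":
    print("INSERT OR REPLACE:", simulate_restart(add_jail_replace))  # None
    print("INSERT OR IGNORE: ", simulate_restart(add_jail_ignore))   # 123456
```

With the REPLACE variant the position comes back as `None`: the conflict on the primary key makes SQLite delete the existing jail row before inserting the new one, and because foreign keys are enabled the delete cascades into `logs`, so the server starts reading the file from the beginning again. Without `PRAGMA foreign_keys = ON` SQLite enforces no foreign keys at all, which is why such a CASCADE clause can look harmless in one setup and destructive in another.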

### New Features
* IPv6 support:
  - IP addresses are now handled as objects rather than strings, capable of
    handling both address types IPv4 and IPv6
  - iptables related actions have been amended to support IPv6 specific actions
    additionally
  - hostsdeny and route actions have been tested to be aware of v4 and v6 already
  - pf action for *BSD systems has been improved and now supports both v4 and v6
  - name resolution is now working for either address type
  - new conditional section functionality used in config resp. includes:
    - [Init?family=inet4] - IPv4 qualified hosts only
    - [Init?family=inet6] - IPv6 qualified hosts only
* Increment ban time (+ observer) functionality introduced.
  Thanks Serg G. Brester (sebres)
* Database functionality extended with bad ips.
* New reload functionality (now totally without restart, unbanning/rebanning, etc.),
  see gh-1557
* Several commands extended and new commands introduced:
  - `restart [--unban] [--if-exists] <JAIL>` - restarts the jail \<JAIL\>
    (alias for `reload --restart ... <JAIL>`)
  - `reload [--restart] [--unban] [--all]` - reloads the configuration without restarting
    the server; the option `--restart` activates complete restarting of affected jails,
    which can thereby unban IP addresses (if option `--unban` specified)
  - `reload [--restart] [--unban] [--if-exists] <JAIL>` - reloads the jail \<JAIL\>,
    or restarts it (if option `--restart` specified), at the same time unbans all IP addresses
    banned in this jail, if option `--unban` specified
  - `unban --all` - unbans all IP addresses (in all jails and database)
  - `unban <IP> ... <IP>` - unbans \<IP\> (in all jails and database) (see gh-1388)
  - introduced new option `-t` or `--test` to test configuration resp. start server only
    if configuration is clean (fails on wrongly configured jails if option `-t` specified)
* New command action parameter `actionrepair` - command executed in order to restore
  a sane environment in the error case of `actioncheck`.
* Reporting via abuseipdb.com:
  - Bans can now be reported to abuseipdb
  - Categories must be set in the config
  - Relevant log lines included in report

### Enhancements
* Huge increase of fail2ban performance and especially test-cases performance (see gh-1109)
* Datedetector: in-place reordering using hits and last used time:
  matchTime, template list etc. rewritten because of performance degradation
* Prevent out of memory situation if many IPs make extremely many failures (maxEntries)
* Introduced string to seconds (str2seconds) for configuration entries with time,
  use `1h` instead of `3600`, `1d` instead of `86400`, etc
* seekToTime - prevent complete read of big files the first time (after start of service),
  initial seek to start time using half-interval search algorithm (see issue gh-795)
* Ticket and some other modules prepared for easy merge with newest version of 'ban-time-incr'
* Cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name,
  especially for wrong dns or lazy dns-system
* FailManager memory-optimization: increases performance,
  prevents memory leakage, because the failures list is not copied on some operations
* fail2ban-testcases - new options introduced:
  - `-f`, `--fast` to decrease wait intervals, avoid passive waiting, and skip
    a few very slow test cases (implies memory database, see `-m`, and no gamin tests `-g`)
  - `-g`, `--no-gamin` to prevent running of tests that require gamin (slow)
  - `-m`, `--memory-db` - run database tests using memory instead of file
  - `-i`, `--ignore` - negate [regexps] filter to ignore tests matching specified regexps
* Background servicing: prevents memory leak on some platforms/python versions, using forced GC
  in periodic intervals (latency and threshold)
* executeCmd partially moved from action to new module utils
* Several functions of class `DNSUtils` moved to new class `IPAddr`,
  both classes moved to new module `ipdns`
* Pseudo-conditional section introduced, for conditional substitution resp.
  evaluation of parameters for different family qualified hosts,
  syntax `[Section?family=inet6]` (currently used for IPv6-support only).
* All the backends were rewritten to get reload-possibility, performance increased,
  so less greedy regarding cpu- resp. system-load now
* Numeric log-level allowed now in server (resp. fail2ban.conf);
* Implemented better error handling in some multi-threaded routines; shutdown of jails
  rewritten (faster and safer, does not break the shutdown process if some error occurred)
* Possibility for overwriting some configuration options (read with config-readers)
  with command line option, e. g.:
  ```bash
  ## start server with DEBUG log-level (ignore level read from fail2ban.conf):
  fail2ban-client --loglevel DEBUG start
  ## or
  fail2ban-server -c /cfg/path --loglevel DEBUG start
  ## keep server log-level by reload (without restarting it)
  fail2ban-client --loglevel DEBUG reload
  ## switch log-level back to INFO:
  fail2ban-client set loglevel INFO
  ```
* Optimized BanManager: increased performance, less system load, tries to prevent
  memory leakage:
  - better ban/unban handling within actions (e.g. used dict instead of list)
  - don't copy bans resp. its list on some operations;
  - added new unbantime handling to relieve unBanList (prevent permanent
    searching for tickets to unban)
  - prefer failure-ID as identifier of the ticket to its IP (most of the time
    the same, but it can be something else e.g. user name in some complex jails,
    as introduced in 0.10)
* Regexp enhancements:
  - build replacement of `<HOST>` substitution corresponding to parameter
    `usedns` - dns-part will be added only if `usedns` is not `no`,
    also using fail2ban-regex
  - new replacement for `<ADDR>` in opposition to `<HOST>`, for separate
    usage of 2 address groups only (regardless of `usedns`), `ip4` and `ip6`
    together, without host (dns)
* Misconfigured jails don't prevent fail2ban from starting, server starts
  nevertheless, as long as one jail was successfully configured (gh-1619).
  Message about wrong jail configuration logged in client log (stdout, systemd
  journal etc.) and in server log with error level
* More precise date template handling (WARNING: theoretically possible incompatibilities):
  - datedetector rewritten stricter than earlier;
  - default templates can be specified more exactly using prefix/suffix syntax (via `datepattern`);
  - more than one date pattern can be specified using option `datepattern` now
    (new-line separated);
  - some default options like `datepattern` can be specified directly in
    section `[Definition]`, which avoids the contrary usage of an unnecessary `[Init]`
    section, because of performance (each extra section costs time);
  - option `datepattern` can be specified in jail also (e. g. jails without filters
    or custom log-format, new-line separated for multiple patterns);
  - if a first unnamed group is specified in pattern, only this will be cut out from
    the searched log-line (e. g.: `^date:[({DATE})]` will cut out only the datetime match
    pattern, and leaves `date:[] ...` for searching in filter);
  - faster match and less searching of appropriate templates
    (DateDetector.matchTime calls DateTemplate.matchDate more rarely now);
  - several standard filters extended with exact prefixed or anchored date templates;
* Added possibility to recognize restored state of the tickets (see gh-1669).
  New option `norestored` introduced, to ignore restored tickets (after restart).
  To avoid execution of ban/unban for the restored tickets, `norestored = true`
  could be added in definition section of action.
  For conditional usage in the shell-based actions an interpolation `<restored>`
  could be used also. E. g. it is enough to add the following script-piece at the beginning
  of `actionban` (or `actionunban`) to prevent execution:
  `if [ '<restored>' = '1' ]; then exit 0; fi;`
  Several actions extended now using `norestored` option:
  - complain.conf
  - dshield.conf
  - mail-buffered.conf
  - mail-whois-lines.conf
  - mail-whois.conf
  - mail.conf
  - sendmail-buffered.conf
  - sendmail-geoip-lines.conf
  - sendmail-whois-ipjailmatches.conf
  - sendmail-whois-ipmatches.conf
  - sendmail-whois-lines.conf
  - sendmail-whois-matches.conf
  - sendmail-whois.conf
  - sendmail.conf
  - smtp.py
  - xarf-login-attack.conf
* fail2ban-testcases:
  - `assertLogged` extended with parameter wait (to wait up to specified timeout,
    before we throw assert exception) + test cases rewritten using that
  - added `assertDictEqual` for compatibility to early python versions (< 2.7);
  - new `with_foreground_server_thread` decorator to test several client/server commands
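
The str2seconds enhancement in the list above lets time-valued options be written as `1h` or `1d` instead of raw seconds. The parser below is an added example of that conversion, not fail2ban's own `str2seconds`; the set of accepted unit names and the `normalize_jail_times` helper are assumptions of this example (only `bantime` and `findtime` are the real jail option names):

```python
"""Added example, not fail2ban's own str2seconds: parse time values such as
`1h`, `1d`, `30m`, `1d 12h` or plain `3600` from configuration into seconds.
The accepted unit names are an assumption of this example."""
import re

# Multiplier per unit name (assumed set; fail2ban's may differ).
_UNITS = {
    "": 1, "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}
# One "number[unit]" token with optional surrounding whitespace.
_TOKEN = re.compile(r"\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*")


def str2seconds(value):
    """Return the number of seconds expressed by `value`.

    Numbers pass through unchanged; strings may chain several tokens
    ("1d 12h", "1h30m") and may carry a leading '-' (bantime = -1 is the
    usual 'permanent' spelling). Unknown units or leftover text raise
    ValueError: a misspelt bantime must not silently become 0 or some
    unrelated number."""
    if isinstance(value, (int, float)):
        return value
    text = value.strip()
    sign = 1
    if text.startswith("-"):
        sign, text = -1, text[1:].lstrip()
    if not text:
        raise ValueError("empty time value")
    total = 0.0
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError("invalid time value: %r" % (value,))
        number, unit = m.group(1), m.group(2).lower()
        if unit not in _UNITS:
            raise ValueError("unknown time unit %r in %r" % (unit, value))
        total += float(number) * _UNITS[unit]
        pos = m.end()
    total *= sign
    return int(total) if total.is_integer() else total


def normalize_jail_times(options):
    """Apply str2seconds to the time-valued jail options and leave the rest
    untouched, the way a config reader would before handing the values to
    the server. Hypothetical helper; bantime/findtime are the jail.conf names."""
    out = dict(options)
    for key in ("bantime", "findtime"):
        if key in out:
            out[key] = str2seconds(out[key])
    return out


if __name__ == "__main__":
    print(str2seconds("1h"), str2seconds("1d"), str2seconds("1d 12h"))
    print(normalize_jail_times({"bantime": "1h", "findtime": "10m", "maxretry": "5"}))
```

Rejecting unknown units instead of ignoring them is the important design choice: a value like `1hr` that quietly parsed as `1` would shrink a one-hour ban to one second without any visible error.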
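
The seekToTime enhancement in the list above avoids reading a large log from the start by bisecting on byte offsets to find the first line at or after the start time. The block below is an added example of that half-interval search and not fail2ban's `seekToTime`; the ISO-timestamp log format, the sshd-style sample lines and the temporary file are constructed for the demonstration. It also covers the edge cases a real log brings: lines without a date (continuation lines) and a start time before or after every line:

```python
# Added example, not fail2ban's seekToTime: find the first log line at or
# after a start time by bisecting on byte offsets instead of reading the
# whole file. Log format and sample lines are constructed for the demo.
import os
import re
import tempfile
from datetime import datetime, timedelta

_TS = re.compile(rb"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")  # constructed format


def parse_time(line):
    """datetime of a dated log line, None for continuation/garbage lines."""
    m = _TS.match(line)
    return None if not m else datetime.strptime(m.group(1).decode(), "%Y-%m-%dT%H:%M:%S")


def seek_to_time(fh, target):
    """Seek binary file `fh` to the first line with time >= target and return
    that offset (file size if all lines are older). Assumes timestamps are
    non-decreasing, as in a normally written log."""
    size = fh.seek(0, os.SEEK_END)
    lo, hi = 0, size                    # answer offset lies in [lo, hi]
    while lo < hi:
        mid = (lo + hi) // 2
        fh.seek(mid)
        if mid > 0:                     # landed mid-line: drop the partial line
            fh.seek(mid - 1)
            if fh.read(1) != b"\n":
                fh.readline()
        pos, t = fh.tell(), None        # pos: first full line at/after mid
        while pos < hi:                 # read on past undated lines
            line = fh.readline()
            if not line:
                break
            t = parse_time(line)
            if t is not None:
                break
            pos = fh.tell()
        if t is None:
            hi = mid                    # nothing decidable in [mid, hi): go left
        elif t < target:
            lo = fh.tell()              # this line and all before it are too old
        else:
            hi = pos                    # dated line at pos qualifies: go left
    fh.seek(lo)                         # short forward scan settles the rest
    while True:
        pos = fh.tell()
        line = fh.readline()
        if not line:
            return size
        t = parse_time(line)
        if t is not None and t >= target:
            fh.seek(pos)
            return pos


def linear_seek(fh, target):
    """Reference: read from the start, which is what seekToTime avoids."""
    fh.seek(0)
    while True:
        pos, line = fh.tell(), fh.readline()
        if not line:
            return pos
        t = parse_time(line)
        if t is not None and t >= target:
            return pos


def build_sample_log(path, n, base):
    """n constructed sshd-style lines one minute apart plus an undated
    continuation line every 97 lines."""
    with open(path, "wb") as fh:
        for i in range(n):
            ts = (base + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%S")
            fh.write(b"%s sshd[%d]: Failed password for invalid user test from "
                     b"192.0.2.%d port 22 ssh2\n" % (ts.encode(), 1000 + i, i % 256))
            if i % 97 == 0:
                fh.write(b"    continuation line without a date\n")


def demo(minutes=10, seconds=0, n=2000):
    """Build a sample log, return the first line found for base+minutes+seconds
    and whether bisection agreed with the linear scan on several targets."""
    base = datetime(2017, 1, 1)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        build_sample_log(path, n, base)
        probes = [base - timedelta(days=1), base, base + timedelta(minutes=1),
                  base + timedelta(minutes=n // 2, seconds=30),
                  base + timedelta(minutes=n - 1), base + timedelta(days=30)]
        with open(path, "rb") as fh:
            agrees = all(seek_to_time(fh, t) == linear_seek(fh, t) for t in probes)
            seek_to_time(fh, base + timedelta(minutes=minutes, seconds=seconds))
            return fh.readline().decode(), agrees


if __name__ == "__main__":
    print(demo(10))
```

The bisection only needs `lo` never to pass the answer; the final forward scan from `lo` then handles the few positions the halving cannot decide (undated lines at the boundary, the last line of the file), so the result is exact while the number of reads stays logarithmic in the file size.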


ver. 0.9.8 (2016/XX/XXX) - wanna-be-released
-----------

0.9.x line is no longer heavily developed. If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.

### Fixes
* Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991.
  Partially back-ported from v.0.10.
* action.d/bsd-ipfw.conf
  - Make the rule number, from which the action starts looking for a free slot to insert
    the new rule, configurable (gh-1689)
  - Replace non-posix-compliant grep option: fgrep with `-q` option can cause
    141 exit code in some cases (gh-1389)
* filter.d/apache-overflows.conf:
  - Fixes resource-greedy expression (see gh-1790);
  - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
* filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
* filter.d/asterisk.conf
  - fixed failregex AMI Asterisk authentication failed (see gh-1302)
  - removed invalid (vulnerable) regex blocking IPs using foreign data (from header "from"),
    thus not the IP-address that really originates the request (see gh-1927)
  - fixed failregex for the SQL-injection attempts with single-quotes in connect-string (see gh-2011)
* filter.d/dovecot.conf:
  - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
  - extended to match pam_authenticate failures with "Permission denied" (gh-1897)
* filter.d/exim.conf
  - fixed failregex for case of flood attempts with `D=0s` (gh-1887)
  - fixed failregex of "AUTH command used when not advertised" to better handle the foreign
    input SMTP command (lower/mixed case auth command, prevent injection) (gh-1979)
* filter.d/postfix-*.conf - added optional port regex (gh-1902)
* filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
* filter.d/nginx-http-auth.conf - match usernames with spaces (gh-2015)

### New Features

### Enhancements
* action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
* action.d/firewallcmd-ipset.conf - new parameter `actiontype`, provides `allports` capability (gh-1167)
* filter.d/kerio.conf - filter extended with new rules (see gh-1455)
* filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
* filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376)


ver. 0.9.7 (2017/05/11) - awaiting-victory
-----------

### Fixes
* Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
* filter.d/sshd.conf
  - Fixed non-anchored part of failregex (misleading match of colon inside
    IPv6 address instead of `: ` in the reason-part by missing space, gh-1658)
    (0.10th resp. IPv6 relevant only, amend for gh-1479)
* config/pathes-freebsd.conf
  - Fixed filenames for apache and nginx log files (gh-1667)
* filter.d/exim.conf
  - optional part `(...)` after host-name before `[IP]` (gh-1751)
  - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
  - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh-1766)
* filter.d/sshd.conf
  - new aggressive rules (gh-864):
    - Connection reset by peer (multi-line rule during authorization process)
    - No supported authentication methods available
  - single line and multi-line expression optimized, added optional prefixes
    and suffix (logged from several ssh versions), according to gh-1206;
  - fixed expression received disconnect auth fail (optional space after port
    part, gh-1652)
* filter.d/suhosin.conf
  - greedy catch-all before `<HOST>` fixed (potential vulnerability)
* filter.d/cyrus-imap.conf
  - accept entries without login-info resp. hostname before IP address (gh-1707)
* Filter tests extended with a check of all config-regexps that contain a greedy catch-all
  before `<HOST>`: such a regex must be hard-anchored at the end or have a precise sub expression after `<HOST>`

### New Features
* New Actions:
  - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)

* New Filters:
  - filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)

### Enhancements
* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)


ver. 0.9.6 (2016/12/10) - stretch-is-coming
-----------

### Fixes
* Misleading add resp. enable of (already available) jail in database, that
  induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
  (e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version,
  uses "fail2ban-python" now);
* Fixed test case "testSetupInstallRoot" for non-default python version (also
  using direct call, out of virtualenv);
* Fixed ambiguous wrongly recognized date pattern resp. its optional parts (see gh-1512);
* FIPS compliant, use sha1 instead of md5 if it is not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/apache-modsecurity.conf`
  - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
    replaced for safer match, unneeded catch-all anchoring removed, non-capturing
* `filter.d/asterisk.conf`
  - Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/dovecot.conf`
  - Fixed failregex ignores failures through some not relevant info (gh-1623)
* `filter.d/ignorecommands/apache-fakegooglebot`
  - Fixed error within apache-fakegooglebot, that will be called
    with wrong python version (gh-1506)
* `filter.d/assp.conf`
  - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf`
  - Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf`
  - Optional reason part in message after FAIL LOGIN (gh-1543)
* `filter.d/sendmail-reject.conf`
  - removed mandatory double space (if dns-host available, gh-1579)
* filter.d/sshd.conf
  - recognized "Failed publickey for" (gh-1477);
  - optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
  - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
  - optional port part after host (see gh-1533, gh-1581)

### New Features
* New Actions:
  - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
* New Filters:
  - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
    (gh-1586, gh-1606 and gh-1607)

### Enhancements
* DateTemplate regexp extended with the word-end boundary, additionally to
  word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to
  the python executable where fail2ban is currently installed (resp. its modules are located):
  - allows to use the same version fail2ban is currently running, e.g. in
    external scripts just by replacing python with fail2ban-python:
    ```diff
    -#!/usr/bin/env python
    +#!/usr/bin/env fail2ban-python
    ```
  - always the same pickle protocol
  - the same (and also guaranteed available) fail2ban modules
  - simplified stand-alone install, resp. stand-alone installation possibility
    via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
  Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
  are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
  examples:
  - `backend = systemd[journalpath=/run/log/journal/machine-1]`
  - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
  - `backend = systemd[journalflags=2]`


ver. 0.9.5 (2016/07/15) - old-not-obsolete
-----------

### Fixes
* `filter.d/monit.conf`
  - Extended failregex with new monit "access denied" version (gh-1355)
  - failregex of previous monit version merged as single expression
* `filter.d/postfix.conf`, `filter.d/postfix-sasl.conf`
  - Extended failregex daemon part, matching also `postfix/smtps/smtpd`
    now (gh-1391)
* Fixed a grave bug within tags substitutions because of incorrect
  detection of recursion in case of multiple inline substitutions
  of the same tag (affected actions: `bsd-ipfw`, etc). Now tracks
  the actual list of the already substituted tags (per tag instead
  of single list)
* `filter.d/common.conf`
  - Unexpected extra regex-space in generic `__prefix_line` (gh-1405)
  - All optional spaces normalized in `common.conf`, test covered now
  - Generic `__prefix_line` extended with optional brackets for the
    date ambit (gh-1421), added new parameter `__date_ambit`
* `gentoo-initd` fixed `--pidfile` bug: `--pidfile` is an option of
  `start-stop-daemon`, not an argument of fail2ban (see gh-1434)
* `filter.d/asterisk.conf`
  - Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
  - Improved log support for PJSIP and Asterisk 13+ with different
    callID (gh-1458)

### New Features
* New Actions:
  - `action.d/firewallcmd-rich-rules` and `action.d/firewallcmd-rich-logging`
    (gh-1367)
* New filters:
  - slapd - ban hosts that failed to connect with invalid
    credentials: error code 49 (gh-1478)


### Enhancements
* Extreme speedup of all sqlite database operations (gh-1436),
  by using the following sqlite options:
  - (synchronous = OFF) write data through OS without syncing
  - (journal_mode = MEMORY) use memory for the transaction logging
  - (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh-1362)
* Added additional regex filter for dovecot ldap authentication failures (gh-1370)
* `filter.d/exim*conf`
  - Added additional regexes (gh-1371)
  - Made port entry optional


ver. 0.9.4 (2016/03/08) - for-you-ladies
-----------

### Fixes
* `roundcube-auth` jail typo for logpath
* Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
* `filter.d/apache-badbots.conf`
  - Updated useragent string regex adding escape for `+`
* `filter.d/mysqld-auth.conf`
  - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
* `filter.d/sshd.conf`
  - Updated "Auth fail" regex for OpenSSH 5.9 and later
* Treat failed and killed execution of commands identically (only
  different log messages), which addresses different behavior on different
  exit codes of dash and bash (gh-1155)
* Fix jail.conf.5 man's section (gh-1226)
* Fixed default banaction for allports jails like pam-generic, recidive, etc
  with new default variable `banaction_allports` (gh-1216)
* Fixed `fail2ban-regex` stops working on invalid (wrongly encoded) character
  for python version < 3.x (gh-1248)
* Use postfix_log logpath for postfix-rbl jail
* `filters.d/postfix.conf` - add 'Sender address rejected: Domain not found' failregex
* use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
* Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
* Changed `filter.d/asterisk` regex for "Call from ..." (less vulnerable now)
* Removed compression and rotation count from logrotate (inherit them from
  the global logrotate config)

### New Features
* New interpolation feature for definition config readers - `<known/parameter>`
  (means last known init definition of filters or actions with name `parameter`).
  This interpolation makes it possible to extend parameters of a stock filter or
  action directly in a jail inside the jail.local file, without creating a separate
  `filter.d/*.local` file.
  As extension to interpolation `%(known/parameter)s`, which does not work for
  filter and action init parameters
* New actions:
  - `nftables-multiport` and `nftables-allports` - filtering using nftables
    framework. Note: it requires a pre-existing chain for the filtering rule.
* New filters:
  - `openhab` - domotic software authentication failure with the
    rest api and web interface (gh-1223)
  - `nginx-limit-req` - ban hosts that failed through nginx by limit
    request processing rate (ngx_http_limit_req_module)
  - `murmur` - ban hosts that repeatedly attempt to connect to
    murmur/mumble-server with an invalid server password or certificate.
  - `haproxy-http-auth` - filter to match failed HTTP Authentications against a
    HAProxy server
* New jails:
  - `murmur` - bans TCP and UDP from the bad host on the default murmur port.
* `sshd` filter got new failregex to match "maximum authentication
  attempts exceeded" (introduced in openssh 6.8)
* Added filter for Mac OS screen sharing (VNC) daemon

### Enhancements
* Do not rotate empty log files
* Added new date pattern with year after day (e.g. `Sun Jan 23 2005 21:59:59`)
  http://bugs.debian.org/798923
* Added openSUSE path configuration (Thanks Johannes Weberhofer)
* Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
* Added a timeout (3 sec) to urlopen within badips.py action
  (Thanks M. Maraun)
* Added check against attacker's Googlebot PTR fake records
  (Thanks Pablo Rodriguez Fernandez)
* Enhance filter against attacker's Googlebot PTR fake records
  (gh-1226)
* Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
* Added filter for openhab domotic software authentication failure with the
  rest api and web interface (gh-1223)
* Add `*_backend` options for services to allow distros to set the default
  backend per service, set default to systemd for Fedora as appropriate
* Performance improvements while monitoring large number of files (gh-1265).
  Use associative array (dict) for monitored log files to speed up lookup
  operations. Thanks @kshetragia
* Specified that fail2ban is PartOf iptables.service `firewalld.service` in
  `.service` file -- would reload fail2ban if those services are restarted
* Provides new default `fail2ban_version` and interpolation variable
  `fail2ban_agent` in jail.conf
* Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
  and to support multiple instances of postfix having varying suffix (gh-1331)
  (Thanks Tom Hendrikx)
* `files/gentoo-initd` to use `start-stop-daemon` to robustify restarting the service


ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
----------

### IMPORTANT incompatible changes
* `filter.d/roundcube-auth.conf`
  - Changed logpath to 'errors' log (was 'userlogins')
* `action.d/iptables-common.conf`
  - All calls to iptables command now use -w switch introduced in
    iptables 1.4.20 (some distribution could have patched their
    earlier base version as well) to provide this locking mechanism
    useful under heavy load to avoid contesting on iptables calls.
    If you need to disable, define `action.d/iptables-common.local`
    with empty value for 'lockingopt' in `[Init]` section.
* `mail-whois-lines`, `sendmail-geoip-lines` and `sendmail-whois-lines`
  actions now include by default only the first 1000 log lines in
  the emails. Adjust `<grepopts>` to augment the behavior.

### Fixes
* reload in interactive mode appends all the jails twice (gh-825)
* reload server/jail failed if database used (but was not changed) and
  some jail active (gh-1072)
* `filter.d/dovecot.conf` - also match unknown user in passwd-file.
  Thanks Anton Shestakov
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
* `filter.d/asterisk.conf` - fix security log support for Asterisk 12+
* `filter.d/roundcube-auth.conf`
  - Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
  - Added regex to work with 'userlogins' log
* `action.d/sendmail*.conf` - use LC_ALL (superseding LC_TIME) to override
  locale on systems with customized LC_ALL
* performance fix: minimizes connection overhead, close socket only at
  communication end (gh-1099)
* unbanip always deletes ip from database (independent of bantime, also if
  currently not banned or persistent)
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
* always set 'dbfile' before other database options (gh-1050)
* kill the entire process group of the child process upon timeout (gh-1129).
  Otherwise this could lead to resource exhaustion due to hanging whois
  processes.
* resolve `/var/run/fail2ban` path in setup.py to help installation
  on platforms with `/var/run` -> /run symlink (gh-1142)
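
The gh-1129 fix in the list above (kill the whole process group on timeout, not just the shell) is worth seeing in code: an action command typically runs through a shell that spawns helpers such as whois, and killing only the shell leaves those helpers running. This block is an added example, not fail2ban's executeCmd/utils implementation; the commands and timeouts are constructed for the demonstration and it relies on POSIX sessions and process groups:

```python
"""Added example (not fail2ban's executeCmd/utils code): run a shell command
with a timeout and, when it expires, kill the whole process group rather
than only the shell, so helper processes it spawned (whois, etc.) cannot
linger and exhaust resources. POSIX only."""
import os
import signal
import subprocess
import time


def run_with_timeout(cmd, timeout, grace=1.0):
    """Run `cmd` via /bin/sh in a new session, so it owns its process group.

    Returns (status, returncode, seconds): status is "exited" when the
    command finished in time and "timeout" when its group had to be killed.
    A killed command reports a negative returncode (the signal number)."""
    start = time.monotonic()
    proc = subprocess.Popen(cmd, shell=True, start_new_session=True,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        proc.wait(timeout=timeout)
        return ("exited", proc.returncode, time.monotonic() - start)
    except subprocess.TimeoutExpired:
        pgid = os.getpgid(proc.pid)       # == proc.pid thanks to start_new_session
        os.killpg(pgid, signal.SIGTERM)   # TERM the shell and everything it spawned
        try:
            proc.wait(timeout=grace)
        except subprocess.TimeoutExpired:
            os.killpg(pgid, signal.SIGKILL)  # no clean exit within the grace period
            proc.wait()
        return ("timeout", proc.returncode, time.monotonic() - start)


def group_is_gone(pgid, wait=2.0):
    """True once no process of the group exists any more (signal 0 only probes).
    Orphaned grandchildren are reaped by init asynchronously, hence the polling."""
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        try:
            os.killpg(pgid, 0)
        except ProcessLookupError:
            return True
        time.sleep(0.05)
    return False


if __name__ == "__main__":
    print(run_with_timeout("exit 3", timeout=5))
    # The backgrounded sleep would outlive a plain proc.kill() of the shell;
    # the group kill reaches it as well (constructed stand-in for a hung whois).
    print(run_with_timeout("sleep 30 & sleep 30", timeout=0.5))
```

The key is `start_new_session=True`: it puts the shell into a fresh session and process group, so `os.killpg` addresses exactly the command and its descendants and nothing else (in particular not the calling daemon's own group). Matching the 0.9.4 note that failed and killed executions are treated alike, the caller only needs the status and return code, not which of the two happened.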

### New Features
* RETURN iptables target is now a variable: `<returntype>`
* New type of operation: pass2allow, use fail2ban for "knocking",
  opening a closed port by swapping blocktype and returntype
* New filters:
  - froxlor-auth - Thanks Joern Muehlencord
  - apache-pass - filter Apache access log for successful authentication
* New actions:
  - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
    manual pre-configuration of the shorewall. See the action file for detail.
* New jails:
  - pass2allow-ftp - allows FTP traffic after successful HTTP authentication

### Enhancements
* `action.d/cloudflare.conf` - improved documentation on how to allow
  multiple CF accounts, and jail.conf got new compound action
  definition action_cf_mwl to submit cloudflare report.
* Check access to socket for more detailed logging on error (gh-595)
* fail2ban-testcases man page
* `filter.d/apache-badbots.conf`, `filter.d/nginx-botsearch.conf` - add
  HEAD method verb
* Revamp of Travis and coverage automated testing
* Added a space between IP address and the following colon
  in notification emails for easier text selection
* Character detection heuristics for whois output via optional setting
  in mail-whois*.conf. Thanks Thomas Mayer.
  Not enabled by default; if _whois_command is set to
  %(_whois_convert_charset)s (e.g. in `action.d/mail-whois-common.local`),
  it
  - detects character set of whois output (which is undefined by
    RFC 3912) via heuristics of the file command
  - converts whois data to UTF-8 character set with iconv
  - sends the whois output in UTF-8 character set to mail program
  - avoids that heirloom mailx creates binary attachment for input with
    unknown character set


ver. 0.9.2 (2015/04/29) - better-quick-now-than-later
----------

### Fixes
* Fix ufw action commands
* infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
  Thanks TonyThompson
* port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
  (fnerdwq)
* $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
* grep'ing for IP in *mail-whois-lines.conf should now match also
  at the beginning and EOL. Thanks Dean Lee
* `jail.conf`
  - `php-url-fopen`: separate logpath entries by newline
* failregex declared directly in jail was joined to single line (specifying of
  multiple expressions was not possible).
* `filters.d/exim.conf` - cover different settings of exim logs
  details. Thanks bes.internal
* `filter.d/postfix-sasl.conf` - failregex is now case insensitive
* `filters.d/postfix.conf` - add 'Client host rejected error message' failregex
* `fail2ban/__init__.py` - add strptime thread safety hack-around
* recidive uses `iptables-allports` banaction by default now.
  Avoids problems with iptables versions not understanding 'all' for
  protocols and ports
* `filter.d/dovecot.conf`
  - match pam_authenticate line from EL7
  - match unknown user line from EL7
* Use `use_poll=True` for Python 2.7 and >=3.4 to overcome "Bad file
  descriptor" msgs issue (gh-161)
* `filter.d/postfix-sasl.conf` - tweak failregex and add ignoreregex to ignore
  system authentication issues
* fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
  (gh-954)
* firewallcmd-* actions: split output into separate lines for grepping (gh-908)
* Guard unicode encode/decode issues while storing records in the database.
  Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
  for reporting
* `filter.d/sshd` added regex for matching openSUSE ssh authentication failure
* `filter.d/asterisk.conf`:
  - Dropped "Sending fake auth rejection" failregex since it incorrectly
    targets the asterisk server itself
  - match "hacking attempt detected" logs

### New Features
* New filters:
  - postfix-rbl Thanks Lee Clemens
  - apache-fakegooglebot.conf Thanks Lee Clemens
  - nginx-botsearch Thanks Frantisek Sumsal
  - drupal-auth Thanks Lee Clemens
* New recursive embedded substitution feature added:
  - `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
  - `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
* New interpolation feature for config readers - `%(known/parameter)s`.
  (means last known option with name `parameter`). This interpolation makes it
  possible to extend a stock filter or jail regexp in .local file
  (opposite to simply setting failregex/ignoreregex, which overwrites it),
  see gh-867.
* Monit config for fail2ban in `files/monit/`
* New actions:
  - `action.d/firewallcmd-multiport` and `action.d/firewallcmd-allports` Thanks Donald Yandt
  - `action.d/sendmail-geoip-lines.conf`
  - `action.d/nsupdate` to update DNSBL. Thanks Andrew St. Jean
* New status argument for fail2ban-client -- flavor:
  `fail2ban-client status <jail> [flavor]`
  - empty or "basic" works as-is
  - "cymru" additionally prints (ASN, Country RIR) per banned IP
    (requires dnspython or dnspython3)
* Flush log at USR1 signal
|
|
|
|
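The two configuration features listed above, recursive embedded tags such as `<<PREF>HOST>` and `%(known/parameter)s` interpolation in a `.local` overlay, are easier to see in a small model of the substitution logic. The following is an added example, not fail2ban's own config reader: it implements the semantics the entries describe with a stand-in `<HOST>` pattern and constructed stock/overlay sections. The section contents, the sample log lines, the `HOST_TAG` approximation and every function name are assumptions made for the illustration.

```python
import re

# Constructed stand-ins for a stock filter's [Definition] section and its
# .local overlay (not fail2ban's real files). The overlay uses
# %(known/failregex)s to *append* a second expression to the stock one.
STOCK_DEFINITION = {
    "failregex": r"^auth failure for \S+ from <HOST>$",
}
LOCAL_OVERLAY = {
    "failregex": "%(known/failregex)s\n" + r"^invalid user \S+ from <HOST>$",
}

# Stand-in for the <HOST> tag: it must end with an alphanumeric (the rule
# introduced in 0.8.11), so trailing punctuation is never captured.
HOST_TAG = r"(?P<host>[\w\-.^_]*\w)"

TAG_RE = re.compile(r"<([A-Za-z0-9_]+)>")
KNOWN_RE = re.compile(r"%\(known/([A-Za-z0-9_]+)\)s")


def substitute_tags(text, tags, max_passes=20):
    """Resolve <TAG> references recursively, innermost first.

    Each pass replaces every tag that has a value and leaves unknown tags
    untouched; passes repeat until nothing changes, so
    <<PREF>HOST> -> <IPV4HOST> -> 1.2.3.4. The pass limit turns a cyclic
    definition (A -> <B>, B -> <A>) into an error instead of a hang.
    """
    for _ in range(max_passes):
        new = TAG_RE.sub(lambda m: str(tags.get(m.group(1), m.group(0))), text)
        if new == text:
            return text
        text = new
    raise ValueError("tag substitution did not converge (cyclic definition?)")


def resolve_prefixed_host(pref, prefixed_host=None):
    """The two cases listed in the changelog for the embedded tag <<PREF>HOST>."""
    tags = {"PREF": pref}
    if prefixed_host is not None:
        tags[pref + "HOST"] = prefixed_host
    return substitute_tags("<<PREF>HOST>", tags)


def merge_with_known(stock, local):
    """Apply a .local overlay to a stock section.

    %(known/option)s in the overlay expands to the stock value of that option
    (its last known value), so the overlay extends a multi-line failregex
    instead of replacing it.
    """
    merged = dict(stock)
    for key, value in local.items():
        merged[key] = KNOWN_RE.sub(lambda m: stock.get(m.group(1), ""), value)
    return merged


def compile_failregex(section, tags):
    """Expand tags in each line of a multi-line failregex and compile it."""
    return [re.compile(substitute_tags(line, tags))
            for line in section["failregex"].splitlines() if line.strip()]


def extract_host(patterns, logline):
    """Host captured by the first matching failregex, or None."""
    for pattern in patterns:
        m = pattern.search(logline)
        if m:
            return m.group("host")
    return None


def demo():
    merged = merge_with_known(STOCK_DEFINITION, LOCAL_OVERLAY)
    patterns = compile_failregex(merged, {"HOST": HOST_TAG})
    # Constructed log lines: the first matches the stock expression, the
    # second the one added by the overlay, the third neither.
    return [extract_host(patterns, line) for line in (
        "auth failure for bob from 203.0.113.7",
        "invalid user admin from 198.51.100.9",
        "connection closed by 192.0.2.1",
    )]


if __name__ == "__main__":
    print(resolve_prefixed_host("IPV4"))             # <IPV4HOST>
    print(resolve_prefixed_host("IPV4", "1.2.3.4"))  # 1.2.3.4
    print(demo())  # ['203.0.113.7', '198.51.100.9', None]
```

The point of resolving tags to a fixpoint rather than in a single pass is that a tag value may itself contain tags, which is exactly what `<<PREF>HOST>` relies on; the pass limit is what keeps a mistyped cyclic definition from hanging the config reader. With `%(known/failregex)s` the overlay keeps the stock expression as its first line and adds one of its own, so the stock one still fires for the first sample line.
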
### Enhancements
* Enable multiport for firewallcmd-new action. Closes gh-834
* files/debian-initd migrated from the debian branch and should be
  suitable for manual installations now (thanks Juan Karlo de Guzman)
* Define empty ignoreregex in filters which didn't have it to avoid
  warnings (gh-934)
* `action.d/{sendmail-*,xarf-login-attack}.conf` - report local
  timezone not UTC time/zone. Closes gh-911
* Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
* Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
* Added syslogsocket configuration to fail2ban.conf
* Note in the `jail.conf` for the recidive jail to increase dbpurgeage (gh-964)


ver. 0.9.1 (2014/10/29) - better, faster, stronger
----------

### Refactoring (IMPORTANT -- Please review your setup and configuration)
* `iptables-common.conf` replaced `iptables-blocktype.conf`
  (`iptables-blocktype.local` should still be read) and now also
  provides defaults for the chain, port, protocol and name tags

### Fixes
* start of fail2ban aborted (on slow hosts, systemd considers the server to
  have timed out and kills it), see gh-824
* UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
* systemd backend error on bad utf-8 in python3
* badips.py action error when logging HTTP error raised with badips request
* fail2ban-regex failed to work in python3 due to space/tab mix
* recidive regex samples incorrect log level
* journalmatch for recidive incorrect PRIORITY
* loglevel couldn't be changed in fail2ban.conf
* Handle case when no sqlite library is available for persistent database
* Only reban once per IP from database on fail2ban restart
* Nginx filter to support missing server_name. Closes gh-676
* fail2ban-regex assertion error caused by miscount missed lines with
  multiline regex
* Fix actions failing to execute for Python 3.4.0. Workaround for
  http://bugs.python.org/issue21207
* Database now returns persistent bans on restart (bantime < 0)
* Recursive action tags now fully processed. Fixes issue with bsd-ipfw
  action
* Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
  Thanks Serg G. Brester
* Correct times for non-timezone date times formats during DST
* Pass a copy of, not original, aInfo into actions to avoid side-effects
* Per-distribution paths to the exim's main log
* Ignored IPs are no longer banned when being restored from persistent
  database
* Manually unbanned IPs are now removed from persistent database, so that they
  won't be banned again when Fail2Ban is restarted
* Pass "bantime" parameter to the actions in default jail's action
  definition(s)
* `filter.d/sieve.conf` - fixed typo in _daemon. Thanks Jisoo Park
* cyrus-imap -- also catch failed logins via secured (imaps/pop3s).
  Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
  Debian bug #755173
* postfix-sasl - added journalmatch. Thanks Luc Maisonobe
* postfix* - match with a new daemon string (postfix/submission/smtpd).
  Closes gh-804. Thanks Paul Traina
* apache - added filter for AH01630 client denied by server configuration.

### New Features
* New filters:
  - monit Thanks Jason H Martin
  - directadmin Thanks niorg
  - apache-shellshock Thanks Eugene Hopkinson (SlowRiot)
* New actions:
  - symbiosis-blacklist-allports for Bytemark symbiosis firewall
  - fail2ban-client can fetch the running server version
  - Added Cloudflare API action

### Enhancements
* Start performance of fail2ban-client (and tests) increased, start time
  and cpu usage rapidly reduced. Introduced a shared storage logic, to
  bypass reading lots of config files (see gh-824).
  Thanks to Joost Molenaar for good catch (reported gh-820).
* Fail2ban-regex - add print-all-matched option. Closes gh-652
* Suppress fail2ban-client warnings for non-critical config options
* Match non "Bye Bye" disconnect messages for sshd locked account regex
* courier-smtp filter:
  - match lines with user names
  - match lines containing "535 Authentication failed" attempts
* Add `<chain>` tag to iptables-ipsets
* Realign fail2ban log output with white space to improve readability. Does
  not affect SYSLOG output
* Log unhandled exceptions
* cyrus-imap: catch "user not found" attempts
* Add support for Portsentry


ver. 0.9.0 (2014/03/14) - beta
----------

Carries all fixes, features and enhancements from 0.8.13 (unreleased) with
major changes.

The minimum supported python version is now 2.6. If you have python-2.4 or 2.5
you can use the 0.8.12 version of fail2ban.

Please take note of release notes:
https://github.com/fail2ban/fail2ban/releases/tag/0.9.0

Please test your configuration before relying on it.

Nearly all development is thanks to Steven Hiscocks (THANKS!), merging,
testcases and timezone support from Daniel Black, and code-review and minor
additions from Yaroslav Halchenko.

### Refactoring (IMPORTANT -- Please review your setup and configuration):
* [..bddbf1e] jail.conf was heavily refactored and now is similar
  to how it looked on Debian systems:
  - default action could be configured once for all jails
  - jails definitions only provide customizations (port, logpath)
  - no need to specify 'filter' if name matches jail name
* [..5aef036] Core functionality moved into fail2ban/ module.
  Closes gh-26
  - tests included in module to aid testing and debugging
* Added fail2ban persistent database
  - default location at `/var/lib/fail2ban/fail2ban.sqlite3`
  - allows active bans to be reinstated on restart
  - log files read from last position after restart
* Added systemd journal backend
  - Dependency on python-systemd
  - New "journalmatch" option added to filter configs files
  - New "systemd-journal" option added to fail2ban-regex
* Added python3 support
* Support for %z (timezone offset) and %f (sub-seconds) in the
  datedetector. Existing date/time patterns have been updated to
  support these. ISO8601 now defaults to localtime unless specified otherwise.
  Some filters have been changed as required to capture these elements in the
  right timezone correctly.
* Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
  - Log level INFO is now more verbose
* Optionally can read log files starting from "head" or "tail".
  - See "logpath" option in jail.conf(5) man page.
* Can now set log encoding for files per jail.
  - Default uses systemd locale.

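The persistent database introduced here carries a set of rules that the 0.9.1 fixes further up spell out: active bans are reinstated on restart, a ban with `bantime < 0` is permanent, a manually unbanned address must not come back, an address that is now in the jail's ignore list must not be reinstated, and each IP is rebanned at most once. The following is an added example in Python that models those rules; it is not fail2ban's own code and not its real `fail2ban.sqlite3` schema. The table layout, the function names, the jail name, the addresses and the fake clock are assumptions constructed for the illustration.

```python
import sqlite3

# Constructed schema for the illustration, not fail2ban's real sqlite3 layout:
# one row per (jail, ip) holding when the ban was set and its length in
# seconds; bantime < 0 means the ban is permanent.
SCHEMA = """
CREATE TABLE bans (
    jail      TEXT    NOT NULL,
    ip        TEXT    NOT NULL,
    timeofban INTEGER NOT NULL,
    bantime   INTEGER NOT NULL,
    PRIMARY KEY (jail, ip)
)
"""


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def record_ban(db, jail, ip, bantime, now):
    """INSERT OR REPLACE keyed on (jail, ip): rebanning an address updates
    its row, so a restart never re-applies the same IP twice."""
    db.execute("INSERT OR REPLACE INTO bans VALUES (?, ?, ?, ?)",
               (jail, ip, int(now), int(bantime)))
    db.commit()


def record_unban(db, jail, ip):
    """A manual unban must also delete the row; otherwise the address would
    come back with the next restart."""
    db.execute("DELETE FROM bans WHERE jail = ? AND ip = ?", (jail, ip))
    db.commit()


def purge_expired(db, now):
    """Drop rows whose bans have run out. Permanent bans are never purged.
    Returns the number of rows removed."""
    cur = db.execute(
        "DELETE FROM bans WHERE bantime >= 0 AND timeofban + bantime <= ?",
        (int(now),))
    db.commit()
    return cur.rowcount


def bans_to_restore(db, jail, now, ignoreip=()):
    """Bans to re-apply when the jail starts: still active (permanent, or
    not yet expired) and not in the jail's current ignore list.

    Returns (ip, remaining_seconds) pairs; remaining is -1 for permanent bans.
    """
    restored = []
    rows = db.execute(
        "SELECT ip, timeofban, bantime FROM bans WHERE jail = ? ORDER BY ip",
        (jail,))
    for ip, timeofban, bantime in rows:
        if ip in ignoreip:
            continue
        if bantime < 0:
            restored.append((ip, -1))
        elif timeofban + bantime > now:
            restored.append((ip, timeofban + bantime - now))
    return restored


def demo():
    """Walk through the cases with constructed addresses and a fake clock."""
    db = open_db()
    t0 = 1_000_000
    record_ban(db, "sshd", "203.0.113.7", 600, t0)         # expires t0+600 ...
    record_ban(db, "sshd", "203.0.113.7", 600, t0 + 100)   # ... rebanned: t0+700
    record_ban(db, "sshd", "198.51.100.9", -1, t0)         # permanent
    record_ban(db, "sshd", "192.0.2.1", 600, t0)           # manually unbanned below
    record_ban(db, "sshd", "192.0.2.2", 3600, t0)          # later added to ignoreip
    record_ban(db, "sshd", "192.0.2.3", 600, t0)           # will simply expire
    record_unban(db, "sshd", "192.0.2.1")
    # "Restart" 650 s after t0: the expired row is purged, the rebanned
    # address has 50 s left, the permanent ban stays, the unbanned address
    # is gone and the now-ignored one is skipped.
    now = t0 + 650
    purge_expired(db, now)
    return bans_to_restore(db, "sshd", now, ignoreip={"192.0.2.2"})


if __name__ == "__main__":
    print(demo())  # [('198.51.100.9', -1), ('203.0.113.7', 50)]
```

The remaining time is recomputed from `timeofban + bantime` at restore time rather than stored, so a daemon that was down for a while does not extend anyone's ban, and the ignore list is consulted at restore time rather than at ban time because it may have changed while the daemon was stopped.
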
### New Features
* [..c7ae460] Multiline failregex. Close gh-54
* [8af32ed] Guacamole filter and support for Apache Tomcat date
  format
* [..b6059f4] 'timeout' option for actions Close gh-60 and Debian
  bug #410077. Also it would now capture and include stdout and stderr
  into logging messages in case of error or at DEBUG loglevel.
* Added action xarf-login-attack to report formatted attack messages
  according to the XARF standard (v0.2). Close gh-105
* Support PyPy
* Add filter for apache-botsearch
* Add filter for kerio. Thanks Tony Lawrence for blog of regexs and
  providing samples. Close gh-120
* Filter for stunnel
* Filter for Counter Strike 1.6. Thanks to onorua for logs.
  Close gh-347
* Filter for squirrelmail. Close gh-261
* Filter for tine20. Close gh-583
* Custom date formats (strptime) can now be set in filters and jail.conf
* Python based actions can now be created.
  - SMTP action for sending emails on jail start, stop and ban.
* Added action to use badips.com reporting and blacklist
  - Requires Python 2.7+

### Enhancements
* Fail2ban-regex - don't accumulate lines if not printing them.
  add options to suppress output of missed/ignored lines. Close gh-644
* Asterisk now supports syslog format
* Jail names increased to 26 characters and iptables prefix reduced
  from fail2ban- to f2b- as suggested by buanzo in gh-462.
* Multiline filter for sendmail-spam. Close gh-418
* Multiline regex for Disconnecting: Too many authentication failures for
  root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
* Multiline regex for Disconnecting: Connection from 61.XX.XX.XX port
  51353\nToo many authentication failures for root [preauth]. Thanks
  Helmut Grohne. Close gh-457
* Replacing use of deprecated API (.warning, .assertEqual, etc)
* [..a648cc2] Filters can have options now too which are substituted into
  failregex / ignoreregex
* [..e019ab7] Multiple instances of the same action are allowed in the
  same jail -- use actname option to disambiguate.
* Add honeypot email address to exim-spam filter as argument
* Properties and methods of actions accessible from fail2ban-client
  - Use of properties replaces command actions "cinfo" interface

ver. 0.8.13 (2014/03/15) - maintenance-only-from-now-on
-----------

### Fixes
- action firewallcmd-ipset had non-working actioncheck. Removed.
  redhat bug #1046816.
- filter pureftpd - re-added _daemon, which had been removed.

### New Features
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
- filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).

### Enhancements
- filter asterisk now supports syslog format
- filter pureftpd - added all translations of "Authentication failed for
  user"
- filter dovecot - lip= was optional and extended TLS errors can occur.
  Thanks Noel Butler.

ver. 0.8.12 (2014/01/22) - things-can-only-get-better
----------

- IMPORTANT incompatible changes:
  - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
    length. As per gh-395
  - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
    Part of gh-447.

### Fixes
- allow for ",milliseconds" in the custom date format of proftpd.log
- allow for ", referer ..." in apache-* filter for apache error logs.
- allow for spaces at the beginning of kernel messages. Closes gh-448
- recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias
- smtps is not an IANA standard and has been removed from Arch. Replaced with
  465. Thanks Stefan. Closes gh-447
- add 'flushlogs' command to allow logrotation without clobbering logtarget
  settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
- complain action - ensure we're not matching other IPs in log sample.
  Closes gh-467
- Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622
- Fix apache-common for apache-2.4 log file format. Thanks Mark White.
  Closes gh-516
- Asynchat changed to use push method which verifies whether all data was
  sent. This ensures that all data is sent before closing the connection.
- Removed unnecessary reference to as yet undeclared $jail_name when checking
  a specific jail in nagios script.
- Filter dovecot reordered session and TLS items in regex with wider scope
  for session characters. Thanks Ivo Truxa. Closes gh-586
- A single bad failregex or command syntax in configuration files won't stop
  fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585.

### Enhancements
- long names on jails documented based on iptables limit of 30 less
  len("fail2ban-").
- remove indentation of name and loglevel while logging to SYSLOG to
  resolve syslog(-ng) parsing problems. Closes Debian bug #730202.
- updated check_fail2ban to return performance data for all jails.
- filter apache-noscript now includes php cgi scripts.
  Thanks dani. Closes gh-503
- exim-spam filter to match spamassassin log entry for option SAdevnull.
  Thanks Ivo Truxa. Closes gh-533
- `filter.d/nsd.conf` -- also amended Unix date template to match nsd format
- Added to sshd filter expression for `Received disconnect from <HOST>: 3:
  ...: Auth fail`. Thanks Marcel Dopita. Closes gh-289
- loglines now also report "[PID]" after the name portion
- Added `filter.d/ejabberd-auth`
- Improved ACL-handling for Asterisk
- Added improper command pipelining to postfix filter.

### New Features

- `filter.d/solid-pop3d` -- added thanks to Jacques Lav!gnotte on mailinglist.
- Add filter for apache-modsecurity.
- Added openwebmail filter thanks Ivo Truxa. Closes gh-543
- Added filter for freeswitch. Thanks Jim and editors and authors of
  http://wiki.freeswitch.org/wiki/Fail2ban
- Added groupoffice filter thanks to logs from Merijn Schering.
  Closes gh-566
- Added filter for horde
- Added filter for squid. Thanks Roman Gelfand.
- Added filter for ejabberd-auth.
- Added `action.d/badips`. Thanks to Amy for making a nice API.
- Added firewallcmd-ipset action.
- Added ufw action. Thanks Guilhem Lettron. lp-#701522
- Added blocklist_de action.


ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes
----------

In light of CVE-2013-2178 that triggered our last release we have put
a significant effort into tightening all of the regexs of our filters
to avoid another similar vulnerability. All filters have been updated,
some of them to catch more login/authentication failures and to support
newer application versions. There are test cases for most log
cases of failures now.

As usual, if you have other examples that demonstrate that a filter is
insufficient, or if we have inadvertently introduced a regression,
please provide us with example log lines on the github issue tracker
http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in
some obscure corner of the Internet.

Many thanks to our contributors for this release Daniel Black, Yaroslav
Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski,
Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François
Boulogne and others who have helped on IRC and mailing list, logged issues
and bug requests.

### IMPORTANT incompatible changes

Filter name changes:
* 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
* 'sasl' has been renamed to 'postfix-sasl'
* 'exim' spam catching failregexes were split out into 'exim-spam'
These changes will require changing jail.{conf,local} if any of
those filters were used.

### Fixes
- Jonathan Lanning
  * `filter.d/asterisk` -- identified another regex for blocking. Also channel
    ID is hex not decimal as noted in sample logs provided.
- Daniel Black & Marcel Dopita
  * `filter.d/apache-auth` -- fixed, and apache auth samples provided. Closes gh-286
- Yaroslav Halchenko
  * `filter.d/common.conf` -- make colon after [daemon] optional. Closes gh-267
  * `filter.d/apache-common.conf` -- support apache 2.4 more detailed error
    log format. Closes gh-268
  * Backends changes detection and parsing. Close gh-223 and gh-103:
    - Polling backend: detect changes in the files not only based on
      mtime, but also on the size and inode. It should allow for
      better detection of changes and log rotations on busy servers,
      older python 2.4, and file systems with precision of mtime only
      up to a second (e.g. ext3).
    - All backends, possible race condition: do not read from a file
      initially reported empty. Originally could have led to
      accounting for detected log lines multiple times.
  * Do not crash if executing a command in fail2ban-client interactive
    mode has failed (e.g. due to incorrect syntax). Closes gh-353
- Daniel Black & Мернов Георгий
  * `filter.d/dovecot.conf` -- Fix when no TLS enabled - line doesn't end in ,
- Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
  * `filter.d/exim.conf` -- regex hardening and extra failure examples in
    sample logs
  * `filter.d/named-refused.conf` - BIND 9.9.3 regex changes
- Daniel Black & Sebastian Arcus
  * `filter.d/asterisk` -- more regexes
- Daniel Black
  * `action.d/hostsdeny` -- NOTE: new dependency 'ed'. Switched to use 'ed' across
    all platforms to ensure permissions are the same before and after a ban.
    Closes gh-266. hostsdeny supports daemon_list now too.
  * `action.d/bsd-ipfw` - action option unused. Change blocktype to port unreach
    instead of deny for consistency.
  * `filter.d/dovecot` - added to support different dovecot failure
    "..disallowed plaintext auth". Closes Debian bug #709324
  * `filter.d/roundcube-auth` - timezone offset can be positive or negative
  * `action.d/bsd-ipfw` - action option unused. Fixed to blocktype for
    consistency. default to port unreach instead of deny
  * `filter.d/dropbear` - fix regexs to match standard dropbear and the patched
    http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
    and add PAM as it is in dropbear-2013.60 source code.
  * `filter.d/{asterisk,assp,dovecot,proftpd}.conf` -- regex hardening
    and extra failure examples in sample logs
  * `filter.d/apache-auth` - added expressions for mod_authz, mod_auth and
    mod_auth_digest failures.
  * `filter.d/recidive` -- support f2b syslog target and anchor regex at start
  * `filter.d/mysqld-auth.conf` - mysql can use syslog
  * `filter.d/sshd` - regex enhancements to support openssh-6.3. Closes Debian
    bug #722970. Thanks Colin Watson for the regex analysis.
  * `filter.d/wuftpd` - regex enhancements to support pam and wuftpd. Closes
    Debian bug #665925
- Rolf Fokkens
  * `action.d/dshield.conf` and complain.conf -- reorder mailx arguments.
    https://bugzilla.redhat.com/show_bug.cgi?id=998020
- John Doe (ache)
  * `action.d/bsd-ipfw.conf` - invert actionstop logic to make exit status 0.
    Closes gh-343.
- JP Espinosa (Reviewed by O.Poplawski)
  * files/redhat-initd - rewritten to use stock init.d functions thus
    avoiding problems with getpid. Also $network and iptables moved
    to Should- rc init fields
- Rick Mellor
  * `filter.d/vsftp` - fix capture with tty=ftp

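The polling-backend fix in the list above (compare inode and size, not just mtime) is easiest to understand as code. What follows is an added example, not fail2ban's polling backend: a minimal reader that follows a file across the two common rotation styles, rename-and-recreate (new inode) and truncate-in-place (size drops below the read offset), and that stops trusting mtime alone because a filesystem with one-second mtime precision can report an unchanged mtime right after a rotation. The class name, the temporary log file and its lines are constructed for the demonstration.

```python
import os
import tempfile


class RotationAwareTail:
    """Follow a log file across rotation and truncation.

    Comparing mtime alone is not enough: on a busy host the rotated-in file
    can be written within the same second as the last read, and on ext3
    (1 s mtime precision) the mtime then looks unchanged. Checking the inode
    (rename-and-recreate gives a new one) and the size (truncate-in-place
    drops it below our offset) as well catches both rotation styles.
    """

    def __init__(self, path):
        self.path = path
        self.inode = None     # inode of the file we last read from
        self.size = 0         # size observed at the last read
        self.mtime = None     # mtime observed at the last read
        self.offset = 0       # byte offset of the next unread line

    def _changed(self, st):
        return (st.st_ino != self.inode or st.st_size != self.size
                or st.st_mtime != self.mtime)

    def read_new_lines(self):
        """Return complete new lines since the last call (possibly none)."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []          # mid-rotation: the new file does not exist yet
        if not self._changed(st):
            return []
        if st.st_ino != self.inode or st.st_size < self.offset:
            # New inode (rotated) or shrunk (truncated): restart at the head
            # of the file we now see, never at the stale offset.
            self.offset = 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        # Consume only complete lines; a partially written last line stays
        # in the file and is picked up once its newline arrives.
        complete, sep, _partial = data.rpartition(b"\n")
        self.offset += len(complete) + len(sep)
        self.inode, self.size, self.mtime = st.st_ino, st.st_size, st.st_mtime
        return complete.decode("utf-8", "replace").splitlines() if sep else []


def demo():
    """Constructed scenario: append, rename-rotate, truncate-rotate."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "auth.log")
        tail = RotationAwareTail(path)
        seen = []
        with open(path, "w") as fh:
            fh.write("line 1\nline 2\n")
        seen += tail.read_new_lines()
        with open(path, "a") as fh:
            fh.write("line 3\npartial")          # no newline yet
        seen += tail.read_new_lines()            # yields only "line 3"
        with open(path, "a") as fh:
            fh.write(" line\n")
        seen += tail.read_new_lines()            # now "partial line"
        # logrotate default: rename the old file, the writer opens a new one
        os.rename(path, path + ".1")
        with open(path, "w") as fh:
            fh.write("line 4\n")
        seen += tail.read_new_lines()
        # copytruncate style: same inode, emptied in place, then appended to
        with open(path, "w"):
            pass
        seen += tail.read_new_lines()            # nothing, but offset reset
        with open(path, "a") as fh:
            fh.write("line 5\n")
        seen += tail.read_new_lines()
        return seen


if __name__ == "__main__":
    print(demo())
    # ['line 1', 'line 2', 'line 3', 'partial line', 'line 4', 'line 5']
```

One limitation worth knowing: a truncate-in-place that is immediately refilled to a size at or beyond the old offset is invisible to size and inode checks alone, which is why an event-driven backend (pyinotify, systemd journal) is preferable where available and why the race-condition note above (never read a file first reported empty as if it were the old one) matters.
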
### New Features
- Edgar Hoch
  * `action.d/firewall-cmd-direct-new.conf` - action for firewalld
    from https://bugzilla.redhat.com/show_bug.cgi?id=979622
    NOTE: requires firewalld-0.3.8+
- Andy Fragen and Daniel Black
  * `action.d/osx-ipfw.conf` - ipfw action for OSX based on random rule
    numbers.
- Anonymous:
  * `action.d/osx-afctl` - an action based on afctl for osx
- Daniel Black & ykimon
  * `filter.d/3proxy.conf` -- filter added
  * fail2ban-regex - now generates http://www.debuggex.com urls for debugging
    regular expressions with the -D parameter.
- Daniel Black
  * `filter.d/exim-spam.conf` -- a splitout of exim's spam regexes
    with additions for greater control over filtering spam.
  * add date expression for apache-2.4 - milliseconds
  * `filter.d/nginx-http-auth` -- filter added for http basic authentication
    failures in nginx. Partially fulfills gh-405.
- Christophe Carles & Daniel Black
  * `filter.d/perdition.conf` -- filter added
- Mark McKinstry
  * `action.d/apf.conf` - add action for Advanced Policy Firewall (apf)
- Amir Caspi and kjohnsonecl
  * `filter.d/uwimap-auth` - filter for uwimap-auth IMAP/POP server
- Steven Hiscocks and Daniel Black
  * `filter.d/selinux-{common,ssh}` -- add SELinux date and ssh filter

### Enhancements
- François Boulogne and Frédéric
  * `filter.d/lighttpd` - auth regexs for lighttpd-1.4.31
- Daniel Black
  * reorder parsing of jail.conf, `jail.d/*.conf`, `jail.local`, `jail.d/*.local`
    and likewise for `fail2ban.{conf|local|d/*.conf|d/*.local}`. Closes gh-392
  * jail.conf now has asterisk jail - no need for asterisk-tcp and
    asterisk-udp. Users should replace existing jails with asterisk to
    reduce duplicate parsing of the asterisk log file.
  * `filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin}` - regex anchor at
    start
  * `filter.d/vsftpd` - anchored regex at start. disable old pam format regex
  * `filter.d/pam-generic` - added syslog prefix. Disabled support for
    linux-pam before version 0.99.2.0 (2005)
  * `filter.d/postfix-sasl` - renamed from sasl, anchor at start and base on
    syslog
  * `filter.d/qmail` - rewrote regex to anchor at start. Added regex for
    another "in the wild" patch to rblsmtp.
- Yaroslav Halchenko
  * fail2ban-regex -- refactored to provide more details (missing and
    ignored lines, control over logging, etc) while maintaining look&feel
  * fail2ban-client -- log to standard error. Closes gh-264
  * Fail to configure if not a single log file was found for an
    enabled jail. Closes gh-63
  * `<HOST>` is now enforced to end with an alphanumeric
  * `filter.d/roundcube-auth.conf` -- anchored version
  * date matching - for standard asctime formats prefer more detailed
    first (thus use year if available)
  * files/gen_badbots was added and `filter.d/apache-badbots.conf` was
    regenerated to get updated (although now still an old) list of
    "bad" bots
- Alexander Dietrich
  * `action.d/sendmail-common.conf` -- added common sendmail settings file
    and made the sender display name configurable
- Steven Hiscocks
  * `filter.d/dovecot` - Addition of session, time values and possible blank
    user
- Zurd and Daniel Black
  * `filter.d/named-refused` - added refused on zone transfer
  * `filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd}` - General
    regex improvements
- Zurd
  * `filter.d/postfix` - add filter for VRFY failures. Closes gh-322.
- Orion Poplawski
  * `fail2ban.d/` and `jail.d/` directories are added to `etc/fail2ban` to facilitate
    their use

ver. 0.8.10 (2013/06/12) - wanna-be-secure
-----------

Primarily bugfix and enhancements release, triggered by "bugs" in
apache- filters. If you rely on the apache- filters listed below,
upgrade asap and ask your distribution to patch their fail2ban
package with [6ccd5781].

### Fixes
- Yaroslav Halchenko
  * [6ccd5781] `filter.d/apache-{auth,nohome,noscript,overflows}` - anchor
    failregex at the beginning (and where applicable at the end).
    Addresses a possible DoS. Closes gh-248
  * `action.d/{route,shorewall}.conf` - blocktype must be defined
    within [Init]. Closes gh-232
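
Why anchoring the failregex matters, shown as an added example rather than fail2ban's own filter or the exact pattern fixed in [6ccd5781] (the same concern drives the regex tightening the 0.8.11 notes describe): with an unanchored expression the regex engine may match anywhere in the line, including inside attacker-controlled text that the server logged verbatim, such as a requested path, so the `<HOST>` it captures can be whatever the attacker wrote there. Anchoring at the start (and, where the message has a fixed tail, at the end) forces the match to line up with the real log structure and the real client field. The log lines, the `<HOST>` stand-in, the two patterns and the function name are constructed for the illustration.

```python
import re

# Stand-in for fail2ban's <HOST> tag (must end with an alphanumeric, as
# 0.8.11 enforces); not the project's exact definition.
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Constructed Apache 2.2-style error-log lines (no real server involved).
#  1. a genuine authentication failure from client 203.0.113.7;
#  2. a "File does not exist" error from the same client, whose requested
#     path (attacker-chosen, logged verbatim) carries a decoy that is shaped
#     exactly like an auth failure for a victim address, 198.51.100.9.
LOG_LINES = [
    '[Sat Jun 01 12:00:00 2013] [error] [client 203.0.113.7] '
    'user admin authentication failure for "/secret": Password Mismatch',
    '[Sat Jun 01 12:00:01 2013] [error] [client 203.0.113.7] '
    'File does not exist: /var/www/[client 198.51.100.9] '
    'user admin authentication failure for "/secret": Password Mismatch',
]

# Unanchored: search() may start anywhere, so on line 2 it skips the real
# "[client 203.0.113.7] File ..." and matches the decoy inside the path.
UNANCHORED = re.compile(
    r"\[client <HOST>\] user \S+ authentication failure".replace("<HOST>", HOST))

# Anchored at both ends: the timestamp and "[error] [client <HOST>]" must
# open the line and the failure text must close it, so the decoy, which sits
# after a different message, cannot line up with the pattern.
ANCHORED = re.compile(
    (r'^\[[^\]]+\] \[error\] \[client <HOST>\] user \S+ authentication failure'
     r' for "[^"]*": Password Mismatch\s*$').replace("<HOST>", HOST))


def hosts_to_ban(failregex, lines):
    """Host captured from every line the failregex matches, in order."""
    found = []
    for line in lines:
        m = failregex.search(line)
        if m:
            found.append(m.group("host"))
    return found


if __name__ == "__main__":
    print(hosts_to_ban(UNANCHORED, LOG_LINES))  # ['203.0.113.7', '198.51.100.9']
    print(hosts_to_ban(ANCHORED, LOG_LINES))    # ['203.0.113.7']
```

With the unanchored pattern the second line gets an innocent third party banned; with the anchored one it is correctly ignored, because it is not an authentication failure at all. Anchoring also limits where the engine may begin a match attempt, which is part of keeping a filter's CPU cost predictable; the other part, not shown here, is to avoid nested or overlapping quantifiers on the attacker-controlled stretch of the line.
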
### Enhancements
- Yaroslav Halchenko
  * jail.conf -- assure all jails have actions and remove unused
    ports specifications
- Terence Namusonge
  * `filter.d/roundcube-auth.conf` -- support roundcube 0.9+
- Daniel Black
  * `files/suse-initd` -- update to the copy from stock SUSE
- silviogarbes & Daniel Black
  * Updates to asterisk filter. Closes gh-227/gh-230.
- Carlos Alberto Lopez Perez
  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.

ver. 0.8.9 (2013/05/13) - wanna-be-stable
----------

Originally targeted as a bugfix release, it incorporated many new
enhancements, a few new features, and more importantly -- a considerably
extended test battery with 94% coverage now (up from 56% in 0.8.8).

This release introduces over 200 non-merge commits from 16
contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.

Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
Hendrikx, Yehuda Katz and other TBN heroes supporting users on
fail2ban-users mailing list and IRC.

### Fixes
- Yaroslav Halchenko
  * [6f4dad46] python-2.4 is the minimal version.
  * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
    on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
  * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
    insight. Closes gh-103.
  * [ab044b75] delay check for the existence of config directory until read.
  * [3b4084d4] fixing up for handling of TAI64N timestamps.
  * [154aa38e] do not shutdown logging until all jails stop.
  * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184.
    Thanks to Jon Foster for report and troubleshooting.
- Orion Poplawski
  * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
    newly created directories.
- Nicolas Collignon
  * [39667ff6] Avoid leaking file descriptors. Closes gh-167.
- Sergey Brester
  * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
    sorting template list.
- Steven Hiscocks
  * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
    Closes gh-147, gh-148.
  * [b6a68f51] Fix delaction on server side. Closes gh-124.
- Daniel Black
  * [f0610c01] Allow more than a one-word command when changing an Action via
    the fail2ban-client. Closes gh-134.
  * [945ad3d9] Fix dates on email actions to work in different locales. Closes
    gh-70. Thanks to iGeorgeX for the idea.
- blotus
  * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
- Christoph Theis, Nick Hilliard, Daniel Black
  * [b3bd877d,cde71080] Make `syslog -v` and `syslog -vv` formats work on FreeBSD

### New Features
- Yaroslav Halchenko
  * [9ba27353] Add support for `jail.d/{configfile}` and `fail2ban.d/{configfile}`
    to provide additional flexibility to system administrators. Thanks to
    beilber for the idea. Closes gh-114.
  * [3ce53e87] Add exim filter.
- Erwan Ben Souiden
  * [d7d5228] add nagios integration documentation and script to ensure
    fail2ban is running. Closes gh-166.
- Artur Penttinen
  * [29d0df5] Add mysqld filter. Closes gh-152.
- ArndRaphael Brandes
  * [bba3fd8] Add Sogo filter. Closes gh-117.
- Michael Gebetsroither
  * [f9b78ba] Add action route to block at routing level.
- Teodor Micu & Yaroslav Halchenko
  * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
- Daniel Black
  * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
- Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
  * [b6d0e8a] Add and enhance the bsd-ipfw action from
    FreeBSD ports.
- Soulard Morgan
  * [f336d9f] Add filter for webmin. Closes gh-99.
- Steven Hiscocks
  * [..746c7d9] bash interactive shell completions for fail2ban-*'s
- Nick Hilliard
  * [0c5a9c5] Add pf action.

### Enhancements
- Enrico Labedzki
  * [24a8d07] Added new date format for ASSP SMTP Proxy.
- Steven Hiscocks
  * [3d6791f] Ensure restart of Actions after a check fails occurs
    consistently. Closes gh-172.
  * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
  * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
  * [ce3ab34] Added ability to specify PID file.
- Orion Poplawski
  * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
    Closes gh-142.
- Yaroslav Halchenko
  * [MANY] Lots of improvements to log messages, man pages and test cases.
  * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
    Closes gh-126. Bug report by Michael Heuberger.
  * [40c5a2d] adding more of diagnostic messages into -client while starting
    the daemon.
  * [8e63d4c] Compare against None with 'is' instead of '=='.
  * [6fef85f] Strip CR and LF while analyzing the log line
- Daniel Black
  * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
  * [MANY] man page edits.
  * [7cd6dab] Added help command to fail2ban-client.
  * [c8c7b0b,23bbc60] Better logging of log file read errors.
  * [3665e6d] Added code coverage to development process.
  * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
    source. Also include BSD changes.
  * [1d9abd1] Action files can have tags in definition that refer to other
    tags.
  * [10886e7,cec5da2,adb991a] Change actions to respond with ICMP port
    unreachable rather than just a drop of the packet.
- Pascal Borreli
  * [a2b29b4] Fixed lots of typos in config files and documentation.
- hamilton5
  * [7ede1e8] Update dovecot filter config.
- Romain Riviere
  * [0ac8746] Enhance named-refused filter for views.
- James Stout
  * [..2143cdf] Solaris support enhancements:
    - `README.Solaris`
    - failregex'es tune ups (`sshd.conf`)
    - hostsdeny: do not rely on support of '-i' in sed

ver. 0.8.8 (2012/12/06) - stable
----------
### Fixes
- Alan Jenkins
  * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
    banning due to misconfigured DNS. Closes gh-64
- Yaroslav Halchenko
  * [83109bc] IMPORTANT: escape the content of `<matches>` (if used in
    custom action files) since its value could contain arbitrary
    symbols. Thanks for discovery go to the NBS System security
    team
  * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83
  * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
  * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
    in the console. Closes gh-91

### New Features
- David Engeset
  * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
    the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86

### Enhancements
* [2d66f31] replaced uninformative "Invalid command" message with a warning
  logging the exception of why the command actually failed
* [958a1b0] improved failregex to "support" auth.backend = "htdigest"
* [9e7a3b7] until we make it a proper module -- adjusted sys.path only if
  system-wide run
* [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
* [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
  for this gh-87)
* Various others: travis-ci integration, script to run tests
  against all available Python versions, etc

ver. 0.8.7.1 (2012/07/31) - stable
----------

### Fixes
* [e9762f3] Removed sneaked in comment on sys.path.insert

ver. 0.8.7 (2012/07/31) - stable
----------

### Fixes
- Tom Hendrikx & Jeremy Olexa
  * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
    See http://forums.gentoo.org/viewtopic-t-899018.html
- Chris Reffett
  * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
    rather than just one failure.
- Yaroslav Halchenko
  * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
  * [25f1e8d] allow trailing whitespace in a few sshd.conf regexes that were
    missing it
  * [ed16ecc] enforce "ip" field returned as str, not unicode so that log
    message stays non-unicode. Close gh-32
  * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
    already present in the pattern
  * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
    friendly to developers stuck with Windows (Closes gh-66)
  * [80b191c] anchor grep regexp in actioncheck to not match partial names
    of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
### New Features
- François Boulogne
  * [a7cb20e..] add lighttpd-auth filter/jail
- Lee Clemens & Yaroslav Halchenko
  * [e442503] pyinotify backend (default if backend='auto' and pyinotify
    is available)
  * [d73a71f,3989d24] usedns parameter for the jails to allow disabling
    use of DNS
- Tom Hendrikx
  * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
    repeated offenders. Close gh-19
- Xavier Devlamynck
  * [7d465f9..] Add asterisk support
- Zbigniew Jędrzejewski-Szmek
  * [de502cf..] allow running fail2ban as non-root user (disabled by
    default) via xt_recent. See doc/run-rootless.txt
### Enhancements
- Lee Clemens
  * [47c03a2] files/nagios - spelling/grammar fixes
  * [b083038] updated Free Software Foundation's address
  * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
  * [642d9af,3282f86] reformatted printing of jail's name to be consistent
    with init's info messages
  * [3282f86] uniform use of capitalized Jail in the messages
- Leonardo Chiquitto
  * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
    to reflect code
  * [a7d47e8] Update Free Software Foundation's address
- Petr Voralek
  * [4007751] catch failed ssh logins due to being listed in DenyUsers.
    Close gh-47 (Closes: #669063)
- Yaroslav Halchenko
  * [MANY] extended and robustified unittests: test different backends
  * [d9248a6] refactored Filter's to avoid duplicate functionality
  * [7821174] direct users to issues on github
  * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
    default with -v to control verbosity
  * [b4099da] adjusted header for config/*.conf to mention .local and way
|
|
to comment (Thanks Stefano Forli for the note)
|
|
* [6ad55f6] added failregex for wu-ftpd to match against syslog instead
|
|
of DoS-prone auth.log's rhost (Closes: #514239)
|
|
* [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
|
|
sshd filter (Closes: #648020)
|
|
- Yehuda Katz & Yaroslav Halchenko
|
|
* [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
|
|
|
|
ver. 0.8.6 (2011/11/28) - stable
|
|
----------
|
|
### Fixes
|
|
- Markos Chandras & Yaroslav Halchenko
|
|
* [492d8e5,bd658fc] Use hashlib (instead of deprecated md5) where available
|
|
- Robert Trace & Michael Lorant
|
|
* [c48c2b1] gentoo-initd cleanup and fixes: assure `/var/run` + remove stale
|
|
sock file
|
|
- Michael Saavedra
|
|
* [3a58d0e] Lock server's executeCmd to prevent racing among iptables calls:
|
|
see http://bugs.debian.org/554162
|
|
- Yaroslav Halchenko
|
|
* [3eb5e3b] Allow for trailing spaces in sasl logs
|
|
* [1632244] Stop server-side communication before stopping the
|
|
jails (prevents lockup if actions use fail2ban-client upon
|
|
unban): see https://github.com/fail2ban/fail2ban/issues/7
|
|
* [5a2d518] Various changes to reincarnate unittests
|
|
- Yehuda Katz
|
|
* Wiki was cleaned from SPAM
|
|
|
|
### Enhancements
|
|
- Adam Spiers
|
|
* [3152afb] Recognise time-stamped kernel messages
|
|
- Guido Bozzetto
|
|
* [713fea6] Added ipmasq rule file to restart fail2ban when iptables are
|
|
wiped out: see http://bugs.debian.org/461417
|
|
- Łukasz
|
|
* [5f23542] Matching of month names in Polish (thanks michaelberg79
|
|
for QA)
|
|
- Tom Hendrikx
|
|
* [9fa54cf] Added Date: header for sendmail*.conf actions
|
|
- Yaroslav Halchenko & Tom Hendrikx
|
|
* [b52d420..22b7007] <matches> in action files now can be used
|
|
to provide matched loglines which triggered action
|
|
- Yaroslav Halchenko
|
|
* [ed0bf3a] Removed duplicate entry for DataCha0s/2\.0 in badbots:
|
|
see http://bugs.debian.org/519557
|
|
* [dad91f7] sshd.conf: allow user names to have spaces and
|
|
trailing spaces in the line
|
|
* [a9be451] removed expansions for few Date and Revision SVN keywords
|
|
* [a33135c] set/getFile for ticket.py -- found in source distribution
|
|
of 0.8.4
|
|
* [fbce415] additional logging while stopping the jails
|
|
|
|
ver. 0.8.5 (2011/07/28) - stable
|
|
----------
|
|
- Fix: use addfailregex instead of failregex while processing per-jail
|
|
"failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to
|
|
Marat Khayrullin for the patch and Daniel T Chen for forwarding to
|
|
Debian.
|
|
- Fix: use os.path.join to generate full path - fixes includes in configs
|
|
given local filename (5 weeks ago) [yarikoptic]
|
|
- Fix: allowed for trailing spaces in proftpd logs
|
|
- Fix: escaped () in pure-ftpd filter. Thanks to Teodor
|
|
- Fix: allowed space in the trailing of failregex for sasl.conf:
|
|
see http://bugs.debian.org/573314
|
|
- Fix: use `/var/run/fail2ban` instead of `/tmp` for temp files in actions:
|
|
see http://bugs.debian.org/544232
|
|
- Fix: Tai64N stores time in GMT, needed to convert to local time before
|
|
returning
|
|
- Fix: disabled named-refused-udp jail entirely with a big fat warning
|
|
- Fix: added time module. Bug reported in buanzo's blog:
|
|
see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
|
|
- Fix: Patch to make log file descriptors cloexec to stop leaking file
|
|
descriptors on fork/exec. Thanks to Jonathan Underwood:
|
|
see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24
|
|
- Enhancement: added author for dovecot filter and pruned unneeded space
|
|
in the regexp
|
|
- Enhancement: proftpd filter -- if login failed -- count regardless of the
|
|
reason for failure
|
|
- Enhancement: added <chain> to `action.d/iptables*`. Thanks to Matthijs Kooijman:
|
|
see http://bugs.debian.org/515599
|
|
- Enhancement: added `filter.d/dovecot.conf` from Martin Waschbuesch
|
|
- Enhancement: made `filter.d/apache-overflows.conf` catch more:
|
|
see http://bugs.debian.org/574182
|
|
- Enhancement: added dropbear filter from Francis Russell and Zak B. Elep:
|
|
see http://bugs.debian.org/546913
|
|
- Enhancement: changed default ignoreip to ignore entire loopback zone (/8):
|
|
see http://bugs.debian.org/598200
|
|
- Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer
|
|
- Few minor cosmetic changes
|
|
|
|
ver. 0.8.4 (2009/09/07) - stable
|
|
----------
|
|
- Check the inode number for rotation in addition to checking the first line of
|
|
the file. Thanks to Jonathan Kamens. Red Hat #503852. Tracker #2800279.
|
|
- Moved the shutdown of the logging subsystem out of Server.quit() to
|
|
the end of Server.start(). Fixes the 'cannot release un-acquired lock'
|
|
error.
|
|
- Added "Ban IP" command. Thanks to Arturo 'Buanzo' Busleiman.
|
|
- Added two new filters: lighttpd-fastcgi and php-url-fopen.
|
|
- Fixed the 'unexpected communication error' problem by means of
|
|
use_poll=False in Python >= 2.6.
|
|
- Merged patches from Debian package. Thanks to Yaroslav Halchenko.
|
|
- Use current day and month instead of Jan 1st if both are not available in the
|
|
log. Thanks to Andreas Itzchak Rehberg.
|
|
- Try to match the regex even if the line does not contain a valid date/time.
|
|
Described in Debian #491253. Thanks to Yaroslav Halchenko.
|
|
- Added/improved filters and date formats.
|
|
- Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to
|
|
Russell Odom.
|
|
- Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to
|
|
Detlef Reichelt.
|
|
- Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
|
|
- Added nagios script. Thanks to Sebastian Mueller.
|
|
- Added CPanel date format. Thanks to David Collins. Tracker #1967610.
|
|
- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
|
|
- Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115.
|
|
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
|
|
- Changed `<HOST>` template to be more restrictive. Debian bug #514163.
|
|
- Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct
|
|
fix but seems to work. Tracker #2500276.
|
|
- Made the named-refused regex a bit less restrictive in order to match logs
|
|
with "view". Thanks to Stephen Gildea.
|
|
- Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714
|
|
|
|
ver. 0.8.3 (2008/07/17) - stable
|
|
----------
|
|
- Process failtickets as long as failmanager is not empty.
|
|
- Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav
|
|
Halchenko.
|
|
- Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
|
|
- Fixed PID file while started in daemon mode. Thanks to Christian Jobic who
|
|
submitted a similar patch.
|
|
- Fixed `fail2ban-client get <jail> logpath`. Bug #1916986.
|
|
- Added gssftpd filter. Thanks to Kevin Zembower.
|
|
- Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis
|
|
Winter.
|
|
- Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
|
|
- Added ISO 8601 date/time format.
|
|
- Added and changed some logging level and messages.
|
|
- Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
|
|
- Use poll instead of select in asyncore.loop. This should solve the "Unknown
|
|
error 514". Thanks to Michael Geiger and Klaus Lehmann.
|
|
|
|
ver. 0.8.2 (2008/03/06) - stable
|
|
----------
|
|
- Fixed named filter. Thanks to Yaroslav Halchenko
|
|
- Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
|
|
- Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
|
|
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be
|
|
possible to create stronger failregex against log injection
|
|
- Fixed ipfw action script. Thanks to Nick Munger
|
|
- Removed date from logging message when using SYSLOG. Thanks to Iain Lea
|
|
- Fixed "ignore IPs". Only the first value was taken into account. Thanks to
|
|
Adrien Clerc
|
|
- Moved socket to `/var/run/fail2ban`.
|
|
- Rewrote the communication server.
|
|
- Refactoring. Reduced number of files.
|
|
- Removed Python 2.4. Minimum required version is now Python 2.3.
|
|
- New log rotation detection algorithm.
|
|
- Print monitored files in status.
|
|
- Create a PID file in `/var/run/fail2ban/`. Thanks to Julien Perez.
|
|
- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks
|
|
to Yaroslav Halchenko for the fix.
|
|
- `reload <jail>` reloads a single jail and the parameters in fail2ban.conf.
|
|
- Added Mac OS/X startup script. Thanks to Bill Heaton.
|
|
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
|
|
- Replaced "echo" with "printf" in actions. Fix #1839673
|
|
- Replaced "reject" with "drop" in shorwall action. Fix #1854875
|
|
- Fixed Debian bug #456567, #468477, #462060, #461426
|
|
- readline is now optional in fail2ban-client (not needed in fail2ban-server).
|
|
|
|
ver. 0.8.1 (2007/08/14) - stable
|
|
----------
|
|
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
|
|
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
|
|
- Improved regular expressions. Thanks to Yaroslav Halchenko and others
|
|
- Added sendmail actions. The action started with "mail" are now deprecated.
|
|
Thanks to Raphaël Marichez
|
|
- Added "ignoreregex" support to fail2ban-regex
|
|
- Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
|
|
- Tightening up the pid check in redhat-initd. Thanks to David Nutter
|
|
- Added webmin authentication filter. Thanks to Guillaume Delvit
|
|
- Removed textToDns() which is not required anymore. Thanks to Yaroslav
|
|
Halchenko
|
|
- Added new action iptables-allports. Thanks to Yaroslav Halchenko
|
|
- Added "named" date format to date detector. Thanks to Yaroslav Halchenko
|
|
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
|
|
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
|
|
|
|
ver. 0.8.0 (2007/05/03) - stable
|
|
----------
|
|
- Fixed RedHat init script. Thanks to Jonathan Underwood
|
|
- Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner
|
|
|
|
ver. 0.7.9 (2007/04/19) - release candidate
|
|
----------
|
|
- Close opened handlers. Thanks to Yaroslav Halchenko
|
|
- Fixed "reload" bug. Many many thanks to Yaroslav Halchenko
|
|
- Added date format for asctime without year
|
|
- Modified filters config. Thanks to Michael C. Haller
|
|
- Fixed a small bug in mail-buffered.conf
|
|
|
|
ver. 0.7.8 (2007/03/21) - release candidate
|
|
----------
|
|
- Fixed asctime pattern in datedetector.py
|
|
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
|
- Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
|
|
- Moved every locking statements in a try..finally block
|
|
|
|
ver. 0.7.7 (2007/02/08) - release candidate
|
|
----------
|
|
- Added signal handling in fail2ban-client
|
|
- Added a wonderful visual effect when waiting on the server
|
|
- fail2ban-client returns an error code if configuration is not valid
|
|
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
|
- Call Python interpreter directly (instead of using "env")
|
|
- Added file support to fail2ban-regex. Benchmark feature has been removed
|
|
- Added cacti script and template.
|
|
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier
|
|
|
|
ver. 0.7.6 (2007/01/04) - beta
|
|
----------
|
|
- Added a "sleep 1" in redhat-initd. Thanks to Jim Wight
|
|
- Use `/dev/log` for SYSLOG output. Thanks to Joerg Sommrey
|
|
- Use numeric output for iptables in "actioncheck"
|
|
- Fixed removal of host in hosts.deny. Thanks to René Berber
|
|
- Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
|
|
- Several "failregex" and "ignoreregex" are now accepted. Creation of rules
|
|
should be easier now.
|
|
- Added license in COPYING. Thanks to Axel Thimm
|
|
- Allow comma in action options. The value of the option must be escaped with "
|
|
or '. Thanks to Yaroslav Halchenko
|
|
- Now Fail2ban goes in `/usr/share/fail2ban` instead of `/usr/lib/fail2ban`. This is
|
|
more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko
|
|
|
|
ver. 0.7.5 (2006/12/07) - beta
|
|
----------
|
|
- Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
|
|
- The supported tags in "action(un)ban" are `<ip>`, `<failures>` and `<time>`
|
|
- Fixed refactoring bug (getLastcommand -> getLastAction)
|
|
- Added option "ignoreregex" in filter scripts and `jail.conf`.
|
|
Feature Request #1283304
|
|
- Fixed a bug in user defined time regex/pattern
|
|
- Improved documentation
|
|
- Moved `version.py` and `protocol.py` to `common/`
|
|
- Merged "maxtime" option with "findtime"
|
|
- Added `<HOST>` tag support in failregex which matches default IP
|
|
address/hostname. `(?P<host>\S)` is still valid and supported
|
|
- Fixed exception when calling fail2ban-server with unknown option
|
|
- Fixed Debian bug 400162. The "socket" option is now handled correctly by
|
|
`fail2ban-client`
|
|
- Fixed RedHat init script. Thanks to Justin Shore
|
|
- Changed timeout to 30 secondes before assuming the server cannot be started.
|
|
Thanks to Joël Bertrand
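Several of the 0.7.5 entries above (the `<HOST>` tag in failregex, the "ignoreregex" option, the merged "findtime" window, and not re-banning a host that is already banned) together with the 0.8.4 "maxretry/findtime rate" fix describe the core of how a jail turns matched log lines into bans. The following is an added Python example, not fail2ban's own code, that models that pipeline on constructed sshd-style lines. Its assumptions: `HOST_RE` is only an approximation of the regex fail2ban substitutes for `<HOST>`, the `Jail`, `expand_host` and `run_sample` names are invented for this example, timestamps are handed in already parsed as epoch seconds (no date detector is modelled), and `ignoreip` is an exact-match set rather than CIDR-aware.

```python
"""Added example: a minimal model of how a fail2ban 0.7/0.8-era jail turns
failregex matches into bans.  Not fail2ban's own code."""
import re
from collections import defaultdict, deque

# Assumption: an approximation of what fail2ban substitutes for <HOST>
# (a hostname or address literal, optionally behind an IPv4-mapped IPv6
# prefix such as ::ffff:).  The real expansion has changed across versions.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def expand_host(regex):
    """Expand the <HOST> tag into the named group 'host'.  A regex that
    already spells out (?P<host>...) passes through unchanged, which is the
    compatibility promise in the 0.7.5 entry."""
    return re.compile(regex.replace("<HOST>", HOST_RE))


class Jail:
    """Per-host failure counter with a sliding findtime window.

    A host is reported for banning when its failures within findtime reach
    maxretry; a currently banned host is not counted again."""

    def __init__(self, failregex, ignoreregex=(), ignoreip=(),
                 findtime=600, maxretry=3):
        self.failregex = [expand_host(r) for r in failregex]
        self.ignoreregex = [re.compile(r) for r in ignoreregex]
        self.ignoreip = set(ignoreip)
        self.findtime = findtime
        self.maxretry = maxretry
        self.failures = defaultdict(deque)   # host -> timestamps in window
        self.banned = []

    def process(self, ts, line):
        """Feed one log line with its already-parsed timestamp (epoch
        seconds).  Returns the host banned by this line, or None."""
        if any(rx.search(line) for rx in self.ignoreregex):
            return None                      # ignoreregex wins over failregex
        for rx in self.failregex:
            m = rx.search(line)
            if m:
                break
        else:
            return None                      # not a failure line
        host = m.group("host")
        if host in self.ignoreip or host in self.banned:
            return None
        window = self.failures[host]
        window.append(ts)
        # Drop failures older than findtime, measured from the newest one.
        while ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned.append(host)
            window.clear()
            return host
        return None


# Constructed sshd-style lines with hand-picked epoch timestamps; the
# addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE = [
    (1000, "sshd[201]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2"),
    (1100, "sshd[202]: Failed password for root from 203.0.113.7 port 40002 ssh2"),
    (1150, "sshd[203]: Failed password for root from 127.0.0.1 port 40003 ssh2"),
    (1200, "sshd[204]: Failed password for invalid user monitor from 203.0.113.7 port 40004 ssh2"),
    (2000, "sshd[205]: Failed password for root from 203.0.113.7 port 40005 ssh2"),
    (2050, "sshd[206]: Failed password for root from 203.0.113.7 port 40006 ssh2"),
    (2100, "sshd[207]: Failed password for root from 203.0.113.7 port 40007 ssh2"),
    (2110, "sshd[208]: Failed password for root from 203.0.113.7 port 40008 ssh2"),
    (2120, "sshd[209]: Accepted password for alice from 198.51.100.9 port 40009 ssh2"),
]

FAILREGEX = [r"sshd\[\d+\]: Failed password for .+ from <HOST> port \d+ ssh2$"]
IGNOREREGEX = [r"invalid user monitor from"]   # e.g. a known noisy probe


def run_sample():
    """Replay SAMPLE through a jail; returns [(timestamp, banned_host)]."""
    jail = Jail(FAILREGEX, ignoreregex=IGNOREREGEX, ignoreip={"127.0.0.1"},
                findtime=600, maxretry=3)
    bans = []
    for ts, line in SAMPLE:
        host = jail.process(ts, line)
        if host:
            bans.append((ts, host))
    return bans


if __name__ == "__main__":
    for ts, host in run_sample():
        print("ban %s at t=%d" % (host, ts))
```

Replaying the sample bans 203.0.113.7 only at t=2100: the two failures at t=1000 and t=1100 have aged out of the 600-second window by the time the burst at t=2000 starts, the loopback line is skipped by `ignoreip`, the "monitor" line by `ignoreregex`, and the failure at t=2110 is not counted because the host is already banned.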

ver. 0.7.4 (2006/11/01) - beta
----------

- Improved configuration files. Thanks to Yaroslav Halchenko
- Added man page for "fail2ban-regex"
- Moved ban/unban messages from "info" level to "warn"
- Added "-s" option to specify the socket path and "socket" option in "fail2ban.conf"
- Added "backend" option in "jail.conf"
- Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph Haas
- Improved testing framework
- Fixed a bug in the return code handling of the executed commands. Thanks to Yaroslav Halchenko
- Signal handling. There is a bug with join() and signal in Python
- Better debugging output for "fail2ban-regex"
- Added support for more date formats
- cPickle does not work with Python 2.5. Use pickle instead (performance is not a problem in our case)

ver. 0.7.3 (2006/09/28) - beta
----------

- Added man pages. Thanks to Yaroslav Halchenko
- Added wildcard support for "logpath"
- Added Gamin (file and directory monitoring system) support
- (Re)added "ignoreip" option
- Added more concurrency protection
- First attempt at solving bug #1457620 (locale issue)
- Performance improvements
- (Re)added permanent banning with banTime < 0
- Added DNS support to "ignoreip". Feature Request #1285859

ver. 0.7.2 (2006/09/10) - beta
----------

- Refactoring and code cleanup
- Improved client output
- Added more get/set commands
- Added more configuration templates
- Removed "logpath" and "maxretry" from filter templates. They must be defined in jail.conf now
- Added interactive mode. Use "-i"
- Added a date detector. "timeregex" and "timepattern" are no more needed
- Added "fail2ban-regex". This is a tool to help find "failregex"
- Improved server communication. Start a new thread for each incoming request. Fail2ban is not really thread-safe yet

ver. 0.7.1 (2006/08/23) - alpha
----------

- Fixed daemon mode bug
- Added Gentoo init.d script
- Fixed path bug when trying to start "fail2ban-server"
- Fixed reload command

ver. 0.7.0 (2006/08/23) - alpha
----------

- Almost a complete rewrite :) Fail2ban design is really better (IMHO). There are a lot of new features
- Client/Server architecture
- Multithreading. Each jail has its own threads: one for the log reading and another for the actions
- Execute several actions
- Split configuration files. They are more readable and easy to use
- failregex uses group (<host>) now. This feature was already present in the Debian package
- lots of things...

ver. 0.6.1 (2006/03/16) - stable
----------

- Added permanent banning. Set banTime to a negative value to enable this feature (-1 is perfect). Thanks to Mannone
- Fixed locale bug. Thanks to Fernando José
- Fixed crash when time format does not match data
- Propagated patch from Debian to fix fail2ban search path addition to the path search list: now it is added first. Thanks to Nick Craig-Wood
- Added SMTP authentication for mail notification. Thanks to Markus Hoffmann
- Removed debug mode as it is confusing for people
- Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark Edgington
- Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick Börjesson
- Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local network.
- Robust startup: if iptables module does not get fully initialized after startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its own firewall. It will sleep between attempts for "polltime" number of seconds (closes Debian: #334272). Thanks to Yaroslav Halchenko
- Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser module. Old configuration files still work. Thanks to Yaroslav Halchenko
- Added initial support for hosts.deny and shorewall. Need more testing. Please test. Thanks to kojiro from Gentoo forum for hosts.deny support
- Added support for vsftpd. Thanks to zugeschmiert

ver. 0.6.0 (2005/11/20) - stable
----------

- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
  * Added an option to report local time (including timezone) or GMT in mail notification.

ver. 0.5.5 (2005/10/26) - beta
----------

- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
  * Introduced fwcheck option to verify consistency of the chains. Implemented automatic restart of fail2ban main function in case check of fwban or fwunban command failed (closes: #329163, #331695). (Introduced patch was further adjusted by upstream author).
  * Added -f command line parameter for [findtime].
  * Added a cleanup of firewall rules on emergency shutdown when unknown exception is caught.
  * Fail2ban should not crash now if a wrong file name is specified in config.
  * reordered code a bit so that log targets are set up right after background and then only loglevel (verbose, debug) is processed, so the warning could be seen in the logs
  * Added a keyword `<section>` in parsing of the subject and the body of an email sent out by fail2ban (closes: #330311)

ver. 0.5.4 (2005/09/13) - beta
----------

- Fixed bug #1286222.
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
  * Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target and facility as directed by the config
  * Format of SYSLOG entries fixed to look closer to standard
  * Fixed errata in config/gentoo-confd
  * Introduced findtime configuration variable to control the lifetime of caught "failed" log entries

ver. 0.5.3 (2005/09/08) - beta
----------

- Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav Halchenko
- Added more debug output if an error occurs when sending mail. Thanks to Stephen Gildea
- Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to Stephen Gildea
- Hopefully fixed bug #1256075
- Fixed bug #1262345
- Fixed exception handling in PIDLock
- Removed warning when using "-V" or "-h" with no config file. Thanks to Yaroslav Halchenko
- Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko

ver. 0.5.2 (2005/08/06) - beta
----------

- Better PID lock file handling. Should close #1239562
- Added man pages
- Removed log4py dependency. Use logging module instead
- "maxretry" and "bantime" can be overridden in each section
- Fixed bug #1246278 (excessive memory usage)
- Fixed crash on wrong option value in configuration file
- Changed custom chains to lowercase

ver. 0.5.1 (2005/07/23) - beta
----------

- Fixed bugs #1241756, #1239557
- Added log targets in configuration file. Removed -l option
- Changed iptables rules in order to create a separated chain for each section
- Fixed static banList in firewall.py
- Added an initd script for Debian. Thanks to Yaroslav Halchenko
- Check for obsolete files after install

ver. 0.5.0 (2005/07/12) - beta
----------

- Added support for CIDR mask in ignoreip
- Added mail notification support
- Fixed bug #1234699
- Added tags replacement in rules definition. Should allow a clean solution for Feature Request #1229479
- Removed "interface" and "firewall" options
- Added start and end commands in the configuration file. Thanks to Yaroslav Halchenko
- Added firewall rules definition in the configuration file
- Cleaned fail2ban.py
- Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin

ver. 0.4.1 (2005/06/30) - stable
----------

- Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...". Thanks to Tom Pike
- `fail2ban.conf` modified for readability. Thanks to Iain Lea
- Added an initd script for Gentoo
- Changed default PID lock file location from `/tmp` to `/var/run`

ver. 0.4.0 (2005/04/24) - stable
----------

- Fixed textToDNS which did not recognize strings like "12-345-67-890.abcd.mnopqr.xyz"

ver. 0.3.1 (2005/03/31) - beta
----------

- Corrected level of messages
- Added DNS lookup support
- Improved parsing speed. Only parse the new log messages
- Added a second verbose level (-vv)

ver. 0.3.0 (2005/02/24) - beta
----------

- Re-writing of parts of the code in order to handle several log files with different rules
- Removed `sshd.py` because it is no more needed
- Fixed a bug when exiting with IP in the ban list
- Added PID lock file
- Improved some parts of the code
- Added `ipfw-start-rule` option (thanks to Robert Edeker)
- Added -k option which kills a currently running Fail2Ban

ver. 0.1.2 (2004/11/21) - beta
----------

- Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to Robert Edeker
- Add -e option which allows to set the interface. Thanks to Robert Edeker who reminded me of this
- Small code cleaning

ver. 0.1.1 (2004/10/23) - beta
----------

- Add SIGTERM handler in order to exit nicely when in daemon mode
- Add -r option which allows to set the maximum number of login failures
- Remove the Metalog class as the log files are not so syslog-daemon specific
- Rewrite log reader to be service centered. Sshd support added. Match "Failed password" and "Illegal user"
- Add `/etc/fail2ban.conf` configuration support
- Code documentation

ver. 0.1.0 (2004/10/12) - alpha
----------

- Initial release