mirror of https://github.com/fail2ban/fail2ban
1331 lines
61 KiB
Plaintext
1331 lines
61 KiB
Plaintext
__ _ _ ___ _
|
|
/ _|__ _(_) |_ ) |__ __ _ _ _
|
|
| _/ _` | | |/ /| '_ \/ _` | ' \
|
|
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
|
|
|
Fail2Ban: Changelog
|
|
===================
|
|
|
|
ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
|
|
----------
|
|
|
|
- IMPORTANT incompatible changes:
|
|
* filter.d/roundcube-auth.conf
|
|
- Changed logpath to 'errors' log (was 'userlogins')
|
|
* action.d/iptables-common.conf
|
|
- All calls to iptables command now use -w switch introduced in
|
|
iptables 1.4.20 (some distribution could have patched their
|
|
earlier base version as well) to provide this locking mechanism
|
|
useful under heavy load to avoid contesting on iptables calls.
|
|
If you need to disable, define 'action.d/iptables-common.local'
|
|
with empty value for 'lockingopt' in `[Init]` section.
|
|
* mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
|
|
actions now include by default only the first 1000 log lines in
|
|
the emails. Adjust <grepopts> to augment the behavior.
|
|
|
|
- Fixes:
|
|
* reload in interactive mode appends all the jails twice (gh-825)
|
|
* reload server/jail failed if database used (but was not changed) and
|
|
some jail active (gh-1072)
|
|
* filter.d/dovecot.conf - also match unknown user in passwd-file.
|
|
Thanks Anton Shestakov
|
|
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
|
|
* filter.d/asterisk.conf - fix security log support for Asterisk 12+
|
|
* filter.d/roundcube-auth.conf
|
|
- Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
|
|
- Added regex to work with 'userlogins' log
|
|
* action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
|
|
locale on systems with customized LC_ALL
|
|
* performance fix: minimizes connection overhead, close socket only at
|
|
communication end (gh-1099)
|
|
* unbanip always deletes ip from database (independent of bantime, also if
|
|
currently not banned or persistent)
|
|
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
|
|
* always set 'dbfile' before other database options (gh-1050)
|
|
* kill the entire process group of the child process upon timeout (gh-1129).
|
|
Otherwise could lead to resource exhaustion due to hanging whois
|
|
processes.
|
|
* resolve /var/run/fail2ban path in setup.py to help installation
|
|
on platforms with /var/run -> /run symlink (gh-1142)
|
|
|
|
- New Features:
|
|
* RETURN iptables target is now a variable: <returntype>
|
|
* New type of operation: pass2allow, use fail2ban for "knocking",
|
|
opening a closed port by swapping blocktype and returntype
|
|
* New filters:
|
|
- froxlor-auth - Thanks Joern Muehlencord
|
|
- apache-pass - filter Apache access log for successful authentication
|
|
* New actions:
|
|
- shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
|
|
manual pre-configuration of the shorewall. See the action file for detail.
|
|
* New jails:
|
|
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
|
|
|
|
- Enhancements:
|
|
* action.d/cloudflare.conf - improved documentation on how to allow
|
|
multiple CF accounts, and jail.conf got new compound action
|
|
definition action_cf_mwl to submit cloudflare report.
|
|
* Check access to socket for more detailed logging on error (gh-595)
|
|
* fail2ban-testcases man page
|
|
* filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
|
|
HEAD method verb
|
|
* Revamp of Travis and coverage automated testing
|
|
* Added a space between IP address and the following colon
|
|
in notification emails for easier text selection
|
|
* Character detection heuristics for whois output via optional setting
|
|
in mail-whois*.conf. Thanks Thomas Mayer.
|
|
Not enabled by default, if _whois_command is set to be
|
|
%(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
|
|
it
|
|
- detects character set of whois output (which is undefined by
|
|
RFC 3912) via heuristics of the file command
|
|
- converts whois data to UTF-8 character set with iconv
|
|
- sends the whois output in UTF-8 character set to mail program
|
|
- avoids that heirloom mailx creates binary attachment for input with
|
|
unknown character set
|
|
|
|
|
|
ver. 0.9.2 (2015/04/29) - better-quick-now-than-later
|
|
----------
|
|
|
|
- Fixes:
|
|
* Fix ufw action commands
|
|
* infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
|
|
Thanks TonyThompson
|
|
* port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
|
|
(fnerdwq)
|
|
* $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
|
|
* grep'ing for IP in *mail-whois-lines.conf should now match also
|
|
at the beginning and EOL. Thanks Dean Lee
|
|
* jail.conf
|
|
- php-url-fopen: separate logpath entries by newline
|
|
* failregex declared direct in jail was joined to single line (specifying of
|
|
multiple expressions was not possible).
|
|
* filters.d/exim.conf - cover different settings of exim logs
|
|
details. Thanks bes.internal
|
|
* filter.d/postfix-sasl.conf - failregex is now case insensitive
|
|
* filters.d/postfix.conf - add 'Client host rejected error message' failregex
|
|
* fail2ban/__init__.py - add strptime thread safety hack-around
|
|
* recidive uses iptables-allports banaction by default now.
|
|
Avoids problems with iptables versions not understanding 'all' for
|
|
protocols and ports
|
|
* filter.d/dovecot.conf
|
|
- match pam_authenticate line from EL7
|
|
- match unknown user line from EL7
|
|
* Use use_poll=True for Python 2.7 and >=3.4 to overcome "Bad file
|
|
descriptor" msgs issue (gh-161)
|
|
* filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore
|
|
system authentication issues
|
|
* fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
|
|
(gh-954)
|
|
* firewallcmd-* actions: split output into separate lines for grepping (gh-908)
|
|
* Guard unicode encode/decode issues while storing records in the database.
|
|
Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
|
|
for reporting
|
|
* filter.d/sshd added regex for matching openSUSE ssh authentication failure
|
|
* filter.d/asterisk.conf:
|
|
- Dropped "Sending fake auth rejection" failregex since it incorrectly
|
|
targets the asterisk server itself
|
|
- match "hacking attempt detected" logs
|
|
|
|
- New Features:
|
|
- New filters:
|
|
- postfix-rbl Thanks Lee Clemens
|
|
- apache-fakegooglebot.conf Thanks Lee Clemens
|
|
- nginx-botsearch Thanks Frantisek Sumsal
|
|
- drupal-auth Thanks Lee Clemens
|
|
- New recursive embedded substitution feature added:
|
|
- `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
|
|
- `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
|
|
- New interpolation feature for config readers - `%(known/parameter)s`.
|
|
(means last known option with name `parameter`). This interpolation makes
|
|
possible to extend a stock filter or jail regexp in .local file
|
|
(opposite to simply set failregex/ignoreregex that overwrites it),
|
|
see gh-867.
|
|
- Monit config for fail2ban in files/monit/
|
|
- New actions:
|
|
- action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt
|
|
- action.d/sendmail-geoip-lines.conf
|
|
- action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean
|
|
- New status argument for fail2ban-client -- flavor:
|
|
fail2ban-client status <jail> [flavor]
|
|
- empty or "basic" works as-is
|
|
- "cymru" additionally prints (ASN, Country RIR) per banned IP
|
|
(requires dnspython or dnspython3)
|
|
- Flush log at USR1 signal
|
|
|
|
- Enhancements:
|
|
* Enable multiport for firewallcmd-new action. Closes gh-834
|
|
* files/debian-initd migrated from the debian branch and should be
|
|
suitable for manual installations now (thanks Juan Karlo de Guzman)
|
|
* Define empty ignoreregex in filters which didn't have it to avoid
|
|
warnings (gh-934)
|
|
* action.d/{sendmail-*,xarf-login-attack}.conf - report local
|
|
timezone not UTC time/zone. Closes gh-911
|
|
* Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
|
|
* Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
|
|
* Added syslogsocket configuration to fail2ban.conf
|
|
* Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964)
|
|
|
|
|
|
ver. 0.9.1 (2014/10/29) - better, faster, stronger
|
|
----------
|
|
|
|
- Refactoring (IMPORTANT -- Please review your setup and configuration):
|
|
* iptables-common.conf replaced iptables-blocktype.conf
|
|
(iptables-blocktype.local should still be read) and now also
|
|
provides defaults for the chain, port, protocol and name tags
|
|
|
|
- Fixes:
|
|
* start of file2ban aborted (on slow hosts, systemd considers the server has
|
|
been timed out and kills him), see gh-824
|
|
* UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
|
|
* systemd backend error on bad utf-8 in python3
|
|
* badips.py action error when logging HTTP error raised with badips request
|
|
* fail2ban-regex failed to work in python3 due to space/tab mix
|
|
* recidive regex samples incorrect log level
|
|
* journalmatch for recidive incorrect PRIORITY
|
|
* loglevel couldn't be changed in fail2ban.conf
|
|
* Handle case when no sqlite library is available for persistent database
|
|
* Only reban once per IP from database on fail2ban restart
|
|
* Nginx filter to support missing server_name. Closes gh-676
|
|
* fail2ban-regex assertion error caused by miscount missed lines with
|
|
multiline regex
|
|
* Fix actions failing to execute for Python 3.4.0. Workaround for
|
|
http://bugs.python.org/issue21207
|
|
* Database now returns persistent bans on restart (bantime < 0)
|
|
* Recursive action tags now fully processed. Fixes issue with bsd-ipfw
|
|
action
|
|
* Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
|
|
Thanks Serg G. Brester
|
|
* Correct times for non-timezone date times formats during DST
|
|
* Pass a copy of, not original, aInfo into actions to avoid side-effects
|
|
* Per-distribution paths to the exim's main log
|
|
* Ignored IPs are no longer banned when being restored from persistent
|
|
database
|
|
* Manually unbanned IPs are now removed from persistent database, such they
|
|
wont be banned again when Fail2Ban is restarted
|
|
* Pass "bantime" parameter to the actions in default jail's action
|
|
definition(s)
|
|
* filters.d/sieve.conf - fixed typo in _daemon. Thanks Jisoo Park
|
|
* cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
|
|
Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
|
|
Debian bug #755173
|
|
* postfix-sasl - added journalmatch. Thanks Luc Maisonobe
|
|
* postfix* - match with a new daemon string (postfix/submission/smtpd).
|
|
Closes gh-804 . Thanks Paul Traina
|
|
* apache - added filter for AH01630 client denied by server configuration.
|
|
|
|
- New features:
|
|
- New filters:
|
|
- monit Thanks Jason H Martin
|
|
- directadmin Thanks niorg
|
|
- apache-shellshock Thanks Eugene Hopkinson (SlowRiot)
|
|
- New actions:
|
|
- symbiosis-blacklist-allports for Bytemark symbiosis firewall
|
|
- fail2ban-client can fetch the running server version
|
|
- Added Cloudflare API action
|
|
|
|
- Enhancements
|
|
* Start performance of fail2ban-client (and tests) increased, start time
|
|
and cpu usage rapidly reduced. Introduced a shared storage logic, to
|
|
bypass reading lots of config files (see gh-824).
|
|
Thanks to Joost Molenaar for good catch (reported gh-820).
|
|
* Fail2ban-regex - add print-all-matched option. Closes gh-652
|
|
* Suppress fail2ban-client warnings for non-critical config options
|
|
* Match non "Bye Bye" disconnect messages for sshd locked account regex
|
|
* courier-smtp filter:
|
|
- match lines with user names
|
|
- match lines containing "535 Authentication failed" attempts
|
|
* Add <chain> tag to iptables-ipsets
|
|
* Realign fail2ban log output with white space to improve readability. Does
|
|
not affect SYSLOG output
|
|
* Log unhandled exceptions
|
|
* cyrus-imap: catch "user not found" attempts
|
|
* Add support for Portsentry
|
|
|
|
ver. 0.9.0 (2014/03/14) - beta
|
|
----------
|
|
|
|
Carries all fixes, features and enhancements from 0.8.13 (unreleased) with
|
|
major changes.
|
|
|
|
The minimum supported python version is now 2.6. If you have python-2.4 or 2.5
|
|
you can use the 0.8.12 version of fail2ban.
|
|
|
|
Please take note of release notes:
|
|
https://github.com/fail2ban/fail2ban/releases/tag/0.9.0
|
|
|
|
Please test your configuration before relying on it.
|
|
|
|
Nearly all development is thanks to Steven Hiscocks (THANKS!), merging,
|
|
testcases and timezone support from Daniel Black, and code-review and minor
|
|
additions from Yaroslav Halchenko.
|
|
|
|
- Refactoring (IMPORTANT -- Please review your setup and configuration):
|
|
* [..bddbf1e] jail.conf was heavily refactored and now is similar
|
|
to how it looked on Debian systems:
|
|
- default action could be configured once for all jails
|
|
- jails definitions only provide customizations (port, logpath)
|
|
- no need to specify 'filter' if name matches jail name
|
|
* [..5aef036] Core functionality moved into fail2ban/ module.
|
|
Closes gh-26
|
|
- tests included in module to aid testing and debugging
|
|
* Added fail2ban persistent database
|
|
- default location at /var/lib/fail2ban/fail2ban.sqlite3
|
|
- allows active bans to be reinstated on restart
|
|
- log files read from last position after restart
|
|
* Added systemd journal backend
|
|
- Dependency on python-systemd
|
|
- New "journalmatch" option added to filter configs files
|
|
- New "systemd-journal" option added to fail2ban-regex
|
|
* Added python3 support
|
|
* Support %z (Timezone offset) and %f (sub-seconds) support for
|
|
datedetector. Enhanced existing date/time have been updated patterns to
|
|
support these. ISO8601 now defaults to localtime unless specified otherwise.
|
|
Some filters have been change as required to capture these elements in the
|
|
right timezone correctly.
|
|
* Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
|
|
- Log level INFO is now more verbose
|
|
* Optionally can read log files starting from "head" or "tail".
|
|
- See "logpath" option in jail.conf(5) man page.
|
|
* Can now set log encoding for files per jail.
|
|
- Default uses systemd locale.
|
|
|
|
- New features:
|
|
* [..c7ae460] Multiline failregex. Close gh-54
|
|
* [8af32ed] Guacamole filter and support for Apache Tomcat date
|
|
format
|
|
* [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug
|
|
#410077. Also it would now capture and include stdout and stderr
|
|
into logging messages in case of error or at DEBUG loglevel.
|
|
* Added action xarf-login-attack to report formatted attack messages
|
|
according to the XARF standard (v0.2). Close gh-105
|
|
* Support PyPy
|
|
* Add filter for apache-botsearch
|
|
* Add filter for kerio. Thanks Tony Lawrence for blog of regexs and
|
|
providing samples. Close gh-120
|
|
* Filter for stunnel
|
|
* Filter for Counter Strike 1.6. Thanks to onorua for logs.
|
|
Close gh-347
|
|
* Filter for squirrelmail. Close gh-261
|
|
* Filter for tine20. Close gh-583
|
|
* Custom date formats (strptime) can now be set in filters and jail.conf
|
|
* Python based actions can now be created.
|
|
- SMTP action for sending emails on jail start, stop and ban.
|
|
* Added action to use badips.com reporting and blacklist
|
|
- Requires Python 2.7+
|
|
|
|
- Enhancements
|
|
* Fail2ban-regex - don't accumulate lines if not printing them.
|
|
add options to suppress output of missed/ignored lines. Close gh-644
|
|
* Asterisk now supports syslog format
|
|
* Jail names increased to 26 characters and iptables prefix reduced
|
|
from fail2ban- to f2b- as suggested by buanzo in gh-462.
|
|
* Multiline filter for sendmail-spam. Close gh-418
|
|
* Multiline regex for Disconnecting: Too many authentication failures for
|
|
root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
|
|
* Multiline regex for Disconnecting: Connection from 61.XX.XX.XX port
|
|
51353\nToo many authentication failures for root [preauth]. Thanks
|
|
Helmut Grohne. Close gh-457
|
|
* Replacing use of deprecated API (.warning, .assertEqual, etc)
|
|
* [..a648cc2] Filters can have options now too which are substituted into
|
|
failregex / ignoreregex
|
|
* [..e019ab7] Multiple instances of the same action are allowed in the
|
|
same jail -- use actname option to disambiguate.
|
|
* Add honeypot email address to exim-spam filter as argument
|
|
* Properties and methods of actions accessible from fail2ban-client
|
|
- Use of properties replaces command actions "cinfo" interface
|
|
|
|
ver. 0.8.13 (2014/03/15) - maintenance-only-from-now-on
|
|
-----------
|
|
|
|
- Fixes:
|
|
- action firewallcmd-ipset had non-working actioncheck. Removed.
|
|
redhat bug #1046816.
|
|
- filter pureftpd - added _daemon which got removed. Added
|
|
|
|
- New Features:
|
|
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
|
|
- filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
|
|
|
|
- Enhancements:
|
|
- filter asterisk now supports syslog format
|
|
- filter pureftpd - added all translations of "Authentication failed for
|
|
user"
|
|
- filter dovecot - lip= was optional and extended TLS errors can occur.
|
|
Thanks Noel Butler.
|
|
|
|
ver. 0.8.12 (2014/01/22) - things-can-only-get-better
|
|
----------
|
|
|
|
- IMPORTANT incompatible changes:
|
|
- Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
|
|
name length. As per gh-395
|
|
- mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
|
|
Part of gh-447.
|
|
|
|
- Fixes:
|
|
- allow for ",milliseconds" in the custom date format of proftpd.log
|
|
- allow for ", referer ..." in apache-* filter for apache error logs.
|
|
- allow for spaces at the beginning of kernel messages. Closes gh-448
|
|
- recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias
|
|
- smtps not a IANA standard and has been removed from Arch. Replaced with
|
|
465. Thanks Stefan. Closes gh-447
|
|
- add 'flushlogs' command to allow logrotation without clobbering logtarget
|
|
settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
|
|
- complain action - ensure where not matching other IPs in log sample.
|
|
Closes gh-467
|
|
- Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622
|
|
- Fix apache-common for apache-2.4 log file format. Thanks Mark White.
|
|
Closes gh-516
|
|
- Asynchat changed to use push method which verifys whether all data was
|
|
send. This ensures that all data is sent before closing the connection.
|
|
- Removed unnecessary reference to as yet undeclared $jail_name when checking
|
|
a specific jail in nagios script.
|
|
- Filter dovecot reordered session and TLS items in regex with wider scope
|
|
for session characters. Thanks Ivo Truxa. Closes gh-586
|
|
- A single bad failregex or command syntax in configuration files won't stop
|
|
fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585.
|
|
|
|
- Enhancements:
|
|
- long names on jails documented based on iptables limit of 30 less
|
|
len("fail2ban-").
|
|
- remove indentation of name and loglevel while logging to SYSLOG to
|
|
resolve syslog(-ng) parsing problems. Closes Debian bug #730202.
|
|
- updated check_fail2ban to return performance data for all jails.
|
|
- filter apache-noscript now includes php cgi scripts.
|
|
Thanks dani. Closes gh-503
|
|
- exim-spam filter to match spamassassin log entry for option SAdevnull.
|
|
Thanks Ivo Truxa. Closes gh-533
|
|
- filter.d/nsd.conf -- also amended Unix date template to match nsd format
|
|
- Added to sshd filter expression for "Received disconnect from <HOST>: 3:
|
|
...: Auth fail". Thanks Marcel Dopita. Closes gh-289
|
|
- loglines now also report "[PID]" after the name portion
|
|
- Added filter.d/ejabberd-auth
|
|
- Improved ACL-handling for Asterisk
|
|
- loglines now also report "[PID]" after the name portion
|
|
- Added improper command pipelining to postfix filter.
|
|
|
|
- New Features:
|
|
|
|
- filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
|
|
- Add filter for apache-modsecurity.
|
|
- filter.d/nsd.conf -- also amended Unix date template to match nsd format
|
|
- Added openwebmail filter thanks Ivo Truxa. Closes gh-543
|
|
- Added filter for freeswitch. Thanks Jim and editors and authors of
|
|
http://wiki.freeswitch.org/wiki/Fail2ban
|
|
- Added groupoffice filter thanks to logs from Merijn Schering.
|
|
Closes gh-566
|
|
- Added filter for horde
|
|
- Added filter for squid. Thanks Roman Gelfand.
|
|
- Added filter for ejabberd-auth.
|
|
- Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543
|
|
- Added filter.d/groupoffice filter thanks to logs from Merijn Schering.
|
|
Closes gh-566
|
|
- Added action.d/badips. Thanks to Amy for making a nice API.
|
|
- Added firewallcmd-ipset action.
|
|
- Added ufw action. Thanks Guilhem Lettron. lp-#701522
|
|
- Added blocklist_de action.
|
|
|
|
|
|
ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes
|
|
----------
|
|
|
|
In light of CVE-2013-2178 that triggered our last release we have put
|
|
a significant effort into tightening all of the regexs of our filters
|
|
to avoid another similar vulnerability. All filters have been updated
|
|
and some to catch more login/authentication failures and to support
|
|
for newer application versions. There are test cases for most log
|
|
cases of failures now.
|
|
|
|
As usual, if you have other examples that demonstrate that a filter is
|
|
insufficient, or if we have inadvertently introduced a regression,
|
|
please provide us with example log lines on the github issue tracker
|
|
http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in
|
|
some obscure corner of the Internet.
|
|
|
|
Many thanks to our contributors for this release Daniel Black, Yaroslav
|
|
Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski,
|
|
Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François
|
|
Boulogne and others who have helped on IRC and mailing list, logged issues
|
|
and bug requests.
|
|
|
|
- IMPORTANT incompatible changes:
|
|
Filter name changes:
|
|
* 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
|
|
* 'sasl' has been renamed to 'postfix-sasl'
|
|
* 'exim' spam catching failregexes was split out into 'exim-spam'
|
|
These changes will require changing jail.{conf,local} if any of
|
|
those filters were used.
|
|
|
|
- Fixes:
|
|
Jonathan Lanning
|
|
* filter.d/asterisk -- identified another regex for blocking. Also channel
|
|
ID is hex not decimal as noted in sample logs provided.
|
|
Daniel Black & Marcel Dopita
|
|
* filter.d/apache-auth -- fixed and apache auth samples provide. Closes gh-286
|
|
Yaroslav Halchenko
|
|
* filter.d/common.conf -- make colon after [daemon] optional. Closes gh-267
|
|
* filter.d/apache-common.conf -- support apache 2.4 more detailed error
|
|
log format. Closes gh-268
|
|
* Backends changes detection and parsing. Close gh-223 and gh-103:
|
|
- Polling backend: detect changes in the files not only based on
|
|
mtime, but also on the size and inode. It should allow for
|
|
better detection of changes and log rotations on busy servers,
|
|
older python 2.4, and file systems with precision of mtime only
|
|
up to a second (e.g. ext3).
|
|
- All backends, possible race condition: do not read from a file
|
|
initially reported empty. Originally could have lead to
|
|
accounting for detected log lines multiple times.
|
|
- Do not crash if executing a command in fail2ban-client interactive
|
|
mode has failed (e.g. due to incorrect syntax). Closes gh-353
|
|
Daniel Black & Мернов Георгий
|
|
* filter.d/dovecot.conf -- Fix when no TLS enabled - line doesn't end in ,
|
|
Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
|
|
* filter.d/exim.conf -- regex hardening and extra failure examples in
|
|
sample logs
|
|
* filter.d/named-refused.conf - BIND 9.9.3 regex changes
|
|
Daniel Black & Sebastian Arcus
|
|
* filter.d/asterisk -- more regexes
|
|
Daniel Black
|
|
* action.d/hostsdeny -- NOTE: new dependency 'ed'. Switched to use 'ed' across
|
|
all platforms to ensure permissions are the same before and after a ban.
|
|
Closes gh-266. hostsdeny supports daemon_list now too.
|
|
* action.d/bsd-ipfw - action option unused. Change blocktype to port unreach
|
|
instead of deny for consistancy.
|
|
* filter.d/dovecot - added to support different dovecot failure
|
|
"..disallowed plaintext auth". Closes Debian bug #709324
|
|
* filter.d/roundcube-auth - timezone offset can be positive or negative
|
|
* action.d/bsd-ipfw - action option unused. Fixed to blocktype for
|
|
consistency. default to port unreach instead of deny
|
|
* filter.d/dropbear - fix regexs to match standard dropbear and the patched
|
|
http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
|
|
and add PAM is it in dropbear-2013.60 source code.
|
|
* filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
|
|
and extra failure examples in sample logs
|
|
* filter.d/apache-auth - added expressions for mod_authz, mod_auth and
|
|
mod_auth_digest failures.
|
|
* filter.d/recidive -- support f2b syslog target and anchor regex at start
|
|
* filter.d/mysqld-auth.conf - mysql can use syslog
|
|
* filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
|
|
bug #722970. Thanks Colin Watson for the regex analysis.
|
|
* filter.d/wuftpd - regex enhancements to support pam and wuftpd. Closes
|
|
Debian bug #665925
|
|
Rolf Fokkens
|
|
* action.d/dshield.conf and complain.conf -- reorder mailx arguments.
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=998020
|
|
John Doe (ache)
|
|
* action.d/bsd-ipfw.conf - invert actionstop logic to make exist status 0.
|
|
Closes gh-343.
|
|
JP Espinosa (Reviewed by O.Poplawski)
|
|
* files/redhat-initd - rewritten to use stock init.d functions thus
|
|
avoiding problems with getpid. Also $network and iptables moved
|
|
to Should- rc init fields
|
|
Rick Mellor
|
|
* filter.d/vsftp - fix capture with tty=ftp
|
|
|
|
- New Features:
|
|
Edgar Hoch
|
|
* action.d/firewall-cmd-direct-new.conf - action for firewalld
|
|
from https://bugzilla.redhat.com/show_bug.cgi?id=979622
|
|
NOTE: requires firewalld-0.3.8+
|
|
Andy Fragen and Daniel Black
|
|
* filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule
|
|
numbers.
|
|
Anonymous:
|
|
* action.d/osx-afctl - an action based on afctl for osx
|
|
Daniel Black & ykimon
|
|
* filter.d/3proxy.conf -- filter added
|
|
* fail2ban-regex - now generates http://www.debuggex.com urls for debugging
|
|
regular expressions with the -D parameter.
|
|
Daniel Black
|
|
* filter.d/exim-spam.conf -- a splitout of exim's spam regexes
|
|
with additions for greater control over filtering spam.
|
|
* add date expression for apache-2.4 - milliseconds
|
|
* filter.d/nginx-http-auth -- filter added for http basic authentication
|
|
failures in nginx. Partially fulfills gh-405.
|
|
Christophe Carles & Daniel Black
|
|
* filter.d/perdition.conf -- filter added
|
|
Mark McKinstry
|
|
* action.d/apf.conf - add action for Advanced Policy Firewall (apf)
|
|
Amir Caspi and kjohnsonecl
|
|
* filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server
|
|
Steven Hiscocks and Daniel Black
|
|
* filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter
|
|
|
|
- Enhancements:
|
|
François Boulogne and Frédéric
|
|
* filter.d/lighttpd - auth regexs for lighttpd-1.4.31
|
|
Daniel Black
|
|
* reorder parsing of jail.conf, jail.d/*.conf, jail.local, jail.d/*.local
|
|
and likewise for fail2ban.{conf|local|d/*.conf|d/*.local}. Closes gh-392
|
|
* jail.conf now has asterisk jail - no need for asterisk-tcp and
|
|
asterisk-udp. Users should replace existing jails with asterisk to
|
|
reduce duplicate parsing of the asterisk log file.
|
|
* filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin}- regex anchor at
|
|
start
|
|
* filter.d/vsftpd - anchored regex at start. disable old pam format regex
|
|
* filter.d/pam-generic - added syslog prefix. Disabled support for
|
|
linux-pam before version 0.99.2.0 (2005)
|
|
* filter.d/postfix-sasl - renamed from sasl, anchor at start and base on
|
|
syslog
|
|
* filter.d/qmail - rewrote regex to anchor at start. Added regex for
|
|
another "in the wild" patch to rblsmtp.
|
|
Yaroslav Halchenko
|
|
* fail2ban-regex -- refactored to provide more details (missing and
|
|
ignored lines, control over logging, etc) while maintaining look&feel
|
|
* fail2ban-client -- log to standard error. Closes gh-264
|
|
* Fail to configure if not a single log file was found for an
|
|
enabled jail. Closes gh-63
|
|
* <HOST> is now enforced to end with an alphanumeric
|
|
* filter.d/roundcube-auth.conf -- anchored version
|
|
* date matching - for standard asctime formats prefer more detailed
|
|
first (thus use year if available)
|
|
* files/gen_badbots was added and filter.d/apache-badbots.conf was
|
|
regenerated to get updated (although now still an old) list of
|
|
"bad" bots
|
|
Alexander Dietrich
|
|
* action.d/sendmail-common.conf -- added common sendmail settings file
|
|
and made the sender display name configurable
|
|
Steven Hiscocks
|
|
* filter.d/dovecot - Addition of session, time values and possible blank
|
|
user
|
|
Zurd and Daniel Black
|
|
* filter/named-refused - added refused on zone transfer
|
|
* filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd} - General
|
|
regex impovements
|
|
Zurd
|
|
* filter.d/postfix - add filter for VRFY failures. Closes gh-322.
|
|
Orion Poplawski
|
|
* fail2ban.d/ and jail.d/ directories are added to etc/fail2ban to facilitate
|
|
their use
|
|
|
|
ver. 0.8.10 (2013/06/12) - wanna-be-secure
|
|
-----------
|
|
|
|
Primarily bugfix and enhancements release, triggered by "bugs" in
|
|
apache- filters. If you are relying on listed below apache- filters,
|
|
upgrade asap and seek your distributions to patch their fail2ban
|
|
distribution with [6ccd5781].
|
|
|
|
- Fixes: Yaroslav Halchenko
|
|
* [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
|
|
failregex at the beginning (and where applicable at the end).
|
|
Addresses a possible DoS. Closes gh-248
|
|
* action.d/{route,shorewall}.conf - blocktype must be defined
|
|
within [Init]. Closes gh-232
|
|
- Enhancements
|
|
Yaroslav Halchenko
|
|
* jail.conf -- assure all jails have actions and remove unused
|
|
ports specifications
|
|
Terence Namusonge
|
|
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
|
|
Daniel Black
|
|
* files/suse-initd -- update to the copy from stock SUSE
|
|
silviogarbes & Daniel Black
|
|
* Updates to asterisk filter. Closes gh-227/gh-230.
|
|
Carlos Alberto Lopez Perez
|
|
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
|
|
|
|
ver. 0.8.9 (2013/05/13) - wanna-be-stable
|
|
----------
|
|
|
|
Originally targeted as a bugfix release, it incorporated many new
|
|
enhancements, few new features, and more importantly -- quite extended
|
|
tests battery with current 94% coverage (from 56% of 0.8.8).
|
|
|
|
This release introduces over 200 of non-merge commits from 16
|
|
contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
|
|
Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
|
|
ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
|
|
Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.
|
|
|
|
Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
|
|
Hendrikx, Yehuda Katz and other TBN heroes supporting users on
|
|
fail2ban-users mailing list and IRC.
|
|
|
|
- Fixes: Yaroslav Halchenko
|
|
* [6f4dad46] python-2.4 is the minimal version.
|
|
* [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
|
|
on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
|
|
* [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
|
|
insight. Closes gh-103.
|
|
* [ab044b75] delay check for the existence of config directory until read.
|
|
* [3b4084d4] fixing up for handling of TAI64N timestamps.
|
|
* [154aa38e] do not shutdown logging until all jails stop.
|
|
* [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184.
|
|
Thanks to Jon Foster for report and troubleshooting.
|
|
Orion Poplawski
|
|
* [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
|
|
newly created directories.
|
|
Nicolas Collignon
|
|
* [39667ff6] Avoid leaking file descriptors. Closes gh-167.
|
|
Sergey Brester
|
|
* [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
|
|
sorting template list.
|
|
Steven Hiscocks
|
|
* [7a442f07] When changing log target with python2.{4,5} handle KeyError.
|
|
Closes gh-147, gh-148.
|
|
* [b6a68f51] Fix delaction on server side. Closes gh-124.
|
|
Daniel Black
|
|
* [f0610c01] Allow more that a one word command when changing and Action via
|
|
the fail2ban-client. Closes gh-134.
|
|
* [945ad3d9] Fix dates on email actions to work in different locals. Closes
|
|
gh-70. Thanks to iGeorgeX for the idea.
|
|
blotus
|
|
* [96eb8986] ' and " should also be escaped in action tags Closes gh-109
|
|
Christoph Theis, Nick Hilliard, Daniel Black
|
|
* [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
|
|
- New features:
|
|
Yaroslav Halchenko
|
|
* [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
|
|
to provide additional flexibility to system adminstrators. Thanks to
|
|
beilber for the idea. Closes gh-114.
|
|
* [3ce53e87] Add exim filter.
|
|
Erwan Ben Souiden
|
|
* [d7d5228] add nagios integration documentation and script to ensure
|
|
fail2ban is running. Closes gh-166.
|
|
Artur Penttinen
|
|
* [29d0df5] Add mysqld filter. Closes gh-152.
|
|
ArndRaphael Brandes
|
|
* [bba3fd8] Add Sogo filter. Closes gh-117.
|
|
Michael Gebetsriother
|
|
* [f9b78ba] Add action route to block at routing level.
|
|
Teodor Micu & Yaroslav Halchenko
|
|
* [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
|
|
Daniel Black
|
|
* [be06b1b] Add action for iptables-ipsets. Closes gh-102.
|
|
Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
|
|
* [b6d0e8a] Add and enhance the bsd-ipfw action from
|
|
FreeBSD ports.
|
|
Soulard Morgan
|
|
* [f336d9f] Add filter for webmin. Closes gh-99.
|
|
Steven Hiscocks
|
|
* [..746c7d9] bash interactive shell completions for fail2ban-*'s
|
|
Nick Hilliard
|
|
* [0c5a9c5] Add pf action.
|
|
- Enhancements:
|
|
Enrico Labedzki
|
|
* [24a8d07] Added new date format for ASSP SMTP Proxy.
|
|
Steven Hiscocks
|
|
* [3d6791f] Ensure restart of Actions after a check fails occurs
|
|
consistently. Closes gh-172.
|
|
* [MANY] Improvements to test cases, travis, and code coverage (coveralls).
|
|
* [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
|
|
* [ce3ab34] Added ability to specify PID file.
|
|
Orion Poplawski
|
|
* [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
|
|
Closes gh-142.
|
|
Yaroslav Halchenko
|
|
* [MANY] Lots of improvements to log messages, man pages and test cases.
|
|
* [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
|
|
Closes gh-126. Bug report by Michael Heuberger.
|
|
* [40c5a2d] adding more of diagnostic messages into -client while starting
|
|
the daemon.
|
|
* [8e63d4c] Compare against None with 'is' instead of '=='.
|
|
* [6fef85f] Strip CR and LF while analyzing the log line
|
|
Daniel Black
|
|
* [3aeb1a9] Add jail.conf manual page. Closes gh-143.
|
|
* [MANY] man page edits.
|
|
* [7cd6dab] Added help command to fail2ban-client.
|
|
* [c8c7b0b,23bbc60] Better logging of log file read errors.
|
|
* [3665e6d] Added code coverage to development process.
|
|
* [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
|
|
source. Also include BSD changes.
|
|
* [1d9abd1] Action files can have tags in definition that refer to other
|
|
tags.
|
|
* [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
|
|
unreachable rather than just a drop of the packet.
|
|
Pascal Borreli
|
|
* [a2b29b4] Fixed lots of typos in config files and documentation.
|
|
hamilton5
|
|
* [7ede1e8] Update dovecot filter config.
|
|
Romain Riviere
|
|
* [0ac8746] Enhance named-refused filter for views.
|
|
James Stout
|
|
* [..2143cdf] Solaris support enhancements:
|
|
- README.Solaris
|
|
- failregex'es tune ups (sshd.conf)
|
|
- hostsdeny: do not rely on support of '-i' in sed
|
|
|
|
ver. 0.8.8 (2012/12/06) - stable
|
|
----------
|
|
- Fixes:
|
|
Alan Jenkins
|
|
* [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
|
|
banning due to misconfigured DNS. Closes gh-64
|
|
Yaroslav Halchenko
|
|
* [83109bc] IMPORTANT: escape the content of <matches> (if used in
|
|
custom action files) since its value could contain arbitrary
|
|
symbols. Thanks for discovery go to the NBS System security
|
|
team
|
|
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83
|
|
* [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
|
|
* [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
|
|
in the console. Closes gh-91
|
|
- New features:
|
|
David Engeset
|
|
* [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
|
|
the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86
|
|
Yaroslav Halchenko
|
|
- Enhancements:
|
|
* [2d66f31] replaced uninformative "Invalid command" message with warning log
|
|
exception why command actually failed
|
|
* [958a1b0] improved failregex to "support" auth.backend = "htdigest"
|
|
* [9e7a3b7] until we make it proper module -- adjusted sys.path only if
|
|
system-wide run
|
|
* [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
|
|
* [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
|
|
for this gh-87)
|
|
* Various others: travis-ci integration, script to run tests
|
|
against all available Python versions, etc
|
|
|
|
ver. 0.8.7.1 (2012/07/31) - stable
|
|
----------
|
|
|
|
- Fixes:
|
|
Yaroslav Halchenko
|
|
* [e9762f3] Removed sneaked in comment on sys.path.insert
|
|
|
|
ver. 0.8.7 (2012/07/31) - stable
|
|
----------
|
|
|
|
- Fixes:
|
|
Tom Hendrikx & Jeremy Olexa
|
|
* [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
|
|
See http://forums.gentoo.org/viewtopic-t-899018.html
|
|
Chris Reffett
|
|
* [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
|
|
rather than just one failure.
|
|
Yaroslav Halchenko
|
|
* [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
|
|
* [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
|
|
* [ed16ecc] enforce "ip" field returned as str, not unicode so that log
|
|
message stays non-unicode. Close gh-32
|
|
* [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
|
|
already present in the pattern
|
|
* [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
|
|
friend to developers stuck with Windows (Closes gh-66)
|
|
* [80b191c] anchor grep regexp in actioncheck to not match partial names
|
|
of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
|
|
- New features:
|
|
François Boulogne
|
|
* [a7cb20e..] add lighttpd-auth filter/jail
|
|
Lee Clemens & Yaroslav Halchenko
|
|
* [e442503] pyinotify backend (default if backend='auto' and pyinotify
|
|
is available)
|
|
* [d73a71f,3989d24] usedns parameter for the jails to allow disabling
|
|
use of DNS
|
|
Tom Hendrikx
|
|
* [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
|
|
repeated offenders. Close gh-19
|
|
Xavier Devlamynck
|
|
* [7d465f9..] Add asterisk support
|
|
Zbigniew Jędrzejewski-Szmek
|
|
* [de502cf..] allow running fail2ban as non-root user (disabled by
|
|
default) via xt_recent. See doc/run-rootless.txt
|
|
- Enhancements
|
|
Lee Clemens
|
|
* [47c03a2] files/nagios - spelling/grammar fixes
|
|
* [b083038] updated Free Software Foundation's address
|
|
* [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
|
|
* [642d9af,3282f86] reformated printing of jail's name to be consistent
|
|
with init's info messages
|
|
* [3282f86] uniform use of capitalized Jail in the messages
|
|
Leonardo Chiquitto
|
|
* [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
|
|
to reflect code
|
|
* [a7d47e8] Update Free Software Foundation's address
|
|
Petr Voralek
|
|
* [4007751] catch failed ssh logins due to being listed in DenyUsers.
|
|
Close gh-47 (Closes: #669063)
|
|
Yaroslav Halchenko
|
|
* [MANY] extended and robustified unittests: test different backends
|
|
* [d9248a6] refactored Filter's to avoid duplicate functionality
|
|
* [7821174] direct users to issues on github
|
|
* [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
|
|
default with -v to control verbosity
|
|
* [b4099da] adjusted header for config/*.conf to mention .local and way
|
|
to comment (Thanks Stefano Forli for the note)
|
|
* [6ad55f6] added failregex for wu-ftpd to match against syslog instead
|
|
of DoS-prone auth.log's rhost (Closes: #514239)
|
|
* [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
|
|
sshd filter (Closes: #648020)
|
|
Yehuda Katz & Yaroslav Halchenko
|
|
* [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
|
|
|
|
ver. 0.8.6 (2011/11/28) - stable
|
|
----------
|
|
- Fixes:
|
|
Markos Chandras & Yaroslav Halchenko
|
|
* [492d8e5,bd658fc] Use hashlib (instead of deprecated md5) where available
|
|
Robert Trace & Michael Lorant
|
|
* [c48c2b1] gentoo-initd cleanup and fixes: assure /var/run + remove stale
|
|
sock file
|
|
Michael Saavedra
|
|
* [3a58d0e] Lock server's executeCmd to prevent racing among iptables calls:
|
|
see http://bugs.debian.org/554162
|
|
Yaroslav Halchenko
|
|
* [3eb5e3b] Allow for trailing spaces in sasl logs
|
|
* [1632244] Stop server-side communication before stopping the
|
|
jails (prevents lockup if actions use fail2ban-client upon
|
|
unban): see https://github.com/fail2ban/fail2ban/issues/7
|
|
* [5a2d518] Various changes to reincarnate unittests
|
|
Yehuda Katz
|
|
* Wiki was cleaned from SPAM
|
|
- Enhancements:
|
|
Adam Spiers
|
|
* [3152afb] Recognise time-stamped kernel messages
|
|
Guido Bozzetto
|
|
* [713fea6] Added ipmasq rule file to restart fail2ban when iptables are
|
|
wiped out: see http://bugs.debian.org/461417
|
|
Łukasz
|
|
* [5f23542] Matching of month names in Polish (thanks michaelberg79
|
|
for QA)
|
|
Tom Hendrikx
|
|
* [9fa54cf] Added Date: header for sendmail*.conf actions
|
|
Yaroslav Halchenko & Tom Hendrikx
|
|
* [b52d420..22b7007] <matches> in action files now can be used
|
|
to provide matched loglines which triggered action
|
|
Yaroslav Halchenko
|
|
* [ed0bf3a] Removed duplicate entry for DataCha0s/2\.0 in badbots:
|
|
see http://bugs.debian.org/519557
|
|
* [dad91f7] sshd.conf: allow user names to have spaces and
|
|
trailing spaces in the line
|
|
* [a9be451] removed expansions for few Date and Revision SVN keywords
|
|
* [a33135c] set/getFile for ticket.py -- found in source distribution
|
|
of 0.8.4
|
|
* [fbce415] additional logging while stopping the jails
|
|
|
|
ver. 0.8.5 (2011/07/28) - stable
|
|
----------
|
|
- Fix: use addfailregex instead of failregex while processing per-jail
|
|
"failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to
|
|
Marat Khayrullin for the patch and Daniel T Chen for forwarding to
|
|
Debian.
|
|
- Fix: use os.path.join to generate full path - fixes includes in configs
|
|
given local filename (5 weeks ago) [yarikoptic]
|
|
- Fix: allowed for trailing spaces in proftpd logs
|
|
- Fix: escaped () in pure-ftpd filter. Thanks to Teodor
|
|
- Fix: allowed space in the trailing of failregex for sasl.conf:
|
|
see http://bugs.debian.org/573314
|
|
- Fix: use /var/run/fail2ban instead of /tmp for temp files in actions:
|
|
see http://bugs.debian.org/544232
|
|
- Fix: Tai64N stores time in GMT, needed to convert to local time before
|
|
returning
|
|
- Fix: disabled named-refused-udp jail entirely with a big fat warning
|
|
- Fix: added time module. Bug reported in buanzo's blog:
|
|
see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
|
|
- Fix: Patch to make log file descriptors cloexec to stop leaking file
|
|
descriptors on fork/exec. Thanks to Jonathan Underwood:
|
|
see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24
|
|
- Enhancement: added author for dovecot filter and pruned unneeded space
|
|
in the regexp
|
|
- Enhancement: proftpd filter -- if login failed -- count regardless of the
|
|
reason for failure
|
|
- Enhancement: added <chain> to action.d/iptables*. Thanks to Matthijs Kooijman:
|
|
see http://bugs.debian.org/515599
|
|
- Enhancement: added filter.d/dovecot.conf from Martin Waschbuesch
|
|
- Enhancement: made filter.d/apache-overflows.conf catch more:
|
|
see http://bugs.debian.org/574182
|
|
- Enhancement: added dropbear filter from Francis Russell and Zak B. Elep:
|
|
see http://bugs.debian.org/546913
|
|
- Enhancement: changed default ignoreip to ignore entire loopback zone (/8):
|
|
see http://bugs.debian.org/598200
|
|
- Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer
|
|
- Few minor cosmetic changes
|
|
|
|
ver. 0.8.4 (2009/09/07) - stable
|
|
----------
|
|
- Check the inode number for rotation in addition to checking the first line of
|
|
the file. Thanks to Jonathan Kamens. Red Hat #503852. Tracker #2800279.
|
|
- Moved the shutdown of the logging subsystem out of Server.quit() to
|
|
the end of Server.start(). Fixes the 'cannot release un-acquired lock'
|
|
error.
|
|
- Added "Ban IP" command. Thanks to Arturo 'Buanzo' Busleiman.
|
|
- Added two new filters: lighttpd-fastcgi and php-url-fopen.
|
|
- Fixed the 'unexpected communication error' problem by means of
|
|
use_poll=False in Python >= 2.6.
|
|
- Merged patches from Debian package. Thanks to Yaroslav Halchenko.
|
|
- Use current day and month instead of Jan 1st if both are not available in the
|
|
log. Thanks to Andreas Itzchak Rehberg.
|
|
- Try to match the regex even if the line does not contain a valid date/time.
|
|
Described in Debian #491253. Thanks to Yaroslav Halchenko.
|
|
- Added/improved filters and date formats.
|
|
- Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to
|
|
Russell Odom.
|
|
- Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to
|
|
Detlef Reichelt.
|
|
- Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
|
|
- Added nagios script. Thanks to Sebastian Mueller.
|
|
- Added CPanel date format. Thanks to David Collins. Tracker #1967610.
|
|
- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
|
|
- Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
|
|
#2484115.
|
|
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
|
|
- Changed <HOST> template to be more restrictive. Debian bug #514163.
|
|
- Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct
|
|
fix but seems to work. Tracker #2500276.
|
|
- Made the named-refused regex a bit less restrictive in order to match logs
|
|
with "view". Thanks to Stephen Gildea.
|
|
- Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker
|
|
#2019714.
|
|
|
|
ver. 0.8.3 (2008/07/17) - stable
|
|
----------
|
|
- Process failtickets as long as failmanager is not empty.
|
|
- Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav
|
|
Halchenko.
|
|
- Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
|
|
- Fixed PID file while started in daemon mode. Thanks to Christian Jobic who
|
|
submitted a similar patch.
|
|
- Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
|
|
- Added gssftpd filter. Thanks to Kevin Zembower.
|
|
- Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis
|
|
Winter.
|
|
- Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
|
|
- Added ISO 8601 date/time format.
|
|
- Added and changed some logging level and messages.
|
|
- Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
|
|
- Use poll instead of select in asyncore.loop. This should solve the "Unknown
|
|
error 514". Thanks to Michael Geiger and Klaus Lehmann.
|
|
|
|
ver. 0.8.2 (2008/03/06) - stable
|
|
----------
|
|
- Fixed named filter. Thanks to Yaroslav Halchenko
|
|
- Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
|
|
- Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
|
|
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be
|
|
possible to create stronger failregex against log injection
|
|
- Fixed ipfw action script. Thanks to Nick Munger
|
|
- Removed date from logging message when using SYSLOG. Thanks to Iain Lea
|
|
- Fixed "ignore IPs". Only the first value was taken into account. Thanks to
|
|
Adrien Clerc
|
|
- Moved socket to /var/run/fail2ban.
|
|
- Rewrote the communication server.
|
|
- Refactoring. Reduced number of files.
|
|
- Removed Python 2.4. Minimum required version is now Python 2.3.
|
|
- New log rotation detection algorithm.
|
|
- Print monitored files in status.
|
|
- Create a PID file in /var/run/fail2ban/. Thanks to Julien Perez.
|
|
- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks
|
|
to Yaroslav Halchenko for the fix.
|
|
- "reload <jail>" reloads a single jail and the parameters in fail2ban.conf.
|
|
- Added Mac OS/X startup script. Thanks to Bill Heaton.
|
|
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
|
|
- Replaced "echo" with "printf" in actions. Fix #1839673
|
|
- Replaced "reject" with "drop" in shorwall action. Fix #1854875
|
|
- Fixed Debian bug #456567, #468477, #462060, #461426
|
|
- readline is now optional in fail2ban-client (not needed in fail2ban-server).
|
|
|
|
ver. 0.8.1 (2007/08/14) - stable
|
|
----------
|
|
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
|
|
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
|
|
- Improved regular expressions. Thanks to Yaroslav Halchenko and others
|
|
- Added sendmail actions. The action started with "mail" are now deprecated.
|
|
Thanks to Raphaël Marichez
|
|
- Added "ignoreregex" support to fail2ban-regex
|
|
- Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
|
|
- Tightening up the pid check in redhat-initd. Thanks to David Nutter
|
|
- Added webmin authentication filter. Thanks to Guillaume Delvit
|
|
- Removed textToDns() which is not required anymore. Thanks to Yaroslav
|
|
Halchenko
|
|
- Added new action iptables-allports. Thanks to Yaroslav Halchenko
|
|
- Added "named" date format to date detector. Thanks to Yaroslav Halchenko
|
|
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
|
|
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
|
|
|
|
ver. 0.8.0 (2007/05/03) - stable
|
|
----------
|
|
- Fixed RedHat init script. Thanks to Jonathan Underwood
|
|
- Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner
|
|
|
|
ver. 0.7.9 (2007/04/19) - release candidate
|
|
----------
|
|
- Close opened handlers. Thanks to Yaroslav Halchenko
|
|
- Fixed "reload" bug. Many many thanks to Yaroslav Halchenko
|
|
- Added date format for asctime without year
|
|
- Modified filters config. Thanks to Michael C. Haller
|
|
- Fixed a small bug in mail-buffered.conf
|
|
|
|
ver. 0.7.8 (2007/03/21) - release candidate
|
|
----------
|
|
- Fixed asctime pattern in datedetector.py
|
|
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
|
- Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
|
|
- Moved every locking statements in a try..finally block
|
|
|
|
ver. 0.7.7 (2007/02/08) - release candidate
|
|
----------
|
|
- Added signal handling in fail2ban-client
|
|
- Added a wonderful visual effect when waiting on the server
|
|
- fail2ban-client returns an error code if configuration is not valid
|
|
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
|
- Call Python interpreter directly (instead of using "env")
|
|
- Added file support to fail2ban-regex. Benchmark feature has been removed
|
|
- Added cacti script and template.
|
|
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier
|
|
|
|
ver. 0.7.6 (2007/01/04) - beta
|
|
----------
|
|
- Added a "sleep 1" in redhat-initd. Thanks to Jim Wight
|
|
- Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
|
|
- Use numeric output for iptables in "actioncheck"
|
|
- Fixed removal of host in hosts.deny. Thanks to René Berber
|
|
- Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
|
|
- Several "failregex" and "ignoreregex" are now accepted. Creation of rules
|
|
should be easier now.
|
|
- Added license in COPYING. Thanks to Axel Thimm
|
|
- Allow comma in action options. The value of the option must be escaped with "
|
|
or '. Thanks to Yaroslav Halchenko
|
|
- Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is
|
|
more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko
|
|
|
|
ver. 0.7.5 (2006/12/07) - beta
|
|
----------
|
|
- Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
|
|
- The supported tags in "action(un)ban" are <ip>, <failures> and <time>
|
|
- Fixed refactoring bug (getLastcommand -> getLastAction)
|
|
- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request
|
|
#1283304
|
|
- Fixed a bug in user defined time regex/pattern
|
|
- Improved documentation
|
|
- Moved version.py and protocol.py to common/
|
|
- Merged "maxtime" option with "findtime"
|
|
- Added "<HOST>" tag support in failregex which matches default IP
|
|
address/hostname. "(?P<host>\S)" is still valid and supported
|
|
- Fixed exception when calling fail2ban-server with unknown option
|
|
- Fixed Debian bug 400162. The "socket" option is now handled correctly by
|
|
fail2ban-client
|
|
- Fixed RedHat init script. Thanks to Justin Shore
|
|
- Changed timeout to 30 secondes before assuming the server cannot be started.
|
|
Thanks to Joël Bertrand
|
|
|
|
ver. 0.7.4 (2006/11/01) - beta
|
|
----------
|
|
- Improved configuration files. Thanks to Yaroslav Halchenko
|
|
- Added man page for "fail2ban-regex"
|
|
- Moved ban/unban messages from "info" level to "warn"
|
|
- Added "-s" option to specify the socket path and "socket" option in
|
|
"fail2ban.conf"
|
|
- Added "backend" option in "jail.conf"
|
|
- Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph
|
|
Haas
|
|
- Improved testing framework
|
|
- Fixed a bug in the return code handling of the executed commands. Thanks to
|
|
Yaroslav Halchenko
|
|
- Signal handling. There is a bug with join() and signal in Python
|
|
- Better debugging output for "fail2ban-regex"
|
|
- Added support for more date format
|
|
- cPickle does not work with Python 2.5. Use pickle instead (performance is not
|
|
a problem in our case)
|
|
|
|
ver. 0.7.3 (2006/09/28) - beta
|
|
----------
|
|
- Added man pages. Thanks to Yaroslav Halchenko
|
|
- Added wildcard support for "logpath"
|
|
- Added Gamin (file and directory monitoring system) support
|
|
- (Re)added "ignoreip" option
|
|
- Added more concurrency protection
|
|
- First attempt at solving bug #1457620 (locale issue)
|
|
- Performance improvements
|
|
- (Re)added permanent banning with banTime < 0
|
|
- Added DNS support to "ignoreip". Feature Request #1285859
|
|
|
|
ver. 0.7.2 (2006/09/10) - beta
|
|
----------
|
|
- Refactoring and code cleanup
|
|
- Improved client output
|
|
- Added more get/set commands
|
|
- Added more configuration templates
|
|
- Removed "logpath" and "maxretry" from filter templates. They must be defined
|
|
in jail.conf now
|
|
- Added interactive mode. Use "-i"
|
|
- Added a date detector. "timeregex" and "timepattern" are no more needed
|
|
- Added "fail2ban-regex". This is a tool to help finding "failregex"
|
|
- Improved server communication. Start a new thread for each incoming request.
|
|
Fail2ban is not really thread-safe yet
|
|
|
|
ver. 0.7.1 (2006/08/23) - alpha
|
|
----------
|
|
- Fixed daemon mode bug
|
|
- Added Gentoo init.d script
|
|
- Fixed path bug when trying to start "fail2ban-server"
|
|
- Fixed reload command
|
|
|
|
ver. 0.7.0 (2006/08/23) - alpha
|
|
----------
|
|
- Almost a complete rewrite :) Fail2ban design is really better (IMHO). There is
|
|
a lot of new features
|
|
- Client/Server architecture
|
|
- Multithreading. Each jail has its own threads: one for the log reading and
|
|
another for the actions
|
|
- Execute several actions
|
|
- Split configuration files. They are more readable and easy to use
|
|
- failregex uses group (<host>) now. This feature was already present in the
|
|
Debian package
|
|
- lots of things...
|
|
|
|
ver. 0.6.1 (2006/03/16) - stable
|
|
----------
|
|
- Added permanent banning. Set banTime to a negative value to enable this
|
|
feature (-1 is perfect). Thanks to Mannone
|
|
- Fixed locale bug. Thanks to Fernando José
|
|
- Fixed crash when time format does not match data
|
|
- Propagated patch from Debian to fix fail2ban search path addition to the path
|
|
search list: now it is added first. Thanks to Nick Craig-Wood
|
|
- Added SMTP authentification for mail notification. Thanks to Markus Hoffmann
|
|
- Removed debug mode as it is confusing for people
|
|
- Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark
|
|
Edgington
|
|
- Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick
|
|
Börjesson
|
|
- Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local
|
|
network.
|
|
- Robust startup: if iptables module does not get fully initialized after
|
|
startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its
|
|
own firewall. It will sleep between attempts for "polltime" number of seconds
|
|
(closes Debian: #334272). Thanks to Yaroslav Halchenko
|
|
- Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser
|
|
module. Old configuration files still work. Thanks to Yaroslav Halchenko
|
|
- Added initial support for hosts.deny and shorewall. Need more testing. Please
|
|
test. Thanks to kojiro from Gentoo forum for hosts.deny support
|
|
- Added support for vsftpd. Thanks to zugeschmiert
|
|
|
|
ver. 0.6.0 (2005/11/20) - stable
|
|
----------
|
|
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
|
* Added an option to report local time (including timezone) or GMT in mail
|
|
notification.
|
|
|
|
ver. 0.5.5 (2005/10/26) - beta
|
|
----------
|
|
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
|
* Introduced fwcheck option to verify consistency of the chains. Implemented
|
|
automatic restart of fail2ban main function in case check of fwban or
|
|
fwunban command failed (closes: #329163, #331695). (Introduced patch was
|
|
further adjusted by upstream author).
|
|
* Added -f command line parameter for [findtime].
|
|
* Added a cleanup of firewall rules on emergency shutdown when unknown
|
|
exception is catched.
|
|
* Fail2ban should not crash now if a wrong file name is specified in config.
|
|
* reordered code a bit so that log targets are setup right after background
|
|
and then only loglevel (verbose, debug) is processed, so the warning could
|
|
be seen in the logs
|
|
* Added a keyword <section> in parsing of the subject and the body of an email
|
|
sent out by fail2ban (closes: #330311)
|
|
|
|
ver. 0.5.4 (2005/09/13) - beta
|
|
----------
|
|
- Fixed bug #1286222.
|
|
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
|
* Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target
|
|
and facility as directed by the config
|
|
* Format of SYSLOG entries fixed to look closer to standard
|
|
* Fixed errata in config/gentoo-confd
|
|
* Introduced findtime configuration variable to control the lifetime of caught
|
|
"failed" log entries
|
|
|
|
ver. 0.5.3 (2005/09/08) - beta
|
|
----------
|
|
- Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav
|
|
Halchenko
|
|
- Added more debug output if an error occurs when sending mail. Thanks to
|
|
Stephen Gildea
|
|
- Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to
|
|
Stephen Gildea
|
|
- Hopefully fixed bug #1256075
|
|
- Fixed bug #1262345
|
|
- Fixed exception handling in PIDLock
|
|
- Removed warning when using "-V" or "-h" with no config file. Thanks to
|
|
Yaroslav Halchenko
|
|
- Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko
|
|
|
|
ver. 0.5.2 (2005/08/06) - beta
|
|
----------
|
|
- Better PID lock file handling. Should close #1239562
|
|
- Added man pages
|
|
- Removed log4py dependency. Use logging module instead
|
|
- "maxretry" and "bantime" can be overridden in each section
|
|
- Fixed bug #1246278 (excessive memory usage)
|
|
- Fixed crash on wrong option value in configuration file
|
|
- Changed custom chains to lowercase
|
|
|
|
ver. 0.5.1 (2005/07/23) - beta
|
|
----------
|
|
- Fixed bugs #1241756, #1239557
|
|
- Added log targets in configuration file. Removed -l option
|
|
- Changed iptables rules in order to create a separated chain for each section
|
|
- Fixed static banList in firewall.py
|
|
- Added an initd script for Debian. Thanks to Yaroslav Halchenko
|
|
- Check for obsolete files after install
|
|
|
|
ver. 0.5.0 (2005/07/12) - beta
|
|
----------
|
|
- Added support for CIDR mask in ignoreip
|
|
- Added mail notification support
|
|
- Fixed bug #1234699
|
|
- Added tags replacement in rules definition. Should allow a clean solution for
|
|
Feature Request #1229479
|
|
- Removed "interface" and "firewall" options
|
|
- Added start and end commands in the configuration file. Thanks to Yaroslav
|
|
Halchenko
|
|
- Added firewall rules definition in the configuration file
|
|
- Cleaned fail2ban.py
|
|
- Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin
|
|
|
|
ver. 0.4.1 (2005/06/30) - stable
|
|
----------
|
|
- Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...".
|
|
Thanks to Tom Pike
|
|
- fail2ban.conf modified for readability. Thanks to Iain Lea
|
|
- Added an initd script for Gentoo
|
|
- Changed default PID lock file location from /tmp to /var/run
|
|
|
|
ver. 0.4.0 (2005/04/24) - stable
|
|
----------
|
|
- Fixed textToDNS which did not recognize strings like
|
|
"12-345-67-890.abcd.mnopqr.xyz"
|
|
|
|
ver. 0.3.1 (2005/03/31) - beta
|
|
----------
|
|
- Corrected level of messages
|
|
- Added DNS lookup support
|
|
- Improved parsing speed. Only parse the new log messages
|
|
- Added a second verbose level (-vv)
|
|
|
|
ver. 0.3.0 (2005/02/24) - beta
|
|
----------
|
|
- Re-writting of parts of the code in order to handle several log files with
|
|
different rules
|
|
- Removed sshd.py because it is no more needed
|
|
- Fixed a bug when exiting with IP in the ban list
|
|
- Added PID lock file
|
|
- Improved some parts of the code
|
|
- Added ipfw-start-rule option (thanks to Robert Edeker)
|
|
- Added -k option which kills a currently running Fail2Ban
|
|
|
|
ver. 0.1.2 (2004/11/21) - beta
|
|
----------
|
|
- Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to
|
|
Robert Edeker
|
|
- Add -e option which allows to set the interface. Thanks to Robert Edeker who
|
|
reminded me this
|
|
- Small code cleaning
|
|
|
|
ver. 0.1.1 (2004/10/23) - beta
|
|
----------
|
|
- Add SIGTERM handler in order to exit nicely when in daemon mode
|
|
- Add -r option which allows to set the maximum number of login failures
|
|
- Remove the Metalog class as the log file are not so syslog daemon specific
|
|
- Rewrite log reader to be service centered. Sshd support added. Match "Failed
|
|
password" and "Illegal user"
|
|
- Add /etc/fail2ban.conf configuration support
|
|
- Code documentation
|
|
|
|
ver. 0.1.0 (2004/10/12) - alpha
|
|
----------
|
|
- Initial release
|