pax_global_header00006660000000000000000000000064125570206350014517gustar00rootroot0000000000000052 comment=70ba5cb0054f0869930b8cd2dc1bb836653dd289 fail2ban-0.9.3/000077500000000000000000000000001255702063500132065ustar00rootroot00000000000000fail2ban-0.9.3/.coveragerc000066400000000000000000000002021255702063500153210ustar00rootroot00000000000000 [run] branch = True source = config fail2ban [report] exclude_lines = pragma: no cover pragma: systemd no cover fail2ban-0.9.3/.gitignore000066400000000000000000000001261255702063500151750ustar00rootroot00000000000000*~ build dist *.pyc htmlcov .coverage *.orig *.rej *.bak __pycache__ .vagrant/ .idea/ fail2ban-0.9.3/.project000066400000000000000000000005631255702063500146610ustar00rootroot00000000000000 fail2ban-unstable org.python.pydev.PyDevBuilder org.python.pydev.pythonNature fail2ban-0.9.3/.pydevproject000066400000000000000000000006571255702063500157350ustar00rootroot00000000000000 python 2.3 /fail2ban-0.8/client /fail2ban-0.8/server /fail2ban-0.8/testcases /fail2ban-0.8 fail2ban-0.9.3/.pylintrc000066400000000000000000000024371255702063500150610ustar00rootroot00000000000000# Custom pylint configuration for the Fail2Ban project # # Set your PYLINTRC environment variable to point to this file # e.g. # export PYLINTRC=$PWD/.pylintrc [FORMAT] indent-string='\t' [BASIC] # Fail2Ban uses non-conventional to Python world camel-casing # These regexps were originally borrowed from 0.4.x series of # PyMVPA which had similar conventions. # Regular expression which should only match correct module names module-rgx=(([a-z][a-z0-9_]*)|([A-Z][a-zA-Z0-9_]+))$ attr-rgx=[a-z_][a-zA-Z0-9_]{2,30} # Regular expression which should only match correct class names class-rgx=[A-Z_]+[a-zA-Z0-9]+$ # Regular expression which should only match correct function names function-rgx=[a-z_]+[a-z_][a-zA-Z0-9]*$ # Regular expression which should only match correct method names method-rgx=([a-z_]|__)[a-zA-Z0-9]*(__)?$ # Regular expression which should only match correct argument names argument-rgx=[a-z][a-zA-Z0-9]*_*[a-zA-Z0-9]*_*[a-zA-Z0-9]*_?$ # Regular expression which should only match correct variable names variable-rgx=([a-z_]+[a-zA-Z0-9]*_*[a-zA-Z0-9]*_*[a-zA-Z0-9]*_?||(__.*__))$||[A-Z] # Regular expression which should only match correct module level names # Default: (([A-Z_][A-Z1-9_]*)|(__.*__))$ const-rgx=([a-z_]+[a-zA-Z0-9]*_*[a-zA-Z0-9]*_*[a-zA-Z0-9]*_?|__.*__)$||[A-Z] fail2ban-0.9.3/.travis.yml000066400000000000000000000042561255702063500153260ustar00rootroot00000000000000# vim ft=yaml # travis-ci.org definition for Fail2Ban build # https://travis-ci.org/fail2ban/fail2ban/ language: python python: - 2.6 - 2.7 - pypy - 3.2 - 3.3 - 3.4 - pypy3 before_install: - if [[ $TRAVIS_PYTHON_VERSION == 2* || $TRAVIS_PYTHON_VERSION == 'pypy' ]]; then export F2B_PY_2=true && echo "Set F2B_PY_2"; fi - if [[ $TRAVIS_PYTHON_VERSION == 3* || $TRAVIS_PYTHON_VERSION == 'pypy3' ]]; then export F2B_PY_3=true && echo "Set F2B_PY_3"; fi - travis_retry sudo apt-get update -qq # Set this so sudo executes the correct python binary # Anything not using sudo will already have the correct environment - export VENV_BIN="$VIRTUAL_ENV/bin" && echo "VENV_BIN set to $VENV_BIN" install: # Install Python packages / dependencies # coverage - travis_retry pip install coverage # coveralls - travis_retry pip install coveralls # dnspython or dnspython3 - if [[ "$F2B_PY_2" ]]; then travis_retry pip install dnspython; fi - if [[ "$F2B_PY_3" ]]; then travis_retry pip install dnspython3; fi # gamin - install manually (not in PyPI) - travis-ci system Python is 2.7 - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then travis_retry sudo apt-get install -qq python-gamin && cp /usr/share/pyshared/gamin.py /usr/lib/pyshared/python2.7/_gamin.so $VIRTUAL_ENV/lib/python2.7/site-packages/; fi # pyinotify - travis_retry pip install pyinotify before_script: # Manually execute 2to3 for now - if [[ "$F2B_PY_3" ]]; then ./fail2ban-2to3; fi script: # Keep the legacy setup.py test approach of checking coverage for python2 - if [[ "$F2B_PY_2" ]]; then coverage run setup.py test; fi # Coverage doesn't pick up setup.py test with python3, so run it directly - if [[ "$F2B_PY_3" ]]; then coverage run bin/fail2ban-testcases; fi # Use $VENV_BIN (not python) or else sudo will always run the system's python (2.7) - sudo $VENV_BIN/pip install . after_success: - coveralls matrix: fast_finish: true # Might be worth looking into #notifications: # email: true # irc: # channels: "irc.freenode.org#fail2ban" # template: # - "%{repository}@%{branch}: %{message} (%{build_url})" # on_success: change # on_failure: change # skip_join: true fail2ban-0.9.3/CONTRIBUTING.md000066400000000000000000000021231255702063500154350ustar00rootroot00000000000000Guidelines on Fail2Ban contributions ==================================== ### You found a severe security vulnerability in Fail2Ban? email details to fail2ban-vulnerabilities at lists dot sourceforge dot net . ### You need some new features, you found bugs? visit [Issues](https://github.com/fail2ban/fail2ban/issues) and if your issue is not yet known -- file a bug report. See [Fail2Ban wiki](http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help) on further instructions. ### You would like to troubleshoot or discuss? join the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users) ### You would like to contribute (new filters/actions/code/documentation)? send a [pull request](https://github.com/fail2ban/fail2ban/pulls) Pull requests guidelines ======================== - If there is an issue on github to be closed by the pull request, include ```Closes #ISSUE``` (where ISSUE is issue's number) - Add a brief summary of the change to the ChangeLog file into a corresponding section out of Fixes, New Features or Enhancements (improvements to existing features) fail2ban-0.9.3/COPYING000066400000000000000000000455401255702063500142510ustar00rootroot00000000000000The following copyright applies to all files present in the Fail2ban package, except if a different copyright is explicitly defined in this file. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. --------------------------------- The file server/iso8601.py is licensed under the following terms. Copyright (c) 2007 Michael Twomey Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. fail2ban-0.9.3/ChangeLog000066400000000000000000001713711255702063500147720ustar00rootroot00000000000000 __ _ _ ___ _ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| Fail2Ban: Changelog =================== ver. 0.9.3 (2015/08/01) - lets-all-stay-friends ---------- - IMPORTANT incompatible changes: * filter.d/roundcube-auth.conf - Changed logpath to 'errors' log (was 'userlogins') * action.d/iptables-common.conf - All calls to iptables command now use -w switch introduced in iptables 1.4.20 (some distribution could have patched their earlier base version as well) to provide this locking mechanism useful under heavy load to avoid contesting on iptables calls. If you need to disable, define 'action.d/iptables-common.local' with empty value for 'lockingopt' in `[Init]` section. * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines actions now include by default only the first 1000 log lines in the emails. Adjust to augment the behavior. - Fixes: * reload in interactive mode appends all the jails twice (gh-825) * reload server/jail failed if database used (but was not changed) and some jail active (gh-1072) * filter.d/dovecot.conf - also match unknown user in passwd-file. Thanks Anton Shestakov * Fix fail2ban-regex not parsing journalmatch correctly from filter config * filter.d/asterisk.conf - fix security log support for Asterisk 12+ * filter.d/roundcube-auth.conf - Updated regex to work with 'errors' log (1.0.5 and 1.1.1) - Added regex to work with 'userlogins' log * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override locale on systems with customized LC_ALL * performance fix: minimizes connection overhead, close socket only at communication end (gh-1099) * unbanip always deletes ip from database (independent of bantime, also if currently not banned or persistent) * guarantee order of dbfile to be before dbpurgeage (gh-1048) * always set 'dbfile' before other database options (gh-1050) * kill the entire process group of the child process upon timeout (gh-1129). Otherwise could lead to resource exhaustion due to hanging whois processes. * resolve /var/run/fail2ban path in setup.py to help installation on platforms with /var/run -> /run symlink (gh-1142) - New Features: * RETURN iptables target is now a variable: * New type of operation: pass2allow, use fail2ban for "knocking", opening a closed port by swapping blocktype and returntype * New filters: - froxlor-auth - Thanks Joern Muehlencord - apache-pass - filter Apache access log for successful authentication * New actions: - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires manual pre-configuration of the shorewall. See the action file for detail. * New jails: - pass2allow-ftp - allows FTP traffic after successful HTTP authentication - Enhancements: * action.d/cloudflare.conf - improved documentation on how to allow multiple CF accounts, and jail.conf got new compound action definition action_cf_mwl to submit cloudflare report. * Check access to socket for more detailed logging on error (gh-595) * fail2ban-testcases man page * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add HEAD method verb * Revamp of Travis and coverage automated testing * Added a space between IP address and the following colon in notification emails for easier text selection * Character detection heuristics for whois output via optional setting in mail-whois*.conf. Thanks Thomas Mayer. Not enabled by default, if _whois_command is set to be %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local), it - detects character set of whois output (which is undefined by RFC 3912) via heuristics of the file command - converts whois data to UTF-8 character set with iconv - sends the whois output in UTF-8 character set to mail program - avoids that heirloom mailx creates binary attachment for input with unknown character set ver. 0.9.2 (2015/04/29) - better-quick-now-than-later ---------- - Fixes: * Fix ufw action commands * infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907. Thanks TonyThompson * port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner (fnerdwq) * $ typo in jail.conf. Thanks Skibbi. Debian bug #767255 * grep'ing for IP in *mail-whois-lines.conf should now match also at the beginning and EOL. Thanks Dean Lee * jail.conf - php-url-fopen: separate logpath entries by newline * failregex declared direct in jail was joined to single line (specifying of multiple expressions was not possible). * filters.d/exim.conf - cover different settings of exim logs details. Thanks bes.internal * filter.d/postfix-sasl.conf - failregex is now case insensitive * filters.d/postfix.conf - add 'Client host rejected error message' failregex * fail2ban/__init__.py - add strptime thread safety hack-around * recidive uses iptables-allports banaction by default now. Avoids problems with iptables versions not understanding 'all' for protocols and ports * filter.d/dovecot.conf - match pam_authenticate line from EL7 - match unknown user line from EL7 * Use use_poll=True for Python 2.7 and >=3.4 to overcome "Bad file descriptor" msgs issue (gh-161) * filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore system authentication issues * fail2ban-regex reads filter file(s) completely, incl. '.local' file etc. (gh-954) * firewallcmd-* actions: split output into separate lines for grepping (gh-908) * Guard unicode encode/decode issues while storing records in the database. Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot for reporting * filter.d/sshd added regex for matching openSUSE ssh authentication failure * filter.d/asterisk.conf: - Dropped "Sending fake auth rejection" failregex since it incorrectly targets the asterisk server itself - match "hacking attempt detected" logs - New Features: - New filters: - postfix-rbl Thanks Lee Clemens - apache-fakegooglebot.conf Thanks Lee Clemens - nginx-botsearch Thanks Frantisek Sumsal - drupal-auth Thanks Lee Clemens - New recursive embedded substitution feature added: - `<HOST>` becomes `` for PREF=`IPV4`; - `<HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`; - New interpolation feature for config readers - `%(known/parameter)s`. (means last known option with name `parameter`). This interpolation makes possible to extend a stock filter or jail regexp in .local file (opposite to simply set failregex/ignoreregex that overwrites it), see gh-867. - Monit config for fail2ban in files/monit/ - New actions: - action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt - action.d/sendmail-geoip-lines.conf - action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean - New status argument for fail2ban-client -- flavor: fail2ban-client status [flavor] - empty or "basic" works as-is - "cymru" additionally prints (ASN, Country RIR) per banned IP (requires dnspython or dnspython3) - Flush log at USR1 signal - Enhancements: * Enable multiport for firewallcmd-new action. Closes gh-834 * files/debian-initd migrated from the debian branch and should be suitable for manual installations now (thanks Juan Karlo de Guzman) * Define empty ignoreregex in filters which didn't have it to avoid warnings (gh-934) * action.d/{sendmail-*,xarf-login-attack}.conf - report local timezone not UTC time/zone. Closes gh-911 * Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916 * Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests * Added syslogsocket configuration to fail2ban.conf * Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964) ver. 0.9.1 (2014/10/29) - better, faster, stronger ---------- - Refactoring (IMPORTANT -- Please review your setup and configuration): * iptables-common.conf replaced iptables-blocktype.conf (iptables-blocktype.local should still be read) and now also provides defaults for the chain, port, protocol and name tags - Fixes: * start of file2ban aborted (on slow hosts, systemd considers the server has been timed out and kills him), see gh-824 * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806. * systemd backend error on bad utf-8 in python3 * badips.py action error when logging HTTP error raised with badips request * fail2ban-regex failed to work in python3 due to space/tab mix * recidive regex samples incorrect log level * journalmatch for recidive incorrect PRIORITY * loglevel couldn't be changed in fail2ban.conf * Handle case when no sqlite library is available for persistent database * Only reban once per IP from database on fail2ban restart * Nginx filter to support missing server_name. Closes gh-676 * fail2ban-regex assertion error caused by miscount missed lines with multiline regex * Fix actions failing to execute for Python 3.4.0. Workaround for http://bugs.python.org/issue21207 * Database now returns persistent bans on restart (bantime < 0) * Recursive action tags now fully processed. Fixes issue with bsd-ipfw action * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags. Thanks Serg G. Brester * Correct times for non-timezone date times formats during DST * Pass a copy of, not original, aInfo into actions to avoid side-effects * Per-distribution paths to the exim's main log * Ignored IPs are no longer banned when being restored from persistent database * Manually unbanned IPs are now removed from persistent database, such they wont be banned again when Fail2Ban is restarted * Pass "bantime" parameter to the actions in default jail's action definition(s) * filters.d/sieve.conf - fixed typo in _daemon. Thanks Jisoo Park * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s). Regression was introduced while strengthening failregex in 0.8.11 (bd175f) Debian bug #755173 * postfix-sasl - added journalmatch. Thanks Luc Maisonobe * postfix* - match with a new daemon string (postfix/submission/smtpd). Closes gh-804 . Thanks Paul Traina * apache - added filter for AH01630 client denied by server configuration. - New features: - New filters: - monit Thanks Jason H Martin - directadmin Thanks niorg - apache-shellshock Thanks Eugene Hopkinson (SlowRiot) - New actions: - symbiosis-blacklist-allports for Bytemark symbiosis firewall - fail2ban-client can fetch the running server version - Added Cloudflare API action - Enhancements * Start performance of fail2ban-client (and tests) increased, start time and cpu usage rapidly reduced. Introduced a shared storage logic, to bypass reading lots of config files (see gh-824). Thanks to Joost Molenaar for good catch (reported gh-820). * Fail2ban-regex - add print-all-matched option. Closes gh-652 * Suppress fail2ban-client warnings for non-critical config options * Match non "Bye Bye" disconnect messages for sshd locked account regex * courier-smtp filter: - match lines with user names - match lines containing "535 Authentication failed" attempts * Add tag to iptables-ipsets * Realign fail2ban log output with white space to improve readability. Does not affect SYSLOG output * Log unhandled exceptions * cyrus-imap: catch "user not found" attempts * Add support for Portsentry ver. 0.9.0 (2014/03/14) - beta ---------- Carries all fixes, features and enhancements from 0.8.13 (unreleased) with major changes. The minimum supported python version is now 2.6. If you have python-2.4 or 2.5 you can use the 0.8.12 version of fail2ban. Please take note of release notes: https://github.com/fail2ban/fail2ban/releases/tag/0.9.0 Please test your configuration before relying on it. Nearly all development is thanks to Steven Hiscocks (THANKS!), merging, testcases and timezone support from Daniel Black, and code-review and minor additions from Yaroslav Halchenko. - Refactoring (IMPORTANT -- Please review your setup and configuration): * [..bddbf1e] jail.conf was heavily refactored and now is similar to how it looked on Debian systems: - default action could be configured once for all jails - jails definitions only provide customizations (port, logpath) - no need to specify 'filter' if name matches jail name * [..5aef036] Core functionality moved into fail2ban/ module. Closes gh-26 - tests included in module to aid testing and debugging * Added fail2ban persistent database - default location at /var/lib/fail2ban/fail2ban.sqlite3 - allows active bans to be reinstated on restart - log files read from last position after restart * Added systemd journal backend - Dependency on python-systemd - New "journalmatch" option added to filter configs files - New "systemd-journal" option added to fail2ban-regex * Added python3 support * Support %z (Timezone offset) and %f (sub-seconds) support for datedetector. Enhanced existing date/time have been updated patterns to support these. ISO8601 now defaults to localtime unless specified otherwise. Some filters have been change as required to capture these elements in the right timezone correctly. * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR. - Log level INFO is now more verbose * Optionally can read log files starting from "head" or "tail". - See "logpath" option in jail.conf(5) man page. * Can now set log encoding for files per jail. - Default uses systemd locale. - New features: * [..c7ae460] Multiline failregex. Close gh-54 * [8af32ed] Guacamole filter and support for Apache Tomcat date format * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug #410077. Also it would now capture and include stdout and stderr into logging messages in case of error or at DEBUG loglevel. * Added action xarf-login-attack to report formatted attack messages according to the XARF standard (v0.2). Close gh-105 * Support PyPy * Add filter for apache-botsearch * Add filter for kerio. Thanks Tony Lawrence for blog of regexs and providing samples. Close gh-120 * Filter for stunnel * Filter for Counter Strike 1.6. Thanks to onorua for logs. Close gh-347 * Filter for squirrelmail. Close gh-261 * Filter for tine20. Close gh-583 * Custom date formats (strptime) can now be set in filters and jail.conf * Python based actions can now be created. - SMTP action for sending emails on jail start, stop and ban. * Added action to use badips.com reporting and blacklist - Requires Python 2.7+ - Enhancements * Fail2ban-regex - don't accumulate lines if not printing them. add options to suppress output of missed/ignored lines. Close gh-644 * Asterisk now supports syslog format * Jail names increased to 26 characters and iptables prefix reduced from fail2ban- to f2b- as suggested by buanzo in gh-462. * Multiline filter for sendmail-spam. Close gh-418 * Multiline regex for Disconnecting: Too many authentication failures for root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth] * Multiline regex for Disconnecting: Connection from 61.XX.XX.XX port 51353\nToo many authentication failures for root [preauth]. Thanks Helmut Grohne. Close gh-457 * Replacing use of deprecated API (.warning, .assertEqual, etc) * [..a648cc2] Filters can have options now too which are substituted into failregex / ignoreregex * [..e019ab7] Multiple instances of the same action are allowed in the same jail -- use actname option to disambiguate. * Add honeypot email address to exim-spam filter as argument * Properties and methods of actions accessible from fail2ban-client - Use of properties replaces command actions "cinfo" interface ver. 0.8.13 (2014/03/15) - maintenance-only-from-now-on ----------- - Fixes: - action firewallcmd-ipset had non-working actioncheck. Removed. redhat bug #1046816. - filter pureftpd - added _daemon which got removed. Added - New Features: - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23). - Enhancements: - filter asterisk now supports syslog format - filter pureftpd - added all translations of "Authentication failed for user" - filter dovecot - lip= was optional and extended TLS errors can occur. Thanks Noel Butler. ver. 0.8.12 (2014/01/22) - things-can-only-get-better ---------- - IMPORTANT incompatible changes: - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name name length. As per gh-395 - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. Part of gh-447. - Fixes: - allow for ",milliseconds" in the custom date format of proftpd.log - allow for ", referer ..." in apache-* filter for apache error logs. - allow for spaces at the beginning of kernel messages. Closes gh-448 - recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias - smtps not a IANA standard and has been removed from Arch. Replaced with 465. Thanks Stefan. Closes gh-447 - add 'flushlogs' command to allow logrotation without clobbering logtarget settings. Closes gh-458, Debian bug #697333, Redhat bug #891798. - complain action - ensure where not matching other IPs in log sample. Closes gh-467 - Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622 - Fix apache-common for apache-2.4 log file format. Thanks Mark White. Closes gh-516 - Asynchat changed to use push method which verifys whether all data was send. This ensures that all data is sent before closing the connection. - Removed unnecessary reference to as yet undeclared $jail_name when checking a specific jail in nagios script. - Filter dovecot reordered session and TLS items in regex with wider scope for session characters. Thanks Ivo Truxa. Closes gh-586 - A single bad failregex or command syntax in configuration files won't stop fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585. - Enhancements: - long names on jails documented based on iptables limit of 30 less len("fail2ban-"). - remove indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems. Closes Debian bug #730202. - updated check_fail2ban to return performance data for all jails. - filter apache-noscript now includes php cgi scripts. Thanks dani. Closes gh-503 - exim-spam filter to match spamassassin log entry for option SAdevnull. Thanks Ivo Truxa. Closes gh-533 - filter.d/nsd.conf -- also amended Unix date template to match nsd format - Added to sshd filter expression for "Received disconnect from : 3: ...: Auth fail". Thanks Marcel Dopita. Closes gh-289 - loglines now also report "[PID]" after the name portion - Added filter.d/ejabberd-auth - Improved ACL-handling for Asterisk - loglines now also report "[PID]" after the name portion - Added improper command pipelining to postfix filter. - New Features: - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist. - Add filter for apache-modsecurity. - filter.d/nsd.conf -- also amended Unix date template to match nsd format - Added openwebmail filter thanks Ivo Truxa. Closes gh-543 - Added filter for freeswitch. Thanks Jim and editors and authors of http://wiki.freeswitch.org/wiki/Fail2ban - Added groupoffice filter thanks to logs from Merijn Schering. Closes gh-566 - Added filter for horde - Added filter for squid. Thanks Roman Gelfand. - Added filter for ejabberd-auth. - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543 - Added filter.d/groupoffice filter thanks to logs from Merijn Schering. Closes gh-566 - Added action.d/badips. Thanks to Amy for making a nice API. - Added firewallcmd-ipset action. - Added ufw action. Thanks Guilhem Lettron. lp-#701522 - Added blocklist_de action. ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes ---------- In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexs of our filters to avoid another similar vulnerability. All filters have been updated and some to catch more login/authentication failures and to support for newer application versions. There are test cases for most log cases of failures now. As usual, if you have other examples that demonstrate that a filter is insufficient, or if we have inadvertently introduced a regression, please provide us with example log lines on the github issue tracker http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in some obscure corner of the Internet. Many thanks to our contributors for this release Daniel Black, Yaroslav Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski, Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François Boulogne and others who have helped on IRC and mailing list, logged issues and bug requests. - IMPORTANT incompatible changes: Filter name changes: * 'lighttpd-fastcgi' filter has been renamed to 'suhosin' * 'sasl' has been renamed to 'postfix-sasl' * 'exim' spam catching failregexes was split out into 'exim-spam' These changes will require changing jail.{conf,local} if any of those filters were used. - Fixes: Jonathan Lanning * filter.d/asterisk -- identified another regex for blocking. Also channel ID is hex not decimal as noted in sample logs provided. Daniel Black & Marcel Dopita * filter.d/apache-auth -- fixed and apache auth samples provide. Closes gh-286 Yaroslav Halchenko * filter.d/common.conf -- make colon after [daemon] optional. Closes gh-267 * filter.d/apache-common.conf -- support apache 2.4 more detailed error log format. Closes gh-268 * Backends changes detection and parsing. Close gh-223 and gh-103: - Polling backend: detect changes in the files not only based on mtime, but also on the size and inode. It should allow for better detection of changes and log rotations on busy servers, older python 2.4, and file systems with precision of mtime only up to a second (e.g. ext3). - All backends, possible race condition: do not read from a file initially reported empty. Originally could have lead to accounting for detected log lines multiple times. - Do not crash if executing a command in fail2ban-client interactive mode has failed (e.g. due to incorrect syntax). Closes gh-353 Daniel Black & Мернов Георгий * filter.d/dovecot.conf -- Fix when no TLS enabled - line doesn't end in , Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs * filter.d/named-refused.conf - BIND 9.9.3 regex changes Daniel Black & Sebastian Arcus * filter.d/asterisk -- more regexes Daniel Black * action.d/hostsdeny -- NOTE: new dependency 'ed'. Switched to use 'ed' across all platforms to ensure permissions are the same before and after a ban. Closes gh-266. hostsdeny supports daemon_list now too. * action.d/bsd-ipfw - action option unused. Change blocktype to port unreach instead of deny for consistancy. * filter.d/dovecot - added to support different dovecot failure "..disallowed plaintext auth". Closes Debian bug #709324 * filter.d/roundcube-auth - timezone offset can be positive or negative * action.d/bsd-ipfw - action option unused. Fixed to blocktype for consistency. default to port unreach instead of deny * filter.d/dropbear - fix regexs to match standard dropbear and the patched http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch and add PAM is it in dropbear-2013.60 source code. * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening and extra failure examples in sample logs * filter.d/apache-auth - added expressions for mod_authz, mod_auth and mod_auth_digest failures. * filter.d/recidive -- support f2b syslog target and anchor regex at start * filter.d/mysqld-auth.conf - mysql can use syslog * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian bug #722970. Thanks Colin Watson for the regex analysis. * filter.d/wuftpd - regex enhancements to support pam and wuftpd. Closes Debian bug #665925 Rolf Fokkens * action.d/dshield.conf and complain.conf -- reorder mailx arguments. https://bugzilla.redhat.com/show_bug.cgi?id=998020 John Doe (ache) * action.d/bsd-ipfw.conf - invert actionstop logic to make exist status 0. Closes gh-343. JP Espinosa (Reviewed by O.Poplawski) * files/redhat-initd - rewritten to use stock init.d functions thus avoiding problems with getpid. Also $network and iptables moved to Should- rc init fields Rick Mellor * filter.d/vsftp - fix capture with tty=ftp - New Features: Edgar Hoch * action.d/firewall-cmd-direct-new.conf - action for firewalld from https://bugzilla.redhat.com/show_bug.cgi?id=979622 NOTE: requires firewalld-0.3.8+ Andy Fragen and Daniel Black * filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule numbers. Anonymous: * action.d/osx-afctl - an action based on afctl for osx Daniel Black & ykimon * filter.d/3proxy.conf -- filter added * fail2ban-regex - now generates http://www.debuggex.com urls for debugging regular expressions with the -D parameter. Daniel Black * filter.d/exim-spam.conf -- a splitout of exim's spam regexes with additions for greater control over filtering spam. * add date expression for apache-2.4 - milliseconds * filter.d/nginx-http-auth -- filter added for http basic authentication failures in nginx. Partially fulfills gh-405. Christophe Carles & Daniel Black * filter.d/perdition.conf -- filter added Mark McKinstry * action.d/apf.conf - add action for Advanced Policy Firewall (apf) Amir Caspi and kjohnsonecl * filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server Steven Hiscocks and Daniel Black * filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter - Enhancements: François Boulogne and Frédéric * filter.d/lighttpd - auth regexs for lighttpd-1.4.31 Daniel Black * reorder parsing of jail.conf, jail.d/*.conf, jail.local, jail.d/*.local and likewise for fail2ban.{conf|local|d/*.conf|d/*.local}. Closes gh-392 * jail.conf now has asterisk jail - no need for asterisk-tcp and asterisk-udp. Users should replace existing jails with asterisk to reduce duplicate parsing of the asterisk log file. * filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin}- regex anchor at start * filter.d/vsftpd - anchored regex at start. disable old pam format regex * filter.d/pam-generic - added syslog prefix. Disabled support for linux-pam before version 0.99.2.0 (2005) * filter.d/postfix-sasl - renamed from sasl, anchor at start and base on syslog * filter.d/qmail - rewrote regex to anchor at start. Added regex for another "in the wild" patch to rblsmtp. Yaroslav Halchenko * fail2ban-regex -- refactored to provide more details (missing and ignored lines, control over logging, etc) while maintaining look&feel * fail2ban-client -- log to standard error. Closes gh-264 * Fail to configure if not a single log file was found for an enabled jail. Closes gh-63 * is now enforced to end with an alphanumeric * filter.d/roundcube-auth.conf -- anchored version * date matching - for standard asctime formats prefer more detailed first (thus use year if available) * files/gen_badbots was added and filter.d/apache-badbots.conf was regenerated to get updated (although now still an old) list of "bad" bots Alexander Dietrich * action.d/sendmail-common.conf -- added common sendmail settings file and made the sender display name configurable Steven Hiscocks * filter.d/dovecot - Addition of session, time values and possible blank user Zurd and Daniel Black * filter/named-refused - added refused on zone transfer * filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd} - General regex impovements Zurd * filter.d/postfix - add filter for VRFY failures. Closes gh-322. Orion Poplawski * fail2ban.d/ and jail.d/ directories are added to etc/fail2ban to facilitate their use ver. 0.8.10 (2013/06/12) - wanna-be-secure ----------- Primarily bugfix and enhancements release, triggered by "bugs" in apache- filters. If you are relying on listed below apache- filters, upgrade asap and seek your distributions to patch their fail2ban distribution with [6ccd5781]. - Fixes: Yaroslav Halchenko * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor failregex at the beginning (and where applicable at the end). Addresses a possible DoS. Closes gh-248 * action.d/{route,shorewall}.conf - blocktype must be defined within [Init]. Closes gh-232 - Enhancements Yaroslav Halchenko * jail.conf -- assure all jails have actions and remove unused ports specifications Terence Namusonge * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ Daniel Black * files/suse-initd -- update to the copy from stock SUSE silviogarbes & Daniel Black * Updates to asterisk filter. Closes gh-227/gh-230. Carlos Alberto Lopez Perez * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244. ver. 0.8.9 (2013/05/13) - wanna-be-stable ---------- Originally targeted as a bugfix release, it incorporated many new enhancements, few new features, and more importantly -- quite extended tests battery with current 94% coverage (from 56% of 0.8.8). This release introduces over 200 of non-merge commits from 16 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki, ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither, Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli. Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom Hendrikx, Yehuda Katz and other TBN heroes supporting users on fail2ban-users mailing list and IRC. - Fixes: Yaroslav Halchenko * [6f4dad46] python-2.4 is the minimal version. * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. on Fedora. Closes gh-112. Thanks to Camusensei for the bug report. * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh-103. * [ab044b75] delay check for the existence of config directory until read. * [3b4084d4] fixing up for handling of TAI64N timestamps. * [154aa38e] do not shutdown logging until all jails stop. * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. Thanks to Jon Foster for report and troubleshooting. Orion Poplawski * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories. Nicolas Collignon * [39667ff6] Avoid leaking file descriptors. Closes gh-167. Sergey Brester * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list. Steven Hiscocks * [7a442f07] When changing log target with python2.{4,5} handle KeyError. Closes gh-147, gh-148. * [b6a68f51] Fix delaction on server side. Closes gh-124. Daniel Black * [f0610c01] Allow more that a one word command when changing and Action via the fail2ban-client. Closes gh-134. * [945ad3d9] Fix dates on email actions to work in different locals. Closes gh-70. Thanks to iGeorgeX for the idea. blotus * [96eb8986] ' and " should also be escaped in action tags Closes gh-109 Christoph Theis, Nick Hilliard, Daniel Black * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD - New features: Yaroslav Halchenko * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} to provide additional flexibility to system adminstrators. Thanks to beilber for the idea. Closes gh-114. * [3ce53e87] Add exim filter. Erwan Ben Souiden * [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh-166. Artur Penttinen * [29d0df5] Add mysqld filter. Closes gh-152. ArndRaphael Brandes * [bba3fd8] Add Sogo filter. Closes gh-117. Michael Gebetsriother * [f9b78ba] Add action route to block at routing level. Teodor Micu & Yaroslav Halchenko * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. Daniel Black * [be06b1b] Add action for iptables-ipsets. Closes gh-102. Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk * [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports. Soulard Morgan * [f336d9f] Add filter for webmin. Closes gh-99. Steven Hiscocks * [..746c7d9] bash interactive shell completions for fail2ban-*'s Nick Hilliard * [0c5a9c5] Add pf action. - Enhancements: Enrico Labedzki * [24a8d07] Added new date format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172. * [MANY] Improvements to test cases, travis, and code coverage (coveralls). * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124. * [ce3ab34] Added ability to specify PID file. Orion Poplawski * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh-142. Yaroslav Halchenko * [MANY] Lots of improvements to log messages, man pages and test cases. * [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh-126. Bug report by Michael Heuberger. * [40c5a2d] adding more of diagnostic messages into -client while starting the daemon. * [8e63d4c] Compare against None with 'is' instead of '=='. * [6fef85f] Strip CR and LF while analyzing the log line Daniel Black * [3aeb1a9] Add jail.conf manual page. Closes gh-143. * [MANY] man page edits. * [7cd6dab] Added help command to fail2ban-client. * [c8c7b0b,23bbc60] Better logging of log file read errors. * [3665e6d] Added code coverage to development process. * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes. * [1d9abd1] Action files can have tags in definition that refer to other tags. * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port unreachable rather than just a drop of the packet. Pascal Borreli * [a2b29b4] Fixed lots of typos in config files and documentation. hamilton5 * [7ede1e8] Update dovecot filter config. Romain Riviere * [0ac8746] Enhance named-refused filter for views. James Stout * [..2143cdf] Solaris support enhancements: - README.Solaris - failregex'es tune ups (sshd.conf) - hostsdeny: do not rely on support of '-i' in sed ver. 0.8.8 (2012/12/06) - stable ---------- - Fixes: Alan Jenkins * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid banning due to misconfigured DNS. Closes gh-64 Yaroslav Halchenko * [83109bc] IMPORTANT: escape the content of (if used in custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages in the console. Closes gh-91 - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86 Yaroslav Halchenko - Enhancements: * [2d66f31] replaced uninformative "Invalid command" message with warning log exception why command actually failed * [958a1b0] improved failregex to "support" auth.backend = "htdigest" * [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 for this gh-87) * Various others: travis-ci integration, script to run tests against all available Python versions, etc ver. 0.8.7.1 (2012/07/31) - stable ---------- - Fixes: Yaroslav Halchenko * [e9762f3] Removed sneaked in comment on sys.path.insert ver. 0.8.7 (2012/07/31) - stable ---------- - Fixes: Tom Hendrikx & Jeremy Olexa * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. See http://forums.gentoo.org/viewtopic-t-899018.html Chris Reffett * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, rather than just one failure. Yaroslav Halchenko * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf * [ed16ecc] enforce "ip" field returned as str, not unicode so that log message stays non-unicode. Close gh-32 * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if already present in the pattern * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be friend to developers stuck with Windows (Closes gh-66) * [80b191c] anchor grep regexp in actioncheck to not match partial names of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) - New features: François Boulogne * [a7cb20e..] add lighttpd-auth filter/jail Lee Clemens & Yaroslav Halchenko * [e442503] pyinotify backend (default if backend='auto' and pyinotify is available) * [d73a71f,3989d24] usedns parameter for the jails to allow disabling use of DNS Tom Hendrikx * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban repeated offenders. Close gh-19 Xavier Devlamynck * [7d465f9..] Add asterisk support Zbigniew Jędrzejewski-Szmek * [de502cf..] allow running fail2ban as non-root user (disabled by default) via xt_recent. See doc/run-rootless.txt - Enhancements Lee Clemens * [47c03a2] files/nagios - spelling/grammar fixes * [b083038] updated Free Software Foundation's address * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 * [642d9af,3282f86] reformated printing of jail's name to be consistent with init's info messages * [3282f86] uniform use of capitalized Jail in the messages Leonardo Chiquitto * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf to reflect code * [a7d47e8] Update Free Software Foundation's address Petr Voralek * [4007751] catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) Yaroslav Halchenko * [MANY] extended and robustified unittests: test different backends * [d9248a6] refactored Filter's to avoid duplicate functionality * [7821174] direct users to issues on github * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by default with -v to control verbosity * [b4099da] adjusted header for config/*.conf to mention .local and way to comment (Thanks Stefano Forli for the note) * [6ad55f6] added failregex for wu-ftpd to match against syslog instead of DoS-prone auth.log's rhost (Closes: #514239) * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for sshd filter (Closes: #648020) Yehuda Katz & Yaroslav Halchenko * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers ver. 0.8.6 (2011/11/28) - stable ---------- - Fixes: Markos Chandras & Yaroslav Halchenko * [492d8e5,bd658fc] Use hashlib (instead of deprecated md5) where available Robert Trace & Michael Lorant * [c48c2b1] gentoo-initd cleanup and fixes: assure /var/run + remove stale sock file Michael Saavedra * [3a58d0e] Lock server's executeCmd to prevent racing among iptables calls: see http://bugs.debian.org/554162 Yaroslav Halchenko * [3eb5e3b] Allow for trailing spaces in sasl logs * [1632244] Stop server-side communication before stopping the jails (prevents lockup if actions use fail2ban-client upon unban): see https://github.com/fail2ban/fail2ban/issues/7 * [5a2d518] Various changes to reincarnate unittests Yehuda Katz * Wiki was cleaned from SPAM - Enhancements: Adam Spiers * [3152afb] Recognise time-stamped kernel messages Guido Bozzetto * [713fea6] Added ipmasq rule file to restart fail2ban when iptables are wiped out: see http://bugs.debian.org/461417 Łukasz * [5f23542] Matching of month names in Polish (thanks michaelberg79 for QA) Tom Hendrikx * [9fa54cf] Added Date: header for sendmail*.conf actions Yaroslav Halchenko & Tom Hendrikx * [b52d420..22b7007] in action files now can be used to provide matched loglines which triggered action Yaroslav Halchenko * [ed0bf3a] Removed duplicate entry for DataCha0s/2\.0 in badbots: see http://bugs.debian.org/519557 * [dad91f7] sshd.conf: allow user names to have spaces and trailing spaces in the line * [a9be451] removed expansions for few Date and Revision SVN keywords * [a33135c] set/getFile for ticket.py -- found in source distribution of 0.8.4 * [fbce415] additional logging while stopping the jails ver. 0.8.5 (2011/07/28) - stable ---------- - Fix: use addfailregex instead of failregex while processing per-jail "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to Marat Khayrullin for the patch and Daniel T Chen for forwarding to Debian. - Fix: use os.path.join to generate full path - fixes includes in configs given local filename (5 weeks ago) [yarikoptic] - Fix: allowed for trailing spaces in proftpd logs - Fix: escaped () in pure-ftpd filter. Thanks to Teodor - Fix: allowed space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 - Fix: use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs.debian.org/544232 - Fix: Tai64N stores time in GMT, needed to convert to local time before returning - Fix: disabled named-refused-udp jail entirely with a big fat warning - Fix: added time module. Bug reported in buanzo's blog: see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html - Fix: Patch to make log file descriptors cloexec to stop leaking file descriptors on fork/exec. Thanks to Jonathan Underwood: see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24 - Enhancement: added author for dovecot filter and pruned unneeded space in the regexp - Enhancement: proftpd filter -- if login failed -- count regardless of the reason for failure - Enhancement: added to action.d/iptables*. Thanks to Matthijs Kooijman: see http://bugs.debian.org/515599 - Enhancement: added filter.d/dovecot.conf from Martin Waschbuesch - Enhancement: made filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 - Enhancement: added dropbear filter from Francis Russell and Zak B. Elep: see http://bugs.debian.org/546913 - Enhancement: changed default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 - Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer - Few minor cosmetic changes ver. 0.8.4 (2009/09/07) - stable ---------- - Check the inode number for rotation in addition to checking the first line of the file. Thanks to Jonathan Kamens. Red Hat #503852. Tracker #2800279. - Moved the shutdown of the logging subsystem out of Server.quit() to the end of Server.start(). Fixes the 'cannot release un-acquired lock' error. - Added "Ban IP" command. Thanks to Arturo 'Buanzo' Busleiman. - Added two new filters: lighttpd-fastcgi and php-url-fopen. - Fixed the 'unexpected communication error' problem by means of use_poll=False in Python >= 2.6. - Merged patches from Debian package. Thanks to Yaroslav Halchenko. - Use current day and month instead of Jan 1st if both are not available in the log. Thanks to Andreas Itzchak Rehberg. - Try to match the regex even if the line does not contain a valid date/time. Described in Debian #491253. Thanks to Yaroslav Halchenko. - Added/improved filters and date formats. - Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to Russell Odom. - Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to Detlef Reichelt. - Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824. - Added nagios script. Thanks to Sebastian Mueller. - Added CPanel date format. Thanks to David Collins. Tracker #1967610. - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410. - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115. - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953. - Changed template to be more restrictive. Debian bug #514163. - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct fix but seems to work. Tracker #2500276. - Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea. - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714. ver. 0.8.3 (2008/07/17) - stable ---------- - Process failtickets as long as failmanager is not empty. - Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav Halchenko. - Fixed socket path in redhat and suse init script. Thanks to Jim Wight. - Fixed PID file while started in daemon mode. Thanks to Christian Jobic who submitted a similar patch. - Fixed "fail2ban-client get logpath". Bug #1916986. - Added gssftpd filter. Thanks to Kevin Zembower. - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis Winter. - Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber. - Added ISO 8601 date/time format. - Added and changed some logging level and messages. - Added missing ignoreregex to filters. Thanks to Klaus Lehmann. - Use poll instead of select in asyncore.loop. This should solve the "Unknown error 514". Thanks to Michael Geiger and Klaus Lehmann. ver. 0.8.2 (2008/03/06) - stable ---------- - Fixed named filter. Thanks to Yaroslav Halchenko - Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines - Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann - Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection - Fixed ipfw action script. Thanks to Nick Munger - Removed date from logging message when using SYSLOG. Thanks to Iain Lea - Fixed "ignore IPs". Only the first value was taken into account. Thanks to Adrien Clerc - Moved socket to /var/run/fail2ban. - Rewrote the communication server. - Refactoring. Reduced number of files. - Removed Python 2.4. Minimum required version is now Python 2.3. - New log rotation detection algorithm. - Print monitored files in status. - Create a PID file in /var/run/fail2ban/. Thanks to Julien Perez. - Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko for the fix. - "reload " reloads a single jail and the parameters in fail2ban.conf. - Added Mac OS/X startup script. Thanks to Bill Heaton. - Absorbed some Debian patches. Thanks to Yaroslav Halchenko. - Replaced "echo" with "printf" in actions. Fix #1839673 - Replaced "reject" with "drop" in shorwall action. Fix #1854875 - Fixed Debian bug #456567, #468477, #462060, #461426 - readline is now optional in fail2ban-client (not needed in fail2ban-server). ver. 0.8.1 (2007/08/14) - stable ---------- - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid - Expand in ignoreregex. Thanks to Yaroslav Halchenko - Improved regular expressions. Thanks to Yaroslav Halchenko and others - Added sendmail actions. The action started with "mail" are now deprecated. Thanks to Raphaël Marichez - Added "ignoreregex" support to fail2ban-regex - Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch - Tightening up the pid check in redhat-initd. Thanks to David Nutter - Added webmin authentication filter. Thanks to Guillaume Delvit - Removed textToDns() which is not required anymore. Thanks to Yaroslav Halchenko - Added new action iptables-allports. Thanks to Yaroslav Halchenko - Added "named" date format to date detector. Thanks to Yaroslav Halchenko - Added filter file for named (bind9). Thanks to Yaroslav Halchenko - Fixed vsftpd filter. Thanks to Yaroslav Halchenko ver. 0.8.0 (2007/05/03) - stable ---------- - Fixed RedHat init script. Thanks to Jonathan Underwood - Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner ver. 0.7.9 (2007/04/19) - release candidate ---------- - Close opened handlers. Thanks to Yaroslav Halchenko - Fixed "reload" bug. Many many thanks to Yaroslav Halchenko - Added date format for asctime without year - Modified filters config. Thanks to Michael C. Haller - Fixed a small bug in mail-buffered.conf ver. 0.7.8 (2007/03/21) - release candidate ---------- - Fixed asctime pattern in datedetector.py - Added new filters/actions. Thanks to Yaroslav Halchenko - Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch - Moved every locking statements in a try..finally block ver. 0.7.7 (2007/02/08) - release candidate ---------- - Added signal handling in fail2ban-client - Added a wonderful visual effect when waiting on the server - fail2ban-client returns an error code if configuration is not valid - Added new filters/actions. Thanks to Yaroslav Halchenko - Call Python interpreter directly (instead of using "env") - Added file support to fail2ban-regex. Benchmark feature has been removed - Added cacti script and template. - Added IP list in "status ". Thanks to Eric Gerbier ver. 0.7.6 (2007/01/04) - beta ---------- - Added a "sleep 1" in redhat-initd. Thanks to Jim Wight - Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey - Use numeric output for iptables in "actioncheck" - Fixed removal of host in hosts.deny. Thanks to René Berber - Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI - Several "failregex" and "ignoreregex" are now accepted. Creation of rules should be easier now. - Added license in COPYING. Thanks to Axel Thimm - Allow comma in action options. The value of the option must be escaped with " or '. Thanks to Yaroslav Halchenko - Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko ver. 0.7.5 (2006/12/07) - beta ---------- - Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko - The supported tags in "action(un)ban" are , and