Tags

ver. 0.9.6 (2016/12/10) - stretch-is-coming
-----------

0.9.x line is no longer heavily developed.  If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.

* Misleading add resp. enable of (already available) jail in database, that
  induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
  (e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version,
  uses "fail2ban-python" now);
* Fixed test case "testSetupInstallRoot" for not default python version (also
  using direct call, out of virtualenv);
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/apache-modsecurity.conf`
    - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
      replaced for safer match, unneeded catch-all anchoring removed, non-capturing
* `filter.d/asterisk.conf`
    - Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/dovecot.conf`
    - Fixed failregex ignores failures through some not relevant info (gh-1623)
* `filter.d/ignorecommands/apache-fakegooglebot`
    - Fixed error within apache-fakegooglebot, that will be called
      with wrong python version (gh-1506)
* `filter.d/assp.conf`
    - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf`
    - Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf`
    - Optional reason part in message after FAIL LOGIN (gh-1543)
* `filter.d/sendmail-reject.conf`
    - removed mandatory double space (if dns-host available, gh-1579)
* filter.d/sshd.conf
    - recognized "Failed publickey for" (gh-1477);
    - optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
    - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
    - optional port part after host (see gh-1533, gh-1581)

* New Actions:
    - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
* New Filters:
    - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
      (gh-1586, gh-1606 and gh-1607)

* DateTemplate regexp extended with the word-end boundary, additionally to
  word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to
  python executable, where fail2ban currently installed (resp. its modules are located):
    - allows to use the same version, fail2ban currently running, e.g. in
      external scripts just via replace python with fail2ban-python:
      ```diff
      -#!/usr/bin/env python
      +#!/usr/bin/env fail2ban-python
      ```
    - always the same pickle protocol
    - the same (and also guaranteed available) fail2ban modules
    - simplified stand-alone install, resp. stand-alone installation possibility
      via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
  Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
  are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
  examples:
    - `backend = systemd[journalpath=/run/log/journal/machine-1]`
    - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
    - `backend = systemd[journalflags=2]`

fail2ban Debian release 0.9.5-1

ver. 0.9.5 (2016/07/15) - old-not-obsolete
-----------

0.9.x line is no longer heavily developed.  If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.

* `filter.d/monit.conf`
    - Extended failregex with new monit "access denied" version (gh-1355)
    - failregex of previous monit version merged as single expression
* `filter.d/postfix.conf`, `filter.d/postfix-sasl.conf`
    - Extended failregex daemon part, matching also `postfix/smtps/smtpd`
      now (gh-1391)
* Fixed a grave bug within tags substitutions because of incorrect
  detection of recursion in case of multiple inline substitutions
  of the same tag (affected actions: `bsd-ipfw`, etc).  Now tracks
  the actual list of the already substituted tags (per tag instead
  of single list)
* `filter.d/common.conf`
    - Unexpected extra regex-space in generic `__prefix_line` (gh-1405)
    - All optional spaces normalized in `common.conf`, test covered now
    - Generic `__prefix_line` extended with optional brackets for the
     date ambit (gh-1421), added new parameter `__date_ambit`
* `gentoo-initd` fixed `--pidfile` bug: `--pidfile` is option of
  `start-stop-daemon`, not argument of fail2ban (see gh-1434)
* `filter.d/asterisk.conf`
    - Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
    - Improved log support for PJSIP and Asterisk 13+ with different
      callID (gh-1458)

* New Actions:
    - `action.d/firewallcmd-rich-rules` and `action.d/firewallcmd-rich-logging`
        (gh-1367)
* New filters:
    - slapd - ban hosts, that were failed to connect with invalid
        credentials: error code 49 (gh-1478)

* Extreme speedup of all sqlite database operations (gh-1436),
  by using of following sqlite options:
    - (synchronous = OFF) write data through OS without syncing
    - (journal_mode = MEMORY) use memory for the transaction logging
    - (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh-1362)
* Added additional regex filter for dovecot ldap authentication failures (gh-1370)
* `filter.d/exim*conf`
    - Added additional regexes (gh-1371)
    - Made port entry optional

fail2ban Debian release 0.9.4-1

ver. 0.9.4 (2016/03/08) - for-you-ladies
-----------

- Fixes:
   * roundcube-auth jail typo for logpath
   * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
   * filter.d/apache-badbots.conf
     - Updated useragent string regex adding escape for `+`
   * filter.d/mysqld-auth.conf
     - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
   * filter.d/sshd.conf
     - Updated "Auth fail" regex for OpenSSH 5.9 and later
   * Treat failed and killed execution of commands identically (only
     different log messages), which addresses different behavior on different
     exit codes of dash and bash (gh-1155)
   * Fix jail.conf.5 man's section (gh-1226)
   * Fixed default banaction for allports jails like pam-generic, recidive, etc
     with new default variable `banaction_allports` (gh-1216)
   * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
     for python version < 3.x (gh-1248)
   * Use postfix_log logpath for postfix-rbl jail
   * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
   * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
   * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
   * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
   * Removed compression and rotation count from logrotate (inherit them from
     the global logrotate config)

- New Features:
   * New interpolation feature for definition config readers - `<known/parameter>`
     (means last known init definition of filters or actions with name `parameter`).
     This interpolation makes possible to extend a parameters of stock filter or
     action directly in jail inside jail.local file, without creating a separately
     filter.d/*.local file.
     As extension to interpolation `%(known/parameter)s`, that does not works for
     filter and action init parameters
   * New actions:
     - nftables-multiport and nftables-allports - filtering using nftables
       framework. Note: it requires a pre-existing chain for the filtering rule.
   * New filters:
     - openhab - domotic software authentication failure with the
       rest api and web interface (gh-1223)
     - nginx-limit-req - ban hosts, that were failed through nginx by limit
       request processing rate (ngx_http_limit_req_module)
     - murmur - ban hosts that repeatedly attempt to connect to
       murmur/mumble-server with an invalid server password or certificate.
     - haproxy-http-auth - filter to match failed HTTP Authentications against a
       HAProxy server
   * New jails:
     - murmur - bans TCP and UDP from the bad host on the default murmur port.
   * sshd filter got new failregex to match "maximum authentication
     attempts exceeded" (introduced in openssh 6.8)
   * Added filter for Mac OS screen sharing (VNC) daemon

- Enhancements:
   * Do not rotate empty log files
   * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
     http://bugs.debian.org/798923
   * Added openSUSE path configuration (Thanks Johannes Weberhofer)
   * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
   * Added a timeout (3 sec) to urlopen within badips.py action
     (Thanks M. Maraun)
   * Added check against atacker's Googlebot PTR fake records
     (Thanks Pablo Rodriguez Fernandez)
   * Enhance filter against atacker's Googlebot PTR fake records
     (gh-1226)
   * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
   * Added filter for openhab domotic software authentication failure with the
     rest api and web interface (gh-1223)
   * Add *_backend options for services to allow distros to set the default
     backend per service, set default to systemd for Fedora as appropriate
   * Performance improvements while monitoring large number of files (gh-1265).
     Use associative array (dict) for monitored log files to speed up lookup
     operations. Thanks @kshetragia
   * Specified that fail2ban is PartOf iptables.service firewalld.service in
     .service file -- would reload fail2ban if those services are restarted
   * Provides new default `fail2ban_version` and interpolation variable
     `fail2ban_agent` in jail.conf
   * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
     and to support multiple instances of postfix having varying suffix (gh-1331)
     (Thanks Tom Hendrikx)
   * files/gentoo-initd to use start-stop-daemon to robustify restarting the service

fail2ban Debian release 0.9.3-1

ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
----------

- IMPORTANT incompatible changes:
   * filter.d/roundcube-auth.conf
     - Changed logpath to 'errors' log (was 'userlogins')
   * action.d/iptables-common.conf
     - All calls to iptables command now use -w switch introduced in
       iptables 1.4.20 (some distribution could have patched their
       earlier base version as well) to provide this locking mechanism
       useful under heavy load to avoid contesting on iptables calls.
       If you need to disable, define 'action.d/iptables-common.local'
       with empty value for 'lockingopt' in `[Init]` section.
   * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
     actions now include by default only the first 1000 log lines in
     the emails.  Adjust <grepopts> to augment the behavior.

- Fixes:
   * reload in interactive mode appends all the jails twice (gh-825)
   * reload server/jail failed if database used (but was not changed) and
     some jail active (gh-1072)
   * filter.d/dovecot.conf - also match unknown user in passwd-file.
     Thanks Anton Shestakov
   * Fix fail2ban-regex not parsing journalmatch correctly from filter config
   * filter.d/asterisk.conf - fix security log support for Asterisk 12+
   * filter.d/roundcube-auth.conf
     - Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
     - Added regex to work with 'userlogins' log
   * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
     locale on systems with customized LC_ALL
   * performance fix: minimizes connection overhead, close socket only at
     communication end (gh-1099)
   * unbanip always deletes ip from database (independent of bantime, also if
     currently not banned or persistent)
   * guarantee order of dbfile to be before dbpurgeage (gh-1048)
   * always set 'dbfile' before other database options (gh-1050)
   * kill the entire process group of the child process upon timeout (gh-1129).
     Otherwise could lead to resource exhaustion due to hanging whois
     processes.
   * resolve /var/run/fail2ban path in setup.py to help installation
     on platforms with /var/run -> /run symlink (gh-1142)

- New Features:
   * RETURN iptables target is now a variable: <returntype>
   * New type of operation: pass2allow, use fail2ban for "knocking",
     opening a closed port by swapping blocktype and returntype
   * New filters:
     - froxlor-auth - Thanks Joern Muehlencord
     - apache-pass - filter Apache access log for successful authentication
   * New actions:
     - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
       manual pre-configuration of the shorewall. See the action file for detail.
   * New jails:
     - pass2allow-ftp - allows FTP traffic after successful HTTP authentication

- Enhancements:
   * action.d/cloudflare.conf - improved documentation on how to allow
     multiple CF accounts, and jail.conf got new compound action
     definition action_cf_mwl to submit cloudflare report.
   * Check access to socket for more detailed logging on error (gh-595)
   * fail2ban-testcases man page
   * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
     HEAD method verb
   * Revamp of Travis and coverage automated testing
   * Added a space between IP address and the following colon
     in notification emails for easier text selection
   * Character detection heuristics for whois output via optional setting
     in mail-whois*.conf. Thanks Thomas Mayer.
     Not enabled by default, if _whois_command is set to be
     %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
     it
     - detects character set of whois output (which is undefined by
       RFC 3912) via heuristics of the file command
     - converts whois data to UTF-8 character set with iconv
     - sends the whois output in UTF-8 character set to mail program
     - avoids that heirloom mailx creates binary attachment for input with
       unknown character set

fail2ban Debian release 0.9.2-1

Long delayed

ver. 0.9.2 (2015/04/29) - better-quick-now-than-later
----------

- Fixes:
   * Fix ufw action commands
   * infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
     Thanks TonyThompson
   * port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
     (fnerdwq)
   * $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
   * grep'ing for IP in *mail-whois-lines.conf should now match also
     at the beginning and EOL.  Thanks Dean Lee
   * jail.conf
     - php-url-fopen: separate logpath entries by newline
   * failregex declared direct in jail was joined to single line (specifying of
     multiple expressions was not possible).
   * filters.d/exim.conf - cover different settings of exim logs
     details. Thanks bes.internal
   * filter.d/postfix-sasl.conf - failregex is now case insensitive
   * filters.d/postfix.conf - add 'Client host rejected error message' failregex
   * fail2ban/__init__.py - add strptime thread safety hack-around
   * recidive uses iptables-allports banaction by default now.
     Avoids problems with iptables versions not understanding 'all' for
     protocols and ports
   * filter.d/dovecot.conf
     - match pam_authenticate line from EL7
     - match unknown user line from EL7
   * Use use_poll=True for Python 2.7 and >=3.4 to overcome "Bad file
     descriptor" msgs issue (gh-161)
   * filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore
     system authentication issues
   * fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
     (gh-954)
   * firewallcmd-* actions: split output into separate lines for grepping (gh-908)
   * Guard unicode encode/decode issues while storing records in the database.
     Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
     for reporting
   * filter.d/sshd added regex for matching openSUSE ssh authentication failure
   * filter.d/asterisk.conf:
     - Dropped "Sending fake auth rejection" failregex since it incorrectly
       targets the asterisk server itself
     - match "hacking attempt detected" logs

- New Features:
   - New filters:
     - postfix-rbl  Thanks Lee Clemens
     - apache-fakegooglebot.conf  Thanks Lee Clemens
     - nginx-botsearch  Thanks Frantisek Sumsal
     - drupal-auth  Thanks Lee Clemens
   - New recursive embedded substitution feature added:
     - `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
     - `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
   - New interpolation feature for config readers - `%(known/parameter)s`.
     (means last known option with name `parameter`). This interpolation makes
     possible to extend a stock filter or jail regexp in .local file
     (opposite to simply set failregex/ignoreregex that overwrites it),
     see gh-867.
   - Monit config for fail2ban in files/monit/
   - New actions:
     - action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt
     - action.d/sendmail-geoip-lines.conf
     - action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean
   - New status argument for fail2ban-client -- flavor:
     fail2ban-client status <jail> [flavor]
     - empty or "basic" works as-is
     - "cymru" additionally prints (ASN, Country RIR) per banned IP
       (requires dnspython or dnspython3)
   - Flush log at USR1 signal

- Enhancements:
   * Enable multiport for firewallcmd-new action.  Closes gh-834
   * files/debian-initd migrated from the debian branch and should be
     suitable for manual installations now (thanks Juan Karlo de Guzman)
   * Define empty ignoreregex in filters which didn't have it to avoid
     warnings (gh-934)
   * action.d/{sendmail-*,xarf-login-attack}.conf - report local
     timezone not UTC time/zone. Closes gh-911
   * Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
   * Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
   * Added syslogsocket configuration to fail2ban.conf
   * Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964)

fail2ban Debian release 0.9.1+git44-gd65c4f8-1

fail2ban Debian release 0.9.1-1

What aught to be a bugfix release delayed into a featured release 0.9.1

ver. 0.9.1 (2014/10/29) - better, faster, stronger
----------

- Refactoring (IMPORTANT -- Please review your setup and configuration):
   * iptables-common.conf replaced iptables-blocktype.conf
     (iptables-blocktype.local should still be read) and now also
     provides defaults for the chain, port, protocol and name tags

- Fixes:
   * start of file2ban aborted (on slow hosts, systemd considers the server has
     been timed out and kills him), see gh-824
   * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
   * systemd backend error on bad utf-8 in python3
   * badips.py action error when logging HTTP error raised with badips request
   * fail2ban-regex failed to work in python3 due to space/tab mix
   * recidive regex samples incorrect log level
   * journalmatch for recidive incorrect PRIORITY
   * loglevel couldn't be changed in fail2ban.conf
   * Handle case when no sqlite library is available for persistent database
   * Only reban once per IP from database on fail2ban restart
   * Nginx filter to support missing server_name. Closes gh-676
   * fail2ban-regex assertion error caused by miscount missed lines with
     multiline regex
   * Fix actions failing to execute for Python 3.4.0. Workaround for
     http://bugs.python.org/issue21207
   * Database now returns persistent bans on restart (bantime < 0)
   * Recursive action tags now fully processed. Fixes issue with bsd-ipfw
     action
   * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
     Thanks Serg G. Brester
   * Correct times for non-timezone date times formats during DST
   * Pass a copy of, not original, aInfo into actions to avoid side-effects
   * Per-distribution paths to the exim's main log
   * Ignored IPs are no longer banned when being restored from persistent
     database
   * Manually unbanned IPs are now removed from persistent database, such they
     wont be banned again when Fail2Ban is restarted
   * Pass "bantime" parameter to the actions in default jail's action
     definition(s)
   * filters.d/sieve.conf - fixed typo in _daemon.  Thanks Jisoo Park
   * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
     Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
     Debian bug #755173
   * postfix-sasl - added journalmatch.  Thanks Luc Maisonobe
   * postfix* - match with a new daemon string (postfix/submission/smtpd).
     Closes gh-804 .  Thanks Paul Traina
   * apache - added filter for AH01630 client denied by server configuration.

- New features:
   - New filters:
     - monit  Thanks Jason H Martin
     - directadmin  Thanks niorg
     - apache-shellshock  Thanks Eugene Hopkinson (SlowRiot)
   - New actions:
     - symbiosis-blacklist-allports  for Bytemark symbiosis firewall
   - fail2ban-client can fetch the running server version
   - Added Cloudflare API action

- Enhancements
   * Start performance of fail2ban-client (and tests) increased, start time
     and cpu usage rapidly reduced. Introduced a shared storage logic, to
     bypass reading lots of config files (see gh-824).
     Thanks to Joost Molenaar for good catch (reported gh-820).
   * Fail2ban-regex - add print-all-matched option. Closes gh-652
   * Suppress fail2ban-client warnings for non-critical config options
   * Match non "Bye Bye" disconnect messages for sshd locked account regex
   * courier-smtp filter:
     - match lines with user names
     - match lines containing "535 Authentication failed" attempts
   * Add <chain> tag to iptables-ipsets
   * Realign fail2ban log output with white space to improve readability. Does
     not affect SYSLOG output
   * Log unhandled exceptions
   * cyrus-imap: catch "user not found" attempts
   * Add support for Portsentry

fail2ban Debian release 0.9.0+git252-g47441d1-1

Bugfix release to please people with elderly Pythons

as was uploaded to squeeze LTS