
Changelog History

  • v0.10.2-2

    April 04, 2018
  • v0.10.2-1

    January 23, 2018
  • v0.10.1 Changes

    October 12, 2017

    Fixes

    • fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
    • jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
    • avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables 'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
    • action.d/pf.conf: several fixes for pf-action like anchoring, etc. (see gh-1866, gh-1867);
    • fixed ignoreself issue "Retrieving own IPs of localhost failed: inet_pton() argument 2 must be string, not int" (see gh-1865);
    • fixed tags <fq-hostname> and <sh-hostname>, could be used without ticket (e. g. in actionstart etc., gh-1859).

    • setup.py: fixed several setup facilities (gh-1874):

      • don't check return code by dry-run: returns 256 on some python/setuptool versions;
      • files/fail2ban.service renamed as template to files/fail2ban.service.in;
      • setup process generates build/fail2ban.service from files/fail2ban.service.in using distribution related bin-path;
      • bug-fixing by running setup with option --dry-run;

    New Features

    • introduced new command-line options --dp, --dump-pretty to dump the configuration using more human readable representation (opposite to -d);

    Enhancements

    • nftables actions are IPv6-capable now (gh-1893)
    • filter.d/dovecot.conf: introduced mode aggressive for cases like "disconnected before auth was ready" (gh-1880)
  • v0.10.0 Changes

    August 09, 2017

    TODO: implementing of options resp. other tasks from PR #1346 documentation should be extended (new options, etc)

    Fixes

    • filter.d/apache-auth.conf:
      • better failure recognition using short form of regex (url/referer are foreign inputs, see gh-1645)
    • filter.d/apache-common.conf (filter.d/apache-*.conf):
      • support of apache log-format if logging into syslog/systemd (gh-1695), using parameter logging, parameter usage for jail: filter = apache-auth[logging=syslog] parameter usage for apache-common.local: logging = syslog
    • filter.d/pam-generic.conf:
      • [grave] injection on user name to host fixed
    • filter.d/sshd.conf:
      • rewritten using prefregex and used MLFID-related multi-line parsing (by using tag <F-MLFID> instead of buffering with maxlines);
      • optional parameter mode rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details)
    • filter.d/sendmail-reject.conf:
      • rewritten using prefregex and used MLFID-related multi-line parsing;
      • optional parameter mode introduced: normal (default), extra or aggressive
    • filter.d/haproxy-http-auth: do not mistake client port for part of an IPv6 address (gh-1745)
    • filter.d/postfix.conf:
      • updated to latest postfix formats
      • joined several postfix filter together (normalized and optimized version, gh-1825)
      • introduced new parameter mode (see gh-1825): more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
      • postfix postscreen (resp. other RBL's compatibility fix, gh-1764, gh-1825)
    • filter.d/postfix-rbl.conf: removed (replaced with postfix[mode=rbl])
    • filter.d/postfix-sasl.conf: removed (replaced with postfix[mode=auth])
    • filter.d/roundcube-auth.conf:
      • fixed regex when X-Real-IP or/and X-Forwarded-For are present after host (gh-1303);
      • fixed regex when logging authentication errors to journal instead to a local file (gh-1159);
      • additionally fixed more complex injections on username (e. g. using dot after fake host).
    • filter.d/ejabberd-auth.conf: fixed failregex - accept new log-format (gh-993)
    • action.d/complain.conf
      • fixed using new tag <ip-rev> (sh/dash compliant now)
    • action.d/sendmail-geoip-lines.conf
      • fixed using new tag <ip-host> (without external command execution)
    • fail2ban-regex: fixed matched output by multi-line (buffered) parsing
    • fail2ban-regex: support for multi-line debuggex URL implemented (gh-422)
    • fixed ipv6-action errors on systems not supporting ipv6 and vice versa (gh-1741)
    • fixed directory-based log-rotate for pyinotify-backend (gh-1778)

    New Features

    • New Actions:

    • New Filters:

    Enhancements

    • Introduced new filter option prefregex for pre-filtering using single regular expression (gh-1698);
    • Many times faster and less CPU-hungry because of parsing with maxlines=1, so without line buffering (scrolling of the buffer-window). Combination of tags <F-MLFID> and <F-NOFAIL> can be used now to process multi-line logs using single-line expressions:
      • tag <F-MLFID>: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by <F-MLFID>(?:conn-id)</F-MLFID>, see sshd.conf for example);
      • tag <F-MLFFORGET>: can be used as mark to forget current multi-line MLFID (e. g. by connection closed, reset or disconnect etc);
      • tag <F-NOFAIL>: used as mark for no-failure (helper to accumulate common failure-info, e. g. from lines that contain IP-address); Opposite to obsolete multi-line parsing (using buffering with maxlines) it is more precise and can recognize multiple failure attempts within the same connection (MLFID).
    • Several filters optimized with pre-filtering using new option prefregex, and multiline filter using <F-MLFID> + <F-NOFAIL> combination;
    • Exposes filter group captures in actions (non-recursive interpolation of tags <F-...>, see gh-1698, gh-1110)
    • Some filters extended with user name (can be used in gh-1243 to distinguish IP and user, resp. to remove after success login the user-related failures only);
    • Safer, more stable and faster replaceTag interpolation (switched from cycle over all tags to re.sub with callable)
    • substituteRecursiveTags optimization + moved in helpers facilities (because currently used commonly in server and in client)
    • New tags (usable in actions):
      • <fid> - failure identifier (if raw resp. failures without IP address)
      • <ip-rev> - PTR reversed representation of IP address
      • <ip-host> - host name of the IP address
      • <bancount> - ban count of this offender if known as bad (started by 1 for unknown)
      • <bantime> - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
      • <F-...> - interpolates to the corresponding filter group capture ...
      • <fq-hostname> - fully-qualified name of host (the same as $(hostname -f))
      • <sh-hostname> - short hostname (the same as $(uname -n))
    • Introduced new action command actionprolong to prolong ban-time (e. g. set new timeout if expected); Several actions (like ipset, etc.) rewritten using net logic with actionprolong. Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).
    • Allow to use filter options by fail2ban-regex, example: fail2ban-regex text.log "sshd[mode=aggressive]"
    • Samples test case factory extended with filter options - dict in JSON to control filter options (e. g. mode, etc.): # filterOptions: {"mode": "aggressive"}
    • Introduced new jail option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true). Fail2ban will not ban a host which matches such addresses. Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
    • Regex will be compiled as MULTILINE only if needed (buffering with maxlines > 1), that enables:
      • to improve performance by the single line parsing (see gh-1733);
      • make regex more precise (because distinguish between anchors ^/$ for the begin/end of string and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow the parsing of log-entries contain new-line chars (as single entry);
      • if multiline regex however expected (by single-line parsing without buffering) - prefix (?m) could be used in regex to enable it;
    • Implemented execution of actionstart on demand (conditional), if action depends on family (gh-1742):
      • new action parameter actionstart_on_demand (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter param?family=... presents in action properties), see action.d/pf.conf for example;
      • additionally actionstop will be executed only for families previously executing actionstart (starting on demand only)
    • Introduced new command actionflush: executed in order to flush all bans at once e. g. by unban all, reload with removing action, stop, shutdown the system (gh-1743), the actions having actionflush do not execute actionunban for each single ticket
    • Add new command actionflush default for several iptables/iptables-ipset actions (and common include);
    • Add new jail option logtimezone to force the timezone on log lines that don't have an explicit one (gh-1773)
    • Implemented zone abbreviations (like CET, CEST, etc.) and abbr+-offset functionality (accept zones like 'CET+0100'), for the list of abbreviations see strptime.TZ_STR;
    • Introduced new option --timezone (resp. --TZ) for fail2ban-regex.
    • Tokens %z and %Z are changed (more precise now);
    • Introduced new tokens %Exz and %ExZ that fully support zone abbreviations and/or offset-based zones (implemented as enhancement using custom datepattern, because may be too dangerous for default patterns and tokens like %z); Note: the extended tokens supported zone abbreviations, but it can parse 1 or 3-5 char(s) in lowercase. Don't use them in default date-patterns (if not anchored, few precise resp. optional). Because python currently does not support mixing of case-sensitive with case-insensitive matching, the TZ (in uppercase) cannot be combined with %a/%b etc (that are currently case-insensitive), to avoid invalid date-time recognition in strings like '11-Aug-2013 03:36:11.372 error ...' with wrong TZ "error". Hence %z currently match literal Z|UTC|GMT only (and offset-based), and %Exz - all zone abbreviations.
    • filter.d/courier-auth.conf: support failed logins with method only
    • Config reader's: introduced new syntax %(section/option)s, in opposite to extended interpolation of python 3 ${section:option} work with all supported python version in fail2ban and this syntax is like our another features like %(known/option)s, etc. (gh-1750)
    • Variable default_backend switched to %(default/backend)s, so totally backwards compatible now, but now the setting of parameter backend in default section of jail.local can overwrite default backend also (see gh-1750). In the future versions parameter default_backend can be removed (incompatibility, possibly some distributions affected).
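The <F-MLFID> / <F-NOFAIL> / <F-MLFFORGET> processing described in the v0.10.0 enhancements above, as an added simplified Python model (not fail2ban's own code). The `svc[...]` log format, the rules and the plain named groups standing in for the tags are assumptions made for this illustration.

```python
import re

# Hypothetical single-line rules. Named groups stand in for the tags:
#   mlfid  ~ <F-MLFID>      identifier shared by all lines of one connection
#   nofail ~ <F-NOFAIL>     line only contributes info (here: the address)
#   forget ~ <F-MLFFORGET>  connection ended, drop the stored info
RULES = [
    re.compile(r"^svc\[(?P<mlfid>\d+)\]: (?P<nofail>connect) from (?P<host>\S+)$"),
    re.compile(r"^svc\[(?P<mlfid>\d+)\]: auth failed for user (?P<user>\S+)$"),
    re.compile(r"^svc\[(?P<mlfid>\d+)\]: (?P<forget>connection closed)$"),
]

# Constructed sample log: two interleaved connections, then a reused identifier.
LOG = [
    "svc[101]: connect from 203.0.113.7",
    "svc[102]: connect from 198.51.100.9",
    "svc[101]: auth failed for user alice",
    "svc[101]: auth failed for user root",
    "svc[101]: connection closed",
    "svc[102]: connection closed",
    "svc[101]: auth failed for user eve",   # id reused after forget: no address known
]


def find_failures(lines, rules=RULES):
    """Return (host, user) for every failure line, one line at a time.

    No window of previous lines is buffered; the only state kept is a small
    dict of info per connection identifier.
    """
    pending = {}    # mlfid -> info accumulated from earlier lines
    failures = []
    for line in lines:
        for rule in rules:
            m = rule.match(line)
            if not m:
                continue
            groups = {k: v for k, v in m.groupdict().items() if v is not None}
            mlfid = groups.pop("mlfid")
            nofail = groups.pop("nofail", None) is not None
            forget = groups.pop("forget", None) is not None
            info = pending.setdefault(mlfid, {})
            info.update(groups)              # merge host/user seen on this line
            if forget:
                pending.pop(mlfid, None)     # later lines must not inherit old info
            elif not nofail and "host" in info:
                failures.append((info["host"], info.get("user")))
            break                            # first matching rule wins
    return failures


if __name__ == "__main__":
    for host, user in find_failures(LOG):
        print(host, user)
```

Both failures on connection 101 are reported separately against the address learned from its connect line, which a buffered maxlines window would typically collapse into one match.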
  • v0.10.0-alpha Changes

    July 14, 2016

    Fixes

    • [Grave] memory leak's fixed (gh-1277, gh-1234)
    • [Grave] Misleading date patterns defined more precisely (using extended syntax %Ex[mdHMS] for exact two-digit match or e. g. %ExY as more precise year pattern, within same century of last year and the next 3 years)
    • [Grave] extends date detector template with distance (position of match in log-line), to prevent grave collision using (re)ordered template list (e.g. find-spot of wrong date-match inside foreign input, misleading date patterns by ambiguous formats, etc.)
    • Distance collision check always prefers template with shortest distance (left for right) if date pattern is not anchored
    • Tricky bug fix: last position of log file will be never retrieved (gh-795), because of CASCADE all log entries will be deleted from logs table together with jail, if used "INSERT OR REPLACE" statement
    • Asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
    • testSocket: sporadic bug repaired - wait for server thread starts a socket (listener)
    • testExecuteTimeoutWithNastyChildren: sporadic bug repaired - wait for pid file inside bash, kill tree in any case (gh-1155)
    • purge database will be executed now (within observer).
    • restoring currently banned ip after service restart fixed (now < timeofban + bantime), ignore old log failures (already banned)
    • Fixed high-load of pyinotify-backend, see https://github.com/fail2ban/fail2ban/issues/885#issuecomment-248964591
    • Database: stability fix - repack cursor iterator as long as locked
    • File filter backends: stability fix for sporadically errors - always close file handle, otherwise may be locked (prevent log-rotate, etc.)
    • Pyinotify-backend: stability fix for sporadically errors in multi-threaded environment (without lock)
    • Fixed sporadic error in testCymruInfoNxdomain, because of unsorted values
    • Misleading errors logged from ignorecommand in success case on retcode 1 (gh-1194)
    • fail2ban.service - systemd service updated (gh-1618):
      • starting service in normal mode (without forking)
      • does not restart if service exited normally (exit-code 0, e.g. stopped via fail2ban-client)
      • does not restart if service can not start (exit-code 255, e.g. wrong configuration, etc.)
      • service can be additionally started/stopped with commands (fail2ban-client, fail2ban-server)
      • automatically creates /var/run/fail2ban directory before start fail2ban (systems with virtual resp. memory-based FS for /var/run), see gh-1531
      • if fail2ban running as systemd-service, for logging to the systemd-journal, the logtarget could be set to STDOUT
      • value logtarget for system targets allowed also in lowercase (stdout, stderr, syslog, etc.)
    • Fixed UTC/GMT named time zone, using %Z and %z patterns (special case with 0 zone offset, see gh-1575)
    • filter.d/freeswitch.conf
      • Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
      • User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)

    New Features

    • IPv6 support:
      • IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6
      • iptables related actions have been amended to support IPv6 specific actions additionally
      • hostsdeny and route actions have been tested to be aware of v4 and v6 already
      • pf action for *BSD systems has been improved and supports now also v4 and v6
      • name resolution is now working for either address type
      • new conditional section functionality used in config resp. includes:
        • [Init?family=inet4] - IPv4 qualified hosts only
        • [Init?family=inet6] - IPv6 qualified hosts only
    • Increment ban time (+ observer) functionality introduced. Thanks Serg G. Brester (sebres)
    • Database functionality extended with bad ips.
    • New reload functionality (now totally without restart, unbanning/rebanning, etc.), see gh-1557
    • Several commands extended and new commands introduced:
      • restart [--unban] [--if-exists] <JAIL> - restarts the jail <JAIL> (alias for reload --restart ... <JAIL>)
      • reload [--restart] [--unban] [--all] - reloads the configuration without restarting of the server, the option --restart activates completely restarting of affected jails, thereby can unban IP addresses (if option --unban specified)
      • reload [--restart] [--unban] [--if-exists] <JAIL> - reloads the jail <JAIL>, or restarts it (if option --restart specified), at the same time unbans all IP addresses banned in this jail, if option --unban specified
      • unban --all - unbans all IP addresses (in all jails and database)
      • unban <IP> ... <IP> - unbans <IP> (in all jails and database) (see gh-1388)
      • introduced new option -t or --test to test configuration resp. start server only if configuration is clean (fails by wrong configured jails if option -t specified)
    • New command action parameter actionrepair - command executed in order to restore sane environment in error case of actioncheck.
    • Reporting via abuseipdb.com:
      • Bans can now be reported to abuseipdb
      • Categories must be set in the config
      • Relevant log lines included in report

    Enhancements

    • Huge increasing of fail2ban performance and especially test-cases performance (see gh-1109)
    • Datedetector: in-place reordering using hits and last used time: matchTime, template list etc. rewritten because of performance degradation
    • Prevent out of memory situation if many IP's makes extremely many failures (maxEntries)
    • Introduced string to seconds (str2seconds) for configuration entries with time, use 1h instead of 3600, 1d instead of 86400, etc
    • seekToTime - prevent completely read of big files first time (after start of service), initial seek to start time using half-interval search algorithm (see issue gh-795)
    • Ticket and some other modules prepared to easy merge with newest version of 'ban-time-incr'
    • Cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name, especially for wrong dns or lazy dns-system
    • FailManager memory-optimization: increases performance, prevents memory leakage, because don't copy failures list on some operations
    • fail2ban-testcases - new options introduced:
      • -f, --fast to decrease wait intervals, avoid passive waiting, and skip few very slow test cases (implied memory database, see -m and no gamin tests -g)
      • -g, --no-gamin to prevent running of tests that require the gamin (slow)
      • -m, --memory-db - run database tests using memory instead of file
      • -i, --ignore - negate [regexps] filter to ignore tests matched specified regexps
    • Background servicing: prevents memory leak on some platforms/python versions, using forced GC in periodic intervals (latency and threshold)
    • executeCmd partially moved from action to new module utils
    • Several functionality of class DNSUtils moved to new class IPAddr, both classes moved to new module ipdns
    • Pseudo-conditional section introduced, for conditional substitution resp. evaluation of parameters for different family qualified hosts, syntax [Section?family=inet6] (currently use for IPv6-support only).
    • All the backends were rewritten to get reload-possibility, performance increased, so fewer greedy regarding cpu- resp. system-load now
    • Numeric log-level allowed now in server (resp. fail2ban.conf);
    • Implemented better error handling in some multi-threaded routines; shutdown of jails rewritten (faster and safer, does not break shutdown process if some error occurred)
    • Possibility for overwriting some configuration options (read with config-readers) with command line option, e. g.:

      ```bash
      ## start server with DEBUG log-level (ignore level read from fail2ban.conf):
      fail2ban-client --loglevel DEBUG start
      ## or
      fail2ban-server -c /cfg/path --loglevel DEBUG start
      ## keep server log-level by reload (without restart it)
      fail2ban-client --loglevel DEBUG reload
      ## switch log-level back to INFO:
      fail2ban-client set loglevel INFO
      ```
    • Optimized BanManager: increase performance, fewer system load, try to prevent memory leakage:
      • better ban/unban handling within actions (e.g. used dict instead of list)
      • don't copy bans resp. its list on some operations;
      • added new unbantime handling to relieve unBanList (prevent permanent searching for tickets to unban)
      • prefer failure-ID as identifier of the ticket to its IP (most of the time the same, but it can be something else e.g. user name in some complex jails, as introduced in 0.10)
    • Regexp enhancements:
      • build replacement of <HOST> substitution corresponding parameter usedns - dns-part will be added only if usedns is not no, also using fail2ban-regex
      • new replacement for <ADDR> in opposition to <HOST>, for separate usage of 2 address groups only (regardless of usedns), ip4 and ip6 together, without host (dns)
    • Misconfigured jails don't prevent fail2ban from starting, server starts nevertheless, as long as one jail was successful configured (gh-1619) Message about wrong jail configuration logged in client log (stdout, systemd journal etc.) and in server log with error level
    • More precise date template handling (WARNING: theoretically possible incompatibilities):
      • datedetector rewritten more strict as earlier;
      • default templates can be specified exacter using prefix/suffix syntax (via datepattern);
      • more as one date pattern can be specified using option datepattern now (new-line separated);
      • some default options like datepattern can be specified directly in section [Definition], that avoids contrary usage of unnecessarily [Init] section, because of performance (each extra section costs time);
      • option datepattern can be specified in jail also (e. g. jails without filters or custom log-format, new-line separated for multiple patterns);
      • if first unnamed group specified in pattern, only this will be cut out from search log-line (e. g.: ^date:[({DATE})] will cut out only datetime match pattern, and leaves date:[] ... for searching in filter);
      • faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
      • several standard filters extended with exact prefixed or anchored date templates;
    • Added possibility to recognize restored state of the tickets (see gh-1669). New option norestored introduced, to ignore restored tickets (after restart). To avoid execution of ban/unban for the restored tickets, norestored = true could be added in definition section of action. For conditional usage in the shell-based actions an interpolation <restored> could be used also. E. g. it is enough to add following script-piece at begin of actionban (or actionunban) to prevent execution: if [ '<restored>' = '1' ]; then exit 0; fi; Several actions extended now using norestored option:
      • complain.conf
      • dshield.conf
      • mail-buffered.conf
      • mail-whois-lines.conf
      • mail-whois.conf
      • mail.conf
      • sendmail-buffered.conf
      • sendmail-geoip-lines.conf
      • sendmail-whois-ipjailmatches.conf
      • sendmail-whois-ipmatches.conf
      • sendmail-whois-lines.conf
      • sendmail-whois-matches.conf
      • sendmail-whois.conf
      • sendmail.conf
      • smtp.py
      • xarf-login-attack.conf
    • fail2ban-testcases:
      • assertLogged extended with parameter wait (to wait up to specified timeout, before we throw assert exception) + test cases rewritten using that
      • added assertDictEqual for compatibility to early python versions (< 2.7);
      • new with_foreground_server_thread decorator to test several client/server commands
  • v0.9.8 Changes

    0.9.x line is no longer heavily developed. If you are interested in new features (e.g. IPv6 support), please consider 0.10 branch and its releases.

    Fixes

    • Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991. Partially back-ported from v.0.10.
    • action.d/bsd-ipfw.conf
      • Make the rule number, the action starts looking for a free slot to insert the new rule, configurable (gh-1689)
      • Replace not posix-compliant grep option: fgrep with -q option can cause 141 exit code in some cases (gh-1389)
    • filter.d/apache-overflows.conf:
      • Fixes resources greedy expression (see gh-1790);
      • Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
    • filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
    • filter.d/asterisk.conf
      • fixed failregex AMI Asterisk authentification failed (see gh-1302)
      • removed invalid (vulnerable) regex blocking IPs using foreign data (from header "from") thus not the IP-address that really originates the request (see gh-1927)
      • fixed failregex for the SQL-injection attempts with single-quotes in connect-string (see gh-2011)
    • filter.d/dovecot.conf:
      • fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
      • extended to match pam_authenticate failures with "Permission denied" (gh-1897)
    • filter.d/exim.conf
      • fixed failregex for case of flood attempts with D=0s (gh-1887)
      • fixed failregex of "AUTH command used when not advertised" to better handle the foreign input SMTP command (lower/mixed case auth command, prevent injection) (gh-1979)
    • filter.d/postfix-*.conf - added optional port regex (gh-1902)
    • filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
    • filter.d/nginx-http-auth.conf - match usernames with spaces (gh-2015)

    New Features

    Enhancements

    • action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
    • action.d/firewallcmd-ipset.conf - new parameter actiontype, provides allports capability (gh-1167)
    • filter.d/kerio.conf - filter extended with new rules (see gh-1455)
    • filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
    • filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376)
  • v0.9.7 Changes

    May 11, 2017

    Fixes

    • Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
    • filter.d/sshd.conf
      • Fixed non-anchored part of failregex (misleading match of colon inside IPv6 address instead of : in the reason-part by missing space, gh-1658) (0.10th resp. IPv6 relevant only, amend for gh-1479)
    • config/pathes-freebsd.conf
      • Fixed filenames for apache and nginx log files (gh-1667)
    • filter.d/exim.conf
      • optional part (...) after host-name before [IP] (gh-1751)
      • new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
      • match of complex time like D=2m42s in regex "no MAIL in SMTP connection" (gh-1766)
    • filter.d/sshd.conf
      • new aggressive rules (gh-864):
        • Connection reset by peer (multi-line rule during authorization process)
        • No supported authentication methods available
      • single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions), according to gh-1206;
      • fixed expression received disconnect auth fail (optional space after port part, gh-1652) and suffix (logged from several ssh versions), according to gh-1206;
    • filter.d/suhosin.conf
      • greedy catch-all before <HOST> fixed (potential vulnerability)
    • filter.d/cyrus-imap.conf
      • accept entries without login-info resp. hostname before IP address (gh-1707)
    • Filter tests extended with check of all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>
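Why a greedy catch-all before <HOST> is treated as a potential vulnerability, and a lint in the spirit of the filter check in the last item above. This is an added Python example, not fail2ban's own test code. The log format, both expressions and the IPv4-only stand-in for <HOST> are constructed for illustration.

```python
import re

# Simplified IPv4-only stand-in for the <HOST> tag (assumption; the real expansion is broader).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Greedy catch-all: ".*" or ".+" that is neither escaped nor made lazy with "?".
GREEDY = re.compile(r"(?<!\\)\.[*+](?!\?)")

# Hypothetical failregex pair for a constructed "auth failure" format in which the
# client-controlled user name is logged AFTER the real peer address.
LOOSE = r"auth failure;.* rhost=<HOST>"
STRICT = (r"auth failure;(?:\s+(?:logname|uid|tty)=\S*)*"
          r"\s+rhost=<HOST>(?:\s+user=.*)?$")

# Constructed sample lines. 203.0.113.7 is the real peer; in SPOOFED the user
# name itself contains text that looks like a second rhost field.
ORDINARY = "app[123]: auth failure; logname= uid=0 tty=ssh rhost=203.0.113.7 user=bob"
SPOOFED = ("app[123]: auth failure; logname= uid=0 tty=ssh "
           "rhost=203.0.113.7 user=bob rhost=192.0.2.10")


def matched_host(failregex, line):
    """Return the address the expression would report for this line, or None."""
    m = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None


def risky_greedy(failregex):
    """Heuristic lint: flag a greedy catch-all before <HOST> unless the rest of
    the expression is end-anchored and contains no catch-all of its own.

    A clean result does not prove an expression safe; it only rules out this
    one pattern.
    """
    before, tag, after = failregex.partition("<HOST>")
    if not tag or not GREEDY.search(before):
        return False
    end_anchored = after.endswith("$") and not after.endswith("\\$")
    return not end_anchored or bool(GREEDY.search(after))


if __name__ == "__main__":
    for name, rx in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "flagged:", risky_greedy(rx),
              "| ordinary ->", matched_host(rx, ORDINARY),
              "| spoofed ->", matched_host(rx, SPOOFED))
```

The loose expression reports the address embedded in the user name, so the wrong host would be banned; the strict one consumes only fixed-shape fields before <HOST> and keeps reporting the real peer.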

    New Features

    • New Actions:

      • action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)
    • New Filters:

      • filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)

    Enhancements

    • Introduced new log-level MSG (as INFO-2, equivalent to 18)
  • v0.9.7-2

    August 04, 2017
  • v0.9.6 Changes

    December 10, 2016

    Fixes

    • Misleading add resp. enable of (already available) jail in database, that induced a subsequent error: last position of log file will be never retrieved (gh-795)
    • Fixed a distribution related bug within testReadStockJailConfForceEnabled (e.g. test-cases faults on Fedora, see gh-1353)
    • Fixed pythonic filters and test scripts (running via wrong python version, uses "fail2ban-python" now);
    • Fixed test case "testSetupInstallRoot" for not default python version (also using direct call, out of virtualenv);
    • Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
    • FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
    • Monit config: scripting is not supported in path (gh-1556)
    • filter.d/apache-modsecurity.conf
      • Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all replaced for safer match, unneeded catch-all anchoring removed, non-capturing
    • filter.d/asterisk.conf
      • Fixed to match different asterisk log prefix (source file: method:)
    • filter.d/dovecot.conf
      • Fixed failregex ignores failures through some not relevant info (gh-1623)
    • filter.d/ignorecommands/apache-fakegooglebot
      • Fixed error within apache-fakegooglebot, that will be called with wrong python version (gh-1506)
    • filter.d/assp.conf
      • Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
    • filter.d/postfix-sasl.conf
      • Allow for having no trailing space after 'failed:' (gh-1497)
    • filter.d/vsftpd.conf
      • Optional reason part in message after FAIL LOGIN (gh-1543)
    • filter.d/sendmail-reject.conf
      • removed mandatory double space (if dns-host available, gh-1579)
    • filter.d/sshd.conf
      • recognized "Failed publickey for" (gh-1477);
      • optimized failregex to match all of "Failed any-method for ... from " (gh-1479)
      • eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
      • optional port part after host (see gh-1533, gh-1581)

    New Features

    • New Actions:
      • action.d/npf.conf for NPF, the latest packet filter for NetBSD
    • New Filters:
      • filter.d/mongodb-auth.conf for MongoDB (document-oriented NoSQL database engine) (gh-1586, gh-1606 and gh-1607)

    Enhancements

    • DateTemplate regexp extended with the word-end boundary, additionally to word-start boundary
    • Introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located):
      • allows to use the same version, fail2ban currently running, e.g. in external scripts just via replace python with fail2ban-python: diff -#!/usr/bin/env python +#!/usr/bin/env fail2ban-python
      • always the same pickle protocol
      • the same (and also guaranteed available) fail2ban modules
      • simplified stand-alone install, resp. stand-alone installation possibility via setup (like gh-1487) is getting closer
    • Several test cases rewritten using new methods assertIn, assertNotIn
    • New forward compatibility method assertRaisesRegexp (normally python >= 2.7). Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged are test covered now
    • Jail configuration extended with new syntax to pass options to the backend (see gh-1408), examples:
      • backend = systemd[journalpath=/run/log/journal/machine-1]
      • backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]
      • backend = systemd[journalflags=2]
  • v0.9.5 Changes

    July 15, 2016

    Fixes

    • filter.d/monit.conf
      • Extended failregex with new monit "access denied" version (gh-1355)
      • failregex of previous monit version merged as single expression
    • filter.d/postfix.conf, filter.d/postfix-sasl.conf
      • Extended failregex daemon part, matching also postfix/smtps/smtpd now (gh-1391)
    • Fixed a grave bug within tags substitutions because of incorrect detection of recursion in case of multiple inline substitutions of the same tag (affected actions: bsd-ipfw, etc). Now tracks the actual list of the already substituted tags (per tag instead of single list)
    • filter.d/common.conf
      • Unexpected extra regex-space in generic __prefix_line (gh-1405)
      • All optional spaces normalized in common.conf, test covered now
      • Generic __prefix_line extended with optional brackets for the date ambit (gh-1421), added new parameter __date_ambit
    • gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon, not argument of fail2ban (see gh-1434)
    • filter.d/asterisk.conf
      • Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
      • Improved log support for PJSIP and Asterisk 13+ with different callID (gh-1458)

    New Features

    • New Actions:
      • action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367)
    • New filters:
      • slapd - ban hosts, that were failed to connect with invalid credentials: error code 49 (gh-1478)

    Enhancements

    • Extreme speedup of all sqlite database operations (gh-1436), by using of following sqlite options:
      • (synchronous = OFF) write data through OS without syncing
      • (journal_mode = MEMORY) use memory for the transaction logging
      • (temp_store = MEMORY) temporary tables and indices are kept in memory
    • journald journalmatch for pure-ftpd (gh-1362)
    • Added additional regex filter for dovecot ldap authentication failures (gh-1370)
    • filter.d/exim*conf
      • Added additional regexes (gh-1371)
      • Made port entry optional