
Changelog History

  • v0.11.2 Changes

    November 23, 2020

    Compatibility:

    • to v.0.10:
      • 0.11 is fully compatible with 0.10 (configuration and API), but the database got some new tables and fields (auto-converted during the first start), so once updated to 0.11, you have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (or the parts of its schema that differ from 0.10) if you need to downgrade to 0.10 for some reason.
    • to v.0.9:

      • Filter (or failregex) internal capture-groups:
      • If you have your own failregex or custom filters using the conditional match (?P=host), rewrite the regex as in the example below, using (?:(?P=ip4)|(?P=ip6)) instead of (?P=host) (or (?:(?P=ip4)|(?P=ip6)|(?P=dns)), depending on your usedns and raw settings).

      Of course you can always define your own capture-group (like below _cond_ip_) to do this.

        testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
        fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
      
      • New internal groups (currently reserved for internal usage): ip4, ip6, dns, fid, fport, additionally user and another captures in lower case if mapping from tag <F-*> used in failregex (e. g. user by <F-USER>).
      • v.0.10 and 0.11 use more precise date template handling, which can theoretically be incompatible with some user configurations or datepattern settings.
      • Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are IPv6-capable now.
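
Added example (not part of the fail2ban changelog or code base): the conditional-match migration above, reproduced with Python's re module, which failregex uses. The <HOST> expansion here is a simplified stand-in and the log messages are constructed; it shows that a back-reference to host no longer resolves, and that both rewrites accept a line only when the two addresses are identical.

```python
import re

# Simplified stand-ins for what <HOST> expands to in fail2ban 0.10+ (assumption
# for this example: the real patterns are stricter and may add a "dns" group).
IP4 = r"(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
IP6 = r"(?P<ip6>(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4})"
HOST_EXPANSION = r"(?:%s|\[?%s\]?)" % (IP4, IP6)

# 0.9-style filter: back-reference to a group named "host".
OLD_09 = r"^\s*failure from <HOST>: bad host (?P=host)$"
# Rewrite using the internal groups named in the changelog.
NEW_INTERNAL = r"^\s*failure from <HOST>: bad host (?:(?P=ip4)|(?P=ip6))$"
# Rewrite using an own capture group, as in the fail2ban-regex example above.
NEW_OWN = r"^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"

# Constructed sample messages (timestamp already removed).
SAME_V4 = "failure from 192.0.2.1: bad host 192.0.2.1"
SAME_V6 = "failure from 2001:db8::1: bad host 2001:db8::1"
OTHER_HOST = "failure from 192.0.2.1: bad host 198.51.100.7"
PREFIX_ONLY = "failure from 192.0.2.1: bad host 192.0.2.10"


def expand(failregex):
    """Substitute the <HOST> tag with the simplified expansion."""
    return failregex.replace("<HOST>", HOST_EXPANSION)


def compiles(failregex):
    """True if the expanded regex is valid; (?P=host) has no group to refer to."""
    try:
        re.compile(expand(failregex))
        return True
    except re.error:
        return False


def matched_host(failregex, line):
    """Return the captured address, or None when the line is not a failure."""
    m = re.search(expand(failregex), line)
    if m is None:
        return None
    # Only one of the two alternatives takes part in a match.
    return m.group("ip4") or m.group("ip6")


if __name__ == "__main__":
    print("old regex compiles:", compiles(OLD_09))
    for name, rx in (("internal groups", NEW_INTERNAL), ("own group", NEW_OWN)):
        for line in (SAME_V4, SAME_V6, OTHER_HOST, PREFIX_ONLY):
            print("%-15s %-48r -> %s" % (name, line, matched_host(rx, line)))
```

The PREFIX_ONLY line is rejected only because of the trailing $ anchor; without it the back-reference would accept 192.0.2.10 as a match for 192.0.2.1.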

    Fixes

    • [stability] prevent race condition - no ban if filter (backend) is continuously busy if too many messages will be found in log, e. g. initial scan of large log-file or journal (gh-2660)
    • pyinotify-backend sporadically avoided initial scanning of log-file at start
    • python 3.9 compatibility (and Travis CI support)
    • restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
    • manual ban is written to database, so can be restored by restart (gh-2647)
    • jail.conf: don't specify action directly in jails (use action_ or banaction instead)
    • no mails-action added per default anymore (e. g. to allow that action = %(action_mw)s should be specified per jail or in default section in jail.local), closes gh-2357
    • ensure we've unique action name per jail (also if parameter actname is not set but name deviates from standard name, gh-2686)
    • don't use %(banaction)s interpolation because it can be complex value (containing [...] and/or quotes), so would bother the action interpolation
    • fixed type conversion in config readers (takes place after all interpolations are ready), which allows specifying typed parameters as variables (substitutions) as well as supplying them in other sections or as init parameters.
    • action.d/*-ipset*.conf: several ipset actions fixed (no timeout per default anymore), so no discrepancy between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh-2703)
    • action.d/cloudflare.conf: fixed actionunban (considering new-line chars and optionally real json-parsing with jq, gh-2140, gh-2656)
    • action.d/nftables.conf (type=multiport only): fixed port range selector, replacing : with - (gh-2763)
    • action.d/firewallcmd-*.conf (multiport only): fixed port range selector, replacing : with - (gh-2821)
    • action.d/bsd-ipfw.conf: fixed selection of rule-no by large list or initial lowest_rule_num (gh-2836)
    • filter.d/common.conf: avoid substitute of default values in related lt_* section, __prefix_line should be interpolated in definition section (inside the filter-config, gh-2650)
    • filter.d/dovecot.conf:
      • add managesieve and submission support (gh-2795);
      • accept messages with more verbose logging (gh-2573);
    • filter.d/courier-smtp.conf: prefregex extended to consider port in log-message (gh-2697)
    • filter.d/traefik-auth.conf: filter extended with parameter mode (normal, ddos, aggressive) to handle the match of username differently (gh-2693):
      • normal: matches 401 with supplied username only
      • ddos: matches 401 without supplied username only
      • aggressive: matches 401 and any variant (with and without username)
    • filter.d/sshd.conf: normalizing of user pattern in all RE's, allowing empty user (gh-2749)

    New Features and Enhancements

    • fail2ban-regex:
      • speedup formatted output (bypass unneeded stats creation)
      • extended with prefregex statistic
      • more informative output for datepattern (e. g. set from filter) - pattern : description
    • parsing of action in jail-configs considers space between action-names as separator also (previously only new-line was allowed), for example action = a b would specify 2 actions a and b
    • new filter and jail for GitLab recognizing failed application logins (gh-2689)
    • new filter and jail for Grafana recognizing failed application logins (gh-2855)
    • new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723)
    • filter.d/guacamole.conf extended with logging parameter to follow webapp-logging if it's configured (gh-2631)
    • filter.d/bitwarden.conf enhanced to support syslog (gh-2778)
    • introduced new prefix {UNB} for datepattern to disable word boundaries in regex;
    • datetemplate: improved anchor detection for capturing groups (^...);
    • datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc) as well as some warnings signaling user about invalid pattern or zone (gh-2814):
      • filter gets mode in-operation, which gets activated if filter starts processing of new messages; in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much from now (up to 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected bypass of failure (previously exceeding findtime);
      • better interaction with non-matching optional datepattern or invalid timestamps;
      • implements special datepattern {NONE} - allow to find failures totally without date-time in log messages, whereas filter will use now as timestamp (gh-2802)
    • performance optimization of datepattern (better search algorithm in datedetector, especially for single template);
    • fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791;
    • extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag prefix <F-TUPLE_, that would combine value of <F-V> with all value of <F-TUPLE_V?_n?> tags (gh-2755)
  • v0.11.1 Changes

    January 11, 2020

    Compatibility:

    • to v.0.10:
      • 0.11 is fully compatible with 0.10 (configuration and API), but the database got some new tables and fields (auto-converted during the first start), so once updated to 0.11, you have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (or the parts of its schema that differ from 0.10) if you need to downgrade to 0.10 for some reason.
    • to v.0.9:

      • Filter (or failregex) internal capture-groups:
      • If you have your own failregex or custom filters using the conditional match (?P=host), rewrite the regex as in the example below, using (?:(?P=ip4)|(?P=ip6)) instead of (?P=host) (or (?:(?P=ip4)|(?P=ip6)|(?P=dns)), depending on your usedns and raw settings).

      Of course you can always define your own capture-group (like below _cond_ip_) to do this.

        testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
        fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
      
      • New internal groups (currently reserved for internal usage): ip4, ip6, dns, fid, fport, additionally user and another captures in lower case if mapping from tag <F-*> used in failregex (e. g. user by <F-USER>).
      • v.0.10 and 0.11 use more precise date template handling, which can theoretically be incompatible with some user configurations or datepattern settings.
      • Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are IPv6-capable now.

    Fixes

    • purge database will be executed now (within observer).
    • restoring currently banned ip after service restart fixed (now < timeofban + bantime), ignore old log failures (already banned)
    • upgrade database: update new created table bips with entries from table bans (allows restore current bans after upgrade from version <= 0.10)

    New Features

    • Increment ban time (+ observer) functionality introduced.
    • Database functionality extended with bad ips.
    • New tags (usable in actions):
      • <bancount> - ban count of this offender if known as bad (started by 1 for unknown)
      • <bantime> - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
    • Introduced new action command actionprolong to prolong ban-time (e. g. set new timeout if expected); Several actions (like ipset, etc.) rewritten using net logic with actionprolong. Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).

    Enhancements

    • algorithm of restore current bans after restart changed: update the restored ban-time (and therefore end of ban) of the ticket with ban-time of jail (as maximum), for all tickets with ban-time greater (or persistent); not affected if ban-time of the jail is unchanged between stop/start.
    • added new setup-option --without-tests to skip building and installing of tests files (gh-2287).
    • added new command fail2ban-client get <JAIL> banip ?sep-char|--with-time? to get the banned ip addresses (gh-1916).
  • v0.11.0-dev Changes

    Fixes

    • purge database will be executed now (within observer).
    • restoring currently banned ip after service restart fixed (now < timeofban + bantime), ignore old log failures (already banned)
    • upgrade database: update new created table bips with entries from table bans (allows restore current bans after upgrade from version <= 0.10)

    New Features

    • Increment ban time (+ observer) functionality introduced.
    • Database functionality extended with bad ips.
    • New tags (usable in actions):
      • <bancount> - ban count of this offender if known as bad (started by 1 for unknown)
      • <bantime> - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
    • Introduced new action command actionprolong to prolong ban-time (e. g. set new timeout if expected); Several actions (like ipset, etc.) rewritten using net logic with actionprolong. Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).

    Enhancements

    • algorithm of restore current bans after restart changed: update the restored ban-time (and therefore end of ban) of the ticket with ban-time of jail (as maximum), for all tickets with ban-time greater (or persistent); not affected if ban-time of the jail is unchanged between stop/start.
    • added new setup-option --without-tests to skip building and installing of tests files (gh-2287).
    • added new command fail2ban-client get <JAIL> banip ?sep-char|--with-time? to get the banned ip addresses (gh-1916).
  • v0.10.6 Changes

    November 23, 2020

    ver. 0.10.6 (2020/11/23) - just what the doctor ordered

    Last (due to v.0.11) release of 0.10th fail2ban-version, filter and action updates, etc.
    See the ChangeLog for more information.

    It also includes a Debian package, built without a test suite (fail2ban-testcases, fail2ban.test python module).

  • v0.10.5 Changes

    January 10, 2020

    Yes, Hrrrm...

    Fixes

    • [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixed in gh-2444 in order to ignore user session files per default, so could prevent "Too many open files" errors on a lot of user sessions (see gh-2392)
    • [grave] fixed parsing of multi-line filters (maxlines > 1) together with systemd backend, now systemd-filter replaces newlines in message from systemd journal with \n (otherwise multi-line parsing may be broken, because removal of matched string from multi-line buffer window is confused by such extra new-lines, so they are retained and got matched on every followed message, see gh-2431)
    • [stability] prevent race condition - no unban if the bans occur continuously (gh-2410); now an unban-check will happen not later than 10 tickets get banned regardless there are still active bans available (precedence of ban over unban-check is 10 now)
    • fixed read of included config-files (.local overwrites options of .conf for config-files included with before/after)
    • action.d/abuseipdb.conf: switched to use AbuseIPDB API v2 (gh-2302)
    • action.d/badips.py: fixed start of banaction on demand (which may be IP-family related), gh-2390
    • action.d/helpers-common.conf: rewritten grep arguments, now options -wF used to match only whole words and fixed string (not as pattern), gh-2298
    • filter.d/apache-auth.conf:
      • ignore errors from mod_evasive in normal mode (mode-controlled now) (gh-2548);
      • extended with option mode - normal (default) and aggressive
    • filter.d/sshd.conf:
      • matches Bad protocol version identification in ddos and aggressive modes (gh-2404).
      • captures Disconnecting ...: Change of username or service not allowed (gh-2239, gh-2279)
      • captures Disconnected from ... [preauth], preauth phase only, different handling by extra (with supplied user only) and ddos/aggressive mode (gh-2115, gh-2239, gh-2279)
    • filter.d/mysqld-auth.conf:
      • MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words enclosed in brackets after "[Note]" (gh-2314)
    • filter.d/sendmail-reject.conf:
      • mode=extra now captures port IDs of TLSMTA and MSA (defaults for ports 465 and 587 on some distros)
    • files/fail2ban.service.in: fixed systemd-unit template - missing nftables dependency (gh-2313)
    • several action.d/mail*: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
    • filter.d/sendmail-reject.conf: fixed journal usage for some systems (e. g. CentOS): if only identifier set to sm-mta (no unit sendmail) for some messages (gh-2385)
    • filter.d/asterisk.conf: asterisk can log additional timestamp if logs into systemd-journal (regex extended with optional part matching this, gh-2383)
    • filter.d/postfix.conf:
      • regexp's accept variable suffix code in status of postfix for precise messages (gh-2442)
      • extended with new postfix filter mode errors to match "too many errors" (gh-2439), also included within modes normal, more (extra and aggressive), since postfix parameter smtpd_hard_error_limit is default 20 (additionally consider maxretry)
    • filter.d/named-refused.conf:
      • support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
      • prefregex extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
    • filter.d/sendmail-auth.conf, filter.d/sendmail-reject.conf :
      • ID in prefix can be longer than 14 characters (gh-2563);
    • all filters would accept square brackets around IPv4 addresses also (e. g. monit-filter, gh-2494)
    • avoids unhandled exception during flush (gh-2588)
    • fixes pass2allow-ftp jail - due to inverted handling, action should prohibit access per default for any IP, therefore reset start on demand parameter for this action (it will be started immediately by repair);
    • auto-detection of IPv6 subsystem availability (important for not on-demand actions or jails, like pass2allow);

    New Features

    • new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559):
      • <CIDR> - helper regex to match CIDR (simple integer form of net-mask);
      • <SUBNET> - regex to match sub-net addresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
    • grouped tags (<ADDR>, <HOST>, <SUBNET>) recognize IP addresses enclosed in square brackets
    • new failregex-flag tag <F-MLFGAINED> for failregex, signaled that the access to service was gained (ATM used similar to tag <F-NOFAIL>, but it does not add the log-line to matches, gh-2279)
    • filters: introduced new configuration parameter logtype (default file for file-backends, and journal for journal-backends, gh-2387); can be also set to rfc5424 to force filters (which include common.conf) to use RFC 5424 conform prefix-line per default (gh-2467);
    • for better performance and safety the option logtype can be also used to select short prefix-line for file-backends too for all filters using __prefix_line (common.conf), if message logged only with hostname svc[nnnn] prefix (often the case on several systems):

        [jail]
        backend = auto
        filter = flt[logtype=short]

    • filter.d/common.conf: differentiate __prefix_line for file/journal logtype's (speedup and fix parsing of systemd-journal);
    • filter.d/traefik-auth.conf: used to ban hosts, that were failed through traefik
    • filter.d/znc-adminlog.conf: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded

    Enhancements

    • introduced new options: dbmaxmatches (fail2ban.conf) and maxmatches (jail.conf) to control how many matches per ticket fail2ban can hold in memory and store in database (gh-2402, gh-2118);
    • fail2ban.conf: introduced new section [Thread] and option stacksize to configure default size of the stack for threads running in fail2ban (gh-2356), it could be set in fail2ban.local to avoid runtime error "can't start new thread" (see gh-969);
    • jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations containing new-line);
    • fail2ban-client: extended to ban/unban multiple tickets (see gh-2351, gh-2349); Syntax:
      • fail2ban-client set <jail> banip <ip1> ... <ipN>
      • fail2ban-client set <jail> unbanip [--report-absent] <ip1> ... <ipN>
    • fail2ban-client: extended with new feature which allows to inform fail2ban about single or multiple attempts (failure) for IP (resp. failure-ID), see gh-2351; Syntax:
      • fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]
    • action.d/nftables.conf:
      • isolate fail2ban rules into a dedicated table and chain (gh-2254)
      • nftables-allports supports multiple protocols in single rule now
      • combined nftables actions to single action nftables:
      • nftables-common is removed (replaced with single action nftables now)
      • nftables-allports is obsolete, superseded by nftables[type=allports]
      • nftables-multiport is obsolete, superseded by nftables[type=multiport]
      • allowed multiple protocols in nftables[type=multiport] action (single set with multiple rules in chain), following configuration in jail would replace 3 separate actions, see https://github.com/fail2ban/fail2ban/pull/2254#issuecomment-534684675
    • action.d/badips.py: option loglevel extended with level of summary message, following example configuration logging summary with NOTICE and rest with DEBUG log-levels: action = badips.py[loglevel="debug, notice"]
    • samplestestcase.py (testSampleRegexsFactory) extended:
      • allow coverage of journal logtype;
      • new option fileOptions to set common filter/test options for whole test-file;
    • large enhancement: auto-reban, improved invariant check and conditional operations (gh-2588):
      • improves invariant check and repair (avoid unhandled exception, consider family on conditional operations, etc), prepared for bulk re-ban in repair case (if bulk-ban becomes implemented);
      • automatic reban (repeat banning action) after repair/restore sane environment, if already logged ticket causes new failures (via new action operation actionreban or actionban if still not defined in action);
      • introduces banning epoch for actions and tickets (to distinguish or recognize removed set of the tickets);
      • invariant check avoids repair by unban/stop (unless parameter actionrepair_on_unban set to true);
      • better handling for all conditional operations (distinguish families for certain operations like repair/flush/stop, prepared for other families, e. g. if different handling for subnets expected, etc);
      • partially implements gh-980 (more breakdown safe handling);
      • closes gh-1680 (better as large-scale banning implementation with on-demand reban by failure, at least unless a bulk-ban gets implemented);
    • fail2ban-regex - several enhancements and fixes:
      • improved usage output (don't put a long help if an error occurs);
      • new option --no-check-all to avoid check of all regex's (first matched only);
      • new option -o, --out to set token only provided in output (disables check-all and outputs only expected data).
  • v0.10.5-dev Changes

    Fixes

    • [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixed in gh-2444 in order to ignore user session files per default, so could prevent "Too many open files" errors on a lot of user sessions (see gh-2392)
    • [grave] fixed parsing of multi-line filters (maxlines > 1) together with systemd backend, now systemd-filter replaces newlines in message from systemd journal with \n (otherwise multi-line parsing may be broken, because removal of matched string from multi-line buffer window is confused by such extra new-lines, so they are retained and got matched on every followed message, see gh-2431)
    • [stability] prevent race condition - no unban if the bans occur continuously (gh-2410); now an unban-check will happen not later than 10 tickets get banned regardless there are still active bans available (precedence of ban over unban-check is 10 now)
    • fixed read of included config-files (.local overwrites options of .conf for config-files included with before/after)
    • action.d/abuseipdb.conf: switched to use AbuseIPDB API v2 (gh-2302)
    • action.d/badips.py: fixed start of banaction on demand (which may be IP-family related), gh-2390
    • action.d/helpers-common.conf: rewritten grep arguments, now options -wF used to match only whole words and fixed string (not as pattern), gh-2298
    • filter.d/apache-auth.conf:
      • ignore errors from mod_evasive in normal mode (mode-controlled now) (gh-2548);
      • extended with option mode - normal (default) and aggressive
    • filter.d/sshd.conf:
      • matches Bad protocol version identification in ddos and aggressive modes (gh-2404).
      • captures Disconnecting ...: Change of username or service not allowed (gh-2239, gh-2279)
      • captures Disconnected from ... [preauth], preauth phase only, different handling by extra (with supplied user only) and ddos/aggressive mode (gh-2115, gh-2239, gh-2279)
    • filter.d/mysqld-auth.conf:
      • MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words enclosed in brackets after "[Note]" (gh-2314)
    • filter.d/sendmail-reject.conf:
      • mode=extra now captures port IDs of TLSMTA and MSA (defaults for ports 465 and 587 on some distros)
    • files/fail2ban.service.in: fixed systemd-unit template - missing nftables dependency (gh-2313)
    • several action.d/mail*: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
    • filter.d/sendmail-reject.conf: fixed journal usage for some systems (e. g. CentOS): if only identifier set to sm-mta (no unit sendmail) for some messages (gh-2385)
    • filter.d/asterisk.conf: asterisk can log additional timestamp if logs into systemd-journal (regex extended with optional part matching this, gh-2383)
    • filter.d/postfix.conf:
      • regexp's accept variable suffix code in status of postfix for precise messages (gh-2442)
      • extended with new postfix filter mode errors to match "too many errors" (gh-2439), also included within modes normal, more (extra and aggressive), since postfix parameter smtpd_hard_error_limit is default 20 (additionally consider maxretry)
    • filter.d/named-refused.conf:
      • support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
      • prefregex extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
    • filter.d/sendmail-auth.conf, filter.d/sendmail-reject.conf :
      • ID in prefix can be longer than 14 characters (gh-2563);
    • all filters would accept square brackets around IPv4 addresses also (e. g. monit-filter, gh-2494)
    • avoids unhandled exception during flush (gh-2588)
    • fixes pass2allow-ftp jail - due to inverted handling, action should prohibit access per default for any IP, therefore reset start on demand parameter for this action (it will be started immediately by repair);
    • auto-detection of IPv6 subsystem availability (important for not on-demand actions or jails, like pass2allow);

    New Features

    • new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559):
      • <CIDR> - helper regex to match CIDR (simple integer form of net-mask);
      • <SUBNET> - regex to match sub-net addresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
    • grouped tags (<ADDR>, <HOST>, <SUBNET>) recognize IP addresses enclosed in square brackets
    • new failregex-flag tag <F-MLFGAINED> for failregex, signaled that the access to service was gained (ATM used similar to tag <F-NOFAIL>, but it does not add the log-line to matches, gh-2279)
    • filters: introduced new configuration parameter logtype (default file for file-backends, and journal for journal-backends, gh-2387); can be also set to rfc5424 to force filters (which include common.conf) to use RFC 5424 conform prefix-line per default (gh-2467);
    • for better performance and safety the option logtype can be also used to select short prefix-line for file-backends too for all filters using __prefix_line (common.conf), if message logged only with hostname svc[nnnn] prefix (often the case on several systems):

        [jail]
        backend = auto
        filter = flt[logtype=short]

    • filter.d/common.conf: differentiate __prefix_line for file/journal logtype's (speedup and fix parsing of systemd-journal);
    • filter.d/traefik-auth.conf: used to ban hosts, that were failed through traefik
    • filter.d/znc-adminlog.conf: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded

    Enhancements

    • introduced new options: dbmaxmatches (fail2ban.conf) and maxmatches (jail.conf) to control how many matches per ticket fail2ban can hold in memory and store in database (gh-2402, gh-2118);
    • fail2ban.conf: introduced new section [Thread] and option stacksize to configure default size of the stack for threads running in fail2ban (gh-2356), it could be set in fail2ban.local to avoid runtime error "can't start new thread" (see gh-969);
    • jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations containing new-line);
    • fail2ban-client: extended to ban/unban multiple tickets (see gh-2351, gh-2349); Syntax:
      • fail2ban-client set <jail> banip <ip1> ... <ipN>
      • fail2ban-client set <jail> unbanip [--report-absent] <ip1> ... <ipN>
    • fail2ban-client: extended with new feature which allows to inform fail2ban about single or multiple attempts (failure) for IP (resp. failure-ID), see gh-2351; Syntax:
      • fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]
    • action.d/nftables.conf:
      • isolate fail2ban rules into a dedicated table and chain (gh-2254)
      • nftables-allports supports multiple protocols in single rule now
      • combined nftables actions to single action nftables:
      • nftables-common is removed (replaced with single action nftables now)
      • nftables-allports is obsolete, superseded by nftables[type=allports]
      • nftables-multiport is obsolete, superseded by nftables[type=multiport]
      • allowed multiple protocols in nftables[type=multiport] action (single set with multiple rules in chain), following configuration in jail would replace 3 separate actions, see https://github.com/fail2ban/fail2ban/pull/2254#issuecomment-534684675
    • action.d/badips.py: option loglevel extended with level of summary message, following example configuration logging summary with NOTICE and rest with DEBUG log-levels: action = badips.py[loglevel="debug, notice"]
    • samplestestcase.py (testSampleRegexsFactory) extended:
      • allow coverage of journal logtype;
      • new option fileOptions to set common filter/test options for whole test-file;
    • large enhancement: auto-reban, improved invariant check and conditional operations (gh-2588):
      • improves invariant check and repair (avoid unhandled exception, consider family on conditional operations, etc), prepared for bulk re-ban in repair case (if bulk-ban becomes implemented);
      • automatic reban (repeat banning action) after repair/restore sane environment, if already logged ticket causes new failures (via new action operation actionreban or actionban if still not defined in action);
      • introduces banning epoch for actions and tickets (to distinguish or recognize removed set of the tickets);
      • invariant check avoids repair by unban/stop (unless parameter actionrepair_on_unban set to true);
      • better handling for all conditional operations (distinguish families for certain operations like repair/flush/stop, prepared for other families, e. g. if different handling for subnets expected, etc);
      • partially implements gh-980 (more breakdown safe handling);
      • closes gh-1680 (better as large-scale banning implementation with on-demand reban by failure, at least unless a bulk-ban gets implemented);
    • fail2ban-regex - several enhancements and fixes:
      • improved usage output (don't put a long help if an error occurs);
      • new option --no-check-all to avoid check of all regex's (first matched only);
      • new option -o, --out to set token only provided in output (disables check-all and outputs only expected data).
  • v0.10.4 Changes

    October 04, 2018

    Fixes

    • filter.d/dovecot.conf:
      • failregex enhancement to catch sql password mismatch errors (gh-2153);
      • disconnected with "proxy dest auth failed" (gh-2184);
    • filter.d/freeswitch.conf:
      • provide compatibility for log-format from gh-2193:
      • extended with new default date-pattern ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)? to cover YYYY-mm-dd HH:MM::SS.ms as well as mm-dd HH:MM::SS.ms (so year is optional);
      • more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
      • extended with mode parameter, allows to avoid matching of messages like auth challenge (REGISTER) (see gh-2163) (currently extra as default to be backwards-compatible), see comments in filter how to set it to mode normal.
    • filter.d/domino-smtp.conf:
      • recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
      • failregex extended to catch connections rejected for policy reasons (gh-2228);
    • action.d/hostsdeny.conf: fix parameter in config (dynamic parameters starting with '_' are protected and not allowed in command-actions), see gh-2114;
    • decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
      • fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly UTF-8 in opposite to ascii previously, so minimizes influence of implicit conversions errors;
      • actions: avoid possible conversion errors on wrong-chars by replace tags;
      • database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database; additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
      • logging in fail2ban is process-wide exception-safe now.
    • repaired start-time of initial seek to time (as well as other log-parsing related data), if parameter logpath specified before findtime, backend, datepattern, etc (gh-2173)
    • systemd: fixed type error on option journalflags: an integer is required (gh-2125);

    New Features

    • new option ignorecache to improve performance of ignore failure check (using caching of ignoreip, ignoreself and ignorecommand), see man jail.conf for syntax-example;
    • ignorecommand extended to use actions-similar replacement (capable to interpolate all possible tags like <ip-host>, <family>, <fid>, F-USER etc.)

    Enhancements

    • filter.d/dovecot.conf: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
    • since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info, additionally option -V can be used to get version in normalized machine-readable short format.
  • v0.10.3

    April 04, 2018
  • v0.10.3.1 Changes

    April 04, 2018

    ver. 0.10.3 (2018/04/04) - the-time-is-always-right-to-do-what-is-right

    Next release of 0.10th fail2ban-version, filter and action updates, etc.
    See the ChangeLog for more information.

  • v0.10.2 Changes

    January 18, 2018

    Incompatibility list:

    • The configuration for jails using banaction pf can be incompatible after upgrade, because pf-action uses anchors now (see action.d/pf.conf for more information). If you want to use the obsolete handling without anchors, just override the pfctl parameter in jail.local, e. g. banaction = pf[pfctl="pfctl"].

    Fixes

    • Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid writing the time-stamp when logging to systemd-journal from foreground mode (gh-1876)
    • Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
    • jail.conf: port imap3 replaced with imap everywhere, since imap3 is not a standard port, is old and rarely (if ever) used, and can be missing on some systems (e. g. debian stretch), see gh-1942.
    • config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf) in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
    • action.d/pf.conf:
      • fixed syntax error in anchor definition (documentation, see gh-1919);
      • enclose ports in braces for multiport jails (see gh-1925);
    • action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing family inet6, gh-1990)
    • filter.d/sshd.conf:
      • extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
      • fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
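
The sshd.conf entry above moves from a fixed list of "no matching ... found" kinds to a form that also catches future ones. The sketch below is an added example, not fail2ban's own failregex: the log lines are constructed, the two regexes are simplified stand-ins, and "widget algorithm" is a hypothetical future kind used only to show the difference.

```python
import re
from collections import Counter

# Constructed sample lines modelled on sshd negotiation errors (documentation IPs).
SAMPLE_LOG = """\
Jan 18 10:00:01 srv sshd[1001]: Unable to negotiate with 192.0.2.10 port 40122: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 18 10:00:03 srv sshd[1002]: Unable to negotiate with 192.0.2.10 port 40124: no matching cipher found. Their offer: 3des-cbc [preauth]
Jan 18 10:00:05 srv sshd[1003]: Unable to negotiate with 2001:db8::7 port 51000: no matching host key type found. Their offer: ssh-dss [preauth]
Jan 18 10:00:07 srv sshd[1004]: Unable to negotiate with 192.0.2.10 port 40130: no matching MAC found. Their offer: hmac-md5 [preauth]
Jan 18 10:00:09 srv sshd[1005]: Unable to negotiate with 198.51.100.4 port 2200: no matching widget algorithm found. Their offer: x [preauth]
Jan 18 10:00:11 srv sshd[1006]: Accepted publickey for alice from 203.0.113.9 port 50022 ssh2
"""

# Shared prefix; "port N" is optional because not every sshd version logs it.
PREFIX = (r"sshd\[\d+\]: (?:fatal: )?Unable to negotiate with "
          r"(?P<host>\S+)(?: port \d+)?: ")

# Enumerated form: only the kinds quoted in the changelog entry.
ENUMERATED = re.compile(
    PREFIX + r"no matching (?:cipher|mac|MAC|compression method|"
             r"key exchange method|host key type) found")

# Generalized form: one to four words between "no matching" and "found",
# so a kind added to sshd later still counts as a failure.
GENERAL = re.compile(PREFIX + r"no matching (?:\w+ ){1,4}found")


def failures_by_host(log_text, pattern):
    """Count negotiation failures per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_over_threshold(log_text, pattern, maxretry=3):
    """Hosts that reached maxretry failures (the jail's ban condition)."""
    counts = failures_by_host(log_text, pattern)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("enumerated:", dict(failures_by_host(SAMPLE_LOG, ENUMERATED)))
    print("general:   ", dict(failures_by_host(SAMPLE_LOG, GENERAL)))
    print("ban list:  ", hosts_over_threshold(SAMPLE_LOG, GENERAL))
```

The enumerated pattern silently skips the line from 198.51.100.4, which is the gap the generalized failregex closes.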

    New Features

    • datedetector: extended default date-patterns (allows extra space between the date and time stamps); introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
      • %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock, (corresponds %H, but allows space if not zero-padded).
      • %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock, (corresponds %I, but allows space if not zero-padded).
    • filter.d/exim.conf: added mode aggressive to ban flood resp. DDOS-similar failures (gh-1983);
    • New Actions:
      • action.d/nginx-block-map.conf - in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file);

    Enhancements

    • jail.conf: extended with new parameter mode for the filters supporting it (gh-1988);
    • action.d/pf.conf: extended with bulk-unban, command actionflush in order to flush all bans at once.
    • Introduced new parameters for logging within fail2ban-server (gh-1980). Usage logtarget = target[facility=..., datetime=on|off, format="..."]:
      • facility - specify syslog facility (default daemon, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler for the list of facilities);
      • datetime - add date-time to the message (default on, ignored if format specified);
      • format - specify own format how it will be logged, for example for short-log into STDOUT: fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start;
    • Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 'database disk image is malformed'). Fail2ban will create a backup, try to repair the database, if repair fails - recreate new database (gh-1465, gh-2004).