Changelog History
Page 2
v0.10.2-2
April 04, 2018

v0.10.2-1
January 23, 2018

v0.10.1 Changes
October 12, 2017

Fixes
- fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
- jail "pass2allow-ftp": supply blocktype and returntype parameters to the action (gh-1884)
- avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables 'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
- action.d/pf.conf: several fixes for pf-action like anchoring, etc. (see gh-1866, gh-1867);
- fixed ignoreself issue "Retrieving own IPs of localhost failed: inet_pton() argument 2 must be string, not int" (see gh-1865);
- fixed tags <fq-hostname> and <sh-hostname>, could be used without ticket (e. g. in actionstart etc., gh-1859).
- setup.py: fixed several setup facilities (gh-1874):
  - don't check return code by dry-run: returns 256 on some python/setuptool versions;
  - files/fail2ban.service renamed as template to files/fail2ban.service.in;
  - setup process generates build/fail2ban.service from files/fail2ban.service.in using distribution related bin-path;
  - bug-fixing by running setup with option --dry-run;

New Features
- introduced new command-line options --dp, --dump-pretty to dump the configuration using more human readable representation (opposite to -d);

Enhancements
- nftables actions are IPv6-capable now (gh-1893)
- filter.d/dovecot.conf: introduced mode aggressive for cases like "disconnected before auth was ready" (gh-1880)

v0.10.0 Changes
August 09, 2017

TODO: implementing of options resp. other tasks from PR #1346; documentation should be extended (new options, etc)

Fixes
- filter.d/apache-auth.conf:
  - better failure recognition using short form of regex (url/referer are foreign inputs, see gh-1645)
- filter.d/apache-common.conf (filter.d/apache-*.conf):
  - support of apache log-format if logging into syslog/systemd (gh-1695), using parameter logging:
    - parameter usage for jail: filter = apache-auth[logging=syslog]
    - parameter usage for apache-common.local: logging = syslog
- filter.d/pam-generic.conf:
  - [grave] injection on user name to host fixed
- filter.d/sshd.conf:
  - rewritten using prefregex and used MLFID-related multi-line parsing (by using tag <F-MLFID> instead of buffering with maxlines);
  - optional parameter mode rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details
- filter.d/sendmail-reject.conf:
  - rewritten using prefregex and used MLFID-related multi-line parsing;
  - optional parameter mode introduced: normal (default), extra or aggressive
- filter.d/haproxy-http-auth: do not mistake client port for part of an IPv6 address (gh-1745)
- filter.d/postfix.conf:
  - updated to latest postfix formats
  - joined several postfix filter together (normalized and optimized version, gh-1825)
  - introduced new parameter mode (see gh-1825): more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
  - postfix postscreen (resp. other RBL's compatibility fix, gh-1764, gh-1825)
- filter.d/postfix-rbl.conf: removed (replaced with postfix[mode=rbl])
- filter.d/postfix-sasl.conf: removed (replaced with postfix[mode=auth])
- filter.d/roundcube-auth.conf:
  - fixed regex when X-Real-IP or/and X-Forwarded-For are present after host (gh-1303);
  - fixed regex when logging authentication errors to journal instead to a local file (gh-1159);
  - additionally fixed more complex injections on username (e. g. using dot after fake host).
- filter.d/ejabberd-auth.conf: fixed failregex - accept new log-format (gh-993)
- action.d/complain.conf
  - fixed using new tag <ip-rev> (sh/dash compliant now)
- action.d/sendmail-geoip-lines.conf
  - fixed using new tag <ip-host> (without external command execution)
- fail2ban-regex: fixed matched output by multi-line (buffered) parsing
- fail2ban-regex: support for multi-line debuggex URL implemented (gh-422)
- fixed ipv6-action errors on systems not supporting ipv6 and vice versa (gh-1741)
- fixed directory-based log-rotate for pyinotify-backend (gh-1778)

New Features
New Actions:
New Filters:

Enhancements
- Introduced new filter option prefregex for pre-filtering using single regular expression (gh-1698);
- Many times faster and fewer CPU-hungry because of parsing with maxlines=1, so without line buffering (scrolling of the buffer-window). Combination of tags <F-MLFID> and <F-NOFAIL> can be used now to process multi-line logs using single-line expressions:
  - tag <F-MLFID>: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by <F-MLFID>(?:conn-id)</F-MLFID>, see sshd.conf for example);
  - tag <F-MLFFORGET>: can be used as mark to forget current multi-line MLFID (e. g. by connection closed, reset or disconnect etc);
  - tag <F-NOFAIL>: used as mark for no-failure (helper to accumulate common failure-info, e. g. from lines that contain IP-address);
  Opposite to obsolete multi-line parsing (using buffering with maxlines) it is more precise and can recognize multiple failure attempts within the same connection (MLFID).
- Several filters optimized with pre-filtering using new option prefregex, and multiline filter using <F-MLFID> + <F-NOFAIL> combination;
- Exposes filter group captures in actions (non-recursive interpolation of tags <F-...>, see gh-1698, gh-1110)
- Some filters extended with user name (can be used in gh-1243 to distinguish IP and user, resp. to remove after success login the user-related failures only);
- Safer, more stable and faster replaceTag interpolation (switched from cycle over all tags to re.sub with callable)
- substituteRecursiveTags optimization + moved in helpers facilities (because currently used commonly in server and in client)
- New tags (usable in actions):
  - <fid> - failure identifier (if raw resp. failures without IP address)
  - <ip-rev> - PTR reversed representation of IP address
  - <ip-host> - host name of the IP address
  - <bancount> - ban count of this offender if known as bad (started by 1 for unknown)
  - <bantime> - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
  - <F-...> - interpolates to the corresponding filter group capture ...
  - <fq-hostname> - fully-qualified name of host (the same as $(hostname -f))
  - <sh-hostname> - short hostname (the same as $(uname -n))
- Introduced new action command actionprolong to prolong ban-time (e. g. set new timeout if expected); Several actions (like ipset, etc.) rewritten using net logic with actionprolong. Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).
- Allow to use filter options by fail2ban-regex, example: fail2ban-regex text.log "sshd[mode=aggressive]"
- Samples test case factory extended with filter options - dict in JSON to control filter options (e. g. mode, etc.): # filterOptions: {"mode": "aggressive"}
- Introduced new jail option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true). Fail2ban will not ban a host which matches such addresses. Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
- Regex will be compiled as MULTILINE only if needed (buffering with maxlines > 1), that enables:
  - to improve performance by the single line parsing (see gh-1733);
  - make regex more precise (because distinguish between anchors ^/$ for the begin/end of string and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow the parsing of log-entries contain new-line chars (as single entry);
  - if multiline regex however expected (by single-line parsing without buffering) - prefix (?m) could be used in regex to enable it;
- Implemented execution of actionstart on demand (conditional), if action depends on family (gh-1742):
  - new action parameter actionstart_on_demand (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter param?family=... presents in action properties), see action.d/pf.conf for example;
  - additionally actionstop will be executed only for families previously executing actionstart (starting on demand only)
- Introduced new command actionflush: executed in order to flush all bans at once e. g. by unban all, reload with removing action, stop, shutdown the system (gh-1743), the actions having actionflush do not execute actionunban for each single ticket
- Add new command actionflush default for several iptables/iptables-ipset actions (and common include);
- Add new jail option logtimezone to force the timezone on log lines that don't have an explicit one (gh-1773)
- Implemented zone abbreviations (like CET, CEST, etc.) and abbr+-offset functionality (accept zones like 'CET+0100'), for the list of abbreviations see strptime.TZ_STR;
- Introduced new option --timezone (resp. --TZ) for fail2ban-regex.
- Tokens %z and %Z are changed (more precise now);
- Introduced new tokens %Exz and %ExZ that fully support zone abbreviations and/or offset-based zones (implemented as enhancement using custom datepattern, because may be too dangerous for default patterns and tokens like %z); Note: the extended tokens supported zone abbreviations, but it can parse 1 or 3-5 char(s) in lowercase. Don't use them in default date-patterns (if not anchored, few precise resp. optional). Because python currently does not support mixing of case-sensitive with case-insensitive matching, the TZ (in uppercase) cannot be combined with %a/%b etc (that are currently case-insensitive), to avoid invalid date-time recognition in strings like '11-Aug-2013 03:36:11.372 error ...' with wrong TZ "error". Hence %z currently match literal Z|UTC|GMT only (and offset-based), and %Exz - all zone abbreviations.
- filter.d/courier-auth.conf: support failed logins with method only
- Config reader's: introduced new syntax %(section/option)s, in opposite to extended interpolation of python 3 ${section:option} work with all supported python version in fail2ban and this syntax is like our another features like %(known/option)s, etc. (gh-1750)
- Variable default_backend switched to %(default/backend)s, so totally backwards compatible now, but now the setting of parameter backend in default section of jail.local can overwrite default backend also (see gh-1750). In the future versions parameter default_backend can be removed (incompatibility, possibly some distributions affected).
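
The v0.10.0 note above that regexes are compiled as MULTILINE only when buffering with maxlines > 1 can be seen with Python's re module. This is an added example, not fail2ban's own code: the failregex, the helper names and the log entries are constructed for illustration, and the named group host stands in for <HOST>.

```python
import re

# Constructed, simplified failregex in the style of a filter definition.
# The named group "host" stands in for the <HOST> substitution; this is
# not a regex taken from any stock fail2ban filter.
FAILREGEX = (
    r"^Authentication failure for \S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})$"
)


def compile_failregex(regex, maxlines=1):
    """Hypothetical helper mirroring the rule stated in the changelog:
    re.MULTILINE is applied only when line buffering is used (maxlines > 1)."""
    flags = re.MULTILINE if maxlines > 1 else 0
    return re.compile(regex, flags)


def find_host(entry, maxlines=1, regex=FAILREGEX):
    """Return the address captured from one log entry, or None."""
    match = compile_failregex(regex, maxlines).search(entry)
    return match.group("host") if match else None


# Constructed log entries (documentation address ranges).
GENUINE = "Authentication failure for alice from 203.0.113.7"

# One journal-style entry whose message text itself contains new-line
# characters: the middle line is foreign text, not a line the service wrote.
EMBEDDED = (
    "Rejected request, client sent: hello\n"
    "Authentication failure for root from 198.51.100.9\n"
    "(end of client text)"
)


def compare(entry):
    """Evaluate one entry under the three compile modes the changelog names."""
    return {
        # single-line parsing: ^ and $ mean begin/end of the whole entry
        "maxlines=1": find_host(entry),
        # buffered parsing: ^ and $ also match next to every '\n'
        "maxlines=2": find_host(entry, maxlines=2),
        # explicit opt-in with the (?m) prefix while still parsing single-line
        "(?m) prefix": find_host(entry, regex="(?m)" + FAILREGEX),
    }


if __name__ == "__main__":
    for name, entry in (("genuine", GENUINE), ("embedded new-line", EMBEDDED)):
        print(name, compare(entry))
```

With single-line compilation the anchored expression only matches an entry that is the failure message as a whole, so text after an embedded new-line cannot be read as a separate failure line; a filter that opts back in with (?m) gives up that property.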

v0.10.0-alpha Changes
July 14, 2016

Fixes
- [Grave] memory leak's fixed (gh-1277, gh-1234)
- [Grave] Misleading date patterns defined more precisely (using extended syntax %Ex[mdHMS] for exact two-digit match or e. g. %ExY as more precise year pattern, within same century of last year and the next 3 years)
- [Grave] extends date detector template with distance (position of match in log-line), to prevent grave collision using (re)ordered template list (e.g. find-spot of wrong date-match inside foreign input, misleading date patterns by ambiguous formats, etc.)
- Distance collision check always prefers template with shortest distance (left for right) if date pattern is not anchored
- Tricky bug fix: last position of log file will be never retrieved (gh-795), because of CASCADE all log entries will be deleted from logs table together with jail, if used "INSERT OR REPLACE" statement
- Asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
- testSocket: sporadical bug repaired - wait for server thread starts a socket (listener)
- testExecuteTimeoutWithNastyChildren: sporadical bug repaired - wait for pid file inside bash, kill tree in any case (gh-1155)
- purge database will be executed now (within observer).
- restoring currently banned ip after service restart fixed (now < timeofban + bantime), ignore old log failures (already banned)
- Fixed high-load of pyinotify-backend, see https://github.com/fail2ban/fail2ban/issues/885#issuecomment-248964591
- Database: stability fix - repack cursor iterator as long as locked
- File filter backends: stability fix for sporadically errors - always close file handle, otherwise may be locked (prevent log-rotate, etc.)
- Pyinotify-backend: stability fix for sporadically errors in multi-threaded environment (without lock)
- Fixed sporadically error in testCymruInfoNxdomain, because of unsorted values
- Misleading errors logged from ignorecommand in success case on retcode 1 (gh-1194)
- fail2ban.service - systemd service updated (gh-1618):
  - starting service in normal mode (without forking)
  - does not restart if service exited normally (exit-code 0, e.g. stopped via fail2ban-client)
  - does not restart if service can not start (exit-code 255, e.g. wrong configuration, etc.)
  - service can be additionally started/stopped with commands (fail2ban-client, fail2ban-server)
  - automatically creates /var/run/fail2ban directory before start fail2ban (systems with virtual resp. memory-based FS for /var/run), see gh-1531
  - if fail2ban running as systemd-service, for logging to the systemd-journal, the logtarget could be set to STDOUT
  - value logtarget for system targets allowed also in lowercase (stdout, stderr, syslog, etc.)
- Fixed UTC/GMT named time zone, using %Z and %z patterns (special case with 0 zone offset, see gh-1575)
- filter.d/freeswitch.conf
  - Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
  - User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)

New Features
- IPv6 support:
  - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6
  - iptables related actions have been amended to support IPv6 specific actions additionally
  - hostsdeny and route actions have been tested to be aware of v4 and v6 already
  - pf action for *BSD systems has been improved and supports now also v4 and v6
  - name resolution is now working for either address type
  - new conditional section functionality used in config resp. includes:
    - [Init?family=inet4] - IPv4 qualified hosts only
    - [Init?family=inet6] - IPv6 qualified hosts only
- Increment ban time (+ observer) functionality introduced. Thanks Serg G. Brester (sebres)
- Database functionality extended with bad ips.
- New reload functionality (now totally without restart, unbanning/rebanning, etc.), see gh-1557
- Several commands extended and new commands introduced:
  - restart [--unban] [--if-exists] <JAIL> - restarts the jail <JAIL> (alias for reload --restart ... <JAIL>)
  - reload [--restart] [--unban] [--all] - reloads the configuration without restarting of the server, the option --restart activates completely restarting of affected jails, thereby can unban IP addresses (if option --unban specified)
  - reload [--restart] [--unban] [--if-exists] <JAIL> - reloads the jail <JAIL>, or restarts it (if option --restart specified), at the same time unbans all IP addresses banned in this jail, if option --unban specified
  - unban --all - unbans all IP addresses (in all jails and database)
  - unban <IP> ... <IP> - unbans <IP> (in all jails and database) (see gh-1388)
  - introduced new option -t or --test to test configuration resp. start server only if configuration is clean (fails by wrong configured jails if option -t specified)
- New command action parameter actionrepair - command executed in order to restore sane environment in error case of actioncheck.
- Reporting via abuseipdb.com:
  - Bans can now be reported to abuseipdb
  - Categories must be set in the config
  - Relevant log lines included in report

Enhancements
- Huge increasing of fail2ban performance and especially test-cases performance (see gh-1109)
- Datedetector: in-place reordering using hits and last used time: matchTime, template list etc. rewritten because of performance degradation
- Prevent out of memory situation if many IP's makes extremely many failures (maxEntries)
- Introduced string to seconds (str2seconds) for configuration entries with time, use 1h instead of 3600, 1d instead of 86400, etc
- seekToTime - prevent completely read of big files first time (after start of service), initial seek to start time using half-interval search algorithm (see issue gh-795)
- Ticket and some other modules prepared to easy merge with newest version of 'ban-time-incr'
- Cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name, especially for wrong dns or lazy dns-system
- FailManager memory-optimization: increases performance, prevents memory leakage, because don't copy failures list on some operations
- fail2ban-testcases - new options introduced:
  - -f, --fast to decrease wait intervals, avoid passive waiting, and skip few very slow test cases (implied memory database, see -m and no gamin tests -g)
  - -g, --no-gamin to prevent running of tests that require the gamin (slow)
  - -m, --memory-db - run database tests using memory instead of file
  - -i, --ignore - negate [regexps] filter to ignore tests matched specified regexps
- Background servicing: prevents memory leak on some platforms/python versions, using forced GC in periodic intervals (latency and threshold)
- executeCmd partially moved from action to new module utils
- Several functionality of class DNSUtils moved to new class IPAddr, both classes moved to new module ipdns
- Pseudo-conditional section introduced, for conditional substitution resp. evaluation of parameters for different family qualified hosts, syntax [Section?family=inet6] (currently use for IPv6-support only).
- All the backends were rewritten to get reload-possibility, performance increased, so fewer greedy regarding cpu- resp. system-load now
- Numeric log-level allowed now in server (resp. fail2ban.conf);
- Implemented better error handling in some multi-threaded routines; shutdown of jails rewritten (faster and safer, does not breaks shutdown process if some error occurred)
- Possibility for overwriting some configuration options (read with config-readers) with command line option, e. g.:
    ## start server with DEBUG log-level (ignore level read from fail2ban.conf):
    fail2ban-client --loglevel DEBUG start
    ## or
    fail2ban-server -c /cfg/path --loglevel DEBUG start
    ## keep server log-level by reload (without restart it)
    fail2ban-client --loglevel DEBUG reload
    ## switch log-level back to INFO:
    fail2ban-client set loglevel INFO
- Optimized BanManager: increase performance, fewer system load, try to prevent memory leakage:
  - better ban/unban handling within actions (e.g. used dict instead of list)
  - don't copy bans resp. its list on some operations;
  - added new unbantime handling to relieve unBanList (prevent permanent searching for tickets to unban)
  - prefer failure-ID as identifier of the ticket to its IP (most of the time the same, but it can be something else e.g. user name in some complex jails, as introduced in 0.10)
- Regexp enhancements:
  - build replacement of <HOST> substitution corresponding parameter usedns - dns-part will be added only if usedns is not no, also using fail2ban-regex
  - new replacement for <ADDR> in opposition to <HOST>, for separate usage of 2 address groups only (regardless of usedns), ip4 and ip6 together, without host (dns)
- Misconfigured jails don't prevent fail2ban from starting, server starts nevertheless, as long as one jail was successful configured (gh-1619). Message about wrong jail configuration logged in client log (stdout, systemd journal etc.) and in server log with error level
- More precise date template handling (WARNING: theoretically possible incompatibilities):
  - datedetector rewritten more strict as earlier;
  - default templates can be specified exacter using prefix/suffix syntax (via datepattern);
  - more as one date pattern can be specified using option datepattern now (new-line separated);
  - some default options like datepattern can be specified directly in section [Definition], that avoids contrary usage of unnecessarily [Init] section, because of performance (each extra section costs time);
  - option datepattern can be specified in jail also (e. g. jails without filters or custom log-format, new-line separated for multiple patterns);
  - if first unnamed group specified in pattern, only this will be cut out from search log-line (e. g.: ^date:[({DATE})] will cut out only datetime match pattern, and leaves date:[] ... for searching in filter);
  - faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
  - several standard filters extended with exact prefixed or anchored date templates;
- Added possibility to recognize restored state of the tickets (see gh-1669). New option norestored introduced, to ignore restored tickets (after restart). To avoid execution of ban/unban for the restored tickets, norestored = true could be added in definition section of action. For conditional usage in the shell-based actions an interpolation <restored> could be used also. E. g. it is enough to add following script-piece at begin of actionban (or actionunban) to prevent execution:
    if [ '<restored>' = '1' ]; then exit 0; fi;
  Several actions extended now using norestored option:
  - complain.conf
  - dshield.conf
  - mail-buffered.conf
  - mail-whois-lines.conf
  - mail-whois.conf
  - mail.conf
  - sendmail-buffered.conf
  - sendmail-geoip-lines.conf
  - sendmail-whois-ipjailmatches.conf
  - sendmail-whois-ipmatches.conf
  - sendmail-whois-lines.conf
  - sendmail-whois-matches.conf
  - sendmail-whois.conf
  - sendmail.conf
  - smtp.py
  - xarf-login-attack.conf
- fail2ban-testcases:
  - assertLogged extended with parameter wait (to wait up to specified timeout, before we throw assert exception) + test cases rewritten using that
  - added assertDictEqual for compatibility to early python versions (< 2.7);
  - new with_foreground_server_thread decorator to test several client/server commands

v0.9.8 Changes
0.9.x line is no longer heavily developed. If you are interested in new features (e.g. IPv6 support), please consider 0.10 branch and its releases.

Fixes
- Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991. Partially back-ported from v.0.10.
- action.d/bsd-ipfw.conf
  - Make the rule number, the action starts looking for a free slot to insert the new rule, configurable (gh-1689)
  - Replace not posix-compliant grep option: fgrep with -q option can cause 141 exit code in some cases (gh-1389)
- filter.d/apache-overflows.conf:
  - Fixes resources greedy expression (see gh-1790);
  - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
- filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
- filter.d/asterisk.conf
  - fixed failregex AMI Asterisk authentification failed (see gh-1302)
  - removed invalid (vulnerable) regex blocking IPs using foreign data (from header "from") thus not the IP-address that really originates the request (see gh-1927)
  - fixed failregex for the SQL-injection attempts with single-quotes in connect-string (see gh-2011)
- filter.d/dovecot.conf:
  - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
  - extended to match pam_authenticate failures with "Permission denied" (gh-1897)
- filter.d/exim.conf
  - fixed failregex for case of flood attempts with D=0s (gh-1887)
  - fixed failregex of "AUTH command used when not advertised" to better handle the foreign input SMTP command (lower/mixed case auth command, prevent injection) (gh-1979)
- filter.d/postfix-*.conf - added optional port regex (gh-1902)
- filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
- filter.d/nginx-http-auth.conf - match usernames with spaces (gh-2015)

New Features

Enhancements
- action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
- action.d/firewallcmd-ipset.conf - new parameter actiontype, provides allports capability (gh-1167)
- filter.d/kerio.conf - filter extended with new rules (see gh-1455)
- filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
- filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376)

v0.9.7 Changes
May 11, 2017

Fixes
- Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
- filter.d/sshd.conf
  - Fixed non-anchored part of failregex (misleading match of colon inside IPv6 address instead of : in the reason-part by missing space, gh-1658) (0.10th resp. IPv6 relevant only, amend for gh-1479)
- config/pathes-freebsd.conf
  - Fixed filenames for apache and nginx log files (gh-1667)
- filter.d/exim.conf
  - optional part (...) after host-name before [IP] (gh-1751)
  - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
  - match of complex time like D=2m42s in regex "no MAIL in SMTP connection" (gh-1766)
- filter.d/sshd.conf
  - new aggressive rules (gh-864):
    - Connection reset by peer (multi-line rule during authorization process)
    - No supported authentication methods available
  - single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions), according to gh-1206;
  - fixed expression received disconnect auth fail (optional space after port part, gh-1652) and suffix (logged from several ssh versions), according to gh-1206;
- filter.d/suhosin.conf
  - greedy catch-all before <HOST> fixed (potential vulnerability)
- filter.d/cyrus-imap.conf
  - accept entries without login-info resp. hostname before IP address (gh-1707)
- Filter tests extended with check of all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>

New Features
New Actions:
- action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)
New Filters:
- filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)

Enhancements
- Introduced new log-level MSG (as INFO-2, equivalent to 18)

v0.9.7-2
August 04, 2017

v0.9.6 Changes
December 10, 2016

Fixes
- Misleading add resp. enable of (already available) jail in database, that induced a subsequent error: last position of log file will be never retrieved (gh-795)
- Fixed a distribution related bug within testReadStockJailConfForceEnabled (e.g. test-cases faults on Fedora, see gh-1353)
- Fixed pythonic filters and test scripts (running via wrong python version, uses "fail2ban-python" now);
- Fixed test case "testSetupInstallRoot" for not default python version (also using direct call, out of virtualenv);
- Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
- FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
- Monit config: scripting is not supported in path (gh-1556)
- filter.d/apache-modsecurity.conf
  - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all replaced for safer match, unneeded catch-all anchoring removed, non-capturing
- filter.d/asterisk.conf
  - Fixed to match different asterisk log prefix (source file: method:)
- filter.d/dovecot.conf
  - Fixed failregex ignores failures through some not relevant info (gh-1623)
- filter.d/ignorecommands/apache-fakegooglebot
  - Fixed error within apache-fakegooglebot, that will be called with wrong python version (gh-1506)
- filter.d/assp.conf
  - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
- filter.d/postfix-sasl.conf
  - Allow for having no trailing space after 'failed:' (gh-1497)
- filter.d/vsftpd.conf
  - Optional reason part in message after FAIL LOGIN (gh-1543)
- filter.d/sendmail-reject.conf
  - removed mandatory double space (if dns-host available, gh-1579)
- filter.d/sshd.conf
  - recognized "Failed publickey for" (gh-1477);
  - optimized failregex to match all of "Failed any-method for ... from " (gh-1479)
  - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
  - optional port part after host (see gh-1533, gh-1581)

New Features
- New Actions:
  - action.d/npf.conf for NPF, the latest packet filter for NetBSD
- New Filters:
  - filter.d/mongodb-auth.conf for MongoDB (document-oriented NoSQL database engine) (gh-1586, gh-1606 and gh-1607)

Enhancements
- DateTemplate regexp extended with the word-end boundary, additionally to word-start boundary
- Introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located):
  - allows to use the same version, fail2ban currently running, e.g. in external scripts just via replace python with fail2ban-python:
diff -#!/usr/bin/env python +#!/usr/bin/env fail2ban-python
  - always the same pickle protocol
  - the same (and also guaranteed available) fail2ban modules
  - simplified stand-alone install, resp. stand-alone installation possibility via setup (like gh-1487) is getting closer
- Several test cases rewritten using new methods assertIn, assertNotIn
- New forward compatibility method assertRaisesRegexp (normally python >= 2.7). Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged are test covered now
- Jail configuration extended with new syntax to pass options to the backend (see gh-1408), examples:
    backend = systemd[journalpath=/run/log/journal/machine-1]
    backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]
    backend = systemd[journalflags=2]

v0.9.5 Changes
July 15, 2016

Fixes
- filter.d/monit.conf
  - Extended failregex with new monit "access denied" version (gh-1355)
  - failregex of previous monit version merged as single expression
- filter.d/postfix.conf, filter.d/postfix-sasl.conf
  - Extended failregex daemon part, matching also postfix/smtps/smtpd now (gh-1391)
- Fixed a grave bug within tags substitutions because of incorrect detection of recursion in case of multiple inline substitutions of the same tag (affected actions: bsd-ipfw, etc). Now tracks the actual list of the already substituted tags (per tag instead of single list)
- filter.d/common.conf
  - Unexpected extra regex-space in generic __prefix_line (gh-1405)
  - All optional spaces normalized in common.conf, test covered now
  - Generic __prefix_line extended with optional brackets for the date ambit (gh-1421), added new parameter __date_ambit
- gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon, not argument of fail2ban (see gh-1434)
- filter.d/asterisk.conf
  - Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
  - Improved log support for PJSIP and Asterisk 13+ with different callID (gh-1458)

New Features
- New Actions:
  - action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367)
- New filters:
  - slapd - ban hosts, that were failed to connect with invalid credentials: error code 49 (gh-1478)

Enhancements
- Extreme speedup of all sqlite database operations (gh-1436), by using of following sqlite options:
  - (synchronous = OFF) write data through OS without syncing
  - (journal_mode = MEMORY) use memory for the transaction logging
  - (temp_store = MEMORY) temporary tables and indices are kept in memory
- journald journalmatch for pure-ftpd (gh-1362)
- Added additional regex filter for dovecot ldap authentication failures (gh-1370)
- filter.d/exim*conf
  - Added additional regexes (gh-1371)
  - Made port entry optional