All Versions: 65
Avg Release Cycle: 176 days
Latest Release: 922 days ago

Changelog History
Page 1
v0.11.2 Changes
November 23, 2020

Compatibility:

- to v0.10:
  - 0.11 is fully compatible with 0.10 (configuration- and API-related stuff), but the database got some new tables and fields (converted automatically on first start). Once updated to 0.11, you have to remove the database `/var/lib/fail2ban/fail2ban.sqlite3` (whose schema now differs from 0.10) if you need to downgrade to 0.10 for some reason.
- to v0.9:
  - Filter (or `failregex`) internal capture groups: if you have your own `failregex` or custom filters using the conditional match `(?P=host)`, you should rewrite the regex as in the example below, i.e. use `(?:(?P=ip4)|(?P=ip6))` instead of `(?P=host)` (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))`, corresponding to your `usedns` and `raw` settings). Of course you can always define your own capture group (like `_cond_ip_` below) to do this:

    ```sh
    testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
    fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
    ```

  - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and other captures in lower case if a mapping from a `<F-*>` tag is used in the failregex (e.g. `user` by `<F-USER>`).
  - v0.10 and 0.11 use more precise date template handling, which can theoretically be incompatible with some user configurations or `datepattern` settings.
  - Since v0.10 fail2ban supports matching of IPv6 addresses, but not all ban actions are IPv6-capable yet.
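As an added illustration of the rewrite described above (this is not fail2ban's code; it uses a deliberately simplified `<HOST>` expansion, a constructed epoch-prefix stand-in for datepattern handling, and constructed log lines), the following Python reproduces why `(?P=host)` no longer compiles, how `(?:(?P=ip4)|(?P=ip6))` and an own `_cond_ip_` group behave on IPv4 and IPv6 lines, and why a bare `(?P=ip4)` silently misses IPv6 offenders:

```python
import re

# Constructed, simplified stand-in for fail2ban's <HOST> expansion (assumption:
# the real regex in fail2ban is more elaborate, but since 0.10 it uses the
# same named groups ip4, ip6 and dns and no longer defines a group named "host").
IP4 = r"(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
IP6 = r"(?P<ip6>(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})"   # loose, illustration only
DNS = r"(?P<dns>[\w\-.]*\w)"
HOST = "(?:%s|%s|%s)" % (IP4, IP6, DNS)

# Constructed sample lines (not from any real log); the epoch prefix stands in
# for the timestamp that fail2ban's datepattern strips before failregex runs.
LINES = [
    "1500000000 failure from 192.0.2.1: bad host 192.0.2.1",
    "1500000000 failure from 2001:db8::1: bad host 2001:db8::1",
    "1500000000 failure from 192.0.2.1: bad host 192.0.2.2",   # hosts differ: must not match
]

# 0.9-style conditional match: refers to group "host", which no longer exists.
LEGACY_RE = r"^\s*failure from <HOST>: bad host (?P=host)$"
# Rewrite recommended by the compatibility note (usedns off, so no (?P=dns) branch).
FIXED_RE = r"^\s*failure from <HOST>: bad host (?:(?P=ip4)|(?P=ip6))$"
# Own capture group around <HOST>, as in the fail2ban-regex example above.
CUSTOM_RE = r"^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
# Tempting shortcut that silently ignores IPv6 offenders.
IP4_ONLY_RE = r"^\s*failure from <HOST>: bad host (?P=ip4)$"


def expand(failregex):
    """Replace the <HOST> tag the way fail2ban does before compiling a failregex."""
    return failregex.replace("<HOST>", HOST)


def compiles(failregex):
    """True if the expanded failregex compiles; a dangling (?P=host) does not."""
    try:
        re.compile(expand(failregex))
        return True
    except re.error:
        return False


def strip_date(line):
    """Drop the leading epoch; stands in for fail2ban's datepattern handling (assumption)."""
    return re.sub(r"^\d+\s+", "", line)


def match_host(failregex, line):
    """Return the host captured by the failregex, or None when the line is not a failure.

    A backreference to a group that did not participate in the match fails
    (it does not raise), so (?:(?P=ip4)|(?P=ip6)) picks whichever family matched.
    """
    m = re.search(expand(failregex), strip_date(line))
    if not m:
        return None
    return m.group("ip4") or m.group("ip6") or m.group("dns")


if __name__ == "__main__":
    print("legacy (?P=host) compiles:", compiles(LEGACY_RE))
    for name, rx in (("fixed", FIXED_RE), ("custom", CUSTOM_RE), ("ip4-only", IP4_ONLY_RE)):
        for line in LINES:
            print("%-9s %-60s -> %s" % (name, strip_date(line), match_host(rx, line)))
```

Run it directly to print the per-line results; the same three regexes can be handed to `fail2ban-regex` against a real log, leaving the `<HOST>` tag for fail2ban to expand. If `usedns` is enabled, add the `(?P=dns)` branch as the note says, otherwise a resolved hostname is captured by `dns` but the conditional match never succeeds.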
Fixes

- [stability] prevent race condition: no ban if the filter (backend) is continuously busy because too many messages are found in the log, e.g. during the initial scan of a large log file or journal (gh-2660)
- pyinotify backend sporadically skipped the initial scan of the log file at start
- python 3.9 compatibility (and Travis CI support)
- restoring a large number (500+, depending on the files ulimit) of current bans when using PyPy fixed
- a manual ban is written to the database, so it can be restored on restart (gh-2647)
- `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
- no mail action is added per default anymore (e.g. to allow that, `action = %(action_mw)s` should be specified per jail or in the default section in jail.local), closes gh-2357
- ensure we have a unique action name per jail (also if parameter `actname` is not set but the name deviates from the standard name, gh-2686)
- don't use `%(banaction)s` interpolation because it can be a complex value (containing `[...]` and/or quotes), which would bother the action interpolation
- fixed type conversion in config readers (takes place after all interpolations are ready), which allows typed parameters to be specified as variables (substitutions) as well as supplied in other sections or as init parameters
- `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so there is no discrepancy between ipset and fail2ban (removal from the ipset is managed by fail2ban only, gh-2703)
- `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real JSON parsing with `jq`, gh-2140, gh-2656)
- `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh-2763)
- `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh-2821)
- `action.d/bsd-ipfw.conf`: fixed selection of the rule number with a large list or initial `lowest_rule_num` (gh-2836)
- `filter.d/common.conf`: avoid substitution of default values in the related `lt_*` section; `__prefix_line` should be interpolated in the definition section (inside the filter config, gh-2650)
- `filter.d/dovecot.conf`:
  - add managesieve and submission support (gh-2795);
  - accept messages with more verbose logging (gh-2573);
- `filter.d/courier-smtp.conf`: prefregex extended to consider the port in the log message (gh-2697)
- `filter.d/traefik-auth.conf`: filter extended with parameter `mode` (`normal`, `ddos`, `aggressive`) to handle the match of the username differently (gh-2693):
  - `normal`: matches 401 with supplied username only
  - `ddos`: matches 401 without supplied username only
  - `aggressive`: matches 401 and any variant (with and without username)
- `filter.d/sshd.conf`: normalizing of the user pattern in all REs, allowing an empty user (gh-2749)
New Features and Enhancements

- fail2ban-regex:
  - speedup of formatted output (bypass unneeded stats creation)
  - extended with prefregex statistic
  - more informative output for `datepattern` (e.g. set from filter): pattern : description
- parsing of actions in jail configs also considers a space between action names as a separator (previously only a new line was allowed); for example, `action = a b` would specify the two actions `a` and `b`
- new filter and jail for GitLab recognizing failed application logins (gh-2689)
- new filter and jail for Grafana recognizing failed application logins (gh-2855)
- new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723)
- `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp logging if it is configured (gh-2631)
- `filter.d/bitwarden.conf` enhanced to support syslog (gh-2778)
- introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in the regex;
- datetemplate: improved anchor detection for capturing groups `(^...)`;
- datepattern: improved handling of wrongly recognized timestamps (timezones, no datepattern, etc.) as well as some warnings signaling the user about an invalid pattern or zone (gh-2814):
  - the filter gets a mode "in-operation", which is activated once the filter starts processing new messages; in this mode a timestamp read from a log line that appeared recently (not an old line) and deviates too much from now (up to 24h) is considered as now (assuming a timezone issue), which avoids an unexpected bypass of the failure (previously it could exceed `findtime`);
  - better interaction with a non-matching optional datepattern or invalid timestamps;
  - implements the special datepattern `{NONE}` to allow finding failures entirely without a date/time in log messages; the filter then uses now as the timestamp (gh-2802)
- performance optimization of `datepattern` (better search algorithm in datedetector, especially for a single template);
- fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791;
- extended capturing of alternate tags in filters, allowing multiple groups to be combined into a single tuple token with the new tag prefix `<F-TUPLE_`, which combines the value of `<F-V>` with all values of `<F-TUPLE_V?_n?>` tags (gh-2755)
v0.11.1 Changes
January 11, 2020

Compatibility:

- to v0.10:
  - 0.11 is fully compatible with 0.10 (configuration- and API-related stuff), but the database got some new tables and fields (converted automatically on first start). Once updated to 0.11, you have to remove the database `/var/lib/fail2ban/fail2ban.sqlite3` (whose schema now differs from 0.10) if you need to downgrade to 0.10 for some reason.
- to v0.9:
  - Filter (or `failregex`) internal capture groups: if you have your own `failregex` or custom filters using the conditional match `(?P=host)`, you should rewrite the regex as in the example below, i.e. use `(?:(?P=ip4)|(?P=ip6))` instead of `(?P=host)` (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))`, corresponding to your `usedns` and `raw` settings). Of course you can always define your own capture group (like `_cond_ip_` below) to do this:

    ```sh
    testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
    fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
    ```

  - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and other captures in lower case if a mapping from a `<F-*>` tag is used in the failregex (e.g. `user` by `<F-USER>`).
  - v0.10 and 0.11 use more precise date template handling, which can theoretically be incompatible with some user configurations or `datepattern` settings.
  - Since v0.10 fail2ban supports matching of IPv6 addresses, but not all ban actions are IPv6-capable yet.
Fixes

- purge of the database is executed now (within the observer).
- restoring currently banned IPs after service restart fixed (now < timeofban + bantime); old log failures (already banned) are ignored
- upgrade database: update the newly created table `bips` with entries from table `bans` (allows restoring current bans after upgrade from version <= 0.10)

New Features

- Increment ban time (+ observer) functionality introduced.
- Database functionality extended with bad IPs.
- New tags (usable in actions):
  - `<bancount>`: ban count of this offender if known as bad (starts at 1 for unknown)
  - `<bantime>`: current ban time of the ticket (prolongation can be delayed up to 10 sec.)
- Introduced new action command `actionprolong` to prolong the ban time (e.g. set a new timeout if expected); several actions (like ipset, etc.) rewritten using new logic with `actionprolong`. Note: because the ban time is dynamic, it was removed from jail.conf as the timeout argument (check jail.local).
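To see what the incremental ban time means for an action that receives `<bancount>` and `<bantime>`, here is an added worked example in Python (not fail2ban's own code). It assumes the defaults as I read them in 0.11's `jail.conf`: `bantime.factor = 1`, the formula `ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor`, an optional `bantime.multipliers` list that replaces the formula, and `bantime.maxtime` as an upper cap; the random jitter of `bantime.rndtime` is omitted. Check your own `jail.conf` before relying on these numbers.

```python
def next_bantime(base, prev_count, factor=1.0, multipliers=None, maxtime=None):
    """Ban time (seconds) for an offender already banned prev_count times.

    Assumption (from the 0.11 jail.conf defaults, not from this changelog):
    prev_count is the count stored in the database before this ban, so it is
    0 for a first offender; the <bancount> tag an action sees is prev_count + 1.
    """
    if multipliers:
        # bantime.multipliers: last entry is reused once the list is exhausted
        mult = multipliers[min(prev_count, len(multipliers) - 1)]
    else:
        # default bantime.formula: exponential growth, exponent clamped at 20
        mult = 1 << min(prev_count, 20)
    bantime = int(base * mult * factor)
    if maxtime is not None:
        # bantime.maxtime keeps a spoofed or shared address from being locked out for good
        bantime = min(bantime, maxtime)
    return bantime


def schedule(base, bans, **kw):
    """(<bancount>, <bantime>) pairs an action would see over `bans` successive bans."""
    return [(n + 1, next_bantime(base, n, **kw)) for n in range(bans)]


if __name__ == "__main__":
    # 10-minute base ban with the default formula: 10m, 20m, 40m, 80m, ...
    for count, secs in schedule(600, 6):
        print("bancount=%d bantime=%ds" % (count, secs))
    # same offender, capped at one day
    print(schedule(600, 10, maxtime=86400)[-1])
    # explicit multiplier list instead of the formula
    print(schedule(600, 9, multipliers=[1, 2, 4, 8, 16, 32, 64])[-1])
```

Without `bantime.maxtime` the tenth ban of a 10-minute base already lasts more than three days, which is why the cap belongs in any jail that bans on a single address rather than an authenticated identity.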
Enhancements

- the algorithm for restoring current bans after restart changed: the restored ban time (and therefore the end of the ban) of a ticket is updated with the ban time of the jail (as maximum) for all tickets with a greater (or persistent) ban time; not affected if the ban time of the jail is unchanged between stop/start.
- added new setup option `--without-tests` to skip building and installing the test files (gh-2287).
- added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?` to get the banned IP addresses (gh-1916).
v0.11.0-dev Changes
(entries identical to v0.11.1 above)
v0.10.6 Changes
November 23, 2020

ver. 0.10.6 (2020/11/23) - just what the doctor ordered

Last (due to v0.11) release of the 0.10 fail2ban version: filter and action updates, etc.
See the ChangeLog for more information. It also includes a debian package, built without the test suite (fail2ban-testcases, fail2ban.test python module).
v0.10.5 Changes
January 10, 2020

Yes, Hrrrm...

Fixes

- [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixed in gh-2444 in order to ignore user session files per default, which can prevent "Too many open files" errors with a lot of user sessions (see gh-2392)
- [grave] fixed parsing of multi-line filters (`maxlines` > 1) together with the systemd backend: the systemd filter now replaces newlines in a message from the systemd journal with `\n` (otherwise multi-line parsing may break, because removal of the matched string from the multi-line buffer window is confused by such extra newlines, so they are retained and get matched on every following message, see gh-2431)
- [stability] prevent race condition: no unban if bans occur continuously (gh-2410); an unban check now happens no later than after 10 tickets get banned, regardless of whether active bans are still pending (the precedence of ban over unban check is 10 now)
- fixed reading of included config files (`.local` overwrites options of `.conf` for config files included with before/after)
- `action.d/abuseipdb.conf`: switched to the AbuseIPDB API v2 (gh-2302)
- `action.d/badips.py`: fixed start of banaction on demand (which may be IP-family related), gh-2390
- `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` are used to match only whole words and fixed strings (not as pattern), gh-2298
- `filter.d/apache-auth.conf`:
  - ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
  - extended with option `mode`: `normal` (default) and `aggressive`
- `filter.d/sshd.conf`:
  - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
  - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
  - captures `Disconnected from ... [preauth]`, preauth phase only, with different handling by `extra` (with supplied user only) and `ddos`/`aggressive` mode (gh-2115, gh-2239, gh-2279)
- `filter.d/mysqld-auth.conf`:
  - MySQL 8.0.13 compatibility (log-error-verbosity = 3); the log format contains a few additional words enclosed in brackets after "[Note]" (gh-2314)
- `filter.d/sendmail-reject.conf`:
  - `mode=extra` now captures port IDs of `TLSMTA` and `MSA` (defaults for ports 465 and 587 on some distros)
- `files/fail2ban.service.in`: fixed systemd unit template: missing nftables dependency (gh-2313)
- several `action.d/mail*`: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
- `filter.d/sendmail-reject.conf`: fixed journal usage for some systems (e.g. CentOS) where only the identifier is set to `sm-mta` (no unit `sendmail`) for some messages (gh-2385)
- `filter.d/asterisk.conf`: asterisk can log an additional timestamp when logging into systemd-journal (regex extended with an optional part matching this, gh-2383)
- `filter.d/postfix.conf`:
  - regexps accept a variable suffix code in the postfix status for precise messages (gh-2442)
  - extended with new postfix filter mode `errors` to match "too many errors" (gh-2439), also included within modes `normal`, `more` (`extra` and `aggressive`), since the postfix parameter `smtpd_hard_error_limit` defaults to 20 (additionally consider `maxretry`)
- `filter.d/named-refused.conf`:
  - support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
  - `prefregex` extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
- `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf`:
  - ID in prefix can be longer than 14 characters (gh-2563);
- all filters also accept square brackets around IPv4 addresses (e.g. monit filter, gh-2494)
- avoids unhandled exception during flush (gh-2588)
- fixes pass2allow-ftp jail: due to the inverted handling, the action should prohibit access per default for any IP, therefore the start-on-demand parameter is reset for this action (it will be started immediately by repair);
- auto-detection of IPv6 subsystem availability (important for actions or jails that are not started on demand, like pass2allow);
New Features

- new replacement tags for failregex to match subnets in the form of IP addresses with CIDR mask (gh-2559):
  - `<CIDR>`: helper regex to match a CIDR (simple integer form of the net mask);
  - `<SUBNET>`: regex to match subnet addresses (in the form IP/CIDR; a single IP is also matched, so the /CIDR part is optional);
- grouped tags (`<ADDR>`, `<HOST>`, `<SUBNET>`) recognize IP addresses enclosed in square brackets
- new failregex flag tag `<F-MLFGAINED>` for failregex, signaling that access to the service was gained (ATM used similarly to tag `<F-NOFAIL>`, but it does not add the log line to matches, gh-2279)
- filters: introduced new configuration parameter `logtype` (default `file` for file backends and `journal` for journal backends, gh-2387); can also be set to `rfc5424` to force filters (which include common.conf) to use an RFC 5424 conformant prefix line per default (gh-2467);
- for better performance and safety the option `logtype` can also be used to select a short prefix line for file backends, for all filters using `__prefix_line` (`common.conf`), if messages are logged only with a `hostname svc[nnnn]` prefix (often the case on several systems):

  ```ini
  [jail]
  backend = auto
  filter = flt[logtype=short]
  ```

- `filter.d/common.conf`: differentiate `__prefix_line` for file/journal logtypes (speedup and fix parsing of systemd-journal);
- `filter.d/traefik-auth.conf`: used to ban hosts that failed through traefik
- `filter.d/znc-adminlog.conf`: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded
Enhancements

- introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to control how many matches per ticket fail2ban can hold in memory and store in the database (gh-2402, gh-2118);
- fail2ban.conf: introduced new section `[Thread]` and option `stacksize` to configure the default stack size for threads running in fail2ban (gh-2356); it can be set in `fail2ban.local` to avoid the runtime error "can't start new thread" (see gh-969);
- jail reader extended (amend to gh-1622): actions support multi-line options now (interpolations containing a new line);
- fail2ban-client: extended to ban/unban multiple tickets (see gh-2351, gh-2349);
  Syntax:

  ```sh
  fail2ban-client set <jail> banip <ip1> ... <ipN>
  fail2ban-client set <jail> unbanip [--report-absent] <ip1> ... <ipN>
  ```

- fail2ban-client: extended with a new feature which allows informing fail2ban about single or multiple attempts (failures) for an IP (resp. failure ID), see gh-2351;
  Syntax:

  ```sh
  fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]
  ```

- `action.d/nftables.conf`:
  - isolate fail2ban rules into a dedicated table and chain (gh-2254)
  - `nftables-allports` supports multiple protocols in a single rule now
  - combined nftables actions into the single action `nftables`:
    - `nftables-common` is removed (replaced with the single action `nftables` now)
    - `nftables-allports` is obsolete, superseded by `nftables[type=allports]`
    - `nftables-multiport` is obsolete, superseded by `nftables[type=multiport]`
  - allowed multiple protocols in the `nftables[type=multiport]` action (single set with multiple rules in chain); the jail configuration shown at https://github.com/fail2ban/fail2ban/pull/2254#issuecomment-534684675 would replace 3 separate actions
- `action.d/badips.py`: option `loglevel` extended with the level of the summary message; the following example configuration logs the summary with NOTICE and the rest with DEBUG log levels: `action = badips.py[loglevel="debug, notice"]`
- samplestestcase.py (testSampleRegexsFactory) extended:
  - allow coverage of journal logtype;
  - new option `fileOptions` to set common filter/test options for the whole test file;
- large enhancement: auto-reban, improved invariant check and conditional operations (gh-2588):
  - improves invariant check and repair (avoid unhandled exception, consider family on conditional operations, etc.), prepared for bulk re-ban in the repair case (if bulk ban becomes implemented);
  - automatic reban (repeat of the banning action) after repair/restore of a sane environment, if an already logged ticket causes new failures (via the new action operation `actionreban`, or `actionban` if it is not defined in the action);
  - introduces a banning epoch for actions and tickets (to distinguish or recognize a removed set of tickets);
  - the invariant check avoids repair by unban/stop (unless parameter `actionrepair_on_unban` is set to `true`);
  - better handling for all conditional operations (distinguish families for certain operations like repair/flush/stop, prepared for other families, e.g. if different handling for subnets is expected, etc.);
  - partially implements gh-980 (more breakdown-safe handling);
  - closes gh-1680 (better than a large-scale banning implementation, with on-demand reban by failure, at least until a bulk ban gets implemented);
- fail2ban-regex: several enhancements and fixes:
  - improved usage output (don't print the long help if an error occurs);
  - new option `--no-check-all` to avoid checking all regexes (first matched only);
  - new option `-o`, `--out` to set the token that is provided in the output (disables check-all and outputs only the expected data).
v0.10.5-dev Changes
(entries identical to v0.10.5 above)
v0.10.4 Changes
October 04, 2018๐ Fixes
filter.d/dovecot.conf
:- failregex enhancement to catch sql password mismatch errors (gh-2153);
- disconnected with "proxy dest auth failed" (gh-2184);
filter.d/freeswitch.conf
:- provide compatibility for log-format from gh-2193:
- extended with new default date-pattern
^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
to coverYYYY-mm-dd HH:MM::SS.ms
as well asmm-dd HH:MM::SS.ms
(so year is optional); - more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
- extended with mode parameter, allows to avoid matching of messages like
auth challenge (REGISTER)
(see gh-2163) (currentlyextra
as default to be backwards-compatible), see comments in filter how to set it to modenormal
.
filter.d/domino-smtp.conf
:- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
- failregex extended to catch connections rejected for policy reasons (gh-2228);
action.d/hostsdeny.conf
: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions), see gh-2114;- decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
- fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
UTF-8
in opposite toascii
previously, so minimizes influence of implicit conversions errors; - actions: avoid possible conversion errors on wrong-chars by replace tags;
- database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database; additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
- logging in fail2ban is process-wide exception-safe now.
- fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
- ๐ repaired start-time of initial seek to time (as well as other log-parsing related data),
if parameter
logpath
specified beforefindtime
,backend
,datepattern
, etc (gh-2173) - ๐ systemd: fixed type error on option
journalflags
: an integer is required (gh-2125);
๐ New Features
- new option `ignorecache` to improve performance of the ignore-failure check (using caching of `ignoreip`, `ignoreself` and `ignorecommand`), see `man jail.conf` for a syntax example;
- `ignorecommand` extended to use action-like replacement (capable of interpolating all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)
Enhancements
- filter.d/dovecot.conf: extended with tags F-USER (and alternatives) to collect user logins (gh-2168)
- since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex return the version without logo info; additionally option `-V` can be used to get the version in a normalized machine-readable short format.
- v0.10.3
April 04, 2018
- v0.10.3.1 Changes
April 04, 2018
ver. 0.10.3 (2018/04/04) - the-time-is-always-right-to-do-what-is-right
Next release of the 0.10 fail2ban version line: filter and action updates, etc.
See the ChangeLog for more information.
- v0.10.2 Changes
January 18, 2018
Incompatibility list:
- The configuration for jails using banaction `pf` can be incompatible after upgrade, because the pf action uses anchors now (see `action.d/pf.conf` for more information). If you want to use the obsolete handling without anchors, just rewrite it in `jail.local` by overwriting the `pfctl` parameter, e.g. like `banaction = pf[pfctl="pfctl"]`.
Fixes
- Fixed logging to systemd-journal: the new logtarget value SYSOUT can be used instead of STDOUT to avoid writing the time-stamp when logging to systemd-journal from foreground mode (gh-1876)
- Fixed recognition of the new date format in the mysqld-auth filter (gh-1639)
- jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port, is old and rarely (if ever) used, and can be missing on some systems (e.g. Debian stretch), see gh-1942.
- config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf) in order to avoid errors while interpolating (e.g. starting with systemd-backend), see gh-1955.
- action.d/pf.conf:
  - fixed syntax error in anchor definition (documentation, see gh-1919);
  - enclose ports in braces for multiport jails (see gh-1925);
- action.d/firewallcmd-ipset.conf: fixed creation of the set for IPv6 (missing `family inet6`, gh-1990)
- filter.d/sshd.conf:
  - extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
  - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
New Features
- datedetector: extended default date patterns (allows extra space between the date and time stamps); introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
  - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock (corresponds to %H, but allows a space if not zero-padded).
  - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock (corresponds to %I, but allows a space if not zero-padded).
- filter.d/exim.conf: added mode `aggressive` to ban flood resp. DDoS-like failures (gh-1983);
- New Actions:
  - action.d/nginx-block-map.conf - in order to ban non-IP-related tickets via nginx (session blacklisting in an nginx location with a map file);
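The %k and %l directives in the datedetector item above are the kind of detail that is easy to underestimate: a date pattern that only accepts zero-padded hours silently fails to parse every line whose hour is written as " 7", so failures in that hour are never seen by the filter. The following Python sketch is an added example, not fail2ban's own datedetector code; it translates a small strftime-style pattern (including %k and %l) into a regex and runs it over three constructed sshd-style lines. The names `DIRECTIVES`, `pattern_to_regex`, `parse_timestamp`, `count_parsed` and the sample lines are this example's own.

```python
import re
from datetime import datetime

# Regex fragments for the strftime-style directives this demo understands.
# %k and %l mirror the two directives described in the changelog: like %H / %I,
# but a one-digit hour may be padded with a space instead of a zero.
# Longer alternatives come first so that "17" is not split into "1" + "7".
DIRECTIVES = {
    "%Y": r"(?P<year>\d{4})",
    "%m": r"(?P<month>0[1-9]|1[0-2])",
    "%d": r"(?P<day>0[1-9]|[12]\d|3[01])",
    "%H": r"(?P<hour>[01]\d|2[0-3])",          # zero-padded only
    "%k": r"(?P<hour>[01]\d|2[0-3]| ?\d)",     # also " 7" or "7"
    "%I": r"(?P<hour12>0\d|1[0-2])",           # zero-padded only
    "%l": r"(?P<hour12>1[0-2]|0\d| ?\d)",      # also " 7" or "7"
    "%M": r"(?P<minute>[0-5]\d)",
    "%S": r"(?P<second>[0-5]\d)",
    "%p": r"(?P<ampm>AM|PM)",
}


def pattern_to_regex(pattern):
    """Translate a date pattern into a compiled regex matched at the line start.
    An unknown directive raises instead of being silently matched literally."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "%":
            directive = pattern[i:i + 2]
            if directive not in DIRECTIVES:
                raise ValueError("unsupported directive %r" % directive)
            parts.append(DIRECTIVES[directive])
            i += 2
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def parse_timestamp(line, pattern):
    """Return the datetime at the start of `line` according to `pattern`, or None
    when the line does not start with a matching timestamp."""
    m = pattern_to_regex(pattern).match(line)
    if m is None:
        return None
    g = m.groupdict()
    if "hour" in g:
        hour = int(g["hour"])             # int() accepts the leading space of %k
    else:
        hour = int(g["hour12"]) % 12      # 12 AM -> 0, 12 PM -> 12
        if g.get("ampm") == "PM":
            hour += 12
    return datetime(int(g["year"]), int(g["month"]), int(g["day"]),
                    hour, int(g["minute"]), int(g["second"]))


# Constructed sample lines (not from a real system). The first one has the hour
# space-padded, as some syslog implementations write it.
SAMPLE_LINES = [
    "2018-01-18  7:05:01 host sshd[100]: Failed password for invalid user admin from 192.0.2.10",
    "2018-01-18 07:05:02 host sshd[101]: Failed password for invalid user admin from 192.0.2.10",
    "2018-01-18 17:05:03 host sshd[102]: Failed password for invalid user admin from 192.0.2.10",
]


def count_parsed(lines, pattern):
    """How many lines get a timestamp under `pattern`. Lines without one are
    invisible to a filter, so a too-strict pattern silently drops failures."""
    return sum(1 for line in lines if parse_timestamp(line, pattern) is not None)


if __name__ == "__main__":
    for pat in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %k:%M:%S"):
        print("%-20s parsed %d of %d lines" % (pat, count_parsed(SAMPLE_LINES, pat), len(SAMPLE_LINES)))
```

Run as a script, the zero-padded pattern parses 2 of the 3 lines and the %k pattern all 3; the line whose hour reads " 7" is the one lost under %H. When writing a custom `datepattern`, test it with `fail2ban-regex` against lines from the real log, including ones from the single-digit hours, rather than only against a midday sample.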
Enhancements
- jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
- action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
- Introduced new parameters for logging within fail2ban-server (gh-1980).
Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
  - `facility` - specify the syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler for the list of facilities);
  - `datetime` - add date-time to the message (default on, ignored if `format` is specified);
  - `format` - specify your own format for how it will be logged, for example for a short log to STDOUT: `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
- Automatically recover or recreate a corrupt persistent database (e.g. if it failed to open with 'database disk image is malformed'). Fail2ban will create a backup and try to repair the database; if the repair fails, it recreates a new database (gh-1465, gh-2004).
- The configuration for jails using banaction