Fail2Ban v0.10.2 Release Notes

Release Date: 2018-01-18
  • Incompatibility list:

    • The configuration for jails using banaction pf can be incompatible after upgrade, because pf-action uses anchors now (see action.d/pf.conf for more information). If you want to use the obsolete handling without anchors, override the pfctl parameter in jail.local, e.g. banaction = pf[pfctl="pfctl"].

    Fixes

    • Fixed logging to systemd-journal: the new logtarget value SYSOUT can be used instead of STDOUT to avoid writing the time-stamp when logging to systemd-journal from foreground mode (gh-1876)
    • Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
    • jail.conf: port imap3 replaced with imap everywhere, since imap3 is not a standard port, is old and rarely (if ever) used, and can be missing on some systems (e.g. Debian stretch), see gh-1942.
    • config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf) in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
    • action.d/pf.conf:
      • fixed syntax error in anchor definition (documentation, see gh-1919);
      • enclose ports in braces for multiport jails (see gh-1925);
    • action.d/firewallcmd-ipset.conf: fixed creation of the set for ipv6 (missing family inet6, gh-1990)
    • filter.d/sshd.conf:
      • extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
      • fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
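
The difference between an enumerated and a generic "no matching ... found" pattern, as an added example (not Fail2Ban's actual failregex or code): the log lines are constructed, the names ENUMERATED, GENERIC and failed_hosts are chosen for illustration, and the "signature scheme" form is hypothetical, standing in for a future negotiation error.

```python
import re

# Constructed sample sshd log lines (addresses from documentation ranges).
# The "signature scheme" line is a hypothetical future error form.
SAMPLE_LOG = """\
Jan 18 10:00:01 host sshd[1001]: Unable to negotiate with 192.0.2.10 port 40022: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 18 10:00:02 host sshd[1002]: Unable to negotiate with 192.0.2.11 port 40023: no matching cipher found. Their offer: 3des-cbc [preauth]
Jan 18 10:00:03 host sshd[1003]: Unable to negotiate with 2001:db8::5 port 40024: no matching host key type found. Their offer: ssh-dss [preauth]
Jan 18 10:00:04 host sshd[1004]: Unable to negotiate with 192.0.2.12 port 40025: no matching signature scheme found. Their offer: example-alg [preauth]
Jan 18 10:00:05 host sshd[1005]: Accepted publickey for alice from 192.0.2.13 port 40026 ssh2
"""

# Simplified host capture for IPv4/IPv6 literals (illustrative only).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
PREFIX = r"sshd\[\d+\]: (?:fatal: )?Unable to negotiate with " + HOST + r"(?: port \d+)?: "

# Enumerated form: only the algorithm classes listed in the release note.
ENUMERATED = re.compile(
    PREFIX
    + r"no matching (?:cipher|mac|MAC|compression method|key exchange method|host key type) found\."
)

# Generic form: any one or more words between "no matching" and "found".
GENERIC = re.compile(PREFIX + r"no matching (?:\w+ )+found\.")


def failed_hosts(pattern, log_text):
    """Return the hosts, in log order, of lines matching the given pattern."""
    hosts = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    enumerated = failed_hosts(ENUMERATED, SAMPLE_LOG)
    generic = failed_hosts(GENERIC, SAMPLE_LOG)
    print("enumerated:", enumerated)
    print("generic:   ", generic)
    # Hosts the enumerated pattern misses but the generic one catches.
    print("missed:    ", [h for h in generic if h not in enumerated])
```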

    New Features

    • datedetector: extended default date-patterns (allows extra space between the date and time stamps); introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
      • %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock (corresponds to %H, but allows a space if not zero-padded).
      • %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock (corresponds to %I, but allows a space if not zero-padded).
    • filter.d/exim.conf: added mode aggressive to ban flood or DDoS-like failures (gh-1983);
    • New Actions:
      • action.d/nginx-block-map.conf - to ban non-IP-related tickets via nginx (session blacklisting in nginx-location with map-file);

    Enhancements

    • jail.conf: extended with new parameter mode for the filters supporting it (gh-1988);
    • action.d/pf.conf: extended with bulk-unban, command actionflush in order to flush all bans at once.
    • Introduced new parameters for logging within fail2ban-server (gh-1980). Usage: logtarget = target[facility=..., datetime=on|off, format="..."]:
      • facility - specify syslog facility (default daemon, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler for the list of facilities);
      • datetime - add date-time to the message (default on, ignored if format specified);
      • format - specify a custom format for log messages, for example for a short log to STDOUT: fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start;
    • Automatically recover or recreate a corrupt persistent database (e.g. if it failed to open with 'database disk image is malformed'). Fail2ban will create a backup and try to repair the database; if the repair fails, it recreates a new database (gh-1465, gh-2004).