Fail2Ban v0.11.1 Release Notes

Release Date: 2020-01-11
  • Compatibility:

    • to v.0.10:
      • 0.11 is fully compatible with 0.10 (configuration and API), but the database gained some new tables and fields (auto-converted during the first start). Once updated to 0.11, you have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (or its schema, which differs from 0.10) if you need to downgrade to 0.10 for some reason.
    • to v.0.9:

      • Filter (or failregex) internal capture-groups:
      • If you have your own failregex or custom filters using the conditional match (?P=host), you should rewrite the regex as in the example below, or use (?:(?P=ip4)|(?P=ip6)) instead of (?P=host) (or (?:(?P=ip4)|(?P=ip6)|(?P=dns)), depending on your usedns and raw settings).

      Of course you can always define your own capture-group (like _cond_ip_ below) to do this.

        testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
        fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
      
      • New internal groups (currently reserved for internal usage): ip4, ip6, dns, fid, fport, and additionally user and other captures in lower case if a mapping from tag <F-*> is used in failregex (e. g. user by <F-USER>).
      • v.0.10 and 0.11 use more precise date template handling, which can theoretically be incompatible with some user configurations or datepattern settings.
      • Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are IPv6-capable yet.
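
Added example, not part of the Fail2Ban release notes or code base: a Python check of the capture-group migration described above, showing that a back-reference to host is rejected while the ip4/ip6(/dns) and _cond_ip_ forms match. HOST is a simplified stand-in for the real <HOST> expansion; the names OLD, BY_FAMILY, BY_FAMILY_DNS, BY_GROUP, expand, compiles and host_of and the sample lines are constructed for illustration.

```python
import re

# Simplified stand-in for what <HOST> expands to since 0.10: an alternation
# of the internal groups ip4, ip6 and dns (assumption; the real expansion is
# stricter and depends on usedns/raw).
HOST = (r"(?:(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
        r"|\[?(?P<ip6>[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)\]?"
        r"|(?P<dns>[\w.-]*\w))")

OLD = r"^\s*failure from <HOST>: bad host (?P=host)$"  # v0.9 style
BY_FAMILY = r"^\s*failure from <HOST>: bad host (?:(?P=ip4)|(?P=ip6))$"
BY_FAMILY_DNS = (r"^\s*failure from <HOST>: bad host "
                 r"(?:(?P=ip4)|(?P=ip6)|(?P=dns))$")
BY_GROUP = r"^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"

# Constructed sample lines, shown after the timestamp has been cut off.
LINES = {
    "v4": "failure from 192.0.2.1: bad host 192.0.2.1",
    "v6": "failure from 2001:db8::1: bad host 2001:db8::1",
    "dns": "failure from mail.example.com: bad host mail.example.com",
    "mismatch": "failure from 192.0.2.1: bad host 192.0.2.7",
}

def expand(failregex):
    """Substitute the <HOST> tag with the stand-in expansion."""
    return failregex.replace("<HOST>", HOST)

def compiles(failregex):
    """False if the expanded regex refers to a group that does not exist."""
    try:
        re.compile(expand(failregex))
        return True
    except re.error:
        return False

def host_of(failregex, line):
    """Return the host a failregex would report, or None on no match."""
    m = re.search(expand(failregex), line)
    if m is None:
        return None
    return m.group("ip4") or m.group("ip6") or m.group("dns")

if __name__ == "__main__":
    print("old (?P=host) form compiles:", compiles(OLD))
    for name in ("BY_FAMILY", "BY_FAMILY_DNS", "BY_GROUP"):
        print(name, {k: host_of(globals()[name], v) for k, v in LINES.items()})
```

With usedns enabled, the ip4/ip6-only form silently stops matching hostname lines, so replay real log lines through fail2ban-regex after rewriting a filter.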

    🛠 Fixes

    • Database purge is now executed (within the observer).
    • Fixed restoring of currently banned IPs after service restart (now < timeofban + bantime); old log failures (already banned) are ignored.
    • Database upgrade: the newly created table bips is populated with entries from table bans (allows restoring current bans after upgrade from version <= 0.10).

    🆕 New Features

    • Increment ban time (+ observer) functionality introduced.
    • Database functionality extended with bad ips.
    • New tags (usable in actions):
      • <bancount> - ban count of this offender if known as bad (starts at 1 for unknown)
      • <bantime> - current ban-time of the ticket (prolongation can be delayed by up to 10 sec.)
    • Introduced new action command actionprolong to prolong ban-time (e. g. set new timeout if expected); several actions (like ipset, etc.) were rewritten using new logic with actionprolong. Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).

    ✨ Enhancements

    • Algorithm for restoring current bans after restart changed: the restored ban-time (and therefore the end of ban) of a ticket is updated to the ban-time of the jail (as maximum) for all tickets with a greater (or persistent) ban-time; tickets are not affected if the ban-time of the jail is unchanged between stop/start.
    • Added new setup option --without-tests to skip building and installing of test files (gh-2287).
    • Added new command fail2ban-client get <JAIL> banip ?sep-char|--with-time? to get the banned IP addresses (gh-1916).