Fail2Ban v0.8.11 Release Notes
Release Date: 2013-11-13
In light of CVE-2013-2178, which triggered our last release, we have put a significant effort into tightening all of the regexes of our filters to avoid another similar vulnerability. All filters have been updated, some to catch more login/authentication failures and to support newer application versions. There are now test cases for most log cases of failures.
As usual, if you have other examples that demonstrate that a filter is insufficient, or if we have inadvertently introduced a regression, please provide us with example log lines on the GitHub issue tracker http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in some obscure corner of the Internet.
Many thanks to our contributors for this release: Daniel Black, Yaroslav Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski, Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François Boulogne and others who have helped on IRC and the mailing list, and logged issues and bug requests.
IMPORTANT incompatible changes
Filter name changes:
- 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
- 'sasl' has been renamed to 'postfix-sasl'
- 'exim' spam catching failregexes were split out into 'exim-spam'
These changes will require changing jail.{conf,local} if any of those filters were used.
Fixes
- Jonathan Lanning
  - filter.d/asterisk -- identified another regex for blocking. Also channel ID is hex not decimal as noted in sample logs provided.
- Daniel Black & Marcel Dopita
  - filter.d/apache-auth -- fixed and apache auth samples provided. Closes gh-286
- Yaroslav Halchenko
  - filter.d/common.conf -- make colon after [daemon] optional. Closes gh-267
  - filter.d/apache-common.conf -- support apache 2.4 more detailed error log format. Closes gh-268
  - Backends changes detection and parsing. Closes gh-223 and gh-103:
    - Polling backend: detect changes in the files not only based on mtime, but also on the size and inode. It should allow for better detection of changes and log rotations on busy servers, older python 2.4, and file systems with precision of mtime only up to a second (e.g. ext3).
    - All backends, possible race condition: do not read from a file initially reported empty. Originally this could have led to accounting for detected log lines multiple times.
  - Do not crash if executing a command in fail2ban-client interactive mode has failed (e.g. due to incorrect syntax). Closes gh-353
- Daniel Black & Мернов Георгий
  - filter.d/dovecot.conf -- Fix when no TLS enabled - line doesn't end in ,
- Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
  - filter.d/exim.conf -- regex hardening and extra failure examples in sample logs
  - filter.d/named-refused.conf - BIND 9.9.3 regex changes
- Daniel Black & Sebastian Arcus
  - filter.d/asterisk -- more regexes
- Daniel Black
  - action.d/hostsdeny -- NOTE: new dependency 'ed'. Switched to use 'ed' across all platforms to ensure permissions are the same before and after a ban. Closes gh-266. hostsdeny supports daemon_list now too.
  - action.d/bsd-ipfw - action option unused. Change blocktype to port unreach instead of deny for consistency.
  - filter.d/dovecot - added to support different dovecot failure "..disallowed plaintext auth". Closes Debian bug #709324
  - filter.d/roundcube-auth - timezone offset can be positive or negative
  - action.d/bsd-ipfw - action option unused. Fixed to blocktype for consistency. Default to port unreach instead of deny
  - filter.d/dropbear - fix regexes to match standard dropbear and the patched http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch and add PAM as it is in dropbear-2013.60 source code.
  - filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening and extra failure examples in sample logs
  - filter.d/apache-auth - added expressions for mod_authz, mod_auth and mod_auth_digest failures.
  - filter.d/recidive -- support f2b syslog target and anchor regex at start
  - filter.d/mysqld-auth.conf - mysql can use syslog
  - filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian bug #722970. Thanks Colin Watson for the regex analysis.
  - filter.d/wuftpd - regex enhancements to support pam and wuftpd. Closes Debian bug #665925
- Rolf Fokkens
  - action.d/dshield.conf and complain.conf -- reorder mailx arguments. https://bugzilla.redhat.com/show_bug.cgi?id=998020
- John Doe (ache)
  - action.d/bsd-ipfw.conf - invert actionstop logic to make exit status 0. Closes gh-343.
- JP Espinosa (Reviewed by O.Poplawski)
  - files/redhat-initd - rewritten to use stock init.d functions thus avoiding problems with getpid. Also $network and iptables moved to Should- rc init fields
- Rick Mellor
  - filter.d/vsftp - fix capture with tty=ftp
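
The polling-backend fix listed above, as an added example (not Fail2Ban's code): it compares an mtime-only change test with an (mtime, size, inode) test on a constructed log file whose mtime is pinned to emulate one-second timestamp precision. The function names, the file name auth.log and the timestamp value are assumptions made for the illustration.

```python
import os
import tempfile

def signature(path):
    """(mtime in whole seconds, size, inode) for a log file."""
    st = os.stat(path)
    return (int(st.st_mtime), st.st_size, st.st_ino)

def mtime_changed(old, new):
    """Change test that looks at mtime only."""
    return old[0] != new[0]

def file_changed(old, new):
    """Change test over mtime, size and inode together."""
    return old != new

def demo():
    """Run both tests on a constructed log file; return what each one reports."""
    stamp = 1384300800  # arbitrary fixed timestamp, pinned to emulate 1 s mtime precision
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")  # constructed sample file
        with open(log, "w") as fh:
            fh.write("first failure line\n")
        os.utime(log, (stamp, stamp))
        start = signature(log)

        # Append inside the same second: size grows, mtime does not move.
        with open(log, "a") as fh:
            fh.write("second failure line\n")
        os.utime(log, (stamp, stamp))
        appended = signature(log)
        out["append_seen_by_mtime"] = mtime_changed(start, appended)
        out["append_seen_by_triple"] = file_changed(start, appended)

        # Rotation: old file renamed, new file with the same size and mtime.
        os.rename(log, log + ".1")
        with open(log, "w") as fh:
            fh.write("x" * appended[1])
        os.utime(log, (stamp, stamp))
        rotated = signature(log)
        out["rotation_seen_by_mtime"] = mtime_changed(appended, rotated)
        out["rotation_seen_by_size"] = appended[1] != rotated[1]
        out["rotation_seen_by_triple"] = file_changed(appended, rotated)
    return out

if __name__ == "__main__":
    print(demo())
```

In the rotation case neither mtime nor size differs, so only the inode reveals that the path now points at a new file.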
New Features
- Edgar Hoch
  - action.d/firewall-cmd-direct-new.conf - action for firewalld from https://bugzilla.redhat.com/show_bug.cgi?id=979622 NOTE: requires firewalld-0.3.8+
- Andy Fragen and Daniel Black
  - filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule numbers.
- Anonymous:
  - action.d/osx-afctl - an action based on afctl for osx
- Daniel Black & ykimon
  - filter.d/3proxy.conf -- filter added
  - fail2ban-regex - now generates http://www.debuggex.com urls for debugging regular expressions with the -D parameter.
- Daniel Black
  - filter.d/exim-spam.conf -- a splitout of exim's spam regexes with additions for greater control over filtering spam.
  - add date expression for apache-2.4 - milliseconds
  - filter.d/nginx-http-auth -- filter added for http basic authentication failures in nginx. Partially fulfills gh-405.
- Christophe Carles & Daniel Black
  - filter.d/perdition.conf -- filter added
- Mark McKinstry
  - action.d/apf.conf - add action for Advanced Policy Firewall (apf)
- Amir Caspi and kjohnsonecl
  - filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server
- Steven Hiscocks and Daniel Black
  - filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter
Enhancements
- François Boulogne and Frédéric
  - filter.d/lighttpd - auth regexes for lighttpd-1.4.31
- Daniel Black
  - reorder parsing of jail.conf, jail.d/*.conf, jail.local, jail.d/*.local and likewise for fail2ban.{conf|local|d/*.conf|d/*.local}. Closes gh-392
  - jail.conf now has asterisk jail - no need for asterisk-tcp and asterisk-udp. Users should replace existing jails with asterisk to reduce duplicate parsing of the asterisk log file.
  - filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin} - regex anchor at start
  - filter.d/vsftpd - anchored regex at start. Disable old pam format regex
  - filter.d/pam-generic - added syslog prefix. Disabled support for linux-pam before version 0.99.2.0 (2005)
  - filter.d/postfix-sasl - renamed from sasl, anchor at start and base on syslog
  - filter.d/qmail - rewrote regex to anchor at start. Added regex for another "in the wild" patch to rblsmtp.
- Yaroslav Halchenko
  - fail2ban-regex -- refactored to provide more details (missing and ignored lines, control over logging, etc) while maintaining look&feel
  - fail2ban-client -- log to standard error. Closes gh-264
  - Fail to configure if not a single log file was found for an enabled jail. Closes gh-63
  - <HOST> is now enforced to end with an alphanumeric
  - filter.d/roundcube-auth.conf -- anchored version
  - date matching - for standard asctime formats prefer more detailed first (thus use year if available)
  - files/gen_badbots was added and filter.d/apache-badbots.conf was regenerated to get updated (although now still an old) list of "bad" bots
- Alexander Dietrich
  - action.d/sendmail-common.conf -- added common sendmail settings file and made the sender display name configurable
- Steven Hiscocks
  - filter.d/dovecot - Addition of session, time values and possible blank user
- Zurd and Daniel Black
  - filter.d/named-refused - added refused on zone transfer
  - filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd} - General regex improvements
- Zurd
  - filter.d/postfix - add filter for VRFY failures. Closes gh-322.
- Orion Poplawski
  - fail2ban.d/ and jail.d/ directories are added to etc/fail2ban to facilitate their use
- Jonathan Lanning
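
Several entries above anchor a filter's regex at the start, and <HOST> must now end with an alphanumeric. The following added example (not Fail2Ban code) shows what both changes do to the reported host on constructed log lines; the daemon name exampled, both failregex strings and the two host patterns are assumptions made for the illustration.

```python
import re

# Simplified stand-ins for the <HOST> substitution (assumptions for this
# example, not copied from Fail2Ban). The strict form must end in an alphanumeric.
HOST_LOOSE = r"(?P<host>[\w\-.^_]+)"
HOST_STRICT = r"(?P<host>[\w\-.^_]*\w)"

# Hypothetical failregex pair for an imaginary daemon "exampled".
UNANCHORED = r"from <HOST>"
ANCHORED = (r"^\w{3} +\d+ [\d:]{8} \S+ exampled\[\d+\]: "
            r"login failed for user .* from <HOST>$")

def find_host(failregex, line, host=HOST_STRICT):
    """Return the host a failregex would report for a log line, or None."""
    match = re.search(failregex.replace("<HOST>", host), line)
    return match.group("host") if match else None

# Constructed log lines. The user name is a client-controlled field.
NORMAL = ("Nov 13 10:00:01 srv exampled[412]: "
          "login failed for user alice from 198.51.100.7")
FORGED = ("Nov 13 10:00:02 srv exampled[412]: "
          "login failed for user x from 203.0.113.9 from 198.51.100.7")
TRAILING = "Nov 13 10:00:03 srv exampled[412]: refused connect from 198.51.100.7."

def report():
    """Host reported by each regex variant for each constructed line."""
    return {
        "normal_unanchored": find_host(UNANCHORED, NORMAL),
        "normal_anchored": find_host(ANCHORED, NORMAL),
        # The unanchored regex reports the address embedded in the user name.
        "forged_unanchored": find_host(UNANCHORED, FORGED),
        # Anchored at both ends, only the address the daemon appended can match.
        "forged_anchored": find_host(ANCHORED, FORGED),
        # Trailing punctuation: the loose host pattern swallows the final dot.
        "trailing_loose": find_host(UNANCHORED, TRAILING, HOST_LOOSE),
        "trailing_strict": find_host(UNANCHORED, TRAILING, HOST_STRICT),
    }

if __name__ == "__main__":
    for name, host in report().items():
        print(name, host)
```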