Fail2Ban v0.9.4 Release Notes

Release Date: 2016-03-08
  • 🛠 Fixes

    • roundcube-auth jail typo for logpath
    • 🛠 Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
    • filter.d/apache-badbots.conf
      • Updated useragent string regex adding escape for +
    • filter.d/mysqld-auth.conf
      • Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
    • filter.d/sshd.conf
      • Updated "Auth fail" regex for OpenSSH 5.9 and later
    • Treat failed and killed execution of commands identically (only different log messages), which addresses different behavior on different exit codes of dash and bash (gh-1155)
    • 🛠 Fix jail.conf.5 man's section (gh-1226)
    • 🛠 Fixed default banaction for allports jails like pam-generic, recidive, etc with new default variable banaction_allports (gh-1216)
    • 🛠 Fixed fail2ban-regex, which stopped working on an invalid (wrongly encoded) character under Python versions < 3.x (gh-1248)
    • 👉 Use postfix_log logpath for postfix-rbl jail
    • filter.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
    • use fail2ban_agent as user-agent in actions badips, blocklist_de, etc (gh-1271)
    • Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
    • 🔄 Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
    • ✂ Removed compression and rotation count from logrotate (inherit them from the global logrotate config)

  • 🆕 New Features

    • 🆕 New interpolation feature for definition config readers - <known/parameter> (means last known init definition of filters or actions with name parameter). This interpolation makes it possible to extend the parameters of a stock filter or action directly in a jail inside the jail.local file, without creating a separate filter.d/*.local file. It extends the %(known/parameter)s interpolation, which does not work for filter and action init parameters.
    • 🆕 New actions:
      • nftables-multiport and nftables-allports - filtering using nftables framework. Note: it requires a pre-existing chain for the filtering rule.
    • 🆕 New filters:
      • openhab - domotic software authentication failure with the rest api and web interface (gh-1223)
      • nginx-limit-req - ban hosts that nginx rejected for exceeding the request processing rate limit (ngx_http_limit_req_module)
      • murmur - ban hosts that repeatedly attempt to connect to murmur/mumble-server with an invalid server password or certificate.
      • haproxy-http-auth - filter to match failed HTTP Authentications against a HAProxy server
    • 🆕 New jails:
      • murmur - bans TCP and UDP from the bad host on the default murmur port.
    • sshd filter got new failregex to match "maximum authentication attempts exceeded" (introduced in openssh 6.8)
    • ➕ Added filter for Mac OS screen sharing (VNC) daemon
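
The <known/parameter> interpolation listed under New Features, shown as an added configuration example (not taken from the Fail2Ban project's own files). The filter name example-app, its parameters app_method and baduseragents, the regex and the log path are hypothetical and constructed for illustration; both files are shown in one block.

```ini
# --- filter.d/example-app.conf (hypothetical stock filter, constructed) ---
[Init]
# Init parameters that a jail may override or extend
app_method = GET
baduseragents = IE|wget

[Definition]
# <app_method> and <baduseragents> are filled in from [Init] or from the jail
failregex = ^<HOST> "<app_method> /login" denied useragent=(?:<baduseragents>)$
ignoreregex =

# --- jail.local (no filter.d/example-app.local needed) ---
[example-app]
enabled = true
# Hypothetical log path
logpath = /var/log/example-app/access.log
# Override app_method, and extend the stock user-agent list instead of replacing it:
# <known/baduseragents> expands to the last known init value (IE|wget),
# so the effective alternation becomes badagent|IE|wget.
filter = example-app[app_method=POST, baduseragents="badagent|<known/baduseragents>"]
```

Running fail2ban-regex against a sample log line with the filter is a quick way to confirm that the extended pattern still matches the stock user agents as well as the added one.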

  • ✨ Enhancements

    • 🌲 Do not rotate empty log files
    • ➕ Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59) http://bugs.debian.org/798923
    • ➕ Added openSUSE path configuration (Thanks Johannes Weberhofer)
    • 👍 Allow splitting ignoreip entries by ',' as well as by ' ' (gh-1197)
    • ➕ Added a timeout (3 sec) to urlopen within badips.py action (Thanks M. Maraun)
    • ➕ Added check against attacker's Googlebot PTR fake records (Thanks Pablo Rodriguez Fernandez)
    • ✨ Enhance filter against attacker's Googlebot PTR fake records (gh-1226)
    • 🛠 Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
    • ➕ Added filter for openhab domotic software authentication failure with the rest api and web interface (gh-1223)
    • ➕ Add *_backend options for services to allow distros to set the default backend per service, set default to systemd for Fedora as appropriate
    • 🐎 Performance improvements while monitoring large number of files (gh-1265). Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia
    • Specified that fail2ban is PartOf iptables.service firewalld.service in .service file -- would reload fail2ban if those services are restarted
    • 0️⃣ Provides new default fail2ban_version and interpolation variable fail2ban_agent in jail.conf
    • ✨ Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, and to support multiple instances of postfix having varying suffix (gh-1331) (Thanks Tom Hendrikx)
    • files/gentoo-initd to use start-stop-daemon to robustify restarting the service