Fail2Ban v0.9.4 Release Notes
Release Date: 2016-03-08
Fixes
- roundcube-auth jail typo for logpath
- Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
- filter.d/apache-badbots.conf
  - Updated useragent string regex adding escape for +
- filter.d/mysqld-auth.conf
  - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
- filter.d/sshd.conf
  - Updated "Auth fail" regex for OpenSSH 5.9 and later
- Treat failed and killed execution of commands identically (only different log messages), which addresses different behavior on different exit codes of dash and bash (gh-1155)
- Fix jail.conf.5 man's section (gh-1226)
- Fixed default banaction for allports jails like pam-generic, recidive, etc with new default variable banaction_allports (gh-1216)
- Fixed fail2ban-regex stops working on invalid (wrong encoded) character for python version < 3.x (gh-1248)
- Use postfix_log logpath for postfix-rbl jail
- filters.d/postfix.conf
  - add 'Sender address rejected: Domain not found' failregex
- use fail2ban_agent as user-agent in actions badips, blocklist_de, etc (gh-1271)
- Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
- Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
- Removed compression and rotation count from logrotate (inherit them from the global logrotate config)
New Features
- New interpolation feature for definition config readers - <known/parameter> (means the last known init definition of filters or actions with the name parameter). This interpolation makes it possible to extend the parameters of a stock filter or action directly in a jail inside the jail.local file, without creating a separate filter.d/*.local file. It is an extension to the interpolation %(known/parameter)s, which does not work for filter and action init parameters
- New actions:
  - nftables-multiport and nftables-allports - filtering using the nftables framework. Note: it requires a pre-existing chain for the filtering rule.
- New filters:
  - openhab - domotic software authentication failure with the rest api and web interface (gh-1223)
  - nginx-limit-req - ban hosts that nginx rejected under its request processing rate limit (ngx_http_limit_req_module)
  - murmur - ban hosts that repeatedly attempt to connect to murmur/mumble-server with an invalid server password or certificate.
  - haproxy-http-auth - filter to match failed HTTP Authentications against a HAProxy server
- New jails:
  - murmur - bans TCP and UDP from the bad host on the default murmur port.
- sshd filter got new failregex to match "maximum authentication attempts exceeded" (introduced in openssh 6.8)
- Added filter for Mac OS screen sharing (VNC) daemon
Enhancements
- Do not rotate empty log files
- Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59) http://bugs.debian.org/798923
- Added openSUSE path configuration (Thanks Johannes Weberhofer)
- Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
- Added a timeout (3 sec) to urlopen within badips.py action (Thanks M. Maraun)
- Added check against attacker's Googlebot PTR fake records (Thanks Pablo Rodriguez Fernandez)
- Enhance filter against attacker's Googlebot PTR fake records (gh-1226)
- Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
- Added filter for openhab domotic software authentication failure with the rest api and web interface (gh-1223)
- Add *_backend options for services to allow distros to set the default backend per service, set default to systemd for Fedora as appropriate
- Performance improvements while monitoring large number of files (gh-1265). Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia
- Specified that fail2ban is PartOf iptables.service firewalld.service in .service file -- would reload fail2ban if those services are restarted
- Provides new default fail2ban_version and interpolation variable fail2ban_agent in jail.conf
- Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, and to support multiple instances of postfix having varying suffix (gh-1331) (Thanks Tom Hendrikx)
- files/gentoo-initd to use start-stop-daemon to robustify restarting the service
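
Added example (not fail2ban's own code) for the two Googlebot PTR items above: a forged PTR record can be rejected with forward-confirmed reverse DNS, where the PTR name must fall under a crawler domain and also resolve back to the same address. The suffix list, the function names and the DNS data are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumed hostname suffixes for genuine Google crawlers.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

def reverse_lookup(ip):
    """PTR lookup: hostname for ip, or None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(host):
    """A/AAAA lookup: set of address strings for host (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def is_genuine_googlebot(ip, reverse=reverse_lookup, forward=forward_lookup):
    """True only if the PTR name is a crawler name AND resolves back to ip."""
    host = (reverse(ip) or "").rstrip(".").lower()
    if not host.endswith(CRAWLER_SUFFIXES):
        return False  # no PTR, or PTR outside the crawler domains
    # The PTR record is set by whoever controls the reverse zone of the IP,
    # so it proves nothing until the forward lookup confirms it.
    addr = ipaddress.ip_address(ip)
    for candidate in forward(host):
        try:
            if ipaddress.ip_address(candidate) == addr:
                return True
        except ValueError:
            continue  # skip unparsable entries such as scoped addresses
    return False

# Constructed DNS data (documentation address ranges), so the demo runs offline.
PTR = {"198.51.100.7": "crawl-198-51-100-7.googlebot.com.",
       "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # forged PTR
       "203.0.113.5": "googlebot.com.bad.example"}       # look-alike name
A = {"crawl-198-51-100-7.googlebot.com": {"198.51.100.7"}}

def demo():
    """Classify each constructed client plus one address with no PTR."""
    return {ip: is_genuine_googlebot(ip, PTR.get, lambda h: A.get(h, set()))
            for ip in list(PTR) + ["192.0.2.99"]}

if __name__ == "__main__":
    print(demo())
```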