__ _ _ ___ _
/ _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \
|_| \__,_|_|_/___|_.__/\__,_|_||_|
- circumvent SEGFAULT in a python's socket module by getaddrinfo with disabled IPv6 (gh-3438)
action.d/cloudflare-token.conf
- fixes gh-3479, url-encode args by unbanaction.d/*ipset*
: makemaxelem
ipset option configurable through banaction arguments (gh-3564)
fail2ban-regex
extended to load settings from jail (by simple name it'd prefer jail to the filter now, gh-2655); to load the settings from filter one could use:
- fail2ban-regex ... sshd ; # jail
+ fail2ban-regex ... sshd.conf ; # filter
# or:
+ fail2ban-regex ... filter.d/sshd ; # filter
- better auto-detection for IPv6 support (
allowipv6 = auto
by default), trying to check sysctl net.ipv6.conf.all.disable_ipv6 (value read from/proc/sys/net/ipv6/conf/all/disable_ipv6
) if available, otherwise seeks over local IPv6 from network interfaces if available for platform and uses DNS to find local IPv6 as a fallback only - improve
ignoreself
by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132) action.d/mikrotik.conf
- new action for mikrotik routerOS, adds and removes entries from address lists on the router (gh-2860)action.d/smtp.py
- added optional support for TLS connections via thessl
arg.filter.d/exim.conf
- fixed "dropped: too many ..." regex, also matching unrecognized commands now (gh-3502)filter.d/nginx-forbidden.conf
- new filter to ban forbidden locations, e. g. usingdeny
directive (gh-2226)filter.d/sshd.conf
:- avoid double counting for "maximum authentication attempts exceeded" (gh-3502)
- message "Disconnecting ... Too many authentication failures" is not a failure anymore
- mode
ddos
/aggressive
extended to match new messages caused by port scanner, wrong payload on ssh port (gh-3486):- message authentication code incorrect [preauth]
- connection corrupted [preauth]
- timeout before authentication
- backend
systemd
: code review and several fixes:- wait only if it is necessary, e. g. in operational mode and if no more entries retrieved (end of journal);
- ensure we give enough time after possible rotation, vacuuming or adding/removing journal files, and move cursor back and forth to avoid entering dead space
filter.d/named-refused.conf
:- support BIND named log categories, gh-3388
- allow
info:
as possible error prefix too ("query (cache) denied" may occur as info)
filter.d/dovecot.conf
:- fixes regression introduced in gh-3210: resolve extremely long search by repeated apply of non-greedy RE-part with following branches (it may be extremely slow up to infinite search depending on message), gh-3370
- fixes regression and matches new format in aggressive mode too (amend to gh-3210)
- the minimum supported python version is now 2.7, if you have previous python version you can use the 0.11 version of fail2ban or upgrade python (or even build it from source).
- potential incompatibility by parsing of options of
backend
,filter
andaction
parameters (if they are partially incorrect), because fail2ban could throw an error now (doesn't silently bypass it anymore). - due to fix for CVE-2021-32749 (GHSA-m985-3f3v-cwmm) the mailing action using mailutils may require extra configuration,
if it is not compatible or doesn't support
-E 'set escape'
(e. g. withmailcmd
parameter), see gh-3059 - automatic invocation of 2to3 is removed in setup now (gh-3098), there is also no option
--disable-2to3
anymore,./fail2ban-2to3
should be called outside before setup - to v.0.11:
- due to change of
actioncheck
behavior (gh-488), some actions can be incompatible as regards the invariant check, ifactionban
oractionunban
would not throw an error (exit code different from 0) in case of unsane environment. - actions that have used tag
<ip>
(instead of<fid>
or<F-ID>
) to get failure-ID may become incompatible, if filter uses IP-related tags (like<ADDR>
or<HOST>
) additionally to<F-ID>
and the values are different (gh-3217)
- due to change of
- theoretical RCE vulnerability in mailing action using mailutils (mail-whois), CVE-2021-32749, GHSA-m985-3f3v-cwmm
- readline fixed to consider interim new-line character as part of code point in multi-byte logs (e. g. unicode encoding like utf-16be, utf-16le);
- [stability] solves race condition with uncontrolled growth of failure list (jail with too many matches, that did not cause ban), behavior changed to ban ASAP, gh-2945
- fixes search for the best datepattern - e. g. if line is too short, boundaries check for previously known imprecise pattern may fail on incomplete lines (logging break-off, no flush, etc), gh-3020
- [stability, performance] backend
systemd
:- fixes error "local variable 'line' referenced before assignment", introduced in 55d7d9e2, gh-3097
- don't update database too often (every 10 ticks or ~ 10 seconds in production)
- fixes wrong time point of "in operation" mode, gh-2882
- better avoidance of landing in dead space by seeks over journals (improved seek to time)
- fixes missing space in message (tag
<matches>
) between timestamp and host if the message read from systemd journal, gh-3293
- [stability] backend
pyinotify
: fixes sporadic runtime error "dictionary changed size during iteration" - several backends optimizations (in file and journal filters):
- don't need to wait if we still had log-entries from last iteration (which got interrupted for servicing)
- rewritten update log/journal position, it is more stable and faster now (fewer DB access and surely up-to-date at end)
paths-debian.conf
:- add debian path to roundcube error logs
action.d/firewallcmd-*.conf
(multiport only): fixed port range selector, replacing:
with-
;" reverted the incompatibility gh-3047 introduced in a038fd5, gh-2821, because this depends now on firewalld backend (e. g.-
vs.:
related toiptables
vs.nftables
)action.d/nginx-block-map.conf
: reload nginx only if it is running (also avoid error in nginx-errorlog, gh-2949)action.d/ufw.conf
:- fixed handling on IPv6 (using prepend, gh-2331, gh-3018)
- application names containing spaces can be used now (gh-656, gh-1532, gh-3018)
filter.d/apache-fakegooglebot.conf
:- better, more precise regex and datepattern (closes possible weakness like gh-3013)
filter.d/ignorecommands/apache-fakegooglebot
- added timeout parameter (default 55 seconds), avoid fail with timeout (default 1 minute) by reverse lookup on some slow DNS services (googlebots must be resolved fast), gh-2951
filter.d/apache-overflows.conf
- extended to match AH00126 error (Invalid URI ...), gh-2908filter.d/asterisk.conf
- add transport to asterisk RE: call rejection messages can have the transport prefixed to the IP address, gh-2913filter.d/courier-auth.conf
:- consider optional port after IP, gh-3211
- regex is rewritten without catch-all's and right anchor, so it is more stable against further modifications now
filter.d/dovecot.conf
:- adjusted for updated dovecot log format with
read(size=...)
in message (gh-3210) - parse everything in parenthesis by auth-worker info, e. g. can match (pid=...,uid=...) too (amend to gh-2553)
- extended to match prefix like
conn unix:auth-worker (uid=143): auth-worker<13247>:
(authenticate from external service like exim), gh-2553 - fixed "Authentication failure" regex, matches "Password mismatch" in title case (gh-2880)
- adjusted for updated dovecot log format with
filter.d/drupal-auth.conf
- more strict regex, extended to match "Login attempt failed from" (gh-2742)filter.d/exim-common.conf
- pid-prefix extended to matchmx1 exim[...]:
(gh-2553)filter.d/lighttpd-auth.conf
- adjusted to the current source code + avoiding catch-all's, etc (gh-3116)filter.d/named-refused.conf
:- added support for alternate names (suffix), FreeIPA renames the BIND9 named daemon to named-pkcs11, gh-2636
- fixes prefix for messages from systemd journal (no mandatory space ahead, because don't have timestamp), gh-2899
filter.d/nginx-*.conf
- added journalmatch to nginx filters, gh-2935filter.d/nsd.conf
- support for current log format, gh-2965filter.d/postfix.conf
: fixes and new vectors, review and combining several regex to single RE:- mode
ddos
(andaggressive
) extended:- to consider abusive handling of clients hitting command limit, gh-3040
- to handle postscreen's PREGREET and HANGUP messages, gh-2898
- matches rejects with "undeliverable address" (sender/recipient verification) additionally to "Unknown user", gh-3039
both are configurable now via extended parameter and can be disabled using
exre-user=
supplied in filter parameters - reject: BDAT/DATA from, gh-2927
- (since regex is more precise now) token selector changed to
[A-Z]{4}
, e. g. no matter what a command is supplied now (RCPT, EHLO, VRFY, DATA, BDAT or something else) - matches "Command rejected" and "Data command rejected" now
- matches RCPT from unknown, 504 5.5.2, need fully-qualified hostname, gh-2995
- matches 550 5.7.25 Client host rejected, gh-2996
- mode
filter.d/sendmail-auth.conf
:- detect several "authentication failure" messages, sendmail 8.16.1, gh-2757
- detect user not found, gh-3030
- detect failures without user part, gh-3324
filter.d/sendmail-reject.conf
:- fix reverse DNS for ... (gh-3012)
- fixed regex to consider "Connection rate limit exceeded" with different combination of arguments
filter.d/sshd.conf
:- mode
ddos
extended - recognizes messages "kex_exchange_identification: Connection closed / reset by pear", gh-3086 (fixed possible regression of f77398c) - mode
ddos
extended - recognizes new message "banner exchange: invalid format" generated by port scanner (https payload on ssh port), gh-3169
- mode
filter.d/zoneminder.conf
- support new log format (ERR instead of WAR), add detection of non-existent user login attempts, gh-2984- amend to gh-980 fixing several actions (correctly supporting new enhancements now)
- fixed typo by
--dump-pretty
option which did never work (only--dp
was working) - fixes start of fail2ban-client in docker: speedup daemonization process by huge open files limit, gh-3334
- provides details of failed regex compilation in the error message we throw in Regex-constructor (it's good to know what exactly is wrong)
- fixed failed update of database didn't signal with an error, gh-3352:
- client and server exit with error code by failure during start process (in foreground mode)
- added fallback to repair if database cannot be upgraded
- python 3.10 and 3.11 compatibility (and GHA-CI support)
actioncheck
behavior is changed now (gh-488), so invariant check as well as restore or repair of sane environment (in case of recognized unsane state) would only occur on action errors (e. g. if ban or unban operations are exiting with other code as 0)- better recognition of log rotation, better performance by reopen: avoid unnecessary seek to begin of file (and hash calculation)
- file filter reads only complete lines (ended with new-line) now, so waits for end of line (for its completion)
- datedetector:
- token
%Z
must recognize zone abbreviationZ
(GMT/UTC) also (similar to%z
) - token
%Z
recognizes all known zone abbreviation besides Z, GMT, UTC correctly, if it is matching (%z
remains unchanged for backwards-compatibility, see comment in code) - date patterns
%ExY
and%Exy
accept every year from 19xx up to current century (+3 years) infail2ban-regex
- better grouping algorithm for resulting century RE for
%ExY
and%Exy
- token
- actions differentiate tags
<ip>
and<fid>
(<F-ID>
), if IP-address deviates from ID then the value of<ip>
is not equal<fid>
anymore (gh-3217) - action info extended with new members for jail info (usable as tags in command actions), gh-10:
<jail.found>
,<jail.found_total>
- current and total found failures<jail.banned>
,<jail.banned_total>
- current and total bans
filter.d/monitorix.conf
- added new filter and jail for Monitorix, gh-2679filter.d/mssql-auth.conf
- new filter and jail for Microsoft SQL Server, gh-2642filter.d/nginx-bad-request.conf
- added filter to find bad requests (400), gh-2750filter.d/nginx-http-auth.conf
- extended with parameter mode, so additionally toauth
(ornormal
) modefallback
(or combined asaggressive
) can find SSL errors while SSL handshaking, gh-2881filter.d/scanlogd.conf
- new filter and jail, add support for filtering out detected port scans via scanlogd, gh-2950action.d/apprise.conf
- added Apprise support (50+ Notifications), gh-2565action.d/badips.*
- removed actions, badips.com is no longer active, gh-2889action.d/cloudflare.conf
- better IPv6 capability, gh-2891action.d/cloudflare-token.conf
- added support for Cloudflare Token APIs. This method is more restrictive and therefore safter than using API Keys.action.d/ipthreat.conf
- new action for IPThreat integration, gh-3349action.d/ufw.conf
(gh-3018):- new option
add
(defaultprepend
), can be supplied asinsert 1
for ufw versions before v.0.36 (gh-2331, gh-3018) - new options
kill-mode
andkill
to drop established connections of intruder (see action for details, gh-3018)
- new option
iptables
andiptables-ipset
actions extended to support multiple protocols with single action for multiport or oneport type (back-ported from nftables action);iptables
actions are more breakdown-safe: start wouldn't fail if chain or rule already exists (e. g. created by previous instance and doesn't get purged properly); ultimately closes gh-980ipset
actions are more breakdown-safe: start wouldn't fail if set with this name already exists (e. g. created by previous instance and don't deleted properly)- replace internals of several
iptables
andiptables-ipset
actions using internals of iptables include:- better check mechanism (using
-C
, option--check
is available long time); - additionally iptables-ipset is a common action for
iptables-ipset-proto6-*
now (which become obsolete now); - many features of different iptables actions are combinable as single chain/rule (can be supplied to action as parameters);
- iptables is a replacement for iptables-common now, several actions using this as include now become obsolete;
- better check mechanism (using
- new logtarget SYSTEMD-JOURNAL, gh-1403
- fail2ban.conf: new fail2ban configuration option
allowipv6
(defaultauto
), can be used to allow or disallow IPv6 interface in fail2ban immediately by start (e. g. if fail2ban starts before network interfaces), gh-2804 - invalidate IP/DNS caches by reload, so inter alia would allow to recognize IPv6IsAllowed immediately, previously retarded up to cache max-time (5m), gh-2804
- OpenRC (Gentoo, mainly) service script improvements, gh-2182
- suppress unneeded info "Jail is not a JournalFilter instance" (moved to debug level), gh-3186
- implements new interpolation variable
%(fail2ban_confpath)s
(automatically substituted from config-reader path, default/etc/fail2ban
or/usr/local/etc/fail2ban
depending on distribution);ignorecommands_dir
is unneeded anymore, thus removed frompaths-common.conf
, fixes gh-3005 fail2ban-regex
: accepts filter parameters containing new-line
- to v.0.10:
- 0.11 is totally compatible to 0.10 (configuration- and API-related stuff), but the database got some new tables and fields (auto-converted during the first start), so once updated to 0.11, you have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (or its different to 0.10 schema) if you would need to downgrade to 0.10 for some reason.
- to v.0.9:
-
Filter (or
failregex
) internal capture-groups:-
If you've your own
failregex
or custom filters using conditional match(?P=host)
, you should rewrite the regex like in example below resp. using(?:(?P=ip4)|(?P=ip6)
instead of(?P=host)
(or(?:(?P=ip4)|(?P=ip6)|(?P=dns))
corresponding yourusedns
andraw
settings).Of course you can always define your own capture-group (like below
_cond_ip_
) to do this.testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
-
New internal groups (currently reserved for internal usage):
ip4
,ip6
,dns
,fid
,fport
, additionallyuser
and another captures in lower case if mapping from tag<F-*>
used in failregex (e. g.user
by<F-USER>
).
-
-
v.0.10 and 0.11 use more precise date template handling, that can be theoretically incompatible to some user configurations resp.
datepattern
. -
Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are IPv6-capable now.
-
- [stability] prevent race condition - no ban if filter (backend) is continuously busy if too many messages will be found in log, e. g. initial scan of large log-file or journal (gh-2660)
- pyinotify-backend sporadically avoided initial scanning of log-file by start
- python 3.9 compatibility (and Travis CI support)
- restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
- manual ban is written to database, so can be restored by restart (gh-2647)
jail.conf
: don't specifyaction
directly in jails (useaction_
orbanaction
instead)- no mails-action added per default anymore (e. g. to allow that
action = %(action_mw)s
should be specified per jail or in default section in jail.local), closes gh-2357 - ensure we've unique action name per jail (also if parameter
actname
is not set but name deviates from standard name, gh-2686) - don't use
%(banaction)s
interpolation because it can be complex value (containing[...]
and/or quotes), so would bother the action interpolation - fixed type conversion in config readers (take place after all interpolations get ready), that allows to specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
action.d/*-ipset*.conf
: several ipset actions fixed (no timeout per default anymore), so no discrepancy between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh-2703)action.d/cloudflare.conf
: fixedactionunban
(considering new-line chars and optionally real json-parsing withjq
, gh-2140, gh-2656)action.d/nftables.conf
(type=multiport only): fixed port range selector, replacing:
with-
(gh-2763)action.d/firewallcmd-*.conf
(multiport only): fixed port range selector, replacing:
with-
(gh-2821)action.d/bsd-ipfw.conf
: fixed selection of rule-no by large list or initiallowest_rule_num
(gh-2836)filter.d/common.conf
: avoid substitute of default values in relatedlt_*
section,__prefix_line
should be interpolated in definition section (inside the filter-config, gh-2650)filter.d/dovecot.conf
:- add managesieve and submission support (gh-2795);
- accept messages with more verbose logging (gh-2573);
filter.d/courier-smtp.conf
: prefregex extended to consider port in log-message (gh-2697)filter.d/traefik-auth.conf
: filter extended with parameter mode (normal
,ddos
,aggressive
) to handle the match of username differently (gh-2693):normal
: matches 401 with supplied username onlyddos
: matches 401 without supplied username onlyaggressive
: matches 401 and any variant (with and without username)
filter.d/sshd.conf
: normalizing of user pattern in all RE's, allowing empty user (gh-2749)
- fail2ban-regex:
- speedup formatted output (bypass unneeded stats creation)
- extended with prefregex statistic
- more informative output for
datepattern
(e. g. set from filter) - pattern : description
- parsing of action in jail-configs considers space between action-names as separator also
(previously only new-line was allowed), for example
action = a b
would specify 2 actionsa
andb
- new filter and jail for GitLab recognizing failed application logins (gh-2689)
- new filter and jail for Grafana recognizing failed application logins (gh-2855)
- new filter and jail for SoftEtherVPN recognizing failed application logins (gh-2723)
filter.d/guacamole.conf
extended withlogging
parameter to follow webapp-logging if it's configured (gh-2631)filter.d/bitwarden.conf
enhanced to support syslog (gh-2778)- introduced new prefix
{UNB}
fordatepattern
to disable word boundaries in regex; - datetemplate: improved anchor detection for capturing groups
(^...)
; - datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc)
as well as some warnings signaling user about invalid pattern or zone (gh-2814):
- filter gets mode in-operation, which gets activated if filter starts processing of new messages;
in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
bypass of failure (previously exceeding
findtime
); - better interaction with non-matching optional datepattern or invalid timestamps;
- implements special datepattern
{NONE}
- allow to find failures totally without date-time in log messages, whereas filter will use now as timestamp (gh-2802)
- filter gets mode in-operation, which gets activated if filter starts processing of new messages;
in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
bypass of failure (previously exceeding
- performance optimization of
datepattern
(better search algorithm in datedetector, especially for single template); - fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh-2791;
- extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag
prefix
<F-TUPLE_
, that would combine value of<F-V>
with all value of<F-TUPLE_V?_n?>
tags (gh-2755)
- purge database will be executed now (within observer).
- restoring currently banned ip after service restart fixed (now < timeofban + bantime), ignore old log failures (already banned)
- upgrade database: update new created table
bips
with entries from tablebans
(allows restore current bans after upgrade from version <= 0.10)
- Increment ban time (+ observer) functionality introduced.
- Database functionality extended with bad ips.
- New tags (usable in actions):
<bancount>
- ban count of this offender if known as bad (started by 1 for unknown)<bantime>
- current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
- Introduced new action command
actionprolong
to prolong ban-time (e. g. set new timeout if expected); Several actions (like ipset, etc.) rewritten using net logic withactionprolong
. Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).
- algorithm of restore current bans after restart changed: update the restored ban-time (and therefore end of ban) of the ticket with ban-time of jail (as maximum), for all tickets with ban-time greater (or persistent); not affected if ban-time of the jail is unchanged between stop/start.
- added new setup-option
--without-tests
to skip building and installing of tests files (gh-2287). - added new command
fail2ban-client get <JAIL> banip ?sep-char|--with-time?
to get the banned ip addresses (gh-1916).
Yes, Hrrrm...
- [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixed in gh-2444 in order to ignore user session files per default, so could prevent "Too many open files" errors on a lot of user sessions (see gh-2392)
- [grave] fixed parsing of multi-line filters (
maxlines
> 1) together with systemd backend, now systemd-filter replaces newlines in message from systemd journal with\n
(otherwise multi-line parsing may be broken, because removal of matched string from multi-line buffer window is confused by such extra new-lines, so they are retained and got matched on every followed message, see gh-2431) - [stability] prevent race condition - no unban if the bans occur continuously (gh-2410); now an unban-check will happen not later than 10 tickets get banned regardless there are still active bans available (precedence of ban over unban-check is 10 now)
- fixed read of included config-files (
.local
overwrites options of.conf
for config-files included with before/after) action.d/abuseipdb.conf
: switched to use AbuseIPDB API v2 (gh-2302)action.d/badips.py
: fixed start of banaction on demand (which may be IP-family related), gh-2390action.d/helpers-common.conf
: rewritten grep arguments, now options-wF
used to match only whole words and fixed string (not as pattern), gh-2298filter.d/apache-auth.conf
:- ignore errors from mod_evasive in
normal
mode (mode-controlled now) (gh-2548); - extended with option
mode
-normal
(default) andaggressive
- ignore errors from mod_evasive in
filter.d/sshd.conf
:- matches
Bad protocol version identification
inddos
andaggressive
modes (gh-2404). - captures
Disconnecting ...: Change of username or service not allowed
(gh-2239, gh-2279) - captures
Disconnected from ... [preauth]
, preauth phase only, different handling byextra
(with supplied user only) andddos
/aggressive
mode (gh-2115, gh-2239, gh-2279)
- matches
filter.d/mysqld-auth.conf
:- MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words enclosed in brackets after "[Note]" (gh-2314)
filter.d/sendmail-reject.conf
:mode=extra
now captures port IDs ofTLSMTA
andMSA
(defaults for ports 465 and 587 on some distros)
files/fail2ban.service.in
: fixed systemd-unit template - missing nftables dependency (gh-2313)- several
action.d/mail*
: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341) filter.d/sendmail-reject.conf
: fixed journal usage for some systems (e. g. CentOS): if only identifier set tosm-mta
(no unitsendmail
) for some messages (gh-2385)filter.d/asterisk.conf
: asterisk can log additional timestamp if logs into systemd-journal (regex extended with optional part matching this, gh-2383)filter.d/postfix.conf
:- regexp's accept variable suffix code in status of postfix for precise messages (gh-2442)
- extended with new postfix filter mode
errors
to match "too many errors" (gh-2439), also included within modesnormal
,more
(extra
andaggressive
), since postfix parametersmtpd_hard_error_limit
is default 20 (additionally considermaxretry
)
filter.d/named-refused.conf
:- support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
prefregex
extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
filter.d/sendmail-auth.conf
,filter.d/sendmail-reject.conf
:- ID in prefix can be longer as 14 characters (gh-2563);
- all filters would accept square brackets around IPv4 addresses also (e. g. monit-filter, gh-2494)
- avoids unhandled exception during flush (gh-2588)
- fixes pass2allow-ftp jail - due to inverted handling, action should prohibit access per default for any IP, therefore reset start on demand parameter for this action (it will be started immediately by repair);
- auto-detection of IPv6 subsystem availability (important for not on-demand actions or jails, like pass2allow);
- new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559):
<CIDR>
- helper regex to match CIDR (simple integer form of net-mask);<SUBNET>
- regex to match sub-net addresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
- grouped tags (
<ADDR>
,<HOST>
,<SUBNET>
) recognize IP addresses enclosed in square brackets - new failregex-flag tag
<F-MLFGAINED>
for failregex, signaled that the access to service was gained (ATM used similar to tag<F-NOFAIL>
, but it does not add the log-line to matches, gh-2279) - filters: introduced new configuration parameter
logtype
(defaultfile
for file-backends, andjournal
for journal-backends, gh-2387); can be also set torfc5424
to force filters (which include common.conf) to use RFC 5424 conform prefix-line per default (gh-2467); - for better performance and safety the option
logtype
can be also used to select short prefix-line for file-backends too for all filters using__prefix_line
(common.conf
), if message logged only withhostname svc[nnnn]
prefix (often the case on several systems):
[jail]
backend = auto
filter = flt[logtype=short]
filter.d/common.conf
: differentiate__prefix_line
for file/journal logtype's (speedup and fix parsing of systemd-journal);filter.d/traefik-auth.conf
: used to ban hosts, that were failed through traefikfilter.d/znc-adminlog.conf
: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded
- introduced new options:
dbmaxmatches
(fail2ban.conf) andmaxmatches
(jail.conf) to control how many matches per ticket fail2ban can hold in memory and store in database (gh-2402, gh-2118); - fail2ban.conf: introduced new section
[Thread]
and optionstacksize
to configure default size of the stack for threads running in fail2ban (gh-2356), it could be set infail2ban.local
to avoid runtime error "can't start new thread" (see gh-969); - jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations containing new-line);
- fail2ban-client: extended to ban/unban multiple tickets (see gh-2351, gh-2349);
Syntax:
fail2ban-client set <jain> banip <ip1> ... <ipN>
fail2ban-client set <jain> unbanip [--report-absent] <ip1> ... <ipN>
- fail2ban-client: extended with new feature which allows to inform fail2ban about single or multiple
attempts (failure) for IP (resp. failure-ID), see gh-2351;
Syntax:
fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]
action.d/nftables.conf
:- isolate fail2ban rules into a dedicated table and chain (gh-2254)
nftables-allports
supports multiple protocols in single rule now- combined nftables actions to single action
nftables
:nftables-common
is removed (replaced with single actionnftables
now)nftables-allports
is obsolete, superseded bynftables[type=allports]
nftables-multiport
is obsolete, superseded bynftables[type=multiport]
- allowed multiple protocols in
nftables[type=multiport]
action (single set with multiple rules in chain), following configuration in jail would replace 3 separate actions, see fail2ban#2254 (comment)
action.d/badips.py
: optionloglevel
extended with level of summary message, following example configuration logging summary with NOTICE and rest with DEBUG log-levels:action = badips.py[loglevel="debug, notice"]
- samplestestcase.py (testSampleRegexsFactory) extended:
- allow coverage of journal logtype;
- new option
fileOptions
to set common filter/test options for whole test-file;
- large enhancement: auto-reban, improved invariant check and conditional operations (gh-2588):
- improves invariant check and repair (avoid unhandled exception, consider family on conditional operations, etc), prepared for bulk re-ban in repair case (if bulk-ban becomes implemented);
- automatic reban (repeat banning action) after repair/restore sane environment, if already logged ticket causes
new failures (via new action operation
actionreban
oractionban
if still not defined in action);
- introduces banning epoch for actions and tickets (to distinguish or recognize removed set of the tickets);
- invariant check avoids repair by unban/stop (unless parameter
actionrepair_on_unban
set totrue
); - better handling for all conditional operations (distinguish families for certain operations like repair/flush/stop, prepared for other families, e. g. if different handling for subnets expected, etc);
- partially implements gh-980 (more breakdown safe handling);
- closes gh-1680 (better as large-scale banning implementation with on-demand reban by failure, at least unless a bulk-ban gets implemented);
- fail2ban-regex - several enhancements and fixes:
- improved usage output (don't put a long help if an error occurs);
- new option
--no-check-all
to avoid check of all regex's (first matched only); - new option
-o
,--out
to set token only provided in output (disables check-all and outputs only expected data).
filter.d/dovecot.conf
:- failregex enhancement to catch sql password mismatch errors (gh-2153);
- disconnected with "proxy dest auth failed" (gh-2184);
filter.d/freeswitch.conf
:- provide compatibility for log-format from gh-2193:
- extended with new default date-pattern
^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
to coverYYYY-mm-dd HH:MM::SS.ms
as well asmm-dd HH:MM::SS.ms
(so year is optional); - more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
- extended with new default date-pattern
- extended with mode parameter, allows to avoid matching of messages like
auth challenge (REGISTER)
(see gh-2163) (currentlyextra
as default to be backwards-compatible), see comments in filter how to set it to modenormal
.
- provide compatibility for log-format from gh-2193:
filter.d/domino-smtp.conf
:- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
- failregex extended to catch connections rejected for policy reasons (gh-2228);
action.d/hostsdeny.conf
: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions), see gh-2114;- decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
- fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
UTF-8
in opposite toascii
previously, so minimizes influence of implicit conversions errors; - actions: avoid possible conversion errors on wrong-chars by replace tags;
- database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database; additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
- logging in fail2ban is process-wide exception-safe now.
- fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
- repaired start-time of initial seek to time (as well as other log-parsing related data),
if parameter
logpath
specified beforefindtime
,backend
,datepattern
, etc (gh-2173) - systemd: fixed type error on option
journalflags
: an integer is required (gh-2125);
- new option
ignorecache
to improve performance of ignore failure check (using caching ofignoreip
,ignoreself
andignorecommand
), seeman jail.conf
for syntax-example; ignorecommand
extended to use actions-similar replacement (capable to interpolate all possible tags like<ip-host>
,<family>
,<fid>
,F-USER
etc.)
filter.d/dovecot.conf
: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)- since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
additionally option
-V
can be used to get version in normalized machine-readable short format.
- fixed JSON serialization for the set-object within dump into database (gh-2103).
filter.d/asterisk.conf
: fixed failregex prefix by log over remote syslog server (gh-2060);filter.d/exim.conf
: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);filter.d/recidive.conf
: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;filter.d/sendmail-auth.conf
,filter.d/sendmail-reject.conf
:- fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064);
filter.d/sshd.conf
:- failregex got an optional space in order to match new log-format (see gh-2061);
- fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
- fixed root login refused regex (optional port before preauth, gh-2080);
- avoid banning of legitimate users when pam_unix used in combination with other password method, so bypass pam_unix failures if accepted available for this user gh-2070;
- amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediately);
- mode
ddos
(andaggressive
) extended to catchConnection closed by ... [preauth]
, so in DDOS mode it counts failure on closing connection within preauth-stage (gh-2085);
action.d/abuseipdb.conf
: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);action.d/badips.py
: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);action.d/hostsdeny.conf
: fixed IPv6 syntax (enclosed in square brackets, gh-2066);- (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
- several stability and performance optimizations, more effective filter parsing, etc;
- stable runnable within python versions 3.6 (as well as within 3.7-dev);
filter.d/apache-auth.conf
: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);filter.d/apache-noscript.conf
: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);- date-detector extended with long epoch (
LEPOCH
) to parse milliseconds/microseconds posix-dates (gh-2029); - possibility to specify own regex-pattern to match epoch date-time, e. g.
^\[{EPOCH}\]
or^\[{LEPOCH}\]
(gh-2038); the epoch-pattern similar to{DATE}
patterns does the capture and cuts out the match of whole pattern from the log-line, e. g. date-pattern^\[{LEPOCH}\]\s+:
will match and cut out[1516469849551000] :
from begin of the log-line. - badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
- add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
- Introduced new parameter
padding
for logging within fail2ban-server (default on, excepting SYSLOG): Usagelogtarget = target[padding=on|off]
- The configuration for jails using banaction
pf
can be incompatible after upgrade, because pf-action uses anchors now (seeaction.d/pf.conf
for more information). If you want use obsolete handling without anchors, just rewrite it in thejail.local
by overwrite ofpfctl
parameter, e. g. likebanaction = pf[pfctl="pfctl"]
.
- Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
- Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
- jail.conf: port
imap3
replaced withimap
everywhere, since imap3 is not a standard port and old rarely (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942. - config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf) in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
action.d/pf.conf
:- fixed syntax error in achnor definition (documentation, see gh-1919);
- enclose ports in braces for multiport jails (see gh-1925);
action.d/firewallcmd-ipset.conf
: fixed create of set for ipv6 (missingfamily inet6
, gh-1990)filter.d/sshd.conf
:- extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
- fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
- datedetector: extended default date-patterns (allows extra space between the date and time stamps);
introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
- %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock, (corresponds %H, but allows space if not zero-padded).
- %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock, (corresponds %I, but allows space if not zero-padded).
filter.d/exim.conf
: added modeaggressive
to ban flood resp. DDOS-similar failures (gh-1983);- New Actions:
action.d/nginx-block-map.conf
- in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file);
- jail.conf: extended with new parameter
mode
for the filters supporting it (gh-1988); - action.d/pf.conf: extended with bulk-unban, command
actionflush
in order to flush all bans at once. - Introduced new parameters for logging within fail2ban-server (gh-1980).
Usage
logtarget = target[facility=..., datetime=on|off, format="..."]
:facility
- specify syslog facility (defaultdaemon
, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler for the list of facilities);datetime
- add date-time to the message (default on, ignored ifformat
specified);format
- specify own format how it will be logged, for example for short-log into STDOUT:fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start
;
- Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 'database disk image is malformed'). Fail2ban will create a backup, try to repair the database, if repair fails - recreate new database (gh-1465, gh-2004).
-
fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
-
jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
-
avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables 'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
-
action.d/pf.conf: several fixes for pf-action like anchoring, etc. (see gh-1866, gh-1867);
-
fixed ignoreself issue "Retrieving own IPs of localhost failed: inet_pton() argument 2 must be string, not int" (see gh-1865);
-
fixed tags
<fq-hostname>
and<sh-hostname>
, could be used without ticket (a. g. inactionstart
etc., gh-1859). -
setup.py: fixed several setup facilities (gh-1874):
- don't check return code by dry-run: returns 256 on some python/setuptool versions;
files/fail2ban.service
renamed as template tofiles/fail2ban.service.in
;- setup process generates
build/fail2ban.service
fromfiles/fail2ban.service.in
using distribution related bin-path; - bug-fixing by running setup with option
--dry-run
;
- introduced new command-line options
--dp
,--dump-pretty
to dump the configuration using more human readable representation (opposite to-d
);
- nftables actions are IPv6-capable now (gh-1893)
- filter.d/dovecot.conf: introduced mode
aggressive
for cases like "disconnected before auth was ready" (gh-1880)
TODO: implementing of options resp. other tasks from PR #1346 documentation should be extended (new options, etc)
filter.d/apache-auth.conf
:- better failure recognition using short form of regex (url/referer are foreign inputs, see gh-1645)
filter.d/apache-common.conf
(filter.d/apache-*.conf
):- support of apache log-format if logging into syslog/systemd (gh-1695), using parameter
logging
, parameter usage for jail: filter = apache-auth[logging=syslog] parameter usage forapache-common.local
: logging = syslog
- support of apache log-format if logging into syslog/systemd (gh-1695), using parameter
filter.d/pam-generic.conf
:- [grave] injection on user name to host fixed
filter.d/sshd.conf
:- rewritten using
prefregex
and used MLFID-related multi-line parsing (by using tag<F-MLFID>
instead of buffering withmaxlines
); - optional parameter
mode
rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details)
- rewritten using
filter.d/sendmail-reject.conf
:- rewritten using
prefregex
and used MLFID-related multi-line parsing; - optional parameter
mode
introduced: normal (default), extra or aggressive
- rewritten using
filter.d/haproxy-http-auth
: do not mistake client port for part of an IPv6 address (gh-1745)filter.d/postfix.conf
:- updated to latest postfix formats
- joined several postfix filter together (normalized and optimized version, gh-1825)
- introduced new parameter
mode
(see gh-1825): more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) - postfix postscreen (resp. other RBL's compatibility fix, gh-1764, gh-1825)
filter.d/postfix-rbl.conf
: removed (replaced withpostfix[mode=rbl]
)filter.d/postfix-sasl.conf
: removed (replaced withpostfix[mode=auth]
)filter.d/roundcube-auth.conf
:- fixed regex when
X-Real-IP
or/andX-Forwarded-For
are present after host (gh-1303); - fixed regex when logging authentication errors to journal instead to a local file (gh-1159);
- additionally fixed more complex injections on username (e. g. using dot after fake host).
- fixed regex when
filter.d/ejabberd-auth.conf
: fixed failregex - accept new log-format (gh-993)action.d/complain.conf
- fixed using new tag
<ip-rev>
(sh/dash compliant now)
- fixed using new tag
action.d/sendmail-geoip-lines.conf
- fixed using new tag
<ip-host>
(without external command execution)
- fixed using new tag
- fail2ban-regex: fixed matched output by multi-line (buffered) parsing
- fail2ban-regex: support for multi-line debuggex URL implemented (gh-422)
- fixed ipv6-action errors on systems not supporting ipv6 and vice versa (gh-1741)
- fixed directory-based log-rotate for pyinotify-backend (gh-1778)
-
New Actions:
-
New Filters:
- Introduced new filter option
prefregex
for pre-filtering using single regular expression (gh-1698); - Many times faster and fewer CPU-hungry because of parsing with
maxlines=1
, so without line buffering (scrolling of the buffer-window). Combination of tags<F-MLFID>
and<F-NOFAIL>
can be used now to process multi-line logs using single-line expressions:- tag
<F-MLFID>
: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by<F-MLFID>(?:conn-id)</F-MLFID>
, see sshd.conf for example); - tag
<F-MLFFORGET>
: can be used as mark to forget current multi-line MLFID (e. g. by connection closed, reset or disconnect etc); - tag
<F-NOFAIL>
: used as mark for no-failure (helper to accumulate common failure-info, e. g. from lines that contain IP-address); Opposite to obsolete multi-line parsing (using buffering withmaxlines
) it is more precise and can recognize multiple failure attempts within the same connection (MLFID).
- tag
- Several filters optimized with pre-filtering using new option
prefregex
, and multiline filter using<F-MLFID>
+<F-NOFAIL>
combination; - Exposes filter group captures in actions (non-recursive interpolation of tags
<F-...>
, see gh-1698, gh-1110) - Some filters extended with user name (can be used in gh-1243 to distinguish IP and user, resp. to remove after success login the user-related failures only);
- Safer, more stable and faster replaceTag interpolation (switched from cycle over all tags to re.sub with callable)
- substituteRecursiveTags optimization + moved in helpers facilities (because currently used commonly in server and in client)
- New tags (usable in actions):
<fid>
- failure identifier (if raw resp. failures without IP address)<ip-rev>
- PTR reversed representation of IP address<ip-host>
- host name of the IP address<bancount>
- ban count of this offender if known as bad (started by 1 for unknown)<bantime>
- current ban-time of the ticket (prolongation can be retarded up to 10 sec.)<F-...>
- interpolates to the corresponding filter group capture...
<fq-hostname>
- fully-qualified name of host (the same as$(hostname -f)
)<sh-hostname>
- short hostname (the same as$(uname -n)
)
- Introduced new action command
actionprolong
to prolong ban-time (e. g. set new timeout if expected); Several actions (like ipset, etc.) rewritten using net logic withactionprolong
. Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local). - Allow to use filter options by
fail2ban-regex
, example: fail2ban-regex text.log "sshd[mode=aggressive]" - Samples test case factory extended with filter options - dict in JSON to control filter options (e. g. mode, etc.):
- Introduced new jail option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true). Fail2ban will not ban a host which matches such addresses. Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
- Regex will be compiled as MULTILINE only if needed (buffering with
maxlines
> 1), that enables:- to improve performance by the single line parsing (see gh-1733);
- make regex more precise (because distinguish between anchors
^
/$
for the begin/end of string and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow the parsing of log-entries contain new-line chars (as single entry); - if multiline regex however expected (by single-line parsing without buffering) - prefix
(?m)
could be used in regex to enable it;
- Implemented execution of
actionstart
on demand (conditional), if action depends onfamily
(gh-1742):- new action parameter
actionstart_on_demand
(bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameterparam?family=...
presents in action properties), seeaction.d/pf.conf
for example; - additionally
actionstop
will be executed only for families previously executingactionstart
(starting on demand only)
- new action parameter
- Introduced new command
actionflush
: executed in order to flush all bans at once e. g. by unban all, reload with removing action, stop, shutdown the system (gh-1743), the actions havingactionflush
do not executeactionunban
for each single ticket - Add new command
actionflush
default for several iptables/iptables-ipset actions (and common include); - Add new jail option
logtimezone
to force the timezone on log lines that don't have an explicit one (gh-1773) - Implemented zone abbreviations (like CET, CEST, etc.) and abbr+-offset functionality (accept zones like 'CET+0100'), for the list of abbreviations see strptime.TZ_STR;
- Introduced new option
--timezone
(resp.--TZ
) forfail2ban-regex
. - Tokens
%z
and%Z
are changed (more precise now); - Introduced new tokens
%Exz
and%ExZ
that fully support zone abbreviations and/or offset-based zones (implemented as enhancement using customdatepattern
, because may be too dangerous for default patterns and tokens like%z
); Note: the extended tokens supported zone abbreviations, but it can parse 1 or 3-5 char(s) in lowercase. Don't use them in default date-patterns (if not anchored, few precise resp. optional). Because python currently does not support mixing of case-sensitive with case-insensitive matching, the TZ (in uppercase) cannot be combined with%a
/%b
etc (that are currently case-insensitive), to avoid invalid date-time recognition in strings like '11-Aug-2013 03:36:11.372 error ...' with wrong TZ "error". Hence%z
currently match literal Z|UTC|GMT only (and offset-based), and%Exz
- all zone abbreviations. filter.d/courier-auth.conf
: support failed logins with method only- Config reader's: introduced new syntax
%(section/option)s
, in opposite to extended interpolation of python 3${section:option}
work with all supported python version in fail2ban and this syntax is like our another features like%(known/option)s
, etc. (gh-1750) - Variable
default_backend
switched to%(default/backend)s
, so totally backwards compatible now, but now the setting of parameterbackend
in default section ofjail.local
can overwrite default backend also (see gh-1750). In the future versions parameterdefault_backend
can be removed (incompatibility, possibly some distributions affected).
- [Grave] memory leak's fixed (gh-1277, gh-1234)
- [Grave] Misleading date patterns defined more precisely (using extended syntax
%Ex[mdHMS]
for exact two-digit match or e. g.%ExY
as more precise year pattern, within same century of last year and the next 3 years) - [Grave] extends date detector template with distance (position of match in log-line), to prevent grave collision using (re)ordered template list (e.g. find-spot of wrong date-match inside foreign input, misleading date patterns by ambiguous formats, etc.)
- Distance collision check always prefers template with shortest distance (left for right) if date pattern is not anchored
- Tricky bug fix: last position of log file will be never retrieved (gh-795), because of CASCADE all log entries will be deleted from logs table together with jail, if used "INSERT OR REPLACE" statement
- Asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
- testSocket: sporadical bug repaired - wait for server thread starts a socket (listener)
- testExecuteTimeoutWithNastyChildren: sporadical bug repaired - wait for pid file inside bash, kill tree in any case (gh-1155)
- purge database will be executed now (within observer).
- restoring currently banned ip after service restart fixed (now < timeofban + bantime), ignore old log failures (already banned)
- Fixed high-load of pyinotify-backend, see fail2ban#885 (comment)
- Database: stability fix - repack cursor iterator as long as locked
- File filter backends: stability fix for sporadically errors - always close file handle, otherwise may be locked (prevent log-rotate, etc.)
- Pyinotify-backend: stability fix for sporadically errors in multi-threaded environment (without lock)
- Fixed sporadically error in testCymruInfoNxdomain, because of unsorted values
- Misleading errors logged from ignorecommand in success case on retcode 1 (gh-1194)
- fail2ban.service - systemd service updated (gh-1618):
- starting service in normal mode (without forking)
- does not restart if service exited normally (exit-code 0, e.g. stopped via fail2ban-client)
- does not restart if service can not start (exit-code 255, e.g. wrong configuration, etc.)
- service can be additionally started/stopped with commands (fail2ban-client, fail2ban-server)
- automatically creates
/var/run/fail2ban
directory before start fail2ban (systems with virtual resp. memory-based FS for/var/run
), see gh-1531 - if fail2ban running as systemd-service, for logging to the systemd-journal,
the
logtarget
could be set to STDOUT - value
logtarget
for system targets allowed also in lowercase (stdout, stderr, syslog, etc.)
- Fixed UTC/GMT named time zone, using
%Z
and%z
patterns (special case with 0 zone offset, see gh-1575) filter.d/freeswitch.conf
- Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
- User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)
- IPv6 support:
- IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6
- iptables related actions have been amended to support IPv6 specific actions additionally
- hostsdeny and route actions have been tested to be aware of v4 and v6 already
- pf action for *BSD systems has been improved and supports now also v4 and v6
- name resolution is now working for either address type
- new conditional section functionality used in config resp. includes:
- [Init?family=inet4] - IPv4 qualified hosts only
- [Init?family=inet6] - IPv6 qualified hosts only
- Increment ban time (+ observer) functionality introduced. Thanks Serg G. Brester (sebres)
- Database functionality extended with bad ips.
- New reload functionality (now totally without restart, unbanning/rebanning, etc.), see gh-1557
- Several commands extended and new commands introduced:
restart [--unban] [--if-exists] <JAIL>
- restarts the jail <JAIL> (alias forreload --restart ... <JAIL>
)reload [--restart] [--unban] [--all]
- reloads the configuration without restarting of the server, the option--restart
activates completely restarting of affected jails, thereby can unban IP addresses (if option--unban
specified)reload [--restart] [--unban] [--if-exists] <JAIL>
- reloads the jail <JAIL>, or restarts it (if option--restart
specified), at the same time unbans all IP addresses banned in this jail, if option--unban
specifiedunban --all
- unbans all IP addresses (in all jails and database)unban <IP> ... <IP>
- unbans <IP> (in all jails and database) (see gh-1388)- introduced new option
-t
or--test
to test configuration resp. start server only if configuration is clean (fails by wrong configured jails if option-t
specified)
- New command action parameter
actionrepair
- command executed in order to restore sane environment in error case ofactioncheck
. - Reporting via abuseipdb.com:
- Bans can now be reported to abuseipdb
- Categories must be set in the config
- Relevant log lines included in report
- Huge increasing of fail2ban performance and especially test-cases performance (see gh-1109)
- Datedetector: in-place reordering using hits and last used time: matchTime, template list etc. rewritten because of performance degradation
- Prevent out of memory situation if many IP's makes extremely many failures (maxEntries)
- Introduced string to seconds (str2seconds) for configuration entries with time,
use
1h
instead of3600
,1d
instead of86400
, etc - seekToTime - prevent completely read of big files first time (after start of service), initial seek to start time using half-interval search algorithm (see issue gh-795)
- Ticket and some other modules prepared to easy merge with newest version of 'ban-time-incr'
- Cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name, especially for wrong dns or lazy dns-system
- FailManager memory-optimization: increases performance, prevents memory leakage, because don't copy failures list on some operations
- fail2ban-testcases - new options introduced:
-f
,--fast
to decrease wait intervals, avoid passive waiting, and skip few very slow test cases (implied memory database, see-m
and no gamin tests-g
)-g
,--no-gamin
to prevent running of tests that require the gamin (slow)-m
,--memory-db
- run database tests using memory instead of file-i
,--ignore
- negate [regexps] filter to ignore tests matched specified regexps
- Background servicing: prevents memory leak on some platforms/python versions, using forced GC in periodic intervals (latency and threshold)
- executeCmd partially moved from action to new module utils
- Several functionality of class
DNSUtils
moved to new classIPAddr
, both classes moved to new moduleipdns
- Pseudo-conditional section introduced, for conditional substitution resp.
evaluation of parameters for different family qualified hosts,
syntax
[Section?family=inet6]
(currently use for IPv6-support only). - All the backends were rewritten to get reload-possibility, performance increased, so fewer greedy regarding cpu- resp. system-load now
- Numeric log-level allowed now in server (resp. fail2ban.conf);
- Implemented better error handling in some multi-threaded routines; shutdown of jails rewritten (faster and safer, does not breaks shutdown process if some error occurred)
- Possibility for overwriting some configuration options (read with config-readers) with command line option, e. g.:
## start server with DEBUG log-level (ignore level read from fail2ban.conf):
fail2ban-client --loglevel DEBUG start
## or
fail2ban-server -c /cfg/path --loglevel DEBUG start
## keep server log-level by reload (without restart it)
fail2ban-client --loglevel DEBUG reload
## switch log-level back to INFO:
fail2ban-client set loglevel INFO
- Optimized BanManager: increase performance, fewer system load, try to prevent
memory leakage:
- better ban/unban handling within actions (e.g. used dict instead of list)
- don't copy bans resp. its list on some operations;
- added new unbantime handling to relieve unBanList (prevent permanent searching for tickets to unban)
- prefer failure-ID as identifier of the ticket to its IP (most of the time the same, but it can be something else e.g. user name in some complex jails, as introduced in 0.10)
- Regexp enhancements:
- build replacement of
<HOST>
substitution corresponding parameterusedns
- dns-part will be added only ifusedns
is notno
, also using fail2ban-regex - new replacement for
<ADDR>
in opposition to<HOST>
, for separate usage of 2 address groups only (regardless ofusedns
),ip4
andip6
together, without host (dns)
- build replacement of
- Misconfigured jails don't prevent fail2ban from starting, server starts nevertheless, as long as one jail was successful configured (gh-1619) Message about wrong jail configuration logged in client log (stdout, systemd journal etc.) and in server log with error level
- More precise date template handling (WARNING: theoretically possible incompatibilities):
- datedetector rewritten more strict as earlier;
- default templates can be specified exacter using prefix/suffix syntax (via
datepattern
); - more as one date pattern can be specified using option
datepattern
now (new-line separated); - some default options like
datepattern
can be specified directly in section[Definition]
, that avoids contrary usage of unnecessarily[Init]
section, because of performance (each extra section costs time); - option
datepattern
can be specified in jail also (e. g. jails without filters or custom log-format, new-line separated for multiple patterns); - if first unnamed group specified in pattern, only this will be cut out from
search log-line (e. g.:
^date:[({DATE})]
will cut out only datetime match pattern, and leavesdate:[] ...
for searching in filter); - faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
- several standard filters extended with exact prefixed or anchored date templates;
- Added possibility to recognize restored state of the tickets (see gh-1669).
New option
norestored
introduced, to ignore restored tickets (after restart). To avoid execution of ban/unban for the restored tickets,norestored = true
could be added in definition section of action. For conditional usage in the shell-based actions an interpolation<restored>
could be used also. E. g. it is enough to add following script-piece at begin ofactionban
(oractionunban
) to prevent execution:if [ '<restored>' = '1' ]; then exit 0; fi;
Several actions extended now usingnorestored
option:- complain.conf
- dshield.conf
- mail-buffered.conf
- mail-whois-lines.conf
- mail-whois.conf
- mail.conf
- sendmail-buffered.conf
- sendmail-geoip-lines.conf
- sendmail-whois-ipjailmatches.conf
- sendmail-whois-ipmatches.conf
- sendmail-whois-lines.conf
- sendmail-whois-matches.conf
- sendmail-whois.conf
- sendmail.conf
- smtp.py
- xarf-login-attack.conf
- fail2ban-testcases:
assertLogged
extended with parameter wait (to wait up to specified timeout, before we throw assert exception) + test cases rewritten using that- added
assertDictEqual
for compatibility to early python versions (< 2.7); - new
with_foreground_server_thread
decorator to test several client/server commands
0.9.x line is no longer heavily developed. If you are interested in new features (e.g. IPv6 support), please consider 0.10 branch and its releases.
- Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991. Partially back-ported from v.0.10.
- action.d/bsd-ipfw.conf
- Make the rule number, the action starts looking for a free slot to insert the new rule, configurable (gh-1689)
- Replace not posix-compliant grep option: fgrep with
-q
option can cause 141 exit code in some cases (gh-1389)
- filter.d/apache-overflows.conf:
- Fixes resources greedy expression (see gh-1790);
- Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
- filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
- filter.d/asterisk.conf
- fixed failregex AMI Asterisk authentication failed (see gh-1302)
- removed invalid (vulnerable) regex blocking IPs using forign data (from header "from") thus not the IP-address that really originates the request (see gh-1927)
- fixed failregex for the SQL-injection attempts with single-quotes in connect-string (see gh-2011)
- filter.d/dovecot.conf:
- fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
- extended to match pam_authenticate failures with "Permission denied" (gh-1897)
- filter.d/exim.conf
- fixed failregex for case of flood attempts with
D=0s
(gh-1887) - fixed failregex of "AUTH command used when not advertised" to better handle the foreign input SMTP command (lower/mixed case auth command, prevent injection) (gh-1979)
- fixed failregex for case of flood attempts with
- filter.d/postfix-*.conf - added optional port regex (gh-1902)
- filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
- filter.d/nginx-http-auth.conf - match usernames with spaces (gh-2015)
- action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
- action.d/firewallcmd-ipset.conf - new parameter
actiontype
, providesallports
capability (gh-1167) - filter.d/kerio.conf - filter extended with new rules (see gh-1455)
- filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
- filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376)
- Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
- filter.d/sshd.conf
- Fixed non-anchored part of failregex (misleading match of colon inside
IPv6 address instead of
:
in the reason-part by missing space, gh-1658) (0.10th resp. IPv6 relevant only, amend for gh-1479)
- Fixed non-anchored part of failregex (misleading match of colon inside
IPv6 address instead of
- config/pathes-freebsd.conf
- Fixed filenames for apache and nginx log files (gh-1667)
- filter.d/exim.conf
- optional part
(...)
after host-name before[IP]
(gh-1751) - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
- match of complex time like
D=2m42s
in regex "no MAIL in SMTP connection" (gh-1766)
- optional part
- filter.d/sshd.conf
- new aggressive rules (gh-864):
- Connection reset by peer (multi-line rule during authorization process)
- No supported authentication methods available
- single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions), according to gh-1206;
- fixed expression received disconnect auth fail (optional space after port part, gh-1652) and suffix (logged from several ssh versions), according to gh-1206;
- new aggressive rules (gh-864):
- filter.d/suhosin.conf
- greedy catch-all before
<HOST>
fixed (potential vulnerability)
- greedy catch-all before
- filter.d/cyrus-imap.conf
- accept entries without login-info resp. hostname before IP address (gh-1707)
- Filter tests extended with check of all config-regexp, that contains greedy catch-all
before
<HOST>
, that is hard-anchored at end or precise sub expression after<HOST>
-
New Actions:
- action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)
-
New Filters:
- filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)
- Introduced new log-level
MSG
(as INFO-2, equivalent to 18)
- Misleading add resp. enable of (already available) jail in database, that induced a subsequent error: last position of log file will be never retrieved (gh-795)
- Fixed a distribution related bug within testReadStockJailConfForceEnabled (e.g. test-cases faults on Fedora, see gh-1353)
- Fixed pythonic filters and test scripts (running via wrong python version, uses "fail2ban-python" now);
- Fixed test case "testSetupInstallRoot" for not default python version (also using direct call, out of virtualenv);
- Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
- FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
- Monit config: scripting is not supported in path (gh-1556)
filter.d/apache-modsecurity.conf
- Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all replaced for safer match, unneeded catch-all anchoring removed, non-capturing
filter.d/asterisk.conf
- Fixed to match different asterisk log prefix (source file: method:)
filter.d/dovecot.conf
- Fixed failregex ignores failures through some not relevant info (gh-1623)
filter.d/ignorecommands/apache-fakegooglebot
- Fixed error within apache-fakegooglebot, that will be called with wrong python version (gh-1506)
filter.d/assp.conf
- Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
filter.d/postfix-sasl.conf
- Allow for having no trailing space after 'failed:' (gh-1497)
filter.d/vsftpd.conf
- Optional reason part in message after FAIL LOGIN (gh-1543)
filter.d/sendmail-reject.conf
- removed mandatory double space (if dns-host available, gh-1579)
- filter.d/sshd.conf
- recognized "Failed publickey for" (gh-1477);
- optimized failregex to match all of "Failed any-method for ... from " (gh-1479)
- eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
- optional port part after host (see gh-1533, gh-1581)
- New Actions:
action.d/npf.conf
for NPF, the latest packet filter for NetBSD
- New Filters:
filter.d/mongodb-auth.conf
for MongoDB (document-oriented NoSQL database engine) (gh-1586, gh-1606 and gh-1607)
- DateTemplate regexp extended with the word-end boundary, additionally to word-start boundary
- Introduces new command "fail2ban-python", as automatically created symlink to
python executable, where fail2ban currently installed (resp. its modules are located):
- allows to use the same version, fail2ban currently running, e.g. in
external scripts just via replace python with fail2ban-python:
-#!/usr/bin/env python +#!/usr/bin/env fail2ban-python
- always the same pickle protocol
- the same (and also guaranteed available) fail2ban modules
- simplified stand-alone install, resp. stand-alone installation possibility via setup (like gh-1487) is getting closer
- allows to use the same version, fail2ban currently running, e.g. in
external scripts just via replace python with fail2ban-python:
- Several test cases rewritten using new methods assertIn, assertNotIn
- New forward compatibility method assertRaisesRegexp (normally python >= 2.7). Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged are test covered now
- Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
examples:
backend = systemd[journalpath=/run/log/journal/machine-1]
backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]
backend = systemd[journalflags=2]
filter.d/monit.conf
- Extended failregex with new monit "access denied" version (gh-1355)
- failregex of previous monit version merged as single expression
filter.d/postfix.conf
,filter.d/postfix-sasl.conf
- Extended failregex daemon part, matching also
postfix/smtps/smtpd
now (gh-1391)
- Extended failregex daemon part, matching also
- Fixed a grave bug within tags substitutions because of incorrect
detection of recursion in case of multiple inline substitutions
of the same tag (affected actions:
bsd-ipfw
, etc). Now tracks the actual list of the already substituted tags (per tag instead of single list) filter.d/common.conf
- Unexpected extra regex-space in generic
__prefix_line
(gh-1405) - All optional spaces normalized in
common.conf
, test covered now - Generic
__prefix_line
extended with optional brackets for the date ambit (gh-1421), added new parameter__date_ambit
- Unexpected extra regex-space in generic
gentoo-initd
fixed--pidfile
bug:--pidfile
is option ofstart-stop-daemon
, not argument of fail2ban (see gh-1434)filter.d/asterisk.conf
- Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
- Improved log support for PJSIP and Asterisk 13+ with different callID (gh-1458)
- New Actions:
action.d/firewallcmd-rich-rules
andaction.d/firewallcmd-rich-logging
(gh-1367)
- New filters:
- slapd - ban hosts, that were failed to connect with invalid credentials: error code 49 (gh-1478)
- Extreme speedup of all sqlite database operations (gh-1436),
by using of following sqlite options:
- (synchronous = OFF) write data through OS without syncing
- (journal_mode = MEMORY) use memory for the transaction logging
- (temp_store = MEMORY) temporary tables and indices are kept in memory
- journald journalmatch for pure-ftpd (gh-1362)
- Added additional regex filter for dovecot ldap authentication failures (gh-1370)
filter.d/exim*conf
- Added additional regexes (gh-1371)
- Made port entry optional
roundcube-auth
jail typo for logpath- Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
filter.d/apache-badbots.conf
- Updated useragent string regex adding escape for
+
- Updated useragent string regex adding escape for
filter.d/mysqld-auth.conf
- Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
filter.d/sshd.conf
- Updated "Auth fail" regex for OpenSSH 5.9 and later
- Treat failed and killed execution of commands identically (only different log messages), which addresses different behavior on different exit codes of dash and bash (gh-1155)
- Fix jail.conf.5 man's section (gh-1226)
- Fixed default banaction for allports jails like pam-generic, recidive, etc
with new default variable
banaction_allports
(gh-1216) - Fixed
fail2ban-regex
stops working on invalid (wrong encoded) character for python version < 3.x (gh-1248) - Use postfix_log logpath for postfix-rbl jail
filters.d/postfix.conf
- add 'Sender address rejected: Domain not found' failregex- use
fail2ban_agent
as user-agent in actions badips, blocklist_de, etc (gh-1271) - Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
- Changed
filter.d/asterisk
regex for "Call from ..." (few vulnerable now) - Removed compression and rotation count from logrotate (inherit them from the global logrotate config)
- New interpolation feature for definition config readers -
<known/parameter>
(means last known init definition of filters or actions with nameparameter
). This interpolation makes possible to extend a parameters of stock filter or action directly in jail inside jail.local file, without creating a separatelyfilter.d/*.local
file. As extension to interpolation%(known/parameter)s
, that does not works for filter and action init parameters - New actions:
nftables-multiport
andnftables-allports
- filtering using nftables framework. Note: it requires a pre-existing chain for the filtering rule.
- New filters:
openhab
- domotic software authentication failure with the rest api and web interface (gh-1223)nginx-limit-req
- ban hosts, that were failed through nginx by limit request processing rate (ngx_http_limit_req_module)murmur
- ban hosts that repeatedly attempt to connect to murmur/mumble-server with an invalid server password or certificate.haproxy-http-auth
- filter to match failed HTTP Authentications against a HAProxy server
- New jails:
murmur
- bans TCP and UDP from the bad host on the default murmur port.
sshd
filter got new failregex to match "maximum authentication attempts exceeded" (introduced in openssh 6.8)- Added filter for Mac OS screen sharing (VNC) daemon
- Do not rotate empty log files
- Added new date pattern with year after day (e.g.
Sun Jan 23 2005 21:59:59
) http://bugs.debian.org/798923 - Added openSUSE path configuration (Thanks Johannes Weberhofer)
- Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
- Added a timeout (3 sec) to urlopen within badips.py action (Thanks M. Maraun)
- Added check against atacker's Googlebot PTR fake records (Thanks Pablo Rodriguez Fernandez)
- Enhance filter against atacker's Googlebot PTR fake records (gh-1226)
- Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
- Added filter for openhab domotic software authentication failure with the rest api and web interface (gh-1223)
- Add
*_backend
options for services to allow distros to set the default backend per service, set default to systemd for Fedora as appropriate - Performance improvements while monitoring large number of files (gh-1265). Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia
- Specified that fail2ban is PartOf iptables.service
firewalld.service
in.service
file -- would reload fail2ban if those services are restarted - Provides new default
fail2ban_version
and interpolation variablefail2ban_agent
in jail.conf - Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, and to support multiple instances of postfix having varying suffix (gh-1331) (Thanks Tom Hendrikx)
files/gentoo-initd
to usestart-stop-daemon
to robustify restarting the service
filter.d/roundcube-auth.conf
- Changed logpath to 'errors' log (was 'userlogins')
action.d/iptables-common.conf
- All calls to iptables command now use -w switch introduced in
iptables 1.4.20 (some distribution could have patched their
earlier base version as well) to provide this locking mechanism
useful under heavy load to avoid contesting on iptables calls.
If you need to disable, define
action.d/iptables-common.local
with empty value for 'lockingopt' in[Init]
section.
- All calls to iptables command now use -w switch introduced in
iptables 1.4.20 (some distribution could have patched their
earlier base version as well) to provide this locking mechanism
useful under heavy load to avoid contesting on iptables calls.
If you need to disable, define
mail-whois-lines
,sendmail-geoip-lines
andsendmail-whois-lines
actions now include by default only the first 1000 log lines in the emails. Adjust<grepopts>
to augment the behavior.
- reload in interactive mode appends all the jails twice (gh-825)
- reload server/jail failed if database used (but was not changed) and some jail active (gh-1072)
filter.d/dovecot.conf
- also match unknown user in passwd-file. Thanks Anton Shestakov- Fix fail2ban-regex not parsing journalmatch correctly from filter config
filter.d/asterisk.conf
- fix security log support for Asterisk 12+filter.d/roundcube-auth.conf
- Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
- Added regex to work with 'userlogins' log
action.d/sendmail*.conf
- use LC_ALL (superseding LC_TIME) to override locale on systems with customized LC_ALL- performance fix: minimizes connection overhead, close socket only at communication end (gh-1099)
- unbanip always deletes ip from database (independent of bantime, also if currently not banned or persistent)
- guarantee order of dbfile to be before dbpurgeage (gh-1048)
- always set 'dbfile' before other database options (gh-1050)
- kill the entire process group of the child process upon timeout (gh-1129). Otherwise could lead to resource exhaustion due to hanging whois processes.
- resolve
/var/run/fail2ban
path in setup.py to help installation on platforms with/var/run
-> /run symlink (gh-1142)
- RETURN iptables target is now a variable:
<returntype>
- New type of operation: pass2allow, use fail2ban for "knocking", opening a closed port by swapping blocktype and returntype
- New filters:
- froxlor-auth - Thanks Joern Muehlencord
- apache-pass - filter Apache access log for successful authentication
- New actions:
- shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires manual pre-configuration of the shorewall. See the action file for detail.
- New jails:
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
action.d/cloudflare.conf
- improved documentation on how to allow multiple CF accounts, and jail.conf got new compound action definition action_cf_mwl to submit cloudflare report.- Check access to socket for more detailed logging on error (gh-595)
- fail2ban-testcases man page
filter.d/apache-badbots.conf
,filter.d/nginx-botsearch.conf
- add HEAD method verb- Revamp of Travis and coverage automated testing
- Added a space between IP address and the following colon in notification emails for easier text selection
- Character detection heuristics for whois output via optional setting
in mail-whois*.conf. Thanks Thomas Mayer.
Not enabled by default, if _whois_command is set to be
%(_whois_convert_charset)s (e.g. in
action.d/mail-whois-common.local
), it- detects character set of whois output (which is undefined by RFC 3912) via heuristics of the file command
- converts whois data to UTF-8 character set with iconv
- sends the whois output in UTF-8 character set to mail program
- avoids that heirloom mailx creates binary attachment for input with unknown character set
- Fix ufw action commands
- infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907. Thanks TonyThompson
- port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner (fnerdwq)
- $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
- grep'ing for IP in *mail-whois-lines.conf should now match also at the beginning and EOL. Thanks Dean Lee
jail.conf
php-url-fopen
: separate logpath entries by newline
- failregex declared direct in jail was joined to single line (specifying of multiple expressions was not possible).
filters.d/exim.conf
- cover different settings of exim logs details. Thanks bes.internalfilter.d/postfix-sasl.conf
- failregex is now case insensitivefilters.d/postfix.conf
- add 'Client host rejected error message' failregexfail2ban/__init__.py
- add strptime thread safety hack-around- recidive uses
iptables-allports
banaction by default now. Avoids problems with iptables versions not understanding 'all' for protocols and ports filter.d/dovecot.conf
- match pam_authenticate line from EL7
- match unknown user line from EL7
- Use
use_poll=True
for Python 2.7 and >=3.4 to overcome "Bad file descriptor" msgs issue (gh-161) filter.d/postfix-sasl.conf
- tweak failregex and add ignoreregex to ignore system authentication issues- fail2ban-regex reads filter file(s) completely, incl. '.local' file etc. (gh-954)
- firewallcmd-* actions: split output into separate lines for grepping (gh-908)
- Guard unicode encode/decode issues while storing records in the database. Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot for reporting
filter.d/sshd
added regex for matching openSUSE ssh authentication failurefilter.d/asterisk.conf
:- Dropped "Sending fake auth rejection" failregex since it incorrectly targets the asterisk server itself
- match "hacking attempt detected" logs
- New filters:
- postfix-rbl Thanks Lee Clemens
- apache-fakegooglebot.conf Thanks Lee Clemens
- nginx-botsearch Thanks Frantisek Sumsal
- drupal-auth Thanks Lee Clemens
- New recursive embedded substitution feature added:
<<PREF>HOST>
becomes<IPV4HOST>
for PREF=IPV4
;<<PREF>HOST>
becomes1.2.3.4
for PREF=IPV4
and IPV4HOST=1.2.3.4
;
- New interpolation feature for config readers -
%(known/parameter)s
. (means last known option with nameparameter
). This interpolation makes possible to extend a stock filter or jail regexp in .local file (opposite to simply set failregex/ignoreregex that overwrites it), see gh-867. - Monit config for fail2ban in
files/monit/
- New actions:
action.d/firewallcmd-multiport
andaction.d/firewallcmd-allports
Thanks Donald Yandtaction.d/sendmail-geoip-lines.conf
action.d/nsupdate
to update DNSBL. Thanks Andrew St. Jean
- New status argument for fail2ban-client -- flavor:
fail2ban-client status <jail> [flavor]
- empty or "basic" works as-is
- "cymru" additionally prints (ASN, Country RIR) per banned IP (requires dnspython or dnspython3)
- Flush log at USR1 signal
- Enable multiport for firewallcmd-new action. Closes gh-834
- files/debian-initd migrated from the debian branch and should be suitable for manual installations now (thanks Juan Karlo de Guzman)
- Define empty ignoreregex in filters which didn't have it to avoid warnings (gh-934)
action.d/{sendmail-*,xarf-login-attack}.conf
- report local timezone not UTC time/zone. Closes gh-911- Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
- Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
- Added syslogsocket configuration to fail2ban.conf
- Note in the
jail.conf
for the recidive jail to increase dbpurgeage (gh-964)
iptables-common.conf
replacediptables-blocktype.conf
(iptables-blocktype.local
should still be read) and now also provides defaults for the chain, port, protocol and name tags
- start of file2ban aborted (on slow hosts, systemd considers the server has been timed out and kills him), see gh-824
- UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
- systemd backend error on bad utf-8 in python3
- badips.py action error when logging HTTP error raised with badips request
- fail2ban-regex failed to work in python3 due to space/tab mix
- recidive regex samples incorrect log level
- journalmatch for recidive incorrect PRIORITY
- loglevel couldn't be changed in fail2ban.conf
- Handle case when no sqlite library is available for persistent database
- Only reban once per IP from database on fail2ban restart
- Nginx filter to support missing server_name. Closes gh-676
- fail2ban-regex assertion error caused by miscount missed lines with multiline regex
- Fix actions failing to execute for Python 3.4.0. Workaround for http://bugs.python.org/issue21207
- Database now returns persistent bans on restart (bantime < 0)
- Recursive action tags now fully processed. Fixes issue with bsd-ipfw action
- Fixed TypeError with "ipfailures" and "ipjailfailures" action tags. Thanks Serg G. Brester
- Correct times for non-timezone date times formats during DST
- Pass a copy of, not original, aInfo into actions to avoid side-effects
- Per-distribution paths to the exim's main log
- Ignored IPs are no longer banned when being restored from persistent database
- Manually unbanned IPs are now removed from persistent database, such they won't be banned again when Fail2Ban is restarted
- Pass "bantime" parameter to the actions in default jail's action definition(s)
filters.d/sieve.conf
- fixed typo in _daemon. Thanks Jisoo Park- cyrus-imap -- also catch also failed logins via secured (imaps/pop3s). Regression was introduced while strengthening failregex in 0.8.11 (bd175f) Debian bug #755173
- postfix-sasl - added journalmatch. Thanks Luc Maisonobe
- postfix* - match with a new daemon string (postfix/submission/smtpd). Closes gh-804 . Thanks Paul Traina
- apache - added filter for AH01630 client denied by server configuration.
- New filters:
- monit Thanks Jason H Martin
- directadmin Thanks niorg
- apache-shellshock Thanks Eugene Hopkinson (SlowRiot)
- New actions:
- symbiosis-blacklist-allports for Bytemark symbiosis firewall
- fail2ban-client can fetch the running server version
- Added Cloudflare API action
- Start performance of fail2ban-client (and tests) increased, start time and cpu usage rapidly reduced. Introduced a shared storage logic, to bypass reading lots of config files (see gh-824). Thanks to Joost Molenaar for good catch (reported gh-820).
- Fail2ban-regex - add print-all-matched option. Closes gh-652
- Suppress fail2ban-client warnings for non-critical config options
- Match non "Bye Bye" disconnect messages for sshd locked account regex
- courier-smtp filter:
- match lines with user names
- match lines containing "535 Authentication failed" attempts
- Add
<chain>
tag to iptables-ipsets - Realign fail2ban log output with white space to improve readability. Does not affect SYSLOG output
- Log unhandled exceptions
- cyrus-imap: catch "user not found" attempts
- Add support for Portsentry
Carries all fixes, features and enhancements from 0.8.13 (unreleased) with major changes.
The minimum supported python version is now 2.6. If you have python-2.4 or 2.5 you can use the 0.8.12 version of fail2ban.
Please take note of release notes: https://github.com/fail2ban/fail2ban/releases/tag/0.9.0
Please test your configuration before relying on it.
Nearly all development is thanks to Steven Hiscocks (THANKS!), merging, testcases and timezone support from Daniel Black, and code-review and minor additions from Yaroslav Halchenko.
- [..bddbf1e] jail.conf was heavily refactored and now is similar
to how it looked on Debian systems:
- default action could be configured once for all jails
- jails definitions only provide customizations (port, logpath)
- no need to specify 'filter' if name matches jail name
- [..5aef036] Core functionality moved into fail2ban/ module.
Closes gh-26
- tests included in module to aid testing and debugging
- Added fail2ban persistent database
- default location at
/var/lib/fail2ban/fail2ban.sqlite3
- allows active bans to be reinstated on restart
- log files read from last position after restart
- default location at
- Added systemd journal backend
- Dependency on python-systemd
- New "journalmatch" option added to filter configs files
- New "systemd-journal" option added to fail2ban-regex
- Added python3 support
- Support %z (Timezone offset) and %f (sub-seconds) support for datedetector. Enhanced existing date/time have been updated patterns to support these. ISO8601 now defaults to localtime unless specified otherwise. Some filters have been change as required to capture these elements in the right timezone correctly.
- Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
- Log level INFO is now more verbose
- Optionally can read log files starting from "head" or "tail".
- See "logpath" option in jail.conf(5) man page.
- Can now set log encoding for files per jail.
- Default uses systemd locale.
- [..c7ae460] Multiline failregex. Close gh-54
- [8af32ed] Guacamole filter and support for Apache Tomcat date format
- [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug #410077. Also it would now capture and include stdout and stderr into logging messages in case of error or at DEBUG loglevel.
- Added action xarf-login-attack to report formatted attack messages according to the XARF standard (v0.2). Close gh-105
- Support PyPy
- Add filter for apache-botsearch
- Add filter for kerio. Thanks Tony Lawrence for blog of regexs and providing samples. Close gh-120
- Filter for stunnel
- Filter for Counter Strike 1.6. Thanks to onorua for logs. Close gh-347
- Filter for squirrelmail. Close gh-261
- Filter for tine20. Close gh-583
- Custom date formats (strptime) can now be set in filters and jail.conf
- Python based actions can now be created.
- SMTP action for sending emails on jail start, stop and ban.
- Added action to use badips.com reporting and blacklist
- Requires Python 2.7+
- Fail2ban-regex - don't accumulate lines if not printing them. add options to suppress output of missed/ignored lines. Close gh-644
- Asterisk now supports syslog format
- Jail names increased to 26 characters and iptables prefix reduced from fail2ban- to f2b- as suggested by buanzo in gh-462.
- Multiline filter for sendmail-spam. Close gh-418
- Multiline regex for Disconnecting: Too many authentication failures for root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
- Multiline regex for Disconnecting: Connection from 61.XX.XX.XX port 51353\nToo many authentication failures for root [preauth]. Thanks Helmut Grohne. Close gh-457
- Replacing use of deprecated API (.warning, .assertEqual, etc)
- [..a648cc2] Filters can have options now too which are substituted into failregex / ignoreregex
- [..e019ab7] Multiple instances of the same action are allowed in the same jail -- use actname option to disambiguate.
- Add honeypot email address to exim-spam filter as argument
- Properties and methods of actions accessible from fail2ban-client
- Use of properties replaces command actions "cinfo" interface
- action firewallcmd-ipset had non-working actioncheck. Removed. redhat bug #1046816.
- filter pureftpd - added _daemon which got removed. Added
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
- filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
- filter asterisk now supports syslog format
- filter pureftpd - added all translations of "Authentication failed for user"
- filter dovecot - lip= was optional and extended TLS errors can occur. Thanks Noel Butler.
- IMPORTANT incompatible changes:
- Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name name length. As per gh-395
- mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. Part of gh-447.
- allow for ",milliseconds" in the custom date format of proftpd.log
- allow for ", referer ..." in apache-* filter for apache error logs.
- allow for spaces at the beginning of kernel messages. Closes gh-448
- recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias
- smtps not a IANA standard and has been removed from Arch. Replaced with 465. Thanks Stefan. Closes gh-447
- add 'flushlogs' command to allow logrotation without clobbering logtarget settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
- complain action - ensure where not matching other IPs in log sample. Closes gh-467
- Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622
- Fix apache-common for apache-2.4 log file format. Thanks Mark White. Closes gh-516
- Asynchat changed to use push method which verifys whether all data was send. This ensures that all data is sent before closing the connection.
- Removed unnecessary reference to as yet undeclared $jail_name when checking a specific jail in nagios script.
- Filter dovecot reordered session and TLS items in regex with wider scope for session characters. Thanks Ivo Truxa. Closes gh-586
- A single bad failregex or command syntax in configuration files won't stop fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585.
- long names on jails documented based on iptables limit of 30 less len("fail2ban-").
- remove indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems. Closes Debian bug #730202.
- updated check_fail2ban to return performance data for all jails.
- filter apache-noscript now includes php cgi scripts. Thanks dani. Closes gh-503
- exim-spam filter to match spamassassin log entry for option SAdevnull. Thanks Ivo Truxa. Closes gh-533
filter.d/nsd.conf
-- also amended Unix date template to match nsd format- Added to sshd filter expression for
Received disconnect from <HOST>: 3: ...: Auth fail
. Thanks Marcel Dopita. Closes gh-289 - loglines now also report "[PID]" after the name portion
- Added
filter.d/ejabberd-auth
- Improved ACL-handling for Asterisk
- loglines now also report "[PID]" after the name portion
- Added improper command pipelining to postfix filter.
filter.d/solid-pop3d
-- added thanks to Jacques Lav!gnotte on mailinglist.- Add filter for apache-modsecurity.
filter.d/nsd.conf
-- also amended Unix date template to match nsd format- Added openwebmail filter thanks Ivo Truxa. Closes gh-543
- Added filter for freeswitch. Thanks Jim and editors and authors of http://wiki.freeswitch.org/wiki/Fail2ban
- Added groupoffice filter thanks to logs from Merijn Schering. Closes gh-566
- Added filter for horde
- Added filter for squid. Thanks Roman Gelfand.
- Added filter for ejabberd-auth.
- Added
filter.d/openwebmail
filter thanks Ivo Truxa. Closes gh-543 - Added
filter.d/groupoffice
filter thanks to logs from Merijn Schering. Closes gh-566 - Added
action.d/badips
. Thanks to Amy for making a nice API. - Added firewallcmd-ipset action.
- Added ufw action. Thanks Guilhem Lettron. lp-#701522
- Added blocklist_de action.
In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexs of our filters to avoid another similar vulnerability. All filters have been updated and some to catch more login/authentication failures and to support for newer application versions. There are test cases for most log cases of failures now.
As usual, if you have other examples that demonstrate that a filter is insufficient, or if we have inadvertently introduced a regression, please provide us with example log lines on the github issue tracker http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in some obscure corner of the Internet.
Many thanks to our contributors for this release Daniel Black, Yaroslav Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski, Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François Boulogne and others who have helped on IRC and mailing list, logged issues and bug requests.
Filter name changes: * 'lighttpd-fastcgi' filter has been renamed to 'suhosin' * 'sasl' has been renamed to 'postfix-sasl' * 'exim' spam catching failregexes was split out into 'exim-spam' These changes will require changing jail.{conf,local} if any of those filters were used.
- Jonathan Lanning
filter.d/asterisk
-- identified another regex for blocking. Also channel ID is hex not decimal as noted in sample logs provided.
- Daniel Black & Marcel Dopita
filter.d/apache-auth
-- fixed and apache auth samples provide. Closes gh-286
- Yaroslav Halchenko
filter.d/common.conf
-- make colon after [daemon] optional. Closes gh-267filter.d/apache-common.conf
-- support apache 2.4 more detailed error log format. Closes gh-268- Backends changes detection and parsing. Close gh-223 and gh-103:
- Polling backend: detect changes in the files not only based on mtime, but also on the size and inode. It should allow for better detection of changes and log rotations on busy servers, older python 2.4, and file systems with precision of mtime only up to a second (e.g. ext3).
- All backends, possible race condition: do not read from a file initially reported empty. Originally could have lead to accounting for detected log lines multiple times.
- Do not crash if executing a command in fail2ban-client interactive mode has failed (e.g. due to incorrect syntax). Closes gh-353
- Daniel Black & Мернов Георгий
filter.d/dovecot.conf
-- Fix when no TLS enabled - line doesn't end in ,
- Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
filter.d/exim.conf
-- regex hardening and extra failure examples in sample logsfilter.d/named-refused.conf
- BIND 9.9.3 regex changes
- Daniel Black & Sebastian Arcus
filter.d/asterisk
-- more regexes
- Daniel Black
action.d/hostsdeny
-- NOTE: new dependency 'ed'. Switched to use 'ed' across all platforms to ensure permissions are the same before and after a ban. Closes gh-266. hostsdeny supports daemon_list now too.action.d/bsd-ipfw
- action option unused. Change blocktype to port unreach instead of deny for consistency.filter.d/dovecot
- added to support different dovecot failure "..disallowed plaintext auth". Closes Debian bug #709324filter.d/roundcube-auth
- timezone offset can be positive or negativeaction.d/bsd-ipfw
- action option unused. Fixed to blocktype for consistency. default to port unreach instead of denyfilter.d/dropbear
- fix regexs to match standard dropbear and the patched http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch and add PAM is it in dropbear-2013.60 source code.filter.d/{asterisk,assp,dovecot,proftpd}.conf
-- regex hardening and extra failure examples in sample logsfilter.d/apache-auth
- added expressions for mod_authz, mod_auth and mod_auth_digest failures.filter.d/recidive
-- support f2b syslog target and anchor regex at startfilter.d/mysqld-auth.conf
- mysql can use syslogfilter.d/sshd
- regex enhancements to support openssh-6.3. Closes Debian bug #722970. Thanks Colin Watson for the regex analysis.filter.d/wuftpd
- regex enhancements to support pam and wuftpd. Closes Debian bug #665925
- Rolf Fokkens
action.d/dshield.conf
and complain.conf -- reorder mailx arguments. https://bugzilla.redhat.com/show_bug.cgi?id=998020
- John Doe (ache)
action.d/bsd-ipfw.conf
- invert actionstop logic to make exist status 0. Closes gh-343.
- JP Espinosa (Reviewed by O.Poplawski)
- files/redhat-initd - rewritten to use stock init.d functions thus avoiding problems with getpid. Also $network and iptables moved to Should- rc init fields
- Rick Mellor
filter.d/vsftp
- fix capture with tty=ftp
- Edgar Hoch
action.d/firewall-cmd-direct-new.conf
- action for firewalld from https://bugzilla.redhat.com/show_bug.cgi?id=979622 NOTE: requires firewalld-0.3.8+
- Andy Fragen and Daniel Black
filter.d/osx-ipfw.conf
- ipfw action for OSX based on random rule numbers.
- Anonymous:
action.d/osx-afctl
- an action based on afctl for osx
- Daniel Black & ykimon
filter.d/3proxy.conf
-- filter added- fail2ban-regex - now generates http://www.debuggex.com urls for debugging regular expressions with the -D parameter.
- Daniel Black
filter.d/exim-spam.conf
-- a splitout of exim's spam regexes with additions for greater control over filtering spam.- add date expression for apache-2.4 - milliseconds
filter.d/nginx-http-auth
-- filter added for http basic authentication failures in nginx. Partially fulfills gh-405.
- Christophe Carles & Daniel Black
filter.d/perdition.conf
-- filter added
- Mark McKinstry
action.d/apf.conf
- add action for Advanced Policy Firewall (apf)
- Amir Caspi and kjohnsonecl
filter.d/uwimap-auth
- filter for uwimap-auth IMAP/POP server
- Steven Hiscocks and Daniel Black
filter.d/selinux-{common,ssh
} -- add SELinux date and ssh filter
- François Boulogne and Frédéric
filter.d/lighttpd
- auth regexs for lighttpd-1.4.31
- Daniel Black
- reorder parsing of jail.conf,
jail.d/*.conf
,jail.local
,jail.d/*.local
and likewise forfail2ban.{conf|local|d/*.conf|d/*.local
}. Closes gh-392 - jail.conf now has asterisk jail - no need for asterisk-tcp and asterisk-udp. Users should replace existing jails with asterisk to reduce duplicate parsing of the asterisk log file.
filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin
}- regex anchor at startfilter.d/vsftpd
- anchored regex at start. disable old pam format regexfilter.d/pam-generic
- added syslog prefix. Disabled support for linux-pam before version 0.99.2.0 (2005)filter.d/postfix-sasl
- renamed from sasl, anchor at start and base on syslogfilter.d/qmail
- rewrote regex to anchor at start. Added regex for another "in the wild" patch to rblsmtp.
- reorder parsing of jail.conf,
- Yaroslav Halchenko
- fail2ban-regex -- refactored to provide more details (missing and ignored lines, control over logging, etc) while maintaining look&feel
- fail2ban-client -- log to standard error. Closes gh-264
- Fail to configure if not a single log file was found for an enabled jail. Closes gh-63
<HOST>
is now enforced to end with an alphanumericfilter.d/roundcube-auth.conf
-- anchored version- date matching - for standard asctime formats prefer more detailed first (thus use year if available)
- files/gen_badbots was added and
filter.d/apache-badbots.conf
was regenerated to get updated (although now still an old) list of "bad" bots
- Alexander Dietrich
action.d/sendmail-common.conf
-- added common sendmail settings file and made the sender display name configurable
- Steven Hiscocks
filter.d/dovecot
- Addition of session, time values and possible blank user
- Zurd and Daniel Black
filter.d/named-refused
- added refused on zone transferfilter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd
} - General regex improvements
- Zurd
filter.d/postfix
- add filter for VRFY failures. Closes gh-322.
- Orion Poplawski
fail2ban.d/
andjail.d/
directories are added toetc/fail2ban
to facilitate their use
Primarily bugfix and enhancements release, triggered by "bugs" in apache- filters. If you are relying on listed below apache- filters, upgrade asap and seek your distributions to patch their fail2ban distribution with [6ccd5781].
- Yaroslav Halchenko
- [6ccd5781]
filter.d/apache-{auth,nohome,noscript,overflows
} - anchor failregex at the beginning (and where applicable at the end). Addresses a possible DoS. Closes gh-248 action.d/{route,shorewall}.conf
- blocktype must be defined within [Init]. Closes gh-232
- [6ccd5781]
- Yaroslav Halchenko
- jail.conf -- assure all jails have actions and remove unused ports specifications
- Terence Namusonge
filter.d/roundcube-auth.conf
-- support roundcube 0.9+
- Daniel Black
files/suse-initd
-- update to the copy from stock SUSE silviogarbes & Daniel Black- Updates to asterisk filter. Closes gh-227/gh-230.
- Carlos Alberto Lopez Perez
- Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
Originally targeted as a bugfix release, it incorporated many new enhancements, few new features, and more importantly -- quite extended tests battery with current 94% coverage (from 56% of 0.8.8).
This release introduces over 200 of non-merge commits from 16 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki, ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither, Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.
Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom Hendrikx, Yehuda Katz and other TBN heroes supporting users on fail2ban-users mailing list and IRC.
- Yaroslav Halchenko
- [6f4dad46] python-2.4 is the minimal version.
- [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
- [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh-103.
- [ab044b75] delay check for the existence of config directory until read.
- [3b4084d4] fixing up for handling of TAI64N timestamps.
- [154aa38e] do not shutdown logging until all jails stop.
- [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. Thanks to Jon Foster for report and troubleshooting.
- Orion Poplawski
- [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories.
- Nicolas Collignon
- [39667ff6] Avoid leaking file descriptors. Closes gh-167.
- Sergey Brester
- [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list.
- Steven Hiscocks
- [7a442f07] When changing log target with python2.{4,5} handle KeyError. Closes gh-147, gh-148.
- [b6a68f51] Fix delaction on server side. Closes gh-124.
- Daniel Black
- [f0610c01] Allow more that a one word command when changing and Action via the fail2ban-client. Closes gh-134.
- [945ad3d9] Fix dates on email actions to work in different locals. Closes gh-70. Thanks to iGeorgeX for the idea.
- blotus
- [96eb8986] ' and " should also be escaped in action tags Closes gh-109
- Christoph Theis, Nick Hilliard, Daniel Black
- [b3bd877d,cde71080] Make
syslog -v
andsyslog -vv
formats work on FreeBSD
- [b3bd877d,cde71080] Make
- Yaroslav Halchenko
- [9ba27353] Add support for
jail.d/{confilefile}
andfail2ban.d/{configfile}
to provide additional flexibility to system administrators. Thanks to beilber for the idea. Closes gh-114. - [3ce53e87] Add exim filter.
- [9ba27353] Add support for
- Erwan Ben Souiden
- [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh-166.
- Artur Penttinen
- [29d0df5] Add mysqld filter. Closes gh-152.
- ArndRaphael Brandes
- [bba3fd8] Add Sogo filter. Closes gh-117.
- Michael Gebetsriother
- [f9b78ba] Add action route to block at routing level.
- Teodor Micu & Yaroslav Halchenko
- [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
- Daniel Black
- [be06b1b] Add action for iptables-ipsets. Closes gh-102.
- Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
- [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports.
- Soulard Morgan
- [f336d9f] Add filter for webmin. Closes gh-99.
- Steven Hiscocks
- [..746c7d9] bash interactive shell completions for fail2ban-*'s
- Nick Hilliard
- [0c5a9c5] Add pf action.
- Enrico Labedzki
- [24a8d07] Added new date format for ASSP SMTP Proxy.
- Steven Hiscocks
- [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172.
- [MANY] Improvements to test cases, travis, and code coverage (coveralls).
- [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
- [ce3ab34] Added ability to specify PID file.
- Orion Poplawski
- [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh-142.
- Yaroslav Halchenko
- [MANY] Lots of improvements to log messages, man pages and test cases.
- [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh-126. Bug report by Michael Heuberger.
- [40c5a2d] adding more of diagnostic messages into -client while starting the daemon.
- [8e63d4c] Compare against None with 'is' instead of '=='.
- [6fef85f] Strip CR and LF while analyzing the log line
- Daniel Black
- [3aeb1a9] Add jail.conf manual page. Closes gh-143.
- [MANY] man page edits.
- [7cd6dab] Added help command to fail2ban-client.
- [c8c7b0b,23bbc60] Better logging of log file read errors.
- [3665e6d] Added code coverage to development process.
- [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes.
- [1d9abd1] Action files can have tags in definition that refer to other tags.
- [10886e7,cec5da2,adb991a] Change actions to response with ICMP port unreachable rather than just a drop of the packet.
- Pascal Borreli
- [a2b29b4] Fixed lots of typos in config files and documentation.
- hamilton5
- [7ede1e8] Update dovecot filter config.
- Romain Riviere
- [0ac8746] Enhance named-refused filter for views.
- James Stout
- [..2143cdf] Solaris support enhancements:
README.Solaris
- failregex'es tune ups (
sshd.conf
) - hostsdeny: do not rely on support of '-i' in sed
- [..2143cdf] Solaris support enhancements:
- Alan Jenkins
- [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid banning due to misconfigured DNS. Closes gh-64
- Yaroslav Halchenko
- [83109bc] IMPORTANT: escape the content of (if used in custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team
- [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83
- [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
- [37a2e59] store IP as a base, non-unicode str to avoid spurious messages in the console. Closes gh-91
- David Engeset
- [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86
- [2d66f31] replaced uninformative "Invalid command" message with warning log exception why command actually failed
- [958a1b0] improved failregex to "support" auth.backend = "htdigest"
- [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run
- [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
- [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 for this gh-87)
- Various others: travis-ci integration, script to run tests against all available Python versions, etc
- [e9762f3] Removed sneaked in comment on sys.path.insert
- Tom Hendrikx & Jeremy Olexa
- [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. See http://forums.gentoo.org/viewtopic-t-899018.html
- Chris Reffett
- [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, rather than just one failure.
- Yaroslav Halchenko
- [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
- [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
- [ed16ecc] enforce "ip" field returned as str, not unicode so that log message stays non-unicode. Close gh-32
- [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if already present in the pattern
- [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be friend to developers stuck with Windows (Closes gh-66)
- [80b191c] anchor grep regexp in actioncheck to not match partial names of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
- François Boulogne
- [a7cb20e..] add lighttpd-auth filter/jail
- Lee Clemens & Yaroslav Halchenko
- [e442503] pyinotify backend (default if backend='auto' and pyinotify is available)
- [d73a71f,3989d24] usedns parameter for the jails to allow disabling use of DNS
- Tom Hendrikx
- [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban repeated offenders. Close gh-19
- Xavier Devlamynck
- [7d465f9..] Add asterisk support
- Zbigniew Jędrzejewski-Szmek
- [de502cf..] allow running fail2ban as non-root user (disabled by default) via xt_recent. See doc/run-rootless.txt
- Lee Clemens
- [47c03a2] files/nagios - spelling/grammar fixes
- [b083038] updated Free Software Foundation's address
- [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
- [642d9af,3282f86] reformatted printing of jail's name to be consistent with init's info messages
- [3282f86] uniform use of capitalized Jail in the messages
- Leonardo Chiquitto
- [4502adf] Fix comments in dshield.conf and mynetwatchman.conf to reflect code
- [a7d47e8] Update Free Software Foundation's address
- Petr Voralek
- [4007751] catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063)
- Yaroslav Halchenko
- [MANY] extended and robustified unittests: test different backends
- [d9248a6] refactored Filter's to avoid duplicate functionality
- [7821174] direct users to issues on github
- [d2ffee0..] re-factored fail2ban-regex -- more condensed output by default with -v to control verbosity
- [b4099da] adjusted header for config/*.conf to mention .local and way to comment (Thanks Stefano Forli for the note)
- [6ad55f6] added failregex for wu-ftpd to match against syslog instead of DoS-prone auth.log's rhost (Closes: #514239)
- [2082fee] match possibly present "pam_unix(sshd:auth):" portion for sshd filter (Closes: #648020)
- Yehuda Katz & Yaroslav Halchenko
- [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
- Markos Chandras & Yaroslav Halchenko
- [492d8e5,bd658fc] Use hashlib (instead of deprecated md5) where available
- Robert Trace & Michael Lorant
- [c48c2b1] gentoo-initd cleanup and fixes: assure
/var/run
+ remove stale sock file
- [c48c2b1] gentoo-initd cleanup and fixes: assure
- Michael Saavedra
- [3a58d0e] Lock server's executeCmd to prevent racing among iptables calls: see http://bugs.debian.org/554162
- Yaroslav Halchenko
- [3eb5e3b] Allow for trailing spaces in sasl logs
- [1632244] Stop server-side communication before stopping the jails (prevents lockup if actions use fail2ban-client upon unban): see fail2ban#7
- [5a2d518] Various changes to reincarnate unittests
- Yehuda Katz
- Wiki was cleaned from SPAM
- Adam Spiers
- [3152afb] Recognise time-stamped kernel messages
- Guido Bozzetto
- [713fea6] Added ipmasq rule file to restart fail2ban when iptables are wiped out: see http://bugs.debian.org/461417
- Łukasz
- [5f23542] Matching of month names in Polish (thanks michaelberg79 for QA)
- Tom Hendrikx
- [9fa54cf] Added Date: header for sendmail*.conf actions
- Yaroslav Halchenko & Tom Hendrikx
- [b52d420..22b7007] in action files now can be used to provide matched loglines which triggered action
- Yaroslav Halchenko
- [ed0bf3a] Removed duplicate entry for DataCha0s/2.0 in badbots: see http://bugs.debian.org/519557
- [dad91f7] sshd.conf: allow user names to have spaces and trailing spaces in the line
- [a9be451] removed expansions for few Date and Revision SVN keywords
- [a33135c] set/getFile for ticket.py -- found in source distribution of 0.8.4
- [fbce415] additional logging while stopping the jails
- Fix: use addfailregex instead of failregex while processing per-jail "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to Marat Khayrullin for the patch and Daniel T Chen for forwarding to Debian.
- Fix: use os.path.join to generate full path - fixes includes in configs given local filename (5 weeks ago) [yarikoptic]
- Fix: allowed for trailing spaces in proftpd logs
- Fix: escaped () in pure-ftpd filter. Thanks to Teodor
- Fix: allowed space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314
- Fix: use
/var/run/fail2ban
instead of/tmp
for temp files in actions: see http://bugs.debian.org/544232 - Fix: Tai64N stores time in GMT, needed to convert to local time before returning
- Fix: disabled named-refused-udp jail entirely with a big fat warning
- Fix: added time module. Bug reported in buanzo's blog: see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
- Fix: Patch to make log file descriptors cloexec to stop leaking file descriptors on fork/exec. Thanks to Jonathan Underwood: see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24
- Enhancement: added author for dovecot filter and pruned unneeded space in the regexp
- Enhancement: proftpd filter -- if login failed -- count regardless of the reason for failure
- Enhancement: added to
action.d/iptables*
. Thanks to Matthijs Kooijman: see http://bugs.debian.org/515599 - Enhancement: added
filter.d/dovecot.conf
from Martin Waschbuesch - Enhancement: made
filter.d/apache-overflows.conf
catch more: see http://bugs.debian.org/574182 - Enhancement: added dropbear filter from Francis Russell and Zak B. Elep: see http://bugs.debian.org/546913
- Enhancement: changed default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200
- Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer
- Few minor cosmetic changes
- Check the inode number for rotation in addition to checking the first line of the file. Thanks to Jonathan Kamens. Red Hat #503852. Tracker #2800279.
- Moved the shutdown of the logging subsystem out of Server.quit() to the end of Server.start(). Fixes the 'cannot release un-acquired lock' error.
- Added "Ban IP" command. Thanks to Arturo 'Buanzo' Busleiman.
- Added two new filters: lighttpd-fastcgi and php-url-fopen.
- Fixed the 'unexpected communication error' problem by means of use_poll=False in Python >= 2.6.
- Merged patches from Debian package. Thanks to Yaroslav Halchenko.
- Use current day and month instead of Jan 1st if both are not available in the log. Thanks to Andreas Itzchak Rehberg.
- Try to match the regex even if the line does not contain a valid date/time. Described in Debian #491253. Thanks to Yaroslav Halchenko.
- Added/improved filters and date formats.
- Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to Russell Odom.
- Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to Detlef Reichelt.
- Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
- Added nagios script. Thanks to Sebastian Mueller.
- Added CPanel date format. Thanks to David Collins. Tracker #1967610.
- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
- Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115.
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
- Changed
<HOST>
template to be more restrictive. Debian bug #514163. - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct fix but seems to work. Tracker #2500276.
- Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea.
- Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714
- Process failtickets as long as failmanager is not empty.
- Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav Halchenko.
- Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
- Fixed PID file while started in daemon mode. Thanks to Christian Jobic who submitted a similar patch.
- Fixed
fail2ban-client get <jail> logpath
. Bug #1916986. - Added gssftpd filter. Thanks to Kevin Zembower.
- Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis Winter.
- Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
- Added ISO 8601 date/time format.
- Added and changed some logging level and messages.
- Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
- Use poll instead of select in asyncore.loop. This should solve the "Unknown error 514". Thanks to Michael Geiger and Klaus Lehmann.
- Fixed named filter. Thanks to Yaroslav Halchenko
- Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
- Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection
- Fixed ipfw action script. Thanks to Nick Munger
- Removed date from logging message when using SYSLOG. Thanks to Iain Lea
- Fixed "ignore IPs". Only the first value was taken into account. Thanks to Adrien Clerc
- Moved socket to
/var/run/fail2ban
. - Rewrote the communication server.
- Refactoring. Reduced number of files.
- Removed Python 2.4. Minimum required version is now Python 2.3.
- New log rotation detection algorithm.
- Print monitored files in status.
- Create a PID file in
/var/run/fail2ban/
. Thanks to Julien Perez. - Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko for the fix.
reload <jail>
reloads a single jail and the parameters in fail2ban.conf.- Added Mac OS/X startup script. Thanks to Bill Heaton.
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
- Replaced "echo" with "printf" in actions. Fix #1839673
- Replaced "reject" with "drop" in shorwall action. Fix #1854875
- Fixed Debian bug #456567, #468477, #462060, #461426
- readline is now optional in fail2ban-client (not needed in fail2ban-server).
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
- Expand in ignoreregex. Thanks to Yaroslav Halchenko
- Improved regular expressions. Thanks to Yaroslav Halchenko and others
- Added sendmail actions. The action started with "mail" are now deprecated. Thanks to Raphaël Marichez
- Added "ignoreregex" support to fail2ban-regex
- Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
- Tightening up the pid check in redhat-initd. Thanks to David Nutter
- Added webmin authentication filter. Thanks to Guillaume Delvit
- Removed textToDns() which is not required anymore. Thanks to Yaroslav Halchenko
- Added new action iptables-allports. Thanks to Yaroslav Halchenko
- Added "named" date format to date detector. Thanks to Yaroslav Halchenko
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
- Fixed RedHat init script. Thanks to Jonathan Underwood
- Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner
- Close opened handlers. Thanks to Yaroslav Halchenko
- Fixed "reload" bug. Many many thanks to Yaroslav Halchenko
- Added date format for asctime without year
- Modified filters config. Thanks to Michael C. Haller
- Fixed a small bug in mail-buffered.conf
- Fixed asctime pattern in datedetector.py
- Added new filters/actions. Thanks to Yaroslav Halchenko
- Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
- Moved every locking statements in a try..finally block
- Added signal handling in fail2ban-client
- Added a wonderful visual effect when waiting on the server
- fail2ban-client returns an error code if configuration is not valid
- Added new filters/actions. Thanks to Yaroslav Halchenko
- Call Python interpreter directly (instead of using "env")
- Added file support to fail2ban-regex. Benchmark feature has been removed
- Added cacti script and template.
- Added IP list in "status ". Thanks to Eric Gerbier
- Added a "sleep 1" in redhat-initd. Thanks to Jim Wight
- Use
/dev/log
for SYSLOG output. Thanks to Joerg Sommrey - Use numeric output for iptables in "actioncheck"
- Fixed removal of host in hosts.deny. Thanks to René Berber
- Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
- Several "failregex" and "ignoreregex" are now accepted. Creation of rules should be easier now.
- Added license in COPYING. Thanks to Axel Thimm
- Allow comma in action options. The value of the option must be escaped with " or '. Thanks to Yaroslav Halchenko
- Now Fail2ban goes in
/usr/share/fail2ban
instead of/usr/lib/fail2ban
. This is more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko
- Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
- The supported tags in "action(un)ban" are
<ip>
,<failures>
and<time>
- Fixed refactoring bug (getLastcommand -> getLastAction)
- Added option "ignoreregex" in filter scripts and
jail.conf
. Feature Request #1283304 - Fixed a bug in user defined time regex/pattern
- Improved documentation
- Moved
version.py
andprotocol.py
tocommon/
- Merged "maxtime" option with "findtime"
- Added
<HOST>
tag support in failregex which matches default IP address/hostname.(?P<host>\S)
is still valid and supported - Fixed exception when calling fail2ban-server with unknown option
- Fixed Debian bug 400162. The "socket" option is now handled correctly by
fail2ban-client
- Fixed RedHat init script. Thanks to Justin Shore
- Changed timeout to 30 secondes before assuming the server cannot be started. Thanks to Joël Bertrand
- Improved configuration files. Thanks to Yaroslav Halchenko
- Added man page for "fail2ban-regex"
- Moved ban/unban messages from "info" level to "warn"
- Added "-s" option to specify the socket path and "socket" option in "fail2ban.conf"
- Added "backend" option in "jail.conf"
- Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph Haas
- Improved testing framework
- Fixed a bug in the return code handling of the executed commands. Thanks to Yaroslav Halchenko
- Signal handling. There is a bug with join() and signal in Python
- Better debugging output for "fail2ban-regex"
- Added support for more date format
- cPickle does not work with Python 2.5. Use pickle instead (performance is not a problem in our case)
- Added man pages. Thanks to Yaroslav Halchenko
- Added wildcard support for "logpath"
- Added Gamin (file and directory monitoring system) support
- (Re)added "ignoreip" option
- Added more concurrency protection
- First attempt at solving bug #1457620 (locale issue)
- Performance improvements
- (Re)added permanent banning with banTime < 0
- Added DNS support to "ignoreip". Feature Request #1285859
- Refactoring and code cleanup
- Improved client output
- Added more get/set commands
- Added more configuration templates
- Removed "logpath" and "maxretry" from filter templates. They must be defined in jail.conf now
- Added interactive mode. Use "-i"
- Added a date detector. "timeregex" and "timepattern" are no more needed
- Added "fail2ban-regex". This is a tool to help finding "failregex"
- Improved server communication. Start a new thread for each incoming request. Fail2ban is not really thread-safe yet
- Fixed daemon mode bug
- Added Gentoo init.d script
- Fixed path bug when trying to start "fail2ban-server"
- Fixed reload command
- Almost a complete rewrite :) Fail2ban design is really better (IMHO). There is a lot of new features
- Client/Server architecture
- Multithreading. Each jail has its own threads: one for the log reading and another for the actions
- Execute several actions
- Split configuration files. They are more readable and easy to use
- failregex uses group () now. This feature was already present in the Debian package
- lots of things...
- Added permanent banning. Set banTime to a negative value to enable this feature (-1 is perfect). Thanks to Mannone
- Fixed locale bug. Thanks to Fernando José
- Fixed crash when time format does not match data
- Propagated patch from Debian to fix fail2ban search path addition to the path search list: now it is added first. Thanks to Nick Craig-Wood
- Added SMTP authentication for mail notification. Thanks to Markus Hoffmann
- Removed debug mode as it is confusing for people
- Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark Edgington
- Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick Börjesson
- Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local network.
- Robust startup: if iptables module does not get fully initialized after startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its own firewall. It will sleep between attempts for "polltime" number of seconds (closes Debian: #334272). Thanks to Yaroslav Halchenko
- Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser module. Old configuration files still work. Thanks to Yaroslav Halchenko
- Added initial support for hosts.deny and shorewall. Need more testing. Please test. Thanks to kojiro from Gentoo forum for hosts.deny support
- Added support for vsftpd. Thanks to zugeschmiert
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
- Added an option to report local time (including timezone) or GMT in mail notification.
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
- Introduced fwcheck option to verify consistency of the chains. Implemented automatic restart of fail2ban main function in case check of fwban or fwunban command failed (closes: #329163, #331695). (Introduced patch was further adjusted by upstream author).
- Added -f command line parameter for [findtime].
- Added a cleanup of firewall rules on emergency shutdown when unknown exception is caught.
- Fail2ban should not crash now if a wrong file name is specified in config.
- reordered code a bit so that log targets are setup right after background and then only loglevel (verbose, debug) is processed, so the warning could be seen in the logs
- Added a keyword
<section>
in parsing of the subject and the body of an email sent out by fail2ban (closes: #330311)
- Fixed bug #1286222.
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
- Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target and facility as directed by the config
- Format of SYSLOG entries fixed to look closer to standard
- Fixed errata in config/gentoo-confd
- Introduced findtime configuration variable to control the lifetime of caught "failed" log entries
- Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav Halchenko
- Added more debug output if an error occurs when sending mail. Thanks to Stephen Gildea
- Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to Stephen Gildea
- Hopefully fixed bug #1256075
- Fixed bug #1262345
- Fixed exception handling in PIDLock
- Removed warning when using "-V" or "-h" with no config file. Thanks to Yaroslav Halchenko
- Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko
- Better PID lock file handling. Should close #1239562
- Added man pages
- Removed log4py dependency. Use logging module instead
- "maxretry" and "bantime" can be overridden in each section
- Fixed bug #1246278 (excessive memory usage)
- Fixed crash on wrong option value in configuration file
- Changed custom chains to lowercase
- Fixed bugs #1241756, #1239557
- Added log targets in configuration file. Removed -l option
- Changed iptables rules in order to create a separated chain for each section
- Fixed static banList in firewall.py
- Added an initd script for Debian. Thanks to Yaroslav Halchenko
- Check for obsolete files after install
- Added support for CIDR mask in ignoreip
- Added mail notification support
- Fixed bug #1234699
- Added tags replacement in rules definition. Should allow a clean solution for Feature Request #1229479
- Removed "interface" and "firewall" options
- Added start and end commands in the configuration file. Thanks to Yaroslav Halchenko
- Added firewall rules definition in the configuration file
- Cleaned fail2ban.py
- Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin
- Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...". Thanks to Tom Pike
fail2ban.conf
modified for readability. Thanks to Iain Lea- Added an initd script for Gentoo
- Changed default PID lock file location from
/tmp
to/var/run
- Fixed textToDNS which did not recognize strings like "12-345-67-890.abcd.mnopqr.xyz"
- Corrected level of messages
- Added DNS lookup support
- Improved parsing speed. Only parse the new log messages
- Added a second verbose level (-vv)
- Re-writting of parts of the code in order to handle several log files with different rules
- Removed
sshd.py
because it is no more needed - Fixed a bug when exiting with IP in the ban list
- Added PID lock file
- Improved some parts of the code
- Added
ipfw-start-rule
option (thanks to Robert Edeker) - Added -k option which kills a currently running Fail2Ban
- Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to Robert Edeker
- Add -e option which allows to set the interface. Thanks to Robert Edeker who reminded me this
- Small code cleaning
- Add SIGTERM handler in order to exit nicely when in daemon mode
- Add -r option which allows to set the maximum number of login failures
- Remove the Metalog class as the log file are not so syslog daemon specific
- Rewrite log reader to be service centered. Sshd support added. Match "Failed password" and "Illegal user"
- Add
/etc/fail2ban.conf
configuration support - Code documentation
- Initial release