------------------------------------------------------------------- Thu Dec 6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at One of the important changes is escaping of the content -- so if you crafted some custom action which uses it -- you must upgrade, or you would be at a significant security risk. - Fixes: Alan Jenkins * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid banning due to misconfigured DNS. Close gh-64 Yaroslav Halchenko * [83109bc] IMPORTANT: escape the content of (if used in custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages in the console. Close gh-91 - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86 - Enhancements: * [2d66f31] replaced uninformative "Invalid command" message with warning log exception why command actually failed * [958a1b0] improved failregex to "support" auth.backend = "htdigest" * [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 for this gh-87) * Various others: travis-ci integration, script to run tests against all available Python versions, etc ------------------------------------------------------------------- Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at - Fixed initscript as discussed in bnc#790557 ------------------------------------------------------------------- Wed Oct 3 09:53:40 UTC 2012 - meissner@suse.com - use Source URL pointing to github ------------------------------------------------------------------- Tue Oct 2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at - Do not longer replace main config-files - Use variables for directories in spec file ------------------------------------------------------------------- Tue Oct 2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at - Added dependencies to python-pyinotifyi, python-gamin and iptables ------------------------------------------------------------------- Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at - Upgraded to version 0.8.7.1 - Yaroslav Halchenko * [e9762f3] Removed sneaked in comment on sys.path.insert Tom Hendrikx & Jeremy Olexa * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. See http://forums.gentoo.org/viewtopic-t-899018.html - Chris Reffett * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, rather than just one failure. - Yaroslav Halchenko * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf * [ed16ecc] enforce "ip" field returned as str, not unicode so that log message stays non-unicode. Close gh-32 * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if already present in the pattern * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be friend to developers stuck with Windows (Closes gh-66) * [80b191c] anchor grep regexp in actioncheck to not match partial names of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) - New features: - François Boulogne * [a7cb20e..] add lighttpd-auth filter/jail - Lee Clemens & Yaroslav Halchenko * [e442503] pyinotify backend (default if backend='auto' and pyinotify is available) * [d73a71f,3989d24] usedns parameter for the jails to allow disabling use of DNS - Tom Hendrikx * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban repeated offenders. Close gh-19 - Xavier Devlamynck * [7d465f9..] Add asterisk support - Zbigniew Jedrzejewski-Szmek * [de502cf..] allow running fail2ban as non-root user (disabled by default) via xt_recent. See doc/run-rootless.txt - Enhancements - Lee Clemens * [47c03a2] files/nagios - spelling/grammar fixes * [b083038] updated Free Software Foundation's address * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 * [642d9af,3282f86] reformated printing of jail's name to be consistent with init's info messages * [3282f86] uniform use of capitalized Jail in the messages - Leonardo Chiquitto * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf to reflect code * [a7d47e8] Update Free Software Foundation's address - Petr Voralek * [4007751] catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) - Yaroslav Halchenko * [MANY] extended and robustified unittests: test different backends * [d9248a6] refactored Filter's to avoid duplicate functionality * [7821174] direct users to issues on github * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by default with -v to control verbosity * [b4099da] adjusted header for config/*.conf to mention .local and way to comment (Thanks Stefano Forli for the note) * [6ad55f6] added failregex for wu-ftpd to match against syslog instead of DoS-prone auth.log's rhost (Closes: #514239) * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for sshd filter (Closes: #648020) - Yehuda Katz & Yaroslav Halchenko * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers ------------------------------------------------------------------- Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de - Adding to fail2ban.init remove of pid and sock files on stop in case not removed before (prevents start fail) ------------------------------------------------------------------- Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at - Update to version 0.8.6. containing various fixes and enhancements ------------------------------------------------------------------- Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com - Update to version 0.8.5: many bug fixes, enhancements and, as a bonus, drop two patches that are now upstream - Update FSF address to silent rpmlint warnings - Drop stale socket files on startup (bnc#537239, bnc#730044) ------------------------------------------------------------------- Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de - Apply packaging guidelines (remove redundant/obsolete tags/sections from specfile, etc.) ------------------------------------------------------------------- Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com - Use /var/run/fail2ban instead of /tmp for temp files in actions: see bugs.debian.org/544232, bnc#690853, CVE-2009-5023 ------------------------------------------------------------------- Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com - Use $FAIL2BAN_OPTIONS when starting (bnc#662495) - Clean up sysconfig file ------------------------------------------------------------------- Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org - Use O_CLOEXEC on fds (patch from Fedora) ------------------------------------------------------------------- Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com - Create /var/run/fail2ban during startup to support systems that mount /var/run as tmpfs - Build package as noarch - Spec file cleanup: fix a couple of rpmlint warnings - Init script: look for fail2ban-server when checking if the daemon is running ------------------------------------------------------------------- Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com - Update to version 0.8.4. Important changes: * New "Ban IP" command * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve * Fixed the 'unexpected communication error' problem * Remove socket file on startup if fail2ban crashed (bnc#537239) ------------------------------------------------------------------- Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de - Initial version: 0.8.3