------------------------------------------------------------------- Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at - Included logrotate configuration for fail2ban ------------------------------------------------------------------- Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at - Init-Script does no longer require $syslog to be started as file-base logging is the default. Synced with Debian script. - Upgrade to version 0.8.9 - Fixes: Yaroslav Halchenko * [6f4dad46] python-2.4 is the minimal version. * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. on Fedora. Closes gh-112. Thanks to Camusensei for the bug report. * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh-103. * [ab044b75] delay check for the existence of config directory until read. * [3b4084d4] fixing up for handling of TAI64N timestamps. * [154aa38e] do not shutdown logging until all jails stop. * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. Thanks to Jon Foster for report and troubleshooting. Orion Poplawski * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories. Nicolas Collignon * [39667ff6] Avoid leaking file descriptors. Closes gh-167. Sergey Brester * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list. Steven Hiscocks * [7a442f07] When changing log target with python2.{4,5} handle KeyError. Closes gh-147, gh-148. * [b6a68f51] Fix delaction on server side. Closes gh-124. Daniel Black * [f0610c01] Allow more that a one word command when changing and Action via the fail2ban-client. Closes gh-134. * [945ad3d9] Fix dates on email actions to work in different locals. Closes gh-70. Thanks to iGeorgeX for the idea. blotus * [96eb8986] ' and " should also be escaped in action tags Closes gh-109 Christoph Theis, Nick Hilliard, Daniel Black * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD - New features: Yaroslav Halchenko * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} to provide additional flexibility to system adminstrators. Thanks to beilber for the idea. Closes gh-114. * [3ce53e87] Add exim filter. Erwan Ben Souiden * [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh-166. Artur Penttinen * [29d0df5] Add mysqld filter. Closes gh-152. ArndRaphael Brandes * [bba3fd8] Add Sogo filter. Closes gh-117. Michael Gebetsriother * [f9b78ba] Add action route to block at routing level. Teodor Micu & Yaroslav Halchenko * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. Daniel Black * [be06b1b] Add action for iptables-ipsets. Closes gh-102. Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk * [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports. Soulard Morgan * [f336d9f] Add filter for webmin. Closes gh-99. Steven Hiscocks * [..746c7d9] bash interactive shell completions for fail2ban-*'s Nick Hilliard * [0c5a9c5] Add pf action. - Enhancements: Enrico Labedzki * [24a8d07] Added new date format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172. * [MANY] Improvements to test cases, travis, and code coverage (coveralls). * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124. * [ce3ab34] Added ability to specify PID file. Orion Poplawski * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh-142. Yaroslav Halchenko * [MANY] Lots of improvements to log messages, man pages and test cases. * [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh-126. Bug report by Michael Heuberger. * [40c5a2d] adding more of diagnostic messages into -client while starting the daemon. * [8e63d4c] Compare against None with 'is' instead of '=='. * [6fef85f] Strip CR and LF while analyzing the log line Daniel Black * [3aeb1a9] Add jail.conf manual page. Closes gh-143. * [MANY] man page edits. * [7cd6dab] Added help command to fail2ban-client. * [c8c7b0b,23bbc60] Better logging of log file read errors. * [3665e6d] Added code coverage to development process. * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes. * [1d9abd1] Action files can have tags in definition that refer to other tags. * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port unreachable rather than just a drop of the packet. Pascal Borreli * [a2b29b4] Fixed lots of typos in config files and documentation. hamilton5 * [7ede1e8] Update dovecot filter config. Romain Riviere * [0ac8746] Enhance named-refused filter for views. James Stout * [..2143cdf] Solaris support enhancements: - README.Solaris - failregex'es tune ups (sshd.conf) - hostsdeny: do not rely on support of '-i' in sed ------------------------------------------------------------------- Thu Dec 6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at One of the important changes is escaping of the content -- so if you crafted some custom action which uses it -- you must upgrade, or you would be at a significant security risk. - Fixes: Alan Jenkins * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid banning due to misconfigured DNS. Close gh-64 Yaroslav Halchenko * [83109bc] IMPORTANT: escape the content of (if used in custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages in the console. Close gh-91 - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86 - Enhancements: * [2d66f31] replaced uninformative "Invalid command" message with warning log exception why command actually failed * [958a1b0] improved failregex to "support" auth.backend = "htdigest" * [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 for this gh-87) * Various others: travis-ci integration, script to run tests against all available Python versions, etc ------------------------------------------------------------------- Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at - Fixed initscript as discussed in bnc#790557 ------------------------------------------------------------------- Wed Oct 3 09:53:40 UTC 2012 - meissner@suse.com - use Source URL pointing to github ------------------------------------------------------------------- Tue Oct 2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at - Do not longer replace main config-files - Use variables for directories in spec file ------------------------------------------------------------------- Tue Oct 2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at - Added dependencies to python-pyinotifyi, python-gamin and iptables ------------------------------------------------------------------- Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at - Upgraded to version 0.8.7.1 - Yaroslav Halchenko * [e9762f3] Removed sneaked in comment on sys.path.insert Tom Hendrikx & Jeremy Olexa * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. See http://forums.gentoo.org/viewtopic-t-899018.html - Chris Reffett * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, rather than just one failure. - Yaroslav Halchenko * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf * [ed16ecc] enforce "ip" field returned as str, not unicode so that log message stays non-unicode. Close gh-32 * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if already present in the pattern * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be friend to developers stuck with Windows (Closes gh-66) * [80b191c] anchor grep regexp in actioncheck to not match partial names of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) - New features: - François Boulogne * [a7cb20e..] add lighttpd-auth filter/jail - Lee Clemens & Yaroslav Halchenko * [e442503] pyinotify backend (default if backend='auto' and pyinotify is available) * [d73a71f,3989d24] usedns parameter for the jails to allow disabling use of DNS - Tom Hendrikx * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban repeated offenders. Close gh-19 - Xavier Devlamynck * [7d465f9..] Add asterisk support - Zbigniew Jedrzejewski-Szmek * [de502cf..] allow running fail2ban as non-root user (disabled by default) via xt_recent. See doc/run-rootless.txt - Enhancements - Lee Clemens * [47c03a2] files/nagios - spelling/grammar fixes * [b083038] updated Free Software Foundation's address * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 * [642d9af,3282f86] reformated printing of jail's name to be consistent with init's info messages * [3282f86] uniform use of capitalized Jail in the messages - Leonardo Chiquitto * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf to reflect code * [a7d47e8] Update Free Software Foundation's address - Petr Voralek * [4007751] catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) - Yaroslav Halchenko * [MANY] extended and robustified unittests: test different backends * [d9248a6] refactored Filter's to avoid duplicate functionality * [7821174] direct users to issues on github * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by default with -v to control verbosity * [b4099da] adjusted header for config/*.conf to mention .local and way to comment (Thanks Stefano Forli for the note) * [6ad55f6] added failregex for wu-ftpd to match against syslog instead of DoS-prone auth.log's rhost (Closes: #514239) * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for sshd filter (Closes: #648020) - Yehuda Katz & Yaroslav Halchenko * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers ------------------------------------------------------------------- Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de - Adding to fail2ban.init remove of pid and sock files on stop in case not removed before (prevents start fail) ------------------------------------------------------------------- Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at - Update to version 0.8.6. containing various fixes and enhancements ------------------------------------------------------------------- Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com - Update to version 0.8.5: many bug fixes, enhancements and, as a bonus, drop two patches that are now upstream - Update FSF address to silent rpmlint warnings - Drop stale socket files on startup (bnc#537239, bnc#730044) ------------------------------------------------------------------- Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de - Apply packaging guidelines (remove redundant/obsolete tags/sections from specfile, etc.) ------------------------------------------------------------------- Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com - Use /var/run/fail2ban instead of /tmp for temp files in actions: see bugs.debian.org/544232, bnc#690853, CVE-2009-5023 ------------------------------------------------------------------- Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com - Use $FAIL2BAN_OPTIONS when starting (bnc#662495) - Clean up sysconfig file ------------------------------------------------------------------- Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org - Use O_CLOEXEC on fds (patch from Fedora) ------------------------------------------------------------------- Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com - Create /var/run/fail2ban during startup to support systems that mount /var/run as tmpfs - Build package as noarch - Spec file cleanup: fix a couple of rpmlint warnings - Init script: look for fail2ban-server when checking if the daemon is running ------------------------------------------------------------------- Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com - Update to version 0.8.4. Important changes: * New "Ban IP" command * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve * Fixed the 'unexpected communication error' problem * Remove socket file on startup if fail2ban crashed (bnc#537239) ------------------------------------------------------------------- Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de - Initial version: 0.8.3