forked from pool/fail2ban
7b7f0beacb
- added 1783.patch from upstream: "Updated roundcube authentication filter" - use tmpfiles_create macro OBS-URL: https://build.opensuse.org/request/show/506341 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=81
1008 lines
45 KiB
Plaintext
1008 lines
45 KiB
Plaintext
-------------------------------------------------------------------
|
|
Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at
|
|
|
|
- added 1783.patch from upstream: "Updated roundcube authentication filter"
|
|
- use tmpfiles_create macro
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at
|
|
|
|
- added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP"
|
|
this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no
|
|
action as a result"
|
|
|
|
- Update to 0.9.7
|
|
* Fixed a systemd-journal handling in fail2ban-regex
|
|
(gh#fail2ban/fail2ban#1657)
|
|
* filter.d/sshd.conf
|
|
- Fixed non-anchored part of failregex (misleading match of colon inside
|
|
IPv6 address instead of `: ` in the reason-part by missing space,
|
|
gh#fail2ban/fail2ban#1658)
|
|
(0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
|
|
* config/pathes-freebsd.conf
|
|
- Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
|
|
* filter.d/exim.conf
|
|
- optional part `(...)` after host-name before `[IP]`
|
|
(gh#fail2ban/fail2ban#1751)
|
|
- new reason "Unrouteable address" for "rejected RCPT" regex
|
|
(gh#fail2ban/fail2ban#1762)
|
|
- match of complex time like `D=2m42s` in regex "no MAIL in SMTP
|
|
connection" (gh#fail2ban/fail2ban#1766)
|
|
* filter.d/sshd.conf
|
|
- new aggressive rules (gh#fail2ban/fail2ban#864):
|
|
- Connection reset by peer (multi-line rule during authorization process)
|
|
- No supported authentication methods available
|
|
- single line and multi-line expression optimized, added optional prefixes
|
|
and suffix (logged from several ssh versions), according
|
|
to gh#fail2ban/fail2ban#1206;
|
|
- fixed expression received disconnect auth fail (optional space after port
|
|
part, gh#fail2ban/fail2ban#1652)
|
|
and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206;
|
|
* filter.d/suhosin.conf
|
|
- greedy catch-all before `<HOST>` fixed (potential vulnerability)
|
|
* filter.d/cyrus-imap.conf
|
|
- accept entries without login-info resp. hostname before IP address (#fail2ban/fail2ban#707)
|
|
* Filter tests extended with check of all config-regexp, that contains greedy catch-all
|
|
before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`
|
|
|
|
* New Actions:
|
|
- action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh#fail2ban/fail2ban#1663)
|
|
|
|
* New Filters:
|
|
- filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603)
|
|
|
|
* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Mar 5 12:56:10 UTC 2017 - wagner-thomas@gmx.at
|
|
|
|
- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 26 23:16:49 UTC 2017 - chris@computersalat.de
|
|
|
|
- Update to 0.9.6 (2016/12/10)
|
|
|
|
### Fixes
|
|
* Misleading add resp. enable of (already available) jail in database, that
|
|
induced a subsequent error: last position of log file will be never retrieved (gh-795)
|
|
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
|
|
(e.g. test-cases faults on Fedora, see gh-1353)
|
|
* Fixed pythonic filters and test scripts (running via wrong python version,
|
|
uses "fail2ban-python" now);
|
|
* Fixed test case "testSetupInstallRoot" for not default python version (also
|
|
using direct call, out of virtualenv);
|
|
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
|
|
* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
|
|
* Monit config: scripting is not supported in path (gh-1556)
|
|
* `filter.d/apache-modsecurity.conf`
|
|
- Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
|
|
replaced for safer match, unneeded catch-all anchoring removed, non-capturing
|
|
* `filter.d/asterisk.conf`
|
|
- Fixed to match different asterisk log prefix (source file: method:)
|
|
* `filter.d/dovecot.conf`
|
|
- Fixed failregex ignores failures through some not relevant info (gh-1623)
|
|
* `filter.d/ignorecommands/apache-fakegooglebot`
|
|
- Fixed error within apache-fakegooglebot, that will be called
|
|
with wrong python version (gh-1506)
|
|
* `filter.d/assp.conf`
|
|
- Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
|
|
* `filter.d/postfix-sasl.conf`
|
|
- Allow for having no trailing space after 'failed:' (gh-1497)
|
|
* `filter.d/vsftpd.conf`
|
|
- Optional reason part in message after FAIL LOGIN (gh-1543)
|
|
* `filter.d/sendmail-reject.conf`
|
|
- removed mandatory double space (if dns-host available, gh-1579)
|
|
* filter.d/sshd.conf
|
|
- recognized "Failed publickey for" (gh-1477);
|
|
- optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
|
|
- eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
|
|
- optional port part after host (see gh-1533, gh-1581)
|
|
|
|
### New Features
|
|
* New Actions:
|
|
- `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
|
|
* New Filters:
|
|
- `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
|
|
(gh-1586, gh-1606 and gh-1607)
|
|
|
|
### Enhancements
|
|
* DateTemplate regexp extended with the word-end boundary, additionally to
|
|
word-start boundary
|
|
* Introduces new command "fail2ban-python", as automatically created symlink to
|
|
python executable, where fail2ban currently installed (resp. its modules are located):
|
|
- allows to use the same version, fail2ban currently running, e.g. in
|
|
external scripts just via replace python with fail2ban-python:
|
|
```diff
|
|
-#!/usr/bin/env python
|
|
+#!/usr/bin/env fail2ban-python
|
|
```
|
|
- always the same pickle protocol
|
|
- the same (and also guaranteed available) fail2ban modules
|
|
- simplified stand-alone install, resp. stand-alone installation possibility
|
|
via setup (like gh-1487) is getting closer
|
|
* Several test cases rewritten using new methods assertIn, assertNotIn
|
|
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
|
|
Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
|
|
are test covered now
|
|
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
|
|
examples:
|
|
- `backend = systemd[journalpath=/run/log/journal/machine-1]`
|
|
- `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
|
|
- `backend = systemd[journalflags=2]`
|
|
|
|
- rebase fail2ban-opensuse-locations.patch, fail2ban-opensuse-service.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.9.5
|
|
|
|
New Features
|
|
* New Actions: action.d/firewallcmd-rich-rules and
|
|
action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367)
|
|
* New filter: slapd - ban hosts, that were failed to connect with invalid
|
|
credentials: error code 49 (gh#fail2ban/fail2ban#1478)
|
|
|
|
Enhancements
|
|
* Extreme speedup of all sqlite database operations
|
|
(gh#fail2ban/fail2ban#1436), by using of following sqlite options:
|
|
- (synchronous = OFF) write data through OS without syncing
|
|
- (journal_mode = MEMORY) use memory for the transaction logging
|
|
- (temp_store = MEMORY) temporary tables and indices are kept in memory
|
|
* journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362)
|
|
* Added additional regex filter for dovecot ldap authentication
|
|
failures (gh#fail2ban/fail2ban#1370)
|
|
* filter.d/exim*conf
|
|
- Added additional regexes (gh#fail2ban/fail2ban#1371)
|
|
- Made port entry optional
|
|
|
|
Fixes
|
|
* filter.d/monit.conf
|
|
- Extended failregex with new monit "access denied" version
|
|
(gh#fail2ban/fail2ban#1355)
|
|
- failregex of previous monit version merged as single expression
|
|
* filter.d/postfix.conf, filter.d/postfix-sasl.conf
|
|
- Extended failregex daemon part, matching also postfix/smtps/smtpd now
|
|
(gh#fail2ban/fail2ban#1391)
|
|
|
|
* Fixed a grave bug within tags substitutions because of incorrect detection
|
|
of recursion in case of multiple inline substitutions of the same tag
|
|
(affected actions: bsd-ipfw, etc). Now tracks the actual list of the
|
|
already substituted tags (per tag instead of single list)
|
|
|
|
* filter.d/common.conf
|
|
- Unexpected extra regex-space in generic __prefix_line
|
|
(gh#fail2ban/fail2ban#1405)
|
|
- All optional spaces normalized in common.conf, test covered now
|
|
- Generic __prefix_line extended with optional brackets for the date ambit
|
|
(gh#fail2ban/fail2ban#1421), added new parameter __date_ambit
|
|
|
|
* gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon,
|
|
not argument of fail2ban (see gh#fail2ban/fail2ban#1434)
|
|
|
|
* filter.d/asterisk.conf
|
|
- Fixed security log support for PJSIP and Asterisk 13+
|
|
(gh#fail2ban/fail2ban#1456)
|
|
- Improved log support for PJSIP and Asterisk 13+ with different callID
|
|
(gh#fail2ban/fail2ban#1458)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 10 14:09:51 UTC 2016 - jweberhofer@weberhofer.at
|
|
|
|
- Mark /etc/fail2ban/fail2ban.conf as noreplace.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
|
|
|
|
- Removed patch: fail2ban-exclude-dev-log-tests.patch
|
|
- Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
|
|
- rebased other patches
|
|
- Defined services which per default uses systemd logger
|
|
- Provide /usr/sbin/rcfail2ban also on systemd based distros
|
|
|
|
- All files in /etc/fail2ban/ except jail.local are now automatically replaced
|
|
upon installation of fail2ban
|
|
|
|
- The update to this versions allow to close boo#917818, as the logger-backends for
|
|
several services are now centrally set in /etc/fail2ban/paths-opensuse.conf
|
|
|
|
- Update to version 0.9.4
|
|
New Features:
|
|
* New interpolation feature for definition config readers - `<known/parameter>`
|
|
(means last known init definition of filters or actions with name `parameter`).
|
|
This interpolation makes possible to extend a parameters of stock filter or
|
|
action directly in jail inside jail.local file, without creating a separately
|
|
filter.d/*.local file.
|
|
As extension to interpolation `%(known/parameter)s`, that does not works for
|
|
filter and action init parameters
|
|
* New actions:
|
|
- nftables-multiport and nftables-allports - filtering using nftables
|
|
framework. Note: it requires a pre-existing chain for the filtering rule.
|
|
* New filters:
|
|
- openhab - domotic software authentication failure with the
|
|
rest api and web interface (gh-1223)
|
|
- nginx-limit-req - ban hosts, that were failed through nginx by limit
|
|
request processing rate (ngx_http_limit_req_module)
|
|
- murmur - ban hosts that repeatedly attempt to connect to
|
|
murmur/mumble-server with an invalid server password or certificate.
|
|
- haproxy-http-auth - filter to match failed HTTP Authentications against a
|
|
HAProxy server
|
|
* New jails:
|
|
- murmur - bans TCP and UDP from the bad host on the default murmur port.
|
|
* sshd filter got new failregex to match "maximum authentication
|
|
attempts exceeded" (introduced in openssh 6.8)
|
|
* Added filter for Mac OS screen sharing (VNC) daemon
|
|
|
|
Enhancements:
|
|
* Do not rotate empty log files
|
|
* Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
|
|
http://bugs.debian.org/798923
|
|
* Added openSUSE path configuration (Thanks Johannes Weberhofer)
|
|
* Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
|
|
* Added a timeout (3 sec) to urlopen within badips.py action
|
|
(Thanks M. Maraun)
|
|
* Added check against atacker's Googlebot PTR fake records
|
|
(Thanks Pablo Rodriguez Fernandez)
|
|
* Enhance filter against atacker's Googlebot PTR fake records
|
|
(gh-1226)
|
|
* Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
|
|
* Added filter for openhab domotic software authentication failure with the
|
|
rest api and web interface (gh-1223)
|
|
* Add *_backend options for services to allow distros to set the default
|
|
backend per service, set default to systemd for Fedora as appropriate
|
|
* Performance improvements while monitoring large number of files (gh-1265).
|
|
Use associative array (dict) for monitored log files to speed up lookup
|
|
operations. Thanks @kshetragia
|
|
* Specified that fail2ban is PartOf iptables.service firewalld.service in
|
|
.service file -- would reload fail2ban if those services are restarted
|
|
* Provides new default `fail2ban_version` and interpolation variable
|
|
`fail2ban_agent` in jail.conf
|
|
* Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
|
|
and to support multiple instances of postfix having varying suffix (gh-1331)
|
|
(Thanks Tom Hendrikx)
|
|
* files/gentoo-initd to use start-stop-daemon to robustify restarting the service
|
|
|
|
Fixes:
|
|
* roundcube-auth jail typo for logpath
|
|
* Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
|
|
* filter.d/apache-badbots.conf
|
|
- Updated useragent string regex adding escape for `+`
|
|
* filter.d/mysqld-auth.conf
|
|
gg - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
|
|
* filter.d/sshd.conf
|
|
- Updated "Auth fail" regex for OpenSSH 5.9 and later
|
|
* Treat failed and killed execution of commands identically (only
|
|
different log messages), which addresses different behavior on different
|
|
exit codes of dash and bash (gh-1155)
|
|
* Fix jail.conf.5 man's section (gh-1226)
|
|
* Fixed default banaction for allports jails like pam-generic, recidive, etc
|
|
with new default variable `banaction_allports` (gh-1216)
|
|
* Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
|
|
for python version < 3.x (gh-1248)
|
|
* Use postfix_log logpath for postfix-rbl jail
|
|
* filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
|
|
* use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
|
|
* Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
|
|
* Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
|
|
* Removed compression and rotation count from logrotate (inherit them from
|
|
the global logrotate config)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 4 15:50:38 UTC 2016 - jweberhofer@weberhofer.at
|
|
|
|
- Require python-systemd for openSUSE 12.3+
|
|
- Cleaned up the spec file
|
|
- Added /run/fail2ban for openSUSE 13.2+
|
|
- Don't fail on test-errors
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Sep 23 10:10:17 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
|
|
to fix the former failing test and removed
|
|
fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
|
|
|
|
- Do not longer create test-package. Developers should not use the packaged
|
|
version of fail2ban.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 7 09:45:56 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- patches are no longer included conditionally
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 7 06:54:33 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch excludes the
|
|
ExecuteTimeoutWithNastyChildren test, as it doesn't run correctly on
|
|
openSUSE.
|
|
|
|
- fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for
|
|
older releases.
|
|
|
|
- Update to version 0.9.3
|
|
|
|
- IMPORTANT incompatible changes:
|
|
* filter.d/roundcube-auth.conf
|
|
- Changed logpath to 'errors' log (was 'userlogins')
|
|
* action.d/iptables-common.conf
|
|
- All calls to iptables command now use -w switch introduced in
|
|
iptables 1.4.20 (some distribution could have patched their
|
|
earlier base version as well) to provide this locking mechanism
|
|
useful under heavy load to avoid contesting on iptables calls.
|
|
If you need to disable, define 'action.d/iptables-common.local'
|
|
with empty value for 'lockingopt' in `[Init]` section.
|
|
* mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
|
|
actions now include by default only the first 1000 log lines in
|
|
the emails. Adjust <grepopts> to augment the behavior.
|
|
|
|
- Fixes:
|
|
* reload in interactive mode appends all the jails twice (gh-825)
|
|
* reload server/jail failed if database used (but was not changed) and
|
|
some jail active (gh-1072)
|
|
* filter.d/dovecot.conf - also match unknown user in passwd-file.
|
|
Thanks Anton Shestakov
|
|
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
|
|
* filter.d/asterisk.conf - fix security log support for Asterisk 12+
|
|
* filter.d/roundcube-auth.conf
|
|
- Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
|
|
- Added regex to work with 'userlogins' log
|
|
* action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
|
|
locale on systems with customized LC_ALL
|
|
* performance fix: minimizes connection overhead, close socket only at
|
|
communication end (gh-1099)
|
|
* unbanip always deletes ip from database (independent of bantime, also if
|
|
currently not banned or persistent)
|
|
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
|
|
* always set 'dbfile' before other database options (gh-1050)
|
|
* kill the entire process group of the child process upon timeout (gh-1129).
|
|
Otherwise could lead to resource exhaustion due to hanging whois
|
|
processes.
|
|
* resolve /var/run/fail2ban path in setup.py to help installation
|
|
on platforms with /var/run -> /run symlink (gh-1142)
|
|
|
|
- New Features:
|
|
* RETURN iptables target is now a variable: <returntype>
|
|
* New type of operation: pass2allow, use fail2ban for "knocking",
|
|
opening a closed port by swapping blocktype and returntype
|
|
* New filters:
|
|
- froxlor-auth - Thanks Joern Muehlencord
|
|
- apache-pass - filter Apache access log for successful authentication
|
|
* New actions:
|
|
- shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
|
|
manual pre-configuration of the shorewall. See the action file for detail.
|
|
* New jails:
|
|
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
|
|
|
|
- Enhancements:
|
|
* action.d/cloudflare.conf - improved documentation on how to allow
|
|
multiple CF accounts, and jail.conf got new compound action
|
|
definition action_cf_mwl to submit cloudflare report.
|
|
* Check access to socket for more detailed logging on error (gh-595)
|
|
* fail2ban-testcases man page
|
|
* filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
|
|
HEAD method verb
|
|
* Revamp of Travis and coverage automated testing
|
|
* Added a space between IP address and the following colon
|
|
in notification emails for easier text selection
|
|
* Character detection heuristics for whois output via optional setting
|
|
in mail-whois*.conf. Thanks Thomas Mayer.
|
|
Not enabled by default, if _whois_command is set to be
|
|
%(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
|
|
it
|
|
- detects character set of whois output (which is undefined by
|
|
RFC 3912) via heuristics of the file command
|
|
- converts whois data to UTF-8 character set with iconv
|
|
- sends the whois output in UTF-8 character set to mail program
|
|
- avoids that heirloom mailx creates binary attachment for input with
|
|
unknown character set
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jul 2 06:38:00 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Note: fail2ban-issue_906-strptime.patch has been removed as it is already
|
|
integrated in the current version.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 8 13:27:00 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Removed "backend" setting from paths-opensuse.conf
|
|
|
|
-------------------------------------------------------------------
|
|
Fri May 8 14:01:31 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.9.2 (requested in boo#917818)
|
|
|
|
Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog
|
|
|
|
Here are some notes to be read when updating existing installations:
|
|
|
|
The default log-backend for openssue 13.2+ is now systemd
|
|
|
|
* jail.conf was heavily refactored and now is similar to how it looked on
|
|
Debian systems:
|
|
- default action could be configured once for all jails
|
|
- jails definitions only provide customizations (port, logpath)
|
|
- no need to specify 'filter' if name matches jail name
|
|
|
|
* Added fail2ban persistent database
|
|
- default location at /var/lib/fail2ban/fail2ban.sqlite3
|
|
- allows active bans to be reinstated on restart
|
|
- log files read from last position after restart
|
|
|
|
* Added systemd journal backend
|
|
- Dependency on python-systemd
|
|
- New "journalmatch" option added to filter configs files
|
|
- New "systemd-journal" option added to fail2ban-regex
|
|
|
|
* Support %z (Timezone offset) and %f (sub-seconds) support for datedetector.
|
|
Enhanced existing date/time have been updated patterns to support these.
|
|
ISO8601 now defaults to localtime unless specified otherwise. Some filters
|
|
have been change as required to capture these elements in the right
|
|
timezone correctly.
|
|
|
|
* Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
|
|
|
|
* Optionally can read log files starting from "head" or "tail". See "logpath"
|
|
option in jail.conf(5) man page.
|
|
|
|
* Can now set log encoding for files per jail.Default uses systemd locale.
|
|
|
|
* iptables-common.conf replaced iptables-blocktype.conf
|
|
(iptables-blocktype.local should still be read) and now also provides
|
|
defaults for the chain, port, protocol and name tags
|
|
|
|
- Require whois
|
|
|
|
- Whereever possible, path-definitions have been moved paths-opensuse.conf
|
|
which has been submittet upstream
|
|
|
|
- Use default fail2ban.service including fail2ban-opensuse-service.patch
|
|
|
|
- Use default suse-initd from upstream
|
|
|
|
- Run test-cases during build
|
|
|
|
- run fdupes
|
|
|
|
- Tests have been moved to a seperate page
|
|
|
|
- Added rpmlintrc file to ignore some hidden files in the test package
|
|
|
|
- Must build arch-depended packages for SLES 11
|
|
|
|
- Removed two tests which can't run on the build server with openSUSE
|
|
before 13.3: fail2ban-exclude-dev-log-tests.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 14 07:10:43 UTC 2015 - mpluskal@suse.com
|
|
|
|
- Add missing dependency on ed (boo#926943)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 21 21:00:48 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Fixed strptime thread safety issue.
|
|
fail2ban-issue_906-strptime.patch (bnc#914075 gh#fail2ban/fail2ban#906)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 25 11:36:13 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Added syslog to requirements, as this version of fail2ban does not
|
|
work with systemd-logging: bnc#905733
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Oct 17 09:44:12 UTC 2014 - jengelh@inai.de
|
|
|
|
- Recommend installation of the ordering package when all
|
|
constituing parts are installed
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Aug 21 16:50:20 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Fixed check for %_unitdir to make fail2ban build under older systems, too.
|
|
- Changed /usr to %{_prefix} in the spec file
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 20 15:44:54 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- update to 0.8.14
|
|
* minor fixes for claimed Python 2.4 and 2.5 compatibility
|
|
* Handle case when inotify watch is auto deleted on file deletion to stop
|
|
error messages
|
|
* tests - fixed few "leaky" file descriptors when files were not closed while
|
|
being removed physically
|
|
* grep in mail*-whois-lines.conf now also matches end of line to work with
|
|
the recidive filter
|
|
- add fail2ban-opensuse-locations.patch to fix default locations as suggested
|
|
in bnc#878028
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de
|
|
|
|
- update to 0.8.13:
|
|
+ Fixes:
|
|
- action firewallcmd-ipset had non-working actioncheck. Removed.
|
|
redhat bug #1046816.
|
|
- filter pureftpd - added _daemon which got removed. Added
|
|
|
|
+ New Features:
|
|
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
|
|
- filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
|
|
|
|
+ Enhancements:
|
|
- filter asterisk now supports syslog format
|
|
- filter pureftpd - added all translations of "Authentication failed for
|
|
user"
|
|
- filter dovecot - lip= was optional and extended TLS errors can occur.
|
|
Thanks Noel Butler.
|
|
- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed
|
|
upstream
|
|
- split out nagios-plugins-fail2ban package
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 18 00:03:12 UTC 2014 - jengelh@inai.de
|
|
|
|
- Add a new subpackage to install systemd drop-ins that couple
|
|
SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf,
|
|
f2b-restart.conf.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
Security note: The update to version 0.8.11 has fixed two additional security
|
|
issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
|
|
be blocked by Fail2ban causing legitimate users to be blocked from accessing
|
|
services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
|
|
(postfix)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
|
|
|
|
- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
|
|
newer versions of openSUSE
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Reviewed and fixed github references in the changelog
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Use new flushlogs syntax after logrotate
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.8.12
|
|
|
|
* Log rotation can now occur with the command "flushlogs" rather than
|
|
reloading fail2ban or keeping the logtarget settings consistent in
|
|
jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
|
|
|
|
* Added ignorecommand option for allowing dynamic determination as to ignore
|
|
and IP or not.
|
|
|
|
* Remove indentation of name and loglevel while logging to SYSLOG to resolve
|
|
syslog(-ng) parsing problems. (dep#730202). Log lines now also
|
|
report "[PID]" after the name portion too.
|
|
|
|
* Epoch dates can now be enclosed within []
|
|
|
|
* New actions: badips, firewallcmd-ipset, ufw, blocklist_de
|
|
|
|
* New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
|
|
ejabberd, openwebmail, groupoffice
|
|
|
|
* Filter improvements:
|
|
- apache-noscript now includes php cgi scripts
|
|
- exim-spam filter to match spamassassin log entry for option SAdevnull.
|
|
- Added to sshd filter expression for
|
|
"Received disconnect from : 3: Auth fail"
|
|
- Improved ACL-handling for Asterisk
|
|
- Added improper command pipelining to postfix filter.
|
|
|
|
* General fixes:
|
|
- Added lots of jail.conf entries for missing filters that creaped in
|
|
over the last year.
|
|
- synchat changed to use push method which verifies whether all data was
|
|
send. This ensures that all data is sent before closing the connection.
|
|
- Fixed python 2.4 compatibility (as sub-second in date patterns weren't
|
|
2.4 compatible)
|
|
- Complain/email actions fixed to only include relevant IPs to reporting
|
|
|
|
* Filter fixes:
|
|
- Added HTTP referrer bit of the apache access log to the apache filters.
|
|
- Apache 2.4 perfork regexes fixed
|
|
- Kernel syslog expression can have leading spaces
|
|
- allow for ",milliseconds" in the custom date format of proftpd.log
|
|
- recidive jail to block all protocols
|
|
- smtps not a IANA standard so may be missing from /etc/services. Due to
|
|
(still) common use 465 has been used as the explicit port number
|
|
- Filter dovecot reordered session and TLS items in regex with wider scope
|
|
for session characters
|
|
|
|
* Ugly Fixes (Potentially incompatible changes):
|
|
|
|
- Unfortunately at the end of last release when the action
|
|
firewall-cmd-direct-new was added it was too long and had a broken action
|
|
check. The action was renamed to firewallcmd-new to fit within jail name
|
|
name length. (gh#fail2ban/fail2ban#395).
|
|
|
|
- Last release added mysqld-syslog-iptables as a jail configuration. This
|
|
jailname was too long and it has been renamed to mysqld-syslog.
|
|
|
|
- Fixed formating of github references in changelog
|
|
- reformatted spec-file
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.8.11
|
|
|
|
- In light of CVE-2013-2178 that triggered our last release we have put a
|
|
significant effort into tightening all of the regexs of our filters to avoid
|
|
another similar vulnerability. We haven't examined all of these for a potential
|
|
DoS scenario however it is possible that another DoS vulnerability exists that
|
|
is fixed by this release. A large number of filters have been updated to
|
|
include more failure regexs supporting previously unbanned failures and support
|
|
newer application versions too. We have test cases for most of these now
|
|
however if you have other examples that demonstrate that a filter is
|
|
insufficient we welcome your feedback. During the tightening of the regexs to
|
|
avoid DoS vulnerabilities there is the possibility that we have inadvertently,
|
|
despite our best intentions, incorrectly allowed a failure to continue.
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Sep 21 11:38:29 UTC 2013 - schuetzm@gmx.net
|
|
|
|
- Added systemd service file and systemd-tmpfiles configuration
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
|
|
by "bugs" in apache- filters. If you are relying on listed below apache-
|
|
filters, upgrade asap and seek your distributions to patch their fail2ban
|
|
distribution with [6ccd5781]. The bug's decription can be found in
|
|
https://vndh.net/note:fail2ban-089-denial-service
|
|
|
|
- Fixes
|
|
* [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
|
|
failregex at the beginning (and where applicable at the end).
|
|
Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710
|
|
* action.d/{route,shorewall}.conf - blocktype must be defined
|
|
within [Init]. Closes gh#fail2ban/fail2ban#232
|
|
|
|
- Enhancements
|
|
* jail.conf -- assure all jails have actions and remove unused
|
|
ports specifications
|
|
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
|
|
* files/suse-initd -- update to the copy from stock SUSE
|
|
* Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
|
|
gh#fail2ban/fail2ban#230.
|
|
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes
|
|
gh#fail2ban/fail2ban#244.
|
|
|
|
------------------------------------------------------------------
|
|
Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at
|
|
|
|
- Included logrotate configuration for fail2ban
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
|
|
|
|
- Init-Script does no longer require $syslog to be started as file-base logging
|
|
is the default. Synced with Debian script.
|
|
|
|
- Upgrade to version 0.8.9
|
|
|
|
- Fixes: Yaroslav Halchenko
|
|
* [6f4dad46] python-2.4 is the minimal version.
|
|
* [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
|
|
on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the
|
|
bug report.
|
|
* [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
|
|
insight. Closes gh#fail2ban/fail2ban#103.
|
|
* [ab044b75] delay check for the existence of config directory until read.
|
|
* [3b4084d4] fixing up for handling of TAI64N timestamps.
|
|
* [154aa38e] do not shutdown logging until all jails stop.
|
|
* [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes
|
|
gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and
|
|
troubleshooting. Orion Poplawski
|
|
* [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
|
|
newly created directories.
|
|
Nicolas Collignon
|
|
* [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167.
|
|
Sergey Brester
|
|
* [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
|
|
sorting template list.
|
|
Steven Hiscocks
|
|
* [7a442f07] When changing log target with python2.{4,5} handle KeyError.
|
|
Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148.
|
|
* [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124.
|
|
Daniel Black
|
|
* [f0610c01] Allow more that a one word command when changing and Action via
|
|
the fail2ban-client. Closes gh#fail2ban/fail2ban#134.
|
|
* [945ad3d9] Fix dates on email actions to work in different locals. Closes
|
|
gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
|
|
blotus
|
|
* [96eb8986] ' and " should also be escaped in action tags Closes
|
|
gh#fail2ban/fail2ban#109
|
|
Christoph Theis, Nick Hilliard, Daniel Black
|
|
* [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
|
|
- New features:
|
|
Yaroslav Halchenko
|
|
* [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
|
|
to provide additional flexibility to system adminstrators. Thanks to
|
|
beilber for the idea. Closes gh#fail2ban/fail2ban#114.
|
|
* [3ce53e87] Add exim filter.
|
|
Erwan Ben Souiden
|
|
* [d7d5228] add nagios integration documentation and script to ensure
|
|
fail2ban is running. Closes gh#fail2ban/fail2ban#166.
|
|
Artur Penttinen
|
|
* [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152.
|
|
ArndRaphael Brandes
|
|
* [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117.
|
|
Michael Gebetsriother
|
|
* [f9b78ba] Add action route to block at routing level.
|
|
Teodor Micu & Yaroslav Halchenko
|
|
* [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
|
|
Daniel Black
|
|
* [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102.
|
|
Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
|
|
* [b6d0e8a] Add and enhance the bsd-ipfw action from
|
|
FreeBSD ports.
|
|
Soulard Morgan
|
|
* [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99.
|
|
Steven Hiscocks
|
|
* [..746c7d9] bash interactive shell completions for fail2ban-*'s
|
|
Nick Hilliard
|
|
* [0c5a9c5] Add pf action.
|
|
- Enhancements:
|
|
Enrico Labedzki
|
|
* [24a8d07] Added new date format for ASSP SMTP Proxy.
|
|
Steven Hiscocks
|
|
* [3d6791f] Ensure restart of Actions after a check fails occurs
|
|
consistently. Closes gh#fail2ban/fail2ban#172.
|
|
* [MANY] Improvements to test cases, travis, and code coverage (coveralls).
|
|
* [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124.
|
|
* [ce3ab34] Added ability to specify PID file.
|
|
Orion Poplawski
|
|
* [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
|
|
Closes gh#fail2ban/fail2ban#142.
|
|
Yaroslav Halchenko
|
|
* [MANY] Lots of improvements to log messages, man pages and test cases.
|
|
* [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
|
|
Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger.
|
|
* [40c5a2d] adding more of diagnostic messages into -client while starting
|
|
the daemon.
|
|
* [8e63d4c] Compare against None with 'is' instead of '=='.
|
|
* [6fef85f] Strip CR and LF while analyzing the log line
|
|
Daniel Black
|
|
* [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143.
|
|
* [MANY] man page edits.
|
|
* [7cd6dab] Added help command to fail2ban-client.
|
|
* [c8c7b0b,23bbc60] Better logging of log file read errors.
|
|
* [3665e6d] Added code coverage to development process.
|
|
* [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
|
|
source. Also include BSD changes.
|
|
* [1d9abd1] Action files can have tags in definition that refer to other
|
|
tags.
|
|
* [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
|
|
unreachable rather than just a drop of the packet.
|
|
Pascal Borreli
|
|
* [a2b29b4] Fixed lots of typos in config files and documentation.
|
|
hamilton5
|
|
* [7ede1e8] Update dovecot filter config.
|
|
Romain Riviere
|
|
* [0ac8746] Enhance named-refused filter for views.
|
|
James Stout
|
|
* [..2143cdf] Solaris support enhancements:
|
|
- README.Solaris
|
|
- failregex'es tune ups (sshd.conf)
|
|
- hostsdeny: do not rely on support of '-i' in sed
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Dec 6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
One of the important changes is escaping of the <matches> content -- so if you
|
|
crafted some custom action which uses it -- you must upgrade, or you
|
|
would be at a significant security risk.
|
|
|
|
- Fixes:
|
|
Alan Jenkins
|
|
* [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
|
|
banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64
|
|
Yaroslav Halchenko
|
|
* [83109bc] IMPORTANT: escape the content of <matches> (if used in
|
|
custom action files) since its value could contain arbitrary
|
|
symbols. Thanks for discovery go to the NBS System security
|
|
team
|
|
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes.
|
|
Close gh#fail2ban/fail2ban#83
|
|
* [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
|
|
* [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
|
|
in the console. Close gh#fail2ban/fail2ban#91
|
|
|
|
- New features:
|
|
David Engeset
|
|
* [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
|
|
the log file to take 'banip' or 'unbanip' in effect.
|
|
Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
|
|
|
|
- Enhancements:
|
|
* [2d66f31] replaced uninformative "Invalid command" message with warning log
|
|
exception why command actually failed
|
|
* [958a1b0] improved failregex to "support" auth.backend = "htdigest"
|
|
* [9e7a3b7] until we make it proper module -- adjusted sys.path only if
|
|
system-wide run
|
|
* [f52ba99] downgraded "already banned" from WARN to INFO level.
|
|
Closes gh#fail2ban/fail2ban#79
|
|
* [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
|
|
for this gh#fail2ban/fail2ban#87)
|
|
* Various others: travis-ci integration, script to run tests
|
|
against all available Python versions, etc
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Fixed initscript as discussed in bnc#790557
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 3 09:53:40 UTC 2012 - meissner@suse.com
|
|
|
|
- use Source URL pointing to github
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Do not longer replace main config-files
|
|
- Use variables for directories in spec file
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Added dependencies to python-pyinotifyi, python-gamin and iptables
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Upgraded to version 0.8.7.1
|
|
|
|
- Yaroslav Halchenko
|
|
* [e9762f3] Removed sneaked in comment on sys.path.insert
|
|
Tom Hendrikx & Jeremy Olexa
|
|
* [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
|
|
See http://forums.gentoo.org/viewtopic-t-899018.html
|
|
- Chris Reffett
|
|
* [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
|
|
rather than just one failure.
|
|
- Yaroslav Halchenko
|
|
* [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
|
|
* [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
|
|
* [ed16ecc] enforce "ip" field returned as str, not unicode so that log
|
|
message stays non-unicode. Close gh#fail2ban/fail2ban#32
|
|
* [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
|
|
already present in the pattern
|
|
* [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
|
|
friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66)
|
|
* [80b191c] anchor grep regexp in actioncheck to not match partial names
|
|
of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
|
|
- New features:
|
|
- François Boulogne
|
|
* [a7cb20e..] add lighttpd-auth filter/jail
|
|
- Lee Clemens & Yaroslav Halchenko
|
|
* [e442503] pyinotify backend (default if backend='auto' and pyinotify
|
|
is available)
|
|
* [d73a71f,3989d24] usedns parameter for the jails to allow disabling
|
|
use of DNS
|
|
- Tom Hendrikx
|
|
* [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
|
|
repeated offenders. Close gh#fail2ban/fail2ban#19
|
|
- Xavier Devlamynck
|
|
* [7d465f9..] Add asterisk support
|
|
- Zbigniew Jedrzejewski-Szmek
|
|
* [de502cf..] allow running fail2ban as non-root user (disabled by
|
|
default) via xt_recent. See doc/run-rootless.txt
|
|
- Enhancements
|
|
- Lee Clemens
|
|
* [47c03a2] files/nagios - spelling/grammar fixes
|
|
* [b083038] updated Free Software Foundation's address
|
|
* [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
|
|
* [642d9af,3282f86] reformated printing of jail's name to be consistent
|
|
with init's info messages
|
|
* [3282f86] uniform use of capitalized Jail in the messages
|
|
- Leonardo Chiquitto
|
|
* [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
|
|
to reflect code
|
|
* [a7d47e8] Update Free Software Foundation's address
|
|
- Petr Voralek
|
|
* [4007751] catch failed ssh logins due to being listed in DenyUsers.
|
|
Close gh#fail2ban/fail2ban#47 (Closes: #669063)
|
|
- Yaroslav Halchenko
|
|
* [MANY] extended and robustified unittests: test different backends
|
|
* [d9248a6] refactored Filter's to avoid duplicate functionality
|
|
* [7821174] direct users to issues on github
|
|
* [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
|
|
default with -v to control verbosity
|
|
* [b4099da] adjusted header for config/*.conf to mention .local and way
|
|
to comment (Thanks Stefano Forli for the note)
|
|
* [6ad55f6] added failregex for wu-ftpd to match against syslog instead
|
|
of DoS-prone auth.log's rhost (Closes: #514239)
|
|
* [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
|
|
sshd filter (Closes: #648020)
|
|
- Yehuda Katz & Yaroslav Halchenko
|
|
* [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de
|
|
|
|
- Adding to fail2ban.init remove of pid and sock files on stop
|
|
in case not removed before (prevents start fail)
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.8.6. containing various fixes and enhancements
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com
|
|
|
|
- Update to version 0.8.5: many bug fixes, enhancements and, as
|
|
a bonus, drop two patches that are now upstream
|
|
- Update FSF address to silent rpmlint warnings
|
|
- Drop stale socket files on startup (bnc#537239, bnc#730044)
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de
|
|
|
|
- Apply packaging guidelines (remove redundant/obsolete
|
|
tags/sections from specfile, etc.)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com
|
|
|
|
- Use /var/run/fail2ban instead of /tmp for temp files in
|
|
actions: see bugs.debian.org/544232, bnc#690853,
|
|
CVE-2009-5023
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com
|
|
|
|
- Use $FAIL2BAN_OPTIONS when starting (bnc#662495)
|
|
- Clean up sysconfig file
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org
|
|
|
|
- Use O_CLOEXEC on fds (patch from Fedora)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com
|
|
|
|
- Create /var/run/fail2ban during startup to support systems that
|
|
mount /var/run as tmpfs
|
|
- Build package as noarch
|
|
- Spec file cleanup: fix a couple of rpmlint warnings
|
|
- Init script: look for fail2ban-server when checking if the
|
|
daemon is running
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com
|
|
|
|
- Update to version 0.8.4. Important changes:
|
|
* New "Ban IP" command
|
|
* New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve
|
|
* Fixed the 'unexpected communication error' problem
|
|
* Remove socket file on startup if fail2ban crashed (bnc#537239)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de
|
|
|
|
- Initial version: 0.8.3
|
|
|