forked from pool/fail2ban
Marcus Meissner
c0917c8a4c
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=120
1451 lines
71 KiB
Plaintext
1451 lines
71 KiB
Plaintext
-------------------------------------------------------------------
|
|
Wed Sep 4 07:54:06 UTC 2024 - Marcus Meissner <meissner@suse.com>
|
|
|
|
- fail2ban-fix-openssh98.patch: fix to work with openssh 9.8 (bsc#1230101)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 26 08:17:28 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
- Use %patch -P N instead of deprecated %patchN.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 5 16:36:47 UTC 2023 - Lars Vogdt <lars@linux-schulserver.de>
|
|
|
|
- use nagios-rpm-macros to define the libexecdir for SUSE distributions
|
|
correctly (defaut here is /usr/lib/nagios/plugins)
|
|
- move conditional for %%pre scripts, to avoid any dependency or other
|
|
stuff getting in the way on old distributions
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Dec 4 21:07:21 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
|
|
|
- update to 1.0.2:
|
|
* Update of major version of fail2ban with primary target to fix a
|
|
dovecot-filter regression #3370.
|
|
* See the ChangeLog for more information.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 12 08:11:52 UTC 2022 - Paolo Stivanin <info@paolostivanin.com>
|
|
|
|
- Update to 1.0.1:
|
|
* https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog
|
|
- Remove fail2ban-0.11.2-upstream-patch-python-3.9.patch.
|
|
- Remove fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch.
|
|
- Remove fail2ban-rpmlintrc since it's no longer needed.
|
|
- Add fail2ban.keyring.
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Jan 22 11:17:48 UTC 2022 - Arjen de Korte <suse+build@de-korte.org>
|
|
|
|
- Fail2ban can't be PartOf ipset.service and nftables.service that
|
|
conflict with firewalld.service (as it will prevent restarting the
|
|
latter and which are not provided anymore)
|
|
* fail2ban-opensuse-service.patch
|
|
* harden_fail2ban.service.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 19 13:05:44 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
|
|
|
- add python-rpm-macros buildrequires (bsc#1194752)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Nov 12 10:49:20 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow
|
|
fail2ban run under under python 3.9+
|
|
|
|
- Shifted the order of the patches
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Sep 14 07:47:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
|
|
* harden_fail2ban.service.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch
|
|
to fixs CVE-2021-32749 - bnc#1188610 to prevent a command injection via mail comand
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Dec 5 17:25:17 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Integrate change to resolve bnc#1146856 and bnc#1180738
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Update to 0.11.2
|
|
increased stability, filter and action updates
|
|
|
|
- New Features and Enhancements
|
|
* fail2ban-regex:
|
|
- speedup formatted output (bypass unneeded stats creation)
|
|
- extended with prefregex statistic
|
|
- more informative output for `datepattern` (e. g. set from filter) - pattern : description
|
|
* parsing of action in jail-configs considers space between action-names as separator also
|
|
(previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b`
|
|
* new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689)
|
|
* new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855)
|
|
* new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723)
|
|
* `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured
|
|
(gh#fail2ban/fail2ban#2631)
|
|
* `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778)
|
|
* introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
|
|
* datetemplate: improved anchor detection for capturing groups `(^...)`;
|
|
* datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc)
|
|
as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814):
|
|
- filter gets mode in-operation, which gets activated if filter starts processing of new messages;
|
|
in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
|
|
from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
|
|
bypass of failure (previously exceeding `findtime`);
|
|
- better interaction with non-matching optional datepattern or invalid timestamps;
|
|
- implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
|
|
whereas filter will use now as timestamp (gh#fail2ban/fail2ban#2802)
|
|
* performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template);
|
|
* fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh#fail2ban/fail2ban#2791;
|
|
* extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag
|
|
prefix `<F-TUPLE_`, that would combine value of `<F-V>` with all value of `<F-TUPLE_V?_n?>` tags (gh#fail2ban/fail2ban#2755)
|
|
|
|
- Fixes
|
|
* [stability] prevent race condition - no ban if filter (backend) is continuously busy if
|
|
too many messages will be found in log, e. g. initial scan of large log-file or journal (gh#fail2ban/fail2ban#2660)
|
|
* pyinotify-backend sporadically avoided initial scanning of log-file by start
|
|
* python 3.9 compatibility (and Travis CI support)
|
|
* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
|
|
* manual ban is written to database, so can be restored by restart (gh#fail2ban/fail2ban#2647)
|
|
* `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
|
|
* no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
|
|
per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357
|
|
* ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686)
|
|
* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
|
|
so would bother the action interpolation
|
|
* fixed type conversion in config readers (take place after all interpolations get ready), that allows to
|
|
specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
|
|
* `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
|
|
between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703)
|
|
* `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing
|
|
with `jq`, gh#fail2ban/fail2ban#2140, gh#fail2ban/fail2ban#2656)
|
|
* `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2763)
|
|
* `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2821)
|
|
* `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836)
|
|
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
|
|
should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650)
|
|
* `filter.d/dovecot.conf`:
|
|
- add managesieve and submission support (gh#fail2ban/fail2ban#2795);
|
|
- accept messages with more verbose logging (gh#fail2ban/fail2ban#2573);
|
|
* `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697)
|
|
* `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle
|
|
the match of username differently (gh#fail2ban/fail2ban#2693):
|
|
- `normal`: matches 401 with supplied username only
|
|
- `ddos`: matches 401 without supplied username only
|
|
- `aggressive`: matches 401 and any variant (with and without username)
|
|
* `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749)
|
|
|
|
- Rebased patches
|
|
- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 19 09:04:12 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
- Use %{_tmpfilesdir} consistently throughout the .spec.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu May 21 07:49:38 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
|
|
|
|
- Update to 0.11.1:
|
|
* Increment ban time (+ observer) functionality introduced.
|
|
* Database functionality extended with bad ips.
|
|
* New tags (usable in actions):
|
|
- `<bancount>` - ban count of this offender if known as bad
|
|
(started by 1 for unknown)
|
|
- `<bantime>` - current ban-time of the ticket
|
|
(prolongation can be retarded up to 10 sec.)
|
|
* Introduced new action command `actionprolong` to prolong ban-time
|
|
(e. g. set new timeout if expected);
|
|
* algorithm of restore current bans after restart changed:
|
|
update the restored ban-time (and therefore
|
|
end of ban) of the ticket with ban-time of jail (as maximum),
|
|
for all tickets with ban-time greater (or persistent)
|
|
* added new setup-option `--without-tests` to skip building
|
|
and installing of tests files (gh-2287).
|
|
* added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?`
|
|
to get the banned ip addresses (gh-1916).
|
|
* purge database will be executed now (within observer).
|
|
restoring currently banned ip after service restart fixed
|
|
(now < timeofban + bantime), ignore old log failures (already banned)
|
|
* upgrade database: update new created table `bips` with entries
|
|
from table `bans` (allows restore current bans after
|
|
upgrade from version <= 0.10)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 9 14:06:14 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
- Switch to use python3 (upstream supported):
|
|
+ BuildRequire python3-tools instead of python-devel (for the
|
|
2to3 tool).
|
|
+ Drop the python-gamin dependency.
|
|
+ Replace all python-FOO deps for their python3-FOO counterpart.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Aug 12 09:10:37 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>
|
|
|
|
- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpretor
|
|
- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2
|
|
will be removed from Factory (see sr#713247):
|
|
* fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service
|
|
* fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for
|
|
older distributions
|
|
* Removed installation recommendation of the fail2ban-SuSEfirewall2
|
|
package for all distributions as it is deprecated.
|
|
- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file
|
|
location (boo#1145181, gh#fail2ban/fail2ban#2474)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jun 11 12:42:54 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
|
|
shortcut the build queues by allowing usage of systemd-mini
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de
|
|
|
|
- ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four
|
|
* https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog
|
|
|
|
- Fixes
|
|
* `filter.d/dovecot.conf`:
|
|
- failregex enhancement to catch sql password mismatch errors (gh-2153);
|
|
- disconnected with "proxy dest auth failed" (gh-2184);
|
|
* `filter.d/freeswitch.conf`:
|
|
- provide compatibility for log-format from gh-2193:
|
|
* extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
|
|
`YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
|
|
* more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
|
|
- extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
|
|
(see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
|
|
how to set it to mode `normal`.
|
|
* `filter.d/domino-smtp.conf`:
|
|
- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
|
|
- failregex extended to catch connections rejected for policy reasons (gh-2228);
|
|
* `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected
|
|
and don't allowed in command-actions), see gh-2114;
|
|
* decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
|
|
- fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
|
|
`UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors;
|
|
- actions: avoid possible conversion errors on wrong-chars by replace tags;
|
|
- database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
|
|
additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
|
|
- logging in fail2ban is process-wide exception-safe now.
|
|
* repaired start-time of initial seek to time (as well as other log-parsing related data),
|
|
if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
|
|
* systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
|
|
|
|
- New Features
|
|
* new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`,
|
|
`ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
|
|
* `ignorecommand` extended to use actions-similar replacement (capable to interpolate
|
|
all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)
|
|
|
|
- Enhancements
|
|
* `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
|
|
* since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
|
|
additionally option `-V` can be used to get version in normalized machine-readable short format.
|
|
|
|
- rebase patches
|
|
* fail2ban-opensuse-locations.patch
|
|
* fail2ban-opensuse-service.patch
|
|
- add signature file
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Apr 21 06:02:12 UTC 2018 - jweberhofer@weberhofer.at
|
|
|
|
- Updated to version 0.10.3.1. Changelog:
|
|
https://github.com/fail2ban/fail2ban/blob/0.10.3.1/ChangeLog
|
|
|
|
* fixed JSON serialization for the set-object within dump into database (gh-2103).
|
|
|
|
- Updated to version 0.10.3. Changelog:
|
|
https://github.com/fail2ban/fail2ban/blob/0.10.3/ChangeLog
|
|
|
|
- Fixes
|
|
* `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
|
|
* `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
|
|
* `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;
|
|
* `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
|
|
- fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064);
|
|
* `filter.d/sshd.conf`:
|
|
- failregex got an optional space in order to match new log-format (see gh-2061);
|
|
- fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
|
|
- fixed root login refused regex (optional port before preauth, gh-2080);
|
|
- avoid banning of legitimate users when pam_unix used in combination with other password method, so
|
|
bypass pam_unix failures if accepted available for this user gh-2070;
|
|
- amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
|
|
- mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
|
|
it counts failure on closing connection within preauth-stage (gh-2085);
|
|
* `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
|
|
* `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
|
|
* `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
|
|
* (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
|
|
|
|
- New Features
|
|
* several stability and performance optimizations, more effective filter parsing, etc;
|
|
* stable runnable within python versions 3.6 (as well as within 3.7-dev);
|
|
|
|
- Enhancements
|
|
* `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
|
|
* `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
|
|
* date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
|
|
* possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
|
|
the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line,
|
|
e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line.
|
|
* badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
|
|
* add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
|
|
* Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG):
|
|
Usage `logtarget = target[padding=on|off]`
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at
|
|
|
|
- Updated to version 0.10.2. Changelog:
|
|
https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
|
|
|
|
- rebased patch
|
|
|
|
- Incompatibility list (compared to v.0.9):
|
|
* Filter (or `failregex`) internal capture-groups:
|
|
- If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
|
|
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
|
|
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
|
|
Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
|
|
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
|
|
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
|
|
- New internal groups (currently reserved for internal usage):
|
|
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
|
|
mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
|
|
* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
|
|
user configurations resp. `datepattern`.
|
|
* Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
|
|
IPv6-capable now.
|
|
|
|
- Incompatibility:
|
|
* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
|
|
anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
|
|
just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.
|
|
|
|
- Fixes
|
|
* Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
|
|
write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
|
|
* Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
|
|
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
|
|
(if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
|
|
* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
|
|
in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
|
|
* `action.d/pf.conf`:
|
|
- fixed syntax error in achnor definition (documentation, see gh-1919);
|
|
- enclose ports in braces for multiport jails (see gh-1925);
|
|
* `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
|
|
* `filter.d/sshd.conf`:
|
|
- extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
|
|
forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
|
|
see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
|
|
- fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
|
|
|
|
- New Features
|
|
* datedetector: extended default date-patterns (allows extra space between the date and time stamps);
|
|
introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
|
|
- %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
|
|
(corresponds %H, but allows space if not zero-padded).
|
|
- %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
|
|
(corresponds %I, but allows space if not zero-padded).
|
|
* `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
|
|
|
|
- New Actions:
|
|
* `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
|
|
nginx-location with map-file);
|
|
|
|
- Enhancements
|
|
* jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
|
|
* action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
|
|
* Introduced new parameters for logging within fail2ban-server (gh-1980).
|
|
Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
|
|
- `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
|
|
for the list of facilities);
|
|
- `datetime` - add date-time to the message (default on, ignored if `format` specified);
|
|
- `format` - specify own format how it will be logged, for example for short-log into STDOUT:
|
|
`fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
|
|
* Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
|
|
'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
|
|
if repair fails - recreate new database (gh-1465, gh-2004).
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 23 13:44:10 UTC 2017 - rbrown@suse.com
|
|
|
|
- Replace references to /var/adm/fillup-templates with new
|
|
%_fillupdir macro (boo#1069468)
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Oct 21 04:43:44 UTC 2017 - jweberhofer@weberhofer.at
|
|
|
|
- Updated to version 0.10.1. Changelog:
|
|
https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog
|
|
|
|
- Removed 607568f.patch and 1783.patch
|
|
|
|
- New features:
|
|
* IPv6 support
|
|
- IP addresses are now handled as objects rather than strings capable for
|
|
handling both address types IPv4 and IPv6
|
|
- iptables related actions have been amended to support IPv6 specific actions
|
|
additionally
|
|
- hostsdeny and route actions have been tested to be aware of v4 and v6 already
|
|
- pf action for *BSD systems has been improved and supports now also v4 and v6
|
|
- name resolution is now working for either address type
|
|
- new conditional section functionality used in config resp. includes:
|
|
- [Init?family=inet4] - IPv4 qualified hosts only
|
|
- [Init?family=inet6] - IPv6 qualified hosts only
|
|
* Reporting via abuseipdb.com
|
|
- Bans can now be reported to abuseipdb
|
|
- Catagories must be set in the config
|
|
- Relevant log lines included in report
|
|
* Several commands extended and new commands introduced
|
|
* Implemented execution of `actionstart` on demand
|
|
* nftables actions are IPv6-capable now
|
|
* Introduced new filter option `prefregex` for pre-filtering using single regular expression
|
|
* Many times faster because of several optimizations
|
|
* Several filters optimized
|
|
* Introduced new jail option "ignoreself"
|
|
|
|
|
|
- Lots of fixes and internal improvements
|
|
|
|
- Incompatibitilities:
|
|
* Filter (or `failregex`) internal capture-groups:
|
|
- If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
|
|
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
|
|
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
|
|
|
|
Of course you can always your own capture-group (like below `_cond_ip_`) to do this.
|
|
```
|
|
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
|
|
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
|
|
```
|
|
- New internal groups (currently reserved for internal usage):
|
|
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
|
|
mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
|
|
|
|
* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
|
|
user configurations resp. `datepattern`.
|
|
|
|
* Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
|
|
IPv6-capable now.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at
|
|
|
|
- added 1783.patch from upstream: "Updated roundcube authentication filter"
|
|
- use tmpfiles_create macro
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at
|
|
|
|
- added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP"
|
|
this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no
|
|
action as a result"
|
|
|
|
- Update to 0.9.7
|
|
* Fixed a systemd-journal handling in fail2ban-regex
|
|
(gh#fail2ban/fail2ban#1657)
|
|
* filter.d/sshd.conf
|
|
- Fixed non-anchored part of failregex (misleading match of colon inside
|
|
IPv6 address instead of `: ` in the reason-part by missing space,
|
|
gh#fail2ban/fail2ban#1658)
|
|
(0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
|
|
* config/pathes-freebsd.conf
|
|
- Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
|
|
* filter.d/exim.conf
|
|
- optional part `(...)` after host-name before `[IP]`
|
|
(gh#fail2ban/fail2ban#1751)
|
|
- new reason "Unrouteable address" for "rejected RCPT" regex
|
|
(gh#fail2ban/fail2ban#1762)
|
|
- match of complex time like `D=2m42s` in regex "no MAIL in SMTP
|
|
connection" (gh#fail2ban/fail2ban#1766)
|
|
* filter.d/sshd.conf
|
|
- new aggressive rules (gh#fail2ban/fail2ban#864):
|
|
- Connection reset by peer (multi-line rule during authorization process)
|
|
- No supported authentication methods available
|
|
- single line and multi-line expression optimized, added optional prefixes
|
|
and suffix (logged from several ssh versions), according
|
|
to gh#fail2ban/fail2ban#1206;
|
|
- fixed expression received disconnect auth fail (optional space after port
|
|
part, gh#fail2ban/fail2ban#1652)
|
|
and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206;
|
|
* filter.d/suhosin.conf
|
|
- greedy catch-all before `<HOST>` fixed (potential vulnerability)
|
|
* filter.d/cyrus-imap.conf
|
|
- accept entries without login-info resp. hostname before IP address (#fail2ban/fail2ban#707)
|
|
* Filter tests extended with check of all config-regexp, that contains greedy catch-all
|
|
before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`
|
|
|
|
* New Actions:
|
|
- action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh#fail2ban/fail2ban#1663)
|
|
|
|
* New Filters:
|
|
- filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603)
|
|
|
|
* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Mar 5 12:56:10 UTC 2017 - wagner-thomas@gmx.at
|
|
|
|
- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 26 23:16:49 UTC 2017 - chris@computersalat.de
|
|
|
|
- Update to 0.9.6 (2016/12/10)
|
|
|
|
### Fixes
|
|
* Misleading add resp. enable of (already available) jail in database, that
|
|
induced a subsequent error: last position of log file will be never retrieved (gh-795)
|
|
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
|
|
(e.g. test-cases faults on Fedora, see gh-1353)
|
|
* Fixed pythonic filters and test scripts (running via wrong python version,
|
|
uses "fail2ban-python" now);
|
|
* Fixed test case "testSetupInstallRoot" for not default python version (also
|
|
using direct call, out of virtualenv);
|
|
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
|
|
* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
|
|
* Monit config: scripting is not supported in path (gh-1556)
|
|
* `filter.d/apache-modsecurity.conf`
|
|
- Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
|
|
replaced for safer match, unneeded catch-all anchoring removed, non-capturing
|
|
* `filter.d/asterisk.conf`
|
|
- Fixed to match different asterisk log prefix (source file: method:)
|
|
* `filter.d/dovecot.conf`
|
|
- Fixed failregex ignores failures through some not relevant info (gh-1623)
|
|
* `filter.d/ignorecommands/apache-fakegooglebot`
|
|
- Fixed error within apache-fakegooglebot, that will be called
|
|
with wrong python version (gh-1506)
|
|
* `filter.d/assp.conf`
|
|
- Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
|
|
* `filter.d/postfix-sasl.conf`
|
|
- Allow for having no trailing space after 'failed:' (gh-1497)
|
|
* `filter.d/vsftpd.conf`
|
|
- Optional reason part in message after FAIL LOGIN (gh-1543)
|
|
* `filter.d/sendmail-reject.conf`
|
|
- removed mandatory double space (if dns-host available, gh-1579)
|
|
* filter.d/sshd.conf
|
|
- recognized "Failed publickey for" (gh-1477);
|
|
- optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
|
|
- eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
|
|
- optional port part after host (see gh-1533, gh-1581)
|
|
|
|
### New Features
|
|
* New Actions:
|
|
- `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
|
|
* New Filters:
|
|
- `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
|
|
(gh-1586, gh-1606 and gh-1607)
|
|
|
|
### Enhancements
|
|
* DateTemplate regexp extended with the word-end boundary, additionally to
|
|
word-start boundary
|
|
* Introduces new command "fail2ban-python", as automatically created symlink to
|
|
python executable, where fail2ban currently installed (resp. its modules are located):
|
|
- allows to use the same version, fail2ban currently running, e.g. in
|
|
external scripts just via replace python with fail2ban-python:
|
|
```diff
|
|
-#!/usr/bin/env python
|
|
+#!/usr/bin/env fail2ban-python
|
|
```
|
|
- always the same pickle protocol
|
|
- the same (and also guaranteed available) fail2ban modules
|
|
- simplified stand-alone install, resp. stand-alone installation possibility
|
|
via setup (like gh-1487) is getting closer
|
|
* Several test cases rewritten using new methods assertIn, assertNotIn
|
|
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
|
|
Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
|
|
are test covered now
|
|
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
|
|
examples:
|
|
- `backend = systemd[journalpath=/run/log/journal/machine-1]`
|
|
- `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
|
|
- `backend = systemd[journalflags=2]`
|
|
|
|
- rebase fail2ban-opensuse-locations.patch, fail2ban-opensuse-service.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.9.5
|
|
|
|
New Features
|
|
* New Actions: action.d/firewallcmd-rich-rules and
|
|
action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367)
|
|
* New filter: slapd - ban hosts, that were failed to connect with invalid
|
|
credentials: error code 49 (gh#fail2ban/fail2ban#1478)
|
|
|
|
Enhancements
|
|
* Extreme speedup of all sqlite database operations
|
|
(gh#fail2ban/fail2ban#1436), by using of following sqlite options:
|
|
- (synchronous = OFF) write data through OS without syncing
|
|
- (journal_mode = MEMORY) use memory for the transaction logging
|
|
- (temp_store = MEMORY) temporary tables and indices are kept in memory
|
|
* journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362)
|
|
* Added additional regex filter for dovecot ldap authentication
|
|
failures (gh#fail2ban/fail2ban#1370)
|
|
* filter.d/exim*conf
|
|
- Added additional regexes (gh#fail2ban/fail2ban#1371)
|
|
- Made port entry optional
|
|
|
|
Fixes
|
|
* filter.d/monit.conf
|
|
- Extended failregex with new monit "access denied" version
|
|
(gh#fail2ban/fail2ban#1355)
|
|
- failregex of previous monit version merged as single expression
|
|
* filter.d/postfix.conf, filter.d/postfix-sasl.conf
|
|
- Extended failregex daemon part, matching also postfix/smtps/smtpd now
|
|
(gh#fail2ban/fail2ban#1391)
|
|
|
|
* Fixed a grave bug within tags substitutions because of incorrect detection
|
|
of recursion in case of multiple inline substitutions of the same tag
|
|
(affected actions: bsd-ipfw, etc). Now tracks the actual list of the
|
|
already substituted tags (per tag instead of single list)
|
|
|
|
* filter.d/common.conf
|
|
- Unexpected extra regex-space in generic __prefix_line
|
|
(gh#fail2ban/fail2ban#1405)
|
|
- All optional spaces normalized in common.conf, test covered now
|
|
- Generic __prefix_line extended with optional brackets for the date ambit
|
|
(gh#fail2ban/fail2ban#1421), added new parameter __date_ambit
|
|
|
|
* gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon,
|
|
not argument of fail2ban (see gh#fail2ban/fail2ban#1434)
|
|
|
|
* filter.d/asterisk.conf
|
|
- Fixed security log support for PJSIP and Asterisk 13+
|
|
(gh#fail2ban/fail2ban#1456)
|
|
- Improved log support for PJSIP and Asterisk 13+ with different callID
|
|
(gh#fail2ban/fail2ban#1458)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 10 14:09:51 UTC 2016 - jweberhofer@weberhofer.at
|
|
|
|
- Mark /etc/fail2ban/fail2ban.conf as noreplace.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
|
|
|
|
- Removed patch: fail2ban-exclude-dev-log-tests.patch
|
|
- Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
|
|
- rebased other patches
|
|
- Defined services which per default uses systemd logger
|
|
- Provide /usr/sbin/rcfail2ban also on systemd based distros
|
|
|
|
- All files in /etc/fail2ban/ except jail.local are now automatically replaced
|
|
upon installation of fail2ban
|
|
|
|
- The update to this versions allow to close boo#917818, as the logger-backends for
|
|
several services are now centrally set in /etc/fail2ban/paths-opensuse.conf
|
|
|
|
- Update to version 0.9.4
|
|
New Features:
|
|
* New interpolation feature for definition config readers - `<known/parameter>`
|
|
(means last known init definition of filters or actions with name `parameter`).
|
|
This interpolation makes possible to extend a parameters of stock filter or
|
|
action directly in jail inside jail.local file, without creating a separately
|
|
filter.d/*.local file.
|
|
As extension to interpolation `%(known/parameter)s`, that does not works for
|
|
filter and action init parameters
|
|
* New actions:
|
|
- nftables-multiport and nftables-allports - filtering using nftables
|
|
framework. Note: it requires a pre-existing chain for the filtering rule.
|
|
* New filters:
|
|
- openhab - domotic software authentication failure with the
|
|
rest api and web interface (gh-1223)
|
|
- nginx-limit-req - ban hosts, that were failed through nginx by limit
|
|
request processing rate (ngx_http_limit_req_module)
|
|
- murmur - ban hosts that repeatedly attempt to connect to
|
|
murmur/mumble-server with an invalid server password or certificate.
|
|
- haproxy-http-auth - filter to match failed HTTP Authentications against a
|
|
HAProxy server
|
|
* New jails:
|
|
- murmur - bans TCP and UDP from the bad host on the default murmur port.
|
|
* sshd filter got new failregex to match "maximum authentication
|
|
attempts exceeded" (introduced in openssh 6.8)
|
|
* Added filter for Mac OS screen sharing (VNC) daemon
|
|
|
|
Enhancements:
|
|
* Do not rotate empty log files
|
|
* Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
|
|
http://bugs.debian.org/798923
|
|
* Added openSUSE path configuration (Thanks Johannes Weberhofer)
|
|
* Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
|
|
* Added a timeout (3 sec) to urlopen within badips.py action
|
|
(Thanks M. Maraun)
|
|
* Added check against atacker's Googlebot PTR fake records
|
|
(Thanks Pablo Rodriguez Fernandez)
|
|
* Enhance filter against atacker's Googlebot PTR fake records
|
|
(gh-1226)
|
|
* Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
|
|
* Added filter for openhab domotic software authentication failure with the
|
|
rest api and web interface (gh-1223)
|
|
* Add *_backend options for services to allow distros to set the default
|
|
backend per service, set default to systemd for Fedora as appropriate
|
|
* Performance improvements while monitoring large number of files (gh-1265).
|
|
Use associative array (dict) for monitored log files to speed up lookup
|
|
operations. Thanks @kshetragia
|
|
* Specified that fail2ban is PartOf iptables.service firewalld.service in
|
|
.service file -- would reload fail2ban if those services are restarted
|
|
* Provides new default `fail2ban_version` and interpolation variable
|
|
`fail2ban_agent` in jail.conf
|
|
* Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
|
|
and to support multiple instances of postfix having varying suffix (gh-1331)
|
|
(Thanks Tom Hendrikx)
|
|
* files/gentoo-initd to use start-stop-daemon to robustify restarting the service
|
|
|
|
Fixes:
|
|
* roundcube-auth jail typo for logpath
|
|
* Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
|
|
* filter.d/apache-badbots.conf
|
|
- Updated useragent string regex adding escape for `+`
|
|
* filter.d/mysqld-auth.conf
|
|
gg - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
|
|
* filter.d/sshd.conf
|
|
- Updated "Auth fail" regex for OpenSSH 5.9 and later
|
|
* Treat failed and killed execution of commands identically (only
|
|
different log messages), which addresses different behavior on different
|
|
exit codes of dash and bash (gh-1155)
|
|
* Fix jail.conf.5 man's section (gh-1226)
|
|
* Fixed default banaction for allports jails like pam-generic, recidive, etc
|
|
with new default variable `banaction_allports` (gh-1216)
|
|
* Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
|
|
for python version < 3.x (gh-1248)
|
|
* Use postfix_log logpath for postfix-rbl jail
|
|
* filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
|
|
* use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
|
|
* Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
|
|
* Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
|
|
* Removed compression and rotation count from logrotate (inherit them from
|
|
the global logrotate config)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 4 15:50:38 UTC 2016 - jweberhofer@weberhofer.at
|
|
|
|
- Require python-systemd for openSUSE 12.3+
|
|
- Cleaned up the spec file
|
|
- Added /run/fail2ban for openSUSE 13.2+
|
|
- Don't fail on test-errors
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Sep 23 10:10:17 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
|
|
to fix the former failing test and removed
|
|
fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch
|
|
|
|
- Do not longer create test-package. Developers should not use the packaged
|
|
version of fail2ban.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 7 09:45:56 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- patches are no longer included conditionally
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 7 06:54:33 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch excludes the
|
|
ExecuteTimeoutWithNastyChildren test, as it doesn't run correctly on
|
|
openSUSE.
|
|
|
|
- fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for
|
|
older releases.
|
|
|
|
- Update to version 0.9.3
|
|
|
|
- IMPORTANT incompatible changes:
|
|
* filter.d/roundcube-auth.conf
|
|
- Changed logpath to 'errors' log (was 'userlogins')
|
|
* action.d/iptables-common.conf
|
|
- All calls to iptables command now use -w switch introduced in
|
|
iptables 1.4.20 (some distribution could have patched their
|
|
earlier base version as well) to provide this locking mechanism
|
|
useful under heavy load to avoid contesting on iptables calls.
|
|
If you need to disable, define 'action.d/iptables-common.local'
|
|
with empty value for 'lockingopt' in `[Init]` section.
|
|
* mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
|
|
actions now include by default only the first 1000 log lines in
|
|
the emails. Adjust <grepopts> to augment the behavior.
|
|
|
|
- Fixes:
|
|
* reload in interactive mode appends all the jails twice (gh-825)
|
|
* reload server/jail failed if database used (but was not changed) and
|
|
some jail active (gh-1072)
|
|
* filter.d/dovecot.conf - also match unknown user in passwd-file.
|
|
Thanks Anton Shestakov
|
|
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
|
|
* filter.d/asterisk.conf - fix security log support for Asterisk 12+
|
|
* filter.d/roundcube-auth.conf
|
|
- Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
|
|
- Added regex to work with 'userlogins' log
|
|
* action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
|
|
locale on systems with customized LC_ALL
|
|
* performance fix: minimizes connection overhead, close socket only at
|
|
communication end (gh-1099)
|
|
* unbanip always deletes ip from database (independent of bantime, also if
|
|
currently not banned or persistent)
|
|
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
|
|
* always set 'dbfile' before other database options (gh-1050)
|
|
* kill the entire process group of the child process upon timeout (gh-1129).
|
|
Otherwise could lead to resource exhaustion due to hanging whois
|
|
processes.
|
|
* resolve /var/run/fail2ban path in setup.py to help installation
|
|
on platforms with /var/run -> /run symlink (gh-1142)
|
|
|
|
- New Features:
|
|
* RETURN iptables target is now a variable: <returntype>
|
|
* New type of operation: pass2allow, use fail2ban for "knocking",
|
|
opening a closed port by swapping blocktype and returntype
|
|
* New filters:
|
|
- froxlor-auth - Thanks Joern Muehlencord
|
|
- apache-pass - filter Apache access log for successful authentication
|
|
* New actions:
|
|
- shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
|
|
manual pre-configuration of the shorewall. See the action file for detail.
|
|
* New jails:
|
|
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
|
|
|
|
- Enhancements:
|
|
* action.d/cloudflare.conf - improved documentation on how to allow
|
|
multiple CF accounts, and jail.conf got new compound action
|
|
definition action_cf_mwl to submit cloudflare report.
|
|
* Check access to socket for more detailed logging on error (gh-595)
|
|
* fail2ban-testcases man page
|
|
* filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
|
|
HEAD method verb
|
|
* Revamp of Travis and coverage automated testing
|
|
* Added a space between IP address and the following colon
|
|
in notification emails for easier text selection
|
|
* Character detection heuristics for whois output via optional setting
|
|
in mail-whois*.conf. Thanks Thomas Mayer.
|
|
Not enabled by default, if _whois_command is set to be
|
|
%(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
|
|
it
|
|
- detects character set of whois output (which is undefined by
|
|
RFC 3912) via heuristics of the file command
|
|
- converts whois data to UTF-8 character set with iconv
|
|
- sends the whois output in UTF-8 character set to mail program
|
|
- avoids that heirloom mailx creates binary attachment for input with
|
|
unknown character set
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jul 2 06:38:00 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Note: fail2ban-issue_906-strptime.patch has been removed as it is already
|
|
integrated in the current version.
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jun 8 13:27:00 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Removed "backend" setting from paths-opensuse.conf
|
|
|
|
-------------------------------------------------------------------
|
|
Fri May 8 14:01:31 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.9.2 (requested in boo#917818)
|
|
|
|
Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog
|
|
|
|
Here are some notes to be read when updating existing installations:
|
|
|
|
The default log-backend for openssue 13.2+ is now systemd
|
|
|
|
* jail.conf was heavily refactored and now is similar to how it looked on
|
|
Debian systems:
|
|
- default action could be configured once for all jails
|
|
- jails definitions only provide customizations (port, logpath)
|
|
- no need to specify 'filter' if name matches jail name
|
|
|
|
* Added fail2ban persistent database
|
|
- default location at /var/lib/fail2ban/fail2ban.sqlite3
|
|
- allows active bans to be reinstated on restart
|
|
- log files read from last position after restart
|
|
|
|
* Added systemd journal backend
|
|
- Dependency on python-systemd
|
|
- New "journalmatch" option added to filter configs files
|
|
- New "systemd-journal" option added to fail2ban-regex
|
|
|
|
* Support %z (Timezone offset) and %f (sub-seconds) support for datedetector.
|
|
Enhanced existing date/time have been updated patterns to support these.
|
|
ISO8601 now defaults to localtime unless specified otherwise. Some filters
|
|
have been change as required to capture these elements in the right
|
|
timezone correctly.
|
|
|
|
* Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
|
|
|
|
* Optionally can read log files starting from "head" or "tail". See "logpath"
|
|
option in jail.conf(5) man page.
|
|
|
|
* Can now set log encoding for files per jail.Default uses systemd locale.
|
|
|
|
* iptables-common.conf replaced iptables-blocktype.conf
|
|
(iptables-blocktype.local should still be read) and now also provides
|
|
defaults for the chain, port, protocol and name tags
|
|
|
|
- Require whois
|
|
|
|
- Whereever possible, path-definitions have been moved paths-opensuse.conf
|
|
which has been submittet upstream
|
|
|
|
- Use default fail2ban.service including fail2ban-opensuse-service.patch
|
|
|
|
- Use default suse-initd from upstream
|
|
|
|
- Run test-cases during build
|
|
|
|
- run fdupes
|
|
|
|
- Tests have been moved to a seperate page
|
|
|
|
- Added rpmlintrc file to ignore some hidden files in the test package
|
|
|
|
- Must build arch-depended packages for SLES 11
|
|
|
|
- Removed two tests which can't run on the build server with openSUSE
|
|
before 13.3: fail2ban-exclude-dev-log-tests.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Apr 14 07:10:43 UTC 2015 - mpluskal@suse.com
|
|
|
|
- Add missing dependency on ed (boo#926943)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 21 21:00:48 UTC 2015 - jweberhofer@weberhofer.at
|
|
|
|
- Fixed strptime thread safety issue.
|
|
fail2ban-issue_906-strptime.patch (bnc#914075 gh#fail2ban/fail2ban#906)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 25 11:36:13 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Added syslog to requirements, as this version of fail2ban does not
|
|
work with systemd-logging: bnc#905733
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Oct 17 09:44:12 UTC 2014 - jengelh@inai.de
|
|
|
|
- Recommend installation of the ordering package when all
|
|
constituing parts are installed
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Aug 21 16:50:20 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Fixed check for %_unitdir to make fail2ban build under older systems, too.
|
|
- Changed /usr to %{_prefix} in the spec file
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 20 15:44:54 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- update to 0.8.14
|
|
* minor fixes for claimed Python 2.4 and 2.5 compatibility
|
|
* Handle case when inotify watch is auto deleted on file deletion to stop
|
|
error messages
|
|
* tests - fixed few "leaky" file descriptors when files were not closed while
|
|
being removed physically
|
|
* grep in mail*-whois-lines.conf now also matches end of line to work with
|
|
the recidive filter
|
|
- add fail2ban-opensuse-locations.patch to fix default locations as suggested
|
|
in bnc#878028
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de
|
|
|
|
- update to 0.8.13:
|
|
+ Fixes:
|
|
- action firewallcmd-ipset had non-working actioncheck. Removed.
|
|
redhat bug #1046816.
|
|
- filter pureftpd - added _daemon which got removed. Added
|
|
|
|
+ New Features:
|
|
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
|
|
- filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
|
|
|
|
+ Enhancements:
|
|
- filter asterisk now supports syslog format
|
|
- filter pureftpd - added all translations of "Authentication failed for
|
|
user"
|
|
- filter dovecot - lip= was optional and extended TLS errors can occur.
|
|
Thanks Noel Butler.
|
|
- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed
|
|
upstream
|
|
- split out nagios-plugins-fail2ban package
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 18 00:03:12 UTC 2014 - jengelh@inai.de
|
|
|
|
- Add a new subpackage to install systemd drop-ins that couple
|
|
SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf,
|
|
f2b-restart.conf.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
Security note: The update to version 0.8.11 has fixed two additional security
|
|
issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
|
|
be blocked by Fail2ban causing legitimate users to be blocked from accessing
|
|
services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
|
|
(postfix)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
|
|
|
|
- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
|
|
newer versions of openSUSE
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Reviewed and fixed github references in the changelog
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Use new flushlogs syntax after logrotate
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.8.12
|
|
|
|
* Log rotation can now occur with the command "flushlogs" rather than
|
|
reloading fail2ban or keeping the logtarget settings consistent in
|
|
jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
|
|
|
|
* Added ignorecommand option for allowing dynamic determination as to ignore
|
|
and IP or not.
|
|
|
|
* Remove indentation of name and loglevel while logging to SYSLOG to resolve
|
|
syslog(-ng) parsing problems. (dep#730202). Log lines now also
|
|
report "[PID]" after the name portion too.
|
|
|
|
* Epoch dates can now be enclosed within []
|
|
|
|
* New actions: badips, firewallcmd-ipset, ufw, blocklist_de
|
|
|
|
* New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
|
|
ejabberd, openwebmail, groupoffice
|
|
|
|
* Filter improvements:
|
|
- apache-noscript now includes php cgi scripts
|
|
- exim-spam filter to match spamassassin log entry for option SAdevnull.
|
|
- Added to sshd filter expression for
|
|
"Received disconnect from : 3: Auth fail"
|
|
- Improved ACL-handling for Asterisk
|
|
- Added improper command pipelining to postfix filter.
|
|
|
|
* General fixes:
|
|
- Added lots of jail.conf entries for missing filters that creaped in
|
|
over the last year.
|
|
- synchat changed to use push method which verifies whether all data was
|
|
send. This ensures that all data is sent before closing the connection.
|
|
- Fixed python 2.4 compatibility (as sub-second in date patterns weren't
|
|
2.4 compatible)
|
|
- Complain/email actions fixed to only include relevant IPs to reporting
|
|
|
|
* Filter fixes:
|
|
- Added HTTP referrer bit of the apache access log to the apache filters.
|
|
- Apache 2.4 perfork regexes fixed
|
|
- Kernel syslog expression can have leading spaces
|
|
- allow for ",milliseconds" in the custom date format of proftpd.log
|
|
- recidive jail to block all protocols
|
|
- smtps not a IANA standard so may be missing from /etc/services. Due to
|
|
(still) common use 465 has been used as the explicit port number
|
|
- Filter dovecot reordered session and TLS items in regex with wider scope
|
|
for session characters
|
|
|
|
* Ugly Fixes (Potentially incompatible changes):
|
|
|
|
- Unfortunately at the end of last release when the action
|
|
firewall-cmd-direct-new was added it was too long and had a broken action
|
|
check. The action was renamed to firewallcmd-new to fit within jail name
|
|
name length. (gh#fail2ban/fail2ban#395).
|
|
|
|
- Last release added mysqld-syslog-iptables as a jail configuration. This
|
|
jailname was too long and it has been renamed to mysqld-syslog.
|
|
|
|
- Fixed formating of github references in changelog
|
|
- reformatted spec-file
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.8.11
|
|
|
|
- In light of CVE-2013-2178 that triggered our last release we have put a
|
|
significant effort into tightening all of the regexs of our filters to avoid
|
|
another similar vulnerability. We haven't examined all of these for a potential
|
|
DoS scenario however it is possible that another DoS vulnerability exists that
|
|
is fixed by this release. A large number of filters have been updated to
|
|
include more failure regexs supporting previously unbanned failures and support
|
|
newer application versions too. We have test cases for most of these now
|
|
however if you have other examples that demonstrate that a filter is
|
|
insufficient we welcome your feedback. During the tightening of the regexs to
|
|
avoid DoS vulnerabilities there is the possibility that we have inadvertently,
|
|
despite our best intentions, incorrectly allowed a failure to continue.
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Sep 21 11:38:29 UTC 2013 - schuetzm@gmx.net
|
|
|
|
- Added systemd service file and systemd-tmpfiles configuration
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
|
|
by "bugs" in apache- filters. If you are relying on listed below apache-
|
|
filters, upgrade asap and seek your distributions to patch their fail2ban
|
|
distribution with [6ccd5781]. The bug's decription can be found in
|
|
https://vndh.net/note:fail2ban-089-denial-service
|
|
|
|
- Fixes
|
|
* [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
|
|
failregex at the beginning (and where applicable at the end).
|
|
Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710
|
|
* action.d/{route,shorewall}.conf - blocktype must be defined
|
|
within [Init]. Closes gh#fail2ban/fail2ban#232
|
|
|
|
- Enhancements
|
|
* jail.conf -- assure all jails have actions and remove unused
|
|
ports specifications
|
|
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
|
|
* files/suse-initd -- update to the copy from stock SUSE
|
|
* Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
|
|
gh#fail2ban/fail2ban#230.
|
|
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes
|
|
gh#fail2ban/fail2ban#244.
|
|
|
|
------------------------------------------------------------------
|
|
Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at
|
|
|
|
- Included logrotate configuration for fail2ban
|
|
|
|
-------------------------------------------------------------------
|
|
Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
|
|
|
|
- Init-Script does no longer require $syslog to be started as file-base logging
|
|
is the default. Synced with Debian script.
|
|
|
|
- Upgrade to version 0.8.9
|
|
|
|
- Fixes: Yaroslav Halchenko
|
|
* [6f4dad46] python-2.4 is the minimal version.
|
|
* [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
|
|
on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the
|
|
bug report.
|
|
* [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
|
|
insight. Closes gh#fail2ban/fail2ban#103.
|
|
* [ab044b75] delay check for the existence of config directory until read.
|
|
* [3b4084d4] fixing up for handling of TAI64N timestamps.
|
|
* [154aa38e] do not shutdown logging until all jails stop.
|
|
* [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes
|
|
gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and
|
|
troubleshooting. Orion Poplawski
|
|
* [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
|
|
newly created directories.
|
|
Nicolas Collignon
|
|
* [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167.
|
|
Sergey Brester
|
|
* [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
|
|
sorting template list.
|
|
Steven Hiscocks
|
|
* [7a442f07] When changing log target with python2.{4,5} handle KeyError.
|
|
Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148.
|
|
* [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124.
|
|
Daniel Black
|
|
* [f0610c01] Allow more that a one word command when changing and Action via
|
|
the fail2ban-client. Closes gh#fail2ban/fail2ban#134.
|
|
* [945ad3d9] Fix dates on email actions to work in different locals. Closes
|
|
gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
|
|
blotus
|
|
* [96eb8986] ' and " should also be escaped in action tags Closes
|
|
gh#fail2ban/fail2ban#109
|
|
Christoph Theis, Nick Hilliard, Daniel Black
|
|
* [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
|
|
- New features:
|
|
Yaroslav Halchenko
|
|
* [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
|
|
to provide additional flexibility to system adminstrators. Thanks to
|
|
beilber for the idea. Closes gh#fail2ban/fail2ban#114.
|
|
* [3ce53e87] Add exim filter.
|
|
Erwan Ben Souiden
|
|
* [d7d5228] add nagios integration documentation and script to ensure
|
|
fail2ban is running. Closes gh#fail2ban/fail2ban#166.
|
|
Artur Penttinen
|
|
* [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152.
|
|
ArndRaphael Brandes
|
|
* [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117.
|
|
Michael Gebetsriother
|
|
* [f9b78ba] Add action route to block at routing level.
|
|
Teodor Micu & Yaroslav Halchenko
|
|
* [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
|
|
Daniel Black
|
|
* [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102.
|
|
Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
|
|
* [b6d0e8a] Add and enhance the bsd-ipfw action from
|
|
FreeBSD ports.
|
|
Soulard Morgan
|
|
* [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99.
|
|
Steven Hiscocks
|
|
* [..746c7d9] bash interactive shell completions for fail2ban-*'s
|
|
Nick Hilliard
|
|
* [0c5a9c5] Add pf action.
|
|
- Enhancements:
|
|
Enrico Labedzki
|
|
* [24a8d07] Added new date format for ASSP SMTP Proxy.
|
|
Steven Hiscocks
|
|
* [3d6791f] Ensure restart of Actions after a check fails occurs
|
|
consistently. Closes gh#fail2ban/fail2ban#172.
|
|
* [MANY] Improvements to test cases, travis, and code coverage (coveralls).
|
|
* [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124.
|
|
* [ce3ab34] Added ability to specify PID file.
|
|
Orion Poplawski
|
|
* [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
|
|
Closes gh#fail2ban/fail2ban#142.
|
|
Yaroslav Halchenko
|
|
* [MANY] Lots of improvements to log messages, man pages and test cases.
|
|
* [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
|
|
Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger.
|
|
* [40c5a2d] adding more of diagnostic messages into -client while starting
|
|
the daemon.
|
|
* [8e63d4c] Compare against None with 'is' instead of '=='.
|
|
* [6fef85f] Strip CR and LF while analyzing the log line
|
|
Daniel Black
|
|
* [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143.
|
|
* [MANY] man page edits.
|
|
* [7cd6dab] Added help command to fail2ban-client.
|
|
* [c8c7b0b,23bbc60] Better logging of log file read errors.
|
|
* [3665e6d] Added code coverage to development process.
|
|
* [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
|
|
source. Also include BSD changes.
|
|
* [1d9abd1] Action files can have tags in definition that refer to other
|
|
tags.
|
|
* [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
|
|
unreachable rather than just a drop of the packet.
|
|
Pascal Borreli
|
|
* [a2b29b4] Fixed lots of typos in config files and documentation.
|
|
hamilton5
|
|
* [7ede1e8] Update dovecot filter config.
|
|
Romain Riviere
|
|
* [0ac8746] Enhance named-refused filter for views.
|
|
James Stout
|
|
* [..2143cdf] Solaris support enhancements:
|
|
- README.Solaris
|
|
- failregex'es tune ups (sshd.conf)
|
|
- hostsdeny: do not rely on support of '-i' in sed
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Dec 6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
One of the important changes is escaping of the <matches> content -- so if you
|
|
crafted some custom action which uses it -- you must upgrade, or you
|
|
would be at a significant security risk.
|
|
|
|
- Fixes:
|
|
Alan Jenkins
|
|
* [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
|
|
banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64
|
|
Yaroslav Halchenko
|
|
* [83109bc] IMPORTANT: escape the content of <matches> (if used in
|
|
custom action files) since its value could contain arbitrary
|
|
symbols. Thanks for discovery go to the NBS System security
|
|
team
|
|
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes.
|
|
Close gh#fail2ban/fail2ban#83
|
|
* [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
|
|
* [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
|
|
in the console. Close gh#fail2ban/fail2ban#91
|
|
|
|
- New features:
|
|
David Engeset
|
|
* [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
|
|
the log file to take 'banip' or 'unbanip' in effect.
|
|
Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
|
|
|
|
- Enhancements:
|
|
* [2d66f31] replaced uninformative "Invalid command" message with warning log
|
|
exception why command actually failed
|
|
* [958a1b0] improved failregex to "support" auth.backend = "htdigest"
|
|
* [9e7a3b7] until we make it proper module -- adjusted sys.path only if
|
|
system-wide run
|
|
* [f52ba99] downgraded "already banned" from WARN to INFO level.
|
|
Closes gh#fail2ban/fail2ban#79
|
|
* [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
|
|
for this gh#fail2ban/fail2ban#87)
|
|
* Various others: travis-ci integration, script to run tests
|
|
against all available Python versions, etc
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Fixed initscript as discussed in bnc#790557
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 3 09:53:40 UTC 2012 - meissner@suse.com
|
|
|
|
- use Source URL pointing to github
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Do not longer replace main config-files
|
|
- Use variables for directories in spec file
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Added dependencies to python-pyinotifyi, python-gamin and iptables
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Upgraded to version 0.8.7.1
|
|
|
|
- Yaroslav Halchenko
|
|
* [e9762f3] Removed sneaked in comment on sys.path.insert
|
|
Tom Hendrikx & Jeremy Olexa
|
|
* [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
|
|
See http://forums.gentoo.org/viewtopic-t-899018.html
|
|
- Chris Reffett
|
|
* [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
|
|
rather than just one failure.
|
|
- Yaroslav Halchenko
|
|
* [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
|
|
* [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
|
|
* [ed16ecc] enforce "ip" field returned as str, not unicode so that log
|
|
message stays non-unicode. Close gh#fail2ban/fail2ban#32
|
|
* [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
|
|
already present in the pattern
|
|
* [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
|
|
friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66)
|
|
* [80b191c] anchor grep regexp in actioncheck to not match partial names
|
|
of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
|
|
- New features:
|
|
- François Boulogne
|
|
* [a7cb20e..] add lighttpd-auth filter/jail
|
|
- Lee Clemens & Yaroslav Halchenko
|
|
* [e442503] pyinotify backend (default if backend='auto' and pyinotify
|
|
is available)
|
|
* [d73a71f,3989d24] usedns parameter for the jails to allow disabling
|
|
use of DNS
|
|
- Tom Hendrikx
|
|
* [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
|
|
repeated offenders. Close gh#fail2ban/fail2ban#19
|
|
- Xavier Devlamynck
|
|
* [7d465f9..] Add asterisk support
|
|
- Zbigniew Jedrzejewski-Szmek
|
|
* [de502cf..] allow running fail2ban as non-root user (disabled by
|
|
default) via xt_recent. See doc/run-rootless.txt
|
|
- Enhancements
|
|
- Lee Clemens
|
|
* [47c03a2] files/nagios - spelling/grammar fixes
|
|
* [b083038] updated Free Software Foundation's address
|
|
* [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
|
|
* [642d9af,3282f86] reformated printing of jail's name to be consistent
|
|
with init's info messages
|
|
* [3282f86] uniform use of capitalized Jail in the messages
|
|
- Leonardo Chiquitto
|
|
* [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
|
|
to reflect code
|
|
* [a7d47e8] Update Free Software Foundation's address
|
|
- Petr Voralek
|
|
* [4007751] catch failed ssh logins due to being listed in DenyUsers.
|
|
Close gh#fail2ban/fail2ban#47 (Closes: #669063)
|
|
- Yaroslav Halchenko
|
|
* [MANY] extended and robustified unittests: test different backends
|
|
* [d9248a6] refactored Filter's to avoid duplicate functionality
|
|
* [7821174] direct users to issues on github
|
|
* [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
|
|
default with -v to control verbosity
|
|
* [b4099da] adjusted header for config/*.conf to mention .local and way
|
|
to comment (Thanks Stefano Forli for the note)
|
|
* [6ad55f6] added failregex for wu-ftpd to match against syslog instead
|
|
of DoS-prone auth.log's rhost (Closes: #514239)
|
|
* [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
|
|
sshd filter (Closes: #648020)
|
|
- Yehuda Katz & Yaroslav Halchenko
|
|
* [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de
|
|
|
|
- Adding to fail2ban.init remove of pid and sock files on stop
|
|
in case not removed before (prevents start fail)
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at
|
|
|
|
- Update to version 0.8.6. containing various fixes and enhancements
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com
|
|
|
|
- Update to version 0.8.5: many bug fixes, enhancements and, as
|
|
a bonus, drop two patches that are now upstream
|
|
- Update FSF address to silent rpmlint warnings
|
|
- Drop stale socket files on startup (bnc#537239, bnc#730044)
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de
|
|
|
|
- Apply packaging guidelines (remove redundant/obsolete
|
|
tags/sections from specfile, etc.)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com
|
|
|
|
- Use /var/run/fail2ban instead of /tmp for temp files in
|
|
actions: see bugs.debian.org/544232, bnc#690853,
|
|
CVE-2009-5023
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com
|
|
|
|
- Use $FAIL2BAN_OPTIONS when starting (bnc#662495)
|
|
- Clean up sysconfig file
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org
|
|
|
|
- Use O_CLOEXEC on fds (patch from Fedora)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com
|
|
|
|
- Create /var/run/fail2ban during startup to support systems that
|
|
mount /var/run as tmpfs
|
|
- Build package as noarch
|
|
- Spec file cleanup: fix a couple of rpmlint warnings
|
|
- Init script: look for fail2ban-server when checking if the
|
|
daemon is running
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com
|
|
|
|
- Update to version 0.8.4. Important changes:
|
|
* New "Ban IP" command
|
|
* New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve
|
|
* Fixed the 'unexpected communication error' problem
|
|
* Remove socket file on startup if fail2ban crashed (bnc#537239)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de
|
|
|
|
- Initial version: 0.8.3
|
|
|