Resolved Bugs
1169026 – fail2ban jail.conf needs to list multiple log paths in logpath on multiple lines
1128152 – fail2ban pam-generic jail uses /var/log/auth.log, which does not exist
1169024 – Please upgrade to fail2ban 0.9.1
1047436 – Fail2ban fails to start because of /var/log/secure not found<br
ver. 0.9.2 (2015/04/29) – better-quick-now-than-later
———-
– Fixes:
* infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907. Thanks TonyThompson
* port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner (fnerdwq)
* $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
* grep’ing for IP in *mail-whois-lines.conf should now match also at the beginning and EOL. Thanks Dean Lee
* jail.conf
– php-url-fopen: separate logpath entries by newline
* failregex declared direct in jail was joined to single line (specifying of multiple expressions was not possible).
* filters.d/exim.conf – cover different settings of exim logs
details. Thanks bes.internal
* filter.d/postfix-sasl.conf – failregex is now case insensitive
* filters.d/postfix.conf – add ‘Client host rejected error message’ failregex
* fail2ban/__init__.py – add strptime thread safety hack-around
* recidive uses iptables-allports banaction by default now.
Avoids problems with iptables versions not understanding ‘all’ for protocols and ports
* filter.d/dovecot.conf
– match pam_authenticate line from EL7
– match unknown user line from EL7
* Use use_poll=True for Python 2.7 and >=3.4 to overcome “Bad file
descriptor” msgs issue (gh-161)
* filter.d/postfix-sasl.conf – tweak failregex and add ignoreregex to ignore system authentication issues
* fail2ban-regex reads filter file(s) completely, incl. ‘.local’ file etc. (gh-954)
* firewallcmd-* actions: split output into separate lines for grepping (gh-908)
* Guard unicode encode/decode issues while storing records in the database.
Fixes “binding parameter error (unsupported type)” (gh-973), thanks to kot for reporting
* filter.d/sshd added regex for matching openSUSE ssh authentication failure
* filter.d/asterisk.conf:
– Dropped “Sending fake auth rejection” failregex since it incorrectly targets the asterisk server itself
– match “hacking attempt detected” logs
– New Features:
– New filters:
– postfix-rbl Thanks Lee Clemens
– apache-fakegooglebot.conf Thanks Lee Clemens
– nginx-botsearch Thanks Frantisek Sumsal
– drupal-auth Thanks Lee Clemens
– New recursive embedded substitution feature added:
– `<HOST>` becomes “ for PREF=`IPV4`;
– `<HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
– New interpolation feature for config readers – `%(known/parameter)s`. (means last known option with name `parameter`). This interpolation makes possible to extend a stock filter or jail regexp in .local file (opposite to simply set failregex/ignoreregex that overwrites it), see gh-867.
– Monit config for fail2ban in files/monit/
– New actions:
– action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt
– action.d/sendmail-geoip-lines.conf
– action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean
– New status argument for fail2ban-client — flavor:
fail2ban-client status [flavor]
– empty or “basic” works as-is
– “cymru” additionally prints (ASN, Country RIR) per banned IP (requires dnspython or dnspython3)
– Flush log at USR1 signal
– Enhancements:
* Enable multiport for firewallcmd-new action. Closes gh-834
* files/debian-initd migrated from the debian branch and should be suitable for manual installations now (thanks Juan Karlo de Guzman)
* Define empty ignoreregex in filters which didn’t have it to avoid warnings (gh-934)
* action.d/{sendmail-*,xarf-login-attack}.conf – report local
timezone not UTC time/zone. Closes gh-911
* Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
* Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
* Added syslogsocket configuration to fail2ban.conf
* Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964)
– Update to 0.9.1:
Refactoring (IMPORTANT — Please review your setup and configuration):
iptables-common.conf replaced iptables-blocktype.conf (iptables-blocktype.local should still be read) and now also provides defaults for the chain, port, protocol and name tags
Fixes:
start of file2ban aborted (on slow hosts, systemd considers the server has been timed out and kills him), see gh-824
UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
systemd backend error on bad utf-8 in python3
badips.py action error when logging HTTP error raised with badips request
fail2ban-regex failed to work in python3 due to space/tab mix
recidive regex samples incorrect log level
journalmatch for recidive incorrect PRIORITY
loglevel couldn’t be changed in fail2ban.conf
Handle case when no sqlite library is available for persistent database
Only reban once per IP from database on fail2ban restart
Nginx filter to support missing server_name. Closes gh-676
fail2ban-regex assertion error caused by miscount missed lines with multiline regex
Fix actions failing to execute for Python 3.4.0. Workaround for http://bugs.python.org/issue21207
Database now returns persistent bans on restart (bantime < 0)
Recursive action tags now fully processed. Fixes issue with bsd-ipfw action
Fixed TypeError with “ipfailures” and “ipjailfailures” action tags. Thanks Serg G. Brester
Correct times for non-timezone date times formats during DST
Pass a copy of, not original, aInfo into actions to avoid side-effects
Per-distribution paths to the exim’s main log
Ignored IPs are no longer banned when being restored from persistent database
Manually unbanned IPs are now removed from persistent database, such they wont be banned again when Fail2Ban is restarted
Pass “bantime” parameter to the actions in default jail’s action definition(s)
filters.d/sieve.conf – fixed typo in _daemon. Thanks Jisoo Park
cyrus-imap — also catch also failed logins via secured (imaps/pop3s). Regression was introduced while strengthening failregex in 0.8.11 (bd175f) Debian bug #755173
postfix-sasl – added journalmatch. Thanks Luc Maisonobe
postfix* – match with a new daemon string (postfix/submission/smtpd). Closes gh-804 . Thanks Paul Traina
apache – added filter for AH01630 client denied by server configuration.
New features:
New filters:
monit Thanks Jason H Martin
directadmin Thanks niorg
apache-shellshock Thanks Eugene Hopkinson (SlowRiot)
New actions:
symbiosis-blacklist-allports for Bytemark symbiosis firewall
fail2ban-client can fetch the running server version
Added Cloudflare API action
Enhancements
Start performance of fail2ban-client (and tests) increased, start time and cpu usage rapidly reduced. Introduced a shared storage logic, to bypass reading lots of config files (see gh-824). Thanks to Joost Molenaar for good catch (reported gh-820).
Fail2ban-regex – add print-all-matched option. Closes gh-652
Suppress fail2ban-client warnings for non-critical config options
Match non “Bye Bye” disconnect messages for sshd locked account regex
courier-smtp filter:
match lines with user names
match lines containing “535 Authentication failed” attempts
Add tag to iptables-ipsets
Realign fail2ban log output with white space to improve readability. Does not affect SYSLOG output
Log unhandled exceptions
cyrus-imap: catch “user not found” attempts
Add support for Portsentry
– Fix php-url-fopen logpath