Fail2ban Versions

Daemon to ban hosts that cause multiple authentication errors

0.8.14

9 years ago
  • Fixes:
    • minor fixes for claimed Python 2.4 and 2.5 compatibility
    • Handle case when inotify watch is auto deleted on file deletion to stop error messages
    • tests - fixed a few "leaky" file descriptors where files were not closed while being removed physically
    • grep in mail*-whois-lines.conf now also matches end of line to work with the recidive filter

0.8.13

10 years ago

This is a maintenance release from 0.8.12. It contains minor fixes in filters.

We recommend using 0.9 version as it includes all fixes from this release and more.

If you're still stuck on python-2.5 (or less), or want to keep a similar jail.conf configuration, you can still use this version.

A full list of changes is here: https://github.com/fail2ban/fail2ban/compare/0.8.12...0.8.13

0.9.0

10 years ago

Fail2Ban Scope

Fail2Ban can reduce the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public-key authentication mechanisms if you really want to protect them.

Changes

This 0.9.0 release includes a few major changes from the 0.8.12 branch.

Python version

The minimum supported Python version is now 2.6.

For the first time Python 3.2+ (via 2to3) and PyPy are also supported.

Database

A persistent sqlite3 database can now be used (default location /var/lib/fail2ban/fail2ban.sqlite3). It allows active bans to be reinstated on restart, and log files are read from their last position after a restart rather than from the beginning.

Filters

Fail2ban filters can now support:

  • filter patterns that span multiple lines.
  • parameters passed from jail.conf
  • custom date formats
  • date/time log formats that specify a timezone are now parsed correctly, so logs from services running in a different timezone from Fail2ban are handled properly. Sub-second granularity in log timestamps is also parsed.
  • a systemd journal backend has been added. It depends on python-systemd. Filters select journal entries with a "journalmatch" setting.

These new filter features make it possible to add the following filters:

  • Guacamole
  • Kerio
  • Stunnel
  • Counter Strike
  • Squirrelmail
  • Tine20
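The timezone and sub-second points above matter because a ban is a decision about a time window: maxretry failures inside findtime seconds. If a log's "+0200"-style offset is dropped, every event lands hours away from the daemon's own clock and the window logic silently breaks. The following is an added example, not fail2ban's own code: it parses zone-aware, fractional-second timestamps into epoch seconds, shows the skew that ignoring the zone would introduce, and runs a minimal sliding-window jail over constructed failure events (the IPs, times and window sizes are made up for the demonstration).

```python
from collections import defaultdict, deque
from datetime import datetime, timezone


def parse_zoned(ts):
    """Parse an RFC 3339-style timestamp with a numeric zone offset and
    fractional seconds (e.g. '2014-03-15T10:00:00.500000+0200') into epoch
    seconds.  Because the offset is honoured, the same instant written in
    any zone yields the same epoch value."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def skew_if_zone_ignored(ts):
    """Seconds by which an event is misplaced if the '+HHMM' suffix is
    dropped and the wall-clock time is read in the daemon's zone (UTC here).
    A skew larger than findtime means failures never line up into a window."""
    naive = datetime.strptime(ts[:-5], "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc).timestamp() - parse_zoned(ts)


class Jail:
    """Minimal sliding-window ban logic: ban an IP once it has maxretry
    failures inside the last findtime seconds.  Illustrative only."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> epoch seconds of failures
        self.banned = {}                     # ip -> epoch when the ban expires

    def failure(self, ip, when):
        """Record one failure at epoch `when`; True if it triggers a ban."""
        if self.banned.get(ip, 0) > when:
            return False                     # already banned, nothing to do
        window = self.failures[ip]
        window.append(when)
        while window and window[0] < when - self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = when + self.bantime
            window.clear()
            return True
        return False


# Constructed events, stamped in a +0200 zone as a service there would write
# them.  203.0.113.9 fails three times inside ten minutes; 198.51.100.7 also
# fails three times, but its first failure is older than findtime by the third.
EVENTS = [
    ("203.0.113.9",  "2014-03-15T10:00:00.000000+0200"),
    ("198.51.100.7", "2014-03-15T10:00:00.250000+0200"),
    ("203.0.113.9",  "2014-03-15T10:03:00.000000+0200"),
    ("198.51.100.7", "2014-03-15T10:05:00.000000+0200"),
    ("203.0.113.9",  "2014-03-15T10:09:59.000000+0200"),
    ("198.51.100.7", "2014-03-15T10:11:00.000000+0200"),
]


def run(events, maxretry=3, findtime=600):
    """Feed events in log order; return the IPs banned, in ban order."""
    jail = Jail(maxretry=maxretry, findtime=findtime)
    return [ip for ip, ts in events if jail.failure(ip, parse_zoned(ts))]


if __name__ == "__main__":
    print("banned:", run(EVENTS))
    print("skew if zone ignored:", skew_if_zone_ignored(EVENTS[0][1]), "s")
```

With the default window only 203.0.113.9 is banned; widening findtime to 700 seconds also catches 198.51.100.7, which is exactly the knob the zone skew silently turns the wrong way.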

Actions

Fail2ban actions can now support:

  • multiple instances of the same action in the same jail
  • actions written in Python
  • a timeout on actions, so a hung command cannot block jail processing
  • capture of the standard output and error of command actions, logged on error or at debug level

New actions include:

  • xarf-login-attack
  • smtp.py
  • badips.py

Users

Users can now specify an action in jail.local that applies to all configured jails.

[DEFAULT]
banaction = iptables-ipset
action = %(action_)s

banaction selects the firewall technology; action selects which of the ban/notification combinations defined in jail.conf (action_, action_mw, action_mwl, ...) to use.

The distributor will have configured a paths-{distro}.conf. If your paths differ, they can be overridden in paths-overrides.local.

The encoding of log files can be specified, defaulting to the system locale.

Distributors

The jail.conf has been modified extensively to list only the filters. Variants with different actions and file paths have been removed.

Only one patch should then be needed: pointing jail.conf at the required paths-{distro}.conf.

There is now a separate file paths-{distro}.conf that contains the paths of the log files so hopefully this will be easier to maintain. Patches/additions here welcome.

Python-systemd is an optional dependency for systemd support.

Fail2Ban is now installed as a python module fail2ban.

Full changes: https://github.com/fail2ban/fail2ban/compare/0.8.12...0.9.0

0.8.12

10 years ago

New bits:

Log rotation can now occur with the command "flushlogs" rather than reloading fail2ban or keeping the logtarget settings consistent in jail.conf/local and /etc/logrotate.d/fail2ban. (Debian bug #697333, Redhat bug #891798).

Added ignorecommand option, allowing dynamic determination of whether to ignore an IP or not.

Removed indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems (Debian bug #730202). Log lines now also report "[PID]" after the name portion.

Epoch dates can now be enclosed within []
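The ignorecommand option above hands the candidate address to an external command (via the <ip> tag) and uses its exit status as the answer: 0 means ignore the address, anything else lets the jail proceed. Below is an added example of such a command written in Python; it is not part of fail2ban. The allowlist contents and the /etc/fail2ban/never-ban.txt path are assumptions. It fails closed: a malformed candidate, a missing allowlist or a wrong argument count all result in a non-zero status, so a broken allowlist never quietly disables banning.

```python
import ipaddress
import sys

# Assumed location of the operator-maintained allowlist, one network per line.
ALLOWLIST_PATH = "/etc/fail2ban/never-ban.txt"

# Constructed sample allowlist used by the self-test below.
SAMPLE_ALLOWLIST = """
# monitoring range, lab range and an IPv6 prefix (all documentation ranges)
10.0.0.0/8
192.0.2.0/24      # lab range
2001:db8::/32
"""


def load_networks(lines):
    """Parse one network or address per line; blank lines and '#' comments
    are skipped.  A bad entry raises ValueError so a typo is noticed at once
    rather than silently shrinking the allowlist."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def should_ignore(candidate, networks):
    """True if the candidate IP lies inside any allowlisted network.
    The candidate comes from a log line, so anything that is not a valid
    address is a filter problem; the safe answer is 'do not ignore'."""
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    # Mixed IPv4/IPv6 membership tests are simply False, so no special-casing.
    return any(ip in net for net in networks)


def main(argv):
    """Exit status is the interface: 0 tells fail2ban to ignore the IP."""
    if len(argv) != 2:
        return 2
    try:
        with open(ALLOWLIST_PATH) as fh:
            networks = load_networks(fh)
    except (OSError, ValueError):
        return 1          # no usable allowlist: ignore nobody
    return 0 if should_ignore(argv[1], networks) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in with a jail setting such as ignorecommand = /usr/local/bin/f2b-ignore.py <ip> (the script path is an assumption). The command runs once per candidate, so keep it cheap: a local file lookup like this is fine, a blocking DNS or HTTP check without a timeout is not.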

New actions:

  • badips
  • firewallcmd-ipset
  • ufw
  • blocklist_de

New filters:

  • solid-pop3d
  • nsd
  • openwebmail
  • horde
  • freeswitch
  • squid
  • ejabberd
  • groupoffice

Filter improvements:

  • apache-noscript now includes php cgi scripts
  • exim-spam filter to match spamassassin log entry for option SAdevnull.
  • Added to sshd filter expression for "Received disconnect from <HOST>: 3: Auth fail"
  • Improved ACL-handling for Asterisk
  • Added improper command pipelining to postfix filter.

General fixes:

  • Added lots of jail.conf entries for missing filters that crept in over the last year.
  • asynchat changed to use the push method, which verifies that all data was sent. This ensures that all data is sent before closing the connection.
  • Fixed python 2.4 compatibility (sub-second support in date patterns wasn't 2.4 compatible).
  • Complain/email actions fixed to include only the relevant IPs in reports.

Filter fixes:

  • Added HTTP referrer bit of the apache access log to the apache filters.
  • Apache 2.4 prefork regexes fixed
  • Kernel syslog expression can have leading spaces
  • allow for ",milliseconds" in the custom date format of proftpd.log
  • recidive jail to block all protocols
  • smtps is not an IANA-registered service name, so it may be missing from /etc/services. Due to its (still) common use, 465 is now used as the explicit port number
  • Filter dovecot reordered session and TLS items in regex with wider scope for session characters

Ugly Fixes (Potentially incompatible changes):

Unfortunately, when the action firewall-cmd-direct-new was added at the end of the last release, its name was too long and its action check was broken. The action was renamed to firewallcmd-new to fit within the jail name length limit (#395).

The last release added mysqld-syslog-iptables as a jail configuration. This jail name was too long and it has been renamed to mysqld-syslog.

Full changes: https://github.com/fail2ban/fail2ban/compare/0.8.11...0.8.12

0.8.11

10 years ago

The 0.8.11 release is available at https://github.com/fail2ban/fail2ban/releases

In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexes of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario, however it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexes supporting previously unbanned failures and support newer application versions too. We have test cases for most of these now, however if you have other examples that demonstrate that a filter is insufficient we welcome your feedback. During the tightening of the regexes to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue.

After we do this release we'll look at doing a 0.9.0alpha release that has a significant reworking of its back end to support multiline matches, true timezone support, and more flexibility for actions.

There is a full ChangeLog in the distribution.

As usual, any bugs or enhancements feel free to tell us https://github.com/fail2ban/fail2ban/issues.

For user support please use the mailing list http://sourceforge.net/p/fail2ban/mailman/fail2ban-users/ or the #fail2ban freenode IRC channel.

Your friendly fail2ban devs,
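The regex tightening described above, and the fix listed in the 0.8.10 entry below (anchoring the apache failregexes at the beginning of the line), address one failure mode: an unanchored failregex can match a fragment that the remote client placed in the log line (a request path, a username) instead of the server's own "[client ...]" prefix, so the <HOST> it captures, and therefore the address that gets banned, is whatever the attacker wrote. The following is an added example, not fail2ban's code: the <HOST> expansion is a stand-in modelled on the project's, both failregexes are illustrative rather than the real apache-noscript patterns, and the two Apache 2.2-style error_log lines are constructed.

```python
import re

# <HOST> expansion in the spirit of fail2ban 0.8/0.9: an optional
# IPv4-mapped-IPv6 prefix, then a run of hostname/IP characters.  This is an
# illustrative stand-in, not the project's exact regex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(pattern):
    """Expand <HOST> the way a filter's failregex is expanded, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


# Two illustrative failregexes for an apache-noscript-style filter.  The first
# floats anywhere in the line; the second is pinned to the line's own prefix
# (timestamp, level, client) and to the end of the line.
UNANCHORED = compile_failregex(
    r"\[client <HOST>\] File does not exist: /\S*\.php")
ANCHORED = compile_failregex(
    r"^\[[^]]*\] \[error\] \[client <HOST>\] File does not exist: .*\.php$")


def offending_host(regex, line):
    """Return the host a failregex attributes the failure to, or None."""
    m = regex.search(line)
    return m.group("host") if m else None


# Constructed error_log lines.  In INJECTED the client at 203.0.113.9 requested
# a path containing its own fake "[client 192.0.2.77] ..." fragment, which the
# server echoes back verbatim in the error message.
HONEST = ("[Sat Jun 01 02:17:42 2013] [error] [client 198.51.100.23] "
          "File does not exist: /var/www/html/wp-login.php")
INJECTED = ("[Sat Jun 01 02:17:43 2013] [error] [client 203.0.113.9] "
            "File does not exist: /var/www/html/[client 192.0.2.77] "
            "File does not exist: /x.php")


def attribution(line):
    """Who each pattern would ban for this line: (unanchored, anchored)."""
    return offending_host(UNANCHORED, line), offending_host(ANCHORED, line)


if __name__ == "__main__":
    for name, line in (("honest", HONEST), ("injected", INJECTED)):
        print(name, attribution(line))
```

On the honest line both patterns agree. On the injected line the unanchored pattern cannot complete a match at the real "[client 203.0.113.9]" (the space inside the forged path breaks its /\S*\.php tail), so the engine slides forward and succeeds on the forged fragment, attributing the failure to 192.0.2.77, an address the attacker chose. The anchored pattern can only ever bind <HOST> to the server-written prefix, so the attacker bans only itself.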

0.8.11.pre1

10 years ago

0.8.11 Prerelease to Package Maintainers

Dear package maintainers of fail2ban,

We are just about to release 0.8.11 and we'd like to check that everything is packaged as best as possible. After we do this release we'll look at doing a 0.9.0alpha release that has a significant reworking of its back end and time functions.

The 0.8.11 pre-release 1 is available at https://github.com/fail2ban/fail2ban/releases

Please give feedback via https://github.com/fail2ban/fail2ban/issues if there are issues that need to be addressed before the final release.

In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexes of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario, however it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexes supporting previously unbanned failures and support newer application versions too. We have test cases for most of these now, however if you have other examples that demonstrate that a filter is insufficient we welcome your feedback. During the tightening of the regexes to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue.

There is a full ChangeLog in the distribution.

We believe the key factors for maintainers are:

  • action.d/hostsdeny -- NOTE: new dependency 'ed'. Switched to use 'ed' across all platforms to ensure permissions are the same before and after a ban
  • action.d/iptables-ipset* - there are proto4 and proto6 variants; you may want to remove the one(s) that don't apply (ipset -V shows which protocol ipset uses). Also, selinux permissions for fail2ban to use the ipset kernel interface may be needed.
  • files/redhat-initd - rewritten to use stock init.d functions thus avoiding problems with getpid. Also $network and iptables moved to Should- rc init fields
  • filter.d/pam-generic and other pam regexes - Disabled support for linux-pam before version 0.99.2.0 (2005)
  • The order of configuration file processing has changed to jail.conf, jail.d/*.conf, jail.local, jail.d/*.local (previously jail.conf, jail.local, jail.d/*.conf, jail.d/*.local). Likewise for the fail2ban configuration if you replace jail with fail2ban in the previous sentence, but we don't expect any problems (https://github.com/fail2ban/fail2ban/pull/392#issuecomment-26084729).

Filter changes that may affect user configured jails:

  • filter.d/exim-spam.conf -- a split-out of exim's spam regexes that were in filter.d/exim.conf, leaving exim.conf to contain just authentication failures
  • lighttpd-fastcgi filter has been renamed to 'suhosin'
  • filter.d/sasl filter has been renamed to filter.d/postfix-sasl

For the last two a symlink from the old name should provide compatibility.

We see that a lot of available packages include patches for different distribution-specific paths. If there are any good Python packaged programs that allow easy configuration of this let us know and we'll try to make this aspect easier for you.

We also acknowledge that the logpaths in jail.conf are very distribution specific and we will look into making their configuration simpler in the next release. Hopefully new jail.d/ and fail2ban.d/ directories will assist you with this so you could e.g. introduce a jail.d/00_{distro}.conf to define the local paths for logfiles e.g.:

[perdition]
logpath = /var/log/mail.log

Cheers,

Your friendly fail2ban devs,

0.8.9

10 years ago

Originally targeted as a bugfix release, it incorporated many enhancements, a few new features and, more importantly, a much extended test battery, with coverage now at 94% (up from 56% in 0.8.8).

This release introduces over 200 of non-merge commits from 16 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki, ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither, Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.

Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom Hendrikx, Yehuda Katz and other TBN heroes supporting users on fail2ban-users mailing list and IRC.

  • Fixes:
    • Yaroslav Halchenko:
      • [6f4dad46] python-2.4 is the minimal version.
      • [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
      • [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh-103.
      • [ab044b75] delay check for the existence of config directory until read.
      • [3b4084d4] fixing up for handling of TAI64N timestamps.
      • [154aa38e] do not shutdown logging until all jails stop.
      • [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. Thanks to Jon Foster for report and troubleshooting.
    • Orion Poplawski:
      • [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories.
    • Nicolas Collignon:
      • [39667ff6] Avoid leaking file descriptors. Closes gh-167.
    • Sergey Brester:
      • [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list.
    • Steven Hiscocks:
      • [7a442f07] When changing log target with python2.{4,5} handle KeyError. Closes gh-147, gh-148.
      • [b6a68f51] Fix delaction on server side. Closes gh-124.
    • Daniel Black:
      • [f0610c01] Allow more than a one-word command when changing an Action via the fail2ban-client. Closes gh-134.
      • [945ad3d9] Fix dates on email actions to work in different locales. Closes gh-70. Thanks to iGeorgeX for the idea.
    • blotus:
      • [96eb8986] ' and " should also be escaped in action tags. Closes gh-109.
    • Christoph Theis, Nick Hilliard, Daniel Black:
      • [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD.
  • New features:
    • Yaroslav Halchenko:
      • [9ba27353] Add support for jail.d/{configfile} and fail2ban.d/{configfile} to provide additional flexibility to system administrators. Thanks to beilber for the idea. Closes gh-114.
      • [3ce53e87] Add exim filter.
    • Erwan Ben Souiden:
      • [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh-166.
    • Artur Penttinen:
      • [29d0df5] Add mysqld filter. Closes gh-152.
    • ArndRaphael Brandes:
      • [bba3fd8] Add Sogo filter. Closes gh-117.
    • Michael Gebetsroither:
      • [f9b78ba] Add action route to block at routing level.
    • Teodor Micu & Yaroslav Halchenko:
      • [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
    • Daniel Black:
      • [be06b1b] Add action for iptables-ipsets. Closes gh-102.
    • Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk:
      • [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports.
    • Soulard Morgan:
      • [f336d9f] Add filter for webmin. Closes gh-99.
    • Steven Hiscocks:
      • [..746c7d9] bash interactive shell completions for fail2ban-*'s
    • Nick Hilliard:
      • [0c5a9c5] Add pf action.
  • Enhancements:
    • Enrico Labedzki:
      • [24a8d07] Added new date format for ASSP SMTP Proxy.
    • Steven Hiscocks:
      • [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172.
      • [MANY] Improvements to test cases, travis, and code coverage (coveralls).
      • [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
      • [ce3ab34] Added ability to specify PID file.
    • Orion Poplawski:
      • [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh-142.
    • Yaroslav Halchenko:
      • [MANY] Lots of improvements to log messages, man pages and test cases.
      • [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh-126. Bug report by Michael Heuberger.
      • [40c5a2d] adding more diagnostic messages into -client while starting the daemon.
      • [8e63d4c] Compare against None with 'is' instead of '=='.
      • [6fef85f] Strip CR and LF while analyzing the log line.
    • Daniel Black:
      • [3aeb1a9] Add jail.conf manual page. Closes gh-143.
      • [MANY] man page edits.
      • [7cd6dab] Added help command to fail2ban-client.
      • [c8c7b0b,23bbc60] Better logging of log file read errors.
      • [3665e6d] Added code coverage to development process.
      • [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes.
      • [1d9abd1] Action files can have tags in definition that refer to other tags.
      • [10886e7,cec5da2,adb991a] Change actions to respond with ICMP port unreachable rather than just a drop of the packet.
    • Pascal Borreli:
      • [a2b29b4] Fixed lots of typos in config files and documentation.
    • hamilton5:
      • [7ede1e8] Update dovecot filter config.
    • Romain Riviere:
      • [0ac8746] Enhance named-refused filter for views.
    • James Stout:
      • [..2143cdf] Solaris support enhancements:
        • README.Solaris
        • failregex'es tune ups (sshd.conf)
        • hostsdeny: do not rely on support of '-i' in sed

0.9.0a1

10 years ago

0.8.10

10 years ago

Primarily a bugfix and enhancements release, triggered by "bugs" in the apache- filters. If you rely on any of the apache- filters listed below, upgrade ASAP, or ask your distribution to patch its fail2ban package with [6ccd5781].

  • Fixes:
    • Yaroslav Halchenko:
      • [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor failregex at the beginning (and where applicable at the end). Addresses a possible DoS. Closes gh-248
      • action.d/{route,shorewall}.conf - blocktype must be defined within [Init]. Closes gh-232
  • Enhancements:
    • Yaroslav Halchenko:
      • jail.conf -- assure all jails have actions and remove unused ports specifications
    • Terence Namusonge:
      • config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
    • Daniel Black:
      • files/suse-initd -- update to the copy from stock SUSE
    • silviogarbes & Daniel Black:
      • Updates to asterisk filter. Closes gh-227/gh-230.
    • Carlos Alberto Lopez Perez:
      • Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.