Weakforced Versions

Anti-Abuse for servers at authentication time

v2.10.2

2 weeks ago

Release Notes for OX Abuse Shield 2.10.2

Improvements

  • Fixed the LuaState selection algorithm to use a free pool, which should lead to faster and more consistent selection of Lua states by threads.

  • The powerdns/wforce-minimal image is now available; it is built on Alpine, giving a more secure and much smaller image than the existing Debian-based image.

v2.10.1

4 months ago

Release Notes for 2.10.1

Bug Fixes

  • Fixed bug in GeoIP2 lookups where return values were not populated

Fixed bug in GeoIP2 lookups where return values were not populated

The GeoIP2 LookupCity Lua function was never correctly implemented, so results were not exposed to Lua correctly. This fix exposes the results using the correct method to ensure future operation.

v2.10.0

4 months ago

Release Notes for OX Abuse Shield 2.10.0

New Features

  • Add Enterprise Linux 9 Build Target
  • Option to use OpenSSL instead of Libsodium for encryption

Removed Features

  • Remove Legacy GeoIP from Packages and Dockerfiles/Images
  • Remove the Report API from weakforced entirely

Add Enterprise Linux 9 Build Target

Enterprise Linux 9-based systems are now supported as a build target. Oracle Linux 9 is used as the build environment, but the package should work on any EL-9 environment. Additionally, el-7, el-8 and el-9 aliases are available as build targets.

Option to use OpenSSL instead of Libsodium for encryption

When libsodium is not available, weakforced will now use OpenSSL crypto functions for encryption instead, including encryption between the client and the server and encryption of replication traffic. OpenSSL encryption is used for the Docker image, but the default for built packages is still libsodium.

Remove Legacy GeoIP from Packages and Dockerfiles/Images

The legacy GeoIP Library is no longer included in the packages or Dockerfiles/images for weakforced.

Remove the report_api from weakforced entirely

The Report API has been removed from weakforced. This feature was never used (to my knowledge), and was creating a significant burden in terms of the maintenance of the python dependencies.

v2.8.0

1 year ago

Release Notes for OX Abuse Shield 2.8.0

New Features

  • Support ELK 7.x Stack
  • Support Date Expansion in WebHook URLs
  • Enable IP and Login substitution in blocklist return messages
  • Add config option to disable password for /metrics endpoint
  • Support redis usernames and passwords for redis authentication
  • Support hostnames for redis configuration in addition to IP addresses

Bug Fixes/Changes

  • Fix an issue where IPv6 ComboAddress returned zero port number (which caused v6 HTTP listen addresses to not work)
  • Set V6ONLY socket option to stop v6 sockets from managing v4 addresses for replication
  • Return the IP address of the client in JSON of ACL denied response

Support ELK 7.x Stack

Support Elasticsearch, Logstash and Kibana 7.x stack:

  • Continuous Integration now tests against ELK 7.x
  • Logstash Templates now work with 7.x
  • Kibana Dashboards are now in ndjson format

Support Date Expansion in WebHook URLs

WebHook URLs can be specified with fields representing the year, month and day that are expanded at runtime. All three fields use the same %{...} syntax, for example:

config_key["url"] = "https://example.com/foo/index-%{YYYY}-%{MM}-%{dd}"

See the wforce_webhook man page for more details.
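The date expansion above happens inside wforce when the hook fires, so a mistyped field is not an error: it is sent to the endpoint literally. The following is an added illustration (not wforce's own code) of what the expansion produces for a given date, plus a small lint that reports any bracketed token left behind after expansion. The field names %{YYYY}, %{MM} and %{dd} come from the release note; expanding against the UTC date in the wrapper is an assumption, since the page does not state which clock or zone wforce uses.

```python
import re
from datetime import datetime, timezone

# The three date fields documented for WebHook URLs in the 2.8.0 notes.
_DATE_FIELD_RE = re.compile(r"%\{(YYYY|MM|dd)\}")
# Anything bracketed that survives expansion, e.g. a mistyped ${MM} or {%dd},
# which wforce would send to the endpoint as-is.
_RESIDUE_RE = re.compile(r"[%$]?\{[^{}]*\}")


def expand_webhook_url(url: str, year: int, month: int, day: int) -> str:
    """Replace %{YYYY}, %{MM} and %{dd} with zero-padded values for the given date."""
    fields = {"YYYY": f"{year:04d}", "MM": f"{month:02d}", "dd": f"{day:02d}"}
    return _DATE_FIELD_RE.sub(lambda m: fields[m.group(1)], url)


def expand_webhook_url_now(url: str) -> str:
    """Expand using today's UTC date (assumption: the page does not say which zone wforce uses)."""
    now = datetime.now(timezone.utc)
    return expand_webhook_url(url, now.year, now.month, now.day)


def unexpanded_fields(url: str, year: int, month: int, day: int) -> list:
    """Return bracketed tokens still present after expansion.

    An empty list means every field in the URL was a recognised date field;
    anything else would reach the webhook endpoint unexpanded.
    """
    return _RESIDUE_RE.findall(expand_webhook_url(url, year, month, day))


if __name__ == "__main__":
    # Constructed sample URLs: one correct, one with two mistyped fields.
    good = "https://example.com/foo/index-%{YYYY}-%{MM}-%{dd}"
    typo = "https://example.com/foo/index-%{YYYY}-${MM}-{%dd}"
    print(expand_webhook_url(good, 2024, 3, 7))
    print(unexpanded_fields(typo, 2024, 3, 7))
```

Running the lint over a config before deployment catches the case where a daily index name would otherwise come out as a literal `${MM}` on every delivery.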

Enable IP and Login Substitution in blocklist return messages

For example:

setBlacklistIPRetMsg("Go away your IP {ip} is blacklisted")
setBlacklistLoginRetMsg("Go away your login {login} is blacklisted")

See the wforce.conf man page for more details.

Add config option to disable password for /metrics endpoint

Adding the following to wforce.conf or trackalert.conf:

setMetricsNoPassword()

will disable the password for the metrics endpoint.

See wforce.conf and trackalert.conf manpages for more details.

Support redis usernames and passwords for redis authentication

Redis authentication is supported with the following configuration in wforce.conf:

blacklistRedisUsername()
blacklistRedisPassword()
whitelistRedisUsername()
whitelistRedisPassword()

The username is optional, depending on whether a username is set in redis.

See wforce.conf manpage for more details.

Support hostnames for redis configuration in addition to IP addresses

The blacklistPersistDB() and whitelistPersistDB() configuration commands now accept hostnames as well as IP addresses.

v2.6.2

1 year ago

Release Notes for OX Abuse Shield 2.6.2

Bug Fixes/Changes

  • Better error checking in blacklist loading to prevent deadlock
  • Fix missing stub for setBlacklistIPRetMsg() Lua function
  • Fix trackalert crash when schedules are used before global Lua state is initialised
  • Return 401 with appropriate JSON instead of 404 when webserver ACL is used
  • New --loglevel flag to control the log level of stdout logging

Better error checking in blacklist loading to prevent deadlock

Under certain conditions (specifically, when Redis was reachable but not responding), the blacklist loading function would never return, causing a deadlock. This has been fixed.

Fix missing stub for setBlacklistIPRetMsg() Lua function

The setBlacklistIPRetMsg() Lua function was missing a stub, which meant that it could not be used. This has now been corrected.

Fix trackalert crash when schedules are used before global Lua state is initialised

Fixed an issue where trackalert would crash when a schedule was created which ran immediately, before the global Lua state was initialised.

Return 401 with appropriate JSON instead of 404 when webserver ACL is used

Fixed an issue where the webserver ACL was causing 404 errors instead of 401 errors. Now a 401 and an appropriate JSON message are returned.

New --loglevel flag to control the log level of stdout logging

Previously there was no way to control the loglevel of the stdout logging, which meant that even debug logging would be logged. Now there is a -l or --loglevel flag, which takes the value 0-7 (matching the syslog levels), and which defaults to 6 (infolog). This fix also applies to the built-in webserver, which only logs to stdout, and which previously only logged errors, but which now obeys this flag.

v2.6.1

2 years ago

Bug Fixes/Changes

  • Fix issue where wforce was complaining about not being able to create tmp file on startup
  • Fix timing issue whereby the webserver was not started before syncDB leading to syncDone failures
  • Use debian bullseye-slim in wforce docker image to save over 100MB in image size
  • Fix issue in wforce docker image where the default config file was overridden with a volume mount but not used

Fix Wforce complaint about not being able to create temporary files on startup

Wforce 2.6.x uses an HTTP library which creates temporary directories for file uploads on startup, by default in the current working directory, which for wforce is the config directory. For packaged installations of wforce this is /etc/wforce, which is typically not writable by wforce itself, leading to errors. This fix changes the directory for those temporary files to /tmp/wforce.

Fix timing issue with webserver and syncDB

In rare cases when starting up, the syncDB command could start, replicate from another wforce instance, and complete before the webserver had finished initializing. This would cause the syncDone command from the other wforce instance to fail. This fix forces wforce to wait until the webserver is ready before starting the syncDB checks.

Fix issue in wforce docker image where the default config file was overridden by a volume mount but not used

The wforce docker image documentation states that a volume mount can be used to specify a custom config file in /etc/wforce/wforce.conf, however this was not actually the case. The file was only used if the environment variable WFORCE_CONFIG_FILE was also set, which is incorrect, because that variable is only supposed to be used to specify a new location for the config file. This fix ensures that whenever a volume mount correctly mounts a custom /etc/wforce/wforce.conf file, it is both used, and a log message is output stating that it is being used.

v2.6.0

2 years ago

New Features

  • REST API supports TLS/HTTPS natively
  • Multiple REST API listeners can be configured
  • Outbound HTTPS connection TLS behaviour is configurable
  • Build on Debian Bullseye
  • Remove support for building on Debian Stretch

Bug Fixes/Changes

  • Fix issue where building of geoip2 functionality was dependent on legacy geoip library being installed

REST API Supports TLS/HTTPS natively

The webserver() configuration command is now deprecated, and is replaced with addListener(), which enables both TLS and non-TLS listeners to be created, as well as enabling multiple listeners to be created concurrently. The new command setWebserverPassword() is used to set the password for the REST API (previously this was set as part of the webserver() command).

An example listener without TLS:

  • addListener("0.0.0.0:8084", false, "", "", {})

An example listener with TLS:

  • addListener("1.2.3.4:1234", true, "/etc/wforce/cert.pem", "/etc/wforce/key.pem", {minimum_protocol="TLSv1.2"})

For more details, see the man page for wforce.conf.

Outbound HTTPS connection TLS behaviour is configurable

Various options for the configuration of outbound HTTPS connections are now supported, specifically:

  • Mutual TLS Authentication - setCurlClientCertAndKey() is used to specify the location of a client certificate and key for mTLS.
  • Using a different CA for checking server certificates - setCurlCABundleFile() is used to specify the location of a file containing the certificates to use for this purpose.
  • Disable checking peer certificates - disableCurlPeerVerification() disables checking of peer certificates (not recommended except for debugging).
  • Disable peer certificate hostname checking - disableCurlHostVerification() disables checking of the hostname in peer certificates (not recommended except for debugging).

Build on Debian Bullseye

Support for building on Debian Bullseye.

v2.4.1

2 years ago

Release Notes for OX Abuse Shield 2.4.1

New Features

  • Dynamic management of siblings via Lua functions and REST API
  • Optional per-sibling encryption keys
  • Packaging for Amazon Linux in pdns-builder

Bug Fixes/Changes

  • Fix issue where replication length bytes can be truncated causing syncDB problems

Dynamic Management of Siblings via Lua functions

Before this release, siblings could only be defined as part of the startup configuration; there was no way to add or remove siblings dynamically while wforce was running. With this release all sibling management functions in Lua can be used from the console to add/remove siblings at runtime. In addition, per-sibling encryption keys can optionally be specified.

The complete set of sibling management functions is as follows:

  • setSiblings()
  • setSiblingsWithKey() (New)
  • addSibling()
  • addSiblingWithKey() (New)
  • removeSibling() (New)

For full details, see the wforce.conf man page.

Dynamic Management of Siblings via REST API

New REST API endpoints enable siblings to be managed dynamically.

The new REST API endpoints are as follows:

  • /?command=addSibling
  • /?command=removeSibling
  • /?command=setSibling

For more details see the wforce OpenAPI specification, which is available at https://powerdns.github.io/weakforced/

Note that the REST API does not currently support TLS natively, so use of a HTTPS reverse proxy on localhost is strongly recommended when specifying per-sibling encryption keys.

Optional Per-Sibling Encryption Keys

All the methods of managing siblings (Lua or REST API) enable per-sibling encryption keys to be set. Encryption keys are 32-byte strings that are Base64 encoded before being passed to the sibling management functions or REST API.
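Because the key is passed as an opaque Base64 string, the one check worth doing before pushing it to a running instance is that it decodes to exactly 32 bytes. The following is an added operator-side helper, not part of wforce, that generates a key of the documented size and strictly validates one; it also covers the identical notes for the 2.4.1-rc1 and 2.4.1-alpha1 tags below. The key length and encoding come from the release note; the function names here are illustrative, and the exact argument order of addSiblingWithKey()/setSiblingsWithKey() is in the wforce.conf man page, not on this page.

```python
import base64
import binascii
import secrets

# Per-sibling replication keys are 32 raw bytes, Base64 encoded (2.4.1 notes).
KEY_BYTES = 32


def make_sibling_key() -> str:
    """Generate a fresh random key, Base64 encoded, ready for the Lua functions or REST API."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate_sibling_key(key_b64: str) -> bytes:
    """Strictly decode a Base64 key and require exactly 32 bytes.

    Raises ValueError for anything else, so a truncated or hand-edited key
    is rejected before it is handed to a running wforce instance.
    """
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key is not valid Base64: {exc}") from None
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected {KEY_BYTES}")
    return raw


def is_valid_sibling_key(key_b64: str) -> bool:
    """True if the string is a well-formed 32-byte key, False otherwise."""
    try:
        validate_sibling_key(key_b64)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = make_sibling_key()
    print(key, is_valid_sibling_key(key))
    # Constructed bad inputs: an 8-byte key, and a string that is not Base64.
    print(is_valid_sibling_key("dG9vc2hvcnQ="), is_valid_sibling_key("not base64!"))
```

Generating the key on the operator's workstation and validating it there keeps a malformed value from ever reaching the REST API, which matters because the 2.4.1 REST API carries it without TLS unless a reverse proxy is in front of it.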

v2.4.1-rc1

2 years ago

Release Notes for OX Abuse Shield 2.4.1 (Alpha1)

New Features

  • Dynamic management of siblings via Lua functions and REST API
  • Optional per-sibling encryption keys
  • Packaging for Amazon Linux in pdns-builder

Bug Fixes/Changes

  • None

Dynamic Management of Siblings via Lua functions

Before this release, siblings could only be defined as part of the startup configuration; there was no way to add or remove siblings dynamically while wforce was running. With this release all sibling management functions in Lua can be used from the console to add/remove siblings at runtime. In addition, per-sibling encryption keys can optionally be specified.

The complete set of sibling management functions is as follows:

  • setSiblings()
  • setSiblingsWithKey() (New)
  • addSibling()
  • addSiblingWithKey() (New)
  • removeSibling() (New)

For full details, see the wforce.conf man page.

Dynamic Management of Siblings via REST API

New REST API endpoints enable siblings to be managed dynamically.

The new REST API endpoints are as follows:

  • /?command=addSibling
  • /?command=removeSibling
  • /?command=setSibling

For more details see the wforce OpenAPI specification, which is available at https://powerdns.github.io/weakforced/

Note that the REST API does not currently support TLS natively, so use of a HTTPS reverse proxy on localhost is strongly recommended when specifying per-sibling encryption keys.

Optional Per-Sibling Encryption Keys

All the methods of managing siblings (Lua or REST API) enable per-sibling encryption keys to be set. Encryption keys are 32-byte strings that are Base64 encoded before being passed to the sibling management functions or REST API.

v2.4.1-alpha1

3 years ago

Release Notes for OX Abuse Shield 2.4.1 (Alpha1)

New Features

  • Dynamic management of siblings via Lua functions and REST API
  • Optional per-sibling encryption keys
  • Packaging for Amazon Linux in pdns-builder

Bug Fixes/Changes

  • None

Dynamic Management of Siblings via Lua functions

Before this release, siblings could only be defined as part of the startup configuration; there was no way to add or remove siblings dynamically while wforce was running. With this release all sibling management functions in Lua can be used from the console to add/remove siblings at runtime. In addition, per-sibling encryption keys can optionally be specified.

The complete set of sibling management functions is as follows:

  • setSiblings()
  • setSiblingsWithKey() (New)
  • addSibling()
  • addSiblingWithKey() (New)
  • removeSibling() (New)

For full details, see the wforce.conf man page.

Dynamic Management of Siblings via REST API

New REST API endpoints enable siblings to be managed dynamically.

The new REST API endpoints are as follows:

  • /?command=addSibling
  • /?command=removeSibling
  • /?command=setSibling

For more details see the wforce OpenAPI specification, which is available at https://powerdns.github.io/weakforced/

Note that the REST API does not currently support TLS natively, so use of a HTTPS reverse proxy on localhost is strongly recommended when specifying per-sibling encryption keys.

Optional Per-Sibling Encryption Keys

All the methods of managing siblings (Lua or REST API) enable per-sibling encryption keys to be set. Encryption keys are 32-byte strings that are Base64 encoded before being passed to the sibling management functions or REST API.