Releases: fail2ban/fail2ban
0.8.14 AKA take-care-of-the-elderly
- Fixes:
- minor fixes for claimed Python 2.4 and 2.5 compatibility
- Handle case when inotify watch is auto deleted on file deletion to stop error messages
- tests - fixed few "leaky" file descriptors when files were not closed while being removed physically
- grep in mail*-whois-lines.conf now also matches end of line to work with the recidive filter
0.9.0 Release
Fail2Ban Scope
Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private authentication mechanisms if you really want to protect services.
Changes
This 0.9.0 release includes a few major changes from the 0.8.12 branch.
Python version
The minimum supported Python version is now 2.6.
For the first time Python 3.2+ (via 2to3) and PyPy are also supported.
Database
A persistent database in sqlite3 format can be used; its default location is /var/lib/fail2ban/fail2ban.sqlite3. It allows active bans to be reinstated on restart, and log files are read from the last position after a restart.
Filters
Fail2ban filters can now support:
- filter patterns that span multiple lines.
- parameters passed from jail.conf
- custom date formats
- date/time log formats that specify a timezone are now parsed correctly. As such, Fail2ban can process logs of services that are running in a different timezone setting than Fail2ban. Sub-second granularity in log format is also parsed.
- systemd journal backend has been created. This has a dependency on python-systemd. To use journal matching in filters there is a "journalmatch" setting.
Because of these new filter features the following filters are now able to be added:
- Guacamole
- Kerio
- Stunnel
- Counter Strike
- Squirrelmail
- Tine20
Actions
Fail2ban actions can now support:
- multiple instances of the same action can be specified in the same jail
- actions can now be written in Python
- A timeout is possible for actions to prevent them blocking jail processing
- Standard output and error for command actions captured and logged on error or debug
New actions include:
- xarf-login-attack
- smtp.py
- badips.py
Users
Users can now specify an action in jail.local that applies to all configured jails.
[DEFAULT]
banaction = iptables-ipset
action = %(action_)s
banaction defines the firewall technology and action defines which of the ban/notification technologies to use. These are defined in jail.conf.
The distributor will have configured a paths-{distro}.conf. If you have configured a different path, this can be overridden in paths-overrides.local.
Encoding of log files can be specified, defaulting to the system locale.
Distributors
The jail.conf has been modified extensively to list only the filters. Variants with different actions and file paths have been removed.
One patch should be needed: changing jail.conf to reference the required paths-{distro}.conf.
There is now a separate file paths-{distro}.conf that contains the paths of the log files so hopefully this will be easier to maintain. Patches/additions here welcome.
Python-systemd is an optional dependency for systemd support.
Fail2Ban is now installed as a python module fail2ban.
Full changes:
0.8.12...0.9.0
0.8.13 Maintenance Release
This is a maintenance release from 0.8.12. It contains minor fixes in filters.
We recommend using 0.9 version as it includes all fixes from this release and more.
If you're still stuck on python-2.5 (or less), or want to keep a similar jail.conf configuration, you can still use this version.
A full list of changes is here: 0.8.12...0.8.13
0.8.12 Release
New bits:
Log rotation can now occur with the command "flushlogs" rather than reloading fail2ban or keeping the logtarget settings consistent in jail.conf/local and /etc/logrotate.d/fail2ban. (Debian bug #697333, Redhat bug #891798).
Added ignorecommand option for allowing dynamic determination of whether to ignore an IP or not.
Remove indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems. (Debian bug #730202). Log lines now also report "[PID]" after the name portion too.
Epoch dates can now be enclosed within []
New actions:
- badips
- firewallcmd-ipset
- ufw
- blocklist_de
New filters:
- solid-pop3d
- nsd
- openwebmail
- horde
- freeswitch
- squid
- ejabberd
- openwebmail
- groupoffice
Filter improvements:
- apache-noscript now includes php cgi scripts
- exim-spam filter to match spamassassin log entry for option SAdevnull.
- Added to sshd filter expression for "Received disconnect from : 3: Auth fail"
- Improved ACL-handling for Asterisk
- Added improper command pipelining to postfix filter.
General fixes:
- Added lots of jail.conf entries for missing filters that crept in over the last year.
- synchat changed to use push method which verifies whether all data was sent. This ensures that all data is sent before closing the connection.
- Fixed python 2.4 compatibility (as sub-second in date patterns weren't 2.4 compatible)
- Complain/email actions fixed to only include relevant IPs to reporting
Filter fixes:
- Added HTTP referrer bit of the apache access log to the apache filters.
- Apache 2.4 prefork regexes fixed
- Kernel syslog expression can have leading spaces
- allow for ",milliseconds" in the custom date format of proftpd.log
- recidive jail to block all protocols
- smtps is not an IANA standard so may be missing from /etc/services. Due to (still) common use, 465 has been used as the explicit port number
- Filter dovecot reordered session and TLS items in regex with wider scope for session characters
Ugly Fixes (Potentially incompatible changes):
Unfortunately, at the end of the last release, when the action firewall-cmd-direct-new was added, it was too long and had a broken action check. The action was renamed to firewallcmd-new to fit within the jail name length. (#395).
Last release added mysqld-syslog-iptables as a jail configuration. This jailname was too long and it has been renamed to mysqld-syslog.
Full changes:
0.8.11...0.8.12
0.8.11 Release
The 0.8.11 release is available at https://github.com/fail2ban/fail2ban/releases
In light of CVE-2013-2178, which triggered our last release, we have put significant effort into tightening all of the regexes of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario; however, it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexes, supporting previously unbanned failures and newer application versions too. We have test cases for most of these now; however, if you have other examples that demonstrate that a filter is insufficient, we welcome your feedback. During the tightening of the regexes to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue.
After we do this release we'll look at doing a 0.9.0alpha release that has a significant reworking of its back end to support multiline matches, true timezone support, and more flexibility for actions.
There is a full ChangeLog in the distribution.
As usual, for any bugs or enhancements feel free to tell us at https://github.com/fail2ban/fail2ban/issues.
For user support please use the mailing list http://sourceforge.net/p/fail2ban/mailman/fail2ban-users/ or the #fail2ban freenode IRC channel.
Your friendly fail2ban devs,
0.8.11.pre1 Prerelease to Package Maintainers
0.8.11 Prerelease to Package Maintainers
Dear package maintainers of fail2ban,
We are just about to release 0.8.11 and we'd like to check that everything is packaged as best as possible. After we do this release we'll look at doing a 0.9.0alpha release that has a significant reworking of its back end and time functions.
The 0.8.11 pre-release 1 is available at https://github.com/fail2ban/fail2ban/releases
Please give feedback via https://github.com/fail2ban/fail2ban/issues if there are issues that need to be addressed before the final release.
In light of CVE-2013-2178, which triggered our last release, we have put significant effort into tightening all of the regexes of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario; however, it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexes, supporting previously unbanned failures and newer application versions too. We have test cases for most of these now; however, if you have other examples that demonstrate that a filter is insufficient, we welcome your feedback. During the tightening of the regexes to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue.
There is a full ChangeLog in the distribution.
We believe the key factors for maintainers are:
- action.d/hostsdeny -- NOTE: new dependency 'ed'. Switched to use 'ed' across all platforms to ensure permissions are the same before and after a ban
- action.d/iptables-ipset* - there is proto4 and proto6 - you may want to remove the one(s) that don't apply (ipset -V to see which protocol ipset uses). Also selinux permissions for fail2ban to use the ipset kernel interface may be needed.
- files/redhat-initd - rewritten to use stock init.d functions thus avoiding problems with getpid. Also $network and iptables moved to Should- rc init fields
- filter.d/pam-generic and other pam regexes - Disabled support for linux-pam before version 0.99.2.0 (2005)
- The order of configuration file processing has changed to jail.conf, jail.d/.conf, jail.local, jail.d/.local (previously jail.conf, jail.local, jail.d/.conf, jail.d/.local). The same applies to the fail2ban configuration files (replace jail with fail2ban in the previous sentence), but we don't expect any problems (#392 (comment)).
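How the changed read order alters which file wins, as an added Python example (not fail2ban's own configuration reader, which also handles includes and interpolation). It assumes the jail.d entries in the list above mean the .conf and .local files inside jail.d/; the [sshd] jail, its values and 00_distro.conf are constructed sample data.

```python
import configparser
import glob
import os
import tempfile

# Read orders from the release note; later files override earlier ones.
# Assumption: the jail.d entries mean the *.conf / *.local files in jail.d/.
PREVIOUS_ORDER = ["jail.conf", "jail.local", "jail.d/*.conf", "jail.d/*.local"]
CURRENT_ORDER = ["jail.conf", "jail.d/*.conf", "jail.local", "jail.d/*.local"]

def read_chain(confdir, order):
    """Expand each pattern into existing files, sorted within a pattern."""
    files = []
    for pattern in order:
        files.extend(sorted(glob.glob(os.path.join(confdir, pattern))))
    return files

def effective(confdir, order, section, option):
    """Return (value, file that set it last) for one option."""
    value, origin = None, None
    for path in read_chain(confdir, order):
        parser = configparser.RawConfigParser()
        parser.read(path)
        if parser.has_option(section, option):
            value = parser.get(section, option)
            origin = os.path.relpath(path, confdir)
    return value, origin

def build_sample(confdir):
    """Constructed sample tree: three files disagree about [sshd] enabled."""
    os.makedirs(os.path.join(confdir, "jail.d"))
    samples = {
        "jail.conf": "[sshd]\nenabled = false\nmaxretry = 6\n",
        "jail.d/00_distro.conf": "[sshd]\nenabled = true\n",
        "jail.local": "[sshd]\nenabled = false\n",
    }
    for name, body in samples.items():
        with open(os.path.join(confdir, name), "w") as fh:
            fh.write(body)

def compare():
    """Resolve [sshd] enabled under both orders on the sample tree."""
    with tempfile.TemporaryDirectory() as confdir:
        build_sample(confdir)
        return {label: effective(confdir, order, "sshd", "enabled")
                for label, order in (("previous", PREVIOUS_ORDER), ("current", CURRENT_ORDER))}

if __name__ == "__main__":
    for label, (value, origin) in compare().items():
        print(f"{label}: enabled = {value} (set by {origin})")
```

On this sample the jail is enabled under the previous order and disabled under the current one, so after an upgrade it is worth checking which jails are actually active rather than relying on the files being unchanged.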
Filter changes that may affect user configured jails:
- filter.d/exim-spam.conf -- a splitout of exim's spam regexes that were in filter.d/exim.conf leaving exim.conf to contain just authentication failures
- lighttpd-fastcgi filter has been renamed to 'suhosin'
- filter.d/sasl filter has been renamed to filter.d/postfix-sasl
For the last two a symlink from the old name should provide compatibility.
We see that a lot of available packages include patches for different distribution-specific paths. If there are any good Python packaged programs that allow easy configuration of this let us know and we'll try to make this aspect easier for you.
We also acknowledge that the logpaths in jail.conf are very distribution specific and we will look into making their configuration simpler in the next release. Hopefully new jail.d/ and fail2ban.d/ directories will assist you with this so you could e.g. introduce a jail.d/00_{distro}.conf to define the local paths for logfiles e.g.:
[perdition]
logpath = /var/log/mail.log
Cheers,
Your friendly fail2ban devs,
wanna-be-secure: resolves possible DoS for apache jails
Primarily bugfix and enhancements release, triggered by "bugs" in
apache- filters. If you are relying on listed below apache- filters,
upgrade asap and seek your distributions to patch their fail2ban
distribution with [6ccd578].
- Fixes: Yaroslav Halchenko
- Enhancements
Yaroslav Halchenko
- jail.conf -- assure all jails have actions and remove unused ports specifications
Terence Namusonge
- config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
Daniel Black
- files/suse-initd -- update to the copy from stock SUSE
silviogarbes & Daniel Black
Just an alpha 1 of 0.9 branch development
0.9.0a1 Tagging 0.9 branch a1 for reasonable 'git describe' if done within it
wanna-be-stable: major improvements in tests battery
Originally targeted as a bugfix release, it incorporated many new
enhancements, few new features, and more importantly -- quite extended
tests battery with current 94% coverage (from 56% of 0.8.8).
This release introduces over 200 non-merge commits from 16
contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.
Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
Hendrikx, Yehuda Katz and other TBN heroes supporting users on
fail2ban-users mailing list and IRC.
- Fixes:
Yaroslav Halchenko
- [6f4dad4] python-2.4 is the minimal version.
- [1eb23cf] do not rely on scripts being under /usr -- might differ e.g. on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
- [bf4d4af] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh-103.
- [ab044b7] delay check for the existence of config directory until read.
- [3b4084d] fixing up for handling of TAI64N timestamps.
- [154aa38] do not shutdown logging until all jails stop.
- [f215660] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. Thanks to Jon Foster for report and troubleshooting.
Orion Poplawski
- [e4aedfd] pyinotify - use bitwise op on masks and do not try tracking newly created directories.
Nicolas Collignon
- [39667ff] Avoid leaking file descriptors. Closes gh-167.
Sergey Brester
- [b6bb2f8 and d17b415] invalid date recognition, irregular because of sorting template list.
Steven Hiscocks
- [7a442f0] When changing log target with python2.{4,5} handle KeyError. Closes gh-147, gh-148.
- [b6a68f5] Fix delaction on server side. Closes gh-124.
Daniel Black
- [f0610c0] Allow more than a one word command when changing an Action via the fail2ban-client. Closes gh-134.
- [945ad3d] Fix dates on email actions to work in different locales. Closes gh-70. Thanks to iGeorgeX for the idea.
blotus
- [96eb898] ' and " should also be escaped in action tags. Closes gh-109
Christoph Theis, Nick Hilliard, Daniel Black
- [b3bd877,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
- New features:
Yaroslav Halchenko
- [9ba2735] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} to provide additional flexibility to system administrators. Thanks to beilber for the idea. Closes gh-114.
- [3ce53e8] Add exim filter.
Erwan Ben Souiden
- [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh-166.
Artur Penttinen
- [29d0df5] Add mysqld filter. Closes gh-152.
ArndRaphael Brandes
- [bba3fd8] Add Sogo filter. Closes gh-117.
Michael Gebetsroither
- [f9b78ba] Add action route to block at routing level.
Teodor Micu & Yaroslav Halchenko
- [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
Daniel Black
- [be06b1b] Add action for iptables-ipsets. Closes gh-102.
Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
- [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports.
Soulard Morgan
- [f336d9f] Add filter for webmin. Closes gh-99.
Steven Hiscocks
- [..746c7d9] bash interactive shell completions for fail2ban-*'s
Nick Hilliard
- [0c5a9c5] Add pf action.
- Enhancements:
Enrico Labedzki
- [24a8d07] Added new date format for ASSP SMTP Proxy.
Steven Hiscocks
- [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172.
- [MANY] Improvements to test cases, travis, and code coverage (coveralls).
- [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
- [ce3ab34] Added ability to specify PID file.
Orion Poplawski
- [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh-142.
Yaroslav Halchenko
- [MANY] Lots of improvements to log messages, man pages and test cases.
- [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh-126. Bug report by Michael Heuberger.
- [40c5a2d] adding more of diagnostic messages into -client while starting the daemon.
- [8e63d4c] Compare against None with 'is' instead of '=='.
- [6fef85f] Strip CR and LF while analyzing the log line
Daniel Black
- [3aeb1a9] Add jail.conf manual page. Closes gh-143.
- [MANY] man page edits.
- [7cd6dab] Added help command to fail2ban-client.
- [c8c7b0b,23bbc60] Better logging of log file read errors.
- [3665e6d] Added code coverage to development process.
- [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes.
- [1d9abd1] Action files can have tags in definition that refer to other tags.
- [10886e7,cec5da2,adb991a] Change actions to respond with ICMP port unreachable rather than just a drop of the packet.
Pascal Borreli
- [a2b29b4] Fixed lots of typos in config files and documentation.
hamilton5
- [7ede1e8] Update dovecot filter config.
Romain Riviere
- [0ac8746] Enhance named-refused filter for views.
James Stout
- [..2143cdf] Solaris support enhancements:
- README.Solaris
- failregex'es tune ups (sshd.conf)
- hostsdeny: do not rely on support of '-i' in sed