Latest release

ver. 0.9.7 (2017/05/11) - awaiting-victory

@yarikoptic yarikoptic released this May 11, 2017 · 500 commits to 0.10 since this release

-----------

0.9.x line is no longer heavily developed.  If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.

* Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
* filter.d/sshd.conf
    - Fixed non-anchored part of failregex (misleading match of colon inside
      IPv6 address instead of `: ` in the reason-part by missing space, gh-1658)
      (0.10th resp. IPv6 relevant only, amend for gh-1479)
* config/pathes-freebsd.conf
    - Fixed filenames for apache and nginx log files (gh-1667)
* filter.d/exim.conf
    - optional part `(...)` after host-name before `[IP]` (gh-1751)
    - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
    - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh-1766)
* filter.d/sshd.conf
    - new aggressive rules (gh-864):
      - Connection reset by peer (multi-line rule during authorization process)
      - No supported authentication methods available
    - single line and multi-line expression optimized, added optional prefixes
      and suffix (logged from several ssh versions), according to gh-1206;
    - fixed expression received disconnect auth fail (optional space after port
      part, gh-1652)
      and suffix (logged from several ssh versions), according to gh-1206;
* filter.d/suhosin.conf
    - greedy catch-all before `<HOST>` fixed (potential vulnerability)
* filter.d/cyrus-imap.conf
    - accept entries without login-info resp. hostname before IP address (gh-1707)
* Filter tests extended with check of all config-regexp, that contains greedy catch-all
  before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`

* New Actions:
    - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)

* New Filters:
    - filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)

* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)

Downloads

ver. 0.9.6 (2016/12/10) - stretch-is-coming

@yarikoptic yarikoptic released this Dec 9, 2016 · 540 commits to 0.10 since this release

-----------

0.9.x line is no longer heavily developed.  If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.

* Misleading add resp. enable of (already available) jail in database, that
  induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
  (e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version,
  uses "fail2ban-python" now);
* Fixed test case "testSetupInstallRoot" for not default python version (also
  using direct call, out of virtualenv);
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/apache-modsecurity.conf`
    - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
      replaced for safer match, unneeded catch-all anchoring removed, non-capturing
* `filter.d/asterisk.conf`
    - Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/dovecot.conf`
    - Fixed failregex ignores failures through some not relevant info (gh-1623)
* `filter.d/ignorecommands/apache-fakegooglebot`
    - Fixed error within apache-fakegooglebot, that will be called
      with wrong python version (gh-1506)
* `filter.d/assp.conf`
    - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf`
    - Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf`
    - Optional reason part in message after FAIL LOGIN (gh-1543)
* `filter.d/sendmail-reject.conf`
    - removed mandatory double space (if dns-host available, gh-1579)
* filter.d/sshd.conf
    - recognized "Failed publickey for" (gh-1477);
    - optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
    - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
    - optional port part after host (see gh-1533, gh-1581)

* New Actions:
    - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
* New Filters:
    - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
      (gh-1586, gh-1606 and gh-1607)

* DateTemplate regexp extended with the word-end boundary, additionally to
  word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to
  python executable, where fail2ban currently installed (resp. its modules are located):
    - allows to use the same version, fail2ban currently running, e.g. in
      external scripts just via replace python with fail2ban-python:
      ```diff
      -#!/usr/bin/env python
      +#!/usr/bin/env fail2ban-python
      ```
    - always the same pickle protocol
    - the same (and also guaranteed available) fail2ban modules
    - simplified stand-alone install, resp. stand-alone installation possibility
      via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
  Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
  are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
  examples:
    - `backend = systemd[journalpath=/run/log/journal/machine-1]`
    - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
    - `backend = systemd[journalflags=2]`

Downloads

ver. 0.9.5 (2016/07/15) - old-not-obsolete

@yarikoptic yarikoptic released this Jul 15, 2016 · 619 commits to 0.10 since this release

0.9.x line is no longer heavily developed. If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.

Fixes

  • filter.d/monit.conf
    • Extended failregex with new monit "access denied" version (gh-1355)
    • failregex of previous monit version merged as single expression
  • filter.d/postfix.conf, filter.d/postfix-sasl.conf
    • Extended failregex daemon part, matching also postfix/smtps/smtpd
      now (gh-1391)
  • Fixed a grave bug within tags substitutions because of incorrect
    detection of recursion in case of multiple inline substitutions
    of the same tag (affected actions: bsd-ipfw, etc). Now tracks
    the actual list of the already substituted tags (per tag instead
    of single list)
  • filter.d/common.conf
    • Unexpected extra regex-space in generic __prefix_line (gh-1405)
    • All optional spaces normalized in common.conf, test covered now
    • Generic __prefix_line extended with optional brackets for the
      date ambit (gh-1421), added new parameter __date_ambit
  • gentoo-initd fixed --pidfile bug: --pidfile is option of
    start-stop-daemon, not argument of fail2ban (see gh-1434)
  • filter.d/asterisk.conf
    • Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
    • Improved log support for PJSIP and Asterisk 13+ with different
      callID (gh-1458)

New Features

  • New Actions:
    • action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging
      (gh-1367)
  • New filters:
    • slapd - ban hosts, that were failed to connect with invalid
      credentials: error code 49 (gh-1478)

Enhancements

  • Extreme speedup of all sqlite database operations (gh-1436),
    by using of following sqlite options:
    • (synchronous = OFF) write data through OS without syncing
    • (journal_mode = MEMORY) use memory for the transaction logging
    • (temp_store = MEMORY) temporary tables and indices are kept in memory
  • journald journalmatch for pure-ftpd (gh-1362)
  • Added additional regex filter for dovecot ldap authentication failures (gh-1370)
  • filter.d/exim*conf
    • Added additional regexes (gh-1371)
    • Made port entry optional

Downloads

0.10.0-alpha-1 (2016/07/14) - ipv6-support-etc

@sebres sebres released this Jul 14, 2016 · 479 commits to 0.10 since this release

ver. 0.10.0a1 (2016/07/14) - ipv6-support-etc

  • Fixes:
    • [grave] memory leak's fixed (gh-1277, gh-1234)
    • tricky bug fix: last position of log file will be never retrieved (gh-795),
      because of CASCADE all log entries will be deleted from logs table together with jail,
      if used "INSERT OR REPLACE" statement
    • asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
    • testSocket: sporadical bug repaired - wait for server thread starts a socket (listener)
    • testExecuteTimeoutWithNastyChildren: sporadical bug repaired - wait for pid file inside bash,
      kill tree in any case (gh-1155)
  • New Features:
    • IPv6 support:
      • IP addresses are now handled as objects rather than strings capable for
        handling both address types IPv4 and IPv6
      • iptables related actions have been amended to support IPv6 specific actions
        additionally
      • hostsdeny and route actions have been tested to be aware of v4 and v6 already
      • pf action for *BSD systems has been improved and supports now also v4 and v6
      • name resolution is now working for either address type
        • new conditional section functionality used in config resp. includes:
      • [Init?family=inet4] - IPv4 qualified hosts only
      • [Init?family=inet6] - IPv6 qualified hosts only
  • Enhancements:
    • huge increasing of fail2ban performance and especially test-cases performance (see gh-1109)
    • datedetector: in-place reordering using hits and last used time:
      matchTime, template list etc. rewritten because of performance degradation
    • prevent out of memory situation if many IP's makes extremely many failures (maxEntries)
    • introduced string to seconds (str2seconds) for configuration entries with time,
      use 1h instead of 3600, 1d instead of 86400, etc
    • seekToTime - prevent completely read of big files first time (after start of service),
      initial seek to start time using half-interval search algorithm (see issue gh-795)
    • ticket and some other modules prepared to easy merge with newest version of 'ban-time-incr'
    • cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name,
      especially for wrong dns or lazy dns-system
    • FailManager memory-optimization: increases performance,
      prevents memory leakage, because don't copy failures list on some operations
    • fail2ban-testcases - new options introduced:
      • -f, --fast to decrease wait intervals, avoid passive waiting, and skip
        few very slow test cases (implied memory database, see -m and no gamin tests -g)
      • -g, --no-gamin to prevent running of tests that require the gamin (slow)
      • -m, --memory-db - run database tests using memory instead of file
      • -i, --ignore - negate [regexps] filter to ignore tests matched specified regexps
    • background servicing: prevents memory leak on some platforms/python versions, using forced GC
      in periodic intervals (latency and threshold)
    • executeCmd partially moved from action to new module utils
    • several functionality of class DNSUtils moved to new class IPAddr,
      both classes moved to new module ipdns
    • pseudo-conditional section introduced, for conditional substitution resp.
      evaluation of parameters for different family qualified hosts,
      syntax [Section?family=inet6] (currently use for IPv6-support only).

ver. 0.9.5 - in-line part of 0.10.a1 release

  • Fixes:
    • filter.d/monit.conf
      • extended failregex with new monit "access denied" version (gh-1355);
      • failregex of previous monit version merged as single expression.
    • filter.d/postfix.conf, filter.d/postfix-sasl.conf
      • extended failregex daemon part, matching also postfix/smtps/smtpd now (gh-1391)
    • fixed a grave bug within tags substitutions because of incorrect detection of recursion
      in case of multiple inline substitutions of the same tag (affected actions: bsd-ipfw, etc).
      Now tracks the actual list of the already substituted tags (per tag instead of single list)
    • filter.d/common.conf
      • unexpected extra regex-space in generic __prefix_line (gh-1405)
      • all optional spaces normalized in common.conf, test covered now
      • generic __prefix_line extended with optional brackets for the date ambit (gh-1421),
        added new parameter __date_ambit
    • gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon,
      not argument of fail2ban (see gh-1434)
    • filter.d/asterisk.conf
      • fix security log support for PJSIP and Asterisk 13+ (gh-1456)
      • improved log support for PJSIP and Asterisk 13+ with different callID (gh-1458)
  • New Features:
    • New Actions:
      • action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367)
  • Enhancements:
    • Extreme speedup of all sqlite database operations (gh-1436),
      by using of following sqlite options:
      • (synchronous = OFF) write data through OS without syncing
      • (journal_mode = MEMORY) use memory for the transaction logging
      • (temp_store = MEMORY) temporary tables and indices are kept in memory
    • journald journalmatch for pure-ftpd (gh-1362)
    • Add additional regex filter for dovecot ldap authentication failures (gh-1370)
    • filter.d/exim*conf
      • added additional regexes (gh-1371)
      • made port entry optional

Downloads

0.9.4 (2016/03/08) - for-you-ladies

@yarikoptic yarikoptic released this Mar 8, 2016 · 719 commits to 0.10 since this release

  • Fixes:
    • roundcube-auth jail typo for logpath
    • Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
    • filter.d/apache-badbots.conf
      • Updated useragent string regex adding escape for +
    • filter.d/mysqld-auth.conf
      • Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
    • filter.d/sshd.conf
      • Updated "Auth fail" regex for OpenSSH 5.9 and later
    • Treat failed and killed execution of commands identically (only
      different log messages), which addresses different behavior on different
      exit codes of dash and bash (gh-1155)
    • Fix jail.conf.5 man's section (gh-1226)
    • Fixed default banaction for allports jails like pam-generic, recidive, etc
      with new default variable banaction_allports (gh-1216)
    • Fixed fail2ban-regex stops working on invalid (wrong encoded) character
      for python version < 3.x (gh-1248)
    • Use postfix_log logpath for postfix-rbl jail
    • filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
    • use fail2ban_agent as user-agent in actions badips, blocklist_de, etc (gh-1271)
    • Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
    • Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
    • Removed compression and rotation count from logrotate (inherit them from
      the global logrotate config)
  • New Features:
    • New interpolation feature for definition config readers - <known/parameter>
      (means last known init definition of filters or actions with name parameter).
      This interpolation makes possible to extend a parameters of stock filter or
      action directly in jail inside jail.local file, without creating a separately
      filter.d/*.local file.
      As extension to interpolation %(known/parameter)s, that does not works for
      filter and action init parameters
    • New actions:
      • nftables-multiport and nftables-allports - filtering using nftables
        framework. Note: it requires a pre-existing chain for the filtering rule.
    • New filters:
      • openhab - domotic software authentication failure with the
        rest api and web interface (gh-1223)
      • nginx-limit-req - ban hosts, that were failed through nginx by limit
        request processing rate (ngx_http_limit_req_module)
      • murmur - ban hosts that repeatedly attempt to connect to
        murmur/mumble-server with an invalid server password or certificate.
      • haproxy-http-auth - filter to match failed HTTP Authentications against a
        HAProxy server
    • New jails:
      • murmur - bans TCP and UDP from the bad host on the default murmur port.
    • sshd filter got new failregex to match "maximum authentication
      attempts exceeded" (introduced in openssh 6.8)
    • Added filter for Mac OS screen sharing (VNC) daemon
  • Enhancements:
    • Do not rotate empty log files
    • Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
      http://bugs.debian.org/798923
    • Added openSUSE path configuration (Thanks Johannes Weberhofer)
    • Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
    • Added a timeout (3 sec) to urlopen within badips.py action
      (Thanks M. Maraun)
    • Added check against atacker's Googlebot PTR fake records
      (Thanks Pablo Rodriguez Fernandez)
    • Enhance filter against atacker's Googlebot PTR fake records
      (gh-1226)
    • Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
    • Added filter for openhab domotic software authentication failure with the
      rest api and web interface (gh-1223)
    • Add *_backend options for services to allow distros to set the default
      backend per service, set default to systemd for Fedora as appropriate
    • Performance improvements while monitoring large number of files (gh-1265).
      Use associative array (dict) for monitored log files to speed up lookup
      operations. Thanks @kshetragia
    • Specified that fail2ban is PartOf iptables.service firewalld.service in
      .service file -- would reload fail2ban if those services are restarted
    • Provides new default fail2ban_version and interpolation variable
      fail2ban_agent in jail.conf
    • Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
      and to support multiple instances of postfix having varying suffix (gh-1331)
      (Thanks Tom Hendrikx)
    • files/gentoo-initd to use start-stop-daemon to robustify restarting the service

Downloads