Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:42.1:Update
fail2ban
fail2ban.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fail2ban.changes of Package fail2ban
------------------------------------------------------------------- Thu Mar 10 14:09:51 UTC 2016 - jweberhofer@weberhofer.at - Mark /etc/fail2ban/fail2ban.conf as noreplace. ------------------------------------------------------------------- Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at - Removed patch: fail2ban-exclude-dev-log-tests.patch - Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch - rebased other patches - Defined services which per default uses systemd logger - Provide /usr/sbin/rcfail2ban also on systemd based distros - All files in /etc/fail2ban/ except jail.local are now automatically replaced upon installation of fail2ban - The update to this versions allow to close boo#917818, as the logger-backends for several services are now centrally set in /etc/fail2ban/paths-opensuse.conf - Update to version 0.9.4 New Features: * New interpolation feature for definition config readers - `<known/parameter>` (means last known init definition of filters or actions with name `parameter`). This interpolation makes possible to extend a parameters of stock filter or action directly in jail inside jail.local file, without creating a separately filter.d/*.local file. As extension to interpolation `%(known/parameter)s`, that does not works for filter and action init parameters * New actions: - nftables-multiport and nftables-allports - filtering using nftables framework. Note: it requires a pre-existing chain for the filtering rule. * New filters: - openhab - domotic software authentication failure with the rest api and web interface (gh-1223) - nginx-limit-req - ban hosts, that were failed through nginx by limit request processing rate (ngx_http_limit_req_module) - murmur - ban hosts that repeatedly attempt to connect to murmur/mumble-server with an invalid server password or certificate. - haproxy-http-auth - filter to match failed HTTP Authentications against a HAProxy server * New jails: - murmur - bans TCP and UDP from the bad host on the default murmur port. * sshd filter got new failregex to match "maximum authentication attempts exceeded" (introduced in openssh 6.8) * Added filter for Mac OS screen sharing (VNC) daemon Enhancements: * Do not rotate empty log files * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59) http://bugs.debian.org/798923 * Added openSUSE path configuration (Thanks Johannes Weberhofer) * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197) * Added a timeout (3 sec) to urlopen within badips.py action (Thanks M. Maraun) * Added check against atacker's Googlebot PTR fake records (Thanks Pablo Rodriguez Fernandez) * Enhance filter against atacker's Googlebot PTR fake records (gh-1226) * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237) * Added filter for openhab domotic software authentication failure with the rest api and web interface (gh-1223) * Add *_backend options for services to allow distros to set the default backend per service, set default to systemd for Fedora as appropriate * Performance improvements while monitoring large number of files (gh-1265). Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia * Specified that fail2ban is PartOf iptables.service firewalld.service in .service file -- would reload fail2ban if those services are restarted * Provides new default `fail2ban_version` and interpolation variable `fail2ban_agent` in jail.conf * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, and to support multiple instances of postfix having varying suffix (gh-1331) (Thanks Tom Hendrikx) * files/gentoo-initd to use start-stop-daemon to robustify restarting the service Fixes: * roundcube-auth jail typo for logpath * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164) * filter.d/apache-badbots.conf - Updated useragent string regex adding escape for `+` * filter.d/mysqld-auth.conf gg - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332) * filter.d/sshd.conf - Updated "Auth fail" regex for OpenSSH 5.9 and later * Treat failed and killed execution of commands identically (only different log messages), which addresses different behavior on different exit codes of dash and bash (gh-1155) * Fix jail.conf.5 man's section (gh-1226) * Fixed default banaction for allports jails like pam-generic, recidive, etc with new default variable `banaction_allports` (gh-1216) * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character for python version < 3.x (gh-1248) * Use postfix_log logpath for postfix-rbl jail * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271) * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now) * Removed compression and rotation count from logrotate (inherit them from the global logrotate config) ------------------------------------------------------------------- Thu Feb 4 15:50:38 UTC 2016 - jweberhofer@weberhofer.at - Require python-systemd for openSUSE 12.3+ - Cleaned up the spec file - Added /run/fail2ban for openSUSE 13.2+ - Don't fail on test-errors ------------------------------------------------------------------- Wed Sep 23 10:10:17 UTC 2015 - jweberhofer@weberhofer.at - Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch to fix the former failing test and removed fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch - Do not longer create test-package. Developers should not use the packaged version of fail2ban. ------------------------------------------------------------------- Mon Sep 7 09:45:56 UTC 2015 - jweberhofer@weberhofer.at - patches are no longer included conditionally ------------------------------------------------------------------- Mon Sep 7 06:54:33 UTC 2015 - jweberhofer@weberhofer.at - fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch excludes the ExecuteTimeoutWithNastyChildren test, as it doesn't run correctly on openSUSE. - fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for older releases. - Update to version 0.9.3 - IMPORTANT incompatible changes: * filter.d/roundcube-auth.conf - Changed logpath to 'errors' log (was 'userlogins') * action.d/iptables-common.conf - All calls to iptables command now use -w switch introduced in iptables 1.4.20 (some distribution could have patched their earlier base version as well) to provide this locking mechanism useful under heavy load to avoid contesting on iptables calls. If you need to disable, define 'action.d/iptables-common.local' with empty value for 'lockingopt' in `[Init]` section. * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines actions now include by default only the first 1000 log lines in the emails. Adjust <grepopts> to augment the behavior. - Fixes: * reload in interactive mode appends all the jails twice (gh-825) * reload server/jail failed if database used (but was not changed) and some jail active (gh-1072) * filter.d/dovecot.conf - also match unknown user in passwd-file. Thanks Anton Shestakov * Fix fail2ban-regex not parsing journalmatch correctly from filter config * filter.d/asterisk.conf - fix security log support for Asterisk 12+ * filter.d/roundcube-auth.conf - Updated regex to work with 'errors' log (1.0.5 and 1.1.1) - Added regex to work with 'userlogins' log * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override locale on systems with customized LC_ALL * performance fix: minimizes connection overhead, close socket only at communication end (gh-1099) * unbanip always deletes ip from database (independent of bantime, also if currently not banned or persistent) * guarantee order of dbfile to be before dbpurgeage (gh-1048) * always set 'dbfile' before other database options (gh-1050) * kill the entire process group of the child process upon timeout (gh-1129). Otherwise could lead to resource exhaustion due to hanging whois processes. * resolve /var/run/fail2ban path in setup.py to help installation on platforms with /var/run -> /run symlink (gh-1142) - New Features: * RETURN iptables target is now a variable: <returntype> * New type of operation: pass2allow, use fail2ban for "knocking", opening a closed port by swapping blocktype and returntype * New filters: - froxlor-auth - Thanks Joern Muehlencord - apache-pass - filter Apache access log for successful authentication * New actions: - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires manual pre-configuration of the shorewall. See the action file for detail. * New jails: - pass2allow-ftp - allows FTP traffic after successful HTTP authentication - Enhancements: * action.d/cloudflare.conf - improved documentation on how to allow multiple CF accounts, and jail.conf got new compound action definition action_cf_mwl to submit cloudflare report. * Check access to socket for more detailed logging on error (gh-595) * fail2ban-testcases man page * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add HEAD method verb * Revamp of Travis and coverage automated testing * Added a space between IP address and the following colon in notification emails for easier text selection * Character detection heuristics for whois output via optional setting in mail-whois*.conf. Thanks Thomas Mayer. Not enabled by default, if _whois_command is set to be %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local), it - detects character set of whois output (which is undefined by RFC 3912) via heuristics of the file command - converts whois data to UTF-8 character set with iconv - sends the whois output in UTF-8 character set to mail program - avoids that heirloom mailx creates binary attachment for input with unknown character set ------------------------------------------------------------------- Thu Jul 2 06:38:00 UTC 2015 - jweberhofer@weberhofer.at - Note: fail2ban-issue_906-strptime.patch has been removed as it is already integrated in the current version. ------------------------------------------------------------------- Mon Jun 8 13:27:00 UTC 2015 - jweberhofer@weberhofer.at - Removed "backend" setting from paths-opensuse.conf ------------------------------------------------------------------- Fri May 8 14:01:31 UTC 2015 - jweberhofer@weberhofer.at - Update to version 0.9.2 (requested in boo#917818) Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog Here are some notes to be read when updating existing installations: The default log-backend for openssue 13.2+ is now systemd * jail.conf was heavily refactored and now is similar to how it looked on Debian systems: - default action could be configured once for all jails - jails definitions only provide customizations (port, logpath) - no need to specify 'filter' if name matches jail name * Added fail2ban persistent database - default location at /var/lib/fail2ban/fail2ban.sqlite3 - allows active bans to be reinstated on restart - log files read from last position after restart * Added systemd journal backend - Dependency on python-systemd - New "journalmatch" option added to filter configs files - New "systemd-journal" option added to fail2ban-regex * Support %z (Timezone offset) and %f (sub-seconds) support for datedetector. Enhanced existing date/time have been updated patterns to support these. ISO8601 now defaults to localtime unless specified otherwise. Some filters have been change as required to capture these elements in the right timezone correctly. * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR. * Optionally can read log files starting from "head" or "tail". See "logpath" option in jail.conf(5) man page. * Can now set log encoding for files per jail.Default uses systemd locale. * iptables-common.conf replaced iptables-blocktype.conf (iptables-blocktype.local should still be read) and now also provides defaults for the chain, port, protocol and name tags - Require whois - Whereever possible, path-definitions have been moved paths-opensuse.conf which has been submittet upstream - Use default fail2ban.service including fail2ban-opensuse-service.patch - Use default suse-initd from upstream - Run test-cases during build - run fdupes - Tests have been moved to a seperate page - Added rpmlintrc file to ignore some hidden files in the test package - Must build arch-depended packages for SLES 11 - Removed two tests which can't run on the build server with openSUSE before 13.3: fail2ban-exclude-dev-log-tests.patch ------------------------------------------------------------------- Tue Apr 14 07:10:43 UTC 2015 - mpluskal@suse.com - Add missing dependency on ed (boo#926943) ------------------------------------------------------------------- Wed Jan 21 21:00:48 UTC 2015 - jweberhofer@weberhofer.at - Fixed strptime thread safety issue. fail2ban-issue_906-strptime.patch (bnc#914075 gh#fail2ban/fail2ban#906) ------------------------------------------------------------------- Tue Nov 25 11:36:13 UTC 2014 - jweberhofer@weberhofer.at - Added syslog to requirements, as this version of fail2ban does not work with systemd-logging: bnc#905733 ------------------------------------------------------------------- Fri Oct 17 09:44:12 UTC 2014 - jengelh@inai.de - Recommend installation of the ordering package when all constituing parts are installed ------------------------------------------------------------------- Thu Aug 21 16:50:20 UTC 2014 - jweberhofer@weberhofer.at - Fixed check for %_unitdir to make fail2ban build under older systems, too. - Changed /usr to %{_prefix} in the spec file ------------------------------------------------------------------- Wed Aug 20 15:44:54 UTC 2014 - jweberhofer@weberhofer.at - update to 0.8.14 * minor fixes for claimed Python 2.4 and 2.5 compatibility * Handle case when inotify watch is auto deleted on file deletion to stop error messages * tests - fixed few "leaky" file descriptors when files were not closed while being removed physically * grep in mail*-whois-lines.conf now also matches end of line to work with the recidive filter - add fail2ban-opensuse-locations.patch to fix default locations as suggested in bnc#878028 ------------------------------------------------------------------- Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de - update to 0.8.13: + Fixes: - action firewallcmd-ipset had non-working actioncheck. Removed. redhat bug #1046816. - filter pureftpd - added _daemon which got removed. Added + New Features: - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23). + Enhancements: - filter asterisk now supports syslog format - filter pureftpd - added all translations of "Authentication failed for user" - filter dovecot - lip= was optional and extended TLS errors can occur. Thanks Noel Butler. - removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed upstream - split out nagios-plugins-fail2ban package ------------------------------------------------------------------- Tue Feb 18 00:03:12 UTC 2014 - jengelh@inai.de - Add a new subpackage to install systemd drop-ins that couple SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf, f2b-restart.conf. ------------------------------------------------------------------- Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at Security note: The update to version 0.8.11 has fixed two additional security issues: A remote unauthenticated attacker may cause arbitrary IP addresses to be blocked by Fail2ban causing legitimate users to be blocked from accessing services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176 (postfix) ------------------------------------------------------------------- Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at - action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816 - lsof was required for fail2ban's SysVinit scripts only. Not longer used for newer versions of openSUSE ------------------------------------------------------------------- Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at - Reviewed and fixed github references in the changelog ------------------------------------------------------------------- Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at - Use new flushlogs syntax after logrotate ------------------------------------------------------------------- Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at - Update to version 0.8.12 * Log rotation can now occur with the command "flushlogs" rather than reloading fail2ban or keeping the logtarget settings consistent in jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798). * Added ignorecommand option for allowing dynamic determination as to ignore and IP or not. * Remove indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems. (dep#730202). Log lines now also report "[PID]" after the name portion too. * Epoch dates can now be enclosed within [] * New actions: badips, firewallcmd-ipset, ufw, blocklist_de * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid, ejabberd, openwebmail, groupoffice * Filter improvements: - apache-noscript now includes php cgi scripts - exim-spam filter to match spamassassin log entry for option SAdevnull. - Added to sshd filter expression for "Received disconnect from : 3: Auth fail" - Improved ACL-handling for Asterisk - Added improper command pipelining to postfix filter. * General fixes: - Added lots of jail.conf entries for missing filters that creaped in over the last year. - synchat changed to use push method which verifies whether all data was send. This ensures that all data is sent before closing the connection. - Fixed python 2.4 compatibility (as sub-second in date patterns weren't 2.4 compatible) - Complain/email actions fixed to only include relevant IPs to reporting * Filter fixes: - Added HTTP referrer bit of the apache access log to the apache filters. - Apache 2.4 perfork regexes fixed - Kernel syslog expression can have leading spaces - allow for ",milliseconds" in the custom date format of proftpd.log - recidive jail to block all protocols - smtps not a IANA standard so may be missing from /etc/services. Due to (still) common use 465 has been used as the explicit port number - Filter dovecot reordered session and TLS items in regex with wider scope for session characters * Ugly Fixes (Potentially incompatible changes): - Unfortunately at the end of last release when the action firewall-cmd-direct-new was added it was too long and had a broken action check. The action was renamed to firewallcmd-new to fit within jail name name length. (gh#fail2ban/fail2ban#395). - Last release added mysqld-syslog-iptables as a jail configuration. This jailname was too long and it has been renamed to mysqld-syslog. - Fixed formating of github references in changelog - reformatted spec-file ------------------------------------------------------------------- Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at - Update to version 0.8.11 - In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexs of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario however it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexs supporting previously unbanned failures and support newer application versions too. We have test cases for most of these now however if you have other examples that demonstrate that a filter is insufficient we welcome your feedback. During the tightening of the regexs to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue. ------------------------------------------------------------------- Sat Sep 21 11:38:29 UTC 2013 - schuetzm@gmx.net - Added systemd service file and systemd-tmpfiles configuration ------------------------------------------------------------------- Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at - Update to version 0.8.10 Primarily bugfix and enhancements release, triggered by "bugs" in apache- filters. If you are relying on listed below apache- filters, upgrade asap and seek your distributions to patch their fail2ban distribution with [6ccd5781]. The bug's decription can be found in https://vndh.net/note:fail2ban-089-denial-service - Fixes * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor failregex at the beginning (and where applicable at the end). Addresses a possible DoS. Closes gh#fail2ban/fail2ban#248, bnc#824710 * action.d/{route,shorewall}.conf - blocktype must be defined within [Init]. Closes gh#fail2ban/fail2ban#232 - Enhancements * jail.conf -- assure all jails have actions and remove unused ports specifications * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ * files/suse-initd -- update to the copy from stock SUSE * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227, gh#fail2ban/fail2ban#230. * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh#fail2ban/fail2ban#244. ------------------------------------------------------------------ Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at - Included logrotate configuration for fail2ban ------------------------------------------------------------------- Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at - Init-Script does no longer require $syslog to be started as file-base logging is the default. Synced with Debian script. - Upgrade to version 0.8.9 - Fixes: Yaroslav Halchenko * [6f4dad46] python-2.4 is the minimal version. * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the bug report. * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh#fail2ban/fail2ban#103. * [ab044b75] delay check for the existence of config directory until read. * [3b4084d4] fixing up for handling of TAI64N timestamps. * [154aa38e] do not shutdown logging until all jails stop. * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and troubleshooting. Orion Poplawski * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories. Nicolas Collignon * [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167. Sergey Brester * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list. Steven Hiscocks * [7a442f07] When changing log target with python2.{4,5} handle KeyError. Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148. * [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124. Daniel Black * [f0610c01] Allow more that a one word command when changing and Action via the fail2ban-client. Closes gh#fail2ban/fail2ban#134. * [945ad3d9] Fix dates on email actions to work in different locals. Closes gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea. blotus * [96eb8986] ' and " should also be escaped in action tags Closes gh#fail2ban/fail2ban#109 Christoph Theis, Nick Hilliard, Daniel Black * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD - New features: Yaroslav Halchenko * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} to provide additional flexibility to system adminstrators. Thanks to beilber for the idea. Closes gh#fail2ban/fail2ban#114. * [3ce53e87] Add exim filter. Erwan Ben Souiden * [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh#fail2ban/fail2ban#166. Artur Penttinen * [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152. ArndRaphael Brandes * [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117. Michael Gebetsriother * [f9b78ba] Add action route to block at routing level. Teodor Micu & Yaroslav Halchenko * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. Daniel Black * [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102. Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk * [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports. Soulard Morgan * [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99. Steven Hiscocks * [..746c7d9] bash interactive shell completions for fail2ban-*'s Nick Hilliard * [0c5a9c5] Add pf action. - Enhancements: Enrico Labedzki * [24a8d07] Added new date format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh#fail2ban/fail2ban#172. * [MANY] Improvements to test cases, travis, and code coverage (coveralls). * [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124. * [ce3ab34] Added ability to specify PID file. Orion Poplawski * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh#fail2ban/fail2ban#142. Yaroslav Halchenko * [MANY] Lots of improvements to log messages, man pages and test cases. * [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger. * [40c5a2d] adding more of diagnostic messages into -client while starting the daemon. * [8e63d4c] Compare against None with 'is' instead of '=='. * [6fef85f] Strip CR and LF while analyzing the log line Daniel Black * [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143. * [MANY] man page edits. * [7cd6dab] Added help command to fail2ban-client. * [c8c7b0b,23bbc60] Better logging of log file read errors. * [3665e6d] Added code coverage to development process. * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes. * [1d9abd1] Action files can have tags in definition that refer to other tags. * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port unreachable rather than just a drop of the packet. Pascal Borreli * [a2b29b4] Fixed lots of typos in config files and documentation. hamilton5 * [7ede1e8] Update dovecot filter config. Romain Riviere * [0ac8746] Enhance named-refused filter for views. James Stout * [..2143cdf] Solaris support enhancements: - README.Solaris - failregex'es tune ups (sshd.conf) - hostsdeny: do not rely on support of '-i' in sed ------------------------------------------------------------------- Thu Dec 6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at One of the important changes is escaping of the <matches> content -- so if you crafted some custom action which uses it -- you must upgrade, or you would be at a significant security risk. - Fixes: Alan Jenkins * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64 Yaroslav Halchenko * [83109bc] IMPORTANT: escape the content of <matches> (if used in custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh#fail2ban/fail2ban#83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages in the console. Close gh#fail2ban/fail2ban#91 - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching the log file to take 'banip' or 'unbanip' in effect. Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86 - Enhancements: * [2d66f31] replaced uninformative "Invalid command" message with warning log exception why command actually failed * [958a1b0] improved failregex to "support" auth.backend = "htdigest" * [9e7a3b7] until we make it proper module -- adjusted sys.path only if system-wide run * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh#fail2ban/fail2ban#79 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00 for this gh#fail2ban/fail2ban#87) * Various others: travis-ci integration, script to run tests against all available Python versions, etc ------------------------------------------------------------------- Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at - Fixed initscript as discussed in bnc#790557 ------------------------------------------------------------------- Wed Oct 3 09:53:40 UTC 2012 - meissner@suse.com - use Source URL pointing to github ------------------------------------------------------------------- Tue Oct 2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at - Do not longer replace main config-files - Use variables for directories in spec file ------------------------------------------------------------------- Tue Oct 2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at - Added dependencies to python-pyinotifyi, python-gamin and iptables ------------------------------------------------------------------- Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at - Upgraded to version 0.8.7.1 - Yaroslav Halchenko * [e9762f3] Removed sneaked in comment on sys.path.insert Tom Hendrikx & Jeremy Olexa * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. See http://forums.gentoo.org/viewtopic-t-899018.html - Chris Reffett * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, rather than just one failure. - Yaroslav Halchenko * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf * [ed16ecc] enforce "ip" field returned as str, not unicode so that log message stays non-unicode. Close gh#fail2ban/fail2ban#32 * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if already present in the pattern * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66) * [80b191c] anchor grep regexp in actioncheck to not match partial names of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) - New features: - François Boulogne * [a7cb20e..] add lighttpd-auth filter/jail - Lee Clemens & Yaroslav Halchenko * [e442503] pyinotify backend (default if backend='auto' and pyinotify is available) * [d73a71f,3989d24] usedns parameter for the jails to allow disabling use of DNS - Tom Hendrikx * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban repeated offenders. Close gh#fail2ban/fail2ban#19 - Xavier Devlamynck * [7d465f9..] Add asterisk support - Zbigniew Jedrzejewski-Szmek * [de502cf..] allow running fail2ban as non-root user (disabled by default) via xt_recent. See doc/run-rootless.txt - Enhancements - Lee Clemens * [47c03a2] files/nagios - spelling/grammar fixes * [b083038] updated Free Software Foundation's address * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 * [642d9af,3282f86] reformated printing of jail's name to be consistent with init's info messages * [3282f86] uniform use of capitalized Jail in the messages - Leonardo Chiquitto * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf to reflect code * [a7d47e8] Update Free Software Foundation's address - Petr Voralek * [4007751] catch failed ssh logins due to being listed in DenyUsers. Close gh#fail2ban/fail2ban#47 (Closes: #669063) - Yaroslav Halchenko * [MANY] extended and robustified unittests: test different backends * [d9248a6] refactored Filter's to avoid duplicate functionality * [7821174] direct users to issues on github * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by default with -v to control verbosity * [b4099da] adjusted header for config/*.conf to mention .local and way to comment (Thanks Stefano Forli for the note) * [6ad55f6] added failregex for wu-ftpd to match against syslog instead of DoS-prone auth.log's rhost (Closes: #514239) * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for sshd filter (Closes: #648020) - Yehuda Katz & Yaroslav Halchenko * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers ------------------------------------------------------------------- Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de - Adding to fail2ban.init remove of pid and sock files on stop in case not removed before (prevents start fail) ------------------------------------------------------------------- Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at - Update to version 0.8.6. containing various fixes and enhancements ------------------------------------------------------------------- Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com - Update to version 0.8.5: many bug fixes, enhancements and, as a bonus, drop two patches that are now upstream - Update FSF address to silent rpmlint warnings - Drop stale socket files on startup (bnc#537239, bnc#730044) ------------------------------------------------------------------- Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de - Apply packaging guidelines (remove redundant/obsolete tags/sections from specfile, etc.) ------------------------------------------------------------------- Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com - Use /var/run/fail2ban instead of /tmp for temp files in actions: see bugs.debian.org/544232, bnc#690853, CVE-2009-5023 ------------------------------------------------------------------- Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com - Use $FAIL2BAN_OPTIONS when starting (bnc#662495) - Clean up sysconfig file ------------------------------------------------------------------- Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org - Use O_CLOEXEC on fds (patch from Fedora) ------------------------------------------------------------------- Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com - Create /var/run/fail2ban during startup to support systems that mount /var/run as tmpfs - Build package as noarch - Spec file cleanup: fix a couple of rpmlint warnings - Init script: look for fail2ban-server when checking if the daemon is running ------------------------------------------------------------------- Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com - Update to version 0.8.4. Important changes: * New "Ban IP" command * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve * Fixed the 'unexpected communication error' problem * Remove socket file on startup if fail2ban crashed (bnc#537239) ------------------------------------------------------------------- Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de - Initial version: 0.8.3
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor