Overview Repositories Revisions Requests Users Attributes Meta

Revisions of fail2ban

Yuchen Lin's avatar Yuchen Lin (maxlin_factory) accepted request 677464 from Johannes Weberhofer's avatar Johannes Weberhofer (weberho) (revision 54) 
- ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four
  * https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog
- Fixes
  * `filter.d/dovecot.conf`: 
    - failregex enhancement to catch sql password mismatch errors (gh-2153);
    - disconnected with "proxy dest auth failed" (gh-2184);
  * `filter.d/freeswitch.conf`:
    - provide compatibility for log-format from gh-2193:
      * extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
        `YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
      * more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
    - extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
      (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
      how to set it to mode `normal`.
  * `filter.d/domino-smtp.conf`:
    - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
    - failregex extended to catch connections rejected for policy reasons (gh-2228);
  * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected 
    and don't allowed in command-actions), see gh-2114;
  * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
    - fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
      `UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors;
    - actions: avoid possible conversion errors on wrong-chars by replace tags;
    - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
      additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
    - logging in fail2ban is process-wide exception-safe now.
  * repaired start-time of initial seek to time (as well as other log-parsing related data), 
    if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
  * systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
- New Features
  * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`, 
    `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
  * `ignorecommand` extended to use actions-similar replacement (capable to interpolate 
    all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)
- Enhancements
  * `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
  * since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
    additionally option `-V` can be used to get version in normalized machine-readable short format.
- rebase patches
  * fail2ban-opensuse-locations.patch
  * fail2ban-opensuse-service.patch
- add signature file
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 578362 from Johannes Weberhofer's avatar Johannes Weberhofer (weberho) (revision 52) 
- Updated to version 0.10.2. Changelog:
  https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
- rebased patch
- Incompatibility list (compared to v.0.9):
  * Filter (or `failregex`) internal capture-groups:
    - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
      rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
      (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
      Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
      testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
      fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
    - New internal groups (currently reserved for internal usage):
      `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
      mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
  * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
    user configurations resp. `datepattern`.
  * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
    IPv6-capable now.
- Incompatibility:
  * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
    anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
    just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. 
- Fixes
  * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid 
    write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
  * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
  * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely 
    (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
  * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
    in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
  * `action.d/pf.conf`: 
    - fixed syntax error in achnor definition (documentation, see gh-1919);
    - enclose ports in braces for multiport jails (see gh-1925);
  * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
  * `filter.d/sshd.conf`:
    - extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
      forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", 
      see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
    - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
- New Features
  * datedetector: extended default date-patterns (allows extra space between the date and time stamps);
    introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
    - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
      (corresponds %H, but allows space if not zero-padded).
    - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
      (corresponds %I, but allows space if not zero-padded).
  * `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
- New Actions:
  * `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
     nginx-location with map-file);
  - Enhancements
    * jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
    * action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
    * Introduced new parameters for logging within fail2ban-server (gh-1980).
      Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
      - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
        for the list of facilities);
      - `datetime` - add date-time to the message (default on, ignored if `format` specified);
      - `format` - specify own format how it will be logged, for example for short-log into STDOUT:
        `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
    * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 
     'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
      if repair fails - recreate new database (gh-1465, gh-2004).
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 537301 from Factory Maintainer's avatar Factory Maintainer (factory-maintainer) (revision 50) 
Automatic submission by obs-autosubmit
Displaying revisions 1 - 20 of 68
openSUSE Build Service is sponsored by
Places