Daemon to ban hosts that cause multiple authentication errors
OTHER License
Bot releases are hidden (Show)
Published by yarikoptic about 10 years ago
Published by grooverdan over 10 years ago
This is a maintenance release from 0.8.12. It contains minor fixes in filters.
We recommend using 0.9 version as it includes all fixes from this release and more.
If you're still stuck on python-2.5 (or less), or want to keep a similar jail.conf configuration, you can use this still use this version.
A full list of changes is here: https://github.com/fail2ban/fail2ban/compare/0.8.12...0.8.13
Published by grooverdan over 10 years ago
Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.
This 0.9.0 release includes a few major changes from the 0.8.12 branch.
The minimum supported Python version is now 2.6.
For the first time Python 3.2+ (via 2to3) and PyPy are also supported.
A persistent database in sqlite3 format can be used. Default location at /var/lib/fail2ban/fail2ban.sqlite3 that allows active bans to be reinstated on restart. Log files read from last position after restart
Fail2ban filters can now support:
Because of these new filter features the following filters are now able to be added:
Fail2ban actions can now support
New actions include:
Users can now specify an action in jail.local that applies to all configured jails.
[DEFAULT]
banaction = iptables-ipset
action = %(action_)s
banaction defines the firewall technology and action defines which of the ban/notification technologies to use. These are defined in jail.conf.
The distributor will have configured a paths-{distro}.conf. If you have configured a path different this can be overwritten in the paths-overrides.local.
Encoding of log files can be specified, defaulting in system locale.
The jail.conf has been modified extensively to list only the filters. Variants with different actions and file paths have been removed.
One patch should be needed to change the jail.conf to the required in paths-{distro}.conf.
There is now a separate file paths-{distro}.conf that contains the paths of the log files so hopefully this will be easier to maintain. Patches/additions here welcome.
Python-systemd is an optional dependency for systemd support.
Fail2Ban is now installed as a python module fail2ban.
Full changes:
https://github.com/fail2ban/fail2ban/compare/0.8.12...0.9.0
Published by grooverdan over 10 years ago
New bits:
Log rotation can now occur with the command "flushlogs" rather than reloading fail2ban or keeping the logtarget settings consistent in jail.conf/local and /etc/logrotate.d/fail2ban. (Debian bug #697333, Redhat bug #891798).
Added ignorecommand option for allowing dynamic determination as to ignore and IP or not.
Remove indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems. (Debian bug #730202). Log lines now also report "[PID]" after the name portion too.
Epoch dates can now be enclosed within []
New actions:
New filters:
Filter improvements:
General fixes:
Filter fixes:
Ugly Fixes (Potentially incompatible changes):
Unfortunately at the end of last release when the action firewall-cmd-direct-new was added it was too long and had a broken action check. The action was renamed to firewallcmd-new to fit within jail name name length. (#395).
Last release added mysqld-syslog-iptables as a jail configuration. This jailname was too long and it has been renamed to mysqld-syslog.
Full changes:
https://github.com/fail2ban/fail2ban/compare/0.8.11...0.8.12
Published by grooverdan almost 11 years ago
The 0.8.11 release is available at https://github.com/fail2ban/fail2ban/releases
In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexs of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario however it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexs supporting previously unbanned failures and support newer application versions too. We have test cases for most of these now however if you have other examples that demonstrate that a filter is insufficient we welcome your feedback. During the tightening of the regexs to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue.
After we do this release well look at doing a 0.9.0alpha release that has a significant reworking of its back end to support multiline matches, true timezone support, and more flexibility for actions.
There is a full ChangeLog in the distribution.
As usual, any bugs or enhancements feel free to tell us https://github.com/fail2ban/fail2ban/issues.
For user support please use the mailing list http://sourceforge.net/p/fail2ban/mailman/fail2ban-users/ or the #fail2ban freenode IRC channel.
Your friendly fail2ban devs,
Published by grooverdan almost 11 years ago
0.8.11 Prerelease to Package Maintainers
Dear package maintainers of fail2ban,
We are just about to release 0.8.11 and we'd like to check that everything is packaged as best as possible. After we do this release well look at doing a 0.9.0alpha release that has a significant reworking of its back end and time functions.
The 0.8.11 pre-release 1 is available at https://github.com/fail2ban/fail2ban/releases
Please give feedback via https://github.com/fail2ban/fail2ban/issues if there are issues that need to be addressed before the final release.
In light of CVE-2013-2178 that triggered our last release we have put a significant effort into tightening all of the regexs of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario however it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexs supporting previously unbanned failures and support newer application versions too. We have test cases for most of these now however if you have other examples that demonstrate that a filter is insufficient we welcome your feedback. During the tightening of the regexs to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue.
There is a full ChangeLog in the distribution.
We believe the key factors for maintainers are:
Filter changes that may affect user configured jails:
For the last two a symlink from the old name should provide compatibility.
We see that a lot of available packages include patches for different distribution-specific paths. If there are any good Python packaged programs that allow easy configuration of this let us know and we'll try to make this aspect easier for you.
We also acknowledge that the logpaths in jail.conf are very distribution specific and we will look into making their configuration simpler in the next release. Hopefully new jail.d/ and fail2ban.d/ directories will assist you with this so you could e.g. introduce a jail.d/00_{distro}.conf to define the local paths for logfiles e.g.:
[perdition]
logpath = /var/log/mail.log
Cheers,
Your friendly fail2ban devs,
Published by yarikoptic over 11 years ago
Originally targeted as a bugfix release, it incorporated many new
enhancements, few new features, and more importantly -- quite extended
tests battery with current 94% coverage (from 56% of 0.8.8).
This release introduces over 200 of non-merge commits from 16
contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.
Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
Hendrikx, Yehuda Katz and other TBN heroes supporting users on
fail2ban-users mailing list and IRC.
Published by yarikoptic over 11 years ago
Published by yarikoptic over 11 years ago
Primarily bugfix and enhancements release, triggered by "bugs" in
apache- filters. If you are relying on listed below apache- filters,
upgrade asap and seek your distributions to patch their fail2ban
distribution with [6ccd5781].