Daemon to ban hosts that cause multiple authentication errors

Overview
                     __      _ _ ___ _               
                    / _|__ _(_) |_  ) |__  __ _ _ _  
                   |  _/ _` | | |/ /| '_ \/ _` | ' \ 
                   |_| \__,_|_|_/___|_.__/\__,_|_||_|
                   v1.0.1.dev1            20??/??/??

Fail2Ban: ban hosts that cause multiple authentication errors

Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time. Fail2Ban comes out-of-the-box ready to read many standard log files, such as those for sshd and Apache, and is easily configured to read any log file of your choosing, for any error you wish.

Though Fail2Ban can reduce the rate of incorrect authentication attempts, it cannot eliminate the risk presented by weak authentication: an attacker who stays below maxretry failures per findtime is never banned, and a ban only blocks one source address. Set services up to use only two-factor or public/private-key authentication if you really want to protect them.

Since v0.10 Fail2Ban supports matching IPv6 addresses as well as IPv4.
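The following is an added example, not Fail2Ban's own code: a minimal model of what one jail does with the log it watches. A failregex in the style of filter.d/sshd.conf is applied to each line, the matched host is normalised so that an IPv6 address written in several textual forms counts as one attacker, failures are counted per host inside a sliding findtime window, and a host that reaches maxretry is banned for bantime seconds. The regex substituted for Fail2Ban's `<HOST>` tag, the year assumed for the year-less syslog timestamps, and the sshd log lines are all constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban filters write <HOST>; the pattern used for it here (dotted-quad or
# colon-hex) is this example's own approximation, not fail2ban's internal one.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from " + HOST + r" port \d+ ssh2$"
)


def canonical_host(text):
    """Normalise the matched host so '2001:DB8::1' and '2001:db8:0:0:0:0:0:1'
    are one attacker.  Returns None for anything that is not a literal IP
    (what fail2ban does with hostnames when usedns=no)."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def parse_syslog_time(ts, year):
    """Classic syslog timestamps carry no year; fail2ban assumes the current
    one.  The example pins it (assumption) so the run is reproducible."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class Jail:
    def __init__(self, maxretry=5, findtime=600, bantime=3600, year=2015):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.year = year
        self.failures = defaultdict(deque)  # host -> failure times still inside findtime
        self.banned = {}                    # host -> time the ban expires
        self.bans = []                      # (host, time banned), in order

    def observe(self, line):
        """Feed one log line; return what the jail does with it."""
        m = FAILREGEX.match(line)
        if m is None:
            return "ignored"                # no failregex matched
        host = canonical_host(m.group("host"))
        if host is None:
            return "ignored"
        now = parse_syslog_time(m.group("ts"), self.year)
        # Lift bans whose bantime has elapsed (fail2ban does this on a timer).
        for h, until in list(self.banned.items()):
            if now >= until:
                del self.banned[h]
        if host in self.banned:
            return "already-banned"         # firewall rule still in place
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                # only failures inside findtime count
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime
            self.bans.append((host, now))
            window.clear()
            return "ban"
        return f"fail({len(window)})"


# Constructed sshd lines: a fast brute force from one IPv4 host, an IPv6 host
# spelled three ways, a slow attacker that never trips maxretry, and noise.
SAMPLE_LOG = """\
Dec 21 09:58:00 server sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec 21 09:58:02 server sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Dec 21 09:58:05 server sshd[2003]: Failed password for root from 2001:db8::dead:beef port 50001 ssh2
Dec 21 09:58:09 server sshd[2004]: Failed password for root from 198.51.100.7 port 40003 ssh2
Dec 21 09:58:10 server sshd[2005]: Accepted publickey for alice from 203.0.113.9 port 51000 ssh2
Dec 21 09:58:12 server sshd[2006]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Dec 21 09:58:15 server sshd[2007]: Failed password for invalid user oracle from 198.51.100.7 port 40005 ssh2
Dec 21 09:58:20 server sshd[2008]: Failed password for root from 2001:db8:0:0:0:0:dead:beef port 50002 ssh2
Dec 21 09:58:25 server sshd[2009]: Failed password for root from 2001:DB8::DEAD:BEEF port 50003 ssh2
Dec 21 09:58:30 server sshd[2010]: Failed password for root from 2001:db8::dead:beef port 50004 ssh2
Dec 21 09:58:35 server sshd[2011]: Failed password for root from 2001:db8::dead:beef port 50005 ssh2
Dec 21 09:58:50 server sshd[2012]: Failed password for root from 198.51.100.7 port 40006 ssh2
Dec 21 09:58:55 server sshd[2013]: Failed password for root from 203.0.113.9 port 51001 ssh2
Dec 21 10:10:00 server sshd[2014]: Failed password for root from 203.0.113.9 port 51002 ssh2
Dec 21 10:25:00 server sshd[2015]: Failed password for root from 203.0.113.9 port 51003 ssh2
Dec 21 10:59:00 server sshd[2016]: Failed password for root from 198.51.100.7 port 40007 ssh2
"""


def run(log_text, **jail_options):
    """Replay a log through a jail; return (verdict per line, bans issued)."""
    jail = Jail(**jail_options)
    verdicts = [jail.observe(line) for line in log_text.splitlines() if line]
    bans = [(host, when.strftime("%b %d %H:%M:%S")) for host, when in jail.bans]
    return verdicts, bans


if __name__ == "__main__":
    verdicts, bans = run(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG.splitlines(), verdicts):
        print(f"{verdict:15} {line}")
    print("bans:", bans)
```

With the defaults (maxretry=5, findtime=600, bantime=3600) the IPv4 host is banned on its fifth failure, the IPv6 host is banned even though its address appears compressed, expanded and upper-cased, a further failure from a banned host is ignored until the ban expires, and the host that fails once every 11 to 15 minutes is never banned, which is the limitation the paragraph above describes.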

This README is a quick introduction to Fail2Ban. More documentation, FAQs and HOWTOs can be found in the fail2ban(1) manpage, the Wiki, the developer documentation and on the website: https://www.fail2ban.org

Installation:

It is possible that Fail2Ban is already packaged for your distribution. In this case, you should use that instead.

Required:

Optional:

To install:

tar xvfj fail2ban-1.0.1.tar.bz2
cd fail2ban-1.0.1
sudo python setup.py install

Alternatively, you can clone the source from GitHub into a directory of your choice and do the install from there. Pick the correct branch, for example master or 0.11:

git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban
sudo python setup.py install

This will install Fail2Ban into the python library directory. The executable scripts are placed into /usr/bin, and configuration in /etc/fail2ban.

Fail2Ban should be correctly installed now. Just type:

fail2ban-client -h

to see if everything is alright. You should always use fail2ban-client and never call fail2ban-server directly. You can verify that you have the correct version installed with

fail2ban-client version

Please note that the system init/service script is not automatically installed. To enable fail2ban as an automatic service, simply copy the script for your distro from the files directory to /etc/init.d. Example (on a Debian-based system):

cp files/debian-initd /etc/init.d/fail2ban
update-rc.d fail2ban defaults
service fail2ban start

Configuration:

You can configure Fail2Ban using the files in /etc/fail2ban. Keep the shipped jail.conf untouched and put your changes in jail.local or in jail.d/*.local, which override jail.conf option by option. It is also possible to configure the running server with commands sent to it by fail2ban-client; the available commands are described in the fail2ban-client(1) manpage. See the fail2ban(1) and jail.conf(5) manpages for further reference.
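To make the layering concrete, here is an added example (not Fail2Ban's own configuration reader) that loads a constructed, deliberately tiny jail.conf and jail.local with Python's configparser and reports the settings each enabled jail actually ends up with. The only Fail2Ban-specific piece it reproduces is the `%(__name__)s` reference, which Fail2Ban resolves to the jail's section name; `[INCLUDES]`, jail.d/ and the paths-*.conf files are left out, and the two config texts are this example's own.

```python
import configparser
from collections import ChainMap


class JailInterpolation(configparser.BasicInterpolation):
    """fail2ban lets a jail refer to its own section name as %(__name__)s.
    Plain configparser knows no such option, so supply it for each lookup."""

    def before_get(self, parser, section, option, value, defaults):
        defaults = ChainMap({"__name__": section}, defaults)
        return super().before_get(parser, section, option, value, defaults)


# Constructed stand-in for the distribution's jail.conf: nothing enabled.
JAIL_CONF = """\
[DEFAULT]
bantime   = 600
findtime  = 600
maxretry  = 5
banaction = iptables-multiport
port      = 0:65535
protocol  = tcp
chain     = INPUT
action_   = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action    = %(action_)s
enabled   = false

[sshd]
port    = ssh
logpath = /var/log/auth.log

[apache-auth]
port    = http,https
logpath = /var/log/apache2/error.log
"""

# Constructed jail.local: only the deltas the administrator wants.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600            ; applies to every jail that does not set its own

[sshd]
enabled  = true
maxretry = 3
"""


def load_jails(*texts):
    """Read config texts in order; later ones override earlier ones option by
    option, exactly as jail.local overrides jail.conf."""
    parser = configparser.ConfigParser(
        interpolation=JailInterpolation(), inline_comment_prefixes=(";",)
    )
    for text in texts:
        parser.read_string(text)
    return parser


def effective_settings(parser):
    """Return {jail: settings} for enabled jails, with interpolation applied."""
    out = {}
    for jail in parser.sections():
        if not parser.getboolean(jail, "enabled"):
            continue
        out[jail] = {
            "bantime": parser.getint(jail, "bantime"),
            "findtime": parser.getint(jail, "findtime"),
            "maxretry": parser.getint(jail, "maxretry"),
            "port": parser.get(jail, "port"),
            "action": parser.get(jail, "action"),
        }
    return out


if __name__ == "__main__":
    print("jail.conf alone:", effective_settings(load_jails(JAIL_CONF)))
    for jail, cfg in effective_settings(load_jails(JAIL_CONF, JAIL_LOCAL)).items():
        print(jail)
        for key, value in cfg.items():
            print(f"  {key:9} {value}")
```

With jail.conf alone no jail is active. Adding jail.local enables sshd with maxretry=3 from its own section, bantime=3600 from jail.local's DEFAULT, findtime=600 from jail.conf's DEFAULT, and an action string in which `%(__name__)s` has become `sshd` and `%(port)s` the jail's own `ssh` rather than the DEFAULT `0:65535`.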

Code status:

  • travis-ci.org: tests status (default branch / 0.11 branch / 0.10 branch)

  • coveralls.io: coverage status (default branch / 0.11 branch / 0.10 branch)

  • codecov.io: coverage (default branch / 0.11 branch / 0.10 branch)

Contact:

Bugs, feature requests, discussions?

See CONTRIBUTING.md

You just appreciate this program:

Send kudos to the original author (Cyril Jaquier) or, better, to the mailing list, since Fail2Ban has been community-driven for years now.

Thanks:

See THANKS file.

License:

Fail2Ban is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Fail2Ban; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110, USA

Comments
  • WiP: do not merge!  0.10 -> master  merge whenever it is ready to be named a 'stable'-ish one

    This PR is staged to make sure that we can progress from the current state of master into the world of 0.10. To be "merged" after a few 0.10.x experimental releases.

    enhancement needs-testing ipv6 WiP 
    opened by yarikoptic 158
  • IPv6 Support

    fail2ban doesn't appear to have any IPv6 support. With lots of networks (and thus hosts) trying to turn it on for World IPv6 Launch on June 6[1], this is a blocker.

    http://www.worldipv6launch.org/

    wishlish enhancement ipv6 
    opened by raccettura 104
  • Fail2ban using 2+ GB of RAM and 106-108% CPU...

    Hi, CentOS 7 64-bit + fail2ban-0.9-9.el7.noarch.

    Here it is using 2+ GB of RAM and 106-108% CPU...

    my jail.local:

    #
    # WARNING: heavily refactored in 0.9.0 release.  Please review and
    #          customize settings for your setup.
    #
    # Changes:  in most of the cases you should not modify this
    #           file, but provide customizations in jail.local file,
    #           or separate .conf files under jail.d/ directory, e.g.:
    #
    # HOW TO ACTIVATE JAILS:
    #
    # YOU SHOULD NOT MODIFY THIS FILE.
    #
    # It will probably be overwritten or improved in a distribution update.
    #
    # Provide customizations in a jail.local file or a jail.d/customisation.local.
    # For example to change the default bantime for all jails and to enable the
    # ssh-iptables jail the following (uncommented) would appear in the .local file.
    # See man 5 jail.conf for details.
    #
    # [DEFAULT]
    # bantime = 3600
    #
    # [sshd]
    # enabled = true
    #
    # See jail.conf(5) man page for more information
    
    
    
    # Comments: use '#' for comment lines and ';' (following a space) for inline comments
    
    
    [INCLUDES]
    
    #before = paths-distro.conf
    before = paths-fedora.conf
    
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    
    [DEFAULT]
    
    #
    # MISCELLANEOUS OPTIONS
    #
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1/8 66.249.64.0/19 157.54.0.0/15 157.60.0.0/16 157.56.0.0/14 65.52.0.0/14
    
    # External command that will take an tagged arguments to ignore, e.g. <ip>,
    # and return true if the IP is to be ignored. False otherwise.
    #
    # ignorecommand = /path/to/command <ip>
    ignorecommand =
    
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 3600
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 600
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 5
    
    # "backend" specifies the backend used to get files modification.
    # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
    # This option can be overridden in each jail as well.
    #
    # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
    #              If pyinotify is not installed, Fail2ban will use auto.
    # gamin:     requires Gamin (a file alteration monitor) to be installed.
    #              If Gamin is not installed, Fail2ban will use auto.
    # polling:   uses a polling algorithm which does not require external libraries.
    # systemd:   uses systemd python library to access the systemd journal.
    #              Specifying "logpath" is not valid for this backend.
    #              See "journalmatch" in the jails associated filter config
    # auto:      will try to use the following backends, in order:
    #              pyinotify, gamin, polling.
    backend = auto
    
    # "usedns" specifies if jails should trust hostnames in logs,
    #   warn when DNS lookups are performed, or ignore all hostnames in logs
    #
    # yes:   if a hostname is encountered, a DNS lookup will be performed.
    # warn:  if a hostname is encountered, a DNS lookup will be performed,
    #        but it will be logged as a warning.
    # no:    if a hostname is encountered, will not be used for banning,
    #        but it will be logged as info.
    usedns = warn
    
    # "logencoding" specifies the encoding of the log files handled by the jail
    #   This is used to decode the lines from the log file.
    #   Typical examples:  "ascii", "utf-8"
    #
    #   auto:   will use the system locale setting
    logencoding = auto
    
    # "enabled" enables the jails.
    #  By default all jails are disabled, and it should stay this way.
    #  Enable only relevant to your setup jails in your .local or jail.d/*.conf
    #
    # true:  jail will be enabled and log files will get monitored for changes
    # false: jail is not enabled
    enabled = false
    
    
    # "filter" defines the filter to use by the jail.
    #  By default jails have names matching their filter name
    #
    filter = %(__name__)s
    
    
    #
    # ACTIONS
    #
    
    # Some options used for actions
    
    # Destination email address used solely for the interpolations in
    # jail.{conf,local,d/*} configuration files.
    destemail = [email protected]
    
    # Sender email address used solely for some actions
    sender = [email protected]
    
    # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
    # mailing. Change mta configuration parameter to mail if you want to
    # revert to conventional 'mail'.
    mta = sendmail
    
    # Default protocol
    protocol = tcp
    
    # Specify chain where jumps would need to be added in iptables-* actions
    chain = INPUT
    
    # Ports to be banned
    # Usually should be overridden in a particular jail
    port = 0:65535
    
    #
    # Action shortcuts. To be used to define action parameter
    
    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define
    # action_* variables. Can be overridden globally or per
    # section within jail.local file
    banaction = iptables-multiport
    
    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    
    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
    
    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                 %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
    
    # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
    #
    # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
    # to the destemail.
    action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                 xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
    
    
    # Report block via blocklist.de fail2ban reporting service API
    # 
    # See the IMPORTANT note in action.d/blocklist_de.conf for when to
    # use this action. Create a file jail.d/blocklist_de.local containing
    # [Init]
    # blocklist_de_apikey = {api key from registration]
    #
    action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="MYAPIKEY"]
    
    
    
    # Report ban via badips.com, and use as blacklist
    #
    # See BadIPsAction docstring in config/action.d/badips.py for
    # documentation for this action.
    #
    # NOTE: This action relies on banaction being present on start and therefore
    # should be last action defined for a jail.
    #
    action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
    
    # Choose default action.  To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section
    action = %(action_mwl)s
    
    
    
    #
    # JAILS
    #
    
    #
    # SSH servers
    #
    
    [sshd]
    enabled = true
    port    = ssh
    logpath = %(sshd_log)s
    bantime  = 3600
    findtime  = 600
    maxretry = 2
    action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
             blocklist_de[email="%(sender)s", service=%(filter)s, apikey="MYAPIKEY"]
    
    [sshd-ddos]
    # This jail corresponds to the standard configuration in Fail2ban.
    # The mail-whois action send a notification e-mail with a whois request
    # in the body.
    port    = ssh
    logpath = %(sshd_log)s
    
    
    [dropbear]
    
    port     = ssh
    logpath  = %(dropbear_log)s
    
    
    [selinux-ssh]
    
    port     = ssh
    logpath  = %(auditd_log)s
    maxretry = 5
    
    
    #
    # HTTP servers
    #
    
    [apache-auth]
    enabled = true
    port     = http,https
    logpath  = %(apache_error_log)s
    bantime  = 3600
    findtime  = 600
    maxretry = 2
    
    [apache-badbots]
    # Ban hosts whose user agent identifies them as spammer robots crawling the
    # web for email addresses. The mail outputs are buffered.
    enabled = true
    port     = http,https
    logpath  = %(apache_access_log)s
    bantime  = 172800
    maxretry = 2
    
    [apache-noscript]
    enabled = true
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 6
    
    [apache-overflows]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-nohome]
    enabled = true
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    [apache-botsearch]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-modsecurity]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [nginx-http-auth]
    
    # "ports" is not a jail option; fail2ban would ignore it and this jail would
    # fall back to DEFAULT's port = 0:65535, so the key must be "port".
    port    = http,https
    logpath = %(nginx_error_log)s
    
    
    # Ban attackers that try to use PHP's URL-fopen() functionality
    # through GET/POST variables. - Experimental, with more than a year
    # of usage in production environments.
    
    [php-url-fopen]
    enabled = true
    port    = http,https
    logpath = %(apache_access_log)s
    
    [suhosin]
    
    port    = http,https
    logpath = %(suhosin_log)s
    
    
    [lighttpd-auth]
    # Same as above for Apache's mod_auth
    # It catches wrong authentications
    port    = http,https
    logpath = %(lighttpd_error_log)s
    
    
    #
    # Webmail and groupware servers
    #
    
    [roundcube-auth]
    
    port     = http,https
    logpath  = /var/log/roundcube/userlogins
    
    
    [openwebmail]
    
    port     = http,https
    logpath  = /var/log/openwebmail.log
    
    
    [horde]
    
    port     = http,https
    logpath  = /var/log/horde/horde.log
    
    
    [groupoffice]
    
    port     = http,https
    logpath  = /home/groupoffice/log/info.log
    
    
    [sogo-auth]
    # Monitor SOGo groupware server
    # without proxy this would be:
    # port    = 20000
    port     = http,https
    logpath  = /var/log/sogo/sogo.log
    
    
    [tine20]
    
    logpath  = /var/log/tine20/tine20.log
    port     = http,https
    maxretry = 5
    
    
    #
    # Web Applications
    #
    #
    
    [guacamole]
    
    port     = http,https
    logpath  = /var/log/tomcat*/catalina.out
    
    
    [webmin-auth]
    enabled = true
    port    = 10000
    logpath = %(syslog_authpriv)s
    action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
             blocklist_de[email="%(sender)s", service=%(filter)s, apikey="MYAPIKEY"]
    
    #
    # HTTP Proxy servers
    #
    #
    
    [squid]
    
    port     =  80,443,3128,8080
    logpath = /var/log/squid/access.log
    
    
    [3proxy]
    
    port    = 3128
    logpath = /var/log/3proxy.log
    
    #
    # FTP servers
    #
    
    
    [proftpd]
    enabled = true
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(proftpd_log)s
    bantime  = 3600
    findtime  = 600
    maxretry = 2
    action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
             blocklist_de[email="%(sender)s", service=%(filter)s, apikey="MYAPIKEY"]
    
    [pure-ftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(pureftpd_log)s
    maxretry = 6
    
    
    [gssftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(syslog_daemon)s
    maxretry = 6
    
    
    [wuftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(wuftpd_log)s
    maxretry = 6
    
    
    [vsftpd]
    # or overwrite it in jails.local to be
    # logpath = %(syslog_authpriv)s
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(vsftpd_log)s
    
    
    #
    # Mail servers
    #
    
    # ASSP SMTP Proxy Jail
    [assp]
    
    port     = smtp,465,submission
    logpath  = /root/path/to/assp/logs/maillog.txt
    
    
    [courier-smtp]
    
    port     = smtp,465,submission
    logpath  = %(syslog_mail)s
    
    
    [postfix]
    enabled = true
    port     = smtp,465,submission
    logpath  = %(postfix_log)s
    bantime  = 3600
    findtime  = 600
    maxretry = 2
    action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
             blocklist_de[email="%(sender)s", service=%(filter)s, apikey="MYAPIKEY"]
    
    [sendmail-auth]
    
    port    = submission,465,smtp
    logpath = %(syslog_mail)s
    
    
    [sendmail-reject]
    
    port     = smtp,465,submission
    logpath  = %(syslog_mail)s
    
    
    [qmail-rbl]
    
    filter  = qmail
    port    = smtp,465,submission
    logpath = /service/qmail/log/main/current
    
    
    # dovecot defaults to logging to the mail syslog facility
    # but can be set by syslog_facility in the dovecot configuration.
    [dovecot]
    enabled = true
    port    = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath = %(dovecot_log)s
    bantime  = 3600
    findtime  = 600
    maxretry = 2
    action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
             blocklist_de[email="%(sender)s", service=%(filter)s, apikey="MYAPIKEY"]
    
    [sieve]
    
    port   = smtp,465,submission
    logpath = %(dovecot_log)s
    
    
    [solid-pop3d]
    
    port    = pop3,pop3s
    logpath = %(solidpop3d_log)s
    
    
    [exim]
    
    port   = smtp,465,submission
    logpath = /var/log/exim/mainlog
    
    
    [exim-spam]
    
    port   = smtp,465,submission
    logpath = /var/log/exim/mainlog
    
    
    [kerio]
    
    port    = imap,smtp,imaps,465
    logpath = /opt/kerio/mailserver/store/logs/security.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [courier-auth]
    
    port     = smtp,465,submission,imap3,imaps,pop3,pop3s
    logpath  = %(syslog_mail)s
    
    
    [postfix-sasl]
    enabled = true
    port     = smtp,465,submission,imap3,imaps,pop3,pop3s
    # You might consider monitoring /var/log/mail.warn instead if you are
    # running postfix since it would provide the same log lines at the
    # "warn" level but overall at the smaller filesize.
    logpath  = %(postfix_log)s
    
    
    [perdition]
    
    port   = imap3,imaps,pop3,pop3s
    logpath = %(syslog_mail)s
    
    
    [squirrelmail]
    
    port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
    logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
    
    
    [cyrus-imap]
    
    port   = imap3,imaps
    logpath = %(syslog_mail)s
    
    
    [uwimap-auth]
    
    port   = imap3,imaps
    logpath = %(syslog_mail)s
    
    
    #
    #
    # DNS servers
    #
    
    
    # !!! WARNING !!!
    #   Since UDP is connection-less protocol, spoofing of IP and imitation
    #   of illegal actions is way too simple.  Thus enabling of this filter
    #   might provide an easy way for implementing a DoS against a chosen
    #   victim. See
    #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
    #   Please DO NOT USE this jail unless you know what you are doing.
    #
    # IMPORTANT: see filter.d/named-refused for instructions to enable logging
    # This jail blocks UDP traffic for DNS requests.
    # [named-refused-udp]
    #
    # filter   = named-refused
    # port     = domain,953
    # protocol = udp
    # logpath  = /var/log/named/security.log
    
    # IMPORTANT: see filter.d/named-refused for instructions to enable logging
    # This jail blocks TCP traffic for DNS requests.
    
    [named-refused]
    
    port     = domain,953
    logpath  = /var/log/named/security.log
    
    
    [nsd]
    
    port     = 53
    action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
               %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
    logpath = /var/log/nsd.log
    
    
    #
    # Miscellaneous
    #
    
    [asterisk]
    
    port     = 5060,5061
    action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
               %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
               %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
    logpath  = /var/log/asterisk/messages
    maxretry = 10
    
    
    [freeswitch]
    
    port     = 5060,5061
    action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
               %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
               %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
    logpath  = /var/log/freeswitch.log
    maxretry = 10
    
    
    # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
    # equivalent section:
    # log-warning = 2
    #
    # for syslog (daemon facility)
    # [mysqld_safe]
    # syslog
    #
    # for own logfile
    # [mysqld]
    # log-error=/var/log/mysqld.log
    [mysqld-auth]
    enabled = true
    port     = 3306
    logpath  = /var/log/mariadb/mariadb.log
    maxretry = 5
    
    
    # Jail for more extended banning of persistent abusers
    # !!! WARNING !!!
    #   Make sure that your loglevel specified in fail2ban.conf/.local
    #   is not at DEBUG level -- which might then cause fail2ban to fall into
    #   an infinite loop constantly feeding itself with non-informative lines
    
    [recidive]
    enabled = true
    logpath  = /var/log/fail2ban.log
    # port     = all
    # protocol = all
    bantime  = 604800  ; 1 week
    findtime = 86400   ; 1 day
    maxretry = 5
    action = iptables-allports[name=recidive, protocol=all]
             %(mta)s-whois-lines[name=recidive, dest="%(destemail)s", logpath=%(logpath)s]
    
    
    # Generic filter for PAM. Has to be used with action which bans all
    # ports such as iptables-allports, shorewall
    
    [pam-generic]
    # pam-generic filter can be customized to monitor specific subset of 'tty's
    banaction = iptables-allports
    logpath  = %(syslog_authpriv)s
    
    
    [xinetd-fail]
    
    banaction = iptables-multiport-log
    logpath   = %(syslog_daemon)s
    maxretry  = 2
    
    
    # stunnel - need to set port for this
    [stunnel]
    
    logpath = /var/log/stunnel4/stunnel.log
    
    
    [ejabberd-auth]
    
    port    = 5222
    logpath = /var/log/ejabberd/ejabberd.log
    
    
    [counter-strike]
    
    logpath = /opt/cstrike/logs/L[0-9]*.log
    # Firewall: http://www.cstrike-planet.com/faq/6
    tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
    udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
    action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
               %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
    
    # consider low maxretry and a long bantime
    # nobody except your own Nagios server should ever probe nrpe
    [nagios]
    
    enabled  = false
    logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
    maxretry = 1
    

    In summary, there are 14 jails enabled. What can I do? Thanks.

    P.S.: after 2 hours it drops to 44%, then 31% now... What's the source of this behavior?

    opened by 7starsone 85
  • Add ability to use systemd journald, rather than log file

    I was interested in having fail2ban work with systemd's journald. I've added code to allow fail2ban to read from journald and also to allow setting match filters as with journalctl. As far as I can tell, all or most of the regex filters still work.

    It required a Python interface to journald, which I couldn't find anywhere, so I've knocked one up myself. It's a Python C-API wrapper around the systemd journal C API, sd-journal. Code for this is on my GitHub: https://github.com/kwirk/pyjournalctl

    Initial testing shows all working okay, but if anyone else could do some testing, that would be great.

    Any feedback appreciated.

    opened by kwirk 83
  • fail2ban's logfile fills disk in out of memory situation

    So putting aside my memory consumption problem with fail2ban at the moment, which looks like it might be resolved in #1234...

    Once my system runs out of memory, fail2ban continuously fills its log file with this kind of output:

    2015-12-21 09:58:00,065 fail2ban.action         [20922]: ERROR   ipset add fail2ban-sshd 80.82.79.29 timeout 600 -exist -- failed with [Errn
    o 12] Cannot allocate memory
    2015-12-21 09:58:00,065 fail2ban.actions        [20922]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingM
    ap({'ipjailmatches': <function <lambda> at 0x7ff8f6d63050>, 'matches': 'Nov 29 00:00:50 server sshd[28731]: pam_unix(sshd:auth): authenticat
    ion failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.79.29  user=ftp\nNov 29 00:00:52 server sshd[28731]: Failed password for ftp f
    rom 80.82.79.29 port 49445 ssh2\nNov 29 00:00:52 server sshd[28733]: Invalid user test from 80.82.79.29\nNov 29 00:00:52 server sshd[28733]:
     pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.79.29\nNov 29 00:00:54 server sshd[28733]: Fa
    iled password for invalid user test from 80.82.79.29 port 50032 ssh2\nNov 29 00:00:55 server sshd[28735]: Invalid user osmc from 80.82.79.29
    \nNov 29 00:00:55 server sshd[28735]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.79.29\nN
    ov 29 00:00:57 server sshd[28735]: Failed password for invalid user osmc from 80.82.79.29 port 50627 ssh2\nNov 29 00:00:57 server sshd[28737
    ]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.79.29  user=operator\nNov 29 00:00:59 serve
    r sshd[28737]: Failed password for operator from 80.82.79.29 port 51164 ssh2', 'ip': '80.82.79.29', 'ipmatches': <function <lambda> at 0x7ff
    8eb237f50>, 'ipfailures': <function <lambda> at 0x7ff8f6d630c8>, 'time': 1450691880.062108, 'failures': 10, 'ipjailfailures': <function <lam
    bda> at 0x7ff8f6d63140>})': local variable 'retcode' referenced before assignment
    2015-12-21 09:58:00,065 fail2ban.actions        [20922]: NOTICE  [sshd] Ban 81.108.80.81
    2015-12-21 09:58:00,068 fail2ban.action         [20922]: ERROR   ipset add fail2ban-sshd 81.108.80.81 timeout 600 -exist -- failed with [Err
    no 12] Cannot allocate memory
    2015-12-21 09:58:00,068 fail2ban.actions        [20922]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingM
    ap({'ipjailmatches': <function <lambda> at 0x7ff8f6d63320>, 'matches': 'Oct  7 22:48:01 server sshd[21573]: Invalid user zhangyan from 81.10
    8.80.81\nOct  7 22:48:01 server sshd[21573]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpc41-w
    atf10-2-0-cust80.15-2.cable.virginm.net\nOct  7 22:48:03 server sshd[21573]: Failed password for invalid user zhangyan from 81.108.80.81 por
    t 57520 ssh2\nOct  7 22:48:04 server sshd[21575]: Invalid user dff from 81.108.80.81\nOct  7 22:48:04 server sshd[21575]: pam_unix(sshd:auth
    ): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpc41-watf10-2-0-cust80.15-2.cable.virginm.net\nOct  7 22:48:06 server
     sshd[21575]: Failed password for invalid user dff from 81.108.80.81 port 58216 ssh2\nOct  7 22:48:07 server sshd[21577]: pam_unix(sshd:auth
    ): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpc41-watf10-2-0-cust80.15-2.cable.virginm.net  user=root\nOct  7 22:4
    8:09 server sshd[21577]: Failed password for root from 81.108.80.81 port 59102 ssh2\nOct  7 22:48:11 server sshd[21579]: pam_unix(sshd:auth)
    : authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cpc41-watf10-2-0-cust80.15-2.cable.virginm.net  user=root\nOct  7 22:48
    :13 server sshd[21579]: Failed password for root from 81.108.80.81 port 59967 ssh2', 'ip': '81.108.80.81', 'ipmatches': <function <lambda> a
    t 0x7ff8f6d632a8>, 'ipfailures': <function <lambda> at 0x7ff8f6d63398>, 'time': 1450691880.065618, 'failures': 10, 'ipjailfailures': <functi
    on <lambda> at 0x7ff8f6d63410>})': local variable 'retcode' referenced before assignment
    

    Being out of memory is obviously the root cause and should be fixed, but this behaviour should not be occurring either. Can I enable some kind of error output throttling while I try to figure out what is causing this memory issue? Can I reduce the verbosity of these errors?

    CentOS Linux release 7.2.1511 (Core)
    fail2ban.noarch 0.9.3-1.el7 epel
    Python 2.7.5

    Switched logging to debug and here's what I get for one instance of the error:

    2015-12-21 13:33:47,949 fail2ban.actions        [2204]: NOTICE  [sshd] Ban 80.82.75.56
    2015-12-21 13:33:47,950 fail2ban.action         [2204]: DEBUG   
    2015-12-21 13:33:47,950 fail2ban.action         [2204]: DEBUG   Nothing to do
    2015-12-21 13:33:47,952 fail2ban.action         [2204]: DEBUG   ipset add fail2ban-sshd 80.82.75.56 timeout 600 -exist
    2015-12-21 13:33:47,952 fail2ban.action         [2204]: ERROR   ipset add fail2ban-sshd 80.82.75.56 timeout 600 -exist -- failed with [Errno 12] Cannot allocate memory
    2015-12-21 13:33:47,952 fail2ban.actions        [2204]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7ffa9749d140>, 'matches': 'Sep 26 10:48:27 server sshd[29097]: Invalid user ubnt from 80.82.75.56\nSep 26 10:48:27 server sshd[29097]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.75.56\nSep 26 10:48:29 server sshd[29097]: Failed password for invalid user ubnt from 80.82.75.56 port 55879 ssh2\nSep 26 10:48:30 server sshd[29099]: Invalid user admin from 80.82.75.56\nSep 26 10:48:30 server sshd[29099]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.75.56\nSep 26 10:48:32 server sshd[29099]: Failed password for invalid user admin from 80.82.75.56 port 58003 ssh2\nSep 26 10:48:33 server sshd[29101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.75.56  user=root\nSep 26 10:48:35 server sshd[29101]: Failed password for root from 80.82.75.56 port 58607 ssh2\nSep 26 10:48:35 server sshd[29103]: Invalid user user from 80.82.75.56\nSep 26 10:48:35 server sshd[29103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.75.56\nSep 26 17:05:05 server sshd[12890]: Invalid user ubnt from 80.82.75.56\nSep 26 17:05:05 server sshd[12890]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.75.56\nSep 26 17:05:07 server sshd[12890]: Failed password for invalid user ubnt from 80.82.75.56 port 58827 ssh2\nSep 26 17:05:08 server sshd[12892]: Invalid user admin from 80.82.75.56\nSep 26 17:05:08 server sshd[12892]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.75.56\nSep 26 17:05:10 server sshd[12892]: Failed password for invalid user admin from 80.82.75.56 port 59523 ssh2\nSep 26 17:05:13 server sshd[12894]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.75.56  user=root\nSep 26 17:05:15 server sshd[12894]: Failed password for root from 80.82.75.56 port 60257 ssh2\nSep 26 17:05:16 server sshd[12896]: Invalid user user from 80.82.75.56\nSep 26 17:05:16 server sshd[12896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.82.75.56', 'ip': '80.82.75.56', 'ipmatches': <function <lambda> at 0x7ffa9749d320>, 'ipfailures': <function <lambda> at 0x7ffa9749d0c8>, 'time': 1450704827.94964, 'failures': 20, 'ipjailfailures': <function <lambda> at 0x7ffa9749d050>})': local variable 'retcode' referenced before assignment
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/fail2ban/server/actions.py", line 319, in __checkBan
        action.ban(aInfo.copy())
      File "/usr/lib/python2.7/site-packages/fail2ban/server/action.py", line 306, in ban
        if not self._processCmd(self.actionban, aInfo):
      File "/usr/lib/python2.7/site-packages/fail2ban/server/action.py", line 532, in _processCmd
        return self.executeCmd(realCmd, self.timeout)
      File "/usr/lib/python2.7/site-packages/fail2ban/server/action.py", line 592, in executeCmd
        std_level = retcode == 0 and logging.DEBUG or logging.ERROR
    UnboundLocalError: local variable 'retcode' referenced before assignment
    

    Just before these errors start spewing out, fail2ban's memory consumption jumps from a nominal amount to filling the entire server's memory.

    grave 
    opened by ghost 65
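The failure path in the traceback above, as an added illustration (a constructed reproduction, not fail2ban's own executeCmd): a subprocess wrapper that binds retcode only inside its try block, beside a version that returns from every failure path before the logging expression is reached. A missing binary stands in for the ENOMEM fork failure in the report; the argv lists, logger name and demo() helper are assumptions.

```python
import logging
import subprocess
import sys

log = logging.getLogger("actions-example")


def execute_cmd_buggy(cmd, timeout=60):
    """Shape of the failing code path in the report: retcode is only bound
    inside the try block, so when Popen itself raises (ENOMEM on fork in the
    report, a missing binary here) the log-level expression after the handler
    reads an unassigned local and the caller gets UnboundLocalError instead of
    a plain 'ban failed'."""
    try:
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)
        stdout, stderr = proc.communicate(timeout=timeout)
        retcode = proc.returncode
    except OSError as e:
        log.error("%s -- failed with %s", cmd, e)
    # Same expression as line 592 of the traceback; evaluated on every path.
    std_level = retcode == 0 and logging.DEBUG or logging.ERROR
    log.log(std_level, "%s -- returned %s", cmd, retcode)
    return retcode == 0


def execute_cmd_fixed(cmd, timeout=60):
    """Same routine with every failure path returning before the logging
    expression, so a command that could not be spawned is reported once at
    ERROR and the caller simply sees the ban as failed."""
    try:
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)
    except OSError as e:
        # errno/strerror give the "[Errno 12] Cannot allocate memory" form
        log.error("%s -- failed with [Errno %s] %s", cmd, e.errno, e.strerror)
        return False
    try:
        stdout, stderr = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()
        log.error("%s -- timed out after %ss", cmd, timeout)
        return False
    retcode = proc.returncode
    std_level = logging.DEBUG if retcode == 0 else logging.ERROR
    log.log(std_level, "%s -- returned %s", cmd, retcode)
    if stderr:
        log.log(std_level, "%s -- stderr: %r", cmd, stderr)
    return retcode == 0


def demo():
    """Constructed check of both variants; the missing binary stands in for
    the fork failure and is passed as an argv list so no shell is involved."""
    missing = ["/nonexistent/ipset", "add", "fail2ban-sshd", "192.0.2.1"]
    ok_cmd = [sys.executable, "-c", "pass"]
    bad_cmd = [sys.executable, "-c", "raise SystemExit(1)"]
    try:
        execute_cmd_buggy(missing)
        buggy = "returned"
    except UnboundLocalError:
        buggy = "UnboundLocalError"
    return {
        "buggy_on_oserror": buggy,
        "fixed_on_oserror": execute_cmd_fixed(missing),
        "fixed_on_success": execute_cmd_fixed(ok_cmd),
        "fixed_on_nonzero": execute_cmd_fixed(bad_cmd),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(demo())
```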
  • Ban time incr

    Ban time incr

    New feature "automatically exponentially increasing ban time". WARNING: on first start the server upgrades the sqlite database (table "bans" will be recreated with another schema); option "bantime.increment" in jail.conf allows using the database to search for previously banned IPs to increase the default ban time using a special formula; by default each next ban increases banTime * 1, 2, 4, 8, 16, 32... See "jail.conf" for some other options of "bantime.___"; additionally we can configure a little randomization of the ban time, to prevent "clever" botnets from calculating the exact time an IP can be unbanned.

    moreinfo enhancement needs-testing 
    opened by sebres 62
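The doubling schedule described above, as an added example (an illustration, not fail2ban's own bantime formula): the ban length for the n-th repeated ban of one address, with an optional cap and the random offset that keeps the unban moment unpredictable. The parameter names bantime, factor, maxtime and rndtime and the 2^20 exponent cap are assumptions.

```python
import random


def incremented_bantime(bantime, ban_count, factor=1, maxtime=None,
                        rndtime=0, rng=random):
    """Ban length for an address already banned ban_count times, following
    the schedule in the PR text: bantime * 1, 2, 4, 8, 16, 32 ... (doubling
    per previous ban, scaled by factor), capped at maxtime, plus up to
    rndtime seconds of random offset."""
    if ban_count < 0:
        raise ValueError("ban_count must be >= 0")
    # Exponent cap keeps the value finite for an address banned for years.
    length = bantime * (1 << min(ban_count, 20)) * factor
    if maxtime is not None:
        length = min(length, maxtime)
    if rndtime:
        # With the offset, the unban time cannot be derived from the
        # schedule alone, which is the point made in the PR text.
        length += rng.uniform(0, rndtime)
    return length


def ban_schedule(bantime, repeats, **options):
    """Successive ban lengths for one repeat offender, first ban first."""
    return [incremented_bantime(bantime, n, **options) for n in range(repeats)]


def jitter_demo(seed=1, bantime=600, rndtime=300):
    """Constructed check: a seeded generator makes the jittered value
    reproducible; it always lies in [bantime, bantime + rndtime]."""
    return incremented_bantime(bantime, 0, rndtime=rndtime,
                               rng=random.Random(seed))
```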
  • Some timezone warnings since version 0.11.2

    Some timezone warnings since version 0.11.2

    Environment:

    Fill out and check ([x]) the boxes which apply. If your Fail2Ban version is outdated, and you can't verify that the issue persists in the recent release, better seek support from the distribution you obtained Fail2Ban from

    • Fail2Ban version (including any possible distribution suffixes): 0.11.2 from tar with Setup.py
    • OS, including release name/version: Ubuntu 16.04.7 LTS
    • [ ] Fail2Ban installed via OS/distribution mechanisms
    • [ ] You have not applied any additional foreign patches to the codebase
    • [ ] Some customizations were done to the configuration (provide details below if so)

    The issue:

    The version has been running for 2 days and I have got 3 of these log lines for 2 different jails. But most of them seem to work. So I don't think that it is a general problem with these jails?

    WARNING [postfix] Simulate NOW in operation since found time has too large deviation 1606422506.0 ~ 1606422682.04 +/- 60
    2020-11-26 21:31:22,039 fail2ban.filter         [15640]: WARNING [postfix] Please check jail has possibly a timezone issue. Line with odd timestamp: Nov 26 21:28:26 hostname postfix/smtpd[26429]: disconnect from 
    

    This is the jail for postfix, for example, in my jail.local:

    [postfix]
    enabled  = true
    logpath = %(syslog_mail)s
    maxretry = 3
    findtime = 24h
    bantime  = 1h
    mode = aggressive
    

    Any ideas?

    Thanks, Alex

    opened by AleksCee 59
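The deviation check behind the warning quoted above, as an added illustration that is not fail2ban's code: a classic syslog timestamp has neither year nor zone, so both are completed from "now" and an assumed zone before the line's time is compared with the current time. The epoch values printed in the warning (1606422506.0 and 1606422682.04) are reproduced when the posted line is read as UTC+01:00; that zone, the 60 s tolerance and the demo() helper are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Classic syslog prefix: month name, day, time, but no year and no zone.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
                       r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) ")
MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Line from the report (hostname and truncated tail exactly as posted).
REPORTED_LINE = "Nov 26 21:28:26 hostname postfix/smtpd[26429]: disconnect from "
# "Now" as the fail2ban log shows it (21:31:22,039), assumed to be UTC+01:00.
REPORTED_NOW = datetime(2020, 11, 26, 21, 31, 22, 40000,
                        tzinfo=timezone(timedelta(hours=1)))


def parse_syslog_time(line, now, tz):
    """Epoch seconds of the line's timestamp, completing the missing year from
    `now` and the missing zone from the assumed `tz`. A wrong tz shifts every
    line by the zone offset, which is the timezone issue the warning hints at."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    found = datetime(now.year, MONTHS[m.group("mon")], int(m.group("day")),
                     int(m.group("h")), int(m.group("m")), int(m.group("s")),
                     tzinfo=tz)
    # A December line read in early January belongs to the previous year.
    if found - now > timedelta(days=1):
        found = found.replace(year=now.year - 1)
    return found.timestamp()


def check_deviation(line, now, tz, tolerance=60):
    """(found_time, now - found_time, within_tolerance); the warning in the
    report fires when the deviation exceeds the +/- 60 s tolerance."""
    found = parse_syslog_time(line, now, tz)
    if found is None:
        return None, None, False
    deviation = round(now.timestamp() - found, 2)
    return found, deviation, abs(deviation) <= tolerance


def demo(tz_hours, line=REPORTED_LINE, now=REPORTED_NOW):
    """Constructed check against the numbers in the warning: read as
    UTC+01:00 the found time is 1606422506.0 against now = 1606422682.04
    (a 176 s lag); read as UTC the same line lands almost an hour off."""
    return check_deviation(line, now, timezone(timedelta(hours=tz_hours)))
```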
  • Default message patterns to protect web apps

    Default message patterns to protect web apps

    Hello,

    This PR solves #1642, using the following rule: user \S* ?(not found|not authorized|password mismatch|sent invalid token|misbehaved|tried to break-in)\b

    Thank you !

    Ben

    opened by benrubson 59
  • IPv6 support

    IPv6 support

    Hi,

    I'm loving fail2ban but really suffered from the lack of IPv6 support, which motivated me to work on this pull request.

    Please forgive me that I couldn't keep to one of your principles (Keep the PR small), as this change is huge by nature.

    Therefore I've kept the commits detailed to help in understanding the changes. When everything is fine, I can squash them down to an ENH one-line commit.

    Next steps would be finalizing the nftables action including v6 support and maybe adding some more IPv6 related tests (I have got a bit more used to the test framework).

    opened by koeppea 56
  • Fail2ban does not work after upgrading to 0.8.11 - Auto detect backend method problem

    Fail2ban does not work after upgrading to 0.8.11 - Auto detect backend method problem

    Hello people!

    Fail2ban does not work after upgrading to 0.8.11 - Auto detect backend method problem

    Read for details: http://www.remoteshaman.com/unix/common/fail2ban-does-not-work-after-upgrading

    or translate version: http://translate.google.com/translate?client=tmpg&hl=en&langpair=ru|en&u=http%3A//www.remoteshaman.com/unix/common/fail2ban-does-not-work-after-upgrading%3Fhitcount%3D0

    moreinfo 
    opened by remotehelp 56
  • fail2ban iptables :  No chain/target/match by that name.

    fail2ban iptables : No chain/target/match by that name.

    hello,

    I use Ubuntu 16.04 inside Docker, and I obtain this error: iptables -I fail2ban-octoprint 1 -p tcp --dport 80 -m string --algo bm --string 'X-Forwarded-For: XX.XX.XX.XX' -j DROP -- stderr: b'iptables: No chain/target/match by that name.
    (it's a custom action, but it works) What did I do wrong? I just installed iptables and fail2ban.

    Could you help me? Best regards

    moreinfo 3rd party issue 
    opened by devildant 53
  • run action with every matched log entry

    run action with every matched log entry

    This is not an actual issue or request; it's a question whether something like that can be realized with fail2ban.

    There is an ssh honeypot running on my server which logs every login attempt to a log file. I use fail2ban to scan the log file and run custom actions on it to execute Python scripts which insert the login attempts into a database.

    The jail looks like this

    [ssh-honeypot]
    enabled   = true
    chain     = INPUT
    logpath   = /remotelogs/ssh-honeypot.log
    findtime  = 5
    bantime   = 5
    banaction =
    maxretry  = 1
    action    = ip2mysql[script="/shared/ip2mysql/ip2mysql.py", name=%(__name__)s]
                pw2mysql[script="/shared/pw2mysql/pw2mysql.py"]
    

    For completeness here is the filter

    [Definition]
    failregex = ^\[.*\]\s<HOST>\s<F-USER>[^\s]+</F-USER>\s<F-PASSWORD>.*</F-PASSWORD>
    ignoreregex = ^\[.*\] ssh-honeypot
    

    and action

    # pw2mysql.conf
    [Definition]
    actionban = python3 "<script>" "<ip>" "<F-USER>" "<F-PASSWORD>"
    actionunban =
    
    [Init]
    
    
    # ip2mysql.conf
    [Definition]
    actionban = python3 "<script>" "<ip>" "<name>"
    actionunban =
    
    [Init]
    

    What I would now like to achieve is to execute the action for every found log entry, independently of bantime, which is not a usual use-case for fail2ban, but it would be a very neat functionality. Otherwise I need to implement a log observing script similar to what fail2ban already does.

    opened by xolom 0
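The filter and the two actions from the post, driven end to end as an added example (an illustration, not fail2ban's implementation): a simplified expansion of the <HOST> and <F-...> tags into named groups, the ignoreregex-then-failregex match, and the actionban templates rendered as argv lists so that the attacker-chosen user and password recorded by the honeypot are never re-parsed by a shell. The HOST pattern is a deliberate simplification and the sample log lines are constructed.

```python
import re
import shlex

# Simplified stand-in for fail2ban's <HOST> expansion (the real one also
# accepts hostnames and IPv4-mapped IPv6 forms); enough for honeypot lines.
HOST_GROUP = r"(?P<host>[0-9a-fA-F.:]+)"
# <F-NAME>...</F-NAME> pairs become named groups, as in fail2ban filters.
FTAG = re.compile(r"<F-(?P<name>[A-Z_]+)>(?P<body>.*?)</F-(?P=name)>", re.S)


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern with named groups."""
    pattern = failregex.replace("<HOST>", HOST_GROUP)
    pattern = FTAG.sub(
        lambda m: "(?P<%s>%s)" % (m.group("name").lower(), m.group("body")),
        pattern)
    return re.compile(pattern)


# The filter from the post.
FAILREGEX = compile_failregex(
    r"^\[.*\]\s<HOST>\s<F-USER>[^\s]+</F-USER>\s<F-PASSWORD>.*</F-PASSWORD>")
IGNOREREGEX = re.compile(r"^\[.*\] ssh-honeypot")

# The two actionban templates from the post.
PW2MYSQL = 'python3 "<script>" "<ip>" "<F-USER>" "<F-PASSWORD>"'
IP2MYSQL = 'python3 "<script>" "<ip>" "<name>"'


def match_line(line):
    """ignoreregex is checked first, as in fail2ban; a hit yields the tag
    values the actions can reference: <ip>, <F-USER>, <F-PASSWORD>."""
    if IGNOREREGEX.search(line):
        return None
    m = FAILREGEX.search(line)
    if not m:
        return None
    return {"ip": m.group("host"), "F-USER": m.group("user"),
            "F-PASSWORD": m.group("password")}


def render_action(template, tags):
    """Substitute <tag> values into the template word by word and return an
    argv list. User and password come straight from whatever was typed at
    the honeypot, so they must stay single arguments: a value such as
    `"; id` is data here, never shell syntax."""
    argv = []
    for word in shlex.split(template):   # the template itself is trusted config
        for tag, value in tags.items():
            word = word.replace("<%s>" % tag, value)
        argv.append(word)
    return argv


def actions_for(lines, jail="ssh-honeypot"):
    """Commands that would run once per matched line (maxretry = 1), one per
    configured action."""
    commands = []
    for line in lines:
        tags = match_line(line)
        if tags is None:
            continue
        commands.append(render_action(
            PW2MYSQL, dict(tags, script="/shared/pw2mysql/pw2mysql.py")))
        commands.append(render_action(
            IP2MYSQL, dict(tags, script="/shared/ip2mysql/ip2mysql.py", name=jail)))
    return commands


# Constructed honeypot log lines in the shape the filter expects.
SAMPLE_LINES = [
    "[Mon Jan 2 03:04:05 2023] ssh-honeypot listening on port 2222",
    "[Mon Jan 2 03:04:09 2023] 192.0.2.10 root hunter2",
    '[Mon Jan 2 03:04:12 2023] 198.51.100.7 admin pass word"; id',
]
```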
  • ENH: Stop scanning of ports and then disconnecting immediately.

    ENH: Stop scanning of ports and then disconnecting immediately.

    Before submitting your PR, please review the following checklist:

    • [x] CHOOSE CORRECT BRANCH: if filing a bugfix/enhancement against certain release version, choose 0.9, 0.10 or 0.11 branch, for dev-edition use master branch
    • [x] CONSIDER adding a unit test if your PR resolves an issue
    • [x] LIST ISSUES this PR resolves
    • [x] MAKE SURE this PR doesn't break existing tests
    • [x] KEEP PR small so it could be easily reviewed.
    • [x] AVOID making unnecessary stylistic changes in unrelated code
    • [x] ACCOMPANY each new failregex for filter X with sample log lines within fail2ban/tests/files/logs/X file
    opened by RickPoleshuck 2
  • [FR]: named-refused matching dns QUERY is too aggressive

    [FR]: named-refused matching dns QUERY is too aggressive

    Hi and a merry christmas to all!

    I'm running f2b version 1.0.2 and today I've enabled the named-refused jail and noticed a strange behavior:

    Entries like:

    client XXX.XXX.XXX.XXX#123456 (domain.com): query (cache) 'domain.com/SOA/IN' denied

    were triggering a ban on Google public and other DNS servers.

    What happens is that in one of my servers, one domain from an ex-customer is still pointing to our dns server in the registrar.

    To resolve this issue I've suppressed in my config the regex:

       ^(?:view (?:internal|external): )?query(?: \(cache\))?
    

    and the issue was resolved.

    I think that this rule would be a good candidate for the "aggressive" mode.

    Thank you very much!

    filter-request 
    opened by brunobergamaschi 2
  • [RFE]: Hide sensetive info when reporting to third party

    [RFE]: Hide sensetive info when reporting to third party

    Feature request type

    Hide sensitive data when reporting to third party ip-db servers, e.g. abuseipdb, badips.com, via an external script or via action.d/abuseipdb.conf

    Description

    When reporting to a third party, sensitive data like IP, hostname, mail address and MAC address is exposed.

    Example ufw-port-scan matches sent to third party:

    2022-12-11T22:07:58.230240+03:00 mail kernel: [52836.383408] [UFW BLOCK] IN=eth0 OUT= MAC=must_hide SRC=x.x.x.x DST=**must_hide**

    Example dovecot matches sent to third party:

    Dec 05 23:50:17 auth-worker(211446): Info: conn unix:auth-worker (pid=211445,uid=97): auth-worker<2>: sql(**must_hide**,2.57.122.10): Password mismatch (given password: **must_hide**)

    Considered alternatives

    Alternatively, the user should be able to rewrite matches in jails, something like tp_comment, for clean and secure reporting to the third party server.

    [ufw-port-scan]
    enabled = true
    port = all
    filter = ufw-port-scan
    logpath = /var/log/ufw.log
    tp_comment = Port probing on unauthorized port $PORT $PROTOCOL $maxretry in $findtime sec <-- Suggestion
    maxretry = 5
    findtime = 300
    action = %(action_mwl)s
             %(action_abuseipdb)s[abuseipdb_apikey="xxx", abuseipdb_category="14"]
    
    [dovecot]
    enabled  = true
    mode     = aggressive
    port     = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath  = /var/log/dovecot.log
    tp_comment = Email auth brute force attack $maxretry in $findtime sec  <-- Suggestion (or more generic one for all kind of matches)
    backend  = polling
    findtime = 10800
    maxretry = 3
    bantime  = 7200
    action   = %(action_mwl)s
               %(action_abuseipdb)s[abuseipdb_apikey="xxx", abuseipdb_category="18"]
    

    Any additional information

    abuseipdb.conf

    Option: actionban
    Notes.: command executed when banning an IP. Take care that the command is executed with Fail2Ban user rights.

          ** IMPORTANT! **
    
          By default, this posts directly to AbuseIPDB's API, unfortunately
          this results in a lot of backslashes/escapes appearing in the
          reports. This also may include info like your hostname.
          If you have your own web server with PHP available, you can
          use my (Shaun's) helper PHP script by commenting out the first #actionban
          line below, uncommenting the second one, and pointing the URL at
          wherever you install the helper script. For the PHP helper script, see
          <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
    

    In the past there was a PHP script for formatting matches and hiding sensitive data. Nowadays it has been removed.

    actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: <abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data-urlencode "ip=<ip>" --data "categories=<abuseipdb_category>"

    enhancement 
    opened by hsntgm 2
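One way to do the redaction the request asks for, as an added example that is not fail2ban's code: strip site-identifying fields from the <matches> text before it goes to the reporting endpoint, keeping only the reported address, and apply the same 1000-character cap as the posted actionban. The patterns, placeholder strings and sample lines are constructed for the two log shapes quoted above; a generic comment in the style of the suggested tp_comment is shown as the alternative.

```python
import re

# Fields the request wants hidden, for the two log shapes quoted in the post
# (UFW kernel lines and dovecot auth-worker lines); extend per jail as needed.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5,}[0-9A-Fa-f]{2}\b")  # UFW MAC= is dst+src+ethertype
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PASSWORD_RE = re.compile(r"\(given password: [^)]*\)")
# RFC 3339 timestamp followed by the syslog hostname field.
ISO_HOST_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\S+) \S+ ")


def redact_line(line, reported_ip):
    """Keep the offender's address (the report is about it) and hide what
    identifies this site or its users: other addresses, MACs, mailboxes,
    the hostname, and the password that was tried (it may be a real one)."""
    line = PASSWORD_RE.sub("(given password: REDACTED)", line)
    line = MAC_RE.sub("MAC-REDACTED", line)
    line = EMAIL_RE.sub("EMAIL-REDACTED", line)
    line = IPV4_RE.sub(
        lambda m: m.group(0) if m.group(0) == reported_ip else "IP-REDACTED",
        line)
    line = ISO_HOST_RE.sub(r"\1 HOST-REDACTED ", line)
    return line


def redact_matches(matches, reported_ip, limit=1000):
    """Sanitise a whole <matches> block and apply the same length cap as the
    printf '%.1000s' in the posted actionban."""
    cleaned = "\n".join(redact_line(l, reported_ip)
                        for l in matches.splitlines())
    return cleaned if len(cleaned) <= limit else cleaned[:limit] + "\n..."


def generic_comment(jail, maxretry, findtime):
    """The tp_comment alternative from the post: a fixed sentence instead of
    log lines, so nothing from the log reaches the third party at all."""
    return "[%s] %d failures in %d sec" % (jail, maxretry, findtime)


# Constructed sample lines modelled on the two quoted in the post (RFC 5737
# addresses, RFC 2606 domain, made-up MAC).
SAMPLE_MATCHES = "\n".join([
    "2022-12-11T22:07:58.230240+03:00 mail kernel: [52836.383408] [UFW BLOCK] "
    "IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.9 DST=192.0.2.5 LEN=40 PROTO=TCP SPT=45001 DPT=23",
    "Dec 05 23:50:17 auth-worker(211446): Info: conn unix:auth-worker "
    "(pid=211445,uid=97): auth-worker<2>: sql(alice@example.org,203.0.113.9): "
    "Password mismatch (given password: hunter2)",
])
```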
  • enrich ip information from internetdb.shodan.io

    enrich ip information from internetdb.shodan.io

    Action shodan-internetdb adds open ports, vulnerabilities and other information to IPs when they are banned. The result is saved to /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv. shodan-internetdb uses the free InternetDB API, which is available to everybody and doesn't require an API key.

    opened by duong22 6
Releases(1.0.2)
  • 1.0.2(Nov 9, 2022)

    ver. 1.0.2 (2022/11/09) - finally war game test tape not a nuclear alarm

    Update of major version of fail2ban with primary target to fix a dovecot-filter regression #3370. See the ChangeLog for more information.

    It also includes a Debian package, built without a test suite (fail2ban-testcases, fail2ban.test python module) for python 3.

    Source code(tar.gz)
    Source code(zip)
    fail2ban-1.0.2.tar.gz.asc(488 bytes)
    fail2ban_1.0.2-1.upstream1_all.deb(317.48 KB)
    fail2ban_1.0.2-1.upstream1_all.deb.asc(488 bytes)
  • 1.0.1(Sep 27, 2022)

    ver. 1.0.1 (2022/09/27) - energy equals mass times the speed of light squared

    New major version of fail2ban with increased performance, stability, filter and action updates, etc. See the ChangeLog for more information.

    It also includes a Debian package, built without a test suite (fail2ban-testcases, fail2ban.test python module) for python 3.

    Source code(tar.gz)
    Source code(zip)
    fail2ban-1.0.1.tar.gz.asc(488 bytes)
    fail2ban_1.0.1-1.upstream1_all.deb(316.79 KB)
    fail2ban_1.0.1-1.upstream1_all.deb.asc(488 bytes)
  • 0.11.2(Nov 23, 2020)

  • 0.10.6(Nov 23, 2020)

  • 0.11.1(Jan 11, 2020)

  • 0.10.5(Jan 10, 2020)

  • 0.10.4(Oct 4, 2018)

  • 0.10.3.1(Apr 4, 2018)

  • 0.10.2(Jan 18, 2018)

  • 0.10.1(Oct 12, 2017)

    ver. 0.10.1 (2017/10/12) - succeeded-before-friday-the-13th

    Fixing and more. See the ChangeLog for more information.

    Compatibility warning: Although we have endeavoured to maintain backwards compatibility, some custom filter or action configuration files, or distribution-specific configs, of the 0.9 version could be incompatible with this release. Please check them after upgrading to the new version.

    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.10.1.tar.gz.asc(455 bytes)
  • 0.10.0(Aug 9, 2017)

    ver. 0.10.0 (2017/08/09) - long-awaited 0.10th version

    IPv6 support, faster than ever, more secure, many new features etc. See the ChangeLog for more information.

    Compatibility warning: Although we have endeavoured to maintain backwards compatibility, some custom filter or action configuration files, or distribution-specific configs, of the 0.9 version could be incompatible with this release. Please check them after upgrading to the new version.

    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.10.0.tar.gz.asc(455 bytes)
  • 0.9.5(Jul 15, 2016)

    0.9.x line is no longer heavily developed. If you are interested in new features (e.g. IPv6 support), please consider 0.10 branch and its releases.

    Fixes

    • filter.d/monit.conf
      • Extended failregex with new monit "access denied" version (gh-1355)
      • failregex of previous monit version merged as single expression
    • filter.d/postfix.conf, filter.d/postfix-sasl.conf
      • Extended failregex daemon part, matching also postfix/smtps/smtpd now (gh-1391)
    • Fixed a grave bug within tags substitutions because of incorrect detection of recursion in case of multiple inline substitutions of the same tag (affected actions: bsd-ipfw, etc). Now tracks the actual list of the already substituted tags (per tag instead of single list)
    • filter.d/common.conf
      • Unexpected extra regex-space in generic __prefix_line (gh-1405)
      • All optional spaces normalized in common.conf, test covered now
      • Generic __prefix_line extended with optional brackets for the date ambit (gh-1421), added new parameter __date_ambit
    • gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon, not argument of fail2ban (see gh-1434)
    • filter.d/asterisk.conf
      • Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
      • Improved log support for PJSIP and Asterisk 13+ with different callID (gh-1458)

    New Features

    • New Actions:
      • action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367)
    • New filters:
      • slapd - ban hosts that failed to connect because of invalid credentials: error code 49 (gh-1478)

    Enhancements

    • Extreme speedup of all sqlite database operations (gh-1436), by using the following sqlite options:
      • (synchronous = OFF) write data through OS without syncing
      • (journal_mode = MEMORY) use memory for the transaction logging
      • (temp_store = MEMORY) temporary tables and indices are kept in memory
    • journald journalmatch for pure-ftpd (gh-1362)
    • Added additional regex filter for dovecot ldap authentication failures (gh-1370)
    • filter.d/exim*conf
      • Added additional regexes (gh-1371)
      • Made port entry optional
    Source code(tar.gz)
    Source code(zip)
  • 0.10.0a1(Jul 14, 2016)

    ver. 0.10.0a1 (2016/07/14) - ipv6-support-etc

    • Fixes:
      • [grave] memory leaks fixed (gh-1277, gh-1234)
      • tricky bug fix: the last position of a log file was never retrieved (gh-795), because with CASCADE all log entries are deleted from the logs table together with the jail when an "INSERT OR REPLACE" statement is used
      • asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
      • testSocket: sporadic bug repaired - wait until the server thread has started the socket (listener)
      • testExecuteTimeoutWithNastyChildren: sporadic bug repaired - wait for the pid file inside bash, kill the process tree in any case (gh-1155)
    • New Features:
      • IPv6 support:
        • IP addresses are now handled as objects rather than strings, capable of handling both address types, IPv4 and IPv6
        • iptables related actions have been amended to additionally support IPv6 specific actions
        • hostsdeny and route actions have been tested to be aware of v4 and v6 already
        • pf action for *BSD systems has been improved and now supports both v4 and v6
        • name resolution is now working for either address type
        • new conditional section functionality used in configs and includes:
          • [Init?family=inet4] - IPv4 qualified hosts only
          • [Init?family=inet6] - IPv6 qualified hosts only
    • Enhancements:
      • huge increase in fail2ban performance and especially test-case performance (see gh-1109)
      • datedetector: in-place reordering using hits and last used time; matchTime, template list etc. rewritten because of performance degradation
      • prevent out-of-memory situations if many IPs produce extremely many failures (maxEntries)
      • introduced string to seconds (str2seconds) for configuration entries with time: use 1h instead of 3600, 1d instead of 86400, etc.
      • seekToTime - prevents a complete read of big files the first time (after start of the service); the initial seek to the start time uses a half-interval search algorithm (see issue gh-795)
      • ticket and some other modules prepared for an easy merge with the newest version of 'ban-time-incr'
      • cache dnsToIp, ipToName to prevent long waits while retrieving ip/name, especially for wrong dns or a lazy dns-system
      • FailManager memory-optimization: increases performance and prevents memory leakage, because the failures list is no longer copied on some operations
      • fail2ban-testcases - new options introduced:
        • -f, --fast to decrease wait intervals, avoid passive waiting, and skip a few very slow test cases (implies memory database, see -m, and no gamin tests, see -g)
        • -g, --no-gamin to prevent running of tests that require gamin (slow)
        • -m, --memory-db - run database tests using memory instead of a file
        • -i, --ignore - negate [regexps] filter to ignore tests matching the specified regexps
      • background servicing: prevents memory leaks on some platforms/python versions, using forced GC in periodic intervals (latency and threshold)
      • executeCmd partially moved from action to new module utils
      • several functions of class DNSUtils moved to new class IPAddr, both classes moved to new module ipdns
      • pseudo-conditional section introduced, for conditional substitution or evaluation of parameters for hosts of different address families, syntax [Section?family=inet6] (currently used for IPv6-support only).
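    As an added illustration of the seekToTime enhancement listed above (example code written here, not fail2ban's own implementation): a half-interval search over the byte offsets of a seekable log file that aligns each probe to a line boundary and returns the first line at or after a start time, so a large file is not read from the beginning when the service starts. The timestamp format and the sample log are constructed.

```python
import io
import re
from datetime import datetime

# Constructed sample log (syslog-like lines with an ISO timestamp), one line
# per minute; line lengths vary, so the search cannot rely on fixed records.
SAMPLE_LOG = b"".join(
    (
        f"2016-07-14 10:{m:02d}:00 host sshd[123]: Failed password for "
        f"invalid user test from 192.0.2.{m} port 2222 ssh2\n"
    ).encode()
    for m in range(60)
)

TS_RE = re.compile(rb"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_time(s):
    """Parse the constructed 'YYYY-mm-dd HH:MM:SS' timestamp format."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def line_time(line):
    """Timestamp at the start of a log line, or None if there is none."""
    m = TS_RE.match(line)
    return parse_time(m.group(1).decode()) if m else None


def _align(fh, offset):
    """Return the offset of the first line start at or after `offset`."""
    if offset == 0:
        return 0
    fh.seek(offset - 1)
    if fh.read(1) == b"\n":
        return offset            # offset already begins a line
    fh.readline()                # skip the rest of the partial line
    return fh.tell()


def seek_to_time(fh, start_time):
    """Half-interval search over the byte offsets of a seekable log file.

    Returns the offset of the first line whose timestamp is >= start_time
    (the file size if there is none), reading only O(log n) lines.
    Lines without a parseable timestamp are treated as older than start_time.
    """
    fh.seek(0, io.SEEK_END)
    size = fh.tell()
    # lo is always a line start, and every line before lo is too old
    lo, hi = 0, size
    while lo < hi:
        mid = (lo + hi) // 2
        pos = _align(fh, mid)
        if pos >= hi:
            hi = mid             # no line starts in [mid, hi): shrink to [lo, mid]
            continue
        fh.seek(pos)
        line = fh.readline()
        t = line_time(line)
        if t is not None and t >= start_time:
            hi = pos             # candidate found; look for an earlier one
        else:
            lo = pos + len(line)   # this line is too old, skip past it
    return lo


def first_line_from(data, start_time):
    """Offset and content of the first line at or after start_time (b'' at EOF)."""
    fh = io.BytesIO(data)
    off = seek_to_time(fh, start_time)
    fh.seek(off)
    return off, fh.readline()


if __name__ == "__main__":
    print(first_line_from(SAMPLE_LOG, parse_time("2016-07-14 10:30:30")))
```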

    ver. 0.9.5 - in-line part of 0.10.a1 release

    • Fixes:
      • filter.d/monit.conf
        • extended failregex with new monit "access denied" version (gh-1355);
        • failregex of previous monit version merged as single expression.
      • filter.d/postfix.conf, filter.d/postfix-sasl.conf
        • extended failregex daemon part, matching also postfix/smtps/smtpd now (gh-1391)
      • fixed a grave bug within tags substitutions because of incorrect detection of recursion in case of multiple inline substitutions of the same tag (affected actions: bsd-ipfw, etc). Now tracks the actual list of the already substituted tags (per tag instead of single list)
      • filter.d/common.conf
        • unexpected extra regex-space in generic __prefix_line (gh-1405)
        • all optional spaces normalized in common.conf, test covered now
        • generic __prefix_line extended with optional brackets for the date ambit (gh-1421), added new parameter __date_ambit
      • gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon, not argument of fail2ban (see gh-1434)
      • filter.d/asterisk.conf
        • fix security log support for PJSIP and Asterisk 13+ (gh-1456)
        • improved log support for PJSIP and Asterisk 13+ with different callID (gh-1458)
    • New Features:
      • New Actions:
        • action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367)
    • Enhancements:
      • Extreme speedup of all sqlite database operations (gh-1436), by using of following sqlite options:
        • (synchronous = OFF) write data through OS without syncing
        • (journal_mode = MEMORY) use memory for the transaction logging
        • (temp_store = MEMORY) temporary tables and indices are kept in memory
      • journald journalmatch for pure-ftpd (gh-1362)
      • Add additional regex filter for dovecot ldap authentication failures (gh-1370)
      • filter.d/exim*conf
        • added additional regexes (gh-1371)
        • made port entry optional
    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.10.0a1.tar.gz.asc(473 bytes)
  • 0.9.4(Mar 8, 2016)

    • Fixes:
      • roundcube-auth jail typo for logpath
      • Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
      • filter.d/apache-badbots.conf
        • Updated useragent string regex adding escape for +
      • filter.d/mysqld-auth.conf
        • Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
      • filter.d/sshd.conf
        • Updated "Auth fail" regex for OpenSSH 5.9 and later
      • Treat failed and killed execution of commands identically (only different log messages), which addresses different behavior on different exit codes of dash and bash (gh-1155)
      • Fix jail.conf.5 man's section (gh-1226)
      • Fixed default banaction for allports jails like pam-generic, recidive, etc with new default variable banaction_allports (gh-1216)
      • Fixed fail2ban-regex stopping on an invalid (wrongly encoded) character for python versions < 3.x (gh-1248)
      • Use postfix_log logpath for postfix-rbl jail
      • filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
      • use fail2ban_agent as user-agent in actions badips, blocklist_de, etc (gh-1271)
      • Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
      • Changed filter.d/asterisk regex for "Call from ..." (less vulnerable now)
      • Removed compression and rotation count from logrotate (inherit them from the global logrotate config)
    • New Features:
      • New interpolation feature for definition config readers - <known/parameter> (meaning the last known init definition of the filter's or action's parameter with that name). This interpolation makes it possible to extend the parameters of a stock filter or action directly in a jail inside the jail.local file, without creating a separate filter.d/*.local file. It is an extension of the interpolation %(known/parameter)s, which does not work for filter and action init parameters
      • New actions:
        • nftables-multiport and nftables-allports - filtering using nftables framework. Note: it requires a pre-existing chain for the filtering rule.
      • New filters:
        • openhab - domotic software authentication failure with the rest api and web interface (gh-1223)
        • nginx-limit-req - ban hosts that nginx rejected because of its request-rate limit (ngx_http_limit_req_module)
        • murmur - ban hosts that repeatedly attempt to connect to murmur/mumble-server with an invalid server password or certificate.
        • haproxy-http-auth - filter to match failed HTTP Authentications against a HAProxy server
      • New jails:
        • murmur - bans TCP and UDP from the bad host on the default murmur port.
      • sshd filter got new failregex to match "maximum authentication attempts exceeded" (introduced in openssh 6.8)
      • Added filter for Mac OS screen sharing (VNC) daemon
    • Enhancements:
      • Do not rotate empty log files
      • Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59) http://bugs.debian.org/798923
      • Added openSUSE path configuration (Thanks Johannes Weberhofer)
      • Allow splitting ignoreip entries by ',' as well as by ' ' (gh-1197)
      • Added a timeout (3 sec) to urlopen within badips.py action (Thanks M. Maraun)
      • Added check against attacker's Googlebot PTR fake records (Thanks Pablo Rodriguez Fernandez)
      • Enhance filter against attacker's Googlebot PTR fake records (gh-1226)
      • Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
      • Added filter for openhab domotic software authentication failure with the rest api and web interface (gh-1223)
      • Add *_backend options for services to allow distros to set the default backend per service, set default to systemd for Fedora as appropriate
      • Performance improvements while monitoring large number of files (gh-1265). Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia
      • Specified that fail2ban is PartOf iptables.service firewalld.service in .service file -- would reload fail2ban if those services are restarted
      • Provides new default fail2ban_version and interpolation variable fail2ban_agent in jail.conf
      • Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, and to support multiple instances of postfix having varying suffix (gh-1331) (Thanks Tom Hendrikx)
      • files/gentoo-initd to use start-stop-daemon to robustify restarting the service
    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.9.4.tar.gz.asc(473 bytes)
  • 0.9.1(Oct 28, 2014)

    ver. 0.9.1 (2014/10/29) - better, faster, stronger

    • Refactoring (IMPORTANT -- Please review your setup and configuration):
      • iptables-common.conf replaced iptables-blocktype.conf (iptables-blocktype.local should still be read) and now also provides defaults for the chain, port, protocol and name tags
    • Fixes:
      • start of fail2ban aborted (on slow hosts, systemd considers the server to have timed out and kills it), see gh-824
      • UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
      • systemd backend error on bad utf-8 in python3
      • badips.py action error when logging HTTP error raised with badips request
      • fail2ban-regex failed to work in python3 due to space/tab mix
      • recidive regex samples incorrect log level
      • journalmatch for recidive incorrect PRIORITY
      • loglevel couldn't be changed in fail2ban.conf
      • Handle case when no sqlite library is available for persistent database
      • Only reban once per IP from database on fail2ban restart
      • Nginx filter to support missing server_name. Closes gh-676
      • fail2ban-regex assertion error caused by miscount missed lines with multiline regex
      • Fix actions failing to execute for Python 3.4.0. Workaround for http://bugs.python.org/issue21207
      • Database now returns persistent bans on restart (bantime < 0)
      • Recursive action tags now fully processed. Fixes issue with bsd-ipfw action
      • Fixed TypeError with "ipfailures" and "ipjailfailures" action tags. Thanks Serg G. Brester
      • Correct times for non-timezone date times formats during DST
      • Pass a copy of, not original, aInfo into actions to avoid side-effects
      • Per-distribution paths to the exim's main log
      • Ignored IPs are no longer banned when being restored from persistent database
      • Manually unbanned IPs are now removed from the persistent database, so that they won't be banned again when Fail2Ban is restarted
      • Pass "bantime" parameter to the actions in default jail's action definition(s)
      • filters.d/sieve.conf - fixed typo in _daemon. Thanks Jisoo Park
      • cyrus-imap -- also catch failed logins via secured protocols (imaps/pop3s). Regression was introduced while strengthening failregex in 0.8.11 (bd175f). Debian bug #755173
      • postfix-sasl - added journalmatch. Thanks Luc Maisonobe
      • postfix* - match with a new daemon string (postfix/submission/smtpd). Closes gh-804 . Thanks Paul Traina
      • apache - added filter for AH01630 client denied by server configuration.
    • New features:
      • New filters:
        • monit Thanks Jason H Martin
        • directadmin Thanks niorg
        • apache-shellshock Thanks Eugene Hopkinson (SlowRiot)
      • New actions:
        • symbiosis-blacklist-allports for Bytemark symbiosis firewall
      • fail2ban-client can fetch the running server version
      • Added Cloudflare API action
    • Enhancements
      • Start performance of fail2ban-client (and tests) increased, start time and cpu usage greatly reduced. Introduced a shared storage logic to bypass reading lots of config files (see gh-824). Thanks to Joost Molenaar for the good catch (reported gh-820).
      • Fail2ban-regex - add print-all-matched option. Closes gh-652
      • Suppress fail2ban-client warnings for non-critical config options
      • Match non "Bye Bye" disconnect messages for sshd locked account regex
      • courier-smtp filter:
        • match lines with user names
        • match lines containing "535 Authentication failed" attempts
      • Add tag to iptables-ipsets
      • Realign fail2ban log output with white space to improve readability. Does not affect SYSLOG output
      • Log unhandled exceptions
      • cyrus-imap: catch "user not found" attempts
      • Add support for Portsentry
    Source code(tar.gz)
    Source code(zip)
  • 0.8.14(Aug 19, 2014)

    • Fixes:
      • minor fixes for claimed Python 2.4 and 2.5 compatibility
      • Handle case when inotify watch is auto deleted on file deletion to stop error messages
      • tests - fixed few "leaky" file descriptors when files were not closed while being removed physically
      • grep in mail*-whois-lines.conf now also matches end of line to work with the recidive filter
    Source code(tar.gz)
    Source code(zip)
  • 0.9.0(Mar 15, 2014)

    Fail2Ban Scope

    Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

    Changes

    This 0.9.0 release includes a few major changes from the 0.8.12 branch.

    Python version

    The minimum supported Python version is now 2.6.

    For the first time Python 3.2+ (via 2to3) and PyPy are also supported.

    Database

    A persistent database in sqlite3 format can be used; its default location is /var/lib/fail2ban/fail2ban.sqlite3. It allows active bans to be reinstated on restart, and log files are read from their last position after a restart.
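    An added illustration (constructed table layout and code, not fail2ban's own schema) of the restore-on-restart behaviour described here and refined in the 0.9.1 fixes above: persistent bans (bantime < 0) are reinstated, expired bans are dropped, IPs covered by ignoreip are skipped, each IP is re-banned only once, and a manual unban removes the rows so the IP stays unbanned across a restart.

```python
import ipaddress
import sqlite3

# Simplified, constructed table layout (not fail2ban's actual schema): one row
# per ban; bantime is in seconds and a negative value means a permanent ban.
SCHEMA = """
CREATE TABLE IF NOT EXISTS bans (
    jail      TEXT    NOT NULL,
    ip        TEXT    NOT NULL,
    timeofban INTEGER NOT NULL,
    bantime   INTEGER NOT NULL
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_ban(conn, jail, ip, timeofban, bantime):
    conn.execute("INSERT INTO bans VALUES (?, ?, ?, ?)", (jail, ip, timeofban, bantime))
    conn.commit()


def remove_ban(conn, jail, ip):
    """Manual unban: drop the rows so the IP is not re-banned after a restart."""
    conn.execute("DELETE FROM bans WHERE jail = ? AND ip = ?", (jail, ip))
    conn.commit()


def is_ignored(ip, ignoreip):
    """True if ip falls inside any address or CIDR network listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def bans_to_restore(conn, jail, now, ignoreip=()):
    """Bans to reinstate for a jail on restart: {ip: remaining_seconds}, -1 if permanent.

    Expired bans are skipped by the query, ignored IPs are never re-banned,
    and an IP present in several rows is restored once, with its longest ban.
    """
    rows = conn.execute(
        "SELECT ip, timeofban, bantime FROM bans WHERE jail = ? "
        "AND (bantime < 0 OR timeofban + bantime > ?) ORDER BY timeofban",
        (jail, now),
    )
    restore = {}
    for ip, timeofban, bantime in rows:
        if is_ignored(ip, ignoreip):
            continue
        remaining = -1 if bantime < 0 else timeofban + bantime - now
        prev = restore.get(ip)
        # keep the longer ban for an IP seen twice; a permanent ban always wins
        if prev is None or (prev >= 0 and (remaining < 0 or remaining > prev)):
            restore[ip] = remaining
    return restore


def demo(now=1000):
    """Constructed scenario exercising each rule; returns what would be restored."""
    conn = open_db()
    add_ban(conn, "sshd", "192.0.2.10", 900, 600)    # active, 500 s left
    add_ban(conn, "sshd", "192.0.2.11", 100, 600)    # expired, not restored
    add_ban(conn, "sshd", "192.0.2.12", 500, -1)     # permanent
    add_ban(conn, "sshd", "192.0.2.12", 950, 600)    # duplicate row, permanent wins
    add_ban(conn, "sshd", "10.0.0.5", 990, 600)      # covered by ignoreip, skipped
    add_ban(conn, "sshd", "192.0.2.13", 990, 600)
    remove_ban(conn, "sshd", "192.0.2.13")           # manually unbanned
    add_ban(conn, "apache", "192.0.2.14", 990, 600)  # other jail, not selected
    return bans_to_restore(conn, "sshd", now, ignoreip=("127.0.0.1", "10.0.0.0/8"))


if __name__ == "__main__":
    print(demo())   # {'192.0.2.12': -1, '192.0.2.10': 500}
```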

    Filters

    Fail2ban filters can now support:

    • filter patterns that span multiple lines.
    • parameters passed from jail.conf
    • custom date formats
    • date/time log formats that specify a timezone are now parsed correctly, so logs of services running in a different timezone setting than Fail2ban can be processed. Sub-second granularity in log formats is also parsed.
    • a systemd journal backend has been created. It depends on python-systemd. To select journal entries in filters there is a "journalmatch" setting.

    Because of these new filter features the following filters are now able to be added:

    • Guacamole
    • Kerio
    • Stunnel
    • Counter Strike
    • Squirrelmail
    • Tine20

    Actions

    Fail2ban actions can now support:

    • multiple instances of the same action can be specified in the same jail
    • actions can now be written in Python
    • A timeout is possible for actions to prevent them blocking jail processing
    • Standard output and error for command actions captured and logged on error or debug

    New actions include:

    • xarf-login-attack
    • smtp.py
    • badips.py

    Users

    Users can now specify an action in jail.local that applies to all configured jails.

    [DEFAULT]
    banaction = iptables-ipset
    action = %(action_)s

    banaction defines the firewall technology and action defines which of the ban/notification technologies to use. These are defined in jail.conf.

    The distributor will have configured a paths-{distro}.conf. If you have configured a different path, it can be overridden in paths-overrides.local.

    Encoding of log files can be specified, defaulting to the system locale.

    Distributors

    The jail.conf has been modified extensively to list only the filters. Variants with different actions and file paths have been removed.

    Only one patch should be needed to change jail.conf to the required paths-{distro}.conf.

    There is now a separate file paths-{distro}.conf that contains the paths of the log files so hopefully this will be easier to maintain. Patches/additions here welcome.

    Python-systemd is an optional dependency for systemd support.

    Fail2Ban is now installed as a python module fail2ban.

    Full changes: https://github.com/fail2ban/fail2ban/compare/0.8.12...0.9.0

    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.9.0.tar.bz2(221.33 KB)
    fail2ban-0.9.0.tar.gz(260.56 KB)
  • 0.8.13(Mar 15, 2014)

    This is a maintenance release from 0.8.12. It contains minor fixes in filters.

    We recommend using 0.9 version as it includes all fixes from this release and more.

    If you're still stuck on python-2.5 (or less), or want to keep a similar jail.conf configuration, you can still use this version.

    A full list of changes is here: https://github.com/fail2ban/fail2ban/compare/0.8.12...0.8.13

    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.8.13-1.noarch.rpm(205.34 KB)
    fail2ban-0.8.13-1.src.rpm(209.24 KB)
    fail2ban-0.8.13.tar.bz2(169.47 KB)
    fail2ban-0.8.13.tar.gz(206.30 KB)
  • 0.8.12(Jan 21, 2014)

    New bits:

    Log rotation can now occur with the command "flushlogs" rather than reloading fail2ban or keeping the logtarget settings consistent in jail.conf/local and /etc/logrotate.d/fail2ban. (Debian bug #697333, Redhat bug #891798).

    Added ignorecommand option, allowing dynamic determination of whether to ignore an IP or not.

    Remove indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems. (Debian bug #730202). Log lines now also report "[PID]" after the name portion too.

    Epoch dates can now be enclosed within []

    New actions:

    • badips
    • firewallcmd-ipset
    • ufw
    • blocklist_de

    New filters:

    • solid-pop3d
    • nsd
    • openwebmail
    • horde
    • freeswitch
    • squid
    • ejabberd
    • groupoffice

    Filter improvements:

    • apache-noscript now includes php cgi scripts
    • exim-spam filter to match spamassassin log entry for option SAdevnull.
    • Added to sshd filter expression for "Received disconnect from : 3: Auth fail"
    • Improved ACL-handling for Asterisk
    • Added improper command pipelining to postfix filter.

    General fixes:

    • Added lots of jail.conf entries for missing filters that crept in over the last year.
    • synchat changed to use the push method, which verifies whether all data was sent. This ensures that all data is sent before closing the connection.
    • Fixed python 2.4 compatibility (as sub-second in date patterns weren't 2.4 compatible)
    • Complain/email actions fixed to only include relevant IPs to reporting

    Filter fixes:

    • Added HTTP referrer bit of the apache access log to the apache filters.
    • Apache 2.4 prefork regexes fixed
    • Kernel syslog expression can have leading spaces
    • allow for ",milliseconds" in the custom date format of proftpd.log
    • recidive jail to block all protocols
    • smtps is not an IANA standard, so it may be missing from /etc/services. Due to its (still) common use, 465 has been used as the explicit port number
    • Filter dovecot reordered session and TLS items in regex with wider scope for session characters

    Ugly Fixes (Potentially incompatible changes):

    Unfortunately, at the end of the last release, when the action firewall-cmd-direct-new was added, its name was too long and it had a broken action check. The action was renamed to firewallcmd-new to fit within the jail name length. (#395).

    Last release added mysqld-syslog-iptables as a jail configuration. This jailname was too long and it has been renamed to mysqld-syslog.

    Full changes: https://github.com/fail2ban/fail2ban/compare/0.8.11...0.8.12

    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.8.12-1.noarch.rpm(202.81 KB)
    fail2ban-0.8.12-1.src.rpm(204.26 KB)
    fail2ban-0.8.12.tar.bz2(165.66 KB)
    fail2ban-0.8.12.tar.gz(201.32 KB)
  • 0.8.11(Nov 12, 2013)

    The 0.8.11 release is available at https://github.com/fail2ban/fail2ban/releases

    In light of CVE-2013-2178, which triggered our last release, we have put a significant effort into tightening all of the regexes of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario; however, it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexes, supporting previously unbanned failures and newer application versions too. We have test cases for most of these now; however, if you have other examples that demonstrate that a filter is insufficient, we welcome your feedback. During the tightening of the regexes to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue.

    After we do this release we'll look at doing a 0.9.0alpha release that has a significant reworking of its back end to support multiline matches, true timezone support, and more flexibility for actions.

    There is a full ChangeLog in the distribution.

    As usual, any bugs or enhancements feel free to tell us https://github.com/fail2ban/fail2ban/issues.

    For user support please use the mailing list http://sourceforge.net/p/fail2ban/mailman/fail2ban-users/ or the #fail2ban freenode IRC channel.

    Your friendly fail2ban devs,

    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.8.11-1.noarch.rpm(231.53 KB)
    fail2ban-0.8.11-1.src.rpm(188.07 KB)
    fail2ban-0.8.11.tar.bz2(152.74 KB)
    fail2ban-0.8.11.tar.gz(185.25 KB)
  • 0.8.11.pre1(Oct 31, 2013)

    0.8.11 Prerelease to Package Maintainers

    Dear package maintainers of fail2ban,

    We are just about to release 0.8.11 and we'd like to check that everything is packaged as well as possible. After we do this release we'll look at doing a 0.9.0alpha release that has a significant reworking of its back end and time functions.

    The 0.8.11 pre-release 1 is available at https://github.com/fail2ban/fail2ban/releases

    Please give feedback via https://github.com/fail2ban/fail2ban/issues if there are issues that need to be addressed before the final release.

    In light of CVE-2013-2178, which triggered our last release, we have put a significant effort into tightening all of the regexes of our filters to avoid another similar vulnerability. We haven't examined all of these for a potential DoS scenario; however, it is possible that another DoS vulnerability exists that is fixed by this release. A large number of filters have been updated to include more failure regexes, supporting previously unbanned failures and newer application versions too. We have test cases for most of these now; however, if you have other examples that demonstrate that a filter is insufficient, we welcome your feedback. During the tightening of the regexes to avoid DoS vulnerabilities there is the possibility that we have inadvertently, despite our best intentions, incorrectly allowed a failure to continue.

    There is a full ChangeLog in the distribution.

    We believe the key factors for maintainers are:

    • action.d/hostsdeny -- NOTE: new dependency 'ed'. Switched to use 'ed' across all platforms to ensure permissions are the same before and after a ban
    • action.d/iptables-ipset* - there is proto4 and proto6 - you may want to remove the one(s) that don't apply (ipset -V to see which protocol ipset uses). Also selinux permissions for fail2ban to use the ipset kernel interface may be needed.
    • files/redhat-initd - rewritten to use stock init.d functions thus avoiding problems with getpid. Also $network and iptables moved to Should- rc init fields
    • filter.d/pam-generic and other pam regexs - Disabled support for linux-pam before version 0.99.2.0 (2005)
    • The order of configuration file processing has changed to jail.conf, jail.d/*.conf, jail.local, jail.d/*.local (previously jail.conf, jail.local, jail.d/*.conf, jail.d/*.local). Likewise for fail2ban configurations if you replace jail with fail2ban in the previous sentence, but we don't expect any problems (https://github.com/fail2ban/fail2ban/pull/392#issuecomment-26084729).

    Filter changes that may affect user configured jails:

    • filter.d/exim-spam.conf -- a split-out of exim's spam regexes that were in filter.d/exim.conf, leaving exim.conf to contain just authentication failures
    • lighttpd-fastcgi filter has been renamed to 'suhosin'
    • filter.d/sasl filter has been renamed to filter.d/postfix-sasl

    For the last two a symlink from the old name should provide compatibility.

    We see that a lot of available packages include patches for different distribution-specific paths. If there are any good Python packaged programs that allow easy configuration of this let us know and we'll try to make this aspect easier for you.

    We also acknowledge that the logpaths in jail.conf are very distribution specific and we will look into making their configuration simpler in the next release. Hopefully new jail.d/ and fail2ban.d/ directories will assist you with this so you could e.g. introduce a jail.d/00_{distro}.conf to define the local paths for logfiles e.g.:

    [perdition]
    logpath = /var/log/mail.log

    Cheers,

    Your friendly fail2ban devs,

    Source code(tar.gz)
    Source code(zip)
    fail2ban-0.8.11.pre1-1.noarch.rpm(227.71 KB)
    fail2ban-0.8.11.pre1-1.src.rpm(183.01 KB)
    fail2ban-0.8.11.pre1.tar.bz2(148.46 KB)
    fail2ban-0.8.11.pre1.tar.gz(180.17 KB)
  • 0.8.10(Jul 3, 2013)

    Primarily a bugfix and enhancements release, triggered by "bugs" in the apache- filters. If you are relying on the apache- filters listed below, upgrade asap and ask your distribution to patch their fail2ban package with [6ccd5781].

    • Fixes:
      Yaroslav Halchenko
      • [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor failregex at the beginning (and where applicable at the end). Addresses a possible DoS. Closes gh-248
      • action.d/{route,shorewall}.conf - blocktype must be defined within [Init]. Closes gh-232
    • Enhancements:
      Yaroslav Halchenko
      • jail.conf -- assure all jails have actions and remove unused ports specifications
      Terence Namusonge
      • config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
      Daniel Black
      • files/suse-initd -- update to the copy from stock SUSE
      silviogarbes & Daniel Black
      • Updates to asterisk filter. Closes gh-227/gh-230.
      Carlos Alberto Lopez Perez
      • Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
    Source code(tar.gz)
    Source code(zip)
  • 0.8.9(Jul 3, 2013)

    Originally targeted as a bugfix release, it incorporated many new enhancements, a few new features, and, more importantly, a quite extended test battery with current 94% coverage (up from 56% in 0.8.8).

    This release introduces over 200 of non-merge commits from 16 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki, ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither, Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.

    Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom Hendrikx, Yehuda Katz and other TBN heroes supporting users on fail2ban-users mailing list and IRC.

    • Fixes:
      • Yaroslav Halchenko
        • [6f4dad46] python-2.4 is the minimal version.
        • [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
        • [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for insight. Closes gh-103.
        • [ab044b75] delay check for the existence of config directory until read.
        • [3b4084d4] fixing up for handling of TAI64N timestamps.
        • [154aa38e] do not shutdown logging until all jails stop.
        • [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184. Thanks to Jon Foster for report and troubleshooting.
      • Orion Poplawski
        • [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking newly created directories.
      • Nicolas Collignon
        • [39667ff6] Avoid leaking file descriptors. Closes gh-167.
      • Sergey Brester
        • [b6bb2f88 and d17b4153] invalid date recognition, irregular because of sorting template list.
      • Steven Hiscocks
        • [7a442f07] When changing log target with python2.{4,5} handle KeyError. Closes gh-147, gh-148.
        • [b6a68f51] Fix delaction on server side. Closes gh-124.
      • Daniel Black
        • [f0610c01] Allow more than a one word command when changing an Action via the fail2ban-client. Closes gh-134.
        • [945ad3d9] Fix dates on email actions to work in different locales. Closes gh-70. Thanks to iGeorgeX for the idea.
      • blotus
        • [96eb8986] ' and " should also be escaped in action tags. Closes gh-109
      • Christoph Theis, Nick Hilliard, Daniel Black
        • [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
    • New features:
      • Yaroslav Halchenko
        • [9ba27353] Add support for jail.d/{configfile} and fail2ban.d/{configfile} to provide additional flexibility to system administrators. Thanks to beilber for the idea. Closes gh-114.
        • [3ce53e87] Add exim filter.
      • Erwan Ben Souiden
        • [d7d5228] add nagios integration documentation and script to ensure fail2ban is running. Closes gh-166.
      • Artur Penttinen
        • [29d0df5] Add mysqld filter. Closes gh-152.
      • ArndRaphael Brandes
        • [bba3fd8] Add Sogo filter. Closes gh-117.
      • Michael Gebetsroither
        • [f9b78ba] Add action route to block at routing level.
      • Teodor Micu & Yaroslav Halchenko
        • [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
      • Daniel Black
        • [be06b1b] Add action for iptables-ipsets. Closes gh-102.
      • Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
        • [b6d0e8a] Add and enhance the bsd-ipfw action from FreeBSD ports.
      • Soulard Morgan
        • [f336d9f] Add filter for webmin. Closes gh-99.
      • Steven Hiscocks
        • [..746c7d9] bash interactive shell completions for fail2ban-*'s
      • Nick Hilliard
        • [0c5a9c5] Add pf action.
    • Enhancements:
      • Enrico Labedzki
        • [24a8d07] Added new date format for ASSP SMTP Proxy.
      • Steven Hiscocks
        • [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172.
        • [MANY] Improvements to test cases, travis, and code coverage (coveralls).
        • [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
        • [ce3ab34] Added ability to specify PID file.
      • Orion Poplawski
        • [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. Closes gh-142.
      • Yaroslav Halchenko
        • [MANY] Lots of improvements to log messages, man pages and test cases.
        • [91d5736] Postfix filter improvements - empty helo, from and rcpt to. Closes gh-126. Bug report by Michael Heuberger.
        • [40c5a2d] adding more diagnostic messages into -client while starting the daemon.
        • [8e63d4c] Compare against None with 'is' instead of '=='.
        • [6fef85f] Strip CR and LF while analyzing the log line
      • Daniel Black
        • [3aeb1a9] Add jail.conf manual page. Closes gh-143.
        • [MANY] man page edits.
        • [7cd6dab] Added help command to fail2ban-client.
        • [c8c7b0b,23bbc60] Better logging of log file read errors.
        • [3665e6d] Added code coverage to development process.
        • [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh source. Also include BSD changes.
        • [1d9abd1] Action files can have tags in definition that refer to other tags.
        • [10886e7,cec5da2,adb991a] Change actions to respond with ICMP port unreachable rather than just a drop of the packet.
      • Pascal Borreli
        • [a2b29b4] Fixed lots of typos in config files and documentation.
      • hamilton5
        • [7ede1e8] Update dovecot filter config.
      • Romain Riviere
        • [0ac8746] Enhance named-refused filter for views.
      • James Stout
        • [..2143cdf] Solaris support enhancements:
          • README.Solaris
          • failregex'es tune ups (sshd.conf)
          • hostsdeny: do not rely on support of '-i' in sed