"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "ChangeLog" between
fail2ban-0.10.5.tar.gz and fail2ban-0.11.1.tar.gz

ChangeLog  (fail2ban-0.10.5):ChangeLog  (fail2ban-0.11.1)
__ _ _ ___ _ __ _ _ ___ _
/ _|__ _(_) |_ ) |__ __ _ _ _ / _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \ | _/ _` | | |/ /| '_ \/ _` | ' \
|_| \__,_|_|_/___|_.__/\__,_|_||_| |_| \__,_|_|_/___|_.__/\__,_|_||_|
Fail2Ban: Changelog Fail2Ban: Changelog
=================== ===================
Incompatibility list (compared to v.0.9): ver. 0.11.1 (2020/01/11) - this-is-the-way
----------- -----------
* Filter (or `failregex`) internal capture-groups: ### Compatibility:
* to v.0.10:
- 0.11 is totally compatible to 0.10 (configuration- and API-related stuff), b
ut the database
got some new tables and fields (auto-converted during the first start), so o
nce updated to 0.11, you
have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (or its diffe
rent to 0.10 schema)
if you would need to downgrade to 0.10 for some reason.
* to v.0.9:
- Filter (or `failregex`) internal capture-groups:
* If you've your own `failregex` or custom filters using conditional match `
(?P=host)`, you should
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)`
instead of `(?P=host)`
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw`
settings).
Of course you can always define your own capture-group (like below `_cond_
ip_`) to do this.
```
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host
(?P=_cond_ip_)$"
```
* New internal groups (currently reserved for internal usage):
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captu
res in lower case if
mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
- If you've your own `failregex` or custom filters using conditional match `(? - v.0.10 and 0.11 use more precise date template handling, that can be theoret
P=host)`, you should ically incompatible to some
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` i user configurations resp. `datepattern`.
nstead of `(?P=host)`
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` s
ettings).
Of course you can always define your own capture-group (like below `_cond_ip
_`) to do this.
```
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (
?P=_cond_ip_)$"
```
- New internal groups (currently reserved for internal usage):
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another capture
s in lower case if
mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
* v.0.10 uses more precise date template handling, that can be theoretically inc - Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ba
ompatible to some n actions are
user configurations resp. `datepattern`. IPv6-capable now.
* Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban ### Fixes
actions are * purge database will be executed now (within observer).
IPv6-capable now. * restoring currently banned ip after service restart fixed
(now < timeofban + bantime), ignore old log failures (already banned)
* upgrade database: update new created table `bips` with entries from table `ban
s` (allows restore
current bans after upgrade from version <= 0.10)
### New Features
* Increment ban time (+ observer) functionality introduced.
* Database functionality extended with bad ips.
* New tags (usable in actions):
- `<bancount>` - ban count of this offender if known as bad (started by 1 for
unknown)
- `<bantime>` - current ban-time of the ticket (prolongation can be retarded u
p to 10 sec.)
* Introduced new action command `actionprolong` to prolong ban-time (e. g. set n
ew timeout if expected);
Several actions (like ipset, etc.) rewritten using net logic with `actionprolo
ng`.
Note: because ban-time is dynamic, it was removed from jail.conf as timeout ar
gument (check jail.local).
### Enhancements
* algorithm of restore current bans after restart changed: update the restored b
an-time (and therefore
end of ban) of the ticket with ban-time of jail (as maximum), for all tickets
with ban-time greater
(or persistent); not affected if ban-time of the jail is unchanged between sto
p/start.
* added new setup-option `--without-tests` to skip building and installing of te
sts files (gh-2287).
* added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?` to
get the banned ip addresses (gh-1916).
ver. 0.10.5 (2020/01/10) - deserve-more-respect-a-jedis-weapon-must ver. 0.10.5 (2020/01/10) - deserve-more-respect-a-jedis-weapon-must
----------- -----------
Yes, Hrrrm... Yes, Hrrrm...
### Fixes ### Fixes
* [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixe d in gh-2444 in order to ignore * [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixe d in gh-2444 in order to ignore
user session files per default, so could prevent "Too many open files" errors on a lot of user sessions (see gh-2392) user session files per default, so could prevent "Too many open files" errors on a lot of user sessions (see gh-2392)
* [grave] fixed parsing of multi-line filters (`maxlines` > 1) together with sys temd backend, * [grave] fixed parsing of multi-line filters (`maxlines` > 1) together with sys temd backend,
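Review bot: In the new "to v.0.9" compatibility text, the suggested replacement `(?:(?P=ip4)|(?P=ip6)` is missing its closing parenthesis, so anyone copying it into a custom `failregex` gets a pattern that does not compile; it should read `(?:(?P=ip4)|(?P=ip6))`, consistent with the three-way form `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` given right after it. In the "to v.0.10" paragraph, "or its different to 0.10 schema" is hard to parse, and since the same section says the upgrade fills the new `bips` table from `bans` so that current bans can be restored, the downgrade note should say plainly that removing /var/lib/fail2ban/fail2ban.sqlite3 also discards the stored bans.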
skipping to change at line 406 skipping to change at line 437
* Some filters extended with user name (can be used in gh-1243 to distinguish IP and user, * Some filters extended with user name (can be used in gh-1243 to distinguish IP and user,
resp. to remove after success login the user-related failures only); resp. to remove after success login the user-related failures only);
* Safer, more stable and faster replaceTag interpolation (switched from cycle ov er all tags * Safer, more stable and faster replaceTag interpolation (switched from cycle ov er all tags
to re.sub with callable) to re.sub with callable)
* substituteRecursiveTags optimization + moved in helpers facilities (because cu rrently used * substituteRecursiveTags optimization + moved in helpers facilities (because cu rrently used
commonly in server and in client) commonly in server and in client)
* New tags (usable in actions): * New tags (usable in actions):
- `<fid>` - failure identifier (if raw resp. failures without IP address) - `<fid>` - failure identifier (if raw resp. failures without IP address)
- `<ip-rev>` - PTR reversed representation of IP address - `<ip-rev>` - PTR reversed representation of IP address
- `<ip-host>` - host name of the IP address - `<ip-host>` - host name of the IP address
- `<bancount>` - ban count of this offender if known as bad (started by 1 for
unknown)
- `<bantime>` - current ban-time of the ticket (prolongation can be retarded u
p to 10 sec.)
- `<F-...>` - interpolates to the corresponding filter group capture `...` - `<F-...>` - interpolates to the corresponding filter group capture `...`
- `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)` ) - `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)` )
- `<sh-hostname>` - short hostname (the same as `$(uname -n)`) - `<sh-hostname>` - short hostname (the same as `$(uname -n)`)
* Introduced new action command `actionprolong` to prolong ban-time (e. g. set n
ew timeout if expected);
Several actions (like ipset, etc.) rewritten using net logic with `actionprolo
ng`.
Note: because ban-time is dynamic, it was removed from jail.conf as timeout ar
gument (check jail.local).
* Allow to use filter options by `fail2ban-regex`, example: * Allow to use filter options by `fail2ban-regex`, example:
fail2ban-regex text.log "sshd[mode=aggressive]" fail2ban-regex text.log "sshd[mode=aggressive]"
* Samples test case factory extended with filter options - dict in JSON to contr ol * Samples test case factory extended with filter options - dict in JSON to contr ol
filter options (e. g. mode, etc.): filter options (e. g. mode, etc.):
# filterOptions: {"mode": "aggressive"} # filterOptions: {"mode": "aggressive"}
* Introduced new jail option "ignoreself", specifies whether the local resp. own IP addresses * Introduced new jail option "ignoreself", specifies whether the local resp. own IP addresses
should be ignored (default is true). Fail2ban will not ban a host which matche s such addresses. should be ignored (default is true). Fail2ban will not ban a host which matche s such addresses.
Option "ignoreip" affects additionally to "ignoreself" and don't need to inclu de the DNS Option "ignoreip" affects additionally to "ignoreself" and don't need to inclu de the DNS
resp. IPs of the host self. resp. IPs of the host self.
* Regex will be compiled as MULTILINE only if needed (buffering with `maxlines` > 1), that enables: * Regex will be compiled as MULTILINE only if needed (buffering with `maxlines` > 1), that enables:
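Review bot: The added `<bancount>`, `<bantime>` and `actionprolong` entries in this section, which sits further down the file than the ver. 0.10.5 heading, repeat word for word the entries listed under "New Features" for ver. 0.11.1, which leaves it unclear which release introduced them; keep them in one place or mark the release they belong to. Both copies say several actions were "rewritten using net logic", which reads like a typo for "new logic", and "prolongation can be retarded up to 10 sec." would be clearer as "delayed by up to 10 sec.". The note that ban-time "was removed from jail.conf as timeout argument (check jail.local)" should also say what an operator has to change in a local override that still passes the timeout.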
skipping to change at line 481 skipping to change at line 517
by ambiguous formats, etc.) by ambiguous formats, etc.)
* Distance collision check always prefers template with shortest distance * Distance collision check always prefers template with shortest distance
(left for right) if date pattern is not anchored (left for right) if date pattern is not anchored
* Tricky bug fix: last position of log file will be never retrieved (gh-795), * Tricky bug fix: last position of log file will be never retrieved (gh-795),
because of CASCADE all log entries will be deleted from logs table together wi th jail, because of CASCADE all log entries will be deleted from logs table together wi th jail,
if used "INSERT OR REPLACE" statement if used "INSERT OR REPLACE" statement
* Asyncserver (asyncore) code fixed and test cases repaired (again gh-161) * Asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
* testSocket: sporadical bug repaired - wait for server thread starts a socket ( listener) * testSocket: sporadical bug repaired - wait for server thread starts a socket ( listener)
* testExecuteTimeoutWithNastyChildren: sporadical bug repaired - wait for pid fi le inside bash, * testExecuteTimeoutWithNastyChildren: sporadical bug repaired - wait for pid fi le inside bash,
kill tree in any case (gh-1155) kill tree in any case (gh-1155)
* purge database will be executed now (within observer).
* restoring currently banned ip after service restart fixed
(now < timeofban + bantime), ignore old log failures (already banned)
* Fixed high-load of pyinotify-backend, * Fixed high-load of pyinotify-backend,
see https://github.com/fail2ban/fail2ban/issues/885#issuecomment-248964591 see https://github.com/fail2ban/fail2ban/issues/885#issuecomment-248964591
* Database: stability fix - repack cursor iterator as long as locked * Database: stability fix - repack cursor iterator as long as locked
* File filter backends: stability fix for sporadically errors - always close fil e * File filter backends: stability fix for sporadically errors - always close fil e
handle, otherwise may be locked (prevent log-rotate, etc.) handle, otherwise may be locked (prevent log-rotate, etc.)
* Pyinotify-backend: stability fix for sporadically errors in multi-threaded * Pyinotify-backend: stability fix for sporadically errors in multi-threaded
environment (without lock) environment (without lock)
* Fixed sporadically error in testCymruInfoNxdomain, because of unsorted values * Fixed sporadically error in testCymruInfoNxdomain, because of unsorted values
* Misleading errors logged from ignorecommand in success case on retcode 1 (gh-1 194) * Misleading errors logged from ignorecommand in success case on retcode 1 (gh-1 194)
* fail2ban.service - systemd service updated (gh-1618): * fail2ban.service - systemd service updated (gh-1618):
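Review bot: The added restore fix gives its condition only as "(now < timeofban + bantime)", which does not say whether this is the rule for restoring a ban or for skipping one; spell it out, for example that a ban is restored after a restart only while the current time is still before timeofban + bantime, and state what "ignore old log failures (already banned)" means for log lines that are re-read after the restart. These two entries also appear under "Fixes" for ver. 0.11.1, so the same text is now recorded in two release sections.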
skipping to change at line 518 skipping to change at line 557
- IP addresses are now handled as objects rather than strings capable for - IP addresses are now handled as objects rather than strings capable for
handling both address types IPv4 and IPv6 handling both address types IPv4 and IPv6
- iptables related actions have been amended to support IPv6 specific action s - iptables related actions have been amended to support IPv6 specific action s
additionally additionally
- hostsdeny and route actions have been tested to be aware of v4 and v6 alre ady - hostsdeny and route actions have been tested to be aware of v4 and v6 alre ady
- pf action for *BSD systems has been improved and supports now also v4 and v6 - pf action for *BSD systems has been improved and supports now also v4 and v6
- name resolution is now working for either address type - name resolution is now working for either address type
- new conditional section functionality used in config resp. includes: - new conditional section functionality used in config resp. includes:
- [Init?family=inet4] - IPv4 qualified hosts only - [Init?family=inet4] - IPv4 qualified hosts only
- [Init?family=inet6] - IPv6 qualified hosts only - [Init?family=inet6] - IPv6 qualified hosts only
* Increment ban time (+ observer) functionality introduced.
Thanks Serg G. Brester (sebres)
* Database functionality extended with bad ips.
* New reload functionality (now totally without restart, unbanning/rebanning, et c.), * New reload functionality (now totally without restart, unbanning/rebanning, et c.),
see gh-1557 see gh-1557
* Several commands extended and new commands introduced: * Several commands extended and new commands introduced:
- `restart [--unban] [--if-exists] <JAIL>` - restarts the jail \<JAIL\> - `restart [--unban] [--if-exists] <JAIL>` - restarts the jail \<JAIL\>
(alias for `reload --restart ... <JAIL>`) (alias for `reload --restart ... <JAIL>`)
- `reload [--restart] [--unban] [--all]` - reloads the configuration without r estarting - `reload [--restart] [--unban] [--all]` - reloads the configuration without r estarting
of the server, the option `--restart` activates completely restarting of aff ected jails, of the server, the option `--restart` activates completely restarting of aff ected jails,
thereby can unban IP addresses (if option `--unban` specified) thereby can unban IP addresses (if option `--unban` specified)
- `reload [--restart] [--unban] [--if-exists] <JAIL>` - reloads the jail \<JAI L\>, - `reload [--restart] [--unban] [--if-exists] <JAIL>` - reloads the jail \<JAI L\>,
or restarts it (if option `--restart` specified), at the same time unbans al l IP addresses or restarts it (if option `--restart` specified), at the same time unbans al l IP addresses
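Review bot: The added "Increment ban time (+ observer) functionality introduced." and "Database functionality extended with bad ips." entries carry no gh- reference and name no option or command, unlike the neighbouring reload entry that points to gh-1557; add the issue or pull request number and the setting that enables the feature, so operators can find how to turn it on and review its effect on ban durations. The "Thanks Serg G. Brester (sebres)" line sits between the two entries, so it is unclear whether the credit covers both.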
 End of changes. 9 change blocks. 
26 lines changed or deleted 87 lines changed or added
