"Fossies" - the Fresh Open Source Software Archive

Member "fail2ban-0.11.1/ChangeLog" (11 Jan 2020, 121585 Bytes) of package /linux/misc/fail2ban-0.11.1.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "ChangeLog": 0.10.5_vs_0.11.1.

    1                          __      _ _ ___ _
    2                         / _|__ _(_) |_  ) |__  __ _ _ _
    3                        |  _/ _` | | |/ /| '_ \/ _` | ' \
    4                        |_| \__,_|_|_/___|_.__/\__,_|_||_|
    5 
    6 Fail2Ban: Changelog
    7 ===================
    8 
    9 ver. 0.11.1 (2020/01/11) - this-is-the-way
   10 -----------
   11 
   12 ### Compatibility:
   13 * to v.0.10:
   14   - 0.11 is totally compatible to 0.10 (configuration- and API-related stuff), but the database
   15     got some new tables and fields (auto-converted during the first start), so once updated to 0.11, you
   16     have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (or its different to 0.10 schema)
   17     if you would need to downgrade to 0.10 for some reason.
   18 * to v.0.9:
   19   - Filter (or `failregex`) internal capture-groups:
   20 
   21     * If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
   22       rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
   23       (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
   24 
   25       Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
   26       ```
   27       testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
   28       fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
   29       ```
   30     * New internal groups (currently reserved for internal usage):
   31       `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
   32       mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
   33 
   34   - v.0.10 and 0.11 use more precise date template handling, that can be theoretically incompatible to some
   35     user configurations resp. `datepattern`.
   36 
   37   - Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are
   38     IPv6-capable now.
   39 
   40 ### Fixes
   41 * purge database will be executed now (within observer).
   42 * restoring currently banned ip after service restart fixed 
   43   (now < timeofban + bantime), ignore old log failures (already banned)
   44 * upgrade database: update new created table `bips` with entries from table `bans` (allows restore
   45   current bans after upgrade from version <= 0.10)
   46 
   47 ### New Features
   48 * Increment ban time (+ observer) functionality introduced.
   49 * Database functionality extended with bad ips.
   50 * New tags (usable in actions):
   51   - `<bancount>` - ban count of this offender if known as bad (started by 1 for unknown)
   52   - `<bantime>` - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
   53 * Introduced new action command `actionprolong` to prolong ban-time (e. g. set new timeout if expected);
   54   Several actions (like ipset, etc.) rewritten using net logic with `actionprolong`.
   55   Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).
   56 
   57 ### Enhancements
   58 * algorithm of restore current bans after restart changed: update the restored ban-time (and therefore 
   59   end of ban) of the ticket with ban-time of jail (as maximum), for all tickets with ban-time greater
   60   (or persistent); not affected if ban-time of the jail is unchanged between stop/start.
   61 * added new setup-option `--without-tests` to skip building and installing of tests files (gh-2287).
   62 * added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?` to get the banned ip addresses (gh-1916).
   63 
   64 
   65 ver. 0.10.5 (2020/01/10) - deserve-more-respect-a-jedis-weapon-must
   66 -----------
   67 
   68 Yes, Hrrrm...
   69 
   70 ### Fixes
   71 * [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixed in gh-2444 in order to ignore
   72   user session files per default, so could prevent "Too many open files" errors on a lot of user sessions (see gh-2392)
   73 * [grave] fixed parsing of multi-line filters (`maxlines` > 1) together with systemd backend,
   74   now systemd-filter replaces newlines in message from systemd journal with `\n` (otherwise 
   75   multi-line parsing may be broken, because removal of matched string from multi-line buffer window
   76   is confused by such extra new-lines, so they are retained and got matched on every followed 
   77   message, see gh-2431)
   78 * [stability] prevent race condition - no unban if the bans occur continuously (gh-2410);
   79   now an unban-check will happen not later than 10 tickets get banned regardless there are
   80   still active bans available (precedence of ban over unban-check is 10 now)
   81 * fixed read of included config-files (`.local` overwrites options of `.conf` for config-files 
   82   included with before/after)
   83 * `action.d/abuseipdb.conf`: switched to use AbuseIPDB API v2 (gh-2302)
   84 * `action.d/badips.py`: fixed start of banaction on demand (which may be IP-family related), gh-2390
   85 * `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` used to match only
   86   whole words and fixed string (not as pattern), gh-2298
   87 * `filter.d/apache-auth.conf`:
   88   - ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
   89   - extended with option `mode` - `normal` (default) and `aggressive`
   90 * `filter.d/sshd.conf`:
   91   - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
   92   - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
   93   - captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra`
   94     (with supplied user only) and `ddos`/`aggressive` mode (gh-2115, gh-2239, gh-2279)
   95 * `filter.d/mysqld-auth.conf`: 
   96   - MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words
   97     enclosed in brackets after "[Note]" (gh-2314)
   98 * `filter.d/sendmail-reject.conf`:
   99   - `mode=extra` now captures port IDs of `TLSMTA` and `MSA` (defaults for ports 465 and 587 on some distros)
  100 * `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313)
  101 * several `action.d/mail*`: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
  102 * `filter.d/sendmail-reject.conf`: fixed journal usage for some systems (e. g. CentOS): if only identifier 
  103   set to `sm-mta` (no unit `sendmail`) for some messages (gh-2385)
  104 * `filter.d/asterisk.conf`: asterisk can log additional timestamp if logs into systemd-journal
  105   (regex extended with optional part matching this, gh-2383)
  106 * `filter.d/postfix.conf`:
  107     - regexp's accept variable suffix code in status of postfix for precise messages (gh-2442)
  108     - extended with new postfix filter mode `errors` to match "too many errors" (gh-2439),
  109       also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix
  110       parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`)
  111 * `filter.d/named-refused.conf`:
  112     - support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
  113     - `prefregex` extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
  114 * `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
  115   - ID in prefix can be longer as 14 characters (gh-2563);
  116 * all filters would accept square brackets around IPv4 addresses also (e. g. monit-filter, gh-2494)
  117 * avoids unhandled exception during flush (gh-2588)
  118 * fixes pass2allow-ftp jail - due to inverted handling, action should prohibit access per default for any IP,
  119   therefore reset start on demand parameter for this action (it will be started immediately by repair);
  120 * auto-detection of IPv6 subsystem availability (important for not on-demand actions or jails, like pass2allow);
  121 
  122 ### New Features
  123 * new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559):
  124   - `<CIDR>` - helper regex to match CIDR (simple integer form of net-mask);
  125   - `<SUBNET>` - regex to match sub-net adresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
  126 * grouped tags (`<ADDR>`, `<HOST>`, `<SUBNET>`) recognize IP addresses enclosed in square brackets
  127 * new failregex-flag tag `<F-MLFGAINED>` for failregex, signaled that the access to service was gained
  128   (ATM used similar to tag `<F-NOFAIL>`, but it does not add the log-line to matches, gh-2279)
  129 * filters: introduced new configuration parameter `logtype` (default `file` for file-backends, and 
  130   `journal` for journal-backends, gh-2387); can be also set to `rfc5424` to force filters (which include common.conf)
  131   to use RFC 5424 conform prefix-line per default (gh-2467);
  132 * for better performance and safety the option `logtype` can be also used to
  133   select short prefix-line for file-backends too for all filters using `__prefix_line` (`common.conf`),
  134   if message logged only with `hostname svc[nnnn]` prefix (often the case on several systems):
  135 ```ini
  136 [jail]
  137 backend = auto
  138 filter = flt[logtype=short]
  139 ```
  140 * `filter.d/common.conf`: differentiate `__prefix_line` for file/journal logtype's (speedup and fix parsing
  141   of systemd-journal);
  142 * `filter.d/traefik-auth.conf`: used to ban hosts, that were failed through traefik
  143 * `filter.d/znc-adminlog.conf`: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded
  144 
  145 ### Enhancements
  146 * introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to contol
  147   how many matches per ticket fail2ban can hold in memory and store in database (gh-2402, gh-2118);
  148 * fail2ban.conf: introduced new section `[Thread]` and option `stacksize` to configure default size
  149   of the stack for threads running in fail2ban (gh-2356), it could be set in `fail2ban.local` to
  150   avoid runtime error "can't start new thread" (see gh-969);
  151 * jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations
  152   containing new-line);
  153 * fail2ban-client: extended to ban/unban multiple tickets (see gh-2351, gh-2349);
  154   Syntax:
  155   - `fail2ban-client set <jain> banip <ip1> ... <ipN>`
  156   - `fail2ban-client set <jain> unbanip [--report-absent] <ip1> ... <ipN>`
  157 * fail2ban-client: extended with new feature which allows to inform fail2ban about single or multiple
  158   attempts (failure) for IP (resp. failure-ID), see gh-2351;
  159   Syntax:
  160   - `fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]`
  161 * `action.d/nftables.conf`:
  162   - isolate fail2ban rules into a dedicated table and chain (gh-2254)
  163   - `nftables-allports` supports multiple protocols in single rule now
  164   - combined nftables actions to single action `nftables`:
  165     * `nftables-common` is removed (replaced with single action `nftables` now)
  166     * `nftables-allports` is obsolete, superseded by `nftables[type=allports]`
  167     * `nftables-multiport` is obsolete, superseded by `nftables[type=multiport]`
  168   - allowed multiple protocols in `nftables[type=multiport]` action (single set with multiple rules
  169     in chain), following configuration in jail would replace 3 separate actions, see
  170     https://github.com/fail2ban/fail2ban/pull/2254#issuecomment-534684675
  171 * `action.d/badips.py`: option `loglevel` extended with level of summary message,
  172   following example configuration logging summary with NOTICE and rest with DEBUG log-levels:
  173   `action = badips.py[loglevel="debug, notice"]`
  174 * samplestestcase.py (testSampleRegexsFactory) extended:
  175   - allow coverage of journal logtype;
  176   - new option `fileOptions` to set common filter/test options for whole test-file;
  177 * large enhancement: auto-reban, improved invariant check and conditional operations (gh-2588):
  178   - improves invariant check and repair (avoid unhandled exception, consider family on conditional operations, etc),
  179     prepared for bulk re-ban in repair case (if bulk-ban becomes implemented);
  180   - automatic reban (repeat banning action) after repair/restore sane environment, if already logged ticket causes
  181     new failures (via new action operation `actionreban` or `actionban` if still not defined in action);
  182   * introduces banning epoch for actions and tickets (to distinguish or recognize removed set of the tickets);
  183   * invariant check avoids repair by unban/stop (unless parameter `actionrepair_on_unban` set to `true`);
  184   * better handling for all conditional operations (distinguish families for certain operations like 
  185     repair/flush/stop, prepared for other families, e. g. if different handling for subnets expected, etc);
  186   * partially implements gh-980 (more breakdown safe handling);
  187   * closes gh-1680 (better as large-scale banning implementation with on-demand reban by failure, 
  188     at least unless a bulk-ban gets implemented);
  189 * fail2ban-regex - several enhancements and fixes:
  190   - improved usage output (don't put a long help if an error occurs);
  191   - new option `--no-check-all` to avoid check of all regex's (first matched only);
  192   - new option `-o`, `--out` to set token only provided in output (disables check-all and outputs only expected data).
  193 
  194 
  195 ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four
  196 -----------
  197 
  198 ### Fixes
  199 * `filter.d/dovecot.conf`: 
  200   - failregex enhancement to catch sql password mismatch errors (gh-2153);
  201   - disconnected with "proxy dest auth failed" (gh-2184);
  202 * `filter.d/freeswitch.conf`:
  203   - provide compatibility for log-format from gh-2193:
  204     * extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
  205       `YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
  206     * more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
  207   - extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
  208     (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
  209     how to set it to mode `normal`.
  210 * `filter.d/domino-smtp.conf`:
  211   - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
  212   - failregex extended to catch connections rejected for policy reasons (gh-2228);
  213 * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected 
  214   and don't allowed in command-actions), see gh-2114;
  215 * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
  216   - fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
  217     `UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors;
  218   - actions: avoid possible conversion errors on wrong-chars by replace tags;
  219   - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
  220     additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
  221   - logging in fail2ban is process-wide exception-safe now.
  222 * repaired start-time of initial seek to time (as well as other log-parsing related data), 
  223   if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
  224 * systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
  225 
  226 ### New Features
  227 * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`, 
  228   `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
  229 * `ignorecommand` extended to use actions-similar replacement (capable to interpolate 
  230   all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)
  231 
  232 ### Enhancements
  233 * `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168)
  234 * since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info,
  235   additionally option `-V` can be used to get version in normalized machine-readable short format.
  236 
  237 
  238 ver. 0.10.3 (2018/04/04) - the-time-is-always-right-to-do-what-is-right
  239 -----------
  240 
  241 ### ver. 0.10.3.1:
  242 * fixed JSON serialization for the set-object within dump into database (gh-2103).
  243 
  244 ### Fixes
  245 * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
  246 * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
  247 * `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069;
  248 * `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` :
  249   - fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064);
  250 * `filter.d/sshd.conf`:
  251   - failregex got an optional space in order to match new log-format (see gh-2061);
  252   - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
  253   - fixed root login refused regex (optional port before preauth, gh-2080);
  254   - avoid banning of legitimate users when pam_unix used in combination with other password method, so
  255     bypass pam_unix failures if accepted available for this user gh-2070;
  256   - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
  257   - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
  258     it counts failure on closing connection within preauth-stage (gh-2085);
  259 * `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
  260 * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
  261 * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
  262 * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
  263 
  264 ### New Features
  265 * several stability and performance optimizations, more effective filter parsing, etc;
  266 * stable runnable within python versions 3.6 (as well as within 3.7-dev);
  267 
  268 ### Enhancements
  269 * `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
  270 * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
  271 * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
  272 * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
  273   the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line,
  274   e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line.
  275 * badips.py now uses https instead of plain http when requesting badips.com (gh-2057);
  276 * add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056);
  277 * Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG):
  278   Usage `logtarget = target[padding=on|off]`
  279 
  280 
  281 ver. 0.10.2 (2018/01/18) - nothing-burns-like-the-cold
  282 -----------
  283 
  284 ### Incompatibility list:
  285 * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
  286   anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
  287   just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.
  288 
  289 ### Fixes
  290 * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid 
  291   write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
  292 * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
  293 * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely 
  294   (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
  295 * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
  296   in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
  297 * `action.d/pf.conf`: 
  298   - fixed syntax error in achnor definition (documentation, see gh-1919);
  299   - enclose ports in braces for multiport jails (see gh-1925);
  300 * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
  301 * `filter.d/sshd.conf`:
  302   - extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
  303     forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", 
  304     see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
  305   - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
  306 
  307 ### New Features
  308 * datedetector: extended default date-patterns (allows extra space between the date and time stamps);
  309   introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
  310   - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
  311     (corresponds %H, but allows space if not zero-padded).
  312   - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
  313     (corresponds %I, but allows space if not zero-padded).
  314 * `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
  315 * New Actions:
  316   - `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
  317     nginx-location with map-file);
  318 
  319 ### Enhancements
  320 * jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
  321 * action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
  322 * Introduced new parameters for logging within fail2ban-server (gh-1980).
  323   Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
  324   - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
  325      for the list of facilities);
  326   - `datetime` - add date-time to the message (default on, ignored if `format` specified);
  327   - `format` - specify own format how it will be logged, for example for short-log into STDOUT:
  328       `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
  329 * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 
  330   'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
  331   if repair fails - recreate new database (gh-1465, gh-2004).
  332 
  333 
  334 ver. 0.10.1 (2017/10/12) - succeeded-before-friday-the-13th
  335 -----------
  336 
  337 ### Fixes
  338 * fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
  339 * jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
  340 * avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables 
  341   'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
  342 * action.d/pf.conf: several fixes for pf-action like anchoring, etc. (see gh-1866, gh-1867);
  343 * fixed ignoreself issue "Retrieving own IPs of localhost failed: inet_pton() argument 2 must be string, not int" (see gh-1865);
  344 * fixed tags `<fq-hostname>` and `<sh-hostname>`, could be used without ticket (a. g. in `actionstart` etc., gh-1859).
  345 
  346 * setup.py: fixed several setup facilities (gh-1874):
  347   - don't check return code by dry-run: returns 256 on some python/setuptool versions;
  348   - `files/fail2ban.service` renamed as template to `files/fail2ban.service.in`;
  349   - setup process generates `build/fail2ban.service` from `files/fail2ban.service.in` using distribution related bin-path;
  350   - bug-fixing by running setup with option `--dry-run`;
  351 
  352 ### New Features
  353 * introduced new command-line options `--dp`, `--dump-pretty` to dump the configuration using more
  354   human readable representation (opposite to `-d`);
  355 
  356 ### Enhancements
  357 * nftables actions are IPv6-capable now (gh-1893)
  358 * filter.d/dovecot.conf: introduced mode `aggressive` for cases like "disconnected before auth was ready" (gh-1880)
  359 
  360 
  361 ver. 0.10.0 (2017/08/09) - long-awaited 0.10th version
  362 -----------
  363 
  364 TODO: implementing of options resp. other tasks from PR #1346
  365       documentation should be extended (new options, etc)
  366       
  367 ### Fixes
  368 * `filter.d/apache-auth.conf`:
  369   - better failure recognition using short form of regex (url/referer are foreign inputs, see gh-1645)
  370 * `filter.d/apache-common.conf` (`filter.d/apache-*.conf`):
  371   - support of apache log-format if logging into syslog/systemd (gh-1695), using parameter `logging`,
  372     parameter usage for jail:
  373       filter = apache-auth[logging=syslog]
  374     parameter usage for `apache-common.local`:
  375       logging = syslog
  376 * `filter.d/pam-generic.conf`:
  377   - [grave] injection on user name to host fixed
  378 * `filter.d/sshd.conf`:
  379   - rewritten using `prefregex` and used MLFID-related multi-line parsing
  380     (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
  381   - optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all),
  382     see sshd for regex details)
  383 * `filter.d/sendmail-reject.conf`:
  384   - rewritten using `prefregex` and used MLFID-related multi-line parsing;
  385   - optional parameter `mode` introduced: normal (default), extra or aggressive
  386 * `filter.d/haproxy-http-auth`: do not mistake client port for part of an IPv6 address (gh-1745)
  387 * `filter.d/postfix.conf`:
  388     - updated to latest postfix formats
  389     - joined several postfix filter together (normalized and optimized version, gh-1825)
  390     - introduced new parameter `mode` (see gh-1825): more (default, combines normal and rbl), auth, normal,
  391       rbl, ddos, extra or aggressive (combines all)
  392     - postfix postscreen (resp. other RBL's compatibility fix, gh-1764, gh-1825)
  393 * `filter.d/postfix-rbl.conf`: removed (replaced with `postfix[mode=rbl]`)
  394 * `filter.d/postfix-sasl.conf`: removed (replaced with `postfix[mode=auth]`)
  395 * `filter.d/roundcube-auth.conf`:
  396     - fixed regex when `X-Real-IP` or/and `X-Forwarded-For` are present after host (gh-1303);
  397     - fixed regex when logging authentication errors to journal instead to a local file (gh-1159);
  398     - additionally fixed more complex injections on username (e. g. using dot after fake host).
  399 * `filter.d/ejabberd-auth.conf`: fixed failregex - accept new log-format (gh-993)
  400 * `action.d/complain.conf`
  401   - fixed using new tag `<ip-rev>` (sh/dash compliant now)
  402 * `action.d/sendmail-geoip-lines.conf`
  403   - fixed using new tag `<ip-host>` (without external command execution)
  404 * fail2ban-regex: fixed matched output by multi-line (buffered) parsing
  405 * fail2ban-regex: support for multi-line debuggex URL implemented (gh-422)
  406 * fixed ipv6-action errors on systems not supporting ipv6 and vice versa (gh-1741)
  407 * fixed directory-based log-rotate for pyinotify-backend (gh-1778)
  408 
  409 ### New Features
  410 * New Actions:
  411 
  412 * New Filters:
  413 
  414 ### Enhancements
  415 * Introduced new filter option `prefregex` for pre-filtering using single regular expression (gh-1698);
  416 * Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without 
  417   line buffering (scrolling of the buffer-window).
  418   Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs
  419   using single-line expressions:
  420   - tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same
  421     identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`,
  422     see sshd.conf for example);
  423   - tag `<F-MLFFORGET>`: can be used as mark to forget current multi-line MLFID (e. g. by connection 
  424     closed, reset or disconnect etc);
  425   - tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info, 
  426     e. g. from lines that contain IP-address);
  427   Opposite to obsolete multi-line parsing (using buffering with `maxlines`) it is more precise and 
  428   can recognize multiple failure attempts within the same connection (MLFID).
  429 * Several filters optimized with pre-filtering using new option `prefregex`, and multiline filter 
  430   using `<F-MLFID>` + `<F-NOFAIL>` combination;
  431 * Exposes filter group captures in actions (non-recursive interpolation of tags `<F-...>`, 
  432   see gh-1698, gh-1110)
  433 * Some filters extended with user name (can be used in gh-1243 to distinguish IP and user,
  434   resp. to remove after success login the user-related failures only);
  435 * Safer, more stable and faster replaceTag interpolation (switched from cycle over all tags
  436   to re.sub with callable)
  437 * substituteRecursiveTags optimization + moved in helpers facilities (because currently used 
  438   commonly in server and in client)
  439 * New tags (usable in actions):
  440   - `<fid>` - failure identifier (if raw resp. failures without IP address)
  441   - `<ip-rev>` - PTR reversed representation of IP address
  442   - `<ip-host>` - host name of the IP address
  443   - `<bancount>` - ban count of this offender if known as bad (started by 1 for unknown)
  444   - `<bantime>` - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
  445   - `<F-...>` - interpolates to the corresponding filter group capture `...`
  446   - `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
  447   - `<sh-hostname>` - short hostname (the same as `$(uname -n)`)
  448 * Introduced new action command `actionprolong` to prolong ban-time (e. g. set new timeout if expected);
  449   Several actions (like ipset, etc.) rewritten using net logic with `actionprolong`.
  450   Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).
  451 * Allow to use filter options by `fail2ban-regex`, example:
  452   fail2ban-regex text.log "sshd[mode=aggressive]"
  453 * Samples test case factory extended with filter options - dict in JSON to control 
  454   filter options (e. g. mode, etc.):
  455   # filterOptions: {"mode": "aggressive"}
  456 * Introduced new jail option "ignoreself", specifies whether the local resp. own IP addresses 
  457   should be ignored (default is true). Fail2ban will not ban a host which matches such addresses.
  458   Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS 
  459   resp. IPs of the host self.
  460 * Regex will be compiled as MULTILINE only if needed (buffering with `maxlines` > 1), that enables:
  461   - to improve performance by the single line parsing (see gh-1733);
  462   - make regex more precise (because distinguish between anchors `^`/`$` for the begin/end of string
  463     and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow
  464     the parsing of log-entries contain new-line chars (as single entry);
  465   - if multiline regex however expected (by single-line parsing without buffering) - prefix `(?m)` 
  466     could be used in regex to enable it;
  467 * Implemented execution of `actionstart` on demand (conditional), if action depends on `family` (gh-1742):
  468   - new action parameter `actionstart_on_demand` (bool) can be set to prevent/allow starting action
  469     on demand (default retrieved automatically, if some conditional parameter `param?family=...` 
  470     presents in action properties), see `action.d/pf.conf` for example;
  471   - additionally `actionstop` will be executed only for families previously executing `actionstart`
  472     (starting on demand only)
  473 * Introduced new command `actionflush`: executed in order to flush all bans at once 
  474   e. g. by unban all, reload with removing action, stop, shutdown the system (gh-1743),
  475   the actions having `actionflush` do not execute `actionunban` for each single ticket
  476 * Add new command `actionflush` default for several iptables/iptables-ipset actions (and common include);
  477 * Add new jail option `logtimezone` to force the timezone on log lines that don't have an explicit one (gh-1773)
  478 * Implemented zone abbreviations (like CET, CEST, etc.) and abbr+-offset functionality (accept zones
  479   like 'CET+0100'), for the list of abbreviations see strptime.TZ_STR;
  480 * Introduced new option `--timezone` (resp. `--TZ`) for `fail2ban-regex`.
  481 * Tokens `%z` and `%Z` are changed (more precise now);
  482 * Introduced new tokens `%Exz` and `%ExZ` that fully support zone abbreviations and/or offset-based
  483   zones (implemented as enhancement using custom `datepattern`, because may be too dangerous for default
  484   patterns and tokens like `%z`);
  485   Note: the extended tokens supported zone abbreviations, but it can parse 1 or 3-5 char(s) in lowercase.
  486         Don't use them in default date-patterns (if not anchored, few precise resp. optional).
  487         Because python currently does not support mixing of case-sensitive with case-insensitive matching,
  488 	the TZ (in uppercase) cannot be combined with `%a`/`%b` etc (that are currently case-insensitive),
  489 	to avoid invalid date-time recognition in strings like '11-Aug-2013 03:36:11.372 error ...' with
  490 	wrong TZ "error".
  491         Hence `%z` currently match literal Z|UTC|GMT only (and offset-based), and `%Exz` - all zone 
  492 	abbreviations.
  493 * `filter.d/courier-auth.conf`: support failed logins with method only
  494 * Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of
  495   python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is 
  496   like our another features like `%(known/option)s`, etc. (gh-1750)
  497 * Variable `default_backend` switched to `%(default/backend)s`, so totally backwards compatible now,
  498   but now the setting of parameter `backend` in default section of `jail.local` can overwrite default
  499   backend also (see gh-1750). In the future versions parameter `default_backend` can be removed (incompatibility, 
  500   possibly some distributions affected).
  501 
  502 
  503 ver. 0.10.0-alpha-1 (2016/07/14) - ipv6-support-etc
  504 -----------
  505 
  506 ### Fixes
  507 * [Grave] memory leak's fixed (gh-1277, gh-1234)
  508 * [Grave] Misleading date patterns defined more precisely (using extended syntax
  509   `%Ex[mdHMS]` for exact two-digit match or e. g. `%ExY` as more precise year 
  510   pattern, within same century of last year and the next 3 years)
  511 * [Grave] extends date detector template with distance (position of match in 
  512   log-line), to prevent grave collision using (re)ordered template list (e.g.
  513   find-spot of wrong date-match inside foreign input, misleading date patterns
  514   by ambiguous formats, etc.)
  515 * Distance collision check always prefers template with shortest distance
  516   (left for right) if date pattern is not anchored
  517 * Tricky bug fix: last position of log file will be never retrieved (gh-795),
  518   because of CASCADE all log entries will be deleted from logs table together with jail, 
  519   if used "INSERT OR REPLACE" statement
  520 * Asyncserver (asyncore) code fixed and test cases repaired (again gh-161)
  521 * testSocket: sporadical bug repaired - wait for server thread starts a socket (listener)
  522 * testExecuteTimeoutWithNastyChildren: sporadical bug repaired - wait for pid file inside bash,
  523   kill tree in any case (gh-1155)
  524 * purge database will be executed now (within observer).
  525 * restoring currently banned ip after service restart fixed 
  526   (now < timeofban + bantime), ignore old log failures (already banned)
  527 * Fixed high-load of pyinotify-backend,
  528   see https://github.com/fail2ban/fail2ban/issues/885#issuecomment-248964591
  529 * Database: stability fix - repack cursor iterator as long as locked
  530 * File filter backends: stability fix for sporadically errors - always close file
  531   handle, otherwise may be locked (prevent log-rotate, etc.)
  532 * Pyinotify-backend: stability fix for sporadically errors in multi-threaded
  533   environment (without lock)
  534 * Fixed sporadically error in testCymruInfoNxdomain, because of unsorted values
  535 * Misleading errors logged from ignorecommand in success case on retcode 1 (gh-1194)
  536 * fail2ban.service - systemd service updated (gh-1618):
  537   - starting service in normal mode (without forking)
  538   - does not restart if service exited normally (exit-code 0, e.g. stopped via fail2ban-client)
  539   - does not restart if service can not start (exit-code 255, e.g. wrong configuration, etc.)
  540   - service can be additionally started/stopped with commands (fail2ban-client, fail2ban-server)
  541   - automatically creates `/var/run/fail2ban` directory before start fail2ban 
  542     (systems with virtual resp. memory-based FS for `/var/run`), see gh-1531
  543   - if fail2ban running as systemd-service, for logging to the systemd-journal, 
  544     the `logtarget` could be set to STDOUT
  545   - value `logtarget` for system targets allowed also in lowercase (stdout, stderr, syslog, etc.)
  546 * Fixed UTC/GMT named time zone, using `%Z` and `%z` patterns 
  547   (special case with 0 zone offset, see gh-1575)
  548 * `filter.d/freeswitch.conf`
  549     - Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
  550     - User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)
  551 
  552 ### New Features
  553 * IPv6 support:
  554     - IP addresses are now handled as objects rather than strings capable for 
  555       handling both address types IPv4 and IPv6
  556     - iptables related actions have been amended to support IPv6 specific actions
  557       additionally
  558     - hostsdeny and route actions have been tested to be aware of v4 and v6 already
  559     - pf action for *BSD systems has been improved and supports now also v4 and v6
  560     - name resolution is now working for either address type
  561     - new conditional section functionality used in config resp. includes:
  562       - [Init?family=inet4] - IPv4 qualified hosts only
  563       - [Init?family=inet6] - IPv6 qualified hosts only
  564 * Increment ban time (+ observer) functionality introduced.
  565   Thanks Serg G. Brester (sebres)
  566 * Database functionality extended with bad ips.
  567 * New reload functionality (now totally without restart, unbanning/rebanning, etc.),
  568   see gh-1557
  569 * Several commands extended and new commands introduced:
  570   - `restart [--unban] [--if-exists] <JAIL>` - restarts the jail \<JAIL\>
  571     (alias for `reload --restart ... <JAIL>`)
  572   - `reload [--restart] [--unban] [--all]` - reloads the configuration without restarting
  573     of the server, the option `--restart` activates completely restarting of affected jails,
  574     thereby can unban IP addresses (if option `--unban` specified)
  575   - `reload [--restart] [--unban] [--if-exists] <JAIL>` - reloads the jail \<JAIL\>,
  576     or restarts it (if option `--restart` specified), at the same time unbans all IP addresses
  577     banned in this jail, if option `--unban` specified
  578   - `unban --all` - unbans all IP addresses (in all jails and database)
  579   - `unban <IP> ... <IP>` - unbans \<IP\> (in all jails and database) (see gh-1388)
  580   - introduced new option `-t` or `--test` to test configuration resp. start server only 
  581     if configuration is clean (fails by wrong configured jails if option `-t` specified)
  582 * New command action parameter `actionrepair` - command executed in order to restore
  583   sane environment in error case of `actioncheck`.
  584 * Reporting via abuseipdb.com:
  585   - Bans can now be reported to abuseipdb
  586   - Catagories must be set in the config
  587   - Relevant log lines included in report
  588 
  589 ### Enhancements
  590 * Huge increasing of fail2ban performance and especially test-cases performance (see gh-1109)
  591 * Datedetector: in-place reordering using hits and last used time: 
  592   matchTime, template list etc. rewritten because of performance degradation
  593 * Prevent out of memory situation if many IP's makes extremely many failures (maxEntries)
  594 * Introduced string to seconds (str2seconds) for configuration entries with time,
  595   use `1h` instead of `3600`, `1d` instead of `86400`, etc
  596 * seekToTime - prevent completely read of big files first time (after start of service), 
  597   initial seek to start time using half-interval search algorithm (see issue gh-795)
  598 * Ticket and some other modules prepared to easy merge with newest version of 'ban-time-incr'
  599 * Cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name,
  600   especially for wrong dns or lazy dns-system
  601 * FailManager memory-optimization: increases performance, 
  602   prevents memory leakage, because don't copy failures list on some operations
  603 * fail2ban-testcases - new options introduced:
  604     - `-f`, `--fast` to decrease wait intervals, avoid passive waiting, and skip
  605       few very slow test cases (implied memory database, see `-m` and no gamin tests `-g`)
  606     - `-g`, `--no-gamin` to prevent running of tests that require the gamin (slow)
  607     - `-m`, `--memory-db` - run database tests using memory instead of file
  608     - `-i`, `--ignore` - negate [regexps] filter to ignore tests matched specified regexps
  609 * Background servicing: prevents memory leak on some platforms/python versions, using forced GC
  610   in periodic intervals (latency and threshold)
  611 * executeCmd partially moved from action to new module utils
  612 * Several functionality of class `DNSUtils` moved to new class `IPAddr`, 
  613   both classes moved to new module `ipdns`
  614 * Pseudo-conditional section introduced, for conditional substitution resp. 
  615   evaluation of parameters for different family qualified hosts, 
  616   syntax `[Section?family=inet6]` (currently use for IPv6-support only).
  617 * All the backends were rewritten to get reload-possibility, performance increased,
  618   so fewer greedy regarding cpu- resp. system-load now
  619 * Numeric log-level allowed now in server (resp. fail2ban.conf);
  620 * Implemented better error handling in some multi-threaded routines; shutdown of jails
  621   rewritten (faster and safer, does not breaks shutdown process if some error occurred)
  622 * Possibility for overwriting some configuration options (read with config-readers)
  623   with command line option, e. g.:
  624 ```bash
  625 ## start server with DEBUG log-level (ignore level read from fail2ban.conf):
  626 fail2ban-client --loglevel DEBUG start
  627 ## or
  628 fail2ban-server -c /cfg/path --loglevel DEBUG start
  629 ## keep server log-level by reload (without restart it)
  630 fail2ban-client --loglevel DEBUG reload
  631 ## switch log-level back to INFO:
  632 fail2ban-client set loglevel INFO
  633 ```
  634 * Optimized BanManager: increase performance, fewer system load, try to prevent
  635   memory leakage:
  636   - better ban/unban handling within actions (e.g. used dict instead of list)
  637   - don't copy bans resp. its list on some operations;
  638   - added new unbantime handling to relieve unBanList (prevent permanent
  639     searching for tickets to unban)
  640   - prefer failure-ID as identifier of the ticket to its IP (most of the time
  641     the same, but it can be something else e.g. user name in some complex jails,
  642     as introduced in 0.10)
  643 * Regexp enhancements:
  644   - build replacement of `<HOST>` substitution corresponding parameter
  645     `usedns` - dns-part will be added only if `usedns` is not `no`,
  646     also using fail2ban-regex
  647   - new replacement for `<ADDR>` in opposition to `<HOST>`, for separate
  648     usage of 2 address groups only (regardless of `usedns`), `ip4` and `ip6`
  649     together, without host (dns)
  650 * Misconfigured jails don't prevent fail2ban from starting, server starts 
  651   nevertheless, as long as one jail was successful configured (gh-1619)
  652   Message about wrong jail configuration logged in client log (stdout, systemd
  653   journal etc.) and in server log with error level
  654 * More precise date template handling (WARNING: theoretically possible incompatibilities):
  655   - datedetector rewritten more strict as earlier;
  656   - default templates can be specified exacter using prefix/suffix syntax (via `datepattern`);
  657   - more as one date pattern can be specified using option `datepattern` now 
  658     (new-line separated);
  659   - some default options like `datepattern` can be specified directly in 
  660     section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]`
  661     section, because of performance (each extra section costs time);
  662   - option `datepattern` can be specified in jail also (e. g. jails without filters 
  663     or custom log-format, new-line separated for multiple patterns);
  664   - if first unnamed group specified in pattern, only this will be cut out from
  665     search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match 
  666     pattern, and leaves `date:[] ...` for searching in filter);
  667   - faster match and fewer searching of appropriate templates
  668     (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
  669   - several standard filters extended with exact prefixed or anchored date templates;
  670 * Added possibility to recognize restored state of the tickets (see gh-1669).
  671   New option `norestored` introduced, to ignore restored tickets (after restart).
  672   To avoid execution of ban/unban for the restored tickets, `norestored = true`
  673   could be added in definition section of action.
  674   For conditional usage in the shell-based actions an interpolation `<restored>` 
  675   could be used also. E. g. it is enough to add following script-piece at begin
  676   of `actionban` (or `actionunban`) to prevent execution:
  677   `if [ '<restored>' = '1' ]; then exit 0; fi;`
  678   Several actions extended now using `norestored` option:
  679   - complain.conf
  680   - dshield.conf
  681   - mail-buffered.conf
  682   - mail-whois-lines.conf
  683   - mail-whois.conf
  684   - mail.conf
  685   - sendmail-buffered.conf
  686   - sendmail-geoip-lines.conf
  687   - sendmail-whois-ipjailmatches.conf
  688   - sendmail-whois-ipmatches.conf
  689   - sendmail-whois-lines.conf
  690   - sendmail-whois-matches.conf
  691   - sendmail-whois.conf
  692   - sendmail.conf
  693   - smtp.py
  694   - xarf-login-attack.conf
  695 * fail2ban-testcases:
  696   - `assertLogged` extended with parameter wait (to wait up to specified timeout,
  697     before we throw assert exception) + test cases rewritten using that
  698   - added `assertDictEqual` for compatibility to early python versions (< 2.7);
  699   - new `with_foreground_server_thread` decorator to test several client/server commands
  700 
  701 
  702 ver. 0.9.8 (2016/XX/XXX) - wanna-be-released
  703 -----------
  704 
  705 0.9.x line is no longer heavily developed.  If you are interested in
  706 new features (e.g. IPv6 support), please consider 0.10 branch and its
  707 releases.
  708 
  709 
  710 ### Fixes
  711 * Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991.
  712   Partially back-ported from v.0.10.
  713 * action.d/bsd-ipfw.conf
  714     - Make the rule number, the action starts looking for a free slot to insert
  715       the new rule, configurable (gh-1689)
  716     - Replace not posix-compliant grep option: fgrep with `-q` option can cause 
  717       141 exit code in some cases (gh-1389)
  718 * filter.d/apache-overflows.conf:
  719     - Fixes resources greedy expression (see gh-1790);
  720     - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
  721 * filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
  722 * filter.d/asterisk.conf
  723     - fixed failregex AMI Asterisk authentification failed (see gh-1302)
  724     - removed invalid (vulnerable) regex blocking IPs using forign data (from header "from")
  725       thus not the IP-address that really originates the request (see gh-1927)
  726     - fixed failregex for the SQL-injection attempts with single-quotes in connect-string (see gh-2011)
  727 * filter.d/dovecot.conf:
  728     - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
  729     - extended to match pam_authenticate failures with "Permission denied" (gh-1897)
  730 * filter.d/exim.conf
  731     - fixed failregex for case of flood attempts with `D=0s` (gh-1887)
  732     - fixed failregex of "AUTH command used when not advertised" to better handle the foreign
  733       input SMTP command (lower/mixed case auth command, prevent injection) (gh-1979)
  734 * filter.d/postfix-*.conf - added optional port regex (gh-1902)
  735 * filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
  736 * filter.d/nginx-http-auth.conf - match usernames with spaces (gh-2015)
  737 
  738 ### New Features
  739 
  740 ### Enhancements
  741 * action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
  742 * action.d/firewallcmd-ipset.conf - new parameter `actiontype`, provides `allports` capability (gh-1167)
  743 * filter.d/kerio.conf - filter extended with new rules (see gh-1455)
  744 * filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
  745 * filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376)
  746 
  747 
  748 ver. 0.9.7 (2017/05/11) - awaiting-victory
  749 -----------
  750 
  751 ### Fixes
  752 * Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
  753 * filter.d/sshd.conf
  754     - Fixed non-anchored part of failregex (misleading match of colon inside
  755       IPv6 address instead of `: ` in the reason-part by missing space, gh-1658)
  756       (0.10th resp. IPv6 relevant only, amend for gh-1479)
  757 * config/pathes-freebsd.conf
  758     - Fixed filenames for apache and nginx log files (gh-1667)
  759 * filter.d/exim.conf
  760     - optional part `(...)` after host-name before `[IP]` (gh-1751)
  761     - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
  762     - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh-1766)
  763 * filter.d/sshd.conf
  764     - new aggressive rules (gh-864):
  765       - Connection reset by peer (multi-line rule during authorization process)
  766       - No supported authentication methods available
  767     - single line and multi-line expression optimized, added optional prefixes
  768       and suffix (logged from several ssh versions), according to gh-1206;
  769     - fixed expression received disconnect auth fail (optional space after port
  770       part, gh-1652)
  771       and suffix (logged from several ssh versions), according to gh-1206;
  772 * filter.d/suhosin.conf
  773     - greedy catch-all before `<HOST>` fixed (potential vulnerability)
  774 * filter.d/cyrus-imap.conf
  775     - accept entries without login-info resp. hostname before IP address (gh-1707)
  776 * Filter tests extended with check of all config-regexp, that contains greedy catch-all
  777   before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`
  778 
  779 ### New Features
  780 * New Actions:
  781     - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)
  782 
  783 * New Filters:
  784     - filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)
  785 
  786 ### Enhancements
  787 * Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
  788 
  789 
  790 ver. 0.9.6 (2016/12/10) - stretch-is-coming
  791 -----------
  792 
  793 ### Fixes
  794 * Misleading add resp. enable of (already available) jail in database, that
  795   induced a subsequent error: last position of log file will be never retrieved (gh-795)
  796 * Fixed a distribution related bug within testReadStockJailConfForceEnabled
  797   (e.g. test-cases faults on Fedora, see gh-1353)
  798 * Fixed pythonic filters and test scripts (running via wrong python version,
  799   uses "fail2ban-python" now);
  800 * Fixed test case "testSetupInstallRoot" for not default python version (also
  801   using direct call, out of virtualenv);
  802 * Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
  803 * FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
  804 * Monit config: scripting is not supported in path (gh-1556)
  805 * `filter.d/apache-modsecurity.conf`
  806     - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
  807       replaced for safer match, unneeded catch-all anchoring removed, non-capturing
  808 * `filter.d/asterisk.conf`
  809     - Fixed to match different asterisk log prefix (source file: method:)
  810 * `filter.d/dovecot.conf`
  811     - Fixed failregex ignores failures through some not relevant info (gh-1623)
  812 * `filter.d/ignorecommands/apache-fakegooglebot`
  813     - Fixed error within apache-fakegooglebot, that will be called
  814       with wrong python version (gh-1506)
  815 * `filter.d/assp.conf`
  816     - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
  817 * `filter.d/postfix-sasl.conf`
  818     - Allow for having no trailing space after 'failed:' (gh-1497)
  819 * `filter.d/vsftpd.conf`
  820     - Optional reason part in message after FAIL LOGIN (gh-1543)
  821 * `filter.d/sendmail-reject.conf`
  822     - removed mandatory double space (if dns-host available, gh-1579)
  823 * filter.d/sshd.conf
  824     - recognized "Failed publickey for" (gh-1477);
  825     - optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
  826     - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
  827     - optional port part after host (see gh-1533, gh-1581)
  828 
  829 ### New Features
  830 * New Actions:
  831     - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
  832 * New Filters:
  833     - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
  834       (gh-1586, gh-1606 and gh-1607)
  835 
  836 ### Enhancements
  837 * DateTemplate regexp extended with the word-end boundary, additionally to
  838   word-start boundary
  839 * Introduces new command "fail2ban-python", as automatically created symlink to
  840   python executable, where fail2ban currently installed (resp. its modules are located):
  841     - allows to use the same version, fail2ban currently running, e.g. in
  842       external scripts just via replace python with fail2ban-python:
  843       ```diff
  844       -#!/usr/bin/env python
  845       +#!/usr/bin/env fail2ban-python
  846       ```
  847     - always the same pickle protocol
  848     - the same (and also guaranteed available) fail2ban modules
  849     - simplified stand-alone install, resp. stand-alone installation possibility
  850       via setup (like gh-1487) is getting closer
  851 * Several test cases rewritten using new methods assertIn, assertNotIn
  852 * New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
  853   Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
  854   are test covered now
  855 * Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
  856   examples:
  857     - `backend = systemd[journalpath=/run/log/journal/machine-1]`
  858     - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
  859     - `backend = systemd[journalflags=2]`
  860 
  861 
  862 ver. 0.9.5 (2016/07/15) - old-not-obsolete
  863 -----------
  864 
  865 ### Fixes
  866 * `filter.d/monit.conf`
  867     - Extended failregex with new monit "access denied" version (gh-1355)
  868     - failregex of previous monit version merged as single expression
  869 * `filter.d/postfix.conf`, `filter.d/postfix-sasl.conf`
  870     - Extended failregex daemon part, matching also `postfix/smtps/smtpd`
  871       now (gh-1391)
  872 * Fixed a grave bug within tags substitutions because of incorrect
  873   detection of recursion in case of multiple inline substitutions
  874   of the same tag (affected actions: `bsd-ipfw`, etc).  Now tracks
  875   the actual list of the already substituted tags (per tag instead
  876   of single list)
  877 * `filter.d/common.conf`
  878     - Unexpected extra regex-space in generic `__prefix_line` (gh-1405)
  879     - All optional spaces normalized in `common.conf`, test covered now
  880     - Generic `__prefix_line` extended with optional brackets for the
  881      date ambit (gh-1421), added new parameter `__date_ambit`
  882 * `gentoo-initd` fixed `--pidfile` bug: `--pidfile` is option of
  883   `start-stop-daemon`, not argument of fail2ban (see gh-1434)
  884 * `filter.d/asterisk.conf`
  885     - Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
  886     - Improved log support for PJSIP and Asterisk 13+ with different
  887       callID (gh-1458)
  888 
  889 ### New Features
  890 * New Actions:
  891     - `action.d/firewallcmd-rich-rules` and `action.d/firewallcmd-rich-logging`
  892 	(gh-1367)
  893 * New filters:
  894     - slapd - ban hosts, that were failed to connect with invalid
  895 	credentials: error code 49 (gh-1478)
  896 
  897 
  898 ### Enhancements
  899 * Extreme speedup of all sqlite database operations (gh-1436),
  900   by using of following sqlite options:
  901     - (synchronous = OFF) write data through OS without syncing
  902     - (journal_mode = MEMORY) use memory for the transaction logging
  903     - (temp_store = MEMORY) temporary tables and indices are kept in memory
  904 * journald journalmatch for pure-ftpd (gh-1362)
  905 * Added additional regex filter for dovecot ldap authentication failures (gh-1370)
  906 * `filter.d/exim*conf`
  907     - Added additional regexes (gh-1371)
  908     - Made port entry optional
  909 
  910 
  911 ver. 0.9.4 (2016/03/08) - for-you-ladies
  912 -----------
  913 
  914 ### Fixes
  915 * `roundcube-auth` jail typo for logpath
  916 * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
  917 * `filter.d/apache-badbots.conf`
  918     - Updated useragent string regex adding escape for `+`
  919 * `filter.d/mysqld-auth.conf`
  920     - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
  921 * `filter.d/sshd.conf`
  922     - Updated "Auth fail" regex for OpenSSH 5.9 and later
  923 * Treat failed and killed execution of commands identically (only
  924   different log messages), which addresses different behavior on different
  925   exit codes of dash and bash (gh-1155)
  926 * Fix jail.conf.5 man's section (gh-1226)
  927 * Fixed default banaction for allports jails like pam-generic, recidive, etc
  928   with new default variable `banaction_allports` (gh-1216)
  929 * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
  930   for python version < 3.x (gh-1248)
  931 * Use postfix_log logpath for postfix-rbl jail
  932 * `filters.d/postfix.conf` - add 'Sender address rejected: Domain not found' failregex
  933 * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
  934 * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
  935 * Changed `filter.d/asterisk` regex for "Call from ..." (few vulnerable now)
  936 * Removed compression and rotation count from logrotate (inherit them from
  937   the global logrotate config)
  938 
  939 ### New Features
  940 * New interpolation feature for definition config readers - `<known/parameter>`
  941   (means last known init definition of filters or actions with name `parameter`).
  942   This interpolation makes possible to extend a parameters of stock filter or
  943   action directly in jail inside jail.local file, without creating a separately
  944   `filter.d/*.local` file.
  945   As extension to interpolation `%(known/parameter)s`, that does not works for
  946   filter and action init parameters
  947 * New actions:
  948     - `nftables-multiport` and `nftables-allports` - filtering using nftables
  949       framework. Note: it requires a pre-existing chain for the filtering rule.
  950 * New filters:
  951     - `openhab` - domotic software authentication failure with the
  952       rest api and web interface (gh-1223)
  953     - `nginx-limit-req` - ban hosts, that were failed through nginx by limit
  954       request processing rate (ngx_http_limit_req_module)
  955     - `murmur` - ban hosts that repeatedly attempt to connect to
  956       murmur/mumble-server with an invalid server password or certificate.
  957     - `haproxy-http-auth` - filter to match failed HTTP Authentications against a
  958       HAProxy server
  959 * New jails:
  960     - `murmur` - bans TCP and UDP from the bad host on the default murmur port.
  961 * `sshd` filter got new failregex to match "maximum authentication
  962   attempts exceeded" (introduced in openssh 6.8)
  963 * Added filter for Mac OS screen sharing (VNC) daemon
  964 
  965 ### Enhancements
  966 * Do not rotate empty log files
  967 * Added new date pattern with year after day (e.g. `Sun Jan 23 2005 21:59:59`)
  968   http://bugs.debian.org/798923
  969 * Added openSUSE path configuration (Thanks Johannes Weberhofer)
  970 * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
  971 * Added a timeout (3 sec) to urlopen within badips.py action
  972   (Thanks M. Maraun)
  973 * Added check against atacker's Googlebot PTR fake records
  974   (Thanks Pablo Rodriguez Fernandez)
  975 * Enhance filter against atacker's Googlebot PTR fake records
  976   (gh-1226)
  977 * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
  978 * Added filter for openhab domotic software authentication failure with the
  979   rest api and web interface (gh-1223)
  980 * Add `*_backend` options for services to allow distros to set the default
  981   backend per service, set default to systemd for Fedora as appropriate
  982 * Performance improvements while monitoring large number of files (gh-1265).
  983   Use associative array (dict) for monitored log files to speed up lookup
  984   operations. Thanks @kshetragia
  985 * Specified that fail2ban is PartOf iptables.service `firewalld.service` in
  986   `.service` file -- would reload fail2ban if those services are restarted
  987 * Provides new default `fail2ban_version` and interpolation variable
  988   `fail2ban_agent` in jail.conf
  989 * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
  990   and to support multiple instances of postfix having varying suffix (gh-1331)
  991   (Thanks Tom Hendrikx)
  992 * `files/gentoo-initd` to use `start-stop-daemon` to robustify restarting the service
  993 
  994 
  995 ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
  996 ----------
  997 
  998 ### IMPORTANT incompatible changes
  999 * `filter.d/roundcube-auth.conf`
 1000     - Changed logpath to 'errors' log (was 'userlogins')
 1001 * `action.d/iptables-common.conf`
 1002     - All calls to iptables command now use -w switch introduced in
 1003       iptables 1.4.20 (some distribution could have patched their
 1004       earlier base version as well) to provide this locking mechanism
 1005       useful under heavy load to avoid contesting on iptables calls.
 1006       If you need to disable, define `action.d/iptables-common.local`
 1007       with empty value for 'lockingopt' in `[Init]` section.
 1008 * `mail-whois-lines`, `sendmail-geoip-lines` and `sendmail-whois-lines`
 1009   actions now include by default only the first 1000 log lines in
 1010   the emails.  Adjust `<grepopts>` to augment the behavior.
 1011 
 1012 ### Fixes
 1013 * reload in interactive mode appends all the jails twice (gh-825)
 1014 * reload server/jail failed if database used (but was not changed) and
 1015   some jail active (gh-1072)
 1016 * `filter.d/dovecot.conf` - also match unknown user in passwd-file.
 1017   Thanks Anton Shestakov
 1018 * Fix fail2ban-regex not parsing journalmatch correctly from filter config
 1019 * `filter.d/asterisk.conf` - fix security log support for Asterisk 12+
 1020 * `filter.d/roundcube-auth.conf`
 1021      - Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
 1022      - Added regex to work with 'userlogins' log
 1023 * `action.d/sendmail*.conf` - use LC_ALL (superseeding LC_TIME) to override
 1024   locale on systems with customized LC_ALL
 1025 * performance fix: minimizes connection overhead, close socket only at
 1026   communication end (gh-1099)
 1027 * unbanip always deletes ip from database (independent of bantime, also if
 1028   currently not banned or persistent)
 1029 * guarantee order of dbfile to be before dbpurgeage (gh-1048)
 1030 * always set 'dbfile' before other database options (gh-1050)
 1031 * kill the entire process group of the child process upon timeout (gh-1129).
 1032   Otherwise could lead to resource exhaustion due to hanging whois
 1033   processes.
 1034 * resolve `/var/run/fail2ban` path in setup.py to help installation
 1035   on platforms with `/var/run` -> /run symlink (gh-1142)
 1036 
 1037 ### New Features
 1038 * RETURN iptables target is now a variable: `<returntype>`
 1039 * New type of operation: pass2allow, use fail2ban for "knocking",
 1040   opening a closed port by swapping blocktype and returntype
 1041 * New filters:
 1042      - froxlor-auth - Thanks Joern Muehlencord
 1043      - apache-pass - filter Apache access log for successful authentication
 1044 * New actions:
 1045      - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
 1046 	   manual pre-configuration of the shorewall. See the action file for detail.
 1047 * New jails:
 1048      - pass2allow-ftp - allows FTP traffic after successful HTTP authentication
 1049 
 1050 ### Enhancements
 1051 * `action.d/cloudflare.conf` - improved documentation on how to allow
 1052   multiple CF accounts, and jail.conf got new compound action
 1053   definition action_cf_mwl to submit cloudflare report.
 1054 * Check access to socket for more detailed logging on error (gh-595)
 1055 * fail2ban-testcases man page
 1056 * `filter.d/apache-badbots.conf`, `filter.d/nginx-botsearch.conf` - add
 1057   HEAD method verb
 1058 * Revamp of Travis and coverage automated testing
 1059 * Added a space between IP address and the following colon
 1060   in notification emails for easier text selection
 1061 * Character detection heuristics for whois output via optional setting
 1062   in mail-whois*.conf. Thanks Thomas Mayer.
 1063   Not enabled by default, if _whois_command is set to be
 1064   %(_whois_convert_charset)s (e.g. in `action.d/mail-whois-common.local`),
 1065   it
 1066      - detects character set of whois output (which is undefined by
 1067        RFC 3912) via heuristics of the file command
 1068      - converts whois data to UTF-8 character set with iconv
 1069      - sends the whois output in UTF-8 character set to mail program
 1070      - avoids that heirloom mailx creates binary attachment for input with
 1071        unknown character set
 1072 
 1073 
 1074 ver. 0.9.2 (2015/04/29) - better-quick-now-than-later
 1075 ----------
 1076 
 1077 ### Fixes
 1078 * Fix ufw action commands
 1079 * infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
 1080   Thanks TonyThompson
 1081 * port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
 1082   (fnerdwq)
 1083 * $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
 1084 * grep'ing for IP in *mail-whois-lines.conf should now match also
 1085   at the beginning and EOL.  Thanks Dean Lee
 1086 * `jail.conf`
 1087      - `php-url-fopen`: separate logpath entries by newline
 1088 * failregex declared direct in jail was joined to single line (specifying of
 1089   multiple expressions was not possible).
 1090 * `filters.d/exim.conf` - cover different settings of exim logs
 1091   details. Thanks bes.internal
 1092 * `filter.d/postfix-sasl.conf` - failregex is now case insensitive
 1093 * `filters.d/postfix.conf` - add 'Client host rejected error message' failregex
 1094 * `fail2ban/__init__.py` - add strptime thread safety hack-around
 1095 * recidive uses `iptables-allports` banaction by default now.
 1096   Avoids problems with iptables versions not understanding 'all' for
 1097   protocols and ports
 1098 * `filter.d/dovecot.conf`
 1099      - match pam_authenticate line from EL7
 1100      - match unknown user line from EL7
 1101 * Use `use_poll=True` for Python 2.7 and >=3.4 to overcome "Bad file
 1102   descriptor" msgs issue (gh-161)
 1103 * `filter.d/postfix-sasl.conf` - tweak failregex and add ignoreregex to ignore
 1104   system authentication issues
 1105 * fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
 1106   (gh-954)
 1107 * firewallcmd-* actions: split output into separate lines for grepping (gh-908)
 1108 * Guard unicode encode/decode issues while storing records in the database.
 1109   Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
 1110   for reporting
 1111 * `filter.d/sshd` added regex for matching openSUSE ssh authentication failure
 1112 * `filter.d/asterisk.conf`:
 1113      - Dropped "Sending fake auth rejection" failregex since it incorrectly
 1114 	   targets the asterisk server itself
 1115      - match "hacking attempt detected" logs
 1116 
 1117 ### New Features
 1118 * New filters:
 1119     - postfix-rbl  Thanks Lee Clemens
 1120     - apache-fakegooglebot.conf  Thanks Lee Clemens
 1121     - nginx-botsearch  Thanks Frantisek Sumsal
 1122     - drupal-auth  Thanks Lee Clemens
 1123 * New recursive embedded substitution feature added:
 1124     - `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
 1125     - `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
 1126 * New interpolation feature for config readers - `%(known/parameter)s`.
 1127   (means last known option with name `parameter`). This interpolation makes
 1128   possible to extend a stock filter or jail regexp in .local file
 1129   (opposite to simply set failregex/ignoreregex that overwrites it),
 1130   see gh-867.
 1131 * Monit config for fail2ban in `files/monit/`
 1132 * New actions:
 1133     - `action.d/firewallcmd-multiport` and `action.d/firewallcmd-allports` Thanks Donald Yandt
 1134     - `action.d/sendmail-geoip-lines.conf`
 1135     - `action.d/nsupdate` to update DNSBL. Thanks Andrew St. Jean
 1136 * New status argument for fail2ban-client -- flavor:
 1137   `fail2ban-client status <jail> [flavor]`
 1138     - empty or "basic" works as-is
 1139     - "cymru" additionally prints (ASN, Country RIR) per banned IP
 1140       (requires dnspython or dnspython3)
 1141 * Flush log at USR1 signal
 1142 
 1143 ### Enhancements
 1144 * Enable multiport for firewallcmd-new action.  Closes gh-834
 1145 * files/debian-initd migrated from the debian branch and should be
 1146   suitable for manual installations now (thanks Juan Karlo de Guzman)
 1147 * Define empty ignoreregex in filters which didn't have it to avoid
 1148   warnings (gh-934)
 1149 * `action.d/{sendmail-*,xarf-login-attack}.conf` - report local
 1150   timezone not UTC time/zone. Closes gh-911
 1151 * Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
 1152 * Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
 1153 * Added syslogsocket configuration to fail2ban.conf
 1154 * Note in the `jail.conf` for the recidive jail to increase dbpurgeage (gh-964)
 1155 
 1156 
 1157 ver. 0.9.1 (2014/10/29) - better, faster, stronger
 1158 ----------
 1159 
 1160 ### Refactoring (IMPORTANT -- Please review your setup and configuration)
 1161 * `iptables-common.conf` replaced `iptables-blocktype.conf`
 1162   (`iptables-blocktype.local` should still be read) and now also
 1163   provides defaults for the chain, port, protocol and name tags
 1164 
 1165 ### Fixes
 1166 * start of file2ban aborted (on slow hosts, systemd considers the server has
 1167   been timed out and kills him), see gh-824
 1168 * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
 1169 * systemd backend error on bad utf-8 in python3
 1170 * badips.py action error when logging HTTP error raised with badips request
 1171 * fail2ban-regex failed to work in python3 due to space/tab mix
 1172 * recidive regex samples incorrect log level
 1173 * journalmatch for recidive incorrect PRIORITY
 1174 * loglevel couldn't be changed in fail2ban.conf
 1175 * Handle case when no sqlite library is available for persistent database
 1176 * Only reban once per IP from database on fail2ban restart
 1177 * Nginx filter to support missing server_name. Closes gh-676
 1178 * fail2ban-regex assertion error caused by miscount missed lines with
 1179   multiline regex
 1180 * Fix actions failing to execute for Python 3.4.0. Workaround for
 1181   http://bugs.python.org/issue21207
 1182 * Database now returns persistent bans on restart (bantime < 0)
 1183 * Recursive action tags now fully processed. Fixes issue with bsd-ipfw
 1184   action
 1185 * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
 1186   Thanks Serg G. Brester
 1187 * Correct times for non-timezone date times formats during DST
 1188 * Pass a copy of, not original, aInfo into actions to avoid side-effects
 1189 * Per-distribution paths to the exim's main log
 1190 * Ignored IPs are no longer banned when being restored from persistent
 1191   database
 1192 * Manually unbanned IPs are now removed from persistent database, such they
 1193   wont be banned again when Fail2Ban is restarted
 1194 * Pass "bantime" parameter to the actions in default jail's action
 1195   definition(s)
 1196 * `filters.d/sieve.conf` - fixed typo in _daemon.  Thanks Jisoo Park
 1197 * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
 1198   Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
 1199   Debian bug #755173
 1200 * postfix-sasl - added journalmatch.  Thanks Luc Maisonobe
 1201 * postfix* - match with a new daemon string (postfix/submission/smtpd).
 1202   Closes gh-804 .  Thanks Paul Traina
 1203 * apache - added filter for AH01630 client denied by server configuration.
 1204 
 1205 ### New Features
 1206 * New filters:
 1207     - monit  Thanks Jason H Martin
 1208     - directadmin  Thanks niorg
 1209     - apache-shellshock  Thanks Eugene Hopkinson (SlowRiot)
 1210 * New actions:
 1211     - symbiosis-blacklist-allports  for Bytemark symbiosis firewall
 1212     - fail2ban-client can fetch the running server version
 1213     - Added Cloudflare API action
 1214 
 1215 ### Enhancements
 1216 * Start performance of fail2ban-client (and tests) increased, start time
 1217   and cpu usage rapidly reduced. Introduced a shared storage logic, to
 1218   bypass reading lots of config files (see gh-824).
 1219   Thanks to Joost Molenaar for good catch (reported gh-820).
 1220 * Fail2ban-regex - add print-all-matched option. Closes gh-652
 1221 * Suppress fail2ban-client warnings for non-critical config options
 1222 * Match non "Bye Bye" disconnect messages for sshd locked account regex
 1223 * courier-smtp filter:
 1224     - match lines with user names
 1225     - match lines containing "535 Authentication failed" attempts
 1226 * Add `<chain>` tag to iptables-ipsets
 1227 * Realign fail2ban log output with white space to improve readability. Does
 1228   not affect SYSLOG output
 1229 * Log unhandled exceptions
 1230 * cyrus-imap: catch "user not found" attempts
 1231 * Add support for Portsentry
 1232 
 1233 
 1234 ver. 0.9.0 (2014/03/14) - beta
 1235 ----------
 1236 
 1237 Carries all fixes, features and enhancements from 0.8.13 (unreleased) with
 1238 major changes.
 1239 
 1240 The minimum supported python version is now 2.6. If you have python-2.4 or 2.5
 1241 you can use the 0.8.12 version of fail2ban.
 1242 
 1243 Please take note of release notes:
 1244 https://github.com/fail2ban/fail2ban/releases/tag/0.9.0
 1245 
 1246 Please test your configuration before relying on it.
 1247 
 1248 Nearly all development is thanks to Steven Hiscocks (THANKS!), merging,
 1249 testcases and timezone support from Daniel Black, and code-review and minor
 1250 additions from Yaroslav Halchenko.
 1251 
 1252 ### Refactoring (IMPORTANT -- Please review your setup and configuration):
 1253 * [..bddbf1e] jail.conf was heavily refactored and now is similar
 1254   to how it looked on Debian systems:
 1255      - default action could be configured once for all jails
 1256      - jails definitions only provide customizations (port, logpath)
 1257      - no need to specify 'filter' if name matches jail name
 1258 * [..5aef036] Core functionality moved into fail2ban/ module.
 1259   Closes gh-26
 1260      - tests included in module to aid testing and debugging
 1261 * Added fail2ban persistent database
 1262      - default location at `/var/lib/fail2ban/fail2ban.sqlite3`
 1263      - allows active bans to be reinstated on restart
 1264      - log files read from last position after restart
 1265 * Added systemd journal backend
 1266      - Dependency on python-systemd
 1267      - New "journalmatch" option added to filter configs files
 1268      - New "systemd-journal" option added to fail2ban-regex
 1269 * Added python3 support
 1270 * Support %z (Timezone offset) and %f (sub-seconds) support for
 1271   datedetector. Enhanced existing date/time have been updated patterns to
 1272   support these. ISO8601 now defaults to localtime unless specified otherwise.
 1273   Some filters have been change as required to capture these elements in the
 1274   right timezone correctly.
 1275 * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
 1276      - Log level INFO is now more verbose
 1277 * Optionally can read log files starting from "head" or "tail".
 1278      - See "logpath" option in jail.conf(5) man page.
 1279 * Can now set log encoding for files per jail.
 1280      - Default uses systemd locale.
 1281 
 1282 ### New Features
 1283 * [..c7ae460] Multiline failregex. Close gh-54
 1284 * [8af32ed] Guacamole filter and support for Apache Tomcat date
 1285   format
 1286 * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian
 1287   bug #410077.  Also it would now capture and include stdout and stderr
 1288   into logging messages in case of error or at DEBUG loglevel.
 1289 * Added action xarf-login-attack to report formatted attack messages
 1290   according to the XARF standard (v0.2). Close gh-105
 1291 * Support PyPy
 1292 * Add filter for apache-botsearch
 1293 * Add filter for kerio. Thanks Tony Lawrence for blog of regexs and
 1294   providing samples. Close gh-120
 1295 * Filter for stunnel
 1296 * Filter for Counter Strike 1.6. Thanks to onorua for logs.
 1297   Close gh-347
 1298 * Filter for squirrelmail. Close gh-261
 1299 * Filter for tine20. Close gh-583
 1300 * Custom date formats (strptime) can now be set in filters and jail.conf
 1301 * Python based actions can now be created.
 1302      - SMTP action for sending emails on jail start, stop and ban.
 1303 * Added action to use badips.com reporting and blacklist
 1304      - Requires Python 2.7+
 1305 
 1306 ### Enhancements
 1307 * Fail2ban-regex - don't accumulate lines if not printing them.
 1308   add options to suppress output of missed/ignored lines. Close gh-644
 1309 * Asterisk now supports syslog format
 1310 * Jail names increased to 26 characters and iptables prefix reduced
 1311   from fail2ban- to f2b- as suggested by buanzo in gh-462.
 1312 * Multiline filter for sendmail-spam. Close gh-418
 1313 * Multiline regex for Disconnecting: Too many authentication failures for
 1314   root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
 1315 * Multiline regex for Disconnecting: Connection from 61.XX.XX.XX port
 1316   51353\nToo many authentication failures for root [preauth]. Thanks
 1317   Helmut Grohne. Close gh-457
 1318 * Replacing use of deprecated API (.warning, .assertEqual, etc)
 1319 * [..a648cc2] Filters can have options now too which are substituted into
 1320   failregex / ignoreregex
 1321 * [..e019ab7] Multiple instances of the same action are allowed in the
 1322   same jail -- use actname option to disambiguate.
 1323 * Add honeypot email address to exim-spam filter as argument
 1324 * Properties and methods of actions accessible from fail2ban-client
 1325      - Use of properties replaces command actions "cinfo" interface
 1326 
 1327 ver. 0.8.13 (2014/03/15) - maintenance-only-from-now-on
 1328 -----------
 1329 
 1330 ### Fixes
 1331   - action firewallcmd-ipset had non-working actioncheck. Removed.
 1332     redhat bug #1046816.
 1333   - filter pureftpd - added _daemon which got removed. Added
 1334 
 1335 ### New Features
 1336   - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
 1337   - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
 1338 
 1339 ### Enhancements
 1340   - filter asterisk now supports syslog format
 1341   - filter pureftpd - added all translations of "Authentication failed for
 1342     user"
 1343   - filter dovecot - lip= was optional and extended TLS errors can occur.
 1344     Thanks Noel Butler.
 1345 
 1346 ver. 0.8.12 (2014/01/22) - things-can-only-get-better
 1347 ----------
 1348 
 1349 - IMPORTANT incompatible changes:
 1350   - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
 1351     name length. As per gh-395
 1352   - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
 1353     Part of gh-447.
 1354 
 1355 ### Fixes
 1356   - allow for ",milliseconds" in the custom date format of proftpd.log
 1357   - allow for ", referer ..." in apache-* filter for apache error logs.
 1358   - allow for spaces at the beginning of kernel messages. Closes gh-448
 1359   - recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias
 1360   - smtps not a IANA standard and has been removed from Arch. Replaced with
 1361     465. Thanks Stefan. Closes gh-447
 1362   - add 'flushlogs' command to allow logrotation without clobbering logtarget
 1363     settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
 1364   - complain action - ensure where not matching other IPs in log sample.
 1365     Closes gh-467
 1366   - Fix firewall-cmd actioncheck - patch from Adam Tkac. Redhat Bug #979622
 1367   - Fix apache-common for apache-2.4 log file format. Thanks Mark White.
 1368     Closes gh-516
 1369   - Asynchat changed to use push method which verifys whether all data was
 1370     send. This ensures that all data is sent before closing the connection.
 1371   - Removed unnecessary reference to as yet undeclared $jail_name when checking
 1372     a specific jail in nagios script.
 1373   - Filter dovecot reordered session and TLS items in regex with wider scope
 1374     for session characters. Thanks Ivo Truxa. Closes gh-586
 1375   - A single bad failregex or command syntax in configuration files won't stop
 1376     fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585.
 1377 
 1378 ### Enhancements
 1379   - long names on jails documented based on iptables limit of 30 less
 1380     len("fail2ban-").
 1381   - remove indentation of name and loglevel while logging to SYSLOG to
 1382     resolve syslog(-ng) parsing problems. Closes Debian bug #730202.
 1383   - updated check_fail2ban to return performance data for all jails.
 1384   - filter apache-noscript now includes php cgi scripts.
 1385     Thanks dani. Closes gh-503
 1386   - exim-spam filter to match spamassassin log entry for option SAdevnull.
 1387     Thanks Ivo Truxa. Closes gh-533
 1388   - `filter.d/nsd.conf` -- also amended Unix date template to match nsd format
 1389   - Added to sshd filter expression for `Received disconnect from <HOST>: 3:
 1390     ...: Auth fail`. Thanks Marcel Dopita. Closes gh-289
 1391   - loglines now also report "[PID]" after the name portion
 1392   - Added `filter.d/ejabberd-auth`
 1393   - Improved ACL-handling for Asterisk
 1394   - loglines now also report "[PID]" after the name portion
 1395   - Added improper command pipelining to postfix filter.
 1396 
 1397 ### New Features
 1398 
 1399   - `filter.d/solid-pop3d` -- added thanks to Jacques Lav!gnotte on mailinglist.
 1400   - Add filter for apache-modsecurity.
 1401   - `filter.d/nsd.conf` -- also amended Unix date template to match nsd format
 1402   - Added openwebmail filter thanks Ivo Truxa. Closes gh-543
 1403   - Added filter for freeswitch. Thanks Jim and editors and authors of
 1404     http://wiki.freeswitch.org/wiki/Fail2ban
 1405   - Added groupoffice filter thanks to logs from Merijn Schering.
 1406     Closes gh-566
 1407   - Added filter for horde
 1408   - Added filter for squid. Thanks Roman Gelfand.
 1409   - Added filter for ejabberd-auth.
 1410   - Added `filter.d/openwebmail` filter thanks Ivo Truxa. Closes gh-543
 1411   - Added `filter.d/groupoffice` filter thanks to logs from Merijn Schering.
 1412     Closes gh-566
 1413   - Added `action.d/badips`. Thanks to Amy for making a nice API.
 1414   - Added firewallcmd-ipset action.
 1415   - Added ufw action. Thanks Guilhem Lettron. lp-#701522
 1416   - Added blocklist_de action.
 1417 
 1418 
 1419 ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes
 1420 ----------
 1421 
 1422 In light of CVE-2013-2178 that triggered our last release we have put
 1423 a significant effort into tightening all of the regexs of our filters
 1424 to avoid another similar vulnerability. All filters have been updated
 1425 and some to catch more login/authentication failures and to support
 1426 for newer application versions. There are test cases for most log
 1427 cases of failures now.
 1428 
 1429 As usual, if you have other examples that demonstrate that a filter is
 1430 insufficient, or if we have inadvertently introduced a regression,
 1431 please provide us with example log lines on the github issue tracker
 1432 http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in
 1433 some obscure corner of the Internet.
 1434 
 1435 Many thanks to our contributors for this release Daniel Black, Yaroslav
 1436 Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski,
 1437 Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François
 1438 Boulogne and others who have helped on IRC and mailing list, logged issues
 1439 and bug requests.
 1440 
 1441 ### IMPORTANT incompatible changes
 1442 
 1443 Filter name changes:
 1444     * 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
 1445     * 'sasl' has been renamed to 'postfix-sasl'
 1446     * 'exim' spam catching failregexes was split out into 'exim-spam'
 1447 These changes will require changing jail.{conf,local} if any of
 1448 those filters were used.
 1449 
 1450 ### Fixes
 1451 - Jonathan Lanning
 1452     * `filter.d/asterisk` -- identified another regex for blocking. Also channel
 1453       ID is hex not decimal as noted in sample logs provided.
 1454 - Daniel Black & Marcel Dopita
 1455     * `filter.d/apache-auth` -- fixed and apache auth samples provide. Closes gh-286
 1456 - Yaroslav Halchenko
 1457     * `filter.d/common.conf` -- make colon after [daemon] optional. Closes gh-267
 1458     * `filter.d/apache-common.conf` -- support apache 2.4 more detailed error
 1459       log format.  Closes gh-268
 1460     * Backends changes detection and parsing. Close gh-223 and gh-103:
 1461         - Polling backend: detect changes in the files not only based on
 1462           mtime, but also on the size and inode.  It should allow for
 1463           better detection of changes and log rotations on busy servers,
 1464           older python 2.4, and file systems with precision of mtime only
 1465           up to a second (e.g. ext3).
 1466         - All backends, possible race condition: do not read from a file
 1467           initially reported empty.  Originally could have lead to
 1468           accounting for detected log lines multiple times.
 1469         - Do not crash if executing a command in fail2ban-client interactive
 1470           mode has failed (e.g. due to incorrect syntax). Closes gh-353
 1471 - Daniel Black & Мернов Георгий
 1472     * `filter.d/dovecot.conf` -- Fix when no TLS enabled - line doesn't end in ,
 1473 - Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
 1474     * `filter.d/exim.conf` -- regex hardening and extra failure examples in
 1475       sample logs
 1476     * `filter.d/named-refused.conf` - BIND 9.9.3 regex changes
 1477 - Daniel Black & Sebastian Arcus
 1478     * `filter.d/asterisk` -- more regexes
 1479 - Daniel Black
 1480     * `action.d/hostsdeny` -- NOTE: new dependency 'ed'. Switched to use 'ed' across
 1481       all platforms to ensure permissions are the same before and after a ban.
 1482       Closes gh-266. hostsdeny supports daemon_list now too.
 1483     * `action.d/bsd-ipfw` - action option unused. Change blocktype to port unreach
 1484       instead of deny for consistancy.
 1485     * `filter.d/dovecot` - added to support different dovecot failure
 1486       "..disallowed plaintext auth". Closes Debian bug #709324
 1487     * `filter.d/roundcube-auth` - timezone offset can be positive or negative
 1488     * `action.d/bsd-ipfw` - action option unused. Fixed to blocktype for
 1489       consistency. default to port unreach instead of deny
 1490     * `filter.d/dropbear` - fix regexs to match standard dropbear and the patched
 1491       http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
 1492       and add PAM is it in dropbear-2013.60 source code.
 1493     * `filter.d/{asterisk,assp,dovecot,proftpd}.conf` -- regex hardening
 1494       and extra failure examples in sample logs
 1495     * `filter.d/apache-auth` - added expressions for mod_authz, mod_auth and
 1496       mod_auth_digest failures.
 1497     * `filter.d/recidive` -- support f2b syslog target and anchor regex at start
 1498     * `filter.d/mysqld-auth.conf` - mysql can use syslog
 1499     * `filter.d/sshd` - regex enhancements to support openssh-6.3. Closes Debian
 1500       bug #722970. Thanks Colin Watson for the regex analysis.
 1501     * `filter.d/wuftpd` - regex enhancements to support pam and wuftpd. Closes
 1502       Debian bug #665925
 1503 - Rolf Fokkens
 1504     * `action.d/dshield.conf` and complain.conf -- reorder mailx arguments.
 1505       https://bugzilla.redhat.com/show_bug.cgi?id=998020
 1506 - John Doe (ache)
 1507     * `action.d/bsd-ipfw.conf` - invert actionstop logic to make exist status 0.
 1508       Closes gh-343.
 1509 - JP Espinosa (Reviewed by O.Poplawski)
 1510     * files/redhat-initd - rewritten to use stock init.d functions thus
 1511       avoiding problems with getpid.  Also $network and iptables moved
 1512       to Should- rc init fields
 1513 - Rick Mellor
 1514     * `filter.d/vsftp` - fix capture with tty=ftp
 1515 
 1516 ### New Features
 1517 - Edgar Hoch
 1518     * `action.d/firewall-cmd-direct-new.conf` - action for firewalld
 1519       from https://bugzilla.redhat.com/show_bug.cgi?id=979622
 1520       NOTE: requires firewalld-0.3.8+
 1521 - Andy Fragen and Daniel Black
 1522     * `filter.d/osx-ipfw.conf` - ipfw action for OSX based on random rule
 1523       numbers.
 1524 - Anonymous:
 1525     * `action.d/osx-afctl` - an action based on afctl for osx
 1526 - Daniel Black & ykimon
 1527     * `filter.d/3proxy.conf` -- filter added
 1528     * fail2ban-regex - now generates http://www.debuggex.com urls for debugging
 1529       regular expressions with the -D parameter.
 1530 - Daniel Black
 1531     * `filter.d/exim-spam.conf` -- a splitout of exim's spam regexes
 1532       with additions for greater control over filtering spam.
 1533     * add date expression for apache-2.4 - milliseconds
 1534     * `filter.d/nginx-http-auth` -- filter added for http basic authentication
 1535       failures in nginx. Partially fulfills gh-405.
 1536 - Christophe Carles & Daniel Black
 1537     * `filter.d/perdition.conf` -- filter added
 1538 - Mark McKinstry
 1539     * `action.d/apf.conf` - add action for Advanced Policy Firewall (apf)
 1540 - Amir Caspi and kjohnsonecl
 1541     * `filter.d/uwimap-auth` - filter for uwimap-auth IMAP/POP server
 1542 - Steven Hiscocks and Daniel Black
 1543     * `filter.d/selinux-{common,ssh`} -- add SELinux date and ssh filter
 1544 
 1545 ### Enhancements
 1546 - François Boulogne and Frédéric
 1547     * `filter.d/lighttpd` - auth regexs for lighttpd-1.4.31
 1548 - Daniel Black
 1549     * reorder parsing of jail.conf, `jail.d/*.conf`, `jail.local`, `jail.d/*.local`
 1550       and likewise for `fail2ban.{conf|local|d/*.conf|d/*.local`}. Closes gh-392
 1551     * jail.conf now has asterisk jail - no need for asterisk-tcp and
 1552       asterisk-udp. Users should replace existing jails with asterisk to
 1553       reduce duplicate parsing of the asterisk log file.
 1554     * `filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin`}- regex anchor at
 1555       start
 1556     * `filter.d/vsftpd` - anchored regex at start. disable old pam format regex
 1557     * `filter.d/pam-generic` - added syslog prefix. Disabled support for
 1558       linux-pam before version 0.99.2.0 (2005)
 1559     * `filter.d/postfix-sasl` - renamed from sasl, anchor at start and base on
 1560       syslog
 1561     * `filter.d/qmail` - rewrote regex to anchor at start. Added regex for
 1562       another "in the wild" patch to rblsmtp.
 1563 - Yaroslav Halchenko
 1564     * fail2ban-regex -- refactored to provide more details (missing and
 1565       ignored lines, control over logging, etc) while maintaining look&feel
 1566     * fail2ban-client -- log to standard error. Closes gh-264
 1567     * Fail to configure if not a single log file was found for an
 1568       enabled jail. Closes gh-63
 1569     * `<HOST>` is now enforced to end with an alphanumeric
 1570     * `filter.d/roundcube-auth.conf` -- anchored version
 1571     * date matching - for standard asctime formats prefer more detailed
 1572       first (thus use year if available)
 1573     * files/gen_badbots was added and `filter.d/apache-badbots.conf` was
 1574       regenerated to get updated (although now still an old) list of
 1575       "bad" bots
 1576 - Alexander Dietrich
 1577     * `action.d/sendmail-common.conf` -- added common sendmail settings file
 1578       and made the sender display name configurable
 1579 - Steven Hiscocks
 1580     * `filter.d/dovecot` - Addition of session, time values and possible blank
 1581       user
 1582 - Zurd and Daniel Black
 1583     * `filter.d/named-refused` - added refused on zone transfer
 1584     * `filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd`} - General
 1585       regex improvements
 1586 - Zurd
 1587     * `filter.d/postfix` - add filter for VRFY failures. Closes gh-322.
 1588 - Orion Poplawski
 1589     * `fail2ban.d/` and `jail.d/` directories are added to `etc/fail2ban` to facilitate
 1590       their use
 1591 
 1592 ver. 0.8.10 (2013/06/12) - wanna-be-secure
 1593 -----------
 1594 
 1595 Primarily bugfix and enhancements release, triggered by "bugs" in
 1596 apache- filters.  If you are relying on listed below apache- filters,
 1597 upgrade asap and seek your distributions to patch their fail2ban
 1598 distribution with [6ccd5781].
 1599 
 1600 ### Fixes
 1601 - Yaroslav Halchenko
 1602     * [6ccd5781] `filter.d/apache-{auth,nohome,noscript,overflows`} - anchor
 1603       failregex at the beginning (and where applicable at the end).
 1604       Addresses a possible DoS. Closes gh-248
 1605     * `action.d/{route,shorewall}.conf` - blocktype must be defined
 1606       within [Init].  Closes gh-232
 1607 ### Enhancements
 1608 - Yaroslav Halchenko
 1609     * jail.conf -- assure all jails have actions and remove unused
 1610       ports specifications
 1611 - Terence Namusonge
 1612     * `filter.d/roundcube-auth.conf` -- support roundcube 0.9+
 1613 - Daniel Black
 1614     * `files/suse-initd` -- update to the copy from stock SUSE
 1615       silviogarbes & Daniel Black
 1616     * Updates to asterisk filter. Closes gh-227/gh-230.
 1617 - Carlos Alberto Lopez Perez
 1618     * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
 1619 
 1620 ver. 0.8.9 (2013/05/13) - wanna-be-stable
 1621 ----------
 1622 
 1623 Originally targeted as a bugfix release, it incorporated many new
 1624 enhancements, few new features, and more importantly -- quite extended
 1625 tests battery with current 94% coverage (from 56% of 0.8.8).
 1626 
 1627 This release introduces over 200 of non-merge commits from 16
 1628 contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
 1629 Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
 1630 ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
 1631 Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.
 1632 
 1633 Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
 1634 Hendrikx, Yehuda Katz and other TBN heroes supporting users on
 1635 fail2ban-users mailing list and IRC.
 1636 
 1637 ### Fixes
 1638 - Yaroslav Halchenko
 1639     * [6f4dad46] python-2.4 is the minimal version.
 1640     * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
 1641       on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
 1642     * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
 1643       insight. Closes gh-103.
 1644     * [ab044b75] delay check for the existence of config directory until read.
 1645     * [3b4084d4] fixing up for handling of TAI64N timestamps.
 1646     * [154aa38e] do not shutdown logging until all jails stop.
 1647     * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes gh-184.
 1648       Thanks to Jon Foster for report and troubleshooting.
 1649 - Orion Poplawski
 1650     * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
 1651       newly created directories.
 1652 - Nicolas Collignon
 1653     * [39667ff6] Avoid leaking file descriptors. Closes gh-167.
 1654 - Sergey Brester
 1655     * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
 1656       sorting template list.
 1657 - Steven Hiscocks
 1658     * [7a442f07] When changing log target with python2.{4,5} handle KeyError.
 1659       Closes gh-147, gh-148.
 1660     * [b6a68f51] Fix delaction on server side. Closes gh-124.
 1661 - Daniel Black
 1662     * [f0610c01] Allow more that a one word command when changing and Action via
 1663       the fail2ban-client. Closes gh-134.
 1664     * [945ad3d9] Fix dates on email actions to work in different locals. Closes
 1665       gh-70. Thanks to iGeorgeX for the idea.
 1666 - blotus
 1667     * [96eb8986] ' and " should also be escaped in action tags Closes gh-109
 1668 - Christoph Theis, Nick Hilliard, Daniel Black
 1669     * [b3bd877d,cde71080] Make `syslog -v` and `syslog -vv` formats work on FreeBSD
 1670 
 1671 ### New Features
 1672 - Yaroslav Halchenko
 1673     * [9ba27353] Add support for `jail.d/{confilefile}` and `fail2ban.d/{configfile}`
 1674       to provide additional flexibility to system adminstrators. Thanks to
 1675       beilber for the idea. Closes gh-114.
 1676     * [3ce53e87] Add exim filter.
 1677 - Erwan Ben Souiden
 1678     * [d7d5228] add nagios integration documentation and script to ensure
 1679       fail2ban is running. Closes gh-166.
 1680 - Artur Penttinen
 1681     * [29d0df5] Add mysqld filter. Closes gh-152.
 1682 - ArndRaphael Brandes
 1683     * [bba3fd8] Add Sogo filter. Closes gh-117.
 1684 - Michael Gebetsriother
 1685     * [f9b78ba] Add action route to block at routing level.
 1686 - Teodor Micu & Yaroslav Halchenko
 1687     * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
 1688 - Daniel Black
 1689     * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
 1690 - Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
 1691     * [b6d0e8a] Add and enhance the bsd-ipfw action from
 1692       FreeBSD ports.
 1693 - Soulard Morgan
 1694     * [f336d9f] Add filter for webmin. Closes gh-99.
 1695 - Steven Hiscocks
 1696     * [..746c7d9] bash interactive shell completions for fail2ban-*'s
 1697 - Nick Hilliard
 1698     * [0c5a9c5] Add pf action.
 1699 
 1700 ### Enhancements
 1701 - Enrico Labedzki
 1702     * [24a8d07] Added new date format for ASSP SMTP Proxy.
 1703 - Steven Hiscocks
 1704     * [3d6791f] Ensure restart of Actions after a check fails occurs
 1705       consistently. Closes gh-172.
 1706     * [MANY] Improvements to test cases, travis, and code coverage (coveralls).
 1707     * [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
 1708     * [ce3ab34] Added ability to specify PID file.
 1709 - Orion Poplawski
 1710     * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
 1711       Closes gh-142.
 1712 - Yaroslav Halchenko
 1713     * [MANY] Lots of improvements to log messages, man pages and test cases.
 1714     * [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
 1715       Closes gh-126. Bug report by Michael Heuberger.
 1716     * [40c5a2d] adding more of diagnostic messages into -client while starting
 1717       the daemon.
 1718     * [8e63d4c] Compare against None with 'is' instead of '=='.
 1719     * [6fef85f] Strip CR and LF while analyzing the log line
 1720 - Daniel Black
 1721     * [3aeb1a9] Add jail.conf manual page. Closes gh-143.
 1722     * [MANY] man page edits.
 1723     * [7cd6dab] Added help command to fail2ban-client.
 1724     * [c8c7b0b,23bbc60] Better logging of log file read errors.
 1725     * [3665e6d] Added code coverage to development process.
 1726     * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
 1727       source. Also include BSD changes.
 1728     * [1d9abd1] Action files can have tags in definition that refer to other
 1729       tags.
 1730     * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
 1731       unreachable rather than just a drop of the packet.
 1732 - Pascal Borreli
 1733     * [a2b29b4] Fixed lots of typos in config files and documentation.
 1734 - hamilton5
 1735     * [7ede1e8] Update dovecot filter config.
 1736 - Romain Riviere
 1737     * [0ac8746] Enhance named-refused filter for views.
 1738 - James Stout
 1739     * [..2143cdf] Solaris support enhancements:
 1740         - `README.Solaris`
 1741         - failregex'es tune ups (`sshd.conf`)
 1742         - hostsdeny: do not rely on support of '-i' in sed
 1743 
 1744 ver. 0.8.8 (2012/12/06) - stable
 1745 ----------
 1746 ### Fixes
 1747 - Alan Jenkins
 1748     * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
 1749       banning due to misconfigured DNS. Closes gh-64
 1750 - Yaroslav Halchenko
 1751     * [83109bc] IMPORTANT: escape the content of <matches> (if used in
 1752       custom action files) since its value could contain arbitrary
 1753       symbols.  Thanks for discovery go to the NBS System security
 1754       team
 1755     * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83
 1756     * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
 1757     * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
 1758       in the console. Closes gh-91
 1759 
 1760 ### New Features
 1761 - David Engeset
 1762     * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
 1763       the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86
 1764 
 1765 ### Enhancements
 1766 * [2d66f31] replaced uninformative "Invalid command" message with warning log
 1767   exception why command actually failed
 1768 * [958a1b0] improved failregex to "support" auth.backend = "htdigest"
 1769 * [9e7a3b7] until we make it proper module -- adjusted sys.path only if
 1770   system-wide run
 1771 * [f52ba99] downgraded "already banned" from WARN to INFO level. Closes gh-79
 1772 * [f105379] added hints into the log on some failure return codes (e.g. 0x7f00
 1773   for this gh-87)
 1774 * Various others: travis-ci integration, script to run tests
 1775   against all available Python versions, etc
 1776 
 1777 ver. 0.8.7.1 (2012/07/31) - stable
 1778 ----------
 1779 
 1780 ### Fixes
 1781 * [e9762f3] Removed sneaked in comment on sys.path.insert
 1782 
 1783 ver. 0.8.7 (2012/07/31) - stable
 1784 ----------
 1785 
 1786 ### Fixes
 1787 - Tom Hendrikx & Jeremy Olexa
 1788     * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated.
 1789       See http://forums.gentoo.org/viewtopic-t-899018.html
 1790 - Chris Reffett
 1791     * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban,
 1792       rather than just one failure.
 1793 - Yaroslav Halchenko
 1794     * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf
 1795     * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf
 1796     * [ed16ecc] enforce "ip" field returned as str, not unicode so that log
 1797       message stays non-unicode. Close gh-32
 1798     * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if
 1799       already present in the pattern
 1800     * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be
 1801       friend to developers stuck with Windows (Closes gh-66)
 1802     * [80b191c] anchor grep regexp in actioncheck to not match partial names
 1803       of the jails (Closes: #672228) (Thanks Szépe Viktor for the report)
 1804 ### New Features
 1805 - François Boulogne
 1806     * [a7cb20e..] add lighttpd-auth filter/jail
 1807 - Lee Clemens & Yaroslav Halchenko
 1808     * [e442503] pyinotify backend (default if backend='auto' and pyinotify
 1809       is available)
 1810     * [d73a71f,3989d24] usedns parameter for the jails to allow disabling
 1811       use of DNS
 1812 - Tom Hendrikx
 1813     * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban
 1814       repeated offenders. Close gh-19
 1815 - Xavier Devlamynck
 1816     * [7d465f9..] Add asterisk support
 1817 - Zbigniew Jędrzejewski-Szmek
 1818     * [de502cf..] allow running fail2ban as non-root user (disabled by
 1819       default) via xt_recent. See doc/run-rootless.txt
 1820 ### Enhancements
 1821 - Lee Clemens
 1822     * [47c03a2] files/nagios - spelling/grammar fixes
 1823     * [b083038] updated Free Software Foundation's address
 1824     * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606
 1825     * [642d9af,3282f86] reformated printing of jail's name to be consistent
 1826       with init's info messages
 1827     * [3282f86] uniform use of capitalized Jail in the messages
 1828 - Leonardo Chiquitto
 1829     * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf
 1830       to reflect code
 1831     * [a7d47e8] Update Free Software Foundation's address
 1832 - Petr Voralek
 1833     * [4007751] catch failed ssh logins due to being listed in DenyUsers.
 1834       Close gh-47 (Closes: #669063)
 1835 - Yaroslav Halchenko
 1836     * [MANY]    extended and robustified unittests: test different backends
 1837     * [d9248a6] refactored Filter's to avoid duplicate functionality
 1838     * [7821174] direct users to issues on github
 1839     * [d2ffee0..] re-factored fail2ban-regex -- more condensed output by
 1840       default with -v to control verbosity
 1841     * [b4099da] adjusted header for config/*.conf to mention .local and way
 1842       to comment (Thanks Stefano Forli for the note)
 1843     * [6ad55f6] added failregex for wu-ftpd to match against syslog instead
 1844       of DoS-prone auth.log's rhost (Closes: #514239)
 1845     * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for
 1846       sshd filter (Closes: #648020)
 1847 - Yehuda Katz & Yaroslav Halchenko
 1848     * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers
 1849 
 1850 ver. 0.8.6 (2011/11/28) - stable
 1851 ----------
 1852 ### Fixes
 1853 - Markos Chandras & Yaroslav Halchenko
 1854     * [492d8e5,bd658fc] Use hashlib (instead of deprecated md5) where available
 1855 - Robert Trace & Michael Lorant
 1856     * [c48c2b1] gentoo-initd cleanup and fixes: assure `/var/run` + remove stale
 1857       sock file
 1858 - Michael Saavedra
 1859     * [3a58d0e] Lock server's executeCmd to prevent racing among iptables calls:
 1860       see http://bugs.debian.org/554162
 1861 - Yaroslav Halchenko
 1862     * [3eb5e3b] Allow for trailing spaces in sasl logs
 1863     * [1632244] Stop server-side communication before stopping the
 1864       jails (prevents lockup if actions use fail2ban-client upon
 1865       unban): see https://github.com/fail2ban/fail2ban/issues/7
 1866     * [5a2d518] Various changes to reincarnate unittests
 1867 - Yehuda Katz
 1868     * Wiki was cleaned from SPAM
 1869 
 1870 ### Enhancements
 1871 - Adam Spiers
 1872     * [3152afb] Recognise time-stamped kernel messages
 1873 - Guido Bozzetto
 1874     * [713fea6] Added ipmasq rule file to restart fail2ban when iptables are
 1875       wiped out: see http://bugs.debian.org/461417
 1876 - Łukasz
 1877     * [5f23542] Matching of month names in Polish (thanks michaelberg79
 1878       for QA)
 1879 - Tom Hendrikx
 1880     * [9fa54cf] Added Date: header for sendmail*.conf actions
 1881 - Yaroslav Halchenko & Tom Hendrikx
 1882     * [b52d420..22b7007] <matches> in action files now can be used
 1883       to provide matched loglines which triggered action
 1884 - Yaroslav Halchenko
 1885     * [ed0bf3a] Removed duplicate entry for DataCha0s/2\.0 in badbots:
 1886       see http://bugs.debian.org/519557
 1887     * [dad91f7] sshd.conf: allow user names to have spaces and
 1888       trailing spaces in the line
 1889     * [a9be451] removed expansions for few Date and Revision SVN keywords
 1890     * [a33135c] set/getFile for ticket.py -- found in source distribution
 1891       of 0.8.4
 1892     * [fbce415] additional logging while stopping the jails
 1893 
 1894 ver. 0.8.5 (2011/07/28) - stable
 1895 ----------
 1896 - Fix: use addfailregex instead of failregex while processing per-jail
 1897   "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to
 1898   Marat Khayrullin for the patch and Daniel T Chen for forwarding to
 1899   Debian.
 1900 - Fix: use os.path.join to generate full path - fixes includes in configs
 1901   given local filename (5 weeks ago) [yarikoptic]
 1902 - Fix: allowed for trailing spaces in proftpd logs
 1903 - Fix: escaped () in pure-ftpd filter. Thanks to Teodor
 1904 - Fix: allowed space in the trailing of failregex for sasl.conf:
 1905   see http://bugs.debian.org/573314
 1906 - Fix: use `/var/run/fail2ban` instead of `/tmp` for temp files in actions:
 1907   see http://bugs.debian.org/544232
 1908 - Fix: Tai64N stores time in GMT, needed to convert to local time before
 1909   returning
 1910 - Fix: disabled named-refused-udp jail entirely with a big fat warning
 1911 - Fix: added time module. Bug reported in buanzo's blog:
 1912   see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
 1913 - Fix: Patch to make log file descriptors cloexec to stop leaking file
 1914   descriptors on fork/exec. Thanks to Jonathan Underwood:
 1915   see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24
 1916 - Enhancement: added author for dovecot filter and pruned unneeded space
 1917   in the regexp
 1918 - Enhancement: proftpd filter -- if login failed -- count regardless of the
 1919   reason for failure
 1920 - Enhancement: added <chain> to `action.d/iptables*`. Thanks to Matthijs Kooijman:
 1921   see http://bugs.debian.org/515599
 1922 - Enhancement: added `filter.d/dovecot.conf` from Martin Waschbuesch
 1923 - Enhancement: made `filter.d/apache-overflows.conf` catch more:
 1924   see http://bugs.debian.org/574182
 1925 - Enhancement: added dropbear filter from Francis Russell and Zak B. Elep:
 1926   see http://bugs.debian.org/546913
 1927 - Enhancement: changed default ignoreip to ignore entire loopback zone (/8):
 1928   see http://bugs.debian.org/598200
 1929 - Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer
 1930 - Few minor cosmetic changes
 1931 
 1932 ver. 0.8.4 (2009/09/07) - stable
 1933 ----------
 1934 - Check the inode number for rotation in addition to checking the first line of
 1935   the file. Thanks to Jonathan Kamens. Red Hat #503852. Tracker #2800279.
 1936 - Moved the shutdown of the logging subsystem out of Server.quit() to
 1937   the end of Server.start(). Fixes the 'cannot release un-acquired lock'
 1938   error.
 1939 - Added "Ban IP" command. Thanks to Arturo 'Buanzo' Busleiman.
 1940 - Added two new filters: lighttpd-fastcgi and php-url-fopen.
 1941 - Fixed the 'unexpected communication error' problem by means of
 1942   use_poll=False in Python >= 2.6.
 1943 - Merged patches from Debian package. Thanks to Yaroslav Halchenko.
 1944 - Use current day and month instead of Jan 1st if both are not available in the
 1945   log. Thanks to Andreas Itzchak Rehberg.
 1946 - Try to match the regex even if the line does not contain a valid date/time.
 1947   Described in Debian #491253. Thanks to Yaroslav Halchenko.
 1948 - Added/improved filters and date formats.
 1949 - Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to
 1950   Russell Odom.
 1951 - Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to
 1952   Detlef Reichelt.
 1953 - Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
 1954 - Added nagios script. Thanks to Sebastian Mueller.
 1955 - Added CPanel date format. Thanks to David Collins. Tracker #1967610.
 1956 - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
 1957 - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115.
 1958 - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
 1959 - Changed `<HOST>` template to be more restrictive. Debian bug #514163.
 1960 - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct
 1961   fix but seems to work. Tracker #2500276.
 1962 - Made the named-refused regex a bit less restrictive in order to match logs
 1963   with "view". Thanks to Stephen Gildea.
 1964 - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714
 1965 
 1966 ver. 0.8.3 (2008/07/17) - stable
 1967 ----------
 1968 - Process failtickets as long as failmanager is not empty.
 1969 - Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav
 1970   Halchenko.
 1971 - Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
 1972 - Fixed PID file while started in daemon mode. Thanks to Christian Jobic who
 1973   submitted a similar patch.
 1974 - Fixed `fail2ban-client get <jail> logpath`. Bug #1916986.
 1975 - Added gssftpd filter. Thanks to Kevin Zembower.
 1976 - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis
 1977   Winter.
 1978 - Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
 1979 - Added ISO 8601 date/time format.
 1980 - Added and changed some logging level and messages.
 1981 - Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
 1982 - Use poll instead of select in asyncore.loop. This should solve the "Unknown
 1983   error 514". Thanks to Michael Geiger and Klaus Lehmann.
 1984 
 1985 ver. 0.8.2 (2008/03/06) - stable
 1986 ----------
 1987 - Fixed named filter. Thanks to Yaroslav Halchenko
 1988 - Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
 1989 - Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
 1990 - Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be
 1991   possible to create stronger failregex against log injection
 1992 - Fixed ipfw action script. Thanks to Nick Munger
 1993 - Removed date from logging message when using SYSLOG. Thanks to Iain Lea
 1994 - Fixed "ignore IPs". Only the first value was taken into account. Thanks to
 1995   Adrien Clerc
 1996 - Moved socket to `/var/run/fail2ban`.
 1997 - Rewrote the communication server.
 1998 - Refactoring. Reduced number of files.
 1999 - Removed Python 2.4. Minimum required version is now Python 2.3.
 2000 - New log rotation detection algorithm.
 2001 - Print monitored files in status.
 2002 - Create a PID file in `/var/run/fail2ban/`. Thanks to Julien Perez.
 2003 - Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks
 2004   to Yaroslav Halchenko for the fix.
 2005 - `reload <jail>` reloads a single jail and the parameters in fail2ban.conf.
 2006 - Added Mac OS/X startup script. Thanks to Bill Heaton.
 2007 - Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
 2008 - Replaced "echo" with "printf" in actions. Fix #1839673
 2009 - Replaced "reject" with "drop" in shorwall action. Fix #1854875
 2010 - Fixed Debian bug #456567, #468477, #462060, #461426
 2011 - readline is now optional in fail2ban-client (not needed in fail2ban-server).
 2012 
 2013 ver. 0.8.1 (2007/08/14) - stable
 2014 ----------
 2015 - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
 2016 - Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
 2017 - Improved regular expressions. Thanks to Yaroslav Halchenko and others
 2018 - Added sendmail actions. The action started with "mail" are now deprecated.
 2019   Thanks to Raphaël Marichez
 2020 - Added "ignoreregex" support to fail2ban-regex
 2021 - Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
 2022 - Tightening up the pid check in redhat-initd. Thanks to David Nutter
 2023 - Added webmin authentication filter. Thanks to Guillaume Delvit
 2024 - Removed textToDns() which is not required anymore. Thanks to Yaroslav
 2025   Halchenko
 2026 - Added new action iptables-allports. Thanks to Yaroslav Halchenko
 2027 - Added "named" date format to date detector. Thanks to Yaroslav Halchenko
 2028 - Added filter file for named (bind9). Thanks to Yaroslav Halchenko
 2029 - Fixed vsftpd filter. Thanks to Yaroslav Halchenko
 2030 
 2031 ver. 0.8.0 (2007/05/03) - stable
 2032 ----------
 2033 - Fixed RedHat init script. Thanks to Jonathan Underwood
 2034 - Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner
 2035 
 2036 ver. 0.7.9 (2007/04/19) - release candidate
 2037 ----------
 2038 - Close opened handlers. Thanks to Yaroslav Halchenko
 2039 - Fixed "reload" bug. Many many thanks to Yaroslav Halchenko
 2040 - Added date format for asctime without year
 2041 - Modified filters config. Thanks to Michael C. Haller
 2042 - Fixed a small bug in mail-buffered.conf
 2043 
 2044 ver. 0.7.8 (2007/03/21) - release candidate
 2045 ----------
 2046 - Fixed asctime pattern in datedetector.py
 2047 - Added new filters/actions. Thanks to Yaroslav Halchenko
 2048 - Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
 2049 - Moved every locking statements in a try..finally block
 2050 
 2051 ver. 0.7.7 (2007/02/08) - release candidate
 2052 ----------
 2053 - Added signal handling in fail2ban-client
 2054 - Added a wonderful visual effect when waiting on the server
 2055 - fail2ban-client returns an error code if configuration is not valid
 2056 - Added new filters/actions. Thanks to Yaroslav Halchenko
 2057 - Call Python interpreter directly (instead of using "env")
 2058 - Added file support to fail2ban-regex. Benchmark feature has been removed
 2059 - Added cacti script and template.
 2060 - Added IP list in "status <JAIL>". Thanks to Eric Gerbier
 2061 
 2062 ver. 0.7.6 (2007/01/04) - beta
 2063 ----------
 2064 - Added a "sleep 1" in redhat-initd. Thanks to Jim Wight
 2065 - Use `/dev/log` for SYSLOG output. Thanks to Joerg Sommrey
 2066 - Use numeric output for iptables in "actioncheck"
 2067 - Fixed removal of host in hosts.deny. Thanks to René Berber
 2068 - Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
 2069 - Several "failregex" and "ignoreregex" are now accepted. Creation of rules
 2070   should be easier now.
 2071 - Added license in COPYING. Thanks to Axel Thimm
 2072 - Allow comma in action options. The value of the option must be escaped with "
 2073   or '. Thanks to Yaroslav Halchenko
 2074 - Now Fail2ban goes in `/usr/share/fail2ban` instead of `/usr/lib/fail2ban`. This is
 2075   more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko
 2076 
 2077 ver. 0.7.5 (2006/12/07) - beta
 2078 ----------
 2079 - Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
 2080 - The supported tags in "action(un)ban" are `<ip>`, `<failures>` and `<time>`
 2081 - Fixed refactoring bug (getLastcommand -> getLastAction)
 2082 - Added option "ignoreregex" in filter scripts and `jail.conf`.
 2083   Feature Request #1283304
 2084 - Fixed a bug in user defined time regex/pattern
 2085 - Improved documentation
 2086 - Moved `version.py` and `protocol.py` to `common/`
 2087 - Merged "maxtime" option with "findtime"
 2088 - Added `<HOST>` tag support in failregex which matches default IP
 2089   address/hostname. `(?P<host>\S)` is still valid and supported
 2090 - Fixed exception when calling fail2ban-server with unknown option
 2091 - Fixed Debian bug 400162. The "socket" option is now handled correctly by
 2092   `fail2ban-client`
 2093 - Fixed RedHat init script. Thanks to Justin Shore
 2094 - Changed timeout to 30 secondes before assuming the server cannot be started.
 2095   Thanks to Joël Bertrand
 2096 
 2097 ver. 0.7.4 (2006/11/01) - beta
 2098 ----------
 2099 - Improved configuration files. Thanks to Yaroslav Halchenko
 2100 - Added man page for "fail2ban-regex"
 2101 - Moved ban/unban messages from "info" level to "warn"
 2102 - Added "-s" option to specify the socket path and "socket" option in
 2103   "fail2ban.conf"
 2104 - Added "backend" option in "jail.conf"
 2105 - Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph
 2106   Haas
 2107 - Improved testing framework
 2108 - Fixed a bug in the return code handling of the executed commands. Thanks to
 2109   Yaroslav Halchenko
 2110 - Signal handling. There is a bug with join() and signal in Python
 2111 - Better debugging output for "fail2ban-regex"
 2112 - Added support for more date format
 2113 - cPickle does not work with Python 2.5. Use pickle instead (performance is not
 2114   a problem in our case)
 2115 
 2116 ver. 0.7.3 (2006/09/28) - beta
 2117 ----------
 2118 - Added man pages. Thanks to Yaroslav Halchenko
 2119 - Added wildcard support for "logpath"
 2120 - Added Gamin (file and directory monitoring system) support
 2121 - (Re)added "ignoreip" option
 2122 - Added more concurrency protection
 2123 - First attempt at solving bug #1457620 (locale issue)
 2124 - Performance improvements
 2125 - (Re)added permanent banning with banTime < 0
 2126 - Added DNS support to "ignoreip". Feature Request #1285859
 2127 
 2128 ver. 0.7.2 (2006/09/10) - beta
 2129 ----------
 2130 - Refactoring and code cleanup
 2131 - Improved client output
 2132 - Added more get/set commands
 2133 - Added more configuration templates
 2134 - Removed "logpath" and "maxretry" from filter templates. They must be defined
 2135   in jail.conf now
 2136 - Added interactive mode. Use "-i"
 2137 - Added a date detector. "timeregex" and "timepattern" are no more needed
 2138 - Added "fail2ban-regex". This is a tool to help finding "failregex"
 2139 - Improved server communication. Start a new thread for each incoming request.
 2140   Fail2ban is not really thread-safe yet
 2141 
 2142 ver. 0.7.1 (2006/08/23) - alpha
 2143 ----------
 2144 - Fixed daemon mode bug
 2145 - Added Gentoo init.d script
 2146 - Fixed path bug when trying to start "fail2ban-server"
 2147 - Fixed reload command
 2148 
 2149 ver. 0.7.0 (2006/08/23) - alpha
 2150 ----------
 2151 - Almost a complete rewrite :) Fail2ban design is really better (IMHO). There is
 2152   a lot of new features
 2153 - Client/Server architecture
 2154 - Multithreading. Each jail has its own threads: one for the log reading and
 2155   another for the actions
 2156 - Execute several actions
 2157 - Split configuration files. They are more readable and easy to use
 2158 - failregex uses group (<host>) now. This feature was already present in the
 2159   Debian package
 2160 - lots of things...
 2161 
 2162 ver. 0.6.1 (2006/03/16) - stable
 2163 ----------
 2164 - Added permanent banning. Set banTime to a negative value to enable this
 2165   feature (-1 is perfect). Thanks to Mannone
 2166 - Fixed locale bug. Thanks to Fernando José
 2167 - Fixed crash when time format does not match data
 2168 - Propagated patch from Debian to fix fail2ban search path addition to the path
 2169   search list: now it is added first. Thanks to Nick Craig-Wood
 2170 - Added SMTP authentification for mail notification. Thanks to Markus Hoffmann
 2171 - Removed debug mode as it is confusing for people
 2172 - Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark
 2173   Edgington
 2174 - Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick
 2175   Börjesson
 2176 - Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local
 2177   network.
 2178 - Robust startup: if iptables module does not get fully initialized after
 2179   startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its
 2180   own firewall. It will sleep between attempts for "polltime" number of seconds
 2181   (closes Debian: #334272). Thanks to Yaroslav Halchenko
 2182 - Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser
 2183   module. Old configuration files still work. Thanks to Yaroslav Halchenko
 2184 - Added initial support for hosts.deny and shorewall. Need more testing. Please
 2185   test. Thanks to kojiro from Gentoo forum for hosts.deny support
 2186 - Added support for vsftpd. Thanks to zugeschmiert
 2187 
 2188 ver. 0.6.0 (2005/11/20) - stable
 2189 ----------
 2190 - Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
 2191   * Added an option to report local time (including timezone) or GMT in mail
 2192     notification.
 2193 
 2194 ver. 0.5.5 (2005/10/26) - beta
 2195 ----------
 2196 - Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
 2197   * Introduced fwcheck option to verify consistency of the chains. Implemented
 2198     automatic restart of fail2ban main function in case check of fwban or
 2199     fwunban command failed (closes: #329163, #331695). (Introduced patch was
 2200     further adjusted by upstream author).
 2201   * Added -f command line parameter for [findtime].
 2202   * Added a cleanup of firewall rules on emergency shutdown when unknown
 2203     exception is catched.
 2204   * Fail2ban should not crash now if a wrong file name is specified in config.
 2205   * reordered code a bit so that log targets are setup right after background
 2206     and then only loglevel (verbose, debug) is processed, so the warning could
 2207     be seen in the logs
 2208   * Added a keyword `<section>` in parsing of the subject and the body of an email
 2209     sent out by fail2ban (closes: #330311)
 2210 
 2211 ver. 0.5.4 (2005/09/13) - beta
 2212 ----------
 2213 - Fixed bug #1286222.
 2214 - Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
 2215   * Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target
 2216     and facility as directed by the config
 2217   * Format of SYSLOG entries fixed to look closer to standard
 2218   * Fixed errata in config/gentoo-confd
 2219   * Introduced findtime configuration variable to control the lifetime of caught
 2220     "failed" log entries
 2221 
 2222 ver. 0.5.3 (2005/09/08) - beta
 2223 ----------
 2224 - Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav
 2225   Halchenko
 2226 - Added more debug output if an error occurs when sending mail. Thanks to
 2227   Stephen Gildea
 2228 - Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to
 2229   Stephen Gildea
 2230 - Hopefully fixed bug #1256075
 2231 - Fixed bug #1262345
 2232 - Fixed exception handling in PIDLock
 2233 - Removed warning when using "-V" or "-h" with no config file. Thanks to
 2234   Yaroslav Halchenko
 2235 - Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko
 2236 
 2237 ver. 0.5.2 (2005/08/06) - beta
 2238 ----------
 2239 - Better PID lock file handling. Should close #1239562
 2240 - Added man pages
 2241 - Removed log4py dependency. Use logging module instead
 2242 - "maxretry" and "bantime" can be overridden in each section
 2243 - Fixed bug #1246278 (excessive memory usage)
 2244 - Fixed crash on wrong option value in configuration file
 2245 - Changed custom chains to lowercase
 2246 
 2247 ver. 0.5.1 (2005/07/23) - beta
 2248 ----------
 2249 - Fixed bugs #1241756, #1239557
 2250 - Added log targets in configuration file. Removed -l option
 2251 - Changed iptables rules in order to create a separated chain for each section
 2252 - Fixed static banList in firewall.py
 2253 - Added an initd script for Debian. Thanks to Yaroslav Halchenko
 2254 - Check for obsolete files after install
 2255 
 2256 ver. 0.5.0 (2005/07/12) - beta
 2257 ----------
 2258 - Added support for CIDR mask in ignoreip
 2259 - Added mail notification support
 2260 - Fixed bug #1234699
 2261 - Added tags replacement in rules definition. Should allow a clean solution for
 2262   Feature Request #1229479
 2263 - Removed "interface" and "firewall" options
 2264 - Added start and end commands in the configuration file. Thanks to Yaroslav
 2265   Halchenko
 2266 - Added firewall rules definition in the configuration file
 2267 - Cleaned fail2ban.py
 2268 - Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin
 2269 
 2270 ver. 0.4.1 (2005/06/30) - stable
 2271 ----------
 2272 - Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...".
 2273   Thanks to Tom Pike
 2274 - `fail2ban.conf` modified for readability. Thanks to Iain Lea
 2275 - Added an initd script for Gentoo
 2276 - Changed default PID lock file location from `/tmp` to `/var/run`
 2277 
 2278 ver. 0.4.0 (2005/04/24) - stable
 2279 ----------
 2280 - Fixed textToDNS which did not recognize strings like
 2281   "12-345-67-890.abcd.mnopqr.xyz"
 2282 
 2283 ver. 0.3.1 (2005/03/31) - beta
 2284 ----------
 2285 - Corrected level of messages
 2286 - Added DNS lookup support
 2287 - Improved parsing speed. Only parse the new log messages
 2288 - Added a second verbose level (-vv)
 2289 
 2290 ver. 0.3.0 (2005/02/24) - beta
 2291 ----------
 2292 - Re-writting of parts of the code in order to handle several log files with
 2293   different rules
 2294 - Removed `sshd.py` because it is no more needed
 2295 - Fixed a bug when exiting with IP in the ban list
 2296 - Added PID lock file
 2297 - Improved some parts of the code
 2298 - Added `ipfw-start-rule` option (thanks to Robert Edeker)
 2299 - Added -k option which kills a currently running Fail2Ban
 2300 
 2301 ver. 0.1.2 (2004/11/21) - beta
 2302 ----------
 2303 - Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to
 2304   Robert Edeker
 2305 - Add -e option which allows to set the interface. Thanks to Robert Edeker who
 2306   reminded me this
 2307 - Small code cleaning
 2308 
 2309 ver. 0.1.1 (2004/10/23) - beta
 2310 ----------
 2311 - Add SIGTERM handler in order to exit nicely when in daemon mode
 2312 - Add -r option which allows to set the maximum number of login failures
 2313 - Remove the Metalog class as the log file are not so syslog daemon specific
 2314 - Rewrite log reader to be service centered. Sshd support added. Match "Failed
 2315   password" and "Illegal user"
 2316 - Add `/etc/fail2ban.conf` configuration support
 2317 - Code documentation
 2318 
 2319 ver. 0.1.0 (2004/10/12) - alpha
 2320 ----------
 2321 - Initial release