Difference between revisions of "ChangeLog"

From Fail2ban
Jump to: navigation, search
(Updated)
(0.8.1)
Line 1: Line 1:
 
This is the complete [[ChangeLog]] which contains changes to the stable and unstable branches.
 
This is the complete [[ChangeLog]] which contains changes to the stable and unstable branches.
  
                __      _ _ ___ _
+
<pre>
              / _|__ _(_) |_  ) |__  __ _ _ _
+
              __      _ _ ___ _
              |  _/ _` | | |/ /| '_ \/ _` | ' \
+
              / _|__ _(_) |_  ) |__  __ _ _ _
              |_| \__,_|_|_/___|_.__/\__,_|_||_|
+
            |  _/ _` | | |/ /| '_ \/ _` | ' \
+
            |_| \__,_|_|_/___|_.__/\__,_|_||_|
=============================================================
+
 
Fail2Ban (version 0.8.0)                          2007/05/03
+
=============================================================
=============================================================
+
Fail2Ban (version 0.8.1)                          2007/08/14
+
=============================================================
ver. 0.8.0 (2007/05/03) - stable
+
 
----------
+
ver. 0.8.1 (2007/08/14) - stable
- Fixed RedHat init script. Thanks to Jonathan Underwood
+
----------
- Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner
+
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
+
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
ver. 0.7.9 (2007/04/19) - release candidate
+
- Improved regular expressions. Thanks to Yaroslav Halchenko
----------
+
  and others
- Close opened handlers. Thanks to Yaroslav Halchenko
+
- Added sendmail actions. The action started with "mail" are
- Fixed "reload" bug. Many many thanks to Yaroslav Halchenko
+
  now deprecated. Thanks to Raphaël Marichez
- Added date format for asctime without year
+
- Added "ignoreregex" support to fail2ban-regex
- Modified filters config. Thanks to Michael C. Haller
+
- Updated suse-initd and added it to MANIFEST. Thanks to
- Fixed a small bug in mail-buffered.conf
+
  Christian Rauch
+
- Tightening up the pid check in redhat-initd. Thanks to
ver. 0.7.8 (2007/03/21) - release candidate
+
  David Nutter
----------
+
- Added webmin authentication filter. Thanks to Guillaume
- Fixed asctime pattern in datedetector.py
+
  Delvit
- Added new filters/actions. Thanks to Yaroslav Halchenko
+
- Removed textToDns() which is not required anymore. Thanks
- Added Suse init script and modified gentoo-initd. Thanks to
+
  to Yaroslav Halchenko
  Christian Rauch
+
- Added new action iptables-allports. Thanks to Yaroslav
- Moved every locking statements in a try..finally block
+
  Halchenko
+
- Added "named" date format to date detector. Thanks to
ver. 0.7.7 (2007/02/08) - release candidate
+
  Yaroslav Halchenko
----------
+
- Added filter file for named (bind9). Thanks to Yaroslav
- Added signal handling in fail2ban-client
+
  Halchenko
- Added a wonderful visual effect when waiting on the server
+
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
- fail2ban-client returns an error code if configuration is
+
 
  not valid
+
ver. 0.8.0 (2007/05/03) - stable
- Added new filters/actions. Thanks to Yaroslav Halchenko
+
----------
- Call Python interpreter directly (instead of using "env")
+
- Fixed RedHat init script. Thanks to Jonathan Underwood
- Added file support to fail2ban-regex. Benchmark feature has
+
- Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner
  been removed
+
 
- Added cacti script and template.
+
ver. 0.7.9 (2007/04/19) - release candidate
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier
+
----------
+
- Close opened handlers. Thanks to Yaroslav Halchenko
ver. 0.7.6 (2007/01/04) - beta
+
- Fixed "reload" bug. Many many thanks to Yaroslav Halchenko
----------
+
- Added date format for asctime without year
- Added a "sleep 1" in redhat-initd. Thanks to Jim Wight
+
- Modified filters config. Thanks to Michael C. Haller
- Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
+
- Fixed a small bug in mail-buffered.conf
- Use numeric output for iptables in "actioncheck"
+
 
- Fixed removal of host in hosts.deny. Thanks to René Berber
+
ver. 0.7.8 (2007/03/21) - release candidate
- Added new date format (2006-12-21 06:43:20) and Exim4
+
----------
  filter. Thanks to mEDI
+
- Fixed asctime pattern in datedetector.py
- Several "failregex" and "ignoreregex" are now accepted.
+
- Added new filters/actions. Thanks to Yaroslav Halchenko
  Creation of rules should be easier now.
+
- Added Suse init script and modified gentoo-initd. Thanks to
- Added license in COPYING. Thanks to Axel Thimm
+
  Christian Rauch
- Allow comma in action options. The value of the option must
+
- Moved every locking statements in a try..finally block
  be escaped with " or '. Thanks to Yaroslav Halchenko
+
 
- Now Fail2ban goes in /usr/share/fail2ban instead of
+
ver. 0.7.7 (2007/02/08) - release candidate
  /usr/lib/fail2ban. This is more compliant with FHS. Thanks
+
----------
  to Axel Thimm and Yaroslav Halchenko
+
- Added signal handling in fail2ban-client
+
- Added a wonderful visual effect when waiting on the server
ver. 0.7.5 (2006/12/07) - beta
+
- fail2ban-client returns an error code if configuration is
----------
+
  not valid
- Do not ban a host that is currently banned. Thanks to
+
- Added new filters/actions. Thanks to Yaroslav Halchenko
  Yaroslav Halchenko
+
- Call Python interpreter directly (instead of using "env")
- The supported tags in "action(un)ban" are <ip>, <failures>
+
- Added file support to fail2ban-regex. Benchmark feature has
  and <time>
+
  been removed
- Fixed refactoring bug (getLastcommand -> getLastAction)
+
- Added cacti script and template.
- Added option "ignoreregex" in filter scripts and jail.conf.
+
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier
  Feature Request #1283304
+
 
- Fixed a bug in user defined time regex/pattern
+
ver. 0.7.6 (2007/01/04) - beta
- Improved documentation
+
----------
- Moved version.py and protocol.py to common/
+
- Added a "sleep 1" in redhat-initd. Thanks to Jim Wight
- Merged "maxtime" option with "findtime"
+
- Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
- Added "<HOST>" tag support in failregex which matches
+
- Use numeric output for iptables in "actioncheck"
  default IP address/hostname. "(?P<host>\S)" is still valid
+
- Fixed removal of host in hosts.deny. Thanks to René Berber
  and supported
+
- Added new date format (2006-12-21 06:43:20) and Exim4
- Fixed exception when calling fail2ban-server with unknown
+
  filter. Thanks to mEDI
  option
+
- Several "failregex" and "ignoreregex" are now accepted.
- Fixed Debian bug 400162. The "socket" option is now handled
+
  Creation of rules should be easier now.
  correctly by fail2ban-client
+
- Added license in COPYING. Thanks to Axel Thimm
- Fixed RedHat init script. Thanks to Justin Shore
+
- Allow comma in action options. The value of the option must
- Changed timeout to 30 secondes before assuming the server
+
  be escaped with " or '. Thanks to Yaroslav Halchenko
  cannot be started. Thanks to Joël Bertrand
+
- Now Fail2ban goes in /usr/share/fail2ban instead of
+
  /usr/lib/fail2ban. This is more compliant with FHS. Thanks
ver. 0.7.4 (2006/11/01) - beta
+
  to Axel Thimm and Yaroslav Halchenko
----------
+
 
- Improved configuration files. Thanks to Yaroslav Halchenko
+
ver. 0.7.5 (2006/12/07) - beta
- Added man page for "fail2ban-regex"
+
----------
- Moved ban/unban messages from "info" level to "warn"
+
- Do not ban a host that is currently banned. Thanks to
- Added "-s" option to specify the socket path and "socket"
+
  Yaroslav Halchenko
  option in "fail2ban.conf"
+
- The supported tags in "action(un)ban" are <ip>, <failures>
- Added "backend" option in "jail.conf"
+
  and <time>
- Added more filters/actions and jail samples. Thanks to Nick
+
- Fixed refactoring bug (getLastcommand -> getLastAction)
  Munger, Christoph Haas
+
- Added option "ignoreregex" in filter scripts and jail.conf.
- Improved testing framework
+
  Feature Request #1283304
- Fixed a bug in the return code handling of the executed
+
- Fixed a bug in user defined time regex/pattern
  commands. Thanks to Yaroslav Halchenko
+
- Improved documentation
- Signal handling. There is a bug with join() and signal in
+
- Moved version.py and protocol.py to common/
  Python
+
- Merged "maxtime" option with "findtime"
- Better debugging output for "fail2ban-regex"
+
- Added "<HOST>" tag support in failregex which matches
- Added support for more date format
+
  default IP address/hostname. "(?P<host>\S)" is still valid
- cPickle does not work with Python 2.5. Use pickle instead
+
  and supported
  (performance is not a problem in our case)
+
- Fixed exception when calling fail2ban-server with unknown
+
  option
ver. 0.7.3 (2006/09/28) - beta
+
- Fixed Debian bug 400162. The "socket" option is now handled
----------
+
  correctly by fail2ban-client
- Added man pages. Thanks to Yaroslav Halchenko
+
- Fixed RedHat init script. Thanks to Justin Shore
- Added wildcard support for "logpath"
+
- Changed timeout to 30 secondes before assuming the server
- Added Gamin (file and directory monitoring system) support
+
  cannot be started. Thanks to Joël Bertrand
- (Re)added "ignoreip" option
+
 
- Added more concurrency protection
+
ver. 0.7.4 (2006/11/01) - beta
- First attempt at solving bug #1457620 (locale issue)
+
----------
- Performance improvements
+
- Improved configuration files. Thanks to Yaroslav Halchenko
- (Re)added permanent banning with banTime < 0
+
- Added man page for "fail2ban-regex"
- Added DNS support to "ignoreip". Feature Request #1285859
+
- Moved ban/unban messages from "info" level to "warn"
+
- Added "-s" option to specify the socket path and "socket"
ver. 0.7.2 (2006/09/10) - beta
+
  option in "fail2ban.conf"
----------
+
- Added "backend" option in "jail.conf"
- Refactoring and code cleanup
+
- Added more filters/actions and jail samples. Thanks to Nick
- Improved client output
+
  Munger, Christoph Haas
- Added more get/set commands
+
- Improved testing framework
- Added more configuration templates
+
- Fixed a bug in the return code handling of the executed
- Removed "logpath" and "maxretry" from filter templates.
+
  commands. Thanks to Yaroslav Halchenko
  They must be defined in jail.conf now
+
- Signal handling. There is a bug with join() and signal in
- Added interactive mode. Use "-i"
+
  Python
- Added a date detector. "timeregex" and "timepattern" are no
+
- Better debugging output for "fail2ban-regex"
  more needed
+
- Added support for more date format
- Added "fail2ban-regex". This is a tool to help finding
+
- cPickle does not work with Python 2.5. Use pickle instead
  "failregex"
+
  (performance is not a problem in our case)
- Improved server communication. Start a new thread for each
+
 
  incoming request. Fail2ban is not really thread-safe yet
+
ver. 0.7.3 (2006/09/28) - beta
+
----------
ver. 0.7.1 (2006/08/23) - alpha
+
- Added man pages. Thanks to Yaroslav Halchenko
----------
+
- Added wildcard support for "logpath"
- Fixed daemon mode bug
+
- Added Gamin (file and directory monitoring system) support
- Added Gentoo init.d script
+
- (Re)added "ignoreip" option
- Fixed path bug when trying to start "fail2ban-server"
+
- Added more concurrency protection
- Fixed reload command
+
- First attempt at solving bug #1457620 (locale issue)
+
- Performance improvements
ver. 0.7.0 (2006/08/23) - alpha
+
- (Re)added permanent banning with banTime < 0
----------
+
- Added DNS support to "ignoreip". Feature Request #1285859
- Almost a complete rewrite :) Fail2ban design is really
+
 
  better (IMHO). There is a lot of new features
+
ver. 0.7.2 (2006/09/10) - beta
- Client/Server architecture
+
----------
- Multithreading. Each jail has its own threads: one for the
+
- Refactoring and code cleanup
  log reading and another for the actions
+
- Improved client output
- Execute several actions
+
- Added more get/set commands
- Split configuration files. They are more readable and easy
+
- Added more configuration templates
  to use
+
- Removed "logpath" and "maxretry" from filter templates.
- failregex uses group (<host>) now. This feature was already
+
  They must be defined in jail.conf now
  present in the Debian package
+
- Added interactive mode. Use "-i"
- lots of things...
+
- Added a date detector. "timeregex" and "timepattern" are no
+
  more needed
ver. 0.6.2 (2006/12/11) - stable
+
- Added "fail2ban-regex". This is a tool to help finding
----------
+
  "failregex"
- Fixed UTF-8 log file parsing
+
- Improved server communication. Start a new thread for each
- Propagated patches introduced by Debian maintainer  
+
  incoming request. Fail2ban is not really thread-safe yet
  (Yaroslav Halchenko):
+
 
  * Made locale configurable
+
ver. 0.7.1 (2006/08/23) - alpha
  * Fixed warning if ignoreip is empty
+
----------
- Added named group "host" for "failregex". Fixed security
+
- Fixed daemon mode bug
  vulnerability CVE-2006-6302
+
- Added Gentoo init.d script
+
- Fixed path bug when trying to start "fail2ban-server"
ver. 0.6.1 (2006/03/16) - stable
+
- Fixed reload command
----------
+
 
- Added permanent banning. Set banTime to a negative value to
+
ver. 0.7.0 (2006/08/23) - alpha
  enable this feature (-1 is perfect). Thanks to Mannone
+
----------
- Fixed locale bug. Thanks to Fernando José
+
- Almost a complete rewrite :) Fail2ban design is really
- Fixed crash when time format does not match data
+
  better (IMHO). There is a lot of new features
- Propagated patch from Debian to fix fail2ban search path
+
- Client/Server architecture
  addition to the path search list: now it is added first.
+
- Multithreading. Each jail has its own threads: one for the
  Thanks to Nick Craig-Wood
+
  log reading and another for the actions
- Added SMTP authentification for mail notification. Thanks
+
- Execute several actions
  to Markus Hoffmann
+
- Split configuration files. They are more readable and easy
- Removed debug mode as it is confusing for people
+
  to use
- Added parsing of timestamp in TAI64N format (#1275325).
+
- failregex uses group (<host>) now. This feature was already
  Thanks to Mark Edgington
+
  present in the Debian package
- Added patch #1382936 (Default formatted syslog logging).
+
- lots of things...
  Thanks to Patrick Börjesson
+
 
- Removed 192.168.0.0/16 from ignoreip. Attacks could also
+
ver. 0.6.2 (2006/12/11) - stable
  come from the local network.
+
----------
- Robust startup: if iptables module does not get fully
+
- Fixed UTF-8 log file parsing
  initialized after startup of fail2ban, fail2ban will do
+
- Propagated patches introduced by Debian maintainer  
  "maxreinit" attempts to initialize its own firewall. It
+
  (Yaroslav Halchenko):
  will sleep between attempts for "polltime" number of
+
  * Made locale configurable
  seconds (closes Debian: #334272). Thanks to Yaroslav
+
  * Fixed warning if ignoreip is empty
  Halchenko
+
- Added named group "host" for "failregex". Fixed security
- Added "interpolations" in fail2ban.conf. This is provided
+
  vulnerability CVE-2006-6302
  by the ConfigParser module. Old configuration files still
+
 
  work. Thanks to Yaroslav Halchenko
+
ver. 0.6.1 (2006/03/16) - stable
- Added initial support for hosts.deny and shorewall. Need
+
----------
  more testing. Please test. Thanks to kojiro from Gentoo
+
- Added permanent banning. Set banTime to a negative value to
  forum for hosts.deny support
+
  enable this feature (-1 is perfect). Thanks to Mannone
- Added support for vsftpd. Thanks to zugeschmiert
+
- Fixed locale bug. Thanks to Fernando José
+
- Fixed crash when time format does not match data
ver. 0.6.0 (2005/11/20) - stable
+
- Propagated patch from Debian to fix fail2ban search path
----------
+
  addition to the path search list: now it is added first.
- Propagated patches introduced by Debian maintainer
+
  Thanks to Nick Craig-Wood
  (Yaroslav Halchenko):
+
- Added SMTP authentification for mail notification. Thanks
  * Added an option to report local time (including timezone)
+
  to Markus Hoffmann
    or GMT in mail notification.
+
- Removed debug mode as it is confusing for people
+
- Added parsing of timestamp in TAI64N format (#1275325).
ver. 0.5.5 (2005/10/26) - beta
+
  Thanks to Mark Edgington
----------
+
- Added patch #1382936 (Default formatted syslog logging).
- Propagated patches introduced by Debian maintainer
+
  Thanks to Patrick Börjesson
  (Yaroslav Halchenko):
+
- Removed 192.168.0.0/16 from ignoreip. Attacks could also
  * Introduced fwcheck option to verify consistency of the
+
  come from the local network.
    chains. Implemented automatic restart of fail2ban main
+
- Robust startup: if iptables module does not get fully
    function in case check of fwban or fwunban command failed
+
  initialized after startup of fail2ban, fail2ban will do
    (closes: #329163, #331695). (Introduced patch was further
+
  "maxreinit" attempts to initialize its own firewall. It
    adjusted by upstream author).
+
  will sleep between attempts for "polltime" number of
  * Added -f command line parameter for [findtime].
+
  seconds (closes Debian: #334272). Thanks to Yaroslav
  * Added a cleanup of firewall rules on emergency shutdown
+
  Halchenko
    when unknown exception is catched.
+
- Added "interpolations" in fail2ban.conf. This is provided
  * Fail2ban should not crash now if a wrong file name is
+
  by the ConfigParser module. Old configuration files still
    specified in config.
+
  work. Thanks to Yaroslav Halchenko
  * reordered code a bit so that log targets are setup right
+
- Added initial support for hosts.deny and shorewall. Need
    after background and then only loglevel (verbose, debug)
+
  more testing. Please test. Thanks to kojiro from Gentoo
    is processed, so the warning could be seen in the logs
+
  forum for hosts.deny support
  * Added a keyword <section> in parsing of the subject and
+
- Added support for vsftpd. Thanks to zugeschmiert
    the body of an email sent out by fail2ban (closes:
+
 
    #330311)
+
ver. 0.6.0 (2005/11/20) - stable
+
----------
ver. 0.5.4 (2005/09/13) - beta
+
- Propagated patches introduced by Debian maintainer
----------
+
  (Yaroslav Halchenko):
- Fixed bug #1286222.
+
  * Added an option to report local time (including timezone)
- Propagated patches introduced by Debian maintainer
+
    or GMT in mail notification.
  (Yaroslav Halchenko):
+
 
  * Fixed handling of SYSLOG logging target. Now it can log
+
ver. 0.5.5 (2005/10/26) - beta
    to any SYSLOG target and facility as directed by the
+
----------
    config
+
- Propagated patches introduced by Debian maintainer
  * Format of SYSLOG entries fixed to look closer to standard
+
  (Yaroslav Halchenko):
  * Fixed errata in config/gentoo-confd
+
  * Introduced fwcheck option to verify consistency of the
  * Introduced findtime configuration variable to control the
+
    chains. Implemented automatic restart of fail2ban main
    lifetime of caught "failed" log entries
+
    function in case check of fwban or fwunban command failed
+
    (closes: #329163, #331695). (Introduced patch was further
ver. 0.5.3 (2005/09/08) - beta
+
    adjusted by upstream author).
----------
+
  * Added -f command line parameter for [findtime].
- Fixed a bug when overriding "maxfailures" or "bantime".
+
  * Added a cleanup of firewall rules on emergency shutdown
  Thanks to Yaroslav Halchenko
+
    when unknown exception is catched.
- Added more debug output if an error occurs when sending
+
  * Fail2ban should not crash now if a wrong file name is
  mail. Thanks to Stephen Gildea
+
    specified in config.
- Renamed "maxretry" to "maxfailures" and changed default
+
  * reordered code a bit so that log targets are setup right
  value to 5. Thanks to Stephen Gildea
+
    after background and then only loglevel (verbose, debug)
- Hopefully fixed bug #1256075
+
    is processed, so the warning could be seen in the logs
- Fixed bug #1262345
+
  * Added a keyword <section> in parsing of the subject and
- Fixed exception handling in PIDLock
+
    the body of an email sent out by fail2ban (closes:
- Removed warning when using "-V" or "-h" with no config
+
    #330311)
  file. Thanks to Yaroslav Halchenko
+
 
- Removed "-i eth0" from config file. Thanks to Yaroslav
+
ver. 0.5.4 (2005/09/13) - beta
  Halchenko
+
----------
+
- Fixed bug #1286222.
ver. 0.5.2 (2005/08/06) - beta
+
- Propagated patches introduced by Debian maintainer
----------
+
  (Yaroslav Halchenko):
- Better PID lock file handling. Should close #1239562
+
  * Fixed handling of SYSLOG logging target. Now it can log
- Added man pages
+
    to any SYSLOG target and facility as directed by the
- Removed log4py dependency. Use logging module instead
+
    config
- "maxretry" and "bantime" can be overridden in each section
+
  * Format of SYSLOG entries fixed to look closer to standard
- Fixed bug #1246278 (excessive memory usage)
+
  * Fixed errata in config/gentoo-confd
- Fixed crash on wrong option value in configuration file
+
  * Introduced findtime configuration variable to control the
- Changed custom chains to lowercase
+
    lifetime of caught "failed" log entries
+
 
ver. 0.5.1 (2005/07/23) - beta
+
ver. 0.5.3 (2005/09/08) - beta
----------
+
----------
- Fixed bugs #1241756, #1239557
+
- Fixed a bug when overriding "maxfailures" or "bantime".
- Added log targets in configuration file. Removed -l option
+
  Thanks to Yaroslav Halchenko
- Changed iptables rules in order to create a separated chain
+
- Added more debug output if an error occurs when sending
  for each section
+
  mail. Thanks to Stephen Gildea
- Fixed static banList in firewall.py
+
- Renamed "maxretry" to "maxfailures" and changed default
- Added an initd script for Debian. Thanks to Yaroslav
+
  value to 5. Thanks to Stephen Gildea
  Halchenko
+
- Hopefully fixed bug #1256075
- Check for obsolete files after install
+
- Fixed bug #1262345
+
- Fixed exception handling in PIDLock
ver. 0.5.0 (2005/07/12) - beta
+
- Removed warning when using "-V" or "-h" with no config
----------
+
  file. Thanks to Yaroslav Halchenko
- Added support for CIDR mask in ignoreip
+
- Removed "-i eth0" from config file. Thanks to Yaroslav
- Added mail notification support
+
  Halchenko
- Fixed bug #1234699
+
 
- Added tags replacement in rules definition. Should allow a
+
ver. 0.5.2 (2005/08/06) - beta
  clean solution for Feature Request #1229479
+
----------
- Removed "interface" and "firewall" options
+
- Better PID lock file handling. Should close #1239562
- Added start and end commands in the configuration file.
+
- Added man pages
  Thanks to Yaroslav Halchenko
+
- Removed log4py dependency. Use logging module instead
- Added firewall rules definition in the configuration file
+
- "maxretry" and "bantime" can be overridden in each section
- Cleaned fail2ban.py
+
- Fixed bug #1246278 (excessive memory usage)
- Added an initd script for RedHat/Fedora. Thanks to Andrey
+
- Fixed crash on wrong option value in configuration file
  G. Grozin
+
- Changed custom chains to lowercase
+
 
ver. 0.4.1 (2005/06/30) - stable
+
ver. 0.5.1 (2005/07/23) - beta
----------
+
----------
- Fixed textToDNS method which generated wrong matches for
+
- Fixed bugs #1241756, #1239557
  "rhost=12-xyz...". Thanks to Tom Pike
+
- Added log targets in configuration file. Removed -l option
- fail2ban.conf modified for readability. Thanks to Iain Lea
+
- Changed iptables rules in order to create a separated chain
- Added an initd script for Gentoo
+
  for each section
- Changed default PID lock file location from /tmp to
+
- Fixed static banList in firewall.py
  /var/run
+
- Added an initd script for Debian. Thanks to Yaroslav
+
  Halchenko
ver. 0.4.0 (2005/04/24) - stable
+
- Check for obsolete files after install
----------
+
 
- Fixed textToDNS which did not recognize strings like
+
ver. 0.5.0 (2005/07/12) - beta
  "12-345-67-890.abcd.mnopqr.xyz"
+
----------
+
- Added support for CIDR mask in ignoreip
ver. 0.3.1 (2005/03/31) - beta
+
- Added mail notification support
----------
+
- Fixed bug #1234699
- Corrected level of messages
+
- Added tags replacement in rules definition. Should allow a
- Added DNS lookup support
+
  clean solution for Feature Request #1229479
- Improved parsing speed. Only parse the new log messages
+
- Removed "interface" and "firewall" options
- Added a second verbose level (-vv)
+
- Added start and end commands in the configuration file.
+
  Thanks to Yaroslav Halchenko
ver. 0.3.0 (2005/02/24) - beta
+
- Added firewall rules definition in the configuration file
----------
+
- Cleaned fail2ban.py
- Re-writting of parts of the code in order to handle several
+
- Added an initd script for RedHat/Fedora. Thanks to Andrey
  log files with different rules
+
  G. Grozin
- Removed sshd.py because it is no more needed
+
 
- Fixed a bug when exiting with IP in the ban list
+
ver. 0.4.1 (2005/06/30) - stable
- Added PID lock file
+
----------
- Improved some parts of the code
+
- Fixed textToDNS method which generated wrong matches for
- Added ipfw-start-rule option (thanks to Robert Edeker)
+
  "rhost=12-xyz...". Thanks to Tom Pike
- Added -k option which kills a currently running Fail2Ban
+
- fail2ban.conf modified for readability. Thanks to Iain Lea
+
- Added an initd script for Gentoo
ver. 0.1.2 (2004/11/21) - beta
+
- Changed default PID lock file location from /tmp to
----------
+
  /var/run
- Add ipfw and ipfwadm support. The rules are taken from
+
 
  BlockIt. Thanks to Robert Edeker
+
ver. 0.4.0 (2005/04/24) - stable
- Add -e option which allows to set the interface. Thanks to
+
----------
  Robert Edeker who reminded me this
+
- Fixed textToDNS which did not recognize strings like
- Small code cleaning
+
  "12-345-67-890.abcd.mnopqr.xyz"
+
 
ver. 0.1.1 (2004/10/23) - beta
+
ver. 0.3.1 (2005/03/31) - beta
----------
+
----------
- Add SIGTERM handler in order to exit nicely when in daemon
+
- Corrected level of messages
  mode
+
- Added DNS lookup support
- Add -r option which allows to set the maximum number of
+
- Improved parsing speed. Only parse the new log messages
  login failures
+
- Added a second verbose level (-vv)
- Remove the Metalog class as the log file are not so syslog
+
 
  daemon specific
+
ver. 0.3.0 (2005/02/24) - beta
- Rewrite log reader to be service centered. Sshd support
+
----------
  added. Match "Failed password" and "Illegal user"
+
- Re-writting of parts of the code in order to handle several
- Add /etc/fail2ban.conf configuration support
+
  log files with different rules
- Code documentation
+
- Removed sshd.py because it is no more needed
+
- Fixed a bug when exiting with IP in the ban list
+
- Added PID lock file
ver. 0.1.0 (2004/10/12) - alpha
+
- Improved some parts of the code
----------
+
- Added ipfw-start-rule option (thanks to Robert Edeker)
- Initial release
+
- Added -k option which kills a currently running Fail2Ban
 +
 
 +
ver. 0.1.2 (2004/11/21) - beta
 +
----------
 +
- Add ipfw and ipfwadm support. The rules are taken from
 +
  BlockIt. Thanks to Robert Edeker
 +
- Add -e option which allows to set the interface. Thanks to
 +
  Robert Edeker who reminded me this
 +
- Small code cleaning
 +
 
 +
ver. 0.1.1 (2004/10/23) - beta
 +
----------
 +
- Add SIGTERM handler in order to exit nicely when in daemon
 +
  mode
 +
- Add -r option which allows to set the maximum number of
 +
  login failures
 +
- Remove the Metalog class as the log file are not so syslog
 +
  daemon specific
 +
- Rewrite log reader to be service centered. Sshd support
 +
  added. Match "Failed password" and "Illegal user"
 +
- Add /etc/fail2ban.conf configuration support
 +
- Code documentation
 +
 
 +
 
 +
ver. 0.1.0 (2004/10/12) - alpha
 +
----------
 +
- Initial release
 +
</pre>

Revision as of 23:11, 14 August 2007

This is the complete ChangeLog which contains changes to the stable and unstable branches.

               __      _ _ ___ _
              / _|__ _(_) |_  ) |__  __ _ _ _
             |  _/ _` | | |/ /| '_ \/ _` | ' \
             |_| \__,_|_|_/___|_.__/\__,_|_||_|

=============================================================
Fail2Ban (version 0.8.1)                           2007/08/14
=============================================================

ver. 0.8.1 (2007/08/14) - stable
----------
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
- Improved regular expressions. Thanks to Yaroslav Halchenko
  and others
- Added sendmail actions. The action started with "mail" are
  now deprecated. Thanks to Raphaël Marichez
- Added "ignoreregex" support to fail2ban-regex
- Updated suse-initd and added it to MANIFEST. Thanks to
  Christian Rauch
- Tightening up the pid check in redhat-initd. Thanks to
  David Nutter
- Added webmin authentication filter. Thanks to Guillaume
  Delvit
- Removed textToDns() which is not required anymore. Thanks
  to Yaroslav Halchenko
- Added new action iptables-allports. Thanks to Yaroslav
  Halchenko
- Added "named" date format to date detector. Thanks to
  Yaroslav Halchenko
- Added filter file for named (bind9). Thanks to Yaroslav
  Halchenko
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko

ver. 0.8.0 (2007/05/03) - stable
----------
- Fixed RedHat init script. Thanks to Jonathan Underwood
- Added Solaris 10 files. Thanks to Hanno 'Rince' Wagner

ver. 0.7.9 (2007/04/19) - release candidate
----------
- Close opened handlers. Thanks to Yaroslav Halchenko
- Fixed "reload" bug. Many many thanks to Yaroslav Halchenko
- Added date format for asctime without year
- Modified filters config. Thanks to Michael C. Haller
- Fixed a small bug in mail-buffered.conf

ver. 0.7.8 (2007/03/21) - release candidate
----------
- Fixed asctime pattern in datedetector.py
- Added new filters/actions. Thanks to Yaroslav Halchenko
- Added Suse init script and modified gentoo-initd. Thanks to
  Christian Rauch
- Moved every locking statements in a try..finally block

ver. 0.7.7 (2007/02/08) - release candidate
----------
- Added signal handling in fail2ban-client
- Added a wonderful visual effect when waiting on the server
- fail2ban-client returns an error code if configuration is
  not valid
- Added new filters/actions. Thanks to Yaroslav Halchenko
- Call Python interpreter directly (instead of using "env")
- Added file support to fail2ban-regex. Benchmark feature has
  been removed
- Added cacti script and template.
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier

ver. 0.7.6 (2007/01/04) - beta
----------
- Added a "sleep 1" in redhat-initd. Thanks to Jim Wight
- Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
- Use numeric output for iptables in "actioncheck"
- Fixed removal of host in hosts.deny. Thanks to René Berber
- Added new date format (2006-12-21 06:43:20) and Exim4
  filter. Thanks to mEDI
- Several "failregex" and "ignoreregex" are now accepted.
  Creation of rules should be easier now.
- Added license in COPYING. Thanks to Axel Thimm
- Allow comma in action options. The value of the option must
  be escaped with " or '. Thanks to Yaroslav Halchenko
- Now Fail2ban goes in /usr/share/fail2ban instead of
  /usr/lib/fail2ban. This is more compliant with FHS. Thanks
  to Axel Thimm and Yaroslav Halchenko

ver. 0.7.5 (2006/12/07) - beta
----------
- Do not ban a host that is currently banned. Thanks to
  Yaroslav Halchenko
- The supported tags in "action(un)ban" are <ip>, <failures>
  and <time>
- Fixed refactoring bug (getLastcommand -> getLastAction)
- Added option "ignoreregex" in filter scripts and jail.conf.
  Feature Request #1283304
- Fixed a bug in user defined time regex/pattern
- Improved documentation
- Moved version.py and protocol.py to common/
- Merged "maxtime" option with "findtime"
- Added "<HOST>" tag support in failregex which matches
  default IP address/hostname. "(?P<host>\S)" is still valid
  and supported
- Fixed exception when calling fail2ban-server with unknown
  option
- Fixed Debian bug 400162. The "socket" option is now handled
  correctly by fail2ban-client
- Fixed RedHat init script. Thanks to Justin Shore
- Changed timeout to 30 secondes before assuming the server
  cannot be started. Thanks to Joël Bertrand

ver. 0.7.4 (2006/11/01) - beta
----------
- Improved configuration files. Thanks to Yaroslav Halchenko
- Added man page for "fail2ban-regex"
- Moved ban/unban messages from "info" level to "warn"
- Added "-s" option to specify the socket path and "socket"
  option in "fail2ban.conf"
- Added "backend" option in "jail.conf"
- Added more filters/actions and jail samples. Thanks to Nick
  Munger, Christoph Haas
- Improved testing framework
- Fixed a bug in the return code handling of the executed
  commands. Thanks to Yaroslav Halchenko
- Signal handling. There is a bug with join() and signal in
  Python
- Better debugging output for "fail2ban-regex"
- Added support for more date format
- cPickle does not work with Python 2.5. Use pickle instead
  (performance is not a problem in our case)

ver. 0.7.3 (2006/09/28) - beta
----------
- Added man pages. Thanks to Yaroslav Halchenko
- Added wildcard support for "logpath"
- Added Gamin (file and directory monitoring system) support
- (Re)added "ignoreip" option
- Added more concurrency protection
- First attempt at solving bug #1457620 (locale issue)
- Performance improvements
- (Re)added permanent banning with banTime < 0
- Added DNS support to "ignoreip". Feature Request #1285859

ver. 0.7.2 (2006/09/10) - beta
----------
- Refactoring and code cleanup
- Improved client output
- Added more get/set commands
- Added more configuration templates
- Removed "logpath" and "maxretry" from filter templates.
  They must be defined in jail.conf now
- Added interactive mode. Use "-i"
- Added a date detector. "timeregex" and "timepattern" are no
  more needed
- Added "fail2ban-regex". This is a tool to help finding
  "failregex"
- Improved server communication. Start a new thread for each
  incoming request. Fail2ban is not really thread-safe yet

ver. 0.7.1 (2006/08/23) - alpha
----------
- Fixed daemon mode bug
- Added Gentoo init.d script
- Fixed path bug when trying to start "fail2ban-server"
- Fixed reload command

ver. 0.7.0 (2006/08/23) - alpha
----------
- Almost a complete rewrite :) Fail2ban design is really
  better (IMHO). There is a lot of new features
- Client/Server architecture
- Multithreading. Each jail has its own threads: one for the
  log reading and another for the actions
- Execute several actions
- Split configuration files. They are more readable and easy
  to use
- failregex uses group (<host>) now. This feature was already
  present in the Debian package
- lots of things...

ver. 0.6.2 (2006/12/11) - stable
----------
- Fixed UTF-8 log file parsing
- Propagated patches introduced by Debian maintainer 
  (Yaroslav Halchenko):
  * Made locale configurable
  * Fixed warning if ignoreip is empty
- Added named group "host" for "failregex". Fixed security
  vulnerability CVE-2006-6302

ver. 0.6.1 (2006/03/16) - stable
----------
- Added permanent banning. Set banTime to a negative value to
  enable this feature (-1 is perfect). Thanks to Mannone
- Fixed locale bug. Thanks to Fernando José
- Fixed crash when time format does not match data
- Propagated patch from Debian to fix fail2ban search path
  addition to the path search list: now it is added first.
  Thanks to Nick Craig-Wood
- Added SMTP authentification for mail notification. Thanks
  to Markus Hoffmann
- Removed debug mode as it is confusing for people
- Added parsing of timestamp in TAI64N format (#1275325).
  Thanks to Mark Edgington
- Added patch #1382936 (Default formatted syslog logging).
  Thanks to Patrick Börjesson
- Removed 192.168.0.0/16 from ignoreip. Attacks could also
  come from the local network.
- Robust startup: if iptables module does not get fully
  initialized after startup of fail2ban, fail2ban will do
  "maxreinit" attempts to initialize its own firewall. It
  will sleep between attempts for "polltime" number of
  seconds (closes Debian: #334272). Thanks to Yaroslav
  Halchenko
- Added "interpolations" in fail2ban.conf. This is provided
  by the ConfigParser module. Old configuration files still
  work. Thanks to Yaroslav Halchenko
- Added initial support for hosts.deny and shorewall. Need
  more testing. Please test. Thanks to kojiro from Gentoo
  forum for hosts.deny support
- Added support for vsftpd. Thanks to zugeschmiert

ver. 0.6.0 (2005/11/20) - stable
----------
- Propagated patches introduced by Debian maintainer
  (Yaroslav Halchenko):
  * Added an option to report local time (including timezone)
    or GMT in mail notification.

ver. 0.5.5 (2005/10/26) - beta
----------
- Propagated patches introduced by Debian maintainer
  (Yaroslav Halchenko):
  * Introduced fwcheck option to verify consistency of the
    chains. Implemented automatic restart of fail2ban main
    function in case check of fwban or fwunban command failed
    (closes: #329163, #331695). (Introduced patch was further
    adjusted by upstream author).
  * Added -f command line parameter for [findtime].
  * Added a cleanup of firewall rules on emergency shutdown
    when unknown exception is catched.
  * Fail2ban should not crash now if a wrong file name is
    specified in config.
  * reordered code a bit so that log targets are setup right
    after background and then only loglevel (verbose, debug)
    is processed, so the warning could be seen in the logs
  * Added a keyword <section> in parsing of the subject and
    the body of an email sent out by fail2ban (closes:
    #330311)

ver. 0.5.4 (2005/09/13) - beta
----------
- Fixed bug #1286222.
- Propagated patches introduced by Debian maintainer
  (Yaroslav Halchenko):
  * Fixed handling of SYSLOG logging target. Now it can log
    to any SYSLOG target and facility as directed by the
    config
  * Format of SYSLOG entries fixed to look closer to standard
  * Fixed errata in config/gentoo-confd
  * Introduced findtime configuration variable to control the
    lifetime of caught "failed" log entries

ver. 0.5.3 (2005/09/08) - beta
----------
- Fixed a bug when overriding "maxfailures" or "bantime".
  Thanks to Yaroslav Halchenko
- Added more debug output if an error occurs when sending
  mail. Thanks to Stephen Gildea
- Renamed "maxretry" to "maxfailures" and changed default
  value to 5. Thanks to Stephen Gildea
- Hopefully fixed bug #1256075
- Fixed bug #1262345
- Fixed exception handling in PIDLock
- Removed warning when using "-V" or "-h" with no config
  file. Thanks to Yaroslav Halchenko
- Removed "-i eth0" from config file. Thanks to Yaroslav
  Halchenko

ver. 0.5.2 (2005/08/06) - beta
----------
- Better PID lock file handling. Should close #1239562
- Added man pages
- Removed log4py dependency. Use logging module instead
- "maxretry" and "bantime" can be overridden in each section
- Fixed bug #1246278 (excessive memory usage)
- Fixed crash on wrong option value in configuration file
- Changed custom chains to lowercase

ver. 0.5.1 (2005/07/23) - beta
----------
- Fixed bugs #1241756, #1239557
- Added log targets in configuration file. Removed -l option
- Changed iptables rules in order to create a separated chain
  for each section
- Fixed static banList in firewall.py
- Added an initd script for Debian. Thanks to Yaroslav
  Halchenko
- Check for obsolete files after install

ver. 0.5.0 (2005/07/12) - beta
----------
- Added support for CIDR mask in ignoreip
- Added mail notification support
- Fixed bug #1234699
- Added tags replacement in rules definition. Should allow a
  clean solution for Feature Request #1229479
- Removed "interface" and "firewall" options
- Added start and end commands in the configuration file.
  Thanks to Yaroslav Halchenko
- Added firewall rules definition in the configuration file
- Cleaned fail2ban.py
- Added an initd script for RedHat/Fedora. Thanks to Andrey
  G. Grozin

ver. 0.4.1 (2005/06/30) - stable
----------
- Fixed textToDNS method which generated wrong matches for
  "rhost=12-xyz...". Thanks to Tom Pike
- fail2ban.conf modified for readability. Thanks to Iain Lea
- Added an initd script for Gentoo
- Changed default PID lock file location from /tmp to
  /var/run

ver. 0.4.0 (2005/04/24) - stable
----------
- Fixed textToDNS which did not recognize strings like
  "12-345-67-890.abcd.mnopqr.xyz"

ver. 0.3.1 (2005/03/31) - beta
----------
- Corrected level of messages
- Added DNS lookup support
- Improved parsing speed. Only parse the new log messages
- Added a second verbose level (-vv)

ver. 0.3.0 (2005/02/24) - beta
----------
- Re-writting of parts of the code in order to handle several
  log files with different rules
- Removed sshd.py because it is no more needed
- Fixed a bug when exiting with IP in the ban list
- Added PID lock file
- Improved some parts of the code
- Added ipfw-start-rule option (thanks to Robert Edeker)
- Added -k option which kills a currently running Fail2Ban

ver. 0.1.2 (2004/11/21) - beta
----------
- Add ipfw and ipfwadm support. The rules are taken from
  BlockIt. Thanks to Robert Edeker
- Add -e option which allows to set the interface. Thanks to
  Robert Edeker who reminded me this
- Small code cleaning

ver. 0.1.1 (2004/10/23) - beta
----------
- Add SIGTERM handler in order to exit nicely when in daemon
  mode
- Add -r option which allows to set the maximum number of
  login failures
- Remove the Metalog class as the log file are not so syslog
  daemon specific
- Rewrite log reader to be service centered. Sshd support
  added. Match "Failed password" and "Illegal user"
- Add /etc/fail2ban.conf configuration support
- Code documentation


ver. 0.1.0 (2004/10/12) - alpha
----------
- Initial release