backend, filter and action parameters (if they are partially incorrect), because fail2ban could throw an error now (doesn't silently bypass it anymore).
-E 'set escape' (e. g. with mailcmd parameter), see gh-3059
--disable-2to3 anymore, ./fail2ban-2to3 should be called outside before setup
actioncheck behavior (gh-488), some actions can be incompatible as regards the invariant check, if actionban or actionunban would not throw an error (exit code different from 0) in case of unsane environment.
<ip> (instead of <fid> or <F-ID>) to get failure-ID may become incompatible, if filter uses IP-related tags (like <ADDR> or <HOST>) additionally to <F-ID> and the values are different (gh-3217)
systemd:
<matches>) between timestamp and host if the message read from systemd journal, gh-3293
pyinotify: fixes sporadic runtime error "dictionary changed size during iteration"
paths-debian.conf:
action.d/firewallcmd-*.conf (multiport only): fixed port range selector, replacing : with -; reverted the incompatibility gh-3047 introduced in a038fd5, gh-2821, because this depends now on firewalld backend (e. g. - vs. : related to iptables vs. nftables)
action.d/nginx-block-map.conf: reload nginx only if it is running (also avoid error in nginx-errorlog, gh-2949)
action.d/ufw.conf:
filter.d/apache-fakegooglebot.conf:
filter.d/ignorecommands/apache-fakegooglebot - added timeout parameter (default 55 seconds), avoid fail with timeout (default 1 minute) by reverse lookup on some slow DNS services (googlebots must be resolved fast), gh-2951
filter.d/apache-overflows.conf - extended to match AH00126 error (Invalid URI ...), gh-2908
filter.d/asterisk.conf - add transport to asterisk RE: call rejection messages can have the transport prefixed to the IP address, gh-2913
filter.d/courier-auth.conf:
filter.d/dovecot.conf:
read(size=...) in message (gh-3210)
conn unix:auth-worker (uid=143): auth-worker<13247>: (authenticate from external service like exim), gh-2553
filter.d/drupal-auth.conf - more strict regex, extended to match "Login attempt failed from" (gh-2742)
filter.d/exim-common.conf - pid-prefix extended to match mx1 exim[...]: (gh-2553)
filter.d/lighttpd-auth.conf - adjusted to the current source code + avoiding catch-all's, etc (gh-3116)
filter.d/named-refused.conf:
filter.d/nginx-*.conf - added journalmatch to nginx filters, gh-2935
filter.d/nsd.conf - support for current log format, gh-2965
filter.d/postfix.conf: fixes and new vectors, review and combining several regex to single RE:
ddos (and aggressive) extended:
exre-user= supplied in filter parameters
[A-Z]{4}, e. g. no matter what a command is supplied now (RCPT, EHLO, VRFY, DATA, BDAT or something else)
filter.d/sendmail-auth.conf:
filter.d/sendmail-reject.conf:
filter.d/sshd.conf:
ddos extended - recognizes messages "kex_exchange_identification: Connection closed / reset by peer", gh-3086 (fixed possible regression of f77398c)
ddos extended - recognizes new message "banner exchange: invalid format" generated by port scanner (https payload on ssh port), gh-3169
filter.d/zoneminder.conf - support new log format (ERR instead of WAR), add detection of non-existent user login attempts, gh-2984
--dump-pretty option which never worked (only --dp was working)
actioncheck behavior is changed now (gh-488), so invariant check as well as restore or repair of sane environment (in case of recognized unsane state) would only occur on action errors (e. g. if ban or unban operations are exiting with a code other than 0)
%Z must recognize zone abbreviation Z (GMT/UTC) also (similar to %z)
%Z recognizes all known zone abbreviations besides Z, GMT, UTC correctly, if it is matching (%z remains unchanged for backwards-compatibility, see comment in code)
%ExY and %Exy accept every year from 19xx up to current century (+3 years) in fail2ban-regex
%ExY and %Exy
<ip> and <fid> (<F-ID>), if IP-address deviates from ID then the value of <ip> is not equal to <fid> anymore (gh-3217)
<jail.found>, <jail.found_total> - current and total found failures
<jail.banned>, <jail.banned_total> - current and total bans
filter.d/monitorix.conf - added new filter and jail for Monitorix, gh-2679
filter.d/mssql-auth.conf - new filter and jail for Microsoft SQL Server, gh-2642
filter.d/nginx-bad-request.conf - added filter to find bad requests (400), gh-2750
filter.d/nginx-http-auth.conf - extended with parameter mode, so additionally to auth (or normal) mode fallback (or combined as aggressive) can find SSL errors while SSL handshaking, gh-2881
filter.d/scanlogd.conf - new filter and jail, add support for filtering out detected port scans via scanlogd, gh-2950
action.d/apprise.conf - added Apprise support (50+ Notifications), gh-2565
action.d/badips.* - removed actions, badips.com is no longer active, gh-2889
action.d/cloudflare.conf - better IPv6 capability, gh-2891
action.d/cloudflare-token.conf - added support for Cloudflare Token APIs. This method is more restrictive and therefore safer than using API Keys.
action.d/ipthreat.conf - new action for IPThreat integration, gh-3349
action.d/ufw.conf (gh-3018):
add (default prepend), can be supplied as insert 1 for ufw versions before v.0.36 (gh-2331, gh-3018)
kill-mode and kill to drop established connections of intruder (see action for details, gh-3018)
iptables and iptables-ipset actions extended to support multiple protocols with single action for multiport or oneport type (back-ported from nftables action);
iptables actions are more breakdown-safe: start wouldn't fail if chain or rule already exists (e. g. created by previous instance and not purged properly); ultimately closes gh-980
ipset actions are more breakdown-safe: start wouldn't fail if set with this name already exists (e. g. created by previous instance and not deleted properly)
iptables and iptables-ipset actions using internals of iptables include:
-C, option --check is available long time);
iptables-ipset-proto6-* now (which become obsolete now);
allowipv6 (default auto), can be used to allow or disallow IPv6 interface in fail2ban immediately by start (e. g. if fail2ban starts before network interfaces), gh-2804
%(fail2ban_confpath)s (automatically substituted from config-reader path, default /etc/fail2ban or /usr/local/etc/fail2ban depending on distribution); ignorecommands_dir is unneeded anymore, thus removed from paths-common.conf, fixes gh-3005
fail2ban-regex: accepts filter parameters containing new-line

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2022-955a27c4a0
This update has been submitted for testing by hobbes1069.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by hobbes1069.
This update has been pushed to stable.