author | sebres <serg.brester@sebres.de> | 2017-10-12 14:11:39 +0200 |
---|---|---|
committer | sebres <serg.brester@sebres.de> | 2017-10-12 14:11:39 +0200 |
commit | 017a1bc039aa6ab688810b8c27a9e181b20bdf8d (patch) | |
tree | 2875f8b366dbd85ca9d98474358df250942f5748 | |
parent | 028f32b74b50ae163cbfb1d228d9a8c09ed51ed8 (diff) | |
parent | abb2feafe7e186833221e27fe2ddeb87d7080ef0 (diff) | |
Merge remote-tracking branch 'remotes/gh-upstream/debian' into debian-0.10debian-0.10
30 files changed, 2126 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 00000000..3d436fc6
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,79 @@ +fail2ban (0.9.0+git48-gabcab00-1) experimental; urgency=low + + [ Yaroslav Halchenko ] + * This version went through big refactoring which allowed to gain new + features such as multiline matching (see upstream's changelog for more + information). + * Although .local files are still supported, customizations are advised + to be provided under corresponding .d/ directories. E.g. see + /etc/fail2ban/jail.d/defaults-debian.conf which is where now sshd + jail is enabled by default to match previous behavior of Fail2Ban in + Debian. + + [ Daniel Schaal ] + * All jails definitions were rewritten to become more concise and uniform. + From this version on log paths are defined in distro specific files, + for Debian this is in /etc/fail2ban/paths-debian.conf. + + -- Yaroslav Halchenko <debian@onerussian.com> Tue, 25 Mar 2014 08:38:31 -0400 + +fail2ban (0.8.11-1) unstable; urgency=low + + * retroactive for 0.8.9: by default iptables-* actions do not simply + DROP packets from offending IP but rather reject with + icmp-port-unreachable. If DROP behaviour is preferable, provide + config/action.d/iptables-blocktype.local with [Init] section defining + blocktype = DROP or override action definition to provide + blocktype=DROP option in jail.local + * Many failregex's were tight-up in this release which could + theoretically effect operation in comparison to previous release(s). + + -- Yaroslav Halchenko <debian@onerussian.com> Sat, 16 Nov 2013 22:27:50 -0500 + +fail2ban (0.8.4-3) unstable; urgency=low + + * Jail named-refused-udp is unsafe and opens possibility for easy DoS, + thus discouraged to be used, and commented out (see #583364 for more + information). 
+ + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 28 Jun 2010 22:12:22 -0400 + +fail2ban (0.7.1-0.2) unstable; urgency=low + + fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you + customized any of provided configuration or startup files + (/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban), + please read further. The configuration scheme has changed upstream: + 0.7 ignores /etc/fail2ban.conf and instead uses a split configuration + under /etc/fail2ban/. To retain your customizations, for example to + monitor anything other than sshd, you will need to set them under that + new directory; use *.local files for customizations. Please see + /usr/share/doc/fail2ban/README.Debian.gz and + http://fail2ban.sourceforge.net for further description of new + configuration scheme. Detailed documentation is under development (see + #400416). When you are satisfied with the new settings, please delete + /etc/fail2ban.conf to avoid confusion. + + Fail2ban 0.7 uses client/server architecture and fail2ban-client is to + substitute fail2ban command to provide an interface between the user and + fail2ban-server. That is why some command line parameters present in + fail2ban 0.6 are invalid in fail2ban-client. Such change affects + /etc/default/fail2ban; you should review that file if you customized it. + Please enable sections as directed in README.Debian.gz mentioned above. + You must use newly shipped init.d/fail2ban, or otherwise fail2ban will + not start. + + This note was rewritten in release 0.7.5-2 to clarify its meaning. + + -- Yaroslav Halchenko <debian@onerussian.com> Sat, 9 Dec 2006 18:24:36 -0500 + +fail2ban (0.6.0-4) unstable; urgency=low + + In this version the new section ApacheAttacks was introduced to ban IPs + which are found to run some known attack on the host. For now it captures + just awstats and mambo related attacks. To make this feature work, the bug of + wrongly specified timeregexp for Apache's access.log file was fixed. 
+ Besides that group of log files has changed to be adm, and now they are + readable by the group. + + -- Yaroslav Halchenko <debian@onerussian.com> Fri, 10 Feb 2006 13:05:07 -0500 diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 00000000..a8922861 --- /dev/null +++ b/debian/README.Debian 
@@ -0,0 +1,234 @@ +fail2ban (>=0.7.0) for Debian +----------------------------- + +This package is ~99% identical to the upstream version. Few features +could have been added but not yet propagated into upstream version and +some modifications might be Debian-specific. Debian specific jail.conf +file is shipped. Original upstream file is available from +/usr/share/doc/fail2ban/examples/jail.conf + +Currently, the major difference with upstream: python libraries are +placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to +comply with policy regarding architecture independent resources. + +Upgrade from 0.6 versions: +------------------------- + +* New Config Files Format: + +If you had introduced your own sections in /etc/fail2ban.conf, you +would need manually to convert them into a new format. At minimum you +need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files +for me and upstream please to avoid any conflicts -- introduce your +changes in .local) with failregex in [Definition] section. And provide +appropriate jail definition in /etc/fail2ban/jail.local + + +* Enabled Sections: + +Only handling of ssh files is enabled by default. If you want to use +fail2ban with apache, please enable apache section manually in +/etc/fail2ban/jail.local by including next lines: + +[apache] +enabled = true + +NOTE: -e command line parameter is non existent in 0.7.x + + +* Interpolations vs actions/filters parameters: + +For details see #398739 or wait for a closure of #400416 + +Every pair of .conf and then .local (if exists) files is read +separately from any other configuration file, so interpolations cannot +penetrate from jail.* into actions.d/*. To overcome this, it is +necessary to create a PARAMETER which can be substituted in actions +[Definition] section, if it is also defined in the [Init] section of +that file and is used in place of necessary allocation as <PARAMETER> +tag. 
Parameters can be specified in the definitions within +jail.{conf,local}. For instance, 1 lengthy example, where the same +name "fwchain" is used both as interpolation (in jail.local) and as a +parameter (in iptables-flex.local) (from #398739) + +==> /etc/fail2ban/jail.local <== +[DEFAULT] +action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s] +fwchain = INPUT +[ssh] +fwchain = ssh-tarpit +==> /etc/fail2ban/action.d/iptables-flex.local <== +[Definition] +actionstart = iptables -N fail2ban-<name> + iptables -I <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> + iptables -I <fwchain> -j <whitelist> +actionstop = iptables -D <fwchain> -j <whitelist> + iptables -D <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> + iptables -F fail2ban-<name> + iptables -X fail2ban-<name> +actioncheck = iptables -n -L <fwchain> | grep -q fail2ban-<name> +actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP +actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP +[Init] +whitelist = ssh-whitelist +fwchain = INPUT +name = default +port = ssh +protocol = tcp + + +* Multiport banning: Comment for #373592, #545971 + +iptables-multiport action is now default banaction (file jail.conf, to +be customized within jail.local). Therefore assure that you have built +multiport module if you use custom kernel. + +If you would like to ban all ports for that host, just redefine +fwban/fwunban commands to don't have --dport %(port)s statement at +all, or use shorewall, where actionban bans whole IP. + +* Blocking of NEW connections only +Comment for the wishlist #350746. + +It might be benefitial in some cases to ban only new connections. 
For +that just use iptables-new action instead of default banaction + +/etc/fail2ban/jail.local: + +[DEFAULT] +banaction=iptables-new + +(you can override banaction within interesting for you section). + Also you can redefine the whole action parameter if you like. + + +* Interaction with ipmasq + Comment to #461417 + +Although fail2ban should detect and recreate missing chains if the external +command wipes out iptables, it is better to explicitly to force-reload +fail2ban. For this reason there is examples/ipmasq-ZZZzzz|fail2ban.rul file is +shipped along to be installed under name ZZZzzz|fail2ban.rul within +/etc/ipmasq. + +* Interaction with logrotate with custom logtarget + Comment to #631917 + +if you use an alternative logtarget (e.g. SYSLOG) thus not using +/var/log/fail2ban.log you should divert logrotate configuration into +a disabled state, e.g. + +sudo dpkg-divert --rename --divert \ + /etc/logrotate.d/fail2ban.disabled /etc/logrotate.d/fail2ban + + +Troubleshooting: +--------------- + +* Updated failregex: + +To resolve the security bug #330827 [1] failregex expressions must +provide a named group (?P<host>...) as a placeholder of the abuser's +host. Alternative tag (since 0.7.5) can be "<HOST>". The naming of the +group was introduced to capture possible future generalizations of +failregex to provide even more information. + +[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827 + +You might benefit from using fail2ban-regex command shipped along to +construct and debug your failregex statements. + +* "Interpolations" in the config file: + +Since version 0.6.0-3 to reduce duplication, thus to improve +readability of the config file, interpolations provided by the module +ConfigParser are used. If you had custom sections defined before, you +might benefit from updating config file and adding appropriate +information for the new sections. + +N.B. 
If you have some nice additional sections defined, I would really +appreciate if you share them with me or upstream author, so they could +be eventually included in the fail2ban package for general use by the +rest of the community. + + +* Mailing: + +Since actions.d/mail*.conf commands rely on presence of "mail" +command, mailx package (or another package providing mailx +functionality such as mailutils) is required if those actions are +activated in jail.{conf,local}. + + +* Dirty exit: + +If firewall rules gets cleaned out before fail2ban exits (like was +happening with firestarter), errors get reported during the exit of +fail2ban, but they are "safe" and can be ignored. + + +** SSHD Configuration Specific Problems + +* Ban "Not allowed" attempts: + +Make sure that you have +ChallengeResponseAuthentication no +PasswordAuthentication yes + +Details from the bug report #350980 [2] + +[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350980 + + +* Not caught attempts to login as root + +On the boxes running older versions of openssh (e.g. sarge +distribution) in the case when PermitRootLogin is set to something +else than "yes" and iff AllowUsers is active, failed root logins do +not confirm to the standard logging message -- they omit the source +IP, thus allowing attack to persist since such messages are not caught +by fail2ban. + + +* Bantime: + +An IP is banned for "bantime" not since the last failed login attempt +from the IP, but rather since the moment when failed login was +detected by fail2ban. Thus, if fail2ban gets [re]started, any IP which +had enough of failed logins with durations less than "findtime" between +them prior to the [re]start moment, will be banned for +"bantime" since [re]start moment, not since the last failed login +time. + +* Findtime: + +"Findtime" option of a jail actually defines a duration to reset the +counter of failed login attempts, if no new attempt was detected within +that time frame (i.e. within "findtime"). 
+ +See +http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options +for more information on jail options. + + +* Syslog entries can be 'forged' by a regular user + +From +http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Possibility_of_DOS_attack_by_a_local_user + +Especially on systems which provide ssh/CGI/PHP services to unknown +users it is possible to block other users from ssh and probably other +access as a unprivileged user may issue: + +logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4' + +N.B. chmod o-x /usr/bin/logger should provide at least obfuscation +solution + +Or the malicious user may write via PHP's openlog()/syslog() to syslog. + +P.S. Anyone is welcome to recommend proper security solution to this +issue, such as an alternative to sysklogd which allows better control +over users logging to specific facilities (such as AUTH) + + -- Yaroslav Halchenko <debian@onerussian.com>, Fri, 15 Jul 2016 08:59:10 -0400 diff --git a/debian/TODO b/debian/TODO new file mode 100644 index 00000000..e96d3b23 --- /dev/null +++ b/debian/TODO @@ -0,0 +1,10 @@ +* completions installation + +W: fail2ban: package-installs-into-obsolete-dir etc/bash_completion.d/ : ^etc/bash_completion.d/ -> usr/share/bash-completion/completions (see also https://bugs.debian.org/776954) +W: fail2ban: package-installs-into-obsolete-dir etc/bash_completion.d/fail2ban : ^etc/bash_completion.d/ -> usr/share/bash-completion/completions (see also https://bugs.debian.org/776954) + +* Find proper answer to "Syslog entries can be 'forged' by a regular + user" mentioned in README.Debian + + -- Yaroslav O. Halchenko <debian@onerussian.com> Wed, 6 Dec 2006 22:14:26 -0500 + diff --git a/debian/backports/00list.sarge-backports b/debian/backports/00list.sarge-backports new file mode 100644 index 00000000..6d099e10 --- /dev/null +++ b/debian/backports/00list.sarge-backports @@ -0,0 +1 @@ +nopycentral.patch 
diff --git a/debian/backports/nopycentral.patch b/debian/backports/nopycentral.patch new file mode 100644 index 00000000..e4ac805d --- /dev/null +++ b/debian/backports/nopycentral.patch @@ -0,0 +1,40 @@ +diff -x '*~' -x .svn -Naur trunk/debian/control trunk.backports/debian/control +--- trunk/debian/control 2006-10-23 00:57:02.000000000 -0400 ++++ trunk.backports/debian/control 2006-12-04 08:45:25.000000000 -0500 +@@ -4,13 +4,13 @@ + Maintainer: Yaroslav Halchenko <debian@onerussian.com> + Uploaders: Barak Pearlmutter <bap@debian.org> + Build-Depends: debhelper (>= 5.0.37.2), dpatch +-Build-Depends-Indep: python, python-dev, help2man, python-central (>= 0.5.6) ++Build-Depends-Indep: python, python2.4, python2.4-dev, help2man + XS-Python-Version: current, >= 2.4 + Standards-Version: 3.7.2 + + Package: fail2ban + Architecture: all +-Depends: ${python:Depends}, iptables, lsb-base (>=2.0-7) ++Depends: python2.4, iptables, lsb-base (>=2.0-7) + Suggests: python-gamin + XB-Python-Version: ${python:Versions} + Description: bans IPs that cause multiple authentication errors +diff -x '*~' -x .svn -Naur trunk/debian/rules trunk.backports/debian/rules +--- trunk/debian/rules 2006-11-11 21:19:14.000000000 -0500 ++++ trunk.backports/debian/rules 2006-12-04 08:45:45.000000000 -0500 +@@ -39,7 +39,7 @@ + dh_installdirs + + # Add here commands to install the package into debian/fail2ban. +- python setup.py install --root=$(DESTDIR) --no-compile ++ python2.4 setup.py install --root=$(DESTDIR) --no-compile + #X Evil - must be removed after Debian switches over to 2.4, now + # distutils.setup will override the enterpreter line to /usr/bin/python + install fail2ban-server fail2ban-client $(DESTDIR)/usr/bin +@@ -62,7 +62,7 @@ + dh_installlogrotate + dh_installinit -- defaults 99 + dh_installman man/*.1 +- dh_pycentral ++ dh_python + dh_link + dh_compress + dh_fixperms diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000..462687b5 --- /dev/null 
+++ b/debian/changelog 
@@ -0,0 +1,1267 @@ +fail2ban (0.9.7-1) experimental; urgency=medium + + * Fresh upstream release, primarily bugfix but includes some enhancements + to regexes and new filters + + -- Yaroslav Halchenko <debian@onerussian.com> Wed, 10 May 2017 21:40:16 -0400 + +fail2ban (0.9.6-2) unstable; urgency=medium + + * debian/patches/changeset_a639f0b083c213bde4ff3dcfbbb9fbcab0dd55f8.diff + to resolve occasional FTBFSs if tzdata is not available (Closes: #855920) + + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 17 Apr 2017 10:27:28 -0400 + +fail2ban (0.9.6-1) unstable; urgency=medium + + * Fresh upstream release + - should resolve outstanding FTBFS (Closes: #835707) + + -- Yaroslav Halchenko <debian@onerussian.com> Fri, 09 Dec 2016 09:37:54 -0500 + +fail2ban (0.9.5-1) unstable; urgency=medium + + * Fresh upstream release + * debian/watch -- not using githubredir service any longer + + -- Yaroslav Halchenko <debian@onerussian.com> Thu, 14 Jul 2016 21:37:03 -0400 + +fail2ban (0.9.4-1) unstable; urgency=medium + + * Fresh upstream release. + Debian's release codename if-only-someone-helped-to-triage-DBTS + + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 07 Mar 2016 21:50:50 -0500 + +fail2ban (0.9.3-1) unstable; urgency=medium + + * Fresh upstream release + * debian/control -- adjusted description to mention what Recommends + and Suggests are good for (Closes: #767114) + + -- Yaroslav Halchenko <debian@onerussian.com> Fri, 31 Jul 2015 21:34:10 -0400 + +fail2ban (0.9.2-1) unstable; urgency=medium + + * Fresh release to celebrate jessie release and upload to unstable + * Moved python3-systemd to Recommends from Suggests given that systemd is + the default init system now. 
Should help people upgrading on Ubuntu 15.04 + as well + * Added regular python to Recommends since apache-fakegooglebot still python2 + + -- Yaroslav Halchenko <debian@onerussian.com> Wed, 29 Apr 2015 00:00:07 -0400 + +fail2ban (0.9.1+git44-gd65c4f8-1) experimental; urgency=medium + + [ Christoph Anton Mitterer ] + * Do not install the following configuration files which are not used within + the Debian package of fail2ban: + /etc/fail2ban/paths-fedora.conf + /etc/fail2ban/paths-freebsd.conf + /etc/fail2ban/paths-osx.conf + Closes: #767123 + + [ Yaroslav Halchenko ] + * New upstream snapshot from 0.9.1-44-gd65c4f8 + - carries a lot of fixes and improvements. Consult upstream ChangeLog + - debian's init file is now maintained in upstream codebase (for manual + deployments) + - provides monit (now Suggest'ed) file which is now gets installed + but not enabled by default: ln -s /etc/monit/{monitrc,conf}.d/fail2ban + to assure that fail2ban process is running + + -- Yaroslav Halchenko <debian@onerussian.com> Tue, 30 Dec 2014 18:32:16 -0500 + +fail2ban (0.9.1-1) unstable; urgency=medium + + * To become fresh upstream release (Closes: #742976) + - 0.9 series is quite a big leap in development, especially since 0.8.6 + which made it to previous Debian stable wheezy. Please consult upstream + ChangeLog about changes + * debian/control + - boost policy to 3.9.6 + + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 27 Oct 2014 21:52:56 -0400 + +fail2ban (0.9.0+git252-g47441d1-1) experimental; urgency=medium + + [ Yaroslav Halchenko ] + * New upstream snapshot from 0.9.0a2-814-g98dc084. 
+ + [ Daniel Schaal ] + * debian/{control,rules} + - switching to python3 as the interpreter for Fail2Ban so we could use + python3-systemd which is N/A for Python2 any longer + + -- Yaroslav Halchenko <debian@onerussian.com> Sun, 12 Oct 2014 16:45:36 -0400 + +fail2ban (0.9.0+git48-gabcab00-1) experimental; urgency=medium + + [ Daniel Schaal ] + * debian/ updated for 0.9 release + 0.9 release introduced big changes in internal organization (Python + module now), and new features, and stock jail.conf now follows + Debian's style, thus custom Debian jail.conf was deprecated. See NEWS + file and upstream ChangeLog for further details. + + [ Yaroslav Halchenko ] + * Post 0.9 release snapshot. + * debian/rules + - do not ignore tests failures + - run only tests not requiring network access + - nagios and cacti examples get installed + + -- Yaroslav Halchenko <debian@onerussian.com> Tue, 25 Mar 2014 00:43:46 -0400 + +fail2ban (0.8.13-1) unstable; urgency=low + + * New upstream bug-fix release: but consider 0.9.0 (to be uploaded to + experimental) + * debian/jail: + - new jail definitions: apache-modsecurity, apache-nohome, freeswitch, + ejabberd-auth, ssh-blocklist, nagios + - new configuration option: ignorecommand + * debian/post{inst,rm},preinst: + - [thanks to Daniel Schaal]: take care about renaming config files + - firewall-cmd-direct-new.conf to firewallcmd-new.conf which happened + in 0.8.11-29-g56b6bf7 + - lighttpd-fastcgi.conf to suhosin.conf and + sasl.conf to postfix-sasl.conf in the past 0.8.11 release + + -- Yaroslav Halchenko <debian@onerussian.com> Tue, 18 Mar 2014 23:13:35 -0400 + +fail2ban (0.8.12-1) UNRELEASED; urgency=low + + * New upstream release + - provides "fail2ban-client flushlogs" command, debian/fail2ban.logrotate + was adjusted to use it. Helps to mitigate #697333 + - removes indentation of name and loglevel while logging to SYSLOG + (Closes: #730202) + - fixes apache-common.conf (Closes: #739364) + * /etc/default/fail2ban -- minor typo. 
Thanks Vincent Lefevre for report + (Closes: #734421) + * debian/patches: + - dropping cherry-picked changeset* + + -- Yaroslav Halchenko <debian@onerussian.com> Fri, 07 Feb 2014 00:45:38 -0500 + +fail2ban (0.8.11-1) unstable; urgency=low + + * Fresh upstream release + - this release tightens all shipped filters to preclude + possible injections leading to targetted DoS attacks. + - omitted entry for ~pre release changelog: + - asterisk filter was fixed (Closes: #719662), + - nginx filter/jail added (Closes: #668064) + - better detection of log rotation in polling backend (Closes: #696087) + - includes sever name (uname -n) into subject of sendmail actions + (Closes: #709196) + * debian/jail.conf + - dropbear jail: use dropbear filter (instead of ssh) and monitor + auth.log instead of non-existing /var/log/dropbear (Closes: #620760) + * debian/NEWS + - information for change of default iptables action to REJECT now + (Closes: #711463) + * debian/patches + - changeset_d4f6ca4f8531f332bcb7ce3a89102f60afaaa08e.diff + post-release change to support native proftpd date format which + includes milliseconds (Closes: #648276) + - changeset_ac061155f093464fb6cd2329d3d513b15c68e256.diff + absorbed upstream + + -- Yaroslav Halchenko <debian@onerussian.com> Sun, 17 Nov 2013 17:29:06 -0500 + +fail2ban (0.8.11~pre1+git29-gccd2657-1) unstable; urgency=low + + * Snapshot of the upcoming new release candidate + - improves dovecot (Closes: #709324), wuftpd (Closes: #665925) + failregex'es + - provides support for OpenSSH 6.3 (Closes: #722970) + * debian/watch + - restrict version matching only to numbers and period (to exclude + alpha releases of 0.9 series) + * debian/jail.conf + - slightly adjusted for changes in master (suhosin replaced + lighttpd-auth filer name, and postfix-sasl for sasl) + - added nginx-http-auth. More jails to be adopted from upsream. 
+ + -- Yaroslav Halchenko <debian@onerussian.com> Sun, 10 Nov 2013 12:16:51 -0800 + +fail2ban (0.8.10-3) unstable; urgency=low + + * debian/jail.conf + - added "submission" (port 587) to all SMTP-related jails (Closes: + #714632). Thanks Tony den Haan for the report + + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 01 Jul 2013 14:36:24 -0400 + +fail2ban (0.8.10-2) unstable; urgency=low + + * debian/fail2ban.init: + - fixed handling of the return code from do_start/do_stop + - status calls would dump all output to /dev/null + * debian/jail.conf: + - pure-ftpd jail should monitor syslog not auth.log. Thanks Laurent + LĂ©onard for the report + + -- Yaroslav Halchenko <debian@onerussian.com> Fri, 21 Jun 2013 10:47:56 -0400 + +fail2ban (0.8.10-1) unstable; urgency=high + + * New upstream release + - addresses possible DoS for anyone enabling many of apache- filters + + -- Yaroslav Halchenko <debian@onerussian.com> Wed, 12 Jun 2013 13:31:29 -0400 + +fail2ban (0.8.9-1) unstable; urgency=low + + * New upstream release + - significant improvements in documentation (Closes: #400416) + - roundcube auth filter (Closes: #699442) + - enforces C locale for dates (Closes: #686341) + - provides bash_completion.d/fail2ban + * debian/jail.conf: + - added findtime and documentation on those basic options from jail.conf + (Closes: #704568) + - added new sample jails definitions for ssh-route, ssh-iptables-ipset{4,6}, + roundcube-auth, sogo-auth, mysqld-auth + * debian/control: + - suggest system-log-daemon (Closes: #691001) + - boost policy compliance to 3.9.4 + * debian/rules: + - run fail2ban's unittests at build time but ignore the failures + (there are still some known issues to fix up to guarantee robust testing + in clean chroots etc). 
+ Only pyinotify was added to build-depends since gamin might still be + buggy on older releases and get stuck, which would complicate + backporting + + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 13 May 2013 11:58:56 -0400 + +fail2ban (0.8.8-1+lucid0) UNRELEASED; urgency=low + + * Added lucid-dsc-patch to use pycentral on systems without dh_python2 + + -- Yaroslav Halchenko <debian@onerussian.com> Thu, 06 Dec 2012 12:52:30 -0500 + +fail2ban (0.8.8-1) experimental; urgency=low + + * Primarily a bugfix upstream release + + -- Yaroslav Halchenko <debian@onerussian.com> Wed, 05 Dec 2012 22:53:15 -0500 + +fail2ban (0.8.7.1-1) experimental; urgency=low + + * Minor upstream bugfix release + + -- Yaroslav Halchenko <debian@onerussian.com> Tue, 31 Jul 2012 21:46:19 -0400 + +fail2ban (0.8.7-1) experimental; urgency=low + + * New upstream release: + - inotify backend is supported (and the default if pyinotify is present). + It should bring number of wakeups to minimum (Closes: #481265) + - usedns jail.conf parameter to disable reverse DNS mapping to + avoid of DoS (see #588431, #514239 for related discussions) + - enforces non-unicode logging (Closes: #657286) + - new jail "recidive" to ban repeated offenders (Closes: #333557) + - catch failed ssh logins due to being listed in DenyUsers (Closes: #669063) + - document in config/*.conf on how to inline comments (Closes: #676146) + - match possibly present "pam_unix(sshd:auth):" portion for sshd + (Closes: #648020) + - wu-ftpd: added failregex for use against syslog. 
Switch to monitor syslog + (instead of auth.log) by default (Closes: #514239) + - anchor chain name in actioncheck's for iptables actions (Closes: #672228) + * debian/jail.conf: + - adopted few jails from "upstreams" jail.conf: asterisk, recidive, + lighttpd, php-url-open + - provide instructions in jail.conf on how to comment (Closes: #676146) + Thanks Stefano Forli for a report + * debian/fail2ban.init: + - Should-(start|stop): iptables-persistent (Closes: #598109), + ferm (Closes: #604843) + - 'status' exits with code 3 if fail2ban is not running (Closes: #653074) + Thanks Glenn Aaldering for the patch + * debian/source: + - switch to 3.0 (quilt) format + * debian/control,rules: + - switch to use dh_python2 (Closes: #616803) + - boost policy compliance to 3.9.3 + - recommend python-pyinotify and only suggest python-gamin + + -- Yaroslav Halchenko <debian@onerussian.com> Tue, 31 Jul 2012 16:51:40 -0400 + +fail2ban (0.8.6-3) unstable; urgency=low + + * Added dovecot section to Debian's jail.conf. Thanks to Laurent + LĂ©onard (Closes: #655182) + * init.d script now returns non-0 exit codes upon status command + with not running / failed to connect server. Thanks to + Glenn Aaldering for the patch + + -- Yaroslav Halchenko <debian@onerussian.com> Sun, 08 Jan 2012 21:46:24 -0500 + +fail2ban (0.8.6-2) unstable; urgency=low + + * Added pure-ftpd section to Debian's jail.conf. Thanks to Laurent + LĂ©onard (Closes: #654412) + * Enhancement: action to use /proc/net/xt_recent and run f2b as a normal + user. 
Many many thanks to Zbyszek Szmek (Closes: #602016) + + -- Yaroslav Halchenko <debian@onerussian.com> Tue, 03 Jan 2012 10:36:24 -0500 + +fail2ban (0.8.6-1) unstable; urgency=low + + * [1efe1bc] Fresh upstream release (Closes: #648324) + * Boosted policy compliance to 3.9.2 -- no changes + * Adjusted debian/watch to fetch tarballs from github + + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 28 Nov 2011 22:27:18 -0500 + +fail2ban (0.8.5-2) unstable; urgency=low + + * [5242e73] BF: (cherry-picked from upstream, DEP-3 yet TODO) Lock + server's executeCmd to prevent racing among iptables calls (Closes: + #554162) Many kudos go to Michael Saavedra for the patch + + -- Yaroslav Halchenko <debian@onerussian.com> Fri, 23 Sep 2011 22:12:08 -0400 + +fail2ban (0.8.5-1) unstable; urgency=low + + * [de95777] Fresh upstream release FAIL2BAN-0_8_5: + - [00e1827] BF: use addfailregex instead of failregex while processing + per-jail "failregex" parameter (Closes: #635830) (LP: #635036) + Thanks Marat Khayrullin for the patch and Daniel T Chen for forwarding to + Debian. + * [1cbdafc] Set backend to auto and recommends python-gamin (Closes: #524425) + * [ef449f4] Added a note on diverting logrotate configuration for custom + logtarget=SYSLOG (Closes: #631917). Thanks Kenyon Ralph for report + + -- Yaroslav Halchenko <debian@onerussian.com> Thu, 28 Jul 2011 23:20:55 -0400 + +fail2ban (0.8.4+svn20110323-1) unstable; urgency=low + + * Fresh upstream snapshot which absorbed some of the patches from Debian + and + - [c6d64e9] debug entry for lines ignored due to falling below + findtime (v2) + - [fc20f12] Tai64N stores time in GMT, we need to convert to + local time before returning + - [b0331bb] default ignoreip to ignore entire loopback zone (/8) + (Closes: #598200) + - [b9f15f6] ENH: dovecot filter + - [69165b1] ENH: add <chain> to action.d/iptables*. 
Thanks + Matthijs Kooijman + - [8330a20] ENH: make filter.d/apache-overflows.conf catch more + (Closes: #574182) + - [66cc6cb] BF: allow space in the trailing of failregex for sasl.conf + (Closes: #573314) + - [2714019] ENH: dropbear filter (Closes: #546913) + - [ea7d352] BF: Use /var/run/fail2ban instead of /tmp for temp files in + actions (Closes: #544232) + * debian/jail.conf: + - [bc8e22d] spellcheck (Closes: #598206). Thanks Christoph Anton Mitterer + - [d7f3e23] adjusted description for sasl jail (Closes: #615952) + - [92fb484] debian/jail.conf: closing " for protocol specification + - [f828c31] debian/jail.conf: got 'chain' parameter to be specified for + iptables actions (Closes: #515599) + * debian/control: + - [858af30] slight rewordings of the long description (Closes: #588176) + - [167dfd4] Boosted policy compliance version to 3.9.1 (no changes seems + to be due) + * [4e1e845] debian/copyright: updated copyright years + + -- Yaroslav Halchenko <debian@onerussian.com> Wed, 23 Mar 2011 17:04:56 -0400 + +fail2ban (0.8.4-3) unstable; urgency=low + + * Commenting out named-refused-udp jail and providing even fatter + WARNING against using it (Closes: #583364) + * Merging upstream's commit for fixing missing import + + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 28 Jun 2010 21:50:20 -0400 + +fail2ban (0.8.4-2) unstable; urgency=low + + * Merged few upstream patches (svn rev ) which fixed: + - Patch to make log file descriptors cloexec to stop leaking file + descriptors on fork/exec. + * debian/rules,control: -install-layout=deb for setup.py + python (>= + 2.5.4-1~) to fix install with python2.6 (Closes: #571213). + * Boosted policy to 3.8.4 (no changes seems to be due). + + -- Yaroslav Halchenko <debian@onerussian.com> Thu, 25 Feb 2010 00:17:07 -0500 + +fail2ban (0.8.4-1) unstable; urgency=low + + * New upstream release. Fixes compatibility issue with python2.6 + * Yet only in Debian fixes: + - escaping () in pure-ftpd. 
Thanks Teodor (Closes: #544744)
+ - use "set logtarget" instead of "reload" while logrotate. Thanks
+ J.M.Roth (Closes: #537773)
+ - be able to detect time for VNC recording only 2 letters of year
+ (Closes: #537610)
+ - proftpd filter: count all failed logins regardless of the reason
+ * Debian-specific changes:
+ - adjusted README.Debian - multiport is default (closes: #545971)
+ - Boosted policy to 3.8.3 (no changes seems to be due)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 10 Sep 2009 11:16:51 -0400
+
+fail2ban (0.8.3-6) unstable; urgency=low
+
+ * Time to shake the ground with upload to unstable.
+ * Merged upstream's development as of SVN revision 732:
+ - Fixed maxretry/findtime rate. Many thanks to Christos Psonis.
+ Tracker #2019714.
+ - Made the named-refused regex a bit less restrictive in order to match
+ logs with "view". Thanks to Stephen Gildea.
+ - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100%
+ correct fix but seems to work. Tracker #2500276.
+ - Changed <HOST> template to be more restrictive (closes: #514163).
+ - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. (closes:
+ #513953).
+ - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh
+ log (closes: #512193).
+ - Added missing semi-colon in the bind9 example. Thanks to Yaroslav
+ Halchenko.
+ - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
+ #2484115.
+ - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
+ (closes: #507990)
+ - Added CPanel date format. Thanks to David Collins. Tracker #1967610.
+ - Added nagios script. Thanks to Sebastian Mueller.
+ - Removed print.
+ - Removed begin-line anchor for "standard" timestamp (closes: #500824)
+ - Remove socket file on startup is fail2ban crashed. Thanks to Detlef
+ Reichelt.
+ * Added a comment into Debian-shipped jail.conf about sasl logpath -- it + might preferable to monitor warn.log in case of postfix (To complete react + to #507990) (git branch up/fixes). Also added sasl example log file (git + branch up/log_examples). + * Removing minor bashism in ipmasq example file (closes: #530078). + Thanks Raphael Geissert (git branch up/ipmasq) + * Allow for trailing spaces in proftpd logs (closes: #507986) + (git branch up/fixes). + * Removed duplicate entry for DataCha0s/2\.0 in badbots (closes: #519557) + (git branch up/fixes). + * Adjusted Git-vcs field to point to git:// . + * Thanks lintian fixes: + - Boosted policy to 3.8.2 (no changes are due). + - Boosted debhelper compatibility to 5. + - Misspell in README.Debian + - Removing stale /var/run/fail2ban from dirs -- should be created by + init script + + -- Yaroslav Halchenko <debian@onerussian.com> Thu, 09 Jul 2009 01:08:40 -0400 + +fail2ban (0.8.3-5) experimental; urgency=low + + * BF: anchoring regex for IP with " *$" at the end + adjust regexp for + <HOST> (closes: #514163) + * NF: adding unittests for previous BF + + -- Yaroslav Halchenko <debian@onerussian.com> Thu, 05 Feb 2009 09:51:45 -0500 + +fail2ban (0.8.3-4) experimental; urgency=low + + * BF: added missing semicolon in a logging template for bind within + jail.conf (thanks to anonymous on www.debian-administration.org) + + -- Yaroslav Halchenko <debian@onerussian.com> Mon, 02 Feb 2009 23:02:56 -0500 + +fail2ban (0.8.3-3) experimental; urgency=low + + * BF: addressed added bang to ssh log (closes: #512193). + Thanks Silvestre Zabala. + * Adjusted description of bantime/findtime in README.Debian (closes: + #507771) + * Synced current debian revision to FAIL2BAN-0_8@717 of upstream, + since it includes fixes to some forwarded bugs. Total list of + functional changes + - Added actions to report abuse to ISP, DShield and myNetWatchman. + Thanks to Russell Odom. + - Added apache-nohome.conf. Thanks to Yaroslav Halchenko. 
+ - Added new time format. No idea from where it comes...
+ - Added new regex. Thanks to Tobias Offermann.
+ - Try to match the regex even if the line does not contain a valid
+ date/time. Described in Debian #491253. Thanks to Yaroslav
+ Halchenko.
+ - Removed "timeregex" and "timepattern" stuff that is not needed
+ anymore.
+ - Added date template for Day-Month-Year Hour:Minute:Second
+ (closes: #491253)
+ - Added date pattern for Hour:Minute:Second. Thanks to Andreas
+ Itzchak Rehberg.
+ - Use current day and month instead of Jan 1st if both are not
+ available in the log. Thanks to Andreas Itzchak Rehberg.
+ - Improved pattern. Thanks to Yaroslav Halchenko.
+ - Merged patches from Debian package. Thanks to Yaroslav Halchenko.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 18 Jan 2009 11:31:01 -0500
+
+fail2ban (0.8.3-2) unstable; urgency=low
+
+ * BF in apache-noscript.conf - regexp matched in referer (Closes: #492319).
+ Thanks Bernd Zeimetz.
+ * BF: extended apache-noscript with additional regexp
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 25 Jul 2008 13:33:56 -0400
+
+fail2ban (0.8.3-1) unstable; urgency=low
+
+ * Fresh upstream release
+ * Boosted policy compliance to 3.8.0 (no changes needed)
+ * Specify explicitely facilities in "Failed .. for". Thanks Dean
+ Gaudet. (closes: #481760)
+ * Added failregex for "User not known" in sshd.conf. thanks Alexander
+ Gerasiov (closes: #479966)
+
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 21 Jul 2008 10:27:12 -0400
+
+fail2ban (0.8.2-3) unstable; urgency=low
+
+ * Changes propagated from upstream trunk (future 0.8.3):
+ - Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
+ - Changed some log level.
+ - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to
+ Dennis Winter.
+ - Fixed PID file while started in daemon mode. Thanks to Christian
+ Jobic who submitted a similar patch (closes: #479703)
+ - Added gssftpd filter. Thanks to Kevin Zembower.
+ - Process failtickets as long as failmanager is not empty.
+ * Assure that /var/run/fail2ban exists upon start (LP: #222804, #223706)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 06 May 2008 10:49:34 -0400
+
+fail2ban (0.8.2-2) unstable; urgency=low
+
+ * BF: Recommends whois, which is used in some actions (LP: #213227)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 07 Apr 2008 10:25:52 -0400
+
+fail2ban (0.8.2-1) unstable; urgency=low
+
+ * New upstream release! Divergence from Debian version descreased
+ considerably, Major changes:
+ - "full line failregex"
+ - Moved socket to /var/run/fail2ban.
+ - Removed Python 2.4. Minimum required version is now Python 2.3.
+ - New log rotation detection algorithm.
+ - Some wishlists got accepted (closes: #456567, #468477, #462060,
+ #461426)
+ - Leap year issue (closes: #468452)
+ * debian/watch: switched to git-import-orig
+ * 2 new jails: xinetd-fail, apache-overflows added to jails.conf
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 05 Mar 2008 23:30:56 -0500
+
+fail2ban (0.8.1-5) unstable; urgency=low
+
+ * manually "cherry picked" f6639981: Fixed "Feb 29" bug. Thanks to
+ James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko
+ for the fix (closes: #468382)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 28 Feb 2008 19:51:53 -0500
+
+fail2ban (0.8.1-4) unstable; urgency=low
+
+ * Debian packaging switched from git+dpatch into pure git way via
+ feature-branches. That revealed the true amount of accumulated patching
+ done of top of vanilla upstream, thus this is the last Debian release
+ prior 0.8.2 upstream release which will hopefully absorb most of the
+ patches
+ * vsftp filter anchoring
+ * Fix/extension of proftpd failrexes (Closes: #461412). Thanks Guido
+ Bozzetto
+ * Added ipmasq rule file (in the examples) to restart fail2ban when
+ iptables are wiped out (closes: #461417).
Thanks Guido Bozzetto
+ * Extended apache-noscript filter with more file extensions and to
+ react to "script not found or unable to stat" log message (closes:
+ #456565). Thanks Tim Connors
+ * Fixed == bashism (Closes: #464647). Thanks Raphael Geisser
+ * Confirms to policy 3.7.3 (no changes)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 09 Feb 2008 22:08:55 -0500
+
+fail2ban (0.8.1-3) unstable; urgency=low
+
+ * Added Vcs- fields, moved Homepage into source header's field
+ * Propagated patch from 0.9 upstream branch: "Replaced ssocket.py with
+ asyncore/asynchat implementation. Correct fix for bug #1769616. That is
+ supposed to resolve spontaneous 100% CPU utilization by fail2ban-server."
+ * BF: removed sftp from ssh jails (closes: #436053)
+ * NF: new filter for 'refused connect' (closes: #451093). Thanks Guido
+ Bozzetto
+ * Moved iptables into recommends since fail2ban can work without iptables
+ using some other action (e.g hosts.deny)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 23 Nov 2007 11:42:24 -0500
+
+fail2ban (0.8.1-2) unstable; urgency=low
+
+ * Fixed named-refused filter.
+ * Added force-start action to init script, so it could be forced
+ to start if previous run crashed and left a socket file. Must to be
+ used with caution.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 18 Oct 2007 18:31:58 -0400
+
+fail2ban (0.8.1-1) unstable; urgency=low
+
+ * New upstream release.
+ Patches absorbed upstream:
+ 00_daemon_pids.dpatch
+ 00_iptables_allports.dpatch
+ 00_vsftp_filter_spaces.dpatch
+ 00_resolve_all_names.dpatch
+ 00_HOST_ignoreregex.dpatch
+ Patches which needed some tune-up:
+ 00_ssh_strong_re.dpatch
+ 00_mail-whois-lines.dpatch
+ 00_named_refused.dpatch
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 14 Aug 2007 23:15:21 -0400
+
+fail2ban (0.8.0-5~pre1) UNRELEASED; urgency=low
+
+ * Added optional spaces at the end of failregex for vsftpd.
+ * Resolve all "names" which became a part of <HOST>.
Previousely only fqdn's
+ were resolved
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 05 Aug 2007 21:38:44 -0400
+
+fail2ban (0.8.0-4) unstable; urgency=low
+
+ * Moved <HOST> expansion into regex.py (closes: #429263). Thanks James
+ Andrewartha.
+ * Added optional regexp entry for process PID in some entries (closes:
+ #426050). Thanks Roderick Schertler.
+ * Added a filter pam_generic to catch any login errors.
+ * Added iptables-allports.
+ * Use /var/run to keep socket file (closes: #425746)
+ * Added a filter for named to catch refused/denied queries
+ * Added new time template matching named log entries
+ * jail.conf has specification of protocol (default to tcp) to be provided to
+ banaction
+ * Adjusted failregex for sshd filter:
+ - anchored properly at the end of line, and source code has .examples
+ files to perform testing of the rules.
+ - added new explicit rule for users not in the AllowUsers lists
+
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 19 Jun 2007 23:04:02 -0400
+
+fail2ban (0.8.0-2) unstable; urgency=low
+
+ * Manually changing the order of debhelper inserted scripts in prerm
+ (Closes: #422655)
+ * Removed obsolete hack to have /bin/env invocation of python for
+ fail2ban-* scripts
+ * Applied changes submitted by Bernd Zeimetz (thanks Bernd):
+ - Removed obsolete Build-Depends-Indep on help2man, python-dev
+ - Explicit removal of *.pyc files compiled during build
+ - Invoke 'python setup.py clean' in clean target, which required also
+ to move python into Build-Depends
+ * Minor clean up of debian/rules
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 16 May 2007 14:13:57 -0400
+
+fail2ban (0.8.0-1) unstable; urgency=low
+
+ * New stable upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 05 May 2007 12:35:02 -0400
+
+fail2ban (0.7.9-1) unstable; urgency=low
+
+ * New upstream release
+ * Updated copyright to include current year
+ * Removed patches absorbed upstream
+
+ -- Yaroslav Halchenko
<debian@onerussian.com> Thu, 19 Apr 2007 21:44:28 -0400
+
+fail2ban (0.7.8-1) unstable; urgency=low
+
+ * New upstream release
+ * Applied post-release upstream changes to resolve issues with
+ - Fix to close opened handlers to log file
+ - Tentative incomplete gamin fix
+ - Fix to "reload" bug
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 26 Mar 2007 17:52:23 -0400
+
+fail2ban (0.7.7-1) unstable; urgency=low
+
+ * New upstream release (included most of the debian-provided patches -- new
+ filters and actions)
+ * Refreshed and made verbatim homepage in description
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 8 Feb 2007 22:20:49 -0500
+
+fail2ban (0.7.6-3) unstable; urgency=low
+
+ * Synchronized action.d/iptables-* rules from upstream SVN (closes:
+ #407561)
+ * Minor: options renames in the comments to be in sync with upstream
+ * Use /usr/bin/python interpreter instead of wrapped call to python by
+ /usr/bin/env
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 19 Jan 2007 10:43:59 -0500
+
+fail2ban (0.7.6-2) unstable; urgency=low
+
+ * iptables-multiport is default action to take since Debian kernel arrives
+ with multiport module. That is to address the fact that most services
+ listen on multiple port (for encrypted and non-encrypted connections)
+ * Added [courierauth] jail (First 2 items are to partially address #407404
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 18 Jan 2007 10:35:36 -0500
+
+fail2ban (0.7.6-1) unstable; urgency=low
+
+ * New upstream release, which incorporates fixes introduced in 3~pre
+ non-released versions (which were suggested to the users to overcome
+ problems reported in bug reports). In particular attention should be paid
+ to upstream changelog entries
+ - Several "failregex" and "ignoreregex" are now accepted.
+ Creation of rules should be easier now.
+ This is an alternative solution to 'multiple <HOST>' entries fix,
+ which is not applied to this shipped version - pay caution if upgrading
+ from 0.7.5-3~pre?
+ - Allow comma in action options. The value of the option must
+ be escaped with " or '.
+ That allowed to implement requested ability to ban multiple ports
+ at once (See 373592). README.Debian and jail.conf adjusted to reflect
+ possible use of iptables-mport
+ - Now Fail2ban goes in /usr/share/fail2ban instead of
+ /usr/lib/fail2ban. This is more compliant with FHS.
+ Patch 00_share_insteadof_lib no longer applied
+ * Refactored installed by debian package jail.conf:
+ - Added option banaction which is to incorporate banning agent
+ (usually some flavor of iptables rule), which can then be easily
+ overriden globally or per section
+ - Multiple actions are defined as action_* to serve as shortcuts
+ * Initd script was modified to inform about present socket file which
+ would forbid fail2ban-server from starting
+ * Adjusted default log file for postfix to be /var/log/mail.log
+ (Closes: #404921)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 4 Jan 2007 15:24:52 -0500
+
+fail2ban (0.7.5-3~pre6) unstable; urgency=low
+
+ * Fail2ban now bans vsftpd logins (corrected logfile path and failregex)
+ (Closes: #404060)
+ * Made fail2ban-server tollerate multiple <HOST> entries in failregex
+ * Moved call to dh_pycentral before dh_installinit
+ * Removed unnecessary call of dh_shlibdeps
+ * Added filter ssh-ddos to fight DDOS attacks. Must be used with caution
+ if there is a possibility of valid clients accessing through
+ unreliable connection or faulty firewall (Closes: #404487)
+ * Not applying patch any more for rigid python2.4 - it is default now in
+ sid/etch
+ * Moving waiting loop for fail2ban-server to stop under do_stop
+ function, so it gets invoked by both 'restart' and 'stop' commands
+ * do_status action of init script is now using 'fail2ban-client ping'
+ instead of '...
status' since we don't really use returned status + information, besides the return error code + + -- Yaroslav Halchenko <debian@onerussian.com> Tue, 26 Dec 2006 21:56:58 -0500 + +fail2ban (0.7.5-2) unstable; urgency=low + + * NEWS.Debian confusions - the latest NEWS entry and postinst message were + rephrased (Closes: #402350) + * Added mail-whois-lines action, which emails log lines containing abuser + IP. Those lines are often required for proper abuse reports sent to the + Internet providers. Forwarding of such received emails to the email + addresses of abuse departments present in the output of whois is a + tentative solution for semi-automatic abuse reporting (Closes: #358810) + + -- Yaroslav Halchenko <debian@onerussian.com> Sun, 10 Dec 2006 18:55:37 -0500 + +fail2ban (0.7.5-1) unstable; urgency=low + + * New upstream release which fixes next issues + + Socket parameter not work with other path (Closes: #400162) + + fail2ban does not start with /etc/init.d/fail2ban start but + with fail2ban-client start (Closes: #400278) + * Removed obsolete patches left from 0.6 + * Adjusted wsftpd patch to use <HOST> tag to be in line with the other + filter definitions + + -- Yaroslav Halchenko <debian@onerussian.com> Thu, 7 Dec 2006 20:19:09 -0500 + +fail2ban (0.7.4-5) unstable; urgency=low + + * Added Suggests on mailx and relevant comments in README.Debian about + invoking mail actions (closes: #396668) + * Removed obsolete entries in TODO and README + * README.Debian describes the use of interpolations vs parameters passed + from jail.{conf,local} into an action definitions (closes: + #398739) + * Initial version of postfix filter has been present in 0.7 (closes: + #377711) + * Removed Uploaded field from control since I am a DD now. Big thanks to + Barak Pearlmutter for being the sponsor of my packages for few years. + + -- Yaroslav O. 
Halchenko <debian@onerussian.com> Wed, 6 Dec 2006 22:14:26 -0500
+
+fail2ban (0.7.4-4) unstable; urgency=low
+
+ * Added debian/backports to contain patches necessary for backporting. It
+ gets used by pbuilder-ssh to create package for backports.org
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 4 Dec 2006 08:55:48 -0500
+
+fail2ban (0.7.4-3) unstable; urgency=low
+
+ * Reincarnated logrotate configuration (Closes: #397878)
+ * Only block new connects by using a new action iptables-new instead of
+ iptables (Closes: #350746)
+ * Updated README.Debian to reflect transition over to 0.7 branch and to
+ comment on 350746
+ * "Clean" target removes generated .pyc files now (Closes: #398146)
+ * Cleaned up debian/rules a bit
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 11 Nov 2006 21:00:18 -0500
+
+fail2ban (0.7.4-2) unstable; urgency=low
+
+ * Added reload/force-reload actions to init script
+ * Adjusted jail.conf a bit
+ * Warning NEWS entry for 0.7.1 was not shown during installation on test
+ boxes, thus postinst was adjusted accordingly to inform the user about the
+ changes in the configuration files since 0.6.
+ * no logrotation anymore? (Closes: #397878)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 10 Nov 2006 10:53:23 -0500
+
+fail2ban (0.7.4-1) experimental; urgency=low
+
+ * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 1 Nov 2006 20:54:14 -0500
+
+fail2ban (0.7.4~pre20061023.2-3) experimental; urgency=low
+
+ * Corrected init.d script to properly perform restart due to server delay to
+ react to client command to stop.
Handling of status was adjusted as well
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 29 Oct 2006 22:29:27 -0500
+
+fail2ban (0.7.4~pre20061023.2-2) experimental; urgency=low
+
+ * Added apache-noscript to jail.conf
+ * Default action does not send emails to be inline with previous (0.6.x)
+ behavior
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 26 Oct 2006 13:27:20 -0400
+
+fail2ban (0.7.4~pre20061023.2-1) experimental; urgency=low
+
+ * Fresh upstream: fixed a bug with not handling error producing
+ actioncheck call
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 23 Oct 2006 17:00:03 -0400
+
+fail2ban (0.7.4~pre2006102-1) experimental; urgency=low
+
+ * Currrent snapshot of trunk
+ * Removed outdated (applied in 0.7.4 or specific for 0.6.?) patches
+ from debian/patches
+ * Adjusted rule to install man pages -- only .1 files since there are also
+ h2m sources
+ * debian/{rules,control} adjusted to conform all points in recent python
+ policy changes
+ * install under /usr/share instead of /usr/lib
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 23 Oct 2006 00:17:55 -0400
+
+fail2ban (0.7.3-2) experimental; urgency=low
+
+ * Added wuftpd section
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 18 Oct 2006 01:15:00 -0400
+
+fail2ban (0.7.3-1) experimental; urgency=low
+
+ * New upstream release
+ * Debian shipped jail.conf
+ * Refreshen init.d script
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 28 Sep 2006 22:17:16 -0400
+
+fail2ban (0.7.1-0.2) experimental; urgency=low
+
+ * New upstream release (closes: #370095,#366307)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 5 Sep 2006 00:26:08 -0400
+
+fail2ban (0.6.1-11) unstable; urgency=low
+
+ * Adjusted manpage for fail2ban.conf to point to shipped examples of
+ configuration files as the source of details about available configuration
+ options (closes: #382403)
+ * Changes in man/fail2ban.conf.5 are managed via dpatch now
+
+ -- Yaroslav Halchenko
<debian@onerussian.com> Wed, 16 Aug 2006 00:18:59 +0300
+
+fail2ban (0.6.1-10) unstable; urgency=low
+
+ * Adjusted to comply with recent changes in debian python policy and use
+ pycentral to byte compile modules
+ * Filtered out empty entries for ignoreip to reduce confusing WARNING log
+ message
+ * Added configuration parameter "locale" to specify LC_TIME for time
+ pattern matching (closes: #367990,363391)
+ * Verbosity is chosen to be max between cmdline parameters and config file
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 6 Jul 2006 20:19:54 -0400
+
+fail2ban (0.6.1-9) unstable; urgency=low
+
+ * Adjusted rm commands in init script to don't use -r for removal of
+ the pidfile (thanks Stephen Gran)
+ * Added clarification about multiport banning to README.Debian
+ (closes: #373592)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 14 Jun 2006 12:05:44 -0400
+
+fail2ban (0.6.1-8) unstable; urgency=low
+
+ * Removed bashism (arrays) from init.d script to make it POSIX shell
+ complient (closes: #368218)
+ * Added new proftpd section
+ * Added new saslauthd section. Thanks to martin f krafft
+ <madduck@debian.org> (closes: #369483)
+ * Mentioned apache2 log file in Other. comment field for FILE in
+ apache section.
Nothing has to be changed besides the logfile path to
+ work with apache2 (closes: #342144)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 22 May 2006 15:37:17 -0400
+
+fail2ban (0.6.1-5) unstable; urgency=low
+
+ * Further fixed debian packaging: to comply with policy empty target
+ binary-arch was provided
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 16 May 2006 16:43:37 -0400
+
+fail2ban (0.6.1-4) unstable; urgency=low
+
+ * Adjusted debian packaging:
+ - Clean up of debian/rules: removed commented out dh_ scripts which
+ definetly will never be used
+ - debhelper and dpatch moved to Build-Depends
+ - added --no-compile for python setup.py install, and removed explicit
+ cleaning of .pyc's
+ - fixed separation binary-indep and binary-arch in debian/rules
+ - restricted depends on python >= 2.3
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 16 May 2006 15:53:06 -0400
+
+fail2ban (0.6.1-3) unstable; urgency=low
+
+ * Fixed vsftpd failregexp (closes: #366687)
+ * Started to use dpatch
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 10 May 2006 11:45:57 -0400
+
+fail2ban (0.6.1-2) unstable; urgency=low
+
+ * Assigned maxreinits to 1000 to be reasonable since otherwise logfile grows
+ indefinetly if there is a real problem on the system (closes: #359218)
+ * Adjusted debian/{copyright,watch}
+ * New version of init.d script (Thanks to Aaron Isotton) (closes: #364278)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 27 Mar 2006 12:55:39 -0500
+
+fail2ban (0.6.1-1) unstable; urgency=low
+
+ * New upstream release
+ * In config file added fwchain to ease switching to another input chain
+ (closes: #357164)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 18 Mar 2006 23:11:53 -0500
+
+fail2ban (0.6.0-8) unstable; urgency=low
+
+ * Minor adjustments to reduce the deviation from the upstream code
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 11 Mar 2006 00:48:14 -0500
+
+fail2ban (0.6.0-7) unstable; urgency=low
+
+ *
Fixed a typo in failregex for SSH section (closes: #356112)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 9 Mar 2006 15:13:48 -0500
+
+fail2ban (0.6.0-6) unstable; urgency=low
+
+ * Updated README.Debian with information about some cases with
+ not-as-shipped configurations of sshd on the boxes running older versions
+ of openssh server
+ * Included regexps for SSH in case iff authentication as root using keys was
+ attempted whenever PermitRootLogin is set to something else than "yes" and
+ key authentication fails
+ * Included postrm script to remove log files during purge to comply with
+ policy 10.8 (closes: #355443)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 3 Mar 2006 16:32:38 -0500
+
+fail2ban (0.6.0-5) unstable; urgency=low
+
+ * Fixed Apache section: changed filepath to point at error.log, thus I had
+ to revert timeregex and timepattern to user RFC 2822 format (closes:
+ #354346)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 25 Feb 2006 19:56:46 -0500
+
+fail2ban (0.6.0-4) unstable; urgency=low
+
+ * Modifications in README.Debian to reflect a "finding" on
+ not-AllowedUsers banning which requires default Debian configuration
+ of "ChallengeResponseAuthentication no" and "PasswordAuthentication
+ yes"
+ * Fixed Apache timeregex and timepattern to confirm
+ the fomat of time stamp used in Debian's acccess.log (error.log uses
+ RFC 2822 format)
+ * Added section ApacheAttacks to specify some common patterns of attacks on
+ a webserver (awstats.pl as a try).
This section stays split from Apache
+ since it is of different nature and might be not appropriate for some
+ users
+ * Forced owner/permissions of log file to be root:adm/640 in postinst and
+ logrotate (closes: #352053)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 16 Jan 2006 04:05:19 -0500
+
+fail2ban (0.6.0-3) unstable; urgency=low
+
+ * ignoreip is now empty by default (closes: #347766)
+ * increased verbosity in verbose=2 mode: now prints options accepted
+ from the config file
+ * to make fail2ban.conf more compact, thus to improve its readability,
+ fail2ban.conf was converted to use "interpolations" provided by
+ ConfigParser class. fw{start,end,{,un}ban} options were moved into
+ DEFAULT section and required options (port, protocol) were added
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 12 Jan 2006 18:32:14 -0500
+
+fail2ban (0.6.0-2) unstable; urgency=low
+
+ * fail2ban path is inserted first in the list to avoid a conflict with
+ existing elsewhere modules with the same names. (Thanks for report and
+ patch to Nick Craig-Wood) (closes: #343821)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 19 Dec 2005 17:44:58 +0200
+
+fail2ban (0.6.0-1) unstable; urgency=low
+
+ * Merged with the latest stable upstream release. That incure some
+ changes for the Debian configuration of the package to be more
+ upstream-like.
Visible one is: subject in the sent email includes
+ section outside of "[Fail2Ban]"
+ * Updated README.Debian to answer possible question regarding effective
+ bantime starting moment
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 20 Nov 2005 14:56:41 -0500
+
+fail2ban (0.5.4-10) unstable; urgency=low
+
+ * Fixed the order of ssh and apache rules to avoid possible race
+ condition (Thanks to Jefferson Cowart for the bug report) (closes:
+ #339133)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 14 Nov 2005 23:44:45 -0500
+
+fail2ban (0.5.4-9) unstable; urgency=low
+
+ * Fixed init.d script so it doesn't return non-0 status if fail2ban is not
+ running. That fixes issues with purging the package and leaving garbage in
+ /usr/share/fail2ban (Thanx to Justin Pryzby for the insight)
+ (closes: #337223)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 3 Nov 2005 17:05:20 -0500
+
+fail2ban (0.5.4-8) unstable; urgency=low
+
+ * Added config option MAIL.localtime (closes: #336449)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 31 Oct 2005 16:53:19 -0500
+
+fail2ban (0.5.4-7) unstable; urgency=low
+
+ * Adjusted init.d script so it is resistant to delayed shutdowns of
+ fail2ban and in general more stable
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 20 Oct 2005 21:22:03 -0400
+
+fail2ban (0.5.4-6.2) unstable; urgency=low
+
+ * Fixed typos (thanx to Ross Boylan).
+ * Robust startup: if iptables module gets fully initialized after
+ startup of fail2ban, fail2ban will do "maxreinit" attempts to
+ initialize its own firewall. It will sleep between attempts for
+ "polltime" number of seconds (closes: #334272).
+ * To overcome possible conflict with other firewall solutions and as a
+ secondary solution for the bug 334272, fail2ban startup is moved
+ during bootup to the latest (S99) sequenece position. That should not
+ cause any discomfort I believe.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 18 Oct 2005 15:54:38 -0400
+
+fail2ban (0.5.4-5.14) unstable; urgency=low
+
+ * Added a notification regarding the importance of 0.5.4-5 change of
+ failregex in the config file.
+ * Adjusted address to FSF.
+ * Adjusted failregex for SSH so it bans "Illegal user" entries as well, and
+ restricted full failregex more to include ":" at the beginning, because
+ otherwise it might not be sufficient and would revive bug 330827 (closes:
+ #333056).
+ * Adjusted failregex for SSH to accommodate recent changes in logging of
+ SSH: Illegal -> Invalid. Should match both now.
+ * Fixed a problem of raise AttributeError exception reported as a side
+ effect of crash during parsing of the config file.
+ * Introduced fwcheck option to verify consistency of the
+ chains. Implemented automatic restart of fail2ban main function in
+ case check of fwban or fwunban command failed (closes: #329163, #331695).
+ (Introduced patch was further adjusted by upstream author).
+ * Added -f command line parameter for [findtime].
+ * Fixed the issue of not respecting command line parameters for parameters
+ within sections.
+ * Added -e command line parameter to provide enabled sections from command
+ line.
+ * Added a cleanup of firewall rules on emergency shutdown when unknown
+ exception is catched.
+ * Fail2ban should not crash now if a wrong file name is specified in
+ config.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 3 Oct 2005 22:26:28 -1000
+
+fail2ban (0.5.4-5) unstable; urgency=low
+
+ * Made failregex'es more specific to don't allow usernames to be used as a
+ tool for denial of service attacks.
Config files (or at least
+ failregex'es) must be updated from this package, otherwise the security
+ breach would remain open and only warning gets issued (closes: #330827)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 1 Oct 2005 02:42:23 -1000
+
+fail2ban (0.5.4-4) unstable; urgency=low
+
+ * On a request from Calum Mackay added reporting of the enabled sections
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 29 Sep 2005 11:20:43 -1000
+
+fail2ban (0.5.4-3) unstable; urgency=low
+
+ * Resolved the mystery of debug mode in which commands are not really
+ executed: added verbose option to config file, removed -v from
+ /etc/default/fail2ban, reordered code a bit so that log targets are
+ setup right after background and then only loglevel (verbose,debug) is
+ processed, so the warning could be seen in the logs
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 29 Sep 2005 00:20:43 -1000
+
+fail2ban (0.5.4-2) unstable; urgency=low
+
+ * Now exporting PATH explicitely in init.d/fail2ban script, to avoid
+ problems finding iptables in the cases when PATH was not exported outside
+ (cfengine, broken shell environment) (closes: #329304)
+ * Removed -b from start-stop-daemon because fail2ban detahes on its own
+ * Added @localhost to MAIL:from and MAIL:to in fail2ban.conf and placed
+ a note to README.Debian regarding necessity to specify full email
+ address in MAIL:from (closes: #329722)
+ * Added a keyword <section> in parsing of the subject and the body of an
+ email sent out by fail2ban (closes: #330311)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 27 Sep 2005 08:09:06 -0400
+
+fail2ban (0.5.4-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 20 Sep 2005 12:19:19 -0400
+
+fail2ban (0.5.3-2) unstable; urgency=low
+
+ * Refined comments in README.Debian
+ * Reindented init.d script
+ P.S.
Was not released
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 11 Sep 2005 15:19:44 -0400
+
+fail2ban (0.5.3-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 9 Sep 2005 16:55:00 -0400
+
+fail2ban (0.5.2-5) unstable; urgency=low
+
+ * Included a patch from Stephen Gildea to provide "status" report by
+ init.d script
+ * Included a note in README.Debian regarding the fail2ban iptable's
+ chains
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 9 Sep 2005 14:52:24 -0400
+
+fail2ban (0.5.2-4) unstable; urgency=low
+
+ * Format of SYSLOG entries is up to the standard now
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 19 Aug 2005 00:06:44 -1000
+
+fail2ban (0.5.2-3) unstable; urgency=low
+
+ * Fixed errata in /etc/default/fail2ban (closes: #323451)
+ * Fixed handling of SYSLOG logging target. Now it can log to any syslog
+ target and facility as directed by the config (revisions 160:166 patch
+ from syslog branch) (closes: #323543)
+ * Included upstream README and TODO
+ * Mentioned in README.Debian that apache section is disabled by default
+ * Adjusted man pages to cross-reference each other
+ * Moved fail2ban man page under section 8 as in upstream
+ * Introduced findtime configuration variable to control the lifetime
+ of caught "failed" log entries (closes: #323840)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 16 Aug 2005 11:23:28 -1000
+
+fail2ban (0.5.2-2) unstable; urgency=low
+
+ * Updated description to reflect flexibility in application of fail2ban
+ * Included logrotate (Thanks to Baruch Even)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 13 Aug 2005 04:51:57 -0400
+
+fail2ban (0.5.2-1) unstable; urgency=low
+
+ * New upstream release
+ * No log4py any more
+ * removed -i eth0 from config
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 6 Aug 2005 09:21:07 -1000
+
+fail2ban (0.5.1-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Yaroslav
Halchenko <debian@onerussian.com> Sat, 23 Jul 2005 08:50:00 -1000
+
+fail2ban (0.5.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Libraries placed under /usr/share/fail2ban instead of /usr/lib/fail2ban
+ * Corrections to the description of the package
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 12 Jul 2005 23:33:20 -1000
+
+fail2ban (0.4.1-1) unstable; urgency=low
+
+ * First upstream release of a Debian package
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 04 Jul 2005 11:47:23 +0300
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 00000000..ec635144
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 00000000..f9111fe4
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,38 @@ +Source: fail2ban +Section: net +Priority: optional +Maintainer: Yaroslav Halchenko <debian@onerussian.com> +Build-Depends: debhelper (>= 9), python3, python3-pyinotify, dh-systemd +Homepage: http://www.fail2ban.org +Vcs-Git: git://github.com/fail2ban/fail2ban.git +Vcs-Browser: http://github.com/fail2ban/fail2ban +Standards-Version: 3.9.7 + + +Package: fail2ban +Architecture: all +Depends: ${python3:Depends}, ${misc:Depends}, lsb-base (>=2.0-7) +Recommends: python, iptables, whois, python3-pyinotify, python3-systemd +Suggests: mailx, system-log-daemon, monit +Description: ban hosts that cause multiple authentication errors + Fail2ban monitors log files (e.g. /var/log/auth.log, + /var/log/apache/access.log) and temporarily or persistently bans + failure-prone addresses by updating existing firewall rules. Fail2ban + allows easy specification of different actions to be taken such as to ban + an IP using iptables or hostsdeny rules, or simply to send a notification + email. + . + By default, it comes with filter expressions for various services + (sshd, apache, qmail, proftpd, sasl etc.) but configuration can be + easily extended for monitoring any other text file. All filters and + actions are given in the config files, thus fail2ban can be adopted + to be used with a variety of files and firewalls. Following recommends + are listed: + . + - iptables -- default installation uses iptables for banning. You most + probably need it + - whois -- used by a number of *mail-whois* actions to send notification + emails with whois information about attacker hosts. Unless you will use + those you don't need whois + - python3-pyinotify -- unless you monitor services logs via systemd, you + need pyinotify for efficient monitoring for log files changes diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 00000000..99d64846 --- /dev/null +++ b/debian/copyright 
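Review bot: `Vcs-Git: git://github.com/fail2ban/fail2ban.git` points tools such as debcheckout at the unauthenticated git:// transport, so a checkout made from the Vcs field gets no transport integrity at all; GitHub serves the same repository over TLS, so `Vcs-Git: https://github.com/fail2ban/fail2ban.git` and `Vcs-Browser: https://github.com/fail2ban/fail2ban` are the safer values. Separately, `Recommends: python, iptables, whois, python3-pyinotify, python3-systemd` installs the Python 2 interpreter on every default installation of a package that is built with python3 only and depends on `${python3:Depends}`; unless something in the shipped files still needs it, `python` looks like a leftover and can be dropped from that line.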
@@ -0,0 +1,31 @@ +This package was originally debianized by Yaroslav Halchenko +<debian@onerussian.com> on Mon Jul 4 14:41:34 HST 2005 + +It was downloaded from http://www.sourceforge.net/projects/fail2ban + +Author: Cyril Jaquier: <cyril.jaquier@fail2ban.org> + http://fail2ban.sourceforge.net + +Copyright: 2004-2009 Cyril Jaquier + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the +Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, +MA 02110-1301, USA. + +On Debian systems, the complete text of the GNU General Public +License, version 2, can be found in /usr/share/common-licenses/GPL-2. + +The Debian packaging is (C) 2006-2011, Yaroslav Halchenko <debian@onerussian.com> +and is licensed under the GPL, see above. + diff --git a/debian/debian-files/jail.d_defaults-debian.conf b/debian/debian-files/jail.d_defaults-debian.conf new file mode 100644 index 00000000..9eb356c8 --- /dev/null +++ b/debian/debian-files/jail.d_defaults-debian.conf @@ -0,0 +1,2 @@ +[sshd] +enabled = true diff --git a/debian/docs b/debian/docs new file mode 100644 index 00000000..c8d7c600 --- /dev/null +++ b/debian/docs @@ -0,0 +1,3 @@ +README.md +TODO +doc/run-rootless.txt diff --git a/debian/fail2ban.default b/debian/fail2ban.default new file mode 100644 index 00000000..35bb3771 --- /dev/null +++ b/debian/fail2ban.default 
@@ -0,0 +1,39 @@ +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Author: Cyril Jaquier +# +# $Revision$ + +# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for +# valid options. +FAIL2BAN_OPTS="" + +# Run fail2ban as a different user. If not set, fail2ban +# will run as root. +# +# The user is not created automatically. +# The user can be created e.g. with +# useradd --system --no-create-home --home-dir / --groups adm fail2ban +# Log files are readable by group adm by default. Adding the fail2ban +# user to this group allows it to read the logfiles. +# +# Another manual step that needs to be taken is to allow write access +# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban +# script will change the ownership when starting fail2ban. Logrotate +# needs to be configured separately, see /etc/logrotate.d/fail2ban. +# +# FAIL2BAN_USER="fail2ban" diff --git a/debian/fail2ban.logrotate b/debian/fail2ban.logrotate new file mode 100644 index 00000000..ea464284 --- /dev/null +++ b/debian/fail2ban.logrotate 
@@ -0,0 +1,17 @@ +/var/log/fail2ban.log { + + weekly + rotate 4 + compress + + delaycompress + missingok + postrotate + fail2ban-client flushlogs 1>/dev/null + endscript + + # If fail2ban runs as non-root it still needs to have write access + # to logfiles. + # create 640 fail2ban adm + create 640 root adm +} diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 00000000..fadf1e99 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,18 @@ +[DEFAULT] +# the default branch for upstream sources: +upstream-branch = upstream +# the default branch for the debian patch: +debian-branch = debian-releases/experimental +# use pristine-tar +# pristine-tar = True +# the default tag formats used: +upstream-tag = %(version)s +debian-tag = debian/%(version)s + + +# Options only affecting git-buildpackage +[git-buildpackage] +# use this for more svn-buildpackage like bahaviour: +export-dir = ../build-area/ +tarball-dir = ../tarballs/ + diff --git a/debian/patches/deb_init_paths b/debian/patches/deb_init_paths new file mode 100644 index 00000000..f39df27c --- /dev/null +++ b/debian/patches/deb_init_paths @@ -0,0 +1,11 @@ +--- a/files/debian-initd ++++ b/files/debian-initd +@@ -28,7 +28,7 @@ NAME=fail2ban + + # fail2ban-client is not a daemon itself but starts a daemon and + # loads its with configuration +-DAEMON=/usr/local/bin/$NAME-client ++DAEMON=/usr/bin/$NAME-client + SCRIPTNAME=/etc/init.d/$NAME + + # Ad-hoc way to parse out socket file name diff --git a/debian/patches/deb_manpages_reportbug b/debian/patches/deb_manpages_reportbug new file mode 100644 index 00000000..2f3e543f --- /dev/null +++ b/debian/patches/deb_manpages_reportbug 
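Review bot: `create 640 root adm` contradicts the commented `# create 640 fail2ban adm` two lines above it and the FAIL2BAN_USER option documented in debian/fail2ban.default: once the daemon runs as a dedicated user, the first weekly rotation creates a root-owned 0640 log that the reopened server presumably can no longer append to, and the ban log goes quiet without any error in the rotated file. A comment beside the active line, e.g. `# Owner must match FAIL2BAN_USER in /etc/default/fail2ban`, would at least tie the two files together. The `fail2ban-client flushlogs 1>/dev/null` postrotate also runs while the service may be stopped; if fail2ban-client exits non-zero in that state, logrotate reports the rotation as failed, which is a behaviour to choose explicitly rather than inherit by accident.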
@@ -0,0 +1,26 @@ +From: Yaroslav Halchenko <debian@onerussian.com> +Date: Fri, 8 Feb 2008 00:40:57 -0500 +Subject: tune ups in upstream manpages to direct users to use reportbug + +--- a/man/fail2ban-client.1 ++++ b/man/fail2ban-client.1 +@@ -380,7 +380,7 @@ the action <ACT> for <JAIL> + Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. + Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. + .SH "REPORTING BUGS" +-Report bugs to https://github.com/fail2ban/fail2ban/issues ++Report bugs via Debian bug tracking system \fIhttp://www.debian.org/Bugs/\fR . + .SH COPYRIGHT + Copyright \(co 2004\-2008 Cyril Jaquier, 2008\- Fail2Ban Contributors + .br +--- a/man/fail2ban-server.1 ++++ b/man/fail2ban-server.1 +@@ -38,7 +38,7 @@ print the version + Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. + Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. + .SH "REPORTING BUGS" +-Report bugs to https://github.com/fail2ban/fail2ban/issues ++Report bugs via Debian bug tracking system \fIhttp://www.debian.org/Bugs/\fR . + .SH COPYRIGHT + Copyright \(co 2004\-2008 Cyril Jaquier, 2008\- Fail2Ban Contributors + .br diff --git a/debian/patches/deb_path_to_common b/debian/patches/deb_path_to_common new file mode 100644 index 00000000..46a4d04c --- /dev/null +++ b/debian/patches/deb_path_to_common @@ -0,0 +1,11 @@ +--- a/fail2ban/tests/config/filter.d/zzz-generic-example.conf ++++ b/fail2ban/tests/config/filter.d/zzz-generic-example.conf +@@ -8,7 +8,7 @@ + # Read common prefixes. If any customizations available -- read them from + # common.local. common.conf is a symlink to the original common.conf and + # should be copied (dereferenced) during installation +-before = ../../../../config/filter.d/common.conf ++before = ../../../../../../../config/filter.d/common.conf + + [Definition] + diff --git a/debian/patches/neurodebian-backport.series b/debian/patches/neurodebian-backport.series new file mode 100644 index 00000000..c98bf485 --- /dev/null 
+++ b/debian/patches/neurodebian-backport.series
@@ -0,0 +1 @@
+neurodebian_use_python2
diff --git a/debian/patches/neurodebian_use_python2 b/debian/patches/neurodebian_use_python2
new file mode 100644
index 00000000..df46230b
--- /dev/null
+++ b/debian/patches/neurodebian_use_python2
@@ -0,0 +1,53 @@ +--- a/debian/control ++++ b/debian/control +@@ -2,7 +2,7 @@ Source: fail2ban + Section: net + Priority: optional + Maintainer: Yaroslav Halchenko <debian@onerussian.com> +-Build-Depends: debhelper (>= 9), python3, python3-pyinotify, dh-systemd ++Build-Depends: debhelper (>= 9), python (>= 2.6.6-3~), python-pyinotify, dh-python + Homepage: http://www.fail2ban.org + Vcs-Git: git://github.com/fail2ban/fail2ban.git + Vcs-Browser: http://github.com/fail2ban/fail2ban +@@ -11,9 +11,9 @@ Standards-Version: 3.9.6 + + Package: fail2ban + Architecture: all +-Depends: ${python3:Depends}, ${misc:Depends}, lsb-base (>=2.0-7) +-Recommends: python, iptables, whois, python3-pyinotify, python3-systemd +-Suggests: mailx, system-log-daemon, monit ++Depends: ${python:Depends}, ${misc:Depends}, lsb-base (>=2.0-7) ++Recommends: iptables, whois, python-pyinotify ++Suggests: mailx, system-log-daemon, monit, python-systemd + Description: ban hosts that cause multiple authentication errors + Fail2ban monitors log files (e.g. /var/log/auth.log, + /var/log/apache/access.log) and temporarily or persistently bans +--- a/debian/rules ++++ b/debian/rules +@@ -9,13 +9,13 @@ + # Uncomment this to turn on verbose mode. 
+ #export DH_VERBOSE=1 + +-export PYBUILD_DISABLE_python2=1 ++export PYBUILD_DISABLE_python3=1 + + %: +- dh $@ --with python3,systemd --buildsystem pybuild ++ dh $@ --with python2 --buildsystem pybuild + + DESTDIR=$(CURDIR)/debian/fail2ban +-PYVERSION=$(shell py3versions -dv) ++PYVERSION=$(shell pyversions -dv) + + override_dh_clean: + rm -rf fail2ban.egg-info +@@ -37,7 +37,8 @@ override_dh_install: + : # Install bash completion + install -d $(DESTDIR)/etc/bash_completion.d + install -m 644 files/bash-completion $(DESTDIR)/etc/bash_completion.d/fail2ban +- : # Install systemd files ++ : # Install systemd files, even in backport version just in case even though ++ : # other systemd preparation activities are not carried out + install -d $(DESTDIR)/lib/systemd/system + install -d $(DESTDIR)/usr/lib/tmpfiles.d + install -m 644 files/fail2ban.service $(DESTDIR)/lib/systemd/system diff --git a/debian/patches/saucy-dsc-patch b/debian/patches/saucy-dsc-patch new file mode 120000 index 00000000..093e2109 --- /dev/null +++ b/debian/patches/saucy-dsc-patch @@ -0,0 +1 @@ +neurodebian_use_python2
\ No newline at end of file
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..72c26109
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+deb_path_to_common
+deb_init_paths
+deb_manpages_reportbug
diff --git a/debian/patches/trusty-dsc-patch b/debian/patches/trusty-dsc-patch
new file mode 120000
index 00000000..093e2109
--- /dev/null
+++ b/debian/patches/trusty-dsc-patch
@@ -0,0 +1 @@
+neurodebian_use_python2
\ No newline at end of file
diff --git a/debian/patches/utopic-dsc-patch b/debian/patches/utopic-dsc-patch
new file mode 120000
index 00000000..093e2109
--- /dev/null
+++ b/debian/patches/utopic-dsc-patch
@@ -0,0 +1 @@
+neurodebian_use_python2
\ No newline at end of file
diff --git a/debian/patches/wheezy-dsc-patch b/debian/patches/wheezy-dsc-patch
new file mode 120000
index 00000000..093e2109
--- /dev/null
+++ b/debian/patches/wheezy-dsc-patch
@@ -0,0 +1 @@
+neurodebian_use_python2
\ No newline at end of file
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 00000000..9e2fd2fb
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,98 @@ +#! /bin/sh +# postinst script for fail2ban +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postinst> `configure' <most-recently-configured-version> +# * <old-postinst> `abort-upgrade' <new version> +# * <conflictor's-postinst> `abort-remove' `in-favour' <package> +# <new-version> +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package +# +preversion=$2 + +case "$1" in + configure) + # To fix the bug in generated by previous version files permissions + # also closes #352053 + + LOG=/var/log/fail2ban.log + touch $LOG + chown root:adm ${LOG}* + chmod 640 ${LOG}* + + # Note regarding changed configuration file + # Note regarding changed configuration file + if [ ! -z $preversion ]; then + if dpkg --compare-versions $preversion lt 0.7.1-1; then + cat <<EOF +WARNING! + + Fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you + customized any of provided configuration or startup files + (/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban), please + read relevant entry in /usr/share/doc/fail2ban/NEWS.Debian.gz. + +EOF + fi + if dpkg --compare-versions $preversion lt 0.5.4-5.14; then + cat <<EOF +WARNING! + + Configuration file /etc/fail2ban.conf, failregex configuration + parameter specificly, were changed in 0.5.4-5 to close reported + security breach, and in 0.5.4-5.14 to close few other bugs. + +updating from <0.5.4-5 + Unless configuration file (or corresponding failregex'es) gets updated, + security breach is not closed and corresponding warning will be reported + by the fail2ban (in the log files). 
+ +updating from <0.5.4-5.14 + Bugs #329163, #331695 dealing with changed iptables rules + outside of fail2ban were fixed in 0.5.4-5.14, and require upgrade of the + configuration file (fwcheck option was introduced) to take full + advantage of the problem solution (otherwise some problems might + persist) + + Please review the configuration file and make appropriate changes. +ENJOY! + +EOF + fi + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +if dpkg-maintscript-helper supports mv_conffile 2>/dev/null; then + dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@" + dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@" + dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@" + dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@" + dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@" +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + diff --git a/debian/postrm b/debian/postrm new file mode 100755 index 00000000..5ff30129 --- /dev/null +++ b/debian/postrm 
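Review bot: `if [ ! -z $preversion ]; then` leaves `$preversion` unquoted; on a fresh install the value is empty and the test only skips the block because `[ ! -z ]` degrades to a one-argument string test, so write it as `if [ -n "$preversion" ]; then` and quote the variable on the two `dpkg --compare-versions "$preversion" lt …` lines as well. The `chown root:adm ${LOG}*` / `chmod 640 ${LOG}*` pair runs on every configure, so an administrator who set FAIL2BAN_USER in /etc/default/fail2ban gets the log ownership reset on each upgrade; debian/fail2ban.default states that the init script re-chowns on start, which deserves a comment here such as `# ownership is reset on every upgrade; the init script re-chowns for FAIL2BAN_USER on start`. The five `dpkg-maintscript-helper mv_conffile` lines are repeated verbatim in preinst and postrm; with compat 9, listing them once in `debian/fail2ban.maintscript` lets dh_installdeb emit the equivalent code into all three scripts through `#DEBHELPER#` and removes the risk of the three copies drifting apart.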
@@ -0,0 +1,52 @@
+#! /bin/sh
+# postrm script for fail2ban
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see /usr/doc/packaging-manual/
+
+
+case "$1" in
+ purge|disappear)
+
+ # Remove configuration
+ rm -f /etc/fail2ban.conf
+
+ # Remove logs
+ rm -f /var/log/fail2ban*
+
+ # Remove sqlite db
+ rm -f /var/lib/fail2ban/fail2ban.sqlite3
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade)
+ # nothing
+ # We may not delete the user fail2ban, as there may be
+ # files owned by it in /var/log/ and /etc/.
+ ;;
+esac
+
+if dpkg-maintscript-helper supports mv_conffile 2>/dev/null; then
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@"
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@"
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@"
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@"
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@"
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+
diff --git a/debian/preinst b/debian/preinst
new file mode 100755
index 00000000..dc6f46ca
--- /dev/null
+++ b/debian/preinst
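Review bot: `rm -f /var/log/fail2ban*` under `purge|disappear)` removes every /var/log entry whose name begins with fail2ban, not only the log that postinst creates and its rotations; `rm -f /var/log/fail2ban.log*` is the narrower glob that matches what logrotate produces from `/var/log/fail2ban.log`. The header comment `# for details, see /usr/doc/packaging-manual/` names a pre-FHS /usr/doc path, while the postinst added in the same commit already points at `http://www.debian.org/doc/debian-policy/`; the two headers should agree.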
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+if dpkg-maintscript-helper supports mv_conffile 2>/dev/null; then
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/action.d/firewall-cmd-direct-new.conf /etc/fail2ban/action.d/firewallcmd-new.conf 0.8.13-1~ -- "$@"
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/lighttpd-fastcgi.conf /etc/fail2ban/filter.d/suhosin.conf 0.8.13-1~ -- "$@"
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/sasl.conf /etc/fail2ban/filter.d/postfix-sasl.conf 0.8.13-1~ -- "$@"
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/couriersmtp.conf /etc/fail2ban/filter.d/courier-smtp.conf 0.9.0-1~ -- "$@"
+ dpkg-maintscript-helper mv_conffile /etc/fail2ban/filter.d/courierlogin.conf /etc/fail2ban/filter.d/courier-auth.conf 0.9.0-1~ -- "$@"
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 00000000..e04b9962
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,65 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +export PYBUILD_DISABLE_python2=1 + +%: + dh $@ --with python3,systemd --buildsystem pybuild + +DESTDIR=$(CURDIR)/debian/fail2ban +PYVERSION=$(shell py3versions -dv) + +override_dh_clean: + rm -rf fail2ban.egg-info + -rm debian/fail2ban.init + dh_clean + : # auto generated + -rm bin/fail2ban-python + +override_dh_install: + rm -f $(DESTDIR)/usr/share/doc/fail2ban/README.Solaris + rm -f $(DESTDIR)/etc/fail2ban/paths-fedora.conf + rm -f $(DESTDIR)/etc/fail2ban/paths-freebsd.conf + rm -f $(DESTDIR)/etc/fail2ban/paths-osx.conf + : # Remove explicitely created /var/run/fail2ban + : # just to please lintian since init file will + : # take care about it anyways + rm -rf $(DESTDIR)/var/run/ $(DESTDIR)/run/ + : # Install monit configuration + install -d $(DESTDIR)/etc/monit/monitrc.d + install -m 644 files/monit/fail2ban $(DESTDIR)/etc/monit/monitrc.d/fail2ban + : # Install bash completion + install -d $(DESTDIR)/etc/bash_completion.d + install -m 644 files/bash-completion $(DESTDIR)/etc/bash_completion.d/fail2ban + : # Install systemd files + install -d $(DESTDIR)/lib/systemd/system + install -d $(DESTDIR)/usr/lib/tmpfiles.d + install -m 644 files/fail2ban.service $(DESTDIR)/lib/systemd/system + install -m 644 files/fail2ban-tmpfiles.conf $(DESTDIR)/usr/lib/tmpfiles.d + install -d $(DESTDIR)/lib/systemd/system + : # Install default jail enabler + install -m 644 debian/debian-files/jail.d_defaults-debian.conf $(DESTDIR)/etc/fail2ban/jail.d/defaults-debian.conf + dh_install + +override_dh_auto_test: +ifeq (,$(filter 
nocheck,$(DEB_BUILD_OPTIONS))) + cd build && LC_ALL=C.UTF-8 FAIL2BAN_CONFIG_DIR="$(CURDIR)/config" PYTHONPATH="$(CURDIR)/.pybuild/pythonX.Y_$(PYVERSION)/build/" scripts-*/fail2ban-testcases --no-network +endif + +override_dh_installexamples: + dh_installexamples files/ipmasq-* files/nagios files/cacti + +override_dh_installinit: + cp -p files/debian-initd debian/fail2ban.init + dh_installinit -- defaults 99 + +override_dh_installman: + dh_installman man/*.[15] diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 00000000..163aaf8d --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/watch b/debian/watch new file mode 100644 index 00000000..84421431 --- /dev/null +++ b/debian/watch @@ -0,0 +1,6 @@ +# watch control file for uscan +# Run the "uscan" command to check for upstream updates and more. +# Site Directory Pattern Version Script +version=3 +opts="filenamemangle=s/.*\/(.*)/fail2ban-$1\.tar\.gz/" \ + http://github.com/fail2ban/fail2ban/tags .*archive/(\d[\d\.]+).tar.gz |
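Review bot: `-rm debian/fail2ban.init` and `-rm bin/fail2ban-python` in override_dh_clean use Make's ignore-errors prefix, which prints an "(ignored)" error on every clean of a fresh tree and also masks failures other than a missing file; `rm -f debian/fail2ban.init` and `rm -f bin/fail2ban-python` give the intended semantics and keep real errors visible. In override_dh_install, `install -d $(DESTDIR)/lib/systemd/system` appears twice, once under the systemd comment and again after the tmpfiles install, so the second copy can go. `PYVERSION=$(shell py3versions -dv)` is a recursive assignment, so the shell command re-runs on each expansion; `PYVERSION := $(shell py3versions -dv)` evaluates it once at parse time.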
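Review bot: `http://github.com/fail2ban/fail2ban/tags` makes uscan fetch the upstream tarball over cleartext HTTP, and the file sets no `pgpsigurlmangle` or signing-key check, so nothing verifies what is downloaded beyond the transport itself. `https://github.com/fail2ban/fail2ban/tags` is the minimum change; in practice GitHub redirects http to https, but the first request and the redirect target are still unauthenticated until the URL itself is https.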