authorYaroslav Halchenko <debian@onerussian.com>2007-10-16 17:01:23 -0400
committerYaroslav Halchenko <debian@onerussian.com>2007-10-16 17:01:23 -0400
commitbce05a128527cd5b032d4f72ee714867ebae0188 (patch)
treedf40be5ea1eda669c03e18eac2e8db102bd7914f
parent8323a8cac841932cd763453d70c4e1a58605bb92 (diff)
parente40468dfd3533eb4cd8f196d41b62dd72cfc4d5c (diff)
downloadfail2ban-sdist/0.8.1.tar.gz
Upgraded to fresh upstream 0.8.1sdist/0.8.1
-rw-r--r--CHANGELOG27
-rw-r--r--PKG-INFO2
-rw-r--r--README10
-rw-r--r--common/version.py8
-rw-r--r--config/action.d/iptables-allports.conf65
-rw-r--r--config/action.d/mail-buffered.conf2
-rw-r--r--config/action.d/mail-whois-lines.conf4
-rw-r--r--config/action.d/mail-whois.conf4
-rw-r--r--config/action.d/mail.conf4
-rw-r--r--config/action.d/sendmail-buffered.conf105
-rw-r--r--config/action.d/sendmail-whois-lines.conf88
-rw-r--r--config/action.d/sendmail-whois.conf82
-rw-r--r--config/action.d/sendmail.conf80
-rw-r--r--config/filter.d/named-refused.conf34
-rw-r--r--config/filter.d/proftpd.conf3
-rw-r--r--config/filter.d/pure-ftpd.conf2
-rw-r--r--config/filter.d/sshd-ddos.conf4
-rw-r--r--config/filter.d/sshd.conf12
-rw-r--r--config/filter.d/vsftpd.conf6
-rw-r--r--config/filter.d/webmin-auth.conf28
-rw-r--r--config/filter.d/wuftpd.conf4
-rw-r--r--config/jail.conf60
-rwxr-xr-xfail2ban-regex109
-rwxr-xr-xfiles/redhat-initd2
-rwxr-xr-xfiles/suse-initd96
-rw-r--r--man/fail2ban-client.14
-rw-r--r--man/fail2ban-regex.113
-rw-r--r--man/fail2ban-server.14
-rw-r--r--server/datedetector.py12
-rw-r--r--server/failregex.py10
-rw-r--r--server/filter.py48
-rw-r--r--server/regex.py9
32 files changed, 843 insertions, 98 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 94a7b411..6d05c5c8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,9 +4,34 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_|
=============================================================
-Fail2Ban (version 0.8.0) 2007/05/03
+Fail2Ban (version 0.8.1) 2007/08/14
=============================================================
+ver. 0.8.1 (2007/08/14) - stable
+----------
+- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
+- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
+- Improved regular expressions. Thanks to Yaroslav Halchenko
+ and others
+- Added sendmail actions. The action started with "mail" are
+ now deprecated. Thanks to Raphaël Marichez
+- Added "ignoreregex" support to fail2ban-regex
+- Updated suse-initd and added it to MANIFEST. Thanks to
+ Christian Rauch
+- Tightening up the pid check in redhat-initd. Thanks to
+ David Nutter
+- Added webmin authentication filter. Thanks to Guillaume
+ Delvit
+- Removed textToDns() which is not required anymore. Thanks
+ to Yaroslav Halchenko
+- Added new action iptables-allports. Thanks to Yaroslav
+ Halchenko
+- Added "named" date format to date detector. Thanks to
+ Yaroslav Halchenko
+- Added filter file for named (bind9). Thanks to Yaroslav
+ Halchenko
+- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
+
ver. 0.8.0 (2007/05/03) - stable
----------
- Fixed RedHat init script. Thanks to Jonathan Underwood
diff --git a/PKG-INFO b/PKG-INFO
index f1c670ae..d05c8004 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.0
Name: fail2ban
-Version: 0.8.0
+Version: 0.8.1
Summary: Ban IPs that make too many password failure
Home-page: http://fail2ban.sourceforge.net
Author: Cyril Jaquier
diff --git a/README b/README
index 7a4aa86f..5cece798 100644
--- a/README
+++ b/README
@@ -4,7 +4,7 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_|
=============================================================
-Fail2Ban (version 0.8.0) 2007/05/03
+Fail2Ban (version 0.8.1) 2007/08/14
=============================================================
Fail2Ban scans log files like /var/log/pwdfail and bans IP
@@ -28,8 +28,8 @@ Optional:
To install, just do:
-> tar xvfj fail2ban-0.8.0.tar.bz2
-> cd fail2ban-0.8.0
+> tar xvfj fail2ban-0.8.1.tar.bz2
+> cd fail2ban-0.8.1
> python setup.py install
This will install Fail2Ban into /usr/share/fail2ban. The
@@ -73,7 +73,9 @@ Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler,
Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand,
René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch,
-Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner
+Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner,
+Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
+Delvit, Vaclav Misek
License:
--------
diff --git a/common/version.py b/common/version.py
index 952236c6..8b2a3d84 100644
--- a/common/version.py
+++ b/common/version.py
@@ -16,12 +16,12 @@
# Author: Cyril Jaquier
#
-# $Revision: 578 $
+# $Revision: 614 $
__author__ = "Cyril Jaquier"
-__version__ = "$Revision: 578 $"
-__date__ = "$Date: 2007-05-03 22:30:28 +0200 (Thu, 03 May 2007) $"
+__version__ = "$Revision: 614 $"
+__date__ = "$Date: 2007-08-14 23:39:15 +0200 (Tue, 14 Aug 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
-version = "0.8.0"
+version = "0.8.1"
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf
new file mode 100644
index 00000000..a3c82af7
--- /dev/null
+++ b/config/action.d/iptables-allports.conf
@@ -0,0 +1,65 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+# made active on all ports from original iptables.conf
+#
+# $Revision: 606 $
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I INPUT -p <protocol> -j fail2ban-<name>
+
+# Option: actionend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
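Review bot: `actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>` is a substring match, so when one jail's chain name is a prefix of another's (`fail2ban-SSH` versus `fail2ban-SSH-ddos`) the check still reports the chain as present after it has been deleted, and the following `actionban` fails instead of letting Fail2Ban rerun `actionstart` to recreate it. Anchor the match on the whole chain name, e.g. `actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'`. Separately, the comment block above `actionstop` is headed `# Option: actionend` although the key it documents is `actionstop`; the two should agree.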
diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf
index 973d48ec..a39ca2b2 100644
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@@ -12,7 +12,7 @@
# Values: CMD
#
actionstart = echo -en "Hi,\n
- The jail <name> has been started successfuly.\n
+ The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
index db1278df..a26306c9 100644
--- a/config/action.d/mail-whois-lines.conf
+++ b/config/action.d/mail-whois-lines.conf
@@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
-# $Revision: 520 $
+# $Revision: 595 $
#
[Definition]
@@ -12,7 +12,7 @@
# Values: CMD
#
actionstart = echo -en "Hi,\n
- The jail <name> has been started successfuly.\n
+ The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf
index 4be4af1a..d92447de 100644
--- a/config/action.d/mail-whois.conf
+++ b/config/action.d/mail-whois.conf
@@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
-# $Revision: 510 $
+# $Revision: 595 $
#
[Definition]
@@ -12,7 +12,7 @@
# Values: CMD
#
actionstart = echo -en "Hi,\n
- The jail <name> has been started successfuly.\n
+ The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf
index f702d23b..905b3672 100644
--- a/config/action.d/mail.conf
+++ b/config/action.d/mail.conf
@@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
-# $Revision: 510 $
+# $Revision: 595 $
#
[Definition]
@@ -12,7 +12,7 @@
# Values: CMD
#
actionstart = echo -en "Hi,\n
- The jail <name> has been started successfuly.\n
+ The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf
new file mode 100644
index 00000000..8fc53cde
--- /dev/null
+++ b/config/action.d/sendmail-buffered.conf
@@ -0,0 +1,105 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 604 $
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = echo -en "Subject: [Fail2Ban] <name>: started
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = if [ -f <tmpfile> ]; then
+ echo -en "Subject: [Fail2Ban] <name>: summary
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ rm <tmpfile>
+ fi
+ echo -en "Subject: [Fail2Ban] <name>: stopped
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = echo `date`": <ip> (<failures> failures)" >> <tmpfile>
+ LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
+ if [ $LINE -eq <lines> ]; then
+ echo -en "Subject: [Fail2Ban] <name>: summary
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ rm <tmpfile>
+ fi
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
+# Sender of the mail
+#
+sender = fail2ban
+
+# Default number of lines that are buffered
+#
+lines = 5
+
+# Default temporary file
+#
+tmpfile = /tmp/fail2ban-mail.txt
+
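Review bot: `tmpfile = /tmp/fail2ban-mail.txt` is a fixed, predictable name in a world-writable directory, and `actionban` appends to it with `>>` and later `cat`s and `rm`s it with whatever privileges Fail2Ban runs with (normally root, since the iptables actions it is paired with in jail.conf need them). Any local user can pre-create that name as a symlink so the append lands in a file of their choosing, or seed it with lines that are then mailed to `<dest>` as if they were bans. Keep the buffer in a directory only Fail2Ban can write, e.g. `tmpfile = /var/run/fail2ban/tmp-mail.txt` (the directory must exist and be root-owned; whether the daemon creates one is not visible in this diff). The `[ $LINE -eq <lines> ]` test also never flushes a buffer that already holds more than `<lines>` entries, for instance after `lines` is lowered; `-ge` would be the safer comparison.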
diff --git a/config/action.d/sendmail-whois-lines.conf b/config/action.d/sendmail-whois-lines.conf
new file mode 100644
index 00000000..4a75d8bf
--- /dev/null
+++ b/config/action.d/sendmail-whois-lines.conf
@@ -0,0 +1,88 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 595 $
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = echo -en "Subject: [Fail2Ban] <name>: started
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n\n
+ Here are more information about <ip>:\n
+ `/usr/bin/whois <ip>`\n\n
+ Lines containing IP:<ip> in <logpath>\n
+ `/bin/grep '\<<ip>\>' <logpath>`\n\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
+# Sender of the mail
+#
+sender = fail2ban
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
+
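Review bot: In `actionban` the outputs of the `/usr/bin/whois <ip>` and `/bin/grep '\<<ip>\>' <logpath>` substitutions become part of the argument to `echo -en`, so backslash sequences inside those untrusted strings (a login name the attacker got written to the log, a whois record) are interpreted by echo: `\c` truncates the report and `\033...` sequences land in a mail the admin may read in a terminal. Emit the dynamic parts as separate commands in the pipeline so only the fixed template goes through `echo -e`; sendmail-buffered.conf already shows multi-line shell in an action, so the form below is supported. While there, `<ip>` is interpolated into a basic regex in which `.` matches any character; with GNU grep `grep -wF '<ip>'` matches the literal address instead. The sketch keeps the same message layout.
```ini
actionban = { echo -en "Subject: [Fail2Ban] <name>: banned <ip>
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The IP <ip> has just been banned by Fail2Ban after
              <failures> attempts against <name>.\n\n
              Here are more information about <ip>:\n"
              /usr/bin/whois <ip>
              echo -en "\n\nLines containing IP:<ip> in <logpath>\n"
              /bin/grep -wF '<ip>' <logpath>
              echo -en "\n\nRegards,\n
              Fail2Ban"
            } | /usr/sbin/sendmail -f <sender> <dest>
```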
diff --git a/config/action.d/sendmail-whois.conf b/config/action.d/sendmail-whois.conf
new file mode 100644
index 00000000..04f523ae
--- /dev/null
+++ b/config/action.d/sendmail-whois.conf
@@ -0,0 +1,82 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 595 $
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = echo -en "Subject: [Fail2Ban] <name>: started
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n\n
+ Here are more information about <ip>:\n
+ `/usr/bin/whois <ip>`\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
+# Sender of the mail
+#
+sender = fail2ban
+
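Review bot: `/usr/bin/whois <ip>` in `actionban` runs with no timeout, so a slow or unreachable whois server stalls the action for as long as the client is willing to wait, and as far as I can tell from how actions are executed, later bans for the jail queue behind it. Wrap the lookup in a timeout where the platform provides one (GNU coreutils `timeout`, for example) so a dead whois server degrades to a report without the lookup rather than a stuck jail. The lookup also sends every banned address to a third-party whois server and mails back its untrusted output, which is worth stating in the header: `# NOTE: actionban queries a remote whois server for each banned IP and mails its (untrusted) output to <dest>`.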
diff --git a/config/action.d/sendmail.conf b/config/action.d/sendmail.conf
new file mode 100644
index 00000000..57ac41a5
--- /dev/null
+++ b/config/action.d/sendmail.conf
@@ -0,0 +1,80 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 595 $
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = echo -en "Subject: [Fail2Ban] <name>: started
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
+# Sender of the mail
+#
+sender = fail2ban
+
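Review bot: The comment block above `actionstop` is headed `# Option: actionend`, here and in the other three new sendmail-*.conf files, but the key it documents is `actionstop`; change it to `# Option: actionstop` so the documentation and the option agree. The default `sender = fail2ban` is a bare local name that the MTA qualifies with the host's own domain, which is fine for local delivery but will be rejected by many remote mail servers; say so where the default is set, e.g. `# Sender of the mail (a bare name is qualified by the local MTA; use a full address if <dest> is remote)`.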
diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf
new file mode 100644
index 00000000..435a2e70
--- /dev/null
+++ b/config/filter.d/named-refused.conf
@@ -0,0 +1,34 @@
+# Fail2Ban configuration file for named (bind9). Trying to generalize the
+# structure which is general to capture general patterns in log
+# lines to cover different configurations/distributions
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision: 608 $
+#
+
+[Definition]
+
+# if you want to catch only login erros from specific daemons, use smth like
+#_named_rcodes=(?:REFUSED|SERVFAIL)
+# To catch all REFUSED queries only
+_named_rcodes=REFUSED
+_daemon=named
+
+#
+# Shortcuts for easier comprehension of the failregex
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+# hostname daemon_id spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$
+ %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
+
+
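Review bot: The first failregex, `unexpected RCODE \(REFUSED\) resolving '.*': <HOST>#\S+$`, appears to match a different event from the second one: as far as I know BIND logs `unexpected RCODE` when a remote server answers one of named's own recursive queries with REFUSED, so `<HOST>` there is an upstream nameserver rather than a client attacking this host, and banning it cuts this resolver off from that server for `bantime`. Unless blocking misbehaving upstreams is the intent, drop that line or make it opt-in, and state in the option comment that the remaining `client <HOST>#port: query ... denied` pattern targets clients whose queries named refused. The file also omits the `ignoreregex =` stanza that webmin-auth.conf and the existing filters carry; the new `readIgnoreRegex` in fail2ban-regex exits when that option is missing from a filter file, so add `ignoreregex =` with the usual comment block for consistency.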
diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf
index ec20d492..331849b7 100644
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@@ -2,7 +2,7 @@
#
# Author: Yaroslav Halchenko
#
-# $Revision: 510 $
+# $Revision: 603 $
#
[Definition]
@@ -15,6 +15,7 @@
# Values: TEXT
#
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
+ \(\S*\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect password.$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf
index 31557468..1933d6e0 100644
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@@ -19,7 +19,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = pure-ftpd: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
+failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/sshd-ddos.conf b/config/filter.d/sshd-ddos.conf
index 433ef877..ea0e0956 100644
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@@ -2,7 +2,7 @@
#
# Author: Yaroslav Halchenko
#
-# $Revision: 510 $
+# $Revision: 592 $
#
[Definition]
@@ -14,7 +14,7 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = sshd\[\S*\]: Did not receive identification string from <HOST>
+failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index b24e34f0..96a3ae6a 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
-# $Revision: 551 $
+# $Revision: 613 $
#
[Definition]
@@ -14,10 +14,12 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = Authentication failure for .* from <HOST>
- Failed [-/\w]+ for .* from <HOST>
- ROOT LOGIN REFUSED .* FROM <HOST>
- [iI](?:llegal|nvalid) user .* from <HOST>
+failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
+ Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
+ ROOT LOGIN REFUSED.* FROM <HOST>\s*$
+ [iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+ User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
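Review bot: The trailing anchors added here close the spoofing hole the CHANGELOG credits to Daniel B. Cid only because `.*` is greedy, so a login name such as `x from 10.0.0.1` is consumed and the engine binds `<HOST>` to the last `from`; nothing in the file records that, and a later tidy-up to `.*?` would silently reopen the bug. Add the invariant to the option comment: `# NOTE: keep the trailing \s*$ anchors and the greedy .*: the real host is the LAST "from <HOST>" on the line; a lazy .*? lets an attacker-chosen login name containing "from 1.2.3.4" pick the banned address.` Separately, `Failed [-/\w]+ for` also matches OpenSSH's `Failed none for ...` line, which I believe is logged once per connection when a client probes the `none` method before authenticating, so an ordinary login can count as a failure; if that is unintended, `Failed (?:password|publickey|keyboard-interactive[-/\w]*) for` limits the match to real attempts.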
diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index 06941689..3775e803 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
-# $Revision: 534 $
+# $Revision: 610 $
#
[Definition]
@@ -14,8 +14,8 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
- \[.+\] FAIL LOGIN: Client "<HOST>"$
+failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=<HOST>\s*$
+ \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
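Review bot: Anchoring the PAM line as `rhost=<HOST>\s*$` assumes `rhost=` is the last field, but pam_unix normally writes `... ruser=<name> rhost=<addr>  user=<name>` when the user is known, and `<HOST>` expands to `\S+`, so those lines stop matching and vsftpd brute force via PAM goes unbanned (the exact format depends on the PAM module in use, which this diff does not show). Keep the anchor but allow the trailing field: `rhost=<HOST>(?:\s+user=\S*)?\s*$`. The same anchoring was added to wuftpd.conf in this commit.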
diff --git a/config/filter.d/webmin-auth.conf b/config/filter.d/webmin-auth.conf
new file mode 100644
index 00000000..042e5bc4
--- /dev/null
+++ b/config/filter.d/webmin-auth.conf
@@ -0,0 +1,28 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Rule by : Delvit Guillaume
+#
+# $Revision: 601 $
+#
+
+[Definition]
+
+# patern : webmin[15673]: Non-existent login as toto from 86.0.6.217
+# webmin[29544]: Invalid login as root from 86.0.6.217
+#
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>\S+)
+# Values: TEXT
+#
+failregex = webmin.* Non-existent login as .+ from <HOST>$
+ webmin.* Invalid login as .+ from <HOST>$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
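Review bot: `webmin.* Non-existent login as .+ from <HOST>$` lets `.*` swallow anything between the daemon name and the message, so the pattern also fires on unrelated lines that merely mention webmin earlier, such as syslog lines forwarded from another host or other tools' messages. The example lines in the header show the fixed `webmin[<pid>]:` prefix, so match it: `webmin(?:\[\d+\])?: Non-existent login as .+ from <HOST>\s*$` and likewise for `Invalid login`, with `\s*$` tolerating trailing whitespace as sshd.conf now does.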
diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf
index e7981e1e..7c2a8acb 100644
--- a/config/filter.d/wuftpd.conf
+++ b/config/filter.d/wuftpd.conf
@@ -2,7 +2,7 @@
#
# Author: Yaroslav Halchenko
#
-# $Revision: $
+# $Revision: 592 $
#
[Definition]
@@ -11,4 +11,4 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
-failregex = wu-ftpd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
+failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$
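Review bot: The `$` added after `rhost=<HOST>` has the same weakness as the vsftpd.conf change in this commit: a pam_unix failure line usually ends `rhost=<addr>  user=<name>`, and with `<HOST>` being `\S+` the anchored pattern no longer matches that form. Use `rhost=<HOST>(?:\s+user=\S*)?\s*$`, which keeps the anchoring (the point of this change) while tolerating the trailing field.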
diff --git a/config/jail.conf b/config/jail.conf
index d381bcaa..f7f134f2 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
-# $Revision: 552 $
+# $Revision: 611 $
#
# The DEFAULT allows a global definition of the options. They can be override
@@ -45,7 +45,7 @@ backend = auto
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
- mail-whois[name=SSH, dest=yourmail@mail.com]
+ sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/sshd.log
maxretry = 5
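Review bot: The placeholder `dest=you@mail.com` / `sender=fail2ban@mail.com` points at a real mail provider, so an admin who flips `enabled = true` without editing the address mails ban reports, including whois output and, with sendmail-whois-lines, raw log lines, to whoever owns that mailbox. Use a reserved example domain in every sample jail, e.g. `sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com]`, so an unedited template can never deliver off-host.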
@@ -54,7 +54,7 @@ maxretry = 5
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
- mail-whois[name=ProFTPD, dest=yourmail@mail.com]
+ sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
@@ -66,7 +66,7 @@ enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
- mail-whois[name=sasl, dest=yourmail@mail.com]
+ sendmail-whois[name=sasl, dest=you@mail.com]
logpath = /var/log/mail.log
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
@@ -77,7 +77,7 @@ logpath = /var/log/mail.log
enabled = false
filter = sshd
action = hostsdeny
- mail-whois[name=SSH, dest=yourmail@mail.com]
+ sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath = /var/log/sshd.log
@@ -101,7 +101,7 @@ maxretry = 6
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
- mail[name=Postfix, dest=yourmail@mail.com]
+ sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/postfix.log
bantime = 300
@@ -112,7 +112,7 @@ bantime = 300
enabled = false
filter = vsftpd
-action = mail-whois[name=VSFTPD, dest=yourmail@mail.com]
+action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
@@ -124,7 +124,7 @@ bantime = 1800
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
- mail-whois[name=VSFTPD, dest=yourmail@mail.com]
+ sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
@@ -137,7 +137,7 @@ bantime = 1800
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
- mail-buffered[name=BadBots, lines=5, dest=yourmail@mail.com]
+ sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1
@@ -149,7 +149,7 @@ maxretry = 1
enabled = false
filter = apache-noscript
action = shorewall
- mail[name=Postfix, dest=yourmail@mail.com]
+ sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/apache2/error_log
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
@@ -162,6 +162,44 @@ logpath = /var/log/apache2/error_log
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
- mail-whois[name="SSH,IPFW", dest=yourmail@mail.com]
+ sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1
+
+# These jails block attacks against named (bind9). By default, logging is off
+# with bind9 installation. You will need something like this:
+#
+# logging {
+# channel lame-servers_file {
+# file "/var/log/named/lame-servers.log" versions 3 size 30m;
+# severity dynamic;
+# print-time yes;
+# };
+# category lame-servers {
+# lame-servers_file;
+# };
+# }
+#
+# in your named.conf to provide proper logging.
+# This jail blocks UDP traffic for DNS requests.
+
+[named-refused-udp]
+
+enabled = false
+filter = named-refused
+action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+ sendmail-whois[name=Named, dest=you@mail.com]
+logpath = /var/log/named/lame-servers.log
+ignoreip = 168.192.0.1
+
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused-tcp]
+
+enabled = false
+filter = named-refused
+action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
+ sendmail-whois[name=Named, dest=you@mail.com]
+logpath = /var/log/named/lame-servers.log
+ignoreip = 168.192.0.1
+
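Review bot: `[named-refused-udp]` and `[named-refused-tcp]` both pass `name=Named` to iptables-multiport; if that action names its chain `fail2ban-<name>` the way iptables-allports does in this commit, the two jails share one `fail2ban-Named` chain, the second `actionstart` fails because the chain already exists, and stopping either jail flushes and deletes the chain the other still references. Give each jail its own name, `name=Named-udp` and `name=Named-tcp`. `ignoreip = 168.192.0.1` is copied from the ipfw example above and looks like a transposition of the `192.168.0.1` that example uses for `localhost=`; if it is a deliberate placeholder, a comment should say so.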
diff --git a/fail2ban-regex b/fail2ban-regex
index 59d17fdf..7c14611a 100755
--- a/fail2ban-regex
+++ b/fail2ban-regex
@@ -17,11 +17,11 @@
# Author: Cyril Jaquier
#
-# $Revision: 530 $
+# $Revision: 596 $
__author__ = "Cyril Jaquier"
-__version__ = "$Revision: 530 $"
-__date__ = "$Date: 2007-01-29 21:31:04 +0100 (Mon, 29 Jan 2007) $"
+__version__ = "$Revision: 596 $"
+__date__ = "$Date: 2007-07-10 21:54:01 +0200 (Tue, 10 Jul 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@@ -68,6 +68,7 @@ class Fail2banRegex:
def __init__(self):
self.__filter = Filter(None)
+ self.__ignoreregex = list()
self.__failregex = list()
# Setup logging
logging.getLogger("fail2ban").handlers = []
@@ -92,7 +93,7 @@ class Fail2banRegex:
@staticmethod
def dispUsage():
- print "Usage: "+sys.argv[0]+" [OPTIONS] <LOG> <REGEX>"
+ print "Usage: "+sys.argv[0]+" [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]"
print
print "Fail2Ban v" + version + " reads log file that contains password failure report"
print "and bans the corresponding IP addresses using firewall rules."
@@ -111,6 +112,10 @@ class Fail2banRegex:
print " string a string representing a 'failregex'"
print " filename path to a filter file (filter.d/sshd.conf)"
print
+ print "IgnoreRegex:"
+ print " string a string representing an 'ignoreregex'"
+ print " filename path to a filter file (filter.d/sshd.conf)"
+ print
print "Report bugs to <lostcontrol@users.sourceforge.net>"
def getCmdLineOptions(self, optList):
@@ -128,6 +133,35 @@ class Fail2banRegex:
def logIsFile(value):
return os.path.isfile(value)
+ def readIgnoreRegex(self, value):
+ if os.path.isfile(value):
+ reader = SafeConfigParser()
+ try:
+ reader.read(value)
+ print "Use ignoreregex file : " + value
+ self.__ignoreregex = [RegexStat(m)
+ for m in reader.get("Definition", "ignoreregex").split('\n')]
+ except NoSectionError:
+ print "No [Definition] section in " + value
+ print
+ return False
+ except NoOptionError:
+ print "No failregex option in " + value
+ print
+ return False
+ except MissingSectionHeaderError:
+ print "No section headers in " + value
+ print
+ return False
+ else:
+ if len(value) > 53:
+ stripReg = value[0:50] + "..."
+ else:
+ stripReg = value
+ print "Use ignoreregex line : " + stripReg
+ self.__ignoreregex = [RegexStat(value)]
+ return True
+
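Review bot: The `except NoOptionError` branch in `readIgnoreRegex` prints `No failregex option in ...` although the option it looked up is `ignoreregex`, which sends the user chasing the wrong key; change it to `print "No ignoreregex option in " + value`. The method is otherwise a copy of `readRegex` with the option name and destination list swapped, so a private `_readRegexList(value, option)` that returns the list or `None` would leave one place to maintain these messages. Note too that a filter file with the usual empty `ignoreregex =` stanza (webmin-auth.conf in this commit) yields `[RegexStat('')]` here; what the filter does with an empty pattern when it is later compiled is not visible in this diff, so skipping blank entries with `if m.strip()` in the comprehension is the safer reading of that stanza.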
def readRegex(self, value):
if os.path.isfile(value):
reader = SafeConfigParser()
@@ -157,8 +191,27 @@ class Fail2banRegex:
self.__failregex = [RegexStat(value)]
return True
+ def testIgnoreRegex(self, line):
+ found = False
+ for regex in self.__ignoreregex:
+ logging.getLogger("fail2ban").setLevel(logging.DEBUG)
+ try:
+ self.__filter.addIgnoreRegex(regex.getFailRegex())
+ try:
+ ret = self.__filter.ignoreLine(line)
+ if ret:
+ regex.inc()
+ except RegexException, e:
+ print e
+ return False
+ finally:
+ self.__filter.delIgnoreRegex(0)
+ logging.getLogger("fail2ban").setLevel(logging.CRITICAL)
+
def testRegex(self, line):
found = False
+ for regex in self.__ignoreregex:
+ self.__filter.addIgnoreRegex(regex.getFailRegex())
for regex in self.__failregex:
logging.getLogger("fail2ban").setLevel(logging.DEBUG)
try:
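Review bot: The two `self.__filter.addIgnoreRegex(regex.getFailRegex())` calls added at the top of `testRegex` are not guarded the way the failregex loop below them is: a malformed ignore pattern that raises `RegexException` from `addIgnoreRegex` escapes as a traceback instead of the printed message the tool gives for a bad failregex (`testRegex` continues past the end of this hunk). In `testIgnoreRegex`, `found = False` is never read or returned, so a caller cannot distinguish success from the `return False` on error; either return the match flag or drop the variable. A guard in the same style as the failregex loop:
```python
	def testRegex(self, line):
		found = False
		for regex in self.__ignoreregex:
			try:
				self.__filter.addIgnoreRegex(regex.getFailRegex())
			except RegexException, e:
				print e
				return False
		# … unchanged: failregex loop and cleanup …
```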
@@ -182,6 +235,8 @@ class Fail2banRegex:
finally:
self.__filter.delFailRegex(0)
logging.getLogger("fail2ban").setLevel(logging.CRITICAL)
+ for regex in self.__ignoreregex:
+ self.__filter.delIgnoreRegex(0)
def printStats(self):
print
@@ -191,25 +246,51 @@ class Fail2banRegex:
# Print title
cnt = 1
- print "Failregex:"
+ print "Failregex"
+ print "|- Regular expressions:"
for failregex in self.__failregex:
- print "[" + str(cnt) + "] " + failregex.getFailRegex()
+ print "| [" + str(cnt) + "] " + failregex.getFailRegex()
cnt += 1
+ cnt = 1
- print
+ print "|"
# Print stats
cnt = 1
total = 0
- print "Number of matches:"
+ print "`- Number of matches:"
for failregex in self.__failregex:
match = failregex.getStats()
total += match
- print "[" + str(cnt) + "] " + str(match) + " match(es)"
+ print " [" + str(cnt) + "] " + str(match) + " match(es)"
cnt += 1
print
+ # Print title
+ cnt = 1
+ print "Ignoreregex"
+ print "|- Regular expressions:"
+ for failregex in self.__ignoreregex:
+ print "| [" + str(cnt) + "] " + failregex.getFailRegex()
+ cnt += 1
+ cnt = 1
+
+ print "|"
+
+ # Print stats
+ cnt = 1
+ print "`- Number of matches:"
+ for failregex in self.__ignoreregex:
+ match = failregex.getStats()
+ print " [" + str(cnt) + "] " + str(match) + " match(es)"
+ cnt += 1
+
+ print
+ print "Summary"
+ print "======="
+ print
+
if total == 0:
print "Sorry, no match"
print
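Review bot: The new Ignoreregex block reuses `failregex` as the loop variable over `self.__ignoreregex` and resets `cnt = 1` twice in a row (once after the listing loop, again before the stats loop); `for ignoreregex in self.__ignoreregex:` and a single reset would make it read like the Failregex block it copies. `total` still counts only failregex matches, so the Summary prints `Sorry, no match` even when every line was consumed by an ignoreregex; a comment such as `# total counts failregex matches only; ignored lines are reported above` would make that intentional. printStats continues beyond this hunk.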
@@ -236,7 +317,7 @@ class Fail2banRegex:
print "Date template hits:"
for template in self.__filter.dateDetector.getTemplates():
- print `template.getHits()` + " hit: " + template.getName()
+ print `template.getHits()` + " hit(s): " + template.getName()
print
@@ -260,7 +341,7 @@ if __name__ == "__main__":
# Process command line
fail2banRegex.getCmdLineOptions(optList)
# We need exactly 3 parameters
- if not len(sys.argv) == 3:
+ if not len(sys.argv) in (3, 4):
fail2banRegex.dispUsage()
sys.exit(-1)
else:
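Review bot: The context comment `# We need exactly 3 parameters` directly above the changed test is now stale, since 3 or 4 arguments are accepted; update it to `# We need 3 or 4 parameters (the ignoreregex is optional)`. The test itself reads more naturally as `if len(sys.argv) not in (3, 4):` than `if not len(sys.argv) in (3, 4):`. The enclosing `__main__` block extends beyond this hunk.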
@@ -269,6 +350,10 @@ if __name__ == "__main__":
print "============="
print
+ if len(sys.argv) == 4:
+ if fail2banRegex.readIgnoreRegex(sys.argv[3]) == False:
+ sys.exit(-1)
+
if fail2banRegex.readRegex(sys.argv[2]) == False:
sys.exit(-1)
@@ -278,6 +363,7 @@ if __name__ == "__main__":
print "Use log file : " + sys.argv[1]
print
for line in hdlr:
+ fail2banRegex.testIgnoreRegex(line)
fail2banRegex.testRegex(line)
except IOError, e:
print e
@@ -290,6 +376,7 @@ if __name__ == "__main__":
stripLog = sys.argv[1]
print "Use single line: " + stripLog
print
+ fail2banRegex.testIgnoreRegex(sys.argv[1])
fail2banRegex.testRegex(sys.argv[1])
if fail2banRegex.printStats():
diff --git a/files/redhat-initd b/files/redhat-initd
index 205294cf..529aef25 100755
--- a/files/redhat-initd
+++ b/files/redhat-initd
@@ -20,7 +20,7 @@ FAIL2BAN="/usr/bin/fail2ban-client"
RETVAL=0
getpid() {
- pid=`ps -ef | grep fail2ban-|grep -v grep|awk '{print $2}'`
+ pid=`ps -eo pid,comm | grep fail2ban- | awk '{ print $1 }'`
}
start() {
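Review bot: The rewritten getpid() still selects processes by name: `grep fail2ban-` over `ps -eo pid,comm` matches every process whose command name starts with `fail2ban-`, including the fail2ban-client this script itself invokes, so `pid` may hold several PIDs or a client's PID while the server is not running. Reading the server's pid file first (the SUSE script added in this commit probes /var/run/fail2ban.pid) and falling back to `ps` only when it is absent would be both narrower and more reliable. How `pid` is consumed is outside this hunk.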
diff --git a/files/suse-initd b/files/suse-initd
new file mode 100755
index 00000000..bbd679aa
--- /dev/null
+++ b/files/suse-initd
@@ -0,0 +1,96 @@
+#!/bin/sh
+#
+# /etc/init.d/fail2ban
+# and its symbolic link
+# /usr/sbin/rcfail2ban
+#
+### BEGIN INIT INFO
+# Provides: fail2ban
+# Required-Start: $syslog $remote_fs sendmail
+# Required-Stop: $syslog $remote_fs
+# Should-Stop: $time ypbind sendmail
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Description: startup Fail2Ban
+### END INIT INFO
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/sbin:/usr/bin:/bin
+FAIL2BAN_BIN=/usr/local/bin/fail2ban-client
+FAIL2BAN_SERVER=/usr/local/bin/fail2ban-server
+FAIL2BAN_SOCKET=/tmp/fail2ban.sock
+test -x $FAIL2BAN_BIN || { echo "$FAIL2BAN_BIN not installed";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 5; fi; }
+
+# Check for existence of needed config file and read it
+FAIL2BAN_CONFIG=/etc/fail2ban/fail2ban.conf
+test -r $FAIL2BAN_CONFIG || { echo "$FAIL2BAN_CONFIG not existing";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 6; fi; }
+
+. /etc/rc.status
+
+# Reset status of this service
+rc_reset
+
+case "$1" in
+ start)
+ echo -n "Starting Fail2Ban "
+ /sbin/startproc $FAIL2BAN_BIN start &>/dev/null
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down Fail2ban "
+ /sbin/startproc $FAIL2BAN_BIN -q stop
+ rc_status -v
+ ;;
+ try-restart|condrestart)
+ if test "$1" = "condrestart"; then
+ echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
+ fi
+ $0 status
+ if test $? = 0; then
+ $0 restart
+ else
+ rc_reset # Not running is not a failure.
+ fi
+ rc_status
+ ;;
+ restart)
+ $0 stop
+ echo -n "-wait a minute "
+ i=60
+ while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
+ sleep 1
+ i=$[$i-1]
+ echo -n "."
+ done
+ echo "."
+ $0 start
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ force-reload)
+ echo -n "Reload service Fail2ban "
+ /sbin/startproc $FAIL2BAN_BIN -q reload
+ rc_status -v
+ ;;
+ reload)
+ echo -n "Reload service Fail2ban "
+ /sbin/startproc $FAIL2BAN_BIN -q reload
+ rc_status -v
+ ;;
+ status)
+ echo -n "Checking for service Fail2ban "
+ /sbin/checkproc $FAIL2BAN_SERVER
+ rc_status -v
+ ;;
+ probe)
+ test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban.pid && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+ exit 1
+ ;;
+esac
+rc_exit \ No newline at end of file
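Review bot: FAIL2BAN_SOCKET is hard-coded to `/tmp/fail2ban.sock`, a path in a world-writable directory, and the restart branch uses the existence of that file as its readiness signal, so a stale or foreign file there makes the restart wait the full 60 seconds; the value is also not taken from the fail2ban.conf the script checks (the comment says "read it", but only `test -r` is done). A path under /var/run — `probe` already assumes /var/run/fail2ban.pid — or a value derived from the config would be consistent. Separately, `&>/dev/null` and `$[$i-1]` are bash extensions under a `#!/bin/sh` shebang; `>/dev/null 2>&1` and `i=$((i-1))` are the portable forms.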
diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1
index 3dd4111b..719ad7f8 100644
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@@ -1,11 +1,11 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.36.
-.TH FAIL2BAN-CLIENT "1" "May 2007" "fail2ban-client v0.8.0" "User Commands"
+.TH FAIL2BAN-CLIENT "1" "August 2007" "fail2ban-client v0.8.1" "User Commands"
.SH NAME
fail2ban-client \- configure and control the server
.SH DESCRIPTION
[?1034hUsage: ../fail2ban\-client [OPTIONS] <COMMAND>
.PP
-Fail2Ban v0.8.0 reads log file that contains password failure report
+Fail2Ban v0.8.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
.SH OPTIONS
.TP
diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1
index a7fae822..2556162e 100644
--- a/man/fail2ban-regex.1
+++ b/man/fail2ban-regex.1
@@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.36.
-.TH FAIL2BAN-REGEX "1" "May 2007" "fail2ban-regex v0.8.0" "User Commands"
+.TH FAIL2BAN-REGEX "1" "August 2007" "fail2ban-regex v0.8.1" "User Commands"
.SH NAME
fail2ban-regex \- test Fail2ban "failregex" option
.SH SYNOPSIS
.B fail2ban-regex
-[\fIOPTIONS\fR] \fI<LOG> <REGEX>\fR
+[\fIOPTIONS\fR] \fI<LOG> <REGEX> \fR[\fIIGNOREREGEX\fR]
.SH DESCRIPTION
-Fail2Ban v0.8.0 reads log file that contains password failure report
+Fail2Ban v0.8.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
.PP
This tools can test regular expressions for "fail2ban".
@@ -31,6 +31,13 @@ a string representing a 'failregex'
.TP
\fBfilename\fR
path to a filter file (filter.d/sshd.conf)
+.SS "IgnoreRegex:"
+.TP
+\fBstring\fR
+a string representing an 'ignoreregex'
+.TP
+\fBfilename\fR
+path to a filter file (filter.d/sshd.conf)
.SH AUTHOR
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1
index d8ed93cd..dfa3b185 100644
--- a/man/fail2ban-server.1
+++ b/man/fail2ban-server.1
@@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.36.
-.TH FAIL2BAN-SERVER "1" "May 2007" "fail2ban-server v0.8.0" "User Commands"
+.TH FAIL2BAN-SERVER "1" "August 2007" "fail2ban-server v0.8.1" "User Commands"
.SH NAME
fail2ban-server \- start the server
.SH SYNOPSIS
.B fail2ban-server
[\fIOPTIONS\fR]
.SH DESCRIPTION
-Fail2Ban v0.8.0 reads log file that contains password failure report
+Fail2Ban v0.8.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
.PP
Only use this command for debugging purpose. Start the server with
diff --git a/server/datedetector.py b/server/datedetector.py
index 127dc2c2..b02154e5 100644
--- a/server/datedetector.py
+++ b/server/datedetector.py
@@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
-# $Revision: 568 $
+# $Revision: 607 $
__author__ = "Cyril Jaquier"
-__version__ = "$Revision: 568 $"
-__date__ = "$Date: 2007-04-01 22:42:05 +0200 (Sun, 01 Apr 2007) $"
+__version__ = "$Revision: 607 $"
+__date__ = "$Date: 2007-08-09 00:16:22 +0200 (Thu, 09 Aug 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@@ -80,6 +80,12 @@ class DateDetector:
template.setRegex("\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
template.setPattern("%Y-%m-%d %H:%M:%S")
self.__templates.append(template)
+ # named 26-Jul-2007 15:20:52.252
+ template = DateStrptime()
+ template.setName("Day-Month-Year Hour:Minute:Second[.Millisecond]")
+ template.setRegex("\d{2}-\S{3}-\d{4} \d{2}:\d{2}:\d{2}")
+ template.setPattern("%d-%b-%Y %H:%M:%S")
+ self.__templates.append(template)
# TAI64N
template = DateTai64n()
template.setName("TAI64N")
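Review bot: The new named template's regex `\d{2}-\S{3}-\d{4} \d{2}:\d{2}:\d{2}` accepts any three non-space characters as the month, so a token like `12-xyz-2007 10:11:12` passes the regex and is presumably rejected only later by strptime with `%b`; `[A-Za-z]{3}` is tighter and cheaper. The template name advertises `[.Millisecond]`, but neither the regex nor the pattern consumes the fraction, so the comment should say so: `# named 26-Jul-2007 15:20:52.252 (the fractional seconds are left unmatched)`. The enclosing constructor continues outside the hunk.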
diff --git a/server/failregex.py b/server/failregex.py
index 2a373da5..e7d2b81b 100644
--- a/server/failregex.py
+++ b/server/failregex.py
@@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
-# $Revision: 503 $
+# $Revision: 589 $
__author__ = "Cyril Jaquier"
-__version__ = "$Revision: 503 $"
-__date__ = "$Date: 2006-12-23 17:31:00 +0100 (Sat, 23 Dec 2006) $"
+__version__ = "$Revision: 589 $"
+__date__ = "$Date: 2007-06-25 23:43:25 +0200 (Mon, 25 Jun 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@@ -40,9 +40,7 @@ class FailRegex(Regex):
# avoid construction of invalid object.
# @param value the regular expression
- def __init__(self, value):
- # Replace "<HOST>" with default regular expression for host.
- regex = value.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
+ def __init__(self, regex):
# Initializes the parent.
Regex.__init__(self, regex)
# Check for group "host"
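Review bot: The parameter was renamed from `value` to `regex`, but the doc comment two lines above the signature still reads `# @param value the regular expression`; update it to `# @param regex the regular expression`. Since the `<HOST>` expansion now happens in Regex.__init__ (see the regex.py hunk), a one-line note here, e.g. `# "<HOST>" is expanded by Regex; this class only checks for the "host" group`, saves the next reader from looking for the removed replace. The rest of the constructor is outside the hunk.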
diff --git a/server/filter.py b/server/filter.py
index f3330938..e3504f97 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
-# $Revision: 567 $
+# $Revision: 605 $
__author__ = "Cyril Jaquier"
-__version__ = "$Revision: 567 $"
-__date__ = "$Date: 2007-03-26 23:17:31 +0200 (Mon, 26 Mar 2007) $"
+__version__ = "$Revision: 605 $"
+__date__ = "$Date: 2007-08-08 00:11:34 +0200 (Wed, 08 Aug 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@@ -414,6 +414,20 @@ class Filter(JailThread):
return True
##
+ # Returns true if the line should be ignored.
+ #
+ # Uses ignoreregex.
+ # @param line: the line
+ # @return: a boolean
+
+ def ignoreLine(self, line):
+ for ignoreRegex in self.__ignoreRegex:
+ ignoreRegex.search(line)
+ if ignoreRegex.hasMatched():
+ return True
+ return False
+
+ ##
# Finds the failure in a line.
#
# Uses the failregex pattern to find it and timeregex in order
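Review bot: ignoreLine does not carry over the `logSys.debug("Ignoring this line")` that the following findFailure hunk removes, so lines suppressed by an ignoreregex no longer leave any trace in the debug log — and an over-broad ignoreregex silently suppressing bans is exactly the misconfiguration that trace helps diagnose. Suggest `logSys.debug("Ignoring this line")` immediately before `return True` in ignoreLine, so that the server and fail2ban-regex both report it. Also the blank line between the `##` doc block and `def ignoreLine` separates the two, unlike the block that follows; drop it.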
@@ -423,12 +437,9 @@ class Filter(JailThread):
def findFailure(self, line):
failList = list()
# Checks if we must ignore this line.
- for ignoreRegex in self.__ignoreRegex:
- ignoreRegex.search(line)
- if ignoreRegex.hasMatched():
- # The ignoreregex matched. Return.
- logSys.debug("Ignoring this line")
- return failList
+ if self.ignoreLine(line):
+ # The ignoreregex matched. Return.
+ return failList
# Iterates over all the regular expressions.
for failRegex in self.__failRegex:
failRegex.search(line)
@@ -493,17 +504,6 @@ class DNSUtils:
return list()
@staticmethod
- def textToDns(text):
- """ Search for possible DNS in an arbitrary text.
- Thanks to Tom Pike.
- """
- match = DNSUtils.DNS_CRE.match(text)
- if match:
- return match
- else:
- return None
-
- @staticmethod
def searchIP(text):
""" Search if an IP address if directly available and return
it.
@@ -538,11 +538,9 @@ class DNSUtils:
ipList.append(plainIPStr)
if not ipList:
# Try to get IP from possible DNS
- dns = DNSUtils.textToDns(text)
- if not dns == None:
- ip = DNSUtils.dnsToIp(dns.group(0))
- for e in ip:
- ipList.append(e)
+ ip = DNSUtils.dnsToIp(text)
+ for e in ip:
+ ipList.append(e)
return ipList
@staticmethod
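Review bot: searchIP now hands the whole `text` to DNSUtils.dnsToIp instead of the token the removed textToDns extracted with DNS_CRE, so whatever dnsToIp does with a name — presumably a resolver lookup; its body is outside this hunk — is now done on arbitrary log-line text without any syntactic check. For a tool that parses log lines it does not control, that means lookups on untrusted strings that can stall the filter thread on a slow resolver; if dnsToIp does not validate its argument, keep a hostname check (the `DNS_CRE` match this hunk removes) in front of the call. Removing the public static `textToDns` also breaks any external caller of it.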
diff --git a/server/regex.py b/server/regex.py
index dc5d2b83..d7592f5a 100644
--- a/server/regex.py
+++ b/server/regex.py
@@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
-# $Revision: 505 $
+# $Revision: 589 $
__author__ = "Cyril Jaquier"
-__version__ = "$Revision: 505 $"
-__date__ = "$Date: 2006-12-24 00:20:16 +0100 (Sun, 24 Dec 2006) $"
+__version__ = "$Revision: 589 $"
+__date__ = "$Date: 2007-06-25 23:43:25 +0200 (Mon, 25 Jun 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@@ -42,6 +42,9 @@ class Regex:
def __init__(self, regex):
self._matchCache = None
+ # Perform shortcuts expansions.
+ # Replace "<HOST>" with default regular expression for host.
+ regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
if regex.lstrip() == '':
raise RegexException("Cannot add empty regex")
try:
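Review bot: Moving the `<HOST>` expansion into Regex.__init__ applies it to every Regex, including ignoreregex values, not only FailRegex as before; the new comment should say so, e.g. `# Replace "<HOST>" with default regular expression for host (applies to every Regex, not only FailRegex).` The pattern is written as a plain string, so `\S` relies on Python leaving unknown escapes untouched; `r"(?:::f{4,6}:)?(?P<host>\S+)"` makes the intent explicit. The constructor continues past this hunk.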