FEDORA-2016-478f5063bc created by orion 4 years ago for Fedora 24
stable

Update to 0.9.4:

Fixes:
    roundcube-auth jail typo for logpath
    Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
    filter.d/apache-badbots.conf
        Updated useragent string regex adding escape for +
    filter.d/mysqld-auth.conf
        Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
    filter.d/sshd.conf
        Updated "Auth fail" regex for OpenSSH 5.9 and later
    Treat failed and killed execution of commands identically (only different log messages), which addresses different behavior on different exit codes of dash and bash (gh-1155)
    Fix jail.conf.5 man's section (gh-1226)
    Fixed default banaction for allports jails like pam-generic, recidive, etc with new default variable banaction_allports (gh-1216)
    Fixed fail2ban-regex stops working on invalid (wrong encoded) character for python version < 3.x (gh-1248)
    Use postfix_log logpath for postfix-rbl jail
    filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
    use fail2ban_agent as user-agent in actions badips, blocklist_de, etc (gh-1271)
    Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
    Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
    Removed compression and rotation count from logrotate (inherit them from the global logrotate config)

New Features:
    New interpolation feature for definition config readers - <known/parameter> (means last known init definition of filters or actions with name parameter). This interpolation makes possible to extend a parameters of stock filter or action directly in jail inside jail.local file, without creating a separately filter.d/*.local file. As extension to interpolation %(known/parameter)s, that does not works for filter and action init parameters
    New actions:
        nftables-multiport and nftables-allports - filtering using nftables framework. Note: it requires a pre-existing chain for the filtering rule.
    New filters:
        openhab - domotic software authentication failure with the rest api and web interface (gh-1223)
        nginx-limit-req - ban hosts, that were failed through nginx by limit request processing rate (ngx_http_limit_req_module)
        murmur - ban hosts that repeatedly attempt to connect to murmur/mumble-server with an invalid server password or certificate.
        haproxy-http-auth - filter to match failed HTTP Authentications against a HAProxy server
    New jails:
        murmur - bans TCP and UDP from the bad host on the default murmur port.
    sshd filter got new failregex to match "maximum authentication attempts exceeded" (introduced in openssh 6.8)
    Added filter for Mac OS screen sharing (VNC) daemon

Enhancements:
    Do not rotate empty log files
    Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59) http://bugs.debian.org/798923
    Added openSUSE path configuration (Thanks Johannes Weberhofer)
    Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
    Added a timeout (3 sec) to urlopen within badips.py action (Thanks M. Maraun)
    Added check against atacker's Googlebot PTR fake records (Thanks Pablo Rodriguez Fernandez)
    Enhance filter against atacker's Googlebot PTR fake records (gh-1226)
    Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
    Added filter for openhab domotic software authentication failure with the rest api and web interface (gh-1223)
    Add *_backend options for services to allow distros to set the default backend per service, set default to systemd for Fedora as appropriate
    Performance improvements while monitoring large number of files (gh-1265). Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia
    Specified that fail2ban is PartOf iptables.service firewalld.service in .service file -- would reload fail2ban if those services are restarted
    Provides new default fail2ban_version and interpolation variable fail2ban_agent in jail.conf
    Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, and to support multiple instances of postfix having varying suffix (gh-1331) (Thanks Tom Hendrikx)
    files/gentoo-initd to use start-stop-daemon to robustify restarting the service

How to install

sudo dnf upgrade --advisory=FEDORA-2016-478f5063bc

This update has been submitted for testing by orion.

4 years ago

orion edited this update.

4 years ago

This update has been pushed to testing.

4 years ago

This update has reached 6 days in testing and can be pushed to stable now if the maintainer wishes

4 years ago

orion edited this update.

New build(s):

  • fail2ban-0.9.4-5.fc24

Removed build(s):

  • fail2ban-0.9.4-2.fc24
4 years ago

This update has been submitted for testing by orion.

4 years ago

This update has been pushed to testing.

4 years ago
User Icon raj550 commented & provided feedback 4 years ago
karma

LGTM

User Icon linuxmodder commented & provided feedback 4 years ago
karma

wfm no issues seen

User Icon xake commented & provided feedback 4 years ago

Failed to restart firewalld.service: Transaction contains conflicting jobs 'restart' and 'stop' for fail2ban.service. Probably contradicting requirement dependencies configured.

BZ#1266512 Restarting firewalld.service should restart fail2ban.service

This update has been submitted for stable by bodhi.

4 years ago
User Icon gbcox commented & provided feedback 4 years ago
karma

Works for me

This update has been pushed to stable.

4 years ago

Please login to add feedback.

Metadata
Type
enhancement
Karma
3
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
disabled
Dates
submitted
4 years ago
in testing
4 years ago
in stable
4 years ago
modified
4 years ago
BZ#1266512 Restarting firewalld.service should restart fail2ban.service
-1
0
BZ#1324113 fail2ban: fail2ban-server requires both Python 2 and Python 3
0
0

Automated Test Results