stable

fail2ban-0.11.1-6.fc31

FEDORA-2020-caae9d7741 created by hobbes1069 4 years ago for Fedora 31

Change default from firewalld-ipset to firewalld-rich-rules, fixes #1823746.


ver. 0.11.1 (2020/01/11) - this-is-the-way

Compatibility:

  • to v.0.10:

    • 0.11 is totally compatible with 0.10 (configuration- and API-related stuff), but the database got some new tables and fields (auto-converted during the first start), so once updated to 0.11 you have to remove the database /var/lib/fail2ban/fail2ban.sqlite3 (its schema differs from 0.10) if you need to downgrade to 0.10 for some reason.

  • to v.0.9:

    • Filter (or failregex) internal capture-groups:

      • If you have your own failregex or custom filters using the conditional match (?P=host), you should rewrite the regex as in the example below, using (?:(?P=ip4)|(?P=ip6)) instead of (?P=host) (or (?:(?P=ip4)|(?P=ip6)|(?P=dns)), corresponding to your usedns and raw settings).

        Of course you can always define your own capture-group (like _cond_ip_ below) to do this:

        testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
        fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"

      • New internal groups (currently reserved for internal usage): ip4, ip6, dns, fid, fport, and additionally user and other captures in lower case if a mapping from a <F-*> tag is used in the failregex (e.g. user by <F-USER>).

    • v.0.10 and 0.11 use more precise date template handling, which can theoretically be incompatible with some user configurations resp. datepattern.

    • Since v0.10 fail2ban supports matching of IPv6 addresses, but not all ban actions are IPv6-capable yet.
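The failregex rewrite described in the compatibility notes above, as an added example that is not part of the upstream changelog or of fail2ban's own code: the shapes of the <HOST> expansion for 0.9 (a single group named host) and for 0.10/0.11 (internal groups ip4 and ip6) are simplified assumptions, not fail2ban's real patterns, and the log lines are constructed. The three failregex variants from the text are compiled against both expansions to show why (?P=host) stops resolving and how either replacement restores the conditional match, including for an IPv6 address.

```python
import re

# Simplified stand-ins for fail2ban's address patterns (constructed for this
# example; fail2ban's real <HOST> expansion in 0.10+ is longer and also
# carries a dns alternative when usedns is enabled).
IP4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IP6 = r"(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}"

# Assumed shapes of the <HOST> tag in the two generations (not copied from
# fail2ban): 0.9 provided one named group "host"; 0.10/0.11 provide the
# internal groups ip4 and ip6 instead, so a (?P=host) backreference no
# longer resolves.
HOST_09 = r"(?P<host>%s|%s)" % (IP4, IP6)
HOST_010 = r"(?:(?P<ip4>%s)|(?P<ip6>%s))" % (IP4, IP6)

# The three failregex variants from the changelog text.
OLD = r"^\s*failure from <HOST>: bad host (?P=host)$"
NEW_INTERNAL = r"^\s*failure from <HOST>: bad host (?:(?P=ip4)|(?P=ip6))$"
NEW_OWN_GROUP = r"^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"


def expand(failregex, host_expansion):
    """Replace the <HOST> tag, as fail2ban does before compiling a failregex."""
    return failregex.replace("<HOST>", host_expansion)


def compiles(failregex, host_expansion):
    """True if the expanded failregex is valid, i.e. every backreference resolves."""
    try:
        re.compile(expand(failregex, host_expansion))
        return True
    except re.error:
        return False


def matched_host(failregex, host_expansion, line):
    """Address captured from a date-stripped log line, or None on no match / bad regex."""
    if not compiles(failregex, host_expansion):
        return None
    m = re.compile(expand(failregex, host_expansion)).search(line)
    if m is None:
        return None
    groups = m.groupdict()
    # Prefer the user's own group, then the 0.10 internals, then the 0.9 "host".
    for name in ("_cond_ip_", "ip4", "ip6", "host"):
        if groups.get(name):
            return groups[name]
    return None


# Constructed sample lines; fail2ban strips the timestamp before failregex runs.
SAMPLE_OK4 = "failure from 192.0.2.1: bad host 192.0.2.1"
SAMPLE_OK6 = "failure from 2001:db8::1: bad host 2001:db8::1"
SAMPLE_MISMATCH = "failure from 192.0.2.1: bad host 192.0.2.2"

if __name__ == "__main__":
    variants = (("old (?P=host)", OLD), ("internal groups", NEW_INTERNAL), ("own group", NEW_OWN_GROUP))
    for label, rx in variants:
        for ver, exp in (("0.9", HOST_09), ("0.10+", HOST_010)):
            print(f"{label:16} {ver:6} compiles={compiles(rx, exp)!s:5} "
                  f"v4={matched_host(rx, exp, SAMPLE_OK4)} "
                  f"v6={matched_host(rx, exp, SAMPLE_OK6)} "
                  f"mismatch={matched_host(rx, exp, SAMPLE_MISMATCH)}")
```

The run shows the two halves of the compatibility note: the old regex compiles only against the 0.9 expansion, while (?:(?P=ip4)|(?P=ip6)) works because a backreference to a group that did not take part in the match simply fails, so whichever of ip4 or ip6 matched is the one compared. The own-group form is the most robust, since it compiles against either expansion.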

Fixes

  • database purge is now executed (within the observer).
  • restoring currently banned IPs after service restart fixed (now < timeofban + bantime); old log failures (already banned) are ignored
  • upgrade database: fill the newly created table bips with entries from table bans (allows restoring current bans after upgrade from version <= 0.10)

New Features

  • Increment ban time (+ observer) functionality introduced.
  • Database functionality extended with bad IPs.
  • New tags (usable in actions):

    • <bancount> - ban count of this offender if known as bad (starts at 1 for unknown)
    • <bantime> - current ban-time of the ticket (prolongation can be delayed by up to 10 sec.)

  • Introduced new action command actionprolong to prolong the ban-time (e.g. set a new timeout if expected); several actions (like ipset, etc.) rewritten using new logic with actionprolong. Note: because the ban-time is dynamic, it was removed from jail.conf as the timeout argument (check jail.local).

Enhancements

  • algorithm for restoring current bans after restart changed: the restored ban-time (and therefore end of ban) of the ticket is updated with the ban-time of the jail (as maximum) for all tickets with a greater (or persistent) ban-time; not affected if the ban-time of the jail is unchanged between stop/start.
  • added new setup-option --without-tests to skip building and installing of test files (gh-2287).
  • added new command fail2ban-client get <JAIL> banip ?sep-char|--with-time? to get the banned ip addresses (gh-1916).

Include SELinux policy in the package.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2020-caae9d7741

This update has been submitted for testing by hobbes1069.

4 years ago

This update's test gating status has been changed to 'waiting'.

4 years ago

This update has obsoleted fail2ban-0.11.1-1.fc31, and has inherited its bugs and notes.

4 years ago

This update's test gating status has been changed to 'ignored'.

4 years ago

This update has been pushed to testing.

4 years ago

This update can be pushed to stable now if the maintainer wishes

4 years ago

This update has been submitted for stable by bodhi.

4 years ago

This update has been pushed to stable.

4 years ago
robbiethek commented & provided feedback 4 years ago

With recidive jail enabled with bantime = -1 I see these failures with banaction = firewallcmd-rich-rules in [DEFAULT]

2020-04-30 11:42:06,772 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.13.58.170
2020-04-30 11:42:07,232 fail2ban.utils [941370]: ERROR 7f52537d2580 -- exec: ports="0:65535"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='106.13.58.170' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done
2020-04-30 11:42:07,232 fail2ban.utils [941370]: ERROR 7f52537d2580 -- stderr: 'Error: INVALID_PORT: 0:65535'
2020-04-30 11:42:07,232 fail2ban.utils [941370]: ERROR 7f52537d2580 -- returned 102
2020-04-30 11:42:07,232 fail2ban.actions [941370]: ERROR Failed to execute ban jail 'recidive' action 'firewallcmd-rich-rules' info 'ActionInfo({'ip': '106.13.58.170', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f52537e2680>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f52537e2d40>})': Error banning 106.13.58.170
2020-04-30 11:42:07,233 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.13.70.85
2020-04-30 11:42:07,695 fail2ban.utils [941370]: ERROR 7f52537d2580 -- exec: ports="0:65535"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='106.13.70.85' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done
2020-04-30 11:42:07,696 fail2ban.utils [941370]: ERROR 7f52537d2580 -- stderr: 'Error: INVALID_PORT: 0:65535'
2020-04-30 11:42:07,696 fail2ban.utils [941370]: ERROR 7f52537d2580 -- returned 102
2020-04-30 11:42:07,696 fail2ban.actions [941370]: ERROR Failed to execute ban jail 'recidive' action 'firewallcmd-rich-rules' info 'ActionInfo({'ip': '106.13.70.85', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f52537e2680>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f52537e2d40>})': Error banning 106.13.70.85
2020-04-30 11:42:07,696 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.51.44.4

fail2ban-client get sshd banip ?sep-char|--with-time?

-bash: --with-time?: command not found

2020-04-30 11:48:31,235 fail2ban [944560]: ERROR [Errno 32] Broken pipe
Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 37, in <module>
    exec_command_line(sys.argv)
  File "/usr/lib/python3.7/site-packages/fail2ban/client/fail2banclient.py", line 502, in exec_command_line
    exit(255)
  File "/usr/lib/python3.7/site-packages/fail2ban/client/fail2bancmdline.py", line 317, in exit
    sys.stdout.flush()
BrokenPipeError: [Errno 32] Broken pipe
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe

robbiethek commented & provided feedback 4 years ago

As noted in the BZ entry https://bugzilla.redhat.com/show_bug.cgi?id=1823746#c19, you can use port = 0-65535 for the port option.

However I could not get the recidive jail to work with this and had to use the iptables options.



Metadata

Type: bugfix
Karma: -1
Signed
Content Type: RPM

Test Gating

Settings

Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days

Dates

submitted: 4 years ago
in testing: 4 years ago
in stable: 4 years ago

BZ#1823746 fail2ban-firewalld default action uses unsupport direct rule, should use rich-rule