Change default from firewalld-ipset to firewalld-rich-rules, fixes #1823746.
* Filter (or failregex) internal capture-groups:
  - failregex or custom filters using the conditional match (?P=host): you should rewrite the regex as in the example below, i.e. use (?:(?P=ip4)|(?P=ip6)) instead of (?P=host) (or (?:(?P=ip4)|(?P=ip6)|(?P=dns)), corresponding to your usedns and raw settings). Of course you can always define your own capture-group (like _cond_ip_ below) to do this.
    testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
    fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
  - New internal groups (currently reserved for internal usage): ip4, ip6, dns, fid, fport, additionally user and other captures in lower case if a mapping from tag <F-*> is used in the failregex (e.g. user by <F-USER>).
* v0.10 and 0.11 use more precise date template handling, which can theoretically be incompatible with some user configurations resp. datepattern.
* Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are IPv6-capable yet.
* bips with entries from table bans (allows restoring current bans after upgrade from version <= 0.10)
* <bancount> - ban count of this offender if known as bad (starts at 1 for unknown)
* <bantime> - current ban-time of the ticket (prolongation can be retarded up to 10 sec.)
* actionprolong to prolong ban-time (e.g. set new timeout if expected); several actions (like ipset, etc.) rewritten using net logic with actionprolong.
  Note: because ban-time is dynamic, it was removed from jail.conf as timeout argument (check jail.local).
* --without-tests to skip building and installing of test files (gh-2287).
* fail2ban-client get <JAIL> banip ?sep-char|--with-time? to get the banned ip addresses (gh-1916).
* Include selinux policy in package
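The capture-group rewrite described in the notes above, worked through as an added example (not code from fail2ban or from this update): a simplified <HOST> expansion stands in for the real one, and the functions show that the old (?P=host) backreference no longer compiles once <HOST> expands into the internal ip4/ip6/dns groups, while both rewrites (the _cond_ip_ wrapper and the (?:(?P=ip4)|(?P=ip6)|(?P=dns)) alternation) still match only when both hosts agree. The HOST_EXPANSION pattern and the epoch-timestamp stripping are assumptions, simplified from fail2ban's real handling.

```python
import re

# Simplified stand-in for the 0.10+ <HOST> expansion (assumption: fail2ban's real
# ip4/ip6/dns patterns are much stricter; only the group layout matters here).
# No group named 'host' exists any more, only the internal ip4, ip6 and dns.
HOST_EXPANSION = (
    r"(?:(?P<ip4>\d{1,3}(?:\.\d{1,3}){3})"
    r"|(?P<ip6>\[?[0-9a-fA-F:]{2,}\]?)"
    r"|(?P<dns>[A-Za-z0-9][A-Za-z0-9.-]*))"
)

def compile_failregex(failregex):
    """Expand <HOST> and compile; a stale (?P=host) backreference raises re.error."""
    return re.compile(failregex.replace("<HOST>", HOST_EXPANSION))

def old_regex_is_broken(failregex):
    """True when a pre-0.10 style failregex no longer compiles after expansion."""
    try:
        compile_failregex(failregex)
    except re.error:
        return True
    return False

def matched_host(failregex, logline):
    """Host captured by the failregex, or None when the line does not match.
    The leading epoch timestamp is stripped first (stand-in for date detection)."""
    m = compile_failregex(failregex).search(re.sub(r"^\d{10}\s+", "", logline))
    if not m:
        return None
    return m.group("ip4") or m.group("ip6") or m.group("dns")

# Pre-0.10 style conditional match: no longer compiles, 'host' is unknown.
OLD_REGEX = r"^\s*failure from <HOST>: bad host (?P=host)$"
# Rewrite 1: own capture-group around <HOST>, as in the changelog example.
COND_REGEX = r"^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
# Rewrite 2: backreference whichever internal group took part in the match.
ALT_REGEX = r"^\s*failure from <HOST>: bad host (?:(?P=ip4)|(?P=ip6)|(?P=dns))$"

# Constructed sample lines; the first one is the changelog's own test line.
LINE_SAME = "1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
LINE_DIFF = "1500000000 failure from 192.0.2.1: bad host 192.0.2.99"
LINE_IP6 = "1500000000 failure from 2001:db8::1: bad host 2001:db8::1"

if __name__ == "__main__":
    print(old_regex_is_broken(OLD_REGEX))       # True
    print(matched_host(COND_REGEX, LINE_SAME))  # 192.0.2.1
    print(matched_host(ALT_REGEX, LINE_DIFF))   # None
```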
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2020-caae9d7741
This update has been submitted for testing by hobbes1069.
This update's test gating status has been changed to 'waiting'.
This update has obsoleted fail2ban-0.11.1-1.fc31, and has inherited its bugs and notes.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by bodhi.
This update has been pushed to stable.
With recidive jail enabled with bantime = -1 I see these failures with banaction = firewallcmd-rich-rules in [DEFAULT]
2020-04-30 11:42:06,772 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.13.58.170
2020-04-30 11:42:07,232 fail2ban.utils [941370]: ERROR 7f52537d2580 -- exec: ports="0:65535"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='106.13.58.170' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done
2020-04-30 11:42:07,232 fail2ban.utils [941370]: ERROR 7f52537d2580 -- stderr: 'Error: INVALID_PORT: 0:65535'
2020-04-30 11:42:07,232 fail2ban.utils [941370]: ERROR 7f52537d2580 -- returned 102
2020-04-30 11:42:07,232 fail2ban.actions [941370]: ERROR Failed to execute ban jail 'recidive' action 'firewallcmd-rich-rules' info 'ActionInfo({'ip': '106.13.58.170', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f52537e2680>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f52537e2d40>})': Error banning 106.13.58.170
2020-04-30 11:42:07,233 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.13.70.85
2020-04-30 11:42:07,695 fail2ban.utils [941370]: ERROR 7f52537d2580 -- exec: ports="0:65535"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='106.13.70.85' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done
2020-04-30 11:42:07,696 fail2ban.utils [941370]: ERROR 7f52537d2580 -- stderr: 'Error: INVALID_PORT: 0:65535'
2020-04-30 11:42:07,696 fail2ban.utils [941370]: ERROR 7f52537d2580 -- returned 102
2020-04-30 11:42:07,696 fail2ban.actions [941370]: ERROR Failed to execute ban jail 'recidive' action 'firewallcmd-rich-rules' info 'ActionInfo({'ip': '106.13.70.85', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f52537e2680>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f52537e2d40>})': Error banning 106.13.70.85
2020-04-30 11:42:07,696 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.51.44.4
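A check a defender wants after seeing errors like the ones in the comment above, added here as an example (not fail2ban's own code and not the commenter's): it scans fail2ban.log lines in the quoted format and lists the offenders whose ban restore failed, i.e. addresses that are still not blocked despite the NOTICE "Restore Ban" lines. The log excerpt is constructed from the comment's lines, with the long ActionInfo dump shortened.

```python
import re

# Constructed log excerpt in the format quoted in the comment above (same jail,
# action, IPs and error text; the ActionInfo dump is shortened).
SAMPLE_LOG = """\
2020-04-30 11:42:06,772 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.13.58.170
2020-04-30 11:42:07,232 fail2ban.utils [941370]: ERROR 7f52537d2580 -- stderr: 'Error: INVALID_PORT: 0:65535'
2020-04-30 11:42:07,232 fail2ban.actions [941370]: ERROR Failed to execute ban jail 'recidive' action 'firewallcmd-rich-rules' info 'ActionInfo({'ip': '106.13.58.170', 'family': 'inet4'})': Error banning 106.13.58.170
2020-04-30 11:42:07,233 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.13.70.85
2020-04-30 11:42:07,696 fail2ban.utils [941370]: ERROR 7f52537d2580 -- stderr: 'Error: INVALID_PORT: 0:65535'
2020-04-30 11:42:07,696 fail2ban.actions [941370]: ERROR Failed to execute ban jail 'recidive' action 'firewallcmd-rich-rules' info 'ActionInfo({'ip': '106.13.70.85', 'family': 'inet4'})': Error banning 106.13.70.85
2020-04-30 11:42:07,696 fail2ban.actions [941370]: NOTICE [recidive] Restore Ban 106.51.44.4
"""

RESTORE_RE = re.compile(r"NOTICE \[(?P<jail>[^\]]+)\] Restore Ban (?P<ip>\S+)$")
FAILED_RE = re.compile(
    r"ERROR Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'"
    r" .*: Error banning (?P<ip>\S+)$"
)
STDERR_RE = re.compile(r"-- stderr: '(?P<msg>[^']*)'")

def audit_restored_bans(log_text):
    """Per jail: IPs whose ban was restored and those whose ban action failed.
    Returns {jail: {"attempted": [ip, ...], "failed": {ip: (action, stderr)}}};
    the stderr is taken from the nearest preceding '-- stderr:' line."""
    report = {}
    last_stderr = None
    for line in log_text.splitlines():
        m = STDERR_RE.search(line)
        if m:
            last_stderr = m.group("msg")
            continue
        m = RESTORE_RE.search(line)
        if m:
            entry = report.setdefault(m.group("jail"), {"attempted": [], "failed": {}})
            entry["attempted"].append(m.group("ip"))
            continue
        m = FAILED_RE.search(line)
        if m:
            entry = report.setdefault(m.group("jail"), {"attempted": [], "failed": {}})
            entry["failed"][m.group("ip")] = (m.group("action"), last_stderr)
            last_stderr = None
    return report

def unbanned_offenders(log_text):
    """IPs per jail that fail2ban tried to restore but that are not actually blocked."""
    return {jail: sorted(e["failed"]) for jail, e in audit_restored_bans(log_text).items() if e["failed"]}
```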
fail2ban-client get sshd banip ?sep-char|--with-time?
-bash: --with-time?: command not found
2020-04-30 11:48:31,235 fail2ban [944560]: ERROR [Errno 32] Broken pipe
Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 37, in <module>
    exec_command_line(sys.argv)
  File "/usr/lib/python3.7/site-packages/fail2ban/client/fail2banclient.py", line 502, in exec_command_line
    exit(255)
  File "/usr/lib/python3.7/site-packages/fail2ban/client/fail2bancmdline.py", line 317, in exit
    sys.stdout.flush()
BrokenPipeError: [Errno 32] Broken pipe
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe
As noted in the BZ entry https://bugzilla.redhat.com/show_bug.cgi?id=1823746#c19, you can use port = 0-65535 for the port option. However I could not get the recidive jail to work with this and had to use the iptables options.