openSUSE-RU-2015:1710-1: moderate: Recommended update for fail2ban
openSUSE Recommended Update: Recommended update for fail2ban ______________________________________________________________________________ Announcement ID: openSUSE-RU-2015:1710-1 Rating: moderate References: #917818 Affected Products: openSUSE 13.2 openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: fail2ban received a major version update to 0.9.3. The changes are listed in /usr/share/doc/packages/fail2ban/ChangeLog It also fixes a small systemd related issue (bnc#917818) Upstream changes: - Update to version 0.9.3 - IMPORTANT incompatible changes: * filter.d/roundcube-auth.conf - Changed logpath to 'errors' log (was 'userlogins') * action.d/iptables-common.conf - All calls to iptables command now use -w switch introduced in iptables 1.4.20 (some distribution could have patched their earlier base version as well) to provide this locking mechanism useful under heavy load to avoid contesting on iptables calls. If you need to disable, define 'action.d/iptables-common.local' with empty value for 'lockingopt' in `[Init]` section. * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines actions now include by default only the first 1000 log lines in the emails. Adjust <grepopts> to augment the behavior. - Fixes: * reload in interactive mode appends all the jails twice (gh-825) * reload server/jail failed if database used (but was not changed) and some jail active (gh-1072) * filter.d/dovecot.conf - also match unknown user in passwd-file. Thanks Anton Shestakov * Fix fail2ban-regex not parsing journalmatch correctly from filter config * filter.d/asterisk.conf - fix security log support for Asterisk 12+ * filter.d/roundcube-auth.conf - Updated regex to work with 'errors' log (1.0.5 and 1.1.1) - Added regex to work with 'userlogins' log * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override locale on systems with customized LC_ALL * performance fix: minimizes connection overhead, close socket only at communication end (gh-1099) * unbanip always deletes ip from database (independent of bantime, also if currently not banned or persistent) * guarantee order of dbfile to be before dbpurgeage (gh-1048) * always set 'dbfile' before other database options (gh-1050) * kill the entire process group of the child process upon timeout (gh-1129). Otherwise could lead to resource exhaustion due to hanging whois processes. * resolve /var/run/fail2ban path in setup.py to help installation on platforms with /var/run -> /run symlink (gh-1142) - New Features: * RETURN iptables target is now a variable: <returntype> * New type of operation: pass2allow, use fail2ban for "knocking", opening a closed port by swapping blocktype and returntype * New filters: - froxlor-auth - Thanks Joern Muehlencord - apache-pass - filter Apache access log for successful authentication * New actions: - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires manual pre-configuration of the shorewall. See the action file for detail. * New jails: - pass2allow-ftp - allows FTP traffic after successful HTTP authentication - Enhancements: * action.d/cloudflare.conf - improved documentation on how to allow multiple CF accounts, and jail.conf got new compound action definition action_cf_mwl to submit cloudflare report. * Check access to socket for more detailed logging on error (gh-595) * fail2ban-testcases man page * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add HEAD method verb * Revamp of Travis and coverage automated testing * Added a space between IP address and the following colon in notification emails for easier text selection * Character detection heuristics for whois output via optional setting in mail-whois*.conf. Thanks Thomas Mayer. Not enabled by default, if _whois_command is set to be %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local), it - detects character set of whois output (which is undefined by RFC 3912) via heuristics of the file command - converts whois data to UTF-8 character set with iconv - sends the whois output in UTF-8 character set to mail program - avoids that heirloom mailx creates binary attachment for input with unknown character set - Update to version 0.9.2 (requested in boo#917818) * jail.conf was heavily refactored and now is similar to how it looked on Debian systems: - default action could be configured once for all jails - jails definitions only provide customizations (port, logpath) - no need to specify 'filter' if name matches jail name * Added fail2ban persistent database - default location at /var/lib/fail2ban/fail2ban.sqlite3 - allows active bans to be reinstated on restart - log files read from last position after restart * Added systemd journal backend - Dependency on python-systemd - New "journalmatch" option added to filter configs files - New "systemd-journal" option added to fail2ban-regex * Support %z (Timezone offset) and %f (sub-seconds) support for datedetector. Enhanced existing date/time have been updated patterns to support these. ISO8601 now defaults to localtime unless specified otherwise. Some filters have been change as required to capture these elements in the right timezone correctly. * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR. * Optionally can read log files starting from "head" or "tail". See "logpath" option in jail.conf(5) man page. * Can now set log encoding for files per jail.Default uses systemd locale. * iptables-common.conf replaced iptables-blocktype.conf (iptables-blocktype.local should still be read) and now also provides defaults for the chain, port, protocol and name tags - Update to version 0.9.1 - Refactoring (IMPORTANT -- Please review your setup and configuration): * iptables-common.conf replaced iptables-blocktype.conf (iptables-blocktype.local should still be read) and now also provides defaults for the chain, port, protocol and name tags - Fixes: * start of file2ban aborted (on slow hosts, systemd considers the server has been timed out and kills him), see gh-824 * UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806. * systemd backend error on bad utf-8 in python3 * badips.py action error when logging HTTP error raised with badips request * fail2ban-regex failed to work in python3 due to space/tab mix * recidive regex samples incorrect log level * journalmatch for recidive incorrect PRIORITY * loglevel couldn't be changed in fail2ban.conf * Handle case when no sqlite library is available for persistent database * Only reban once per IP from database on fail2ban restart * Nginx filter to support missing server_name. Closes gh-676 * fail2ban-regex assertion error caused by miscount missed lines with multiline regex * Fix actions failing to execute for Python 3.4.0. Workaround for http://bugs.python.org/issue21207 * Database now returns persistent bans on restart (bantime < 0) * Recursive action tags now fully processed. Fixes issue with bsd-ipfw action * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags. Thanks Serg G. Brester * Correct times for non-timezone date times formats during DST * Pass a copy of, not original, aInfo into actions to avoid side-effects * Per-distribution paths to the exim's main log * Ignored IPs are no longer banned when being restored from persistent database * Manually unbanned IPs are now removed from persistent database, such they wont be banned again when Fail2Ban is restarted * Pass "bantime" parameter to the actions in default jail's action definition(s) * filters.d/sieve.conf - fixed typo in _daemon. Thanks Jisoo Park * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s). Regression was introduced while strengthening failregex in 0.8.11 (bd175f) Debian bug #755173 * postfix-sasl - added journalmatch. Thanks Luc Maisonobe * postfix* - match with a new daemon string (postfix/submission/smtpd). Closes gh-804 . Thanks Paul Traina * apache - added filter for AH01630 client denied by server configuration. - New features: - New filters: - monit Thanks Jason H Martin - directadmin Thanks niorg - apache-shellshock Thanks Eugene Hopkinson (SlowRiot) - New actions: - symbiosis-blacklist-allports for Bytemark symbiosis firewall - fail2ban-client can fetch the running server version - Added Cloudflare API action - Enhancements * Start performance of fail2ban-client (and tests) increased, start time and cpu usage rapidly reduced. Introduced a shared storage logic, to bypass reading lots of config files (see gh-824). Thanks to Joost Molenaar for good catch (reported gh-820). * Fail2ban-regex - add print-all-matched option. Closes gh-652 * Suppress fail2ban-client warnings for non-critical config options * Match non "Bye Bye" disconnect messages for sshd locked account regex * courier-smtp filter: - match lines with user names - match lines containing "535 Authentication failed" attempts * Add <chain> tag to iptables-ipsets * Realign fail2ban log output with white space to improve readability. Does not affect SYSLOG output * Log unhandled exceptions * cyrus-imap: catch "user not found" attempts * Add support for Portsentry - Update to version 0.9.0 Carries all fixes, features and enhancements from 0.8.13 (unreleased) with major changes. Please take note of release notes: https://github.com/fail2ban/fail2ban/releases/tag/0.9.0 Please test your configuration before relying on it. Nearly all development is thanks to Steven Hiscocks (THANKS!), merging, testcases and timezone support from Daniel Black, and code-review and minor additions from Yaroslav Halchenko. - Refactoring (IMPORTANT -- Please review your setup and configuration): * [..bddbf1e] jail.conf was heavily refactored and now is similar to how it looked on Debian systems: - default action could be configured once for all jails - jails definitions only provide customizations (port, logpath) - no need to specify 'filter' if name matches jail name * [..5aef036] Core functionality moved into fail2ban/ module. Closes gh-26 - tests included in module to aid testing and debugging * Added fail2ban persistent database - default location at /var/lib/fail2ban/fail2ban.sqlite3 - allows active bans to be reinstated on restart - log files read from last position after restart * Added systemd journal backend - Dependency on python-systemd - New "journalmatch" option added to filter configs files - New "systemd-journal" option added to fail2ban-regex * Added python3 support * Support %z (Timezone offset) and %f (sub-seconds) support for datedetector. Enhanced existing date/time have been updated patterns to support these. ISO8601 now defaults to localtime unless specified otherwise. Some filters have been change as required to capture these elements in the right timezone correctly. * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR. - Log level INFO is now more verbose * Optionally can read log files starting from "head" or "tail". - See "logpath" option in jail.conf(5) man page. * Can now set log encoding for files per jail. - Default uses systemd locale. - New features: * [..c7ae460] Multiline failregex. Close gh-54 * [8af32ed] Guacamole filter and support for Apache Tomcat date format * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug #410077. Also it would now capture and include stdout and stderr into logging messages in case of error or at DEBUG loglevel. * Added action xarf-login-attack to report formatted attack messages according to the XARF standard (v0.2). Close gh-105 * Support PyPy * Add filter for apache-botsearch * Add filter for kerio. Thanks Tony Lawrence for blog of regexs and providing samples. Close gh-120 * Filter for stunnel * Filter for Counter Strike 1.6. Thanks to onorua for logs. Close gh-347 * Filter for squirrelmail. Close gh-261 * Filter for tine20. Close gh-583 * Custom date formats (strptime) can now be set in filters and jail.conf * Python based actions can now be created. - SMTP action for sending emails on jail start, stop and ban. * Added action to use badips.com reporting and blacklist - Requires Python 2.7+ - Enhancements * Fail2ban-regex - don't accumulate lines if not printing them. add options to suppress output of missed/ignored lines. Close gh-644 * Asterisk now supports syslog format * Jail names increased to 26 characters and iptables prefix reduced from fail2ban- to f2b- as suggested by buanzo in gh-462. * Multiline filter for sendmail-spam. Close gh-418 * Multiline regex for Disconnecting: Too many authentication failures for root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth] * Multiline regex for Disconnecting: Connection from 61.XX.XX.XX port 51353\nToo many authentication failures for root [preauth]. Thanks Helmut Grohne. Close gh-457 * Replacing use of deprecated API (.warning, .assertEqual, etc) * [..a648cc2] Filters can have options now too which are substituted into failregex / ignoreregex * [..e019ab7] Multiple instances of the same action are allowed in the same jail -- use actname option to disambiguate. * Add honeypot email address to exim-spam filter as argument * Properties and methods of actions accessible from fail2ban-client - Use of properties replaces command actions "cinfo" interface - Whereever possible, path-definitions have been moved paths-opensuse.conf which has been submittet upstream - Use default fail2ban.service including fail2ban-opensuse-service.patch - Use default suse-initd from upstream - Tests have been moved to a seperate page Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2015-642=1 - openSUSE 13.1: zypper in -t patch openSUSE-2015-642=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): libipa_hbac-devel-1.12.2-3.9.1 libipa_hbac0-1.12.2-3.9.1 libipa_hbac0-debuginfo-1.12.2-3.9.1 libnfsidmap-sss-1.12.2-3.9.1 libnfsidmap-sss-debuginfo-1.12.2-3.9.1 libsss_idmap-devel-1.12.2-3.9.1 libsss_idmap0-1.12.2-3.9.1 libsss_idmap0-debuginfo-1.12.2-3.9.1 libsss_nss_idmap-devel-1.12.2-3.9.1 libsss_nss_idmap0-1.12.2-3.9.1 libsss_nss_idmap0-debuginfo-1.12.2-3.9.1 libsss_simpleifp-devel-1.12.2-3.9.1 libsss_simpleifp0-1.12.2-3.9.1 libsss_simpleifp0-debuginfo-1.12.2-3.9.1 libsss_sudo-1.12.2-3.9.1 libsss_sudo-debuginfo-1.12.2-3.9.1 python-ipa_hbac-1.12.2-3.9.1 python-ipa_hbac-debuginfo-1.12.2-3.9.1 python-sss_nss_idmap-1.12.2-3.9.1 python-sss_nss_idmap-debuginfo-1.12.2-3.9.1 python-sssd-config-1.12.2-3.9.1 python-sssd-config-debuginfo-1.12.2-3.9.1 sssd-1.12.2-3.9.1 sssd-ad-1.12.2-3.9.1 sssd-ad-debuginfo-1.12.2-3.9.1 sssd-dbus-1.12.2-3.9.1 sssd-dbus-debuginfo-1.12.2-3.9.1 sssd-debuginfo-1.12.2-3.9.1 sssd-debugsource-1.12.2-3.9.1 sssd-ipa-1.12.2-3.9.1 sssd-ipa-debuginfo-1.12.2-3.9.1 sssd-krb5-1.12.2-3.9.1 sssd-krb5-common-1.12.2-3.9.1 sssd-krb5-common-debuginfo-1.12.2-3.9.1 sssd-krb5-debuginfo-1.12.2-3.9.1 sssd-ldap-1.12.2-3.9.1 sssd-ldap-debuginfo-1.12.2-3.9.1 sssd-proxy-1.12.2-3.9.1 sssd-proxy-debuginfo-1.12.2-3.9.1 sssd-tools-1.12.2-3.9.1 sssd-tools-debuginfo-1.12.2-3.9.1 sssd-wbclient-1.12.2-3.9.1 sssd-wbclient-debuginfo-1.12.2-3.9.1 sssd-wbclient-devel-1.12.2-3.9.1 - openSUSE 13.2 (x86_64): sssd-32bit-1.12.2-3.9.1 sssd-debuginfo-32bit-1.12.2-3.9.1 - openSUSE 13.2 (noarch): SuSEfirewall2-fail2ban-0.9.3-2.18.1 fail2ban-0.9.3-2.18.1 fail2ban-tests-0.9.3-2.18.1 nagios-plugins-fail2ban-0.9.3-2.18.1 - openSUSE 13.1 (noarch): SuSEfirewall2-fail2ban-0.9.3-2.27.1 fail2ban-0.9.3-2.27.1 fail2ban-tests-0.9.3-2.27.1 nagios-plugins-fail2ban-0.9.3-2.27.1 References: https://bugzilla.suse.com/917818
participants (1)
-
maintenance@opensuse.org