--- fail2ban-0.8.4.orig/debian/watch
+++ fail2ban-0.8.4/debian/watch
@@ -0,0 +1,6 @@
+# watch control file for uscan
+# Run the "uscan" command to check for upstream updates and more.
+# Site Directory Pattern Version Script
+version=3
+
+http://sf.net/fail2ban/ fail2ban-(.*)\.tar\.bz2 debian git-import-orig
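Review bot: the watch entry on the last line fetches the upstream tarball over plain `http://sf.net/fail2ban/` with no signature check, so `uscan` (and the `git-import-orig` script it hands the tarball to) will import whatever an on-path party or a compromised mirror serves; use an `https://` URL and, if upstream publishes detached signatures, add a `pgpsigurlmangle` option in the opts field and ship the upstream key so uscan can verify the download. The version pattern `fail2ban-(.*)\.tar\.bz2` is also broader than needed and would accept a non-version string between the prefix and suffix; a pattern restricted to digits and dots, e.g. `fail2ban-([\d.]+)\.tar\.bz2`, makes the match unambiguous. The comment header "Site Directory Pattern Version Script" describes the old four-column form, while the entry below it merges site and directory into a single URL, which is valid for `version=3`; consider updating the comment so it matches the entry.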
--- fail2ban-0.8.4.orig/debian/changelog
+++ fail2ban-0.8.4/debian/changelog
@@ -0,0 +1,904 @@
+fail2ban (0.8.4-3+squeeze1) stable; urgency=low
+
+ [ Jonathan Wiltshire ]
+ * [e2232fc] Backport patch to fix CVE-2009-5023: Insecure creation of
+ tempfile (Closes: #544232, #635746)
+
+ [ Yaroslav Halchenko ]
+ * [6fc6c7b] Backport patch: Lock server's executeCmd to prevent racing
+ among iptables calls (Closes: #650678)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 16 Feb 2012 10:29:08 -0500
+
+fail2ban (0.8.4-3) unstable; urgency=low
+
+ * Commenting out named-refused-udp jail and providing even fatter
+ WARNING against using it (Closes: #583364)
+ * Merging upstream's commit for fixing missing import
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 28 Jun 2010 21:50:20 -0400
+
+fail2ban (0.8.4-2) unstable; urgency=low
+
+ * Merged few upstream patches (svn rev ) which fixed:
+ - Patch to make log file descriptors cloexec to stop leaking file
+ descriptors on fork/exec.
+ * debian/rules,control: -install-layout=deb for setup.py + python (>=
+ 2.5.4-1~) to fix install with python2.6 (Closes: #571213).
+ * Boosted policy to 3.8.4 (no changes seems to be due).
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 25 Feb 2010 00:17:07 -0500
+
+fail2ban (0.8.4-1) unstable; urgency=low
+
+ * New upstream release. Fixes compatibility issue with python2.6
+ * Yet only in Debian fixes:
+ - escaping () in pure-ftpd. Thanks Teodor (Closes: #544744)
+ - use "set logtarget" instead of "reload" while logrotate. Thanks
+ J.M.Roth (Closes: #537773)
+ - be able to detect time for VNC recording only 2 letters of year
+ (Closes: #537610)
+ - proftpd filter: count all failed logins regardless of the reason
+ * Debian-specific changes:
+ - adjusted README.Debian - multiport is default (closes: #545971)
+ - Boosted policy to 3.8.3 (no changes seems to be due)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 10 Sep 2009 11:16:51 -0400
+
+fail2ban (0.8.3-6) unstable; urgency=low
+
+ * Time to shake the ground with upload to unstable.
+ * Merged upstream's development as of SVN revision 732:
+ - Fixed maxretry/findtime rate. Many thanks to Christos Psonis.
+ Tracker #2019714.
+ - Made the named-refused regex a bit less restrictive in order to match
+ logs with "view". Thanks to Stephen Gildea.
+ - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100%
+ correct fix but seems to work. Tracker #2500276.
+ - Changed <HOST> template to be more restrictive (closes: #514163).
+ - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. (closes:
+ #513953).
+ - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh
+ log (closes: #512193).
+ - Added missing semi-colon in the bind9 example. Thanks to Yaroslav
+ Halchenko.
+ - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
+ #2484115.
+ - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
+ (closes: #507990)
+ - Added CPanel date format. Thanks to David Collins. Tracker #1967610.
+ - Added nagios script. Thanks to Sebastian Mueller.
+ - Removed print.
+ - Removed begin-line anchor for "standard" timestamp (closes: #500824)
+ - Remove socket file on startup is fail2ban crashed. Thanks to Detlef
+ Reichelt.
+ * Added a comment into Debian-shipped jail.conf about sasl logpath -- it
+ might preferable to monitor warn.log in case of postfix (To complete react
+ to #507990) (git branch up/fixes). Also added sasl example log file (git
+ branch up/log_examples).
+ * Removing minor bashism in ipmasq example file (closes: #530078).
+ Thanks Raphael Geissert (git branch up/ipmasq)
+ * Allow for trailing spaces in proftpd logs (closes: #507986)
+ (git branch up/fixes).
+ * Removed duplicate entry for DataCha0s/2\.0 in badbots (closes: #519557)
+ (git branch up/fixes).
+ * Adjusted Git-vcs field to point to git:// .
+ * Thanks lintian fixes:
+ - Boosted policy to 3.8.2 (no changes are due).
+ - Boosted debhelper compatibility to 5.
+ - Misspell in README.Debian
+ - Removing stale /var/run/fail2ban from dirs -- should be created by
+ init script
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 09 Jul 2009 01:08:40 -0400
+
+fail2ban (0.8.3-5) experimental; urgency=low
+
+ * BF: anchoring regex for IP with " *$" at the end + adjust regexp for
+ <HOST> (closes: #514163)
+ * NF: adding unittests for previous BF
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 05 Feb 2009 09:51:45 -0500
+
+fail2ban (0.8.3-4) experimental; urgency=low
+
+ * BF: added missing semicolon in a logging template for bind within
+ jail.conf (thanks to anonymous on www.debian-administration.org)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 02 Feb 2009 23:02:56 -0500
+
+fail2ban (0.8.3-3) experimental; urgency=low
+
+ * BF: addressed added bang to ssh log (closes: #512193).
+ Thanks Silvestre Zabala.
+ * Adjusted description of bantime/findtime in README.Debian (closes:
+ #507771)
+ * Synced current debian revision to FAIL2BAN-0_8@717 of upstream,
+ since it includes fixes to some forwarded bugs. Total list of
+ functional changes
+ - Added actions to report abuse to ISP, DShield and myNetWatchman.
+ Thanks to Russell Odom.
+ - Added apache-nohome.conf. Thanks to Yaroslav Halchenko.
+ - Added new time format. No idea from where it comes...
+ - Added new regex. Thanks to Tobias Offermann.
+ - Try to match the regex even if the line does not contain a valid
+ date/time. Described in Debian #491253. Thanks to Yaroslav
+ Halchenko.
+ - Removed "timeregex" and "timepattern" stuff that is not needed
+ anymore.
+ - Added date template for Day-Month-Year Hour:Minute:Second
+ (closes: #491253)
+ - Added date pattern for Hour:Minute:Second. Thanks to Andreas
+ Itzchak Rehberg.
+ - Use current day and month instead of Jan 1st if both are not
+ available in the log. Thanks to Andreas Itzchak Rehberg.
+ - Improved pattern. Thanks to Yaroslav Halchenko.
+ - Merged patches from Debian package. Thanks to Yaroslav Halchenko.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 18 Jan 2009 11:31:01 -0500
+
+fail2ban (0.8.3-2) unstable; urgency=low
+
+ * BF in apache-noscript.conf - regexp matched in referer (Closes: #492319).
+ Thanks Bernd Zeimetz.
+ * BF: extended apache-noscript with additional regexp
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 25 Jul 2008 13:33:56 -0400
+
+fail2ban (0.8.3-1) unstable; urgency=low
+
+ * Fresh upstream release
+ * Boosted policy compliance to 3.8.0 (no changes needed)
+ * Specify explicitely facilities in "Failed .. for". Thanks Dean
+ Gaudet. (closes: #481760)
+ * Added failregex for "User not known" in sshd.conf. thanks Alexander
+ Gerasiov (closes: #479966)
+
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 21 Jul 2008 10:27:12 -0400
+
+fail2ban (0.8.2-3) unstable; urgency=low
+
+ * Changes propagated from upstream trunk (future 0.8.3):
+ - Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
+ - Changed some log level.
+ - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to
+ Dennis Winter.
+ - Fixed PID file while started in daemon mode. Thanks to Christian
+ Jobic who submitted a similar patch (closes: #479703)
+ - Added gssftpd filter. Thanks to Kevin Zembower.
+ - Process failtickets as long as failmanager is not empty.
+ * Assure that /var/run/fail2ban exists upon start (LP: #222804, #223706)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 06 May 2008 10:49:34 -0400
+
+fail2ban (0.8.2-2) unstable; urgency=low
+
+ * BF: Recommends whois, which is used in some actions (LP: #213227)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 07 Apr 2008 10:25:52 -0400
+
+fail2ban (0.8.2-1) unstable; urgency=low
+
+ * New upstream release! Divergence from Debian version descreased
+ considerably, Major changes:
+ - "full line failregex"
+ - Moved socket to /var/run/fail2ban.
+ - Removed Python 2.4. Minimum required version is now Python 2.3.
+ - New log rotation detection algorithm.
+ - Some wishlists got accepted (closes: #456567, #468477, #462060,
+ #461426)
+ - Leap year issue (closes: #468452)
+ * debian/watch: switched to git-import-orig
+ * 2 new jails: xinetd-fail, apache-overflows added to jails.conf
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 05 Mar 2008 23:30:56 -0500
+
+fail2ban (0.8.1-5) unstable; urgency=low
+
+ * manually "cherry picked" f6639981: Fixed "Feb 29" bug. Thanks to
+ James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko
+ for the fix (closes: #468382)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 28 Feb 2008 19:51:53 -0500
+
+fail2ban (0.8.1-4) unstable; urgency=low
+
+ * Debian packaging switched from git+dpatch into pure git way via
+ feature-branches. That revealed the true amount of accumulated patching
+ done of top of vanilla upstream, thus this is the last Debian release
+ prior 0.8.2 upstream release which will hopefully absorb most of the
+ patches
+ * vsftp filter anchoring
+ * Fix/extension of proftpd failrexes (Closes: #461412). Thanks Guido
+ Bozzetto
+ * Added ipmasq rule file (in the examples) to restart fail2ban when
+ iptables are wiped out (closes: #461417). Thanks Guido Bozzetto
+ * Extended apache-noscript filter with more file extensions and to
+ react to "script not found or unable to stat" log message (closes:
+ #456565). Thanks Tim Connors
+ * Fixed == bashism (Closes: #464647). Thanks Raphael Geisser
+ * Confirms to policy 3.7.3 (no changes)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 09 Feb 2008 22:08:55 -0500
+
+fail2ban (0.8.1-3) unstable; urgency=low
+
+ * Added Vcs- fields, moved Homepage into source header's field
+ * Propagated patch from 0.9 upstream branch: "Replaced ssocket.py with
+ asyncore/asynchat implementation. Correct fix for bug #1769616. That is
+ supposed to resolve spontaneous 100% CPU utilization by fail2ban-server."
+ * BF: removed sftp from ssh jails (closes: #436053)
+ * NF: new filter for 'refused connect' (closes: #451093). Thanks Guido
+ Bozzetto
+ * Moved iptables into recommends since fail2ban can work without iptables
+ using some other action (e.g hosts.deny)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 23 Nov 2007 11:42:24 -0500
+
+fail2ban (0.8.1-2) unstable; urgency=low
+
+ * Fixed named-refused filter.
+ * Added force-start action to init script, so it could be forced
+ to start if previous run crashed and left a socket file. Must to be
+ used with caution.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 18 Oct 2007 18:31:58 -0400
+
+fail2ban (0.8.1-1) unstable; urgency=low
+
+ * New upstream release.
+ Patches absorbed upstream:
+ 00_daemon_pids.dpatch
+ 00_iptables_allports.dpatch
+ 00_vsftp_filter_spaces.dpatch
+ 00_resolve_all_names.dpatch
+ 00_HOST_ignoreregex.dpatch
+ Patches which needed some tune-up:
+ 00_ssh_strong_re.dpatch
+ 00_mail-whois-lines.dpatch
+ 00_named_refused.dpatch
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 14 Aug 2007 23:15:21 -0400
+
+fail2ban (0.8.0-5~pre1) UNRELEASED; urgency=low
+
+ * Added optional spaces at the end of failregex for vsftpd.
+ * Resolve all "names" which became a part of <HOST>. Previousely only fqdn's
+ were resolved
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 05 Aug 2007 21:38:44 -0400
+
+fail2ban (0.8.0-4) unstable; urgency=low
+
+ * Moved <HOST> expansion into regex.py (closes: #429263). Thanks James
+ Andrewartha.
+ * Added optional regexp entry for process PID in some entries (closes:
+ #426050). Thanks Roderick Schertler.
+ * Added a filter pam_generic to catch any login errors.
+ * Added iptables-allports.
+ * Use /var/run to keep socket file (closes: #425746)
+ * Added a filter for named to catch refused/denied queries
+ * Added new time template matching named log entries
+ * jail.conf has specification of protocol (default to tcp) to be provided to
+ banaction
+ * Adjusted failregex for sshd filter:
+ - anchored properly at the end of line, and source code has .examples
+ files to perform testing of the rules.
+ - added new explicit rule for users not in the AllowUsers lists
+
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 19 Jun 2007 23:04:02 -0400
+
+fail2ban (0.8.0-2) unstable; urgency=low
+
+ * Manually changing the order of debhelper inserted scripts in prerm
+ (Closes: #422655)
+ * Removed obsolete hack to have /bin/env invocation of python for
+ fail2ban-* scripts
+ * Applied changes submitted by Bernd Zeimetz (thanks Bernd):
+ - Removed obsolete Build-Depends-Indep on help2man, python-dev
+ - Explicit removal of *.pyc files compiled during build
+ - Invoke 'python setup.py clean' in clean target, which required also
+ to move python into Build-Depends
+ * Minor clean up of debian/rules
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 16 May 2007 14:13:57 -0400
+
+fail2ban (0.8.0-1) unstable; urgency=low
+
+ * New stable upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 05 May 2007 12:35:02 -0400
+
+fail2ban (0.7.9-1) unstable; urgency=low
+
+ * New upstream release
+ * Updated copyright to include current year
+ * Removed patches absorbed upstream
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 19 Apr 2007 21:44:28 -0400
+
+fail2ban (0.7.8-1) unstable; urgency=low
+
+ * New upstream release
+ * Applied post-release upstream changes to resolve issues with
+ - Fix to close opened handlers to log file
+ - Tentative incomplete gamin fix
+ - Fix to "reload" bug
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 26 Mar 2007 17:52:23 -0400
+
+fail2ban (0.7.7-1) unstable; urgency=low
+
+ * New upstream release (included most of the debian-provided patches -- new
+ filters and actions)
+ * Refreshed and made verbatim homepage in description
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 8 Feb 2007 22:20:49 -0500
+
+fail2ban (0.7.6-3) unstable; urgency=low
+
+ * Synchronized action.d/iptables-* rules from upstream SVN (closes:
+ #407561)
+ * Minor: options renames in the comments to be in sync with upstream
+ * Use /usr/bin/python interpreter instead of wrapped call to python by
+ /usr/bin/env
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 19 Jan 2007 10:43:59 -0500
+
+fail2ban (0.7.6-2) unstable; urgency=low
+
+ * iptables-multiport is default action to take since Debian kernel arrives
+ with multiport module. That is to address the fact that most services
+ listen on multiple port (for encrypted and non-encrypted connections)
+ * Added [courierauth] jail (First 2 items are to partially address #407404
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 18 Jan 2007 10:35:36 -0500
+
+fail2ban (0.7.6-1) unstable; urgency=low
+
+ * New upstream release, which incorporates fixes introduced in 3~pre
+ non-released versions (which were suggested to the users to overcome
+ problems reported in bug reports). In particular attention should be paid
+ to upstream changelog entries
+ - Several "failregex" and "ignoreregex" are now accepted.
+ Creation of rules should be easier now.
+ This is an alternative solution to 'multiple <HOST>' entries fix,
+ which is not applied to this shipped version - pay caution if upgrading
+ from 0.7.5-3~pre?
+ - Allow comma in action options. The value of the option must
+ be escaped with " or '.
+ That allowed to implement requested ability to ban multiple ports
+ at once (See 373592). README.Debian and jail.conf adjusted to reflect
+ possible use of iptables-mport
+ - Now Fail2ban goes in /usr/share/fail2ban instead of
+ /usr/lib/fail2ban. This is more compliant with FHS.
+ Patch 00_share_insteadof_lib no longer applied
+ * Refactored installed by debian package jail.conf:
+ - Added option banaction which is to incorporate banning agent
+ (usually some flavor of iptables rule), which can then be easily
+ overriden globally or per section
+ - Multiple actions are defined as action_* to serve as shortcuts
+ * Initd script was modified to inform about present socket file which
+ would forbid fail2ban-server from starting
+ * Adjusted default log file for postfix to be /var/log/mail.log
+ (Closes: #404921)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 4 Jan 2007 15:24:52 -0500
+
+fail2ban (0.7.5-3~pre6) unstable; urgency=low
+
+ * Fail2ban now bans vsftpd logins (corrected logfile path and failregex)
+ (Closes: #404060)
+ * Made fail2ban-server tollerate multiple <HOST> entries in failregex
+ * Moved call to dh_pycentral before dh_installinit
+ * Removed unnecessary call of dh_shlibdeps
+ * Added filter ssh-ddos to fight DDOS attacks. Must be used with caution
+ if there is a possibility of valid clients accessing through
+ unreliable connection or faulty firewall (Closes: #404487)
+ * Not applying patch any more for rigid python2.4 - it is default now in
+ sid/etch
+ * Moving waiting loop for fail2ban-server to stop under do_stop
+ function, so it gets invoked by both 'restart' and 'stop' commands
+ * do_status action of init script is now using 'fail2ban-client ping'
+ instead of '... status' since we don't really use returned status
+ information, besides the return error code
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 26 Dec 2006 21:56:58 -0500
+
+fail2ban (0.7.5-2) unstable; urgency=low
+
+ * NEWS.Debian confusions - the latest NEWS entry and postinst message were
+ rephrased (Closes: #402350)
+ * Added mail-whois-lines action, which emails log lines containing abuser
+ IP. Those lines are often required for proper abuse reports sent to the
+ Internet providers. Forwarding of such received emails to the email
+ addresses of abuse departments present in the output of whois is a
+ tentative solution for semi-automatic abuse reporting (Closes: #358810)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 10 Dec 2006 18:55:37 -0500
+
+fail2ban (0.7.5-1) unstable; urgency=low
+
+ * New upstream release which fixes next issues
+ + Socket parameter not work with other path (Closes: #400162)
+ + fail2ban does not start with /etc/init.d/fail2ban start but
+ with fail2ban-client start (Closes: #400278)
+ * Removed obsolete patches left from 0.6
+ * Adjusted wsftpd patch to use <HOST> tag to be in line with the other
+ filter definitions
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 7 Dec 2006 20:19:09 -0500
+
+fail2ban (0.7.4-5) unstable; urgency=low
+
+ * Added Suggests on mailx and relevant comments in README.Debian about
+ invoking mail actions (closes: #396668)
+ * Removed obsolete entries in TODO and README
+ * README.Debian describes the use of interpolations vs parameters passed
+ from jail.{conf,local} into an action definitions (closes:
+ #398739)
+ * Initial version of postfix filter has been present in 0.7 (closes:
+ #377711)
+ * Removed Uploaded field from control since I am a DD now. Big thanks to
+ Barak Pearlmutter for being the sponsor of my packages for few years.
+
+ -- Yaroslav O. Halchenko <debian@onerussian.com> Wed, 6 Dec 2006 22:14:26 -0500
+
+fail2ban (0.7.4-4) unstable; urgency=low
+
+ * Added debian/backports to contain patches necessary for backporting. It
+ gets used by pbuilder-ssh to create package for backports.org
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 4 Dec 2006 08:55:48 -0500
+
+fail2ban (0.7.4-3) unstable; urgency=low
+
+ * Reincarnated logrotate configuration (Closes: #397878)
+ * Only block new connects by using a new action iptables-new instead of
+ iptables (Closes: #350746)
+ * Updated README.Debian to reflect transition over to 0.7 branch and to
+ comment on 350746
+ * "Clean" target removes generated .pyc files now (Closes: #398146)
+ * Cleaned up debian/rules a bit
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 11 Nov 2006 21:00:18 -0500
+
+fail2ban (0.7.4-2) unstable; urgency=low
+
+ * Added reload/force-reload actions to init script
+ * Adjusted jail.conf a bit
+ * Warning NEWS entry for 0.7.1 was not shown during installation on test
+ boxes, thus postinst was adjusted accordingly to inform the user about the
+ changes in the configuration files since 0.6.
+ * no logrotation anymore? (Closes: #397878)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 10 Nov 2006 10:53:23 -0500
+
+fail2ban (0.7.4-1) experimental; urgency=low
+
+ * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 1 Nov 2006 20:54:14 -0500
+
+fail2ban (0.7.4~pre20061023.2-3) experimental; urgency=low
+
+ * Corrected init.d script to properly perform restart due to server delay to
+ react to client command to stop. Handling of status was adjusted as well
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 29 Oct 2006 22:29:27 -0500
+
+fail2ban (0.7.4~pre20061023.2-2) experimental; urgency=low
+
+ * Added apache-noscript to jail.conf
+ * Default action does not send emails to be inline with previous (0.6.x)
+ behavior
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 26 Oct 2006 13:27:20 -0400
+
+fail2ban (0.7.4~pre20061023.2-1) experimental; urgency=low
+
+ * Fresh upstream: fixed a bug with not handling error producing
+ actioncheck call
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 23 Oct 2006 17:00:03 -0400
+
+fail2ban (0.7.4~pre2006102-1) experimental; urgency=low
+
+ * Currrent snapshot of trunk
+ * Removed outdated (applied in 0.7.4 or specific for 0.6.?) patches
+ from debian/patches
+ * Adjusted rule to install man pages -- only .1 files since there are also
+ h2m sources
+ * debian/{rules,control} adjusted to conform all points in recent python
+ policy changes
+ * install under /usr/share instead of /usr/lib
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 23 Oct 2006 00:17:55 -0400
+
+fail2ban (0.7.3-2) experimental; urgency=low
+
+ * Added wuftpd section
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 18 Oct 2006 01:15:00 -0400
+
+fail2ban (0.7.3-1) experimental; urgency=low
+
+ * New upstream release
+ * Debian shipped jail.conf
+ * Refreshen init.d script
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 28 Sep 2006 22:17:16 -0400
+
+fail2ban (0.7.1-0.2) experimental; urgency=low
+
+ * New upstream release (closes: #370095,#366307)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 5 Sep 2006 00:26:08 -0400
+
+fail2ban (0.6.1-11) unstable; urgency=low
+
+ * Adjusted manpage for fail2ban.conf to point to shipped examples of
+ configuration files as the source of details about available configuration
+ options (closes: #382403)
+ * Changes in man/fail2ban.conf.5 are managed via dpatch now
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 16 Aug 2006 00:18:59 +0300
+
+fail2ban (0.6.1-10) unstable; urgency=low
+
+ * Adjusted to comply with recent changes in debian python policy and use
+ pycentral to byte compile modules
+ * Filtered out empty entries for ignoreip to reduce confusing WARNING log
+ message
+ * Added configuration parameter "locale" to specify LC_TIME for time
+ pattern matching (closes: #367990,363391)
+ * Verbosity is chosen to be max between cmdline parameters and config file
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 6 Jul 2006 20:19:54 -0400
+
+fail2ban (0.6.1-9) unstable; urgency=low
+
+ * Adjusted rm commands in init script to don't use -r for removal of
+ the pidfile (thanks Stephen Gran)
+ * Added clarification about multiport banning to README.Debian
+ (closes: #373592)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 14 Jun 2006 12:05:44 -0400
+
+fail2ban (0.6.1-8) unstable; urgency=low
+
+ * Removed bashism (arrays) from init.d script to make it POSIX shell
+ complient (closes: #368218)
+ * Added new proftpd section
+ * Added new saslauthd section. Thanks to martin f krafft
+ <madduck@debian.org> (closes: #369483)
+ * Mentioned apache2 log file in Other. comment field for FILE in
+ apache section. Nothing has to be changed besides the logfile path to
+ work with apache2 (closes: #342144)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 22 May 2006 15:37:17 -0400
+
+fail2ban (0.6.1-5) unstable; urgency=low
+
+ * Further fixed debian packaging: to comply with policy empty target
+ binary-arch was provided
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 16 May 2006 16:43:37 -0400
+
+fail2ban (0.6.1-4) unstable; urgency=low
+
+ * Adjusted debian packaging:
+ - Clean up of debian/rules: removed commented out dh_ scripts which
+ definetly will never be used
+ - debhelper and dpatch moved to Build-Depends
+ - added --no-compile for python setup.py install, and removed explicit
+ cleaning of .pyc's
+ - fixed separation binary-indep and binary-arch in debian/rules
+ - restricted depends on python >= 2.3
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 16 May 2006 15:53:06 -0400
+
+fail2ban (0.6.1-3) unstable; urgency=low
+
+ * Fixed vsftpd failregexp (closes: #366687)
+ * Started to use dpatch
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 10 May 2006 11:45:57 -0400
+
+fail2ban (0.6.1-2) unstable; urgency=low
+
+ * Assigned maxreinits to 1000 to be reasonable since otherwise logfile grows
+ indefinetly if there is a real problem on the system (closes: #359218)
+ * Adjusted debian/{copyright,watch}
+ * New version of init.d script (Thanks to Aaron Isotton) (closes: #364278)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 27 Mar 2006 12:55:39 -0500
+
+fail2ban (0.6.1-1) unstable; urgency=low
+
+ * New upstream release
+ * In config file added fwchain to ease switching to another input chain
+ (closes: #357164)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 18 Mar 2006 23:11:53 -0500
+
+fail2ban (0.6.0-8) unstable; urgency=low
+
+ * Minor adjustments to reduce the deviation from the upstream code
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 11 Mar 2006 00:48:14 -0500
+
+fail2ban (0.6.0-7) unstable; urgency=low
+
+ * Fixed a typo in failregex for SSH section (closes: #356112)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 9 Mar 2006 15:13:48 -0500
+
+fail2ban (0.6.0-6) unstable; urgency=low
+
+ * Updated README.Debian with information about some cases with
+ not-as-shipped configurations of sshd on the boxes running older versions
+ of openssh server
+ * Included regexps for SSH in case iff authentication as root using keys was
+ attempted whenever PermitRootLogin is set to something else than "yes" and
+ key authentication fails
+ * Included postrm script to remove log files during purge to comply with
+ policy 10.8 (closes: #355443)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 3 Mar 2006 16:32:38 -0500
+
+fail2ban (0.6.0-5) unstable; urgency=low
+
+ * Fixed Apache section: changed filepath to point at error.log, thus I had
+ to revert timeregex and timepattern to user RFC 2822 format (closes:
+ #354346)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 25 Feb 2006 19:56:46 -0500
+
+fail2ban (0.6.0-4) unstable; urgency=low
+
+ * Modifications in README.Debian to reflect a "finding" on
+ not-AllowedUsers banning which requires default Debian configuration
+ of "ChallengeResponseAuthentication no" and "PasswordAuthentication
+ yes"
+ * Fixed Apache timeregex and timepattern to confirm
+ the fomat of time stamp used in Debian's acccess.log (error.log uses
+ RFC 2822 format)
+ * Added section ApacheAttacks to specify some common patterns of attacks on
+ a webserver (awstats.pl as a try). This section stays split from Apache
+ since it is of different nature and might be not appropriate for some
+ users
+ * Forced owner/permissions of log file to be root:adm/640 in postinst and
+ logrotate (closes: #352053)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 16 Jan 2006 04:05:19 -0500
+
+fail2ban (0.6.0-3) unstable; urgency=low
+
+ * ignoreip is now empty by default (closes: #347766)
+ * increased verbosity in verbose=2 mode: now prints options accepted
+ from the config file
+ * to make fail2ban.conf more compact, thus to improve its readability,
+ fail2ban.conf was converted to use "interpolations" provided by
+ ConfigParser class. fw{start,end,{,un}ban} options were moved into
+ DEFAULT section and required options (port, protocol) were added
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 12 Jan 2006 18:32:14 -0500
+
+fail2ban (0.6.0-2) unstable; urgency=low
+
+ * fail2ban path is inserted first in the list to avoid a conflict with
+ existing elsewhere modules with the same names. (Thanks for report and
+ patch to Nick Craig-Wood) (closes: #343821)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 19 Dec 2005 17:44:58 +0200
+
+fail2ban (0.6.0-1) unstable; urgency=low
+
+ * Merged with the latest stable upstream release. That incure some
+ changes for the Debian configuration of the package to be more
+ upstream-like. Visible one is: subject in the sent email includes
+ section outside of "[Fail2Ban]"
+ * Updated README.Debian to answer possible question regarding effective
+ bantime starting moment
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 20 Nov 2005 14:56:41 -0500
+
+fail2ban (0.5.4-10) unstable; urgency=low
+
+ * Fixed the order of ssh and apache rules to avoid possible race
+ condition (Thanks to Jefferson Cowart for the bug report) (closes:
+ #339133)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 14 Nov 2005 23:44:45 -0500
+
+fail2ban (0.5.4-9) unstable; urgency=low
+
+ * Fixed init.d script so it doesn't return non-0 status if fail2ban is not
+ running. That fixes issues with purging the package and leaving garbage in
+ /usr/share/fail2ban (Thanx to Justin Pryzby for the insight)
+ (closes: #337223)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 3 Nov 2005 17:05:20 -0500
+
+fail2ban (0.5.4-8) unstable; urgency=low
+
+ * Added config option MAIL.localtime (closes: #336449)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 31 Oct 2005 16:53:19 -0500
+
+fail2ban (0.5.4-7) unstable; urgency=low
+
+ * Adjusted init.d script so it is resistant to delayed shutdowns of
+ fail2ban and in general more stable
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 20 Oct 2005 21:22:03 -0400
+
+fail2ban (0.5.4-6.2) unstable; urgency=low
+
+ * Fixed typos (thanx to Ross Boylan).
+ * Robust startup: if iptables module gets fully initialized after
+ startup of fail2ban, fail2ban will do "maxreinit" attempts to
+ initialize its own firewall. It will sleep between attempts for
+ "polltime" number of seconds (closes: #334272).
+ * To overcome possible conflict with other firewall solutions and as a
+ secondary solution for the bug 334272, fail2ban startup is moved
+ during bootup to the latest (S99) sequenece position. That should not
+ cause any discomfort I believe.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 18 Oct 2005 15:54:38 -0400
+
+fail2ban (0.5.4-5.14) unstable; urgency=low
+
+ * Added a notification regarding the importance of 0.5.4-5 change of
+ failregex in the config file.
+ * Adjusted address to FSF.
+ * Adjusted failregex for SSH so it bans "Illegal user" entries as well, and
+ restricted full failregex more to include ":" at the beginning, because
+ otherwise it might not be sufficient and would revive bug 330827 (closes:
+ #333056).
+ * Adjusted failregex for SSH to accommodate recent changes in logging of
+ SSH: Illegal -> Invalid. Should match both now.
+ * Fixed a problem of raise AttributeError exception reported as a side
+ effect of crash during parsing of the config file.
+ * Introduced fwcheck option to verify consistency of the
+ chains. Implemented automatic restart of fail2ban main function in
+ case check of fwban or fwunban command failed (closes: #329163, #331695).
+ (Introduced patch was further adjusted by upstream author).
+ * Added -f command line parameter for [findtime].
+ * Fixed the issue of not respecting command line parameters for parameters
+ within sections.
+ * Added -e command line parameter to provide enabled sections from command
+ line.
+ * Added a cleanup of firewall rules on emergency shutdown when unknown
+ exception is catched.
+ * Fail2ban should not crash now if a wrong file name is specified in
+ config.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 3 Oct 2005 22:26:28 -1000
+
+fail2ban (0.5.4-5) unstable; urgency=low
+
+ * Made failregex'es more specific to don't allow usernames to be used as a
+ tool for denial of service attacks. Config files (or at least
+ failregex'es) must be updated from this package, otherwise the security
+ breach would remain open and only warning gets issued (closes: #330827)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 1 Oct 2005 02:42:23 -1000
+
+fail2ban (0.5.4-4) unstable; urgency=low
+
+ * On a request from Calum Mackay added reporting of the enabled sections
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 29 Sep 2005 11:20:43 -1000
+
+fail2ban (0.5.4-3) unstable; urgency=low
+
+ * Resolved the mystery of debug mode in which commands are not really
+ executed: added verbose option to config file, removed -v from
+ /etc/default/fail2ban, reordered code a bit so that log targets are
+ setup right after background and then only loglevel (verbose,debug) is
+ processed, so the warning could be seen in the logs
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Thu, 29 Sep 2005 00:20:43 -1000
+
+fail2ban (0.5.4-2) unstable; urgency=low
+
+ * Now exporting PATH explicitely in init.d/fail2ban script, to avoid
+ problems finding iptables in the cases when PATH was not exported outside
+ (cfengine, broken shell environment) (closes: #329304)
+ * Removed -b from start-stop-daemon because fail2ban detahes on its own
+ * Added @localhost to MAIL:from and MAIL:to in fail2ban.conf and placed
+ a note to README.Debian regarding necessity to specify full email
+ address in MAIL:from (closes: #329722)
+ * Added a keyword <section> in parsing of the subject and the body of an
+ email sent out by fail2ban (closes: #330311)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Wed, 27 Sep 2005 08:09:06 -0400
+
+fail2ban (0.5.4-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 20 Sep 2005 12:19:19 -0400
+
+fail2ban (0.5.3-2) unstable; urgency=low
+
+ * Refined comments in README.Debian
+ * Reindented init.d script
+ P.S. Was not released
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sun, 11 Sep 2005 15:19:44 -0400
+
+fail2ban (0.5.3-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 9 Sep 2005 16:55:00 -0400
+
+fail2ban (0.5.2-5) unstable; urgency=low
+
+ * Included a patch from Stephen Gildea to provide "status" report by
+ init.d script
+ * Included a note in README.Debian regarding the fail2ban iptable's
+ chains
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 9 Sep 2005 14:52:24 -0400
+
+fail2ban (0.5.2-4) unstable; urgency=low
+
+ * Format of SYSLOG entries is up to the standard now
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 19 Aug 2005 00:06:44 -1000
+
+fail2ban (0.5.2-3) unstable; urgency=low
+
+ * Fixed errata in /etc/default/fail2ban (closes: #323451)
+ * Fixed handling of SYSLOG logging target. Now it can log to any syslog
+ target and facility as directed by the config (revisions 160:166 patch
+ from syslog branch) (closes: #323543)
+ * Included upstream README and TODO
+ * Mentioned in README.Debian that apache section is disabled by default
+ * Adjusted man pages to cross-reference each other
+ * Moved fail2ban man page under section 8 as in upstream
+ * Introduced findtime configuration variable to control the lifetime
+ of caught "failed" log entries (closes: #323840)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 16 Aug 2005 11:23:28 -1000
+
+fail2ban (0.5.2-2) unstable; urgency=low
+
+ * Updated description to reflect flexibility in application of fail2ban
+ * Included logrotate (Thanks to Baruch Even)
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 13 Aug 2005 04:51:57 -0400
+
+fail2ban (0.5.2-1) unstable; urgency=low
+
+ * New upstream release
+ * No log4py any more
+ * removed -i eth0 from config
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 6 Aug 2005 09:21:07 -1000
+
+fail2ban (0.5.1-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 23 Jul 2005 08:50:00 -1000
+
+fail2ban (0.5.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Libraries placed under /usr/share/fail2ban instead of /usr/lib/fail2ban
+ * Corrections to the description of the package
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Tue, 12 Jul 2005 23:33:20 -1000
+
+fail2ban (0.4.1-1) unstable; urgency=low
+
+ * First upstream release of a Debian package
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 04 Jul 2005 11:47:23 +0300
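Review bot: several spelling slips in these entries should be fixed before upload: "sequenece" (0.5.4-6.2), "catched" (0.5.4-5.14), "detahes" and "explicitely" (0.5.4-2); the phrases "to don't allow" (0.5.4-5) and "to don't have" read better as "not to allow" / "not to have".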
--- fail2ban-0.8.4.orig/debian/README.Debian
+++ fail2ban-0.8.4/debian/README.Debian
@@ -0,0 +1,224 @@
+fail2ban (>=0.7.0) for Debian
+-----------------------------
+
+This package is ~99% identical to the upstream version. Few features
+could have been added but not yet propagated into upstream version and
+some modifications might be Debian-specific. Debian specific jail.conf
+file is shipped. Original upstream file is available from
+/usr/share/doc/fail2ban/examples/jail.conf
+
+Currently, the major difference with upstream: python libraries are
+placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to
+comply with policy regarding architecture independent resources.
+
+Upgrade from 0.6 versions:
+-------------------------
+
+* New Config Files Format:
+
+If you had introduced your own sections in /etc/fail2ban.conf, you
+would need manually to convert them into a new format. At minimum you
+need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files
+for me and upstream please to avoid any conflicts -- introduce your
+changes in .local) with failregex in [Definition] section. And provide
+appropriate jail definition in /etc/fail2ban/jail.local
+
+
+* Enabled Sections:
+
+Only handling of ssh files is enabled by default. If you want to use
+fail2ban with apache, please enable apache section manually in
+/etc/fail2ban/jail.local by including next lines:
+
+[apache]
+enabled = true
+
+NOTE: -e command line parameter is non existant in 0.7.x
+
+
+* Interpolations vs actions/filters parameters:
+
+For details see #398739 or wait for a closure of #400416
+
+Every pair of .conf and then .local (if exists) files is read
+separately from any other configuration file, so interpolations cannot
+penetrate from jail.* into actions.d/*. To overcome this, it is
+necessary to create a PARAMETER which can be substituted in actions
+[Definition] section, if it is also defined in the [Init] section of
+that file and is used in place of necessary allocation as <PARAMETER>
+tag. Parameters can be specified in the definitions within
+jail.{conf,local}. For instance, 1 lengthy example, where the same
+name "fwchain" is used both as interpolation (in jail.local) and as a
+parameter (in iptables-flex.local) (from #398739)
+
+==> /etc/fail2ban/jail.local <==
+[DEFAULT]
+action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s]
+fwchain = INPUT
+[ssh]
+fwchain = ssh-tarpit
+==> /etc/fail2ban/action.d/iptables-flex.local <==
+[Definition]
+actionstart = iptables -N fail2ban-<name>
+ iptables -I <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+ iptables -I <fwchain> -j <whitelist>
+actionstop = iptables -D <fwchain> -j <whitelist>
+ iptables -D <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+actioncheck = iptables -n -L <fwchain> | grep -q fail2ban-<name>
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+[Init]
+whitelist = ssh-whitelist
+fwchain = INPUT
+name = default
+port = ssh
+protocol = tcp
+
+
+* Multiport banning: Comment for #373592, #545971
+
+iptables-multiport action is now default banaction (file jail.conf, to
+be customized within jail.local). Therefore assure that you have built
+multiport module if you use custom kernel.
+
+If you would like to ban all ports for that host, just redefine
+fwban/fwunban commands to don't have --dport %(port)s statement at
+all, or use shorewall, where actionban bans whole IP.
+
+* Blocking of NEW connections only
+Comment for the wishlist #350746.
+
+It might be benefitial in some cases to ban only new connections. For
+that just use iptables-new action instead of default banaction
+
+/etc/fail2ban/jail.local:
+
+[DEFAULT]
+banaction=iptables-new
+
+(you can override banaction within interesting for you section).
+ Also you can redefine the whole action parameter if you like.
+
+
+* Interaction with ipmasq
+ Comment to #461417
+
+Although fail2ban should detect and recreate missing chains if the external
+command wipes out iptables, it is better to explicitly to force-reload
+fail2ban. For this reason there is examples/ipmasq-ZZZzzz|fail2ban.rul file is
+shipped along to be installed under name ZZZzzz|fail2ban.rul within
+/etc/ipmasq.
+
+
+Troubleshooting:
+---------------
+
+* Updated failregex:
+
+To resolve the security bug #330827 [1] failregex expressions must
+provide a named group (?P<host>...) as a placeholder of the abuser's
+host. Alternative tag (since 0.7.5) can be "<HOST>". The naming of the
+group was introduced to capture possible future generalizations of
+failregex to provide even more information.
+
+[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
+
+You might benefit from using fail2ban-regex command shipped along to
+construct and debug your failregex statements.
+
+* "Interpolations" in the config file:
+
+Since version 0.6.0-3 to reduce duplication, thus to improve
+readability of the config file, interpolations provided by the module
+ConfigParser are used. If you had custom sections defined before, you
+might benefit from updating config file and adding appropriate
+information for the new sections.
+
+N.B. If you have some nice additional sections defined, I would really
+appreciate if you share them with me or upstream author, so they could
+be eventually included in the fail2ban package for general use by the
+rest of the community.
+
+
+* Mailing:
+
+Since actions.d/mail*.conf commands rely on presence of "mail"
+command, mailx package (or another package providing mailx
+functionality such as mailutils) is required if those actions are
+activated in jail.{conf,local}.
+
+
+* Dirty exit:
+
+If firewall rules gets cleaned out before fail2ban exits (like was
+happening with firestarter), errors get reported during the exit of
+fail2ban, but they are "safe" and can be ignored.
+
+
+** SSHD Configuration Specific Problems
+
+* Ban "Not allowed" attempts:
+
+Make sure that you have
+ChallengeResponseAuthentication no
+PasswordAuthentication yes
+
+Details from the bug report #350980 [2]
+
+[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350980
+
+
+* Not caught attempts to login as root
+
+On the boxes running older versions of openssh (e.g. sarge
+distribution) in the case when PermitRootLogin is set to something
+else than "yes" and iff AllowUsers is active, failed root logins do
+not confirm to the standard logging message -- they omit the source
+IP, thus allowing attack to persist since such messages are not caught
+by fail2ban.
+
+
+* Bantime:
+
+An IP is banned for "bantime" not since the last failed login attempt
+from the IP, but rather since the moment when failed login was
+detected by fail2ban. Thus, if fail2ban gets [re]started, any IP which
+had enough of failed logins with durations less than "findtime" between
+them prior to the [re]start moment, will be banned for
+"bantime" since [re]start moment, not since the last failed login
+time.
+
+* Findtime:
+
+"Findtime" option of a jail actually defines a duration to reset the
+counter of failed login attempts, if no new attempt was detected within
+that time frame (i.e. within "findtime").
+
+See
+http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options
+for more information on jail options.
+
+
+* Syslog entries can be 'forged' by a regular user
+
+From
+http://fail2ban.sourceforge.net/wiki/index.php/FAQ_english#What_do_I_have_to_consider_when_using_Fail2ban
+
+Especially on systems wich provide ssh/CGI/PHP services to unknown
+users it is possible to block other users from ssh and probably other
+access as a unprivileged user may issue:
+
+logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4'
+
+N.B. chmod o-x /usr/bin/logger should provide at least obfuscation
+solution
+
+Or the malicious user may write via PHP's openlog()/syslog() to syslog.
+
+P.S. Anyone is welcome to recommend proper security solution to this
+issue, such as an alternative to sysklogd which allows better control
+over users logging to specific facilities (such as AUTH)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>, Thu, 4 Jan 2007 15:18:39 -0500
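Review bot: the iptables-flex example under "Interpolations vs actions/filters parameters" has an unstated prerequisite: actionstart runs "iptables -I <fwchain> -j <whitelist>" with "whitelist = ssh-whitelist" from [Init], but nothing in the example creates that chain, so actionstart fails unless the administrator has created ssh-whitelist beforehand; either say so in the text or create the chain in actionstart and remove it in actionstop, as the example already does for fail2ban-<name>. In the "Syslog entries can be 'forged'" item, the sentence about "chmod o-x /usr/bin/logger" should state plainly that this is partial hardening only: as the next sentence notes, any local process able to call syslog(3) (PHP's openlog()/syslog() being the given instance) is unaffected, so jails fed from logs on shared hosts need to be weighed against that risk.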
--- fail2ban-0.8.4.orig/debian/copyright
+++ fail2ban-0.8.4/debian/copyright
@@ -0,0 +1,31 @@
+This package was originally debianized by Yaroslav Halchenko
+<debian@onerussian.com> on Mon Jul 4 14:41:34 HST 2005
+
+It was downloaded from http://www.sourceforge.net/projects/fail2ban
+
+Author: Cyril Jaquier: <lostcontrol@users.sourceforge.net>
+ http://fail2ban.sourceforge.net
+
+Copyright: 2004, 2005, 2006, 2007 Cyril Jaquier
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the
+Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+MA 02110-1301, USA.
+
+On Debian systems, the complete text of the GNU General Public
+License, version 2, can be found in /usr/share/common-licenses/GPL-2.
+
+The Debian packaging is (C) 2006, Yaroslav Halchenko <debian@onerussian.com>
+and is licensed under the GPL, see above.
+
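Review bot: the packaging notice "The Debian packaging is (C) 2006" is stale: the header of this same file says the package was debianized on 4 Jul 2005, and debian/changelog in this patch carries entries from July 2005 onward, so the year range should start at 2005 and run through the year of the latest changelog entry.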
--- fail2ban-0.8.4.orig/debian/postrm
+++ fail2ban-0.8.4/debian/postrm
@@ -0,0 +1,42 @@
+#! /bin/sh
+# postrm script for fail2ban
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see /usr/doc/packaging-manual/
+
+
+case "$1" in
+ purge|disappear)
+
+ # Remove configuration
+ rm -f /etc/fail2ban.conf
+
+ # Remove logs
+ rm -f /var/log/fail2ban*
+
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade)
+ # nothing
+ # We may not delete the user fail2ban, as there may be
+ # files owned by it in /var/log/ and /etc/.
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+
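Review bot: the purge branch removes only the 0.6-era /etc/fail2ban.conf and /var/log/fail2ban*, but leaves the 0.7+ configuration tree /etc/fail2ban/ behind (including the *.local files README.Debian in this patch tells administrators to create); either clean it up on purge or add a comment saying it is intentionally kept. The comment "We may not delete the user fail2ban" refers to a user nothing in this packaging creates (the init script starts the daemon with --chuid root), so it should be dropped or corrected.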
--- fail2ban-0.8.4.orig/debian/rules
+++ fail2ban-0.8.4/debian/rules
@@ -0,0 +1,78 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DESTDIR=$(CURDIR)/debian/fail2ban
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ touch configure-stamp
+
+build:
+
+clean: clean-inits
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ rm -rf build
+ # Does not hurt to ask distutils to do their duty
+ python setup.py clean
+ # Enforce removal of *.pyc files. Apparently dh_clean does
+ # not perform find on provided filename patterns.
+ find . -name \*.pyc -exec rm -f {} \;
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Install the package into debian/fail2ban.
+ python setup.py install --root=$(DESTDIR) --no-compile --install-layout=deb
+ # Install Debian shipped jail file in 1 piece (instead of patching
+ # the shipped one since there are too many changes)
+ install -m 644 debian/jail.conf $(DESTDIR)/etc/fail2ban
+ # Remove explicitely created /var/run/fail2ban
+ # just to please lintian since init file will
+ # take care about it anyways
+ rm -rf $(DESTDIR)/var/run/fail2ban
+
+#
+# Just to comply with policy 4.8
+binary-arch:
+
+# Build architecture-independent files here.
+binary-indep: install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs ChangeLog
+ dh_installdocs
+ dh_installexamples config/jail.conf files/ipmasq-*
+ dh_installlogrotate
+ dh_pycentral
+ dh_installinit -- defaults 99
+ # perform swap of order of calls to init and pycentral in prerm
+ # to close #422655 -- pycentral section is cut and placed at
+ # the end of the file
+ sed -i -e '/^#.*ed by dh_pycentral/,/# End auto/{H;d};$$G' \
+ debian/fail2ban.prerm.debhelper
+ dh_installman man/*.1
+ dh_link
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep
+.PHONY: build clean binary-indep binary-arch binary install configure copy-inits clean-inits
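Review bot: "clean" depends on "clean-inits", and .PHONY also lists "copy-inits", but no rule for either target exists in this file; they look like leftovers from an earlier layout and should be defined or dropped rather than relying on make's handling of rule-less phony targets. The empty "build:" target that "install: build" depends on is fine for a pure-Python package, but a one-line comment saying no build step is needed would save the next maintainer a question.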
--- fail2ban-0.8.4.orig/debian/docs
+++ fail2ban-0.8.4/debian/docs
@@ -0,0 +1,2 @@
+README
+TODO
--- fail2ban-0.8.4.orig/debian/postinst
+++ fail2ban-0.8.4/debian/postinst
@@ -0,0 +1,90 @@
+#! /bin/sh
+# postinst script for fail2ban
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+preversion=$2
+
+case "$1" in
+ configure)
+ # To fix the bug in generated by previous version files permissions
+ # also closes #352053
+
+ LOG=/var/log/fail2ban.log
+ touch $LOG
+ chown root:adm ${LOG}*
+ chmod 640 ${LOG}*
+
+ # Note regarding changed configuration file
+ # Note regarding changed configuration file
+ if [ ! -z $preversion ]; then
+ if dpkg --compare-versions $preversion lt 0.7.1-1; then
+ cat <<EOF
+WARNING!
+
+ Fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you
+ customized any of provided configuration or startup files
+ (/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban), please
+ read relevant entry in /usr/share/doc/fail2ban/NEWS.Debian.gz.
+
+EOF
+ fi
+ if dpkg --compare-versions $preversion lt 0.5.4-5.14; then
+ cat <<EOF
+WARNING!
+
+ Configuration file /etc/fail2ban.conf, failregex configuration
+ parameter specificly, were changed in 0.5.4-5 to close reported
+ security breach, and in 0.5.4-5.14 to close few other bugs.
+
+updating from <0.5.4-5
+ Unless configuration file (or corresponding failregex'es) gets updated,
+ security breach is not closed and corresponding warning will be reported
+ by the fail2ban (in the log files).
+
+updating from <0.5.4-5.14
+ Bugs #329163, #331695 dealing with changed iptables rules
+ outside of fail2ban were fixed in 0.5.4-5.14, and require upgrade of the
+ configuration file (fwcheck option was introduced) to take full
+ advantage of the problem solution (otherwise some problems might
+ persist)
+
+ Please review the configuration file and make appropriate changes.
+ENJOY!
+
+EOF
+ fi
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
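Review bot: the comment "# Note regarding changed configuration file" appears twice in the configure branch; drop the duplicate. "$preversion" should be quoted in "[ ! -z $preversion ]" (or the test rewritten as "[ -n \"$preversion\" ]"): with an empty value the unquoted test collapses to two arguments and only happens to evaluate false. Also, the comparison "lt 0.7.1-1" means an upgrade from the 0.7.1-0.2 release documented in debian/NEWS in this patch still prints the 0.6-to-0.7 rewrite warning, which is probably not intended.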
--- fail2ban-0.8.4.orig/debian/fail2ban.logrotate
+++ fail2ban-0.8.4/debian/fail2ban.logrotate
@@ -0,0 +1,13 @@
+/var/log/fail2ban.log {
+
+ weekly
+ rotate 4
+ compress
+
+ delaycompress
+ missingok
+ postrotate
+ fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
+ endscript
+ create 640 root adm
+}
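Review bot: the postrotate command "fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null" exits non-zero when it cannot contact the server (fail2ban installed but stopped), and logrotate then reports the rotation as failed in its mail; append "|| true" (and redirect stderr) so a stopped daemon does not produce a recurring error. When the daemon is not running there is no open log handle to redirect anyway.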
--- fail2ban-0.8.4.orig/debian/NEWS
+++ fail2ban-0.8.4/debian/NEWS
@@ -0,0 +1,47 @@
+fail2ban (0.8.4-3) unstable; urgency=low
+
+ * Jail named-refused-udp is unsafe and opens possibility for easy DoS,
+ thus discouraged to be used, and commented out (see #583364 for more
+ information).
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Mon, 28 Jun 2010 22:12:22 -0400
+
+fail2ban (0.7.1-0.2) unstable; urgency=low
+
+ fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you
+ customized any of provided configuration or startup files
+ (/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban),
+ please read further. The configuration scheme has changed upstream:
+ 0.7 ignores /etc/fail2ban.conf and instead uses a split configuration
+ under /etc/fail2ban/. To retain your customizations, for example to
+ monitor anything other than sshd, you will need to set them under that
+ new directory; use *.local files for customizations. Please see
+ /usr/share/doc/fail2ban/README.Debian.gz and
+ http://fail2ban.sourceforge.net for further description of new
+ configuration scheme. Detailed documentation is under development (see
+ #400416). When you are satisfied with the new settings, please delete
+ /etc/fail2ban.conf to avoid confusion.
+
+ Fail2ban 0.7 uses client/server architecture and fail2ban-client is to
+ substitute fail2ban command to provide an interface between the user and
+ fail2ban-server. That is why some command line parameters present in
+ fail2ban 0.6 are invalid in fail2ban-client. Such change affects
+ /etc/default/fail2ban; you should review that file if you customized it.
+ Please enable sections as directed in README.Debian.gz mentioned above.
+ You must use newly shipped init.d/fail2ban, or otherwise fail2ban will
+ not start.
+
+ This note was rewritten in release 0.7.5-2 to clarify its meaning.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Sat, 9 Dec 2006 18:24:36 -0500
+
+fail2ban (0.6.0-4) unstable; urgency=low
+
+ In this version the new section ApacheAttacks was introduced to ban IPs
+ which are found to run some known attack on the host. For now it captures
+ just awstats and mambo related attacks. To make this feature work, the bug of
+ wrongly specified timeregexp for Apache's access.log file was fixed.
+ Besides that group of log files has changed to be adm, and now they are
+ readable by the group.
+
+ -- Yaroslav Halchenko <debian@onerussian.com> Fri, 10 Feb 2006 13:05:07 -0500
--- fail2ban-0.8.4.orig/debian/pycompat
+++ fail2ban-0.8.4/debian/pycompat
@@ -0,0 +1 @@
+2
--- fail2ban-0.8.4.orig/debian/TODO
+++ fail2ban-0.8.4/debian/TODO
@@ -0,0 +1,6 @@
+* Collect more sections for other log files
+* Find proper answer to "Syslog entries can be 'forged' by a regular
+ user" mentioned in README.Debian
+
+ -- Yaroslav O. Halchenko <debian@onerussian.com> Wed, 6 Dec 2006 22:14:26 -0500
+
--- fail2ban-0.8.4.orig/debian/fail2ban.init
+++ fail2ban-0.8.4/debian/fail2ban.init
@@ -0,0 +1,227 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: fail2ban
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Should-Start: $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
+# Should-Stop: $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start/stop fail2ban
+# Description: Start/stop fail2ban, a daemon scanning the log files and
+# banning potential attackers.
+### END INIT INFO
+
+# Author: Aaron Isotton <aaron@isotton.com>
+# Modified: by Yaroslav Halchenko <debian@onerussian.com>
+# reindented + minor corrections + to work on sarge without modifications
+#
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+DESC="authentication failure monitor"
+NAME=fail2ban
+
+# fail2ban-client is not a daemon itself but starts a daemon and
+# loads its with configuration
+DAEMON=/usr/bin/$NAME-client
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Ad-hoc way to parse out socket file name
+SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
+ | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
+[ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+DAEMON_ARGS="$FAIL2BAN_OPTS"
+
+# Load the VERBOSE setting and other rcS variables
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+# Predefine what can be missing from lsb source later on -- necessary to run
+# on sarge. Just present it in a bit more compact way from what was shipped
+log_daemon_msg () {
+ [ -z "$1" ] && return 1
+ echo -n "$1:"
+ [ -z "$2" ] || echo -n " $2"
+}
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
+# so we must be ok
+. /lib/lsb/init-functions
+
+#
+# Shortcut function for abnormal init script interruption
+#
+report_bug()
+{
+ echo $*
+ echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
+ exit 1
+}
+
+#
+# Helper function to check if socket is present, which is often left after
+# abnormal exit of fail2ban and needs to be removed
+#
+check_socket()
+{
+ # Return
+ # 0 if socket is present and readable
+ # 1 if socket file is not present
+ # 2 if socket file is present but not readable
+ # 3 if socket file is present but is not a socket
+ [ -e "$SOCKFILE" ] || return 1
+ [ -r "$SOCKFILE" ] || return 2
+ [ -S "$SOCKFILE" ] || return 3
+ return 0
+}
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ do_status && return 1
+
+ if [ -e "$SOCKFILE" ]; then
+ log_failure_msg "Socket file $SOCKFILE is present"
+ [ "$1" = "force-start" ] \
+ && log_success_msg "Starting anyway as requested" \
+ || return 2
+ DAEMON_ARGS="$DAEMON_ARGS -x"
+ fi
+
+ # Assure that /var/run/fail2ban exists
+ [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
+
+ start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
+ $DAEMON_ARGS start > /dev/null\
+ || return 2
+
+ return 0
+}
+
+
+#
+# Function that checks the status of fail2ban and returns
+# corresponding code
+#
+do_status()
+{
+ $DAEMON ping > /dev/null
+ return $?
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ $DAEMON status > /dev/null || return 1
+ $DAEMON stop > /dev/null || return 2
+
+ # now we need actually to wait a bit since it might take time
+ # for server to react on client's stop request. Especially
+ # important for restart command on slow boxes
+ count=1
+ while do_status && [ $count -lt 60 ]; do
+ sleep 1
+ count=$(($count+1))
+ done
+ [ $count -lt 60 ] || return 3 # failed to stop
+
+ return 0
+}
+
+#
+# Function to reload configuration
+#
+do_reload() {
+ $DAEMON reload > /dev/null && return 0 || return 1
+ return 0
+}
+
+# yoh:
+# shortcut function to don't duplicate case statements and to don't use
+# bashisms (arrays). Fixes #368218
+#
+log_end_msg_wrapper()
+{
+ [ $1 -lt $2 ] && value=0 || value=1
+ log_end_msg $value
+}
+
+command="$1"
+case "$command" in
+ start|force-start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start "$command"
+ [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
+ ;;
+
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
+ ;;
+
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ log_end_msg_wrapper $? 1
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg $?
+ ;;
+
+ status)
+ log_daemon_msg "Status of $DESC"
+ do_status
+ case $? in
+ 0) log_success_msg " $NAME is running" ;;
+ 255)
+ check_socket
+ case $? in
+ 1) log_warning_msg " $NAME is not running" ;;
+ 0) log_failure_msg " $NAME is not running but $SOCKFILE exists" ;;
+ 2) log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown";;
+ 3) log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown";;
+ *) report_bug "Unknown return code from $NAME:check_socket.";;
+ esac
+ ;;
+ *) report_bug "Unknown $NAME status code"
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
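Review bot: in the start and stop branches the result of do_start/do_stop is lost: in "[ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2" the "$?" is expanded after the test command has already run, so it is always that test's status (0) and the wrapper logs success even when do_start returned 2. Capture the status first ("do_start "$command"; rc=$?") and pass "$rc" to the wrapper. Two smaller points: "force-reload" is already matched by the "restart|force-reload)" branch, so the later "reload|force-reload)" branch is only reachable as "reload"; and the fallback "SOCKFILE='/tmp/fail2ban.sock'" places the control socket in a world-writable directory although the script already creates /var/run/fail2ban for the daemon, so the default should point there, which also keeps the "-e "$SOCKFILE"" pre-start check in do_start independent of files any local user can create under /tmp.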
--- fail2ban-0.8.4.orig/debian/jail.conf
+++ fail2ban-0.8.4/debian/jail.conf
@@ -0,0 +1,287 @@
+# Fail2Ban configuration file.
+#
+# This file was composed for Debian systems from the original one
+# provided now under /usr/share/doc/fail2ban/examples/jail.conf
+# for additional examples.
+#
+# To avoid merges during upgrades DO NOT MODIFY THIS FILE
+# and rather provide your changes in /etc/fail2ban/jail.local
+#
+# Author: Yaroslav O. Halchenko <debian@onerussian.com>
+#
+# $Revision: 281 $
+#
+
+# The DEFAULT allows a global definition of the options. They can be override
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host
+ignoreip = 127.0.0.1
+bantime = 600
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification. Available
+# options are "gamin", "polling" and "auto".
+# yoh: For some reason Debian shipped python-gamin didn't work as expected
+# This issue left ToDo, so polling is default backend for now
+backend = polling
+
+#
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = root@localhost
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overriden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# email action. Since 0.8.1 upstream fail2ban uses sendmail
+# MTA for the mailing. Change mta configuration parameter to mail
+# if you want to revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+#
+# JAILS
+#
+
+# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
+# was shipped in Debian. Enable any defined here jail by including
+#
+# [SECTION_NAME]
+# enabled = true
+
+#
+# in /etc/fail2ban/jail.local.
+#
+# Optionally you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+[ssh]
+
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 6
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+
+enabled = false
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port = all
+banaction = iptables-allports
+port = anyport
+logpath = /var/log/auth.log
+maxretry = 6
+
+[xinetd-fail]
+
+enabled = false
+filter = xinetd-fail
+port = all
+banaction = iptables-multiport-log
+logpath = /var/log/daemon.log
+maxretry = 2
+
+
+[ssh-ddos]
+
+enabled = false
+port = ssh
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 6
+
+#
+# HTTP servers
+#
+
+[apache]
+
+enabled = false
+port = http,https
+filter = apache-auth
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+# default action is now multiport, so apache-multiport jail was left
+# for compatibility with previous (<0.7.6-2) releases
+[apache-multiport]
+
+enabled = false
+port = http,https
+filter = apache-auth
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-noscript]
+
+enabled = false
+port = http,https
+filter = apache-noscript
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-overflows]
+
+enabled = false
+port = http,https
+filter = apache-overflows
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+#
+# FTP servers
+#
+
+[vsftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = vsftpd
+logpath = /var/log/vsftpd.log
+# or overwrite it in jails.local to be
+# logpath = /var/log/auth.log
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+maxretry = 6
+
+
+[proftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = proftpd
+logpath = /var/log/proftpd/proftpd.log
+maxretry = 6
+
+
+[wuftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = wuftpd
+logpath = /var/log/auth.log
+maxretry = 6
+
+
+#
+# Mail servers
+#
+
+[postfix]
+
+enabled = false
+port = smtp,ssmtp
+filter = postfix
+logpath = /var/log/mail.log
+
+
+[couriersmtp]
+
+enabled = false
+port = smtp,ssmtp
+filter = couriersmtp
+logpath = /var/log/mail.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courierauth]
+
+enabled = false
+port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter = courierlogin
+logpath = /var/log/mail.log
+
+
+[sasl]
+
+enabled = false
+port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter = sasl
+# You might consider monitoring /var/log/warn.log instead
+# if you are running postfix. See http://bugs.debian.org/507990
+logpath = /var/log/mail.log
+
+
+# DNS Servers
+
+
+# These jails block attacks against named (bind9). By default, logging is off
+# with bind9 installation. You will need something like this:
+#
+# logging {
+# channel security_file {
+# file "/var/log/named/security.log" versions 3 size 30m;
+# severity dynamic;
+# print-time yes;
+# };
+# category security {
+# security_file;
+# };
+# };
+#
+# in your named.conf to provide proper logging
+
+# !!! WARNING !!!
+# Since UDP is connectionless protocol, spoofing of IP and immitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#[named-refused-udp]
+#
+#enabled = false
+#port = domain,953
+#protocol = udp
+#filter = named-refused
+#logpath = /var/log/named/security.log
+
+[named-refused-tcp]
+
+enabled = false
+port = domain,953
+protocol = tcp
+filter = named-refused
+logpath = /var/log/named/security.log
+
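Review bot: the three action shortcuts (`action_`, `action_mw`, `action_mwl`) carry an unbalanced quote in `protocol="%(protocol)s]`; the closing `"` before `]` is missing, so for consistency with `port="%(port)s"` the value should read `protocol="%(protocol)s"]`. In `[pam-generic]`, `port = all` is followed by `port = anyport` in the same section, so the second assignment silently replaces the first; drop one of them (the comment already says the port is irrelevant with `iptables-allports`). Minor wording in the `[DEFAULT]` comment: "They can be override" should read "They can be overridden".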
--- fail2ban-0.8.4.orig/debian/control
+++ fail2ban-0.8.4/debian/control
@@ -0,0 +1,32 @@
+Source: fail2ban
+Section: net
+Priority: optional
+Maintainer: Yaroslav Halchenko <debian@onerussian.com>
+Build-Depends: debhelper (>= 5.0.37.2), python (>= 2.5.4-1~)
+Build-Depends-Indep: python-central (>= 0.5.6)
+XS-Python-Version: current, >= 2.4
+Homepage: http://www.fail2ban.org
+Vcs-Browser: http://git.onerussian.com/?p=deb/fail2ban.git
+Vcs-git: git://git.onerussian.com/deb/fail2ban.git
+Standards-Version: 3.8.4
+
+
+Package: fail2ban
+Architecture: all
+Depends: ${python:Depends}, ${misc:Depends}, lsb-base (>=2.0-7)
+Recommends: iptables, whois
+Suggests: python-gamin, mailx
+XB-Python-Version: ${python:Versions}
+Description: bans IPs that cause multiple authentication errors
+ Monitors log files (e.g. /var/log/auth.log,
+ /var/log/apache/access.log) and temporarily or persistently bans
+ failure-prone addresses by updating existing firewall rules. The
+ software was completely rewritten at version 0.7.0 and now allows
+ easy specification of different actions to be taken such as to ban an
+ IP using iptables or hostsdeny rules, or simply to send a
+ notification email. Currently, by default, supports ssh/apache/vsftpd
+ but configuration can be easily extended for monitoring any other ASCII
+ file. All filters and actions are given in the config files, thus
+ fail2ban can be adopted to be used with a variety of files and
+ firewalls.
+
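Review bot: `iptables` is only in `Recommends`, yet `debian/jail.conf` in this same patch defaults to `banaction = iptables-multiport` and ships the `[ssh]` jail with `enabled = true`; on a system installed without Recommends the default action has no `iptables` binary to call and every ban fails at action time. Either promote `iptables` to `Depends` (the older control in `nopycentral.patch` below still has `Depends: python2.4, iptables, lsb-base (>=2.0-7)`) or state the requirement in the description. Minor: "fail2ban can be adopted to be used with" should read "adapted".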
--- fail2ban-0.8.4.orig/debian/fail2ban.default
+++ fail2ban-0.8.4/debian/fail2ban.default
@@ -0,0 +1,23 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 1.2 $
+
+# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
+# valid options.
+FAIL2BAN_OPTS=""
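Review bot: the licence header gives the FSF's old postal address (59 Temple Place, Suite 330, Boston, MA 02111-1307); the current address is 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301. The `$Revision: 1.2 $` keyword is a CVS artefact that nothing expands in a git-maintained package and can be dropped (the same goes for `$Revision: 281 $` in `debian/jail.conf`).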
--- fail2ban-0.8.4.orig/debian/compat
+++ fail2ban-0.8.4/debian/compat
@@ -0,0 +1 @@
+5
--- fail2ban-0.8.4.orig/debian/backports/00list.sarge-backports
+++ fail2ban-0.8.4/debian/backports/00list.sarge-backports
@@ -0,0 +1 @@
+nopycentral.patch
--- fail2ban-0.8.4.orig/debian/backports/nopycentral.patch
+++ fail2ban-0.8.4/debian/backports/nopycentral.patch
@@ -0,0 +1,40 @@
+diff -x '*~' -x .svn -Naur trunk/debian/control trunk.backports/debian/control
+--- trunk/debian/control 2006-10-23 00:57:02.000000000 -0400
++++ trunk.backports/debian/control 2006-12-04 08:45:25.000000000 -0500
+@@ -4,13 +4,13 @@
+ Maintainer: Yaroslav Halchenko <debian@onerussian.com>
+ Uploaders: Barak Pearlmutter <bap@debian.org>
+ Build-Depends: debhelper (>= 5.0.37.2), dpatch
+-Build-Depends-Indep: python, python-dev, help2man, python-central (>= 0.5.6)
++Build-Depends-Indep: python, python2.4, python2.4-dev, help2man
+ XS-Python-Version: current, >= 2.4
+ Standards-Version: 3.7.2
+
+ Package: fail2ban
+ Architecture: all
+-Depends: ${python:Depends}, iptables, lsb-base (>=2.0-7)
++Depends: python2.4, iptables, lsb-base (>=2.0-7)
+ Suggests: python-gamin
+ XB-Python-Version: ${python:Versions}
+ Description: bans IPs that cause multiple authentication errors
+diff -x '*~' -x .svn -Naur trunk/debian/rules trunk.backports/debian/rules
+--- trunk/debian/rules 2006-11-11 21:19:14.000000000 -0500
++++ trunk.backports/debian/rules 2006-12-04 08:45:45.000000000 -0500
+@@ -39,7 +39,7 @@
+ dh_installdirs
+
+ # Add here commands to install the package into debian/fail2ban.
+- python setup.py install --root=$(DESTDIR) --no-compile
++ python2.4 setup.py install --root=$(DESTDIR) --no-compile
+ #X Evil - must be removed after Debian switches over to 2.4, now
+ # distutils.setup will override the enterpreter line to /usr/bin/python
+ install fail2ban-server fail2ban-client $(DESTDIR)/usr/bin
+@@ -62,7 +62,7 @@
+ dh_installlogrotate
+ dh_installinit -- defaults 99
+ dh_installman man/*.1
+- dh_pycentral
++ dh_python
+ dh_link
+ dh_compress
+ dh_fixperms
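Review bot: this backport patch can no longer apply to the `debian/control` shipped in the same upload; its context lines expect `Uploaders: Barak Pearlmutter <bap@debian.org>`, `Build-Depends: debhelper (>= 5.0.37.2), dpatch`, `Build-Depends-Indep: python, python-dev, help2man, python-central (>= 0.5.6)` and `Standards-Version: 3.7.2`, none of which appear in the new control file (no `dpatch`, no `Uploaders`, `Standards-Version: 3.8.4`, and `python-central` alone in `Build-Depends-Indep`). Since sarge is end-of-life, consider dropping `debian/backports/` (both `00list.sarge-backports` and `nopycentral.patch`) rather than shipping a patch whose context is stale; if it is kept, its control hunk needs regenerating against the current file.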