--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-caae9d7741
2020-04-30 03:42:10.988776
--------------------------------------------------------------------------------
Name : fail2ban
Product : Fedora 31
Version : 0.11.1
Release : 6.fc31
URL : http://fail2ban.sourceforge.net/
Summary : Daemon to ban hosts that cause multiple authentication errors
Description :
Fail2Ban scans log files and bans IP addresses that make too many password
failures. It updates firewall rules to reject the IP address. These rules can
be defined by the user. Fail2Ban can read multiple log files such as sshd or
Apache web server ones.

Fail2Ban is able to reduce the rate of incorrect authentication attempts;
however, it cannot eliminate the risk that weak authentication presents.
Configure services to use only two-factor or public/private authentication
mechanisms if you really want to protect services.

This is a meta-package that will install the default configuration. Other
sub-packages are available to install support for other actions and
configurations.
--------------------------------------------------------------------------------
Update Information:
Change default from firewalld-ipset to firewalld-rich-rules, fixes #1823746.
----

ver. 0.11.1 (2020/01/11) - this-is-the-way
-----------

### Compatibility:
* to v.0.10:
  - 0.11 is totally compatible to 0.10 (configuration- and API-related stuff),
    but the database got some new tables and fields (auto-converted during the
    first start), so once updated to 0.11, you have to remove the database
    /var/lib/fail2ban/fail2ban.sqlite3 (or its different to 0.10 schema) if you
    would need to downgrade to 0.10 for some reason.
* to v.0.9:
  - Filter (or `failregex`) internal capture-groups:
    * If you've your own `failregex` or custom filters using conditional match
      `(?P=host)`, you should rewrite the regex like in example below resp.
      using `(?:(?P=ip4)|(?P=ip6))` instead of `(?P=host)` (or
      `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw`
      settings).
      Of course you can always define your own capture-group (like below
      `_cond_ip_`) to do this.
      ```
      testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
      fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
      ```
    * New internal groups (currently reserved for internal usage):
      `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another
      captures in lower case if mapping from tag `<F-*>` used in failregex
      (e. g. `user` by `<F-USER>`).
  - v.0.10 and 0.11 use more precise date template handling, that can be
    theoretically incompatible to some user configurations resp. `datepattern`.
  - Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all
    ban actions are IPv6-capable now.

### Fixes
* purge database will be executed now (within observer).
* restoring currently banned ip after service restart fixed
  (now < timeofban + bantime), ignore old log failures (already banned)
* upgrade database: update new created table `bips` with entries from table
  `bans` (allows restore current bans after upgrade from version <= 0.10)

### New Features
* Increment ban time (+ observer) functionality introduced.
* Database functionality extended with bad ips.
* New tags (usable in actions):
  - `<bancount>` - ban count of this offender if known as bad (started by 1
    for unknown)
  - `<bantime>` - current ban-time of the ticket (prolongation can be retarded
    up to 10 sec.)
* Introduced new action command `actionprolong` to prolong ban-time (e. g. set
  new timeout if expected);
  Several actions (like ipset, etc.) rewritten using net logic with
  `actionprolong`.
  Note: because ban-time is dynamic, it was removed from jail.conf as timeout
  argument (check jail.local).

### Enhancements
* algorithm of restore current bans after restart changed: update the restored
  ban-time (and therefore end of ban) of the ticket with ban-time of jail (as
  maximum), for all tickets with ban-time greater (or persistent); not affected
  if ban-time of the jail is unchanged between stop/start.
* added new setup-option `--without-tests` to skip building and installing of
  tests files (gh-2287).
* added new command `fail2ban-client get <JAIL> banip ?sep-char|--with-time?`
  to get the banned ip addresses (gh-1916).

Include selinux policy in package
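
The `failregex` compatibility note above (v.0.9 conditional match on `(?P=host)`)
can be checked with plain Python regexes. This is an added example, not code
from fail2ban or from this advisory; `HOST_STANDIN` is a simplified assumption
for what `<HOST>` expands to, and the sample lines are constructed.

```python
import re

# Simplified stand-in for what fail2ban substitutes for <HOST> since v0.10
# (assumption: the real expression is stricter and also has a `dns` group).
HOST_STANDIN = (r"(?:(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
                r"|\[?(?P<ip6>[0-9A-Fa-f:]{3,39})\]?)")


def expand(failregex):
    """Substitute the <HOST> tag before the expression is compiled."""
    return failregex.replace("<HOST>", HOST_STANDIN)


def compiles(failregex):
    """True if the expanded expression is a valid Python regex."""
    try:
        re.compile(expand(failregex))
        return True
    except re.error:
        return False


def offender(failregex, line):
    """Return the address a line would be counted against, or None."""
    # fail2ban cuts the matched timestamp out of the line first; here only a
    # leading epoch value is removed (simplification).
    line = re.sub(r"^\d{10}\s+", "", line)
    m = re.search(expand(failregex), line)
    if m is None:
        return None
    return m.group("ip4") or m.group("ip6")


OLD = r"^\s*failure from <HOST>: bad host (?P=host)$"  # v0.9 style filter
BUILTIN = r"^\s*failure from <HOST>: bad host (?:(?P=ip4)|(?P=ip6))$"
CUSTOM = r"^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"

# Constructed sample lines (documentation address ranges).
SAME_V4 = "1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
SAME_V6 = "1500000000 failure from 2001:db8::1: bad host 2001:db8::1"
DIFFER = "1500000000 failure from 192.0.2.1: bad host 198.51.100.7"

if __name__ == "__main__":
    print("old regex compiles:", compiles(OLD))
    for name, rx in (("builtin", BUILTIN), ("custom", CUSTOM)):
        for line in (SAME_V4, SAME_V6, DIFFER):
            print(name, repr(offender(rx, line)), "<-", line)
```

A custom filter that still references `(?P=host)` fails at compile time in this
model, which is why such filters should be re-tested with `fail2ban-regex` after
the upgrade.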
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 16 2020 Richard Shaw <hobbes1069(a)gmail.com> - 0.11.1-6
- Change default firewalld backend from ipset to rich-rules as ipset causes
firewalld to use legacy iptables. Fixes RHBZ#1823746.
- Remove conditionals for EL versions less than 7.
* Thu Mar 19 2020 Richard Shaw <hobbes1069(a)gmail.com> - 0.11.1-5
- Update for Python 3.9.
* Wed Feb 26 2020 Orion Poplawski <orion(a)nwra.com> - 0.11.1-4
- Add SELinux policy
* Tue Jan 28 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.11.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1823746 - fail2ban-firewalld default action uses unsupport direct rule,
should use rich-rule
https://bugzilla.redhat.com/show_bug.cgi?id=1823746
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-caae9d7741' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------