EPEL6 currently comes with 0.9.6. Is an upgrade to 0.10.2 possible, which in particular supports IPv6 addresses? EPEL7 is also in the same boat. 0.10.
Is it safe to just upgrade an existing machine to 0.10? My understanding is that most of the time it is OK, but not all of the time. Since this is security sensitive, breaking someone's existing configuration would be a pretty big problem. Unless the issues are really minor, I would think that a separate fail2ban0.10 package would be the right way to go with this. It would not require a package review.
There are a couple compatibility issues. From the fail2ban changelog (https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog):

Incompatibility list (compared to v.0.9):

* Filter (or `failregex`) internal capture-groups:

  - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).

    Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.

    ```
    testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
    fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
    ```

  - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).

* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some user configurations resp. `datepattern`.

* Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are IPv6-capable now.

These don't sound terrible. I don't quite understand why fail2ban0.10 wouldn't require a review.

Here are some test packages:

EL7: https://koji.fedoraproject.org/koji/taskinfo?taskID=30080764
EL6: https://koji.fedoraproject.org/koji/taskinfo?taskID=30082084

Finally, I don't have nearly the time that I used to for packaging. Help is always appreciated.
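A pre-upgrade check for the capture-group incompatibility quoted in the comment above, added here as an example (it is not part of the original thread or of fail2ban itself): it scans the text of a custom filter for `(?P=host)` backreferences and for user-defined groups that collide with the reserved names. The function name `audit_filter` and the sample filter are constructed for illustration.

```python
import re

# Group names the 0.10 changelog lists as reserved for internal usage.
# (`user` and other lower-case names only collide when <F-*> tags are used,
# so they are left out of this check.)
RESERVED = {"ip4", "ip6", "dns", "fid", "fport"}

HOST_BACKREF = re.compile(r"\(\?P=host\)")
NAMED_GROUP = re.compile(r"\(\?P<(\w+)>")


def audit_filter(text):
    """Return (line_no, issue) tuples, in line order, for a filter file's text.

    Every non-comment line is scanned, not only `failregex`, because filters
    interpolate helper options into the final regex.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if HOST_BACKREF.search(line):
            findings.append((no, "backref (?P=host): rewrite per 0.10 changelog"))
        for name in NAMED_GROUP.findall(line):
            if name in RESERVED:
                findings.append((no, f"group name '{name}' is reserved in 0.10"))
    return findings


# Constructed sample filter, not taken from any shipped fail2ban filter.
SAMPLE = r"""
[Definition]
# old style: (?P=host) in a comment is ignored
failregex = ^\s*failure from <HOST>: bad host (?P=host)$
            ^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$
            ^\s*lookup (?P<dns>\S+) failed for <HOST>$
ignoreregex =
"""

if __name__ == "__main__":
    for no, issue in audit_filter(SAMPLE):
        print(f"line {no}: {issue}")
```

A filter that comes back with no findings can still be affected by the `datepattern` and IPv6 ban-action points, which this check does not cover.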
Would love to test this, but the test packages linked to above don't appear to exist anymore.
Upvoting this request -- the default package 0.9.7-1 is rather told. v0.10 is stable and adds significant enhancements.
(In reply to Amir Caspi from comment #4)
> Upvoting this request -- the default package 0.9.7-1 is rather told.

Rather *old, that is. The above refers to EPEL7. =)
New builds are here: https://copr.fedorainfracloud.org/coprs/orion/fail2ban/ should stick around for a bit longer :)
(In reply to Orion Poplawski from comment #6)
> New builds are here: https://copr.fedorainfracloud.org/coprs/orion/fail2ban/
> should stick around for a bit longer :)

Awesome, thanks -- will give it a try and report back. Is there any plan to integrate this into the official release? That way it can also get picked up downstream (e.g., CentOS). Thanks!
If I get several reports of upgrades just working without manual intervention I'll push it to EPEL proper.
I should note there are at least a couple of bugs that I discovered recently, affecting sendmail interaction, that you might want to implement manually (if they are not yet incorporated into v0.10 before you push). Upstream reports: https://github.com/fail2ban/fail2ban/pull/2388 and https://github.com/fail2ban/fail2ban/pull/2387/commits/ced9828d04ef5fbb4dbc76ca9ecb4e3256e413c0 Cheers.
Seems there is a dependency for the firewalld package, which is not available for CentOS 6:

--Error: Package: fail2ban-firewalld-0.10.4-1.el6.noarch (copr:copr.fedorainfracloud.org:orion:fail2ban)
           Requires: firewalld

Should not be. thnx
In principle, firewalld shouldn't be a requirement even on CentOS 7, since fail2ban works just fine with iptables (and the existing EPEL config defaults to using iptables in the actions.conf, in any case, so firewalld isn't even used by default despite being required). I would suggest removing the firewalld dependency entirely.
Updated to the copr packages and "smoke tested" both IPv4 and IPv6 with no issue.
We use v0.10.4 (from copr) on a clone of CentOS 7, called NethServer7, as the main version of fail2ban. We do not use IPv6, only IPv4. So far it runs smoothly, no issues.
I have recently taken maintainership of the fail2ban package and created a COPR for EPEL 7 & 8 of the latest version. I could use some feedback. https://copr.fedorainfracloud.org/coprs/hobbes1069/fail2ban/
I have updated EL 7 to the latest version (now in testing) but don't have plans to update EL6 at this point in its lifecycle.