From 8710bcfdbd3277996f52c33a2dede32f4e67fb08 Mon Sep 17 00:00:00 2001
From: bms8197 <bogdan@898.ro>
Date: Fri, 14 Apr 2023 01:32:52 +0300
Subject: [PATCH] committing changes in /etc made by "-bash"

Package changes:
---
 .etckeeper                                    |  56 ++-
 fail2ban/action.d/apprise.conf                |  49 +++
 fail2ban/action.d/badips.conf                 |  19 -
 fail2ban/action.d/badips.py                   | 392 ------------------
 fail2ban/action.d/cloudflare-token.conf       |  92 ++++
 fail2ban/action.d/cloudflare.conf             |   9 +-
 fail2ban/action.d/dshield.conf                |   2 +-
 fail2ban/action.d/firewallcmd-ipset.conf      |  47 ++-
 fail2ban/action.d/firewallcmd-multiport.conf  |   4 +-
 fail2ban/action.d/firewallcmd-new.conf        |   4 +-
 fail2ban/action.d/firewallcmd-rich-rules.conf |   4 +-
 fail2ban/action.d/iptables-allports.conf      |  46 +-
 fail2ban/action.d/iptables-common.conf        |  92 ----
 fail2ban/action.d/iptables-ipset-proto4.conf  |   9 +-
 .../iptables-ipset-proto6-allports.conf       |  68 +--
 fail2ban/action.d/iptables-ipset-proto6.conf  |  68 +--
 fail2ban/action.d/iptables-ipset.conf.rpmnew  |  90 ++++
 fail2ban/action.d/iptables-multiport-log.conf |   2 +-
 fail2ban/action.d/iptables-multiport.conf     |  44 +-
 fail2ban/action.d/iptables-new.conf           |  45 +-
 .../action.d/iptables-xt_recent-echo.conf     |  20 +-
 fail2ban/action.d/iptables.conf               | 132 +++++-
 fail2ban/action.d/ipthreat.conf               | 107 +++++
 fail2ban/action.d/nginx-block-map.conf        |  11 +-
 .../symbiosis-blacklist-allports.conf         |   7 +-
 fail2ban/fail2ban.conf                        |  10 +-
 fail2ban/filter.d/apache-fakegooglebot.conf   |   4 +-
 fail2ban/filter.d/apache-overflows.conf       |   2 +-
 fail2ban/filter.d/asterisk.conf               |   2 +-
 fail2ban/filter.d/common.conf                 |   2 +-
 fail2ban/filter.d/courier-auth.conf           |   2 +-
 fail2ban/filter.d/dovecot.conf                |  15 +-
 fail2ban/filter.d/drupal-auth.conf            |   2 +-
 fail2ban/filter.d/exim-common.conf            |   2 +-
 .../ignorecommands/apache-fakegooglebot       |  25 +-
 fail2ban/filter.d/lighttpd-auth.conf          |   2 +-
 fail2ban/filter.d/monitorix.conf              |  25 ++
 fail2ban/filter.d/mssql-auth.conf             |  15 +
 fail2ban/filter.d/named-refused.conf          |   9 +-
 fail2ban/filter.d/nginx-bad-request.conf      |  16 +
 fail2ban/filter.d/nginx-botsearch.conf        |   4 +-
 fail2ban/filter.d/nginx-http-auth.conf        |  19 +-
 fail2ban/filter.d/nginx-limit-req.conf        |   3 +
 fail2ban/filter.d/nsd.conf                    |   6 +-
 fail2ban/filter.d/postfix.conf                |  19 +-
 fail2ban/filter.d/scanlogd.conf               |  17 +
 fail2ban/filter.d/sendmail-auth.conf          |   2 +-
 fail2ban/filter.d/sendmail-reject.conf        |   6 +-
 fail2ban/filter.d/sshd.conf                   |   8 +-
 fail2ban/filter.d/zoneminder.conf             |  16 +-
 fail2ban/jail.conf                            |  54 ++-
 fail2ban/jail.d/00-firewalld.conf             |   4 +-
 fail2ban/paths-common.conf                    |   3 -
 httpd/conf.d/ssl.conf                         | 203 +++++++++
 selinux/targeted/.policy.sha512               |   2 +-
 selinux/targeted/policy/policy.31             | Bin 8800699 -> 8801419 bytes
 56 files changed, 1011 insertions(+), 907 deletions(-)
 create mode 100644 fail2ban/action.d/apprise.conf
 delete mode 100644 fail2ban/action.d/badips.conf
 delete mode 100644 fail2ban/action.d/badips.py
 create mode 100644 fail2ban/action.d/cloudflare-token.conf
 delete mode 100644 fail2ban/action.d/iptables-common.conf
 create mode 100644 fail2ban/action.d/iptables-ipset.conf.rpmnew
 create mode 100644 fail2ban/action.d/ipthreat.conf
 create mode 100644 fail2ban/filter.d/monitorix.conf
 create mode 100644 fail2ban/filter.d/mssql-auth.conf
 create mode 100644 fail2ban/filter.d/nginx-bad-request.conf
 create mode 100644 fail2ban/filter.d/scanlogd.conf
 create mode 100644 httpd/conf.d/ssl.conf

diff --git a/.etckeeper b/.etckeeper
index 027ce23..4b3282f 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -734,11 +734,11 @@ maybe chmod 0755 'fail2ban'
 maybe chmod 0755 'fail2ban/action.d'
 maybe chmod 0644 'fail2ban/action.d/abuseipdb.conf'
 maybe chmod 0644 'fail2ban/action.d/apf.conf'
-maybe chmod 0644 'fail2ban/action.d/badips.conf'
-maybe chmod 0640 'fail2ban/action.d/badips.py'
+maybe chmod 0644 'fail2ban/action.d/apprise.conf'
 maybe chmod 0644 'fail2ban/action.d/badips.py.rpmnew'
 maybe chmod 0640 'fail2ban/action.d/badips.py.rpmsave'
 maybe chmod 0644 'fail2ban/action.d/blocklist_de.conf'
+maybe chmod 0644 'fail2ban/action.d/cloudflare-token.conf'
 maybe chmod 0644 'fail2ban/action.d/cloudflare.conf'
 maybe chmod 0644 'fail2ban/action.d/dshield.conf'
 maybe chmod 0644 'fail2ban/action.d/dummy.conf'
@@ -751,17 +751,18 @@ maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-logging.conf'
 maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-rules.conf'
 maybe chmod 0644 'fail2ban/action.d/helpers-common.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-allports.conf'
-maybe chmod 0640 'fail2ban/action.d/iptables-common.conf'
 maybe chmod 0640 'fail2ban/action.d/iptables-common.conf.rpmsave'
 maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto4.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6-allports.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6.conf'
 maybe chmod 0640 'fail2ban/action.d/iptables-ipset.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-ipset.conf.rpmnew'
 maybe chmod 0644 'fail2ban/action.d/iptables-multiport-log.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-multiport.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-new.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables.conf'
+maybe chmod 0644 'fail2ban/action.d/ipthreat.conf'
 maybe chmod 0644 'fail2ban/action.d/mail-whois-common.conf'
 maybe chmod 0644 'fail2ban/action.d/mail.conf.rpmsave'
 maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf'
@@ -783,12 +784,12 @@ maybe chmod 0644 'fail2ban/action.d/sendmail-whois-matches.conf'
 maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf'
 maybe chmod 0644 'fail2ban/action.d/sendmail.conf'
 maybe chmod 0644 'fail2ban/action.d/shorewall-ipset-proto6.conf'
-maybe chmod 0640 'fail2ban/action.d/smtp.py'
+maybe chmod 0644 'fail2ban/action.d/smtp.py'
 maybe chmod 0644 'fail2ban/action.d/smtp.py.rpmnew'
 maybe chmod 0640 'fail2ban/action.d/smtp.py.rpmsave'
 maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf'
 maybe chmod 0644 'fail2ban/action.d/xarf-login-attack.conf'
-maybe chmod 0640 'fail2ban/fail2ban.conf'
+maybe chmod 0644 'fail2ban/fail2ban.conf'
 maybe chmod 0640 'fail2ban/fail2ban.conf.rpmsave'
 maybe chmod 0755 'fail2ban/fail2ban.d'
 maybe chmod 0755 'fail2ban/filter.d'
@@ -817,7 +818,7 @@ maybe chmod 0644 'fail2ban/filter.d/courier-smtp.conf'
 maybe chmod 0644 'fail2ban/filter.d/cyrus-imap.conf'
 maybe chmod 0644 'fail2ban/filter.d/directadmin.conf'
 maybe chmod 0644 'fail2ban/filter.d/domino-smtp.conf'
-maybe chmod 0640 'fail2ban/filter.d/dovecot.conf'
+maybe chmod 0644 'fail2ban/filter.d/dovecot.conf'
 maybe chmod 0644 'fail2ban/filter.d/dovecot.conf.rpmnew'
 maybe chmod 0640 'fail2ban/filter.d/dovecot.conf.rpmsave'
 maybe chmod 0644 'fail2ban/filter.d/dropbear.conf'
@@ -836,19 +837,22 @@ maybe chmod 0644 'fail2ban/filter.d/guacamole.conf'
 maybe chmod 0644 'fail2ban/filter.d/haproxy-http-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/horde.conf'
 maybe chmod 0755 'fail2ban/filter.d/ignorecommands'
-maybe chmod 0750 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot'
+maybe chmod 0755 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot'
 maybe chmod 0750 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot.rpmsave'
 maybe chmod 0644 'fail2ban/filter.d/kerio.conf'
 maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/mongodb-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/monit.conf'
+maybe chmod 0644 'fail2ban/filter.d/monitorix.conf'
+maybe chmod 0644 'fail2ban/filter.d/mssql-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/murmur.conf'
 maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/nagios.conf'
-maybe chmod 0640 'fail2ban/filter.d/named-refused.conf'
+maybe chmod 0644 'fail2ban/filter.d/named-refused.conf'
 maybe chmod 0644 'fail2ban/filter.d/named-refused.conf.rpmnew'
 maybe chmod 0640 'fail2ban/filter.d/named-refused.conf.rpmsave'
-maybe chmod 0640 'fail2ban/filter.d/nginx-botsearch.conf'
+maybe chmod 0644 'fail2ban/filter.d/nginx-bad-request.conf'
+maybe chmod 0644 'fail2ban/filter.d/nginx-botsearch.conf'
 maybe chmod 0640 'fail2ban/filter.d/nginx-botsearch.conf.rpmsave'
 maybe chmod 0640 'fail2ban/filter.d/nginx-forbidden.conf'
 maybe chmod 0644 'fail2ban/filter.d/nginx-http-auth.conf'
@@ -871,9 +875,10 @@ maybe chmod 0644 'fail2ban/filter.d/postfix.conf'
 maybe chmod 0644 'fail2ban/filter.d/proftpd.conf'
 maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf'
 maybe chmod 0644 'fail2ban/filter.d/qmail.conf'
-maybe chmod 0640 'fail2ban/filter.d/recidive.conf'
+maybe chmod 0644 'fail2ban/filter.d/recidive.conf'
 maybe chmod 0640 'fail2ban/filter.d/recidive.conf.rpmsave'
 maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/scanlogd.conf'
 maybe chmod 0644 'fail2ban/filter.d/screensharingd.conf'
 maybe chmod 0644 'fail2ban/filter.d/selinux-common.conf'
 maybe chmod 0644 'fail2ban/filter.d/selinux-ssh.conf'
@@ -886,7 +891,7 @@ maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf'
 maybe chmod 0644 'fail2ban/filter.d/squid.conf'
 maybe chmod 0644 'fail2ban/filter.d/squirrelmail.conf'
-maybe chmod 0640 'fail2ban/filter.d/sshd.conf'
+maybe chmod 0644 'fail2ban/filter.d/sshd.conf'
 maybe chmod 0644 'fail2ban/filter.d/stunnel.conf'
 maybe chmod 0644 'fail2ban/filter.d/suhosin.conf'
 maybe chmod 0644 'fail2ban/filter.d/tine20.conf'
@@ -898,7 +903,7 @@ maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf'
 maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf'
 maybe chmod 0644 'fail2ban/filter.d/znc-adminlog.conf'
 maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf'
-maybe chmod 0640 'fail2ban/jail.conf'
+maybe chmod 0644 'fail2ban/jail.conf'
 maybe chmod 0640 'fail2ban/jail.conf.rpmsave'
 maybe chmod 0755 'fail2ban/jail.d'
 maybe chmod 0644 'fail2ban/jail.d/00-firewalld.conf'
@@ -991,6 +996,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
 maybe chmod 0644 'httpd/conf.d/squid.conf'
+maybe chmod 0644 'httpd/conf.d/ssl.conf'
 maybe chmod 0640 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -3188,7 +3194,7 @@ maybe chmod 0644 'logrotate.d/btmp'
 maybe chmod 0644 'logrotate.d/chrony'
 maybe chmod 0644 'logrotate.d/clamav-unofficial-sigs'
 maybe chmod 0644 'logrotate.d/dnf'
-maybe chmod 0640 'logrotate.d/fail2ban'
+maybe chmod 0644 'logrotate.d/fail2ban'
 maybe chmod 0640 'logrotate.d/fail2ban.rpmsave'
 maybe chmod 0644 'logrotate.d/firewalld'
 maybe chmod 0644 'logrotate.d/httpd'
@@ -4144,9 +4150,7 @@ maybe chmod 0600 'nftables/nat.nft'
 maybe chmod 0700 'nftables/osf'
 maybe chmod 0600 'nftables/osf/pf.os'
 maybe chmod 0600 'nftables/router.nft'
-maybe chown 'nginx' 'nginx'
-maybe chgrp 'nginx' 'nginx'
-maybe chmod 0750 'nginx'
+maybe chmod 0755 'nginx'
 maybe chown 'nginx' 'nginx/.anaf'
 maybe chgrp 'nginx' 'nginx/.anaf'
 maybe chmod 0640 'nginx/.anaf'
@@ -4159,9 +4163,7 @@ maybe chmod 0640 'nginx/.passwd-madalin'
 maybe chown 'nginx' 'nginx/allowed_clients.config'
 maybe chgrp 'nginx' 'nginx/allowed_clients.config'
 maybe chmod 0640 'nginx/allowed_clients.config'
-maybe chown 'nginx' 'nginx/conf.d'
-maybe chgrp 'nginx' 'nginx/conf.d'
-maybe chmod 0750 'nginx/conf.d'
+maybe chmod 0755 'nginx/conf.d'
 maybe chown 'nginx' 'nginx/conf.d/_zira.go.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/_zira.go.ro.conf'
 maybe chmod 0640 'nginx/conf.d/_zira.go.ro.conf'
@@ -4679,9 +4681,7 @@ maybe chmod 0644 'nginx/default.d/php.conf'
 maybe chown 'nginx' 'nginx/fastcgi.conf'
 maybe chgrp 'nginx' 'nginx/fastcgi.conf'
 maybe chmod 0640 'nginx/fastcgi.conf'
-maybe chown 'nginx' 'nginx/fastcgi_params'
-maybe chgrp 'nginx' 'nginx/fastcgi_params'
-maybe chmod 0640 'nginx/fastcgi_params'
+maybe chmod 0644 'nginx/fastcgi_params'
 maybe chown 'nginx' 'nginx/html'
 maybe chgrp 'nginx' 'nginx/html'
 maybe chmod 0750 'nginx/html'
@@ -4697,9 +4697,7 @@ maybe chmod 0640 'nginx/lb_maint_5x.config'
 maybe chown 'nginx' 'nginx/lb_maintenance.config'
 maybe chgrp 'nginx' 'nginx/lb_maintenance.config'
 maybe chmod 0640 'nginx/lb_maintenance.config'
-maybe chown 'nginx' 'nginx/mime.types'
-maybe chgrp 'nginx' 'nginx/mime.types'
-maybe chmod 0640 'nginx/mime.types'
+maybe chmod 0644 'nginx/mime.types'
 maybe chown 'nginx' 'nginx/nginx.conf'
 maybe chgrp 'nginx' 'nginx/nginx.conf'
 maybe chmod 0640 'nginx/nginx.conf'
@@ -4712,9 +4710,7 @@ maybe chmod 0640 'nginx/off'
 maybe chown 'nginx' 'nginx/proxy.inc'
 maybe chgrp 'nginx' 'nginx/proxy.inc'
 maybe chmod 0640 'nginx/proxy.inc'
-maybe chown 'nginx' 'nginx/scgi_params'
-maybe chgrp 'nginx' 'nginx/scgi_params'
-maybe chmod 0640 'nginx/scgi_params'
+maybe chmod 0644 'nginx/scgi_params'
 maybe chown 'nginx' 'nginx/sites-available'
 maybe chgrp 'nginx' 'nginx/sites-available'
 maybe chmod 0750 'nginx/sites-available'
@@ -4757,9 +4753,7 @@ maybe chmod 0640 'nginx/ssl/demo1.cpuburnin.com.pem'
 maybe chown 'nginx' 'nginx/ssl/dhparam.pem'
 maybe chgrp 'nginx' 'nginx/ssl/dhparam.pem'
 maybe chmod 0640 'nginx/ssl/dhparam.pem'
-maybe chown 'nginx' 'nginx/uwsgi_params'
-maybe chgrp 'nginx' 'nginx/uwsgi_params'
-maybe chmod 0640 'nginx/uwsgi_params'
+maybe chmod 0644 'nginx/uwsgi_params'
 maybe chmod 0644 'npmrc'
 maybe chmod 0755 'nrpe.d'
 maybe chmod 0644 'nsswitch.conf'
diff --git a/fail2ban/action.d/apprise.conf b/fail2ban/action.d/apprise.conf
new file mode 100644
index 0000000..37c42ea
--- /dev/null
+++ b/fail2ban/action.d/apprise.conf
@@ -0,0 +1,49 @@
+# Fail2Ban configuration file
+#
+# Author: Chris Caron <lead2gold@gmail.com>
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "The jail <name> as been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "The jail <name> has been stopped." | <apprise> -t "[Fail2Ban] <name>: stopped on `uname -n`"
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>" | <apprise> -n "warning" -t "[Fail2Ban] <name>: banned <ip> from `uname -n`"
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+
+# Define location of the default apprise configuration file to use
+#
+config = /etc/fail2ban/apprise.conf
+#
+apprise = apprise -c "<config>"
diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf
deleted file mode 100644
index 6f9513f..0000000
--- a/fail2ban/action.d/badips.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Fail2ban reporting to badips.com
-#
-# Note: This reports an IP only and does not actually ban traffic. Use
-# another action in the same jail if you want bans to occur.
-#
-# Set the category to the appropriate value before use.
-#
-# To get see register and optional key to get personalised graphs see:
-# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
-
-[Definition]
-
-actionban = curl --fail  --user-agent "<agent>" http://www.badips.com/add/<category>/<ip>
-
-[Init]
-
-# Option: category
-# Notes.: Values are from the list here: http://www.badips.com/get/categories
-category = 
diff --git a/fail2ban/action.d/badips.py b/fail2ban/action.d/badips.py
deleted file mode 100644
index d57b4e3..0000000
--- a/fail2ban/action.d/badips.py
+++ /dev/null
@@ -1,392 +0,0 @@
-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
-# vi: set ft=python sts=4 ts=4 sw=4 noet :
-
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-
-import sys
-if sys.version_info < (2, 7): # pragma: no cover
-	raise ImportError("badips.py action requires Python >= 2.7")
-import json
-import threading
-import logging
-if sys.version_info >= (3, ): # pragma: 2.x no cover
-	from urllib.request import Request, urlopen
-	from urllib.parse import urlencode
-	from urllib.error import HTTPError
-else: # pragma: 3.x no cover
-	from urllib.request import Request, urlopen
-	from urllib.error import HTTPError
-	from urllib.parse import urlencode
-
-from fail2ban.server.actions import Actions, ActionBase, BanTicket
-from fail2ban.helpers import splitwords, str2LogLevel
-
-
-
-class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
-	"""Fail2Ban action which reports bans to badips.com, and also
-	blacklist bad IPs listed on badips.com by using another action's
-	ban method.
-
-	Parameters
-	----------
-	jail : Jail
-		The jail which the action belongs to.
-	name : str
-		Name assigned to the action.
-	category : str
-		Valid badips.com category for reporting failures.
-	score : int, optional
-		Minimum score for bad IPs. Default 3.
-	age : str, optional
-		Age of last report for bad IPs, per badips.com syntax.
-		Default "24h" (24 hours)
-	banaction : str, optional
-		Name of banaction to use for blacklisting bad IPs. If `None`,
-		no blacklist of IPs will take place.
-		Default `None`.
-	bancategory : str, optional
-		Name of category to use for blacklisting, which can differ
-		from category used for reporting. e.g. may want to report
-		"postfix", but want to use whole "mail" category for blacklist.
-		Default `category`.
-	bankey : str, optional
-		Key issued by badips.com to retrieve personal list
-		of blacklist IPs.
-	updateperiod : int, optional
-		Time in seconds between updating bad IPs blacklist.
-		Default 900 (15 minutes)
-	loglevel : int/str, optional
-		Log level of the message when an IP is (un)banned.
-		Default `DEBUG`.
-		Can be also supplied as two-value list (comma- or space separated) to
-		provide level of the summary message when a group of IPs is (un)banned.
-		Example `DEBUG,INFO`.
-	agent : str, optional
-		User agent transmitted to server.
-		Default `Fail2Ban/ver.`
-
-	Raises
-	------
-	ValueError
-		If invalid `category`, `score`, `banaction` or `updateperiod`.
-	"""
-
-	TIMEOUT = 10
-	_badips = "https://www.badips.com"
-	def _Request(self, url, **argv):
-		return Request(url, headers={'User-Agent': self.agent}, **argv)
-
-	def __init__(self, jail, name, category, score=3, age="24h",
-		banaction=None, bancategory=None, bankey=None, updateperiod=900, 
-		loglevel='DEBUG', agent="Fail2Ban", timeout=TIMEOUT):
-		super(BadIPsAction, self).__init__(jail, name)
-
-		self.timeout = timeout
-		self.agent = agent
-		self.category = category
-		self.score = score
-		self.age = age
-		self.banaction = banaction
-		self.bancategory = bancategory or category
-		self.bankey = bankey
-		loglevel = splitwords(loglevel)
-		self.sumloglevel = str2LogLevel(loglevel[-1])
-		self.loglevel = str2LogLevel(loglevel[0])
-		self.updateperiod = updateperiod
-
-		self._bannedips = set()
-		# Used later for threading.Timer for updating badips
-		self._timer = None
-
-	@staticmethod
-	def isAvailable(timeout=1):
-		try:
-			response = urlopen(Request("/".join([BadIPsAction._badips]),
-					headers={'User-Agent': "Fail2Ban"}), timeout=timeout)
-			return True, ''
-		except Exception as e: # pragma: no cover
-			return False, e
-
-	def logError(self, response, what=''): # pragma: no cover - sporadical (502: Bad Gateway, etc)
-		messages = {}
-		try:
-			messages = json.loads(response.read().decode('utf-8'))
-		except:
-			pass
-		self._logSys.error(
-			"%s. badips.com response: '%s'", what,
-				messages.get('err', 'Unknown'))
-
-	def getCategories(self, incParents=False):
-		"""Get badips.com categories.
-
-		Returns
-		-------
-		set
-			Set of categories.
-
-		Raises
-		------
-		HTTPError
-			Any issues with badips.com request.
-		ValueError
-			If badips.com response didn't contain necessary information
-		"""
-		try:
-			response = urlopen(
-				self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout)
-		except HTTPError as response: # pragma: no cover
-			self.logError(response, "Failed to fetch categories")
-			raise
-		else:
-			response_json = json.loads(response.read().decode('utf-8'))
-			if not 'categories' in response_json:
-				err = "badips.com response lacked categories specification. Response was: %s" \
-				  % (response_json,)
-				self._logSys.error(err)
-				raise ValueError(err)
-			categories = response_json['categories']
-			categories_names = set(
-				value['Name'] for value in categories)
-			if incParents:
-				categories_names.update(set(
-					value['Parent'] for value in categories
-					if "Parent" in value))
-			return categories_names
-
-	def getList(self, category, score, age, key=None):
-		"""Get badips.com list of bad IPs.
-
-		Parameters
-		----------
-		category : str
-			Valid badips.com category.
-		score : int
-			Minimum score for bad IPs.
-		age : str
-			Age of last report for bad IPs, per badips.com syntax.
-		key : str, optional
-			Key issued by badips.com to fetch IPs reported with the
-			associated key.
-
-		Returns
-		-------
-		set
-			Set of bad IPs.
-
-		Raises
-		------
-		HTTPError
-			Any issues with badips.com request.
-		"""
-		try:
-			url = "?".join([
-				"/".join([self._badips, "get", "list", category, str(score)]),
-				urlencode({'age': age})])
-			if key:
-				url = "&".join([url, urlencode({'key': key})])
-			self._logSys.debug('badips.com: get list, url: %r', url)
-			response = urlopen(self._Request(url), timeout=self.timeout)
-		except HTTPError as response: # pragma: no cover
-			self.logError(response, "Failed to fetch bad IP list")
-			raise
-		else:
-			return set(response.read().decode('utf-8').split())
-
-	@property
-	def category(self):
-		"""badips.com category for reporting IPs.
-		"""
-		return self._category
-
-	@category.setter
-	def category(self, category):
-		if category not in self.getCategories():
-			self._logSys.error("Category name '%s' not valid. "
-				"see badips.com for list of valid categories",
-				category)
-			raise ValueError("Invalid category: %s" % category)
-		self._category = category
-
-	@property
-	def bancategory(self):
-		"""badips.com bancategory for fetching IPs.
-		"""
-		return self._bancategory
-
-	@bancategory.setter
-	def bancategory(self, bancategory):
-		if bancategory != "any" and bancategory not in self.getCategories(incParents=True):
-			self._logSys.error("Category name '%s' not valid. "
-				"see badips.com for list of valid categories",
-				bancategory)
-			raise ValueError("Invalid bancategory: %s" % bancategory)
-		self._bancategory = bancategory
-
-	@property
-	def score(self):
-		"""badips.com minimum score for fetching IPs.
-		"""
-		return self._score
-
-	@score.setter
-	def score(self, score):
-		score = int(score)
-		if 0 <= score <= 5:
-			self._score = score
-		else:
-			raise ValueError("Score must be 0-5")
-
-	@property
-	def banaction(self):
-		"""Jail action to use for banning/unbanning.
-		"""
-		return self._banaction
-
-	@banaction.setter
-	def banaction(self, banaction):
-		if banaction is not None and banaction not in self._jail.actions:
-			self._logSys.error("Action name '%s' not in jail '%s'",
-				banaction, self._jail.name)
-			raise ValueError("Invalid banaction")
-		self._banaction = banaction
-
-	@property
-	def updateperiod(self):
-		"""Period in seconds between banned bad IPs will be updated.
-		"""
-		return self._updateperiod
-
-	@updateperiod.setter
-	def updateperiod(self, updateperiod):
-		updateperiod = int(updateperiod)
-		if updateperiod > 0:
-			self._updateperiod = updateperiod
-		else:
-			raise ValueError("Update period must be integer greater than 0")
-
-	def _banIPs(self, ips):
-		for ip in ips:
-			try:
-				ai = Actions.ActionInfo(BanTicket(ip), self._jail)
-				self._jail.actions[self.banaction].ban(ai)
-			except Exception as e:
-				self._logSys.error(
-					"Error banning IP %s for jail '%s' with action '%s': %s",
-					ip, self._jail.name, self.banaction, e,
-					exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
-			else:
-				self._bannedips.add(ip)
-				self._logSys.log(self.loglevel,
-					"Banned IP %s for jail '%s' with action '%s'",
-					ip, self._jail.name, self.banaction)
-
-	def _unbanIPs(self, ips):
-		for ip in ips:
-			try:
-				ai = Actions.ActionInfo(BanTicket(ip), self._jail)
-				self._jail.actions[self.banaction].unban(ai)
-			except Exception as e:
-				self._logSys.error(
-					"Error unbanning IP %s for jail '%s' with action '%s': %s",
-					ip, self._jail.name, self.banaction, e,
-					exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
-			else:
-				self._logSys.log(self.loglevel,
-					"Unbanned IP %s for jail '%s' with action '%s'",
-					ip, self._jail.name, self.banaction)
-			finally:
-				self._bannedips.remove(ip)
-
-	def start(self):
-		"""If `banaction` set, blacklists bad IPs.
-		"""
-		if self.banaction is not None:
-			self.update()
-
-	def update(self):
-		"""If `banaction` set, updates blacklisted IPs.
-
-		Queries badips.com for list of bad IPs, removing IPs from the
-		blacklist if no longer present, and adds new bad IPs to the
-		blacklist.
-		"""
-		if self.banaction is not None:
-			if self._timer:
-				self._timer.cancel()
-				self._timer = None
-
-			try:
-				ips = self.getList(
-					self.bancategory, self.score, self.age, self.bankey)
-				# Remove old IPs no longer listed
-				s = self._bannedips - ips
-				m = len(s)
-				self._unbanIPs(s)
-				# Add new IPs which are now listed
-				s = ips - self._bannedips
-				p = len(s)
-				self._banIPs(s)
-				if m != 0 or p != 0:
-					self._logSys.log(self.sumloglevel,
-						"Updated IPs for jail '%s' (-%d/+%d)",
-						self._jail.name, m, p)
-				self._logSys.debug(
-					"Next update for jail '%' in %i seconds",
-					self._jail.name, self.updateperiod)
-			finally:
-				self._timer = threading.Timer(self.updateperiod, self.update)
-				self._timer.start()
-
-	def stop(self):
-		"""If `banaction` set, clears blacklisted IPs.
-		"""
-		if self.banaction is not None:
-			if self._timer:
-				self._timer.cancel()
-				self._timer = None
-			self._unbanIPs(self._bannedips.copy())
-
-	def ban(self, aInfo):
-		"""Reports banned IP to badips.com.
-
-		Parameters
-		----------
-		aInfo : dict
-			Dictionary which includes information in relation to
-			the ban.
-
-		Raises
-		------
-		HTTPError
-			Any issues with badips.com request.
-		"""
-		try:
-			url = "/".join([self._badips, "add", self.category, str(aInfo['ip'])])
-			self._logSys.debug('badips.com: ban, url: %r', url)
-			response = urlopen(self._Request(url), timeout=self.timeout)
-		except HTTPError as response: # pragma: no cover
-			self.logError(response, "Failed to ban")
-			raise
-		else:
-			messages = json.loads(response.read().decode('utf-8'))
-			self._logSys.debug(
-				"Response from badips.com report: '%s'",
-				messages['suc'])
-
-Action = BadIPsAction
diff --git a/fail2ban/action.d/cloudflare-token.conf b/fail2ban/action.d/cloudflare-token.conf
new file mode 100644
index 0000000..8c5c37d
--- /dev/null
+++ b/fail2ban/action.d/cloudflare-token.conf
@@ -0,0 +1,92 @@
+#
+# Author: Logic-32
+#
+# IMPORTANT
+#
+# Please set jail.local's permission to 640 because it contains your CF API token.
+#
+# This action depends on curl.
+#
+# To get your Cloudflare API token: https://developers.cloudflare.com/api/tokens/create/
+#
+# Cloudflare Firewall API: https://developers.cloudflare.com/firewall/api/cf-firewall-rules/endpoints/
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+actionban = curl -s -X POST "<_cf_api_url>" \
+              <_cf_api_prms> \
+              --data '{"mode":"<cfmode>","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"<notes>"}'
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = id=$(curl -s -X GET "<_cf_api_url>?mode=<cfmode>&notes=<notes>&configuration.target=<cftarget>&configuration.value=<ip>" \
+                       <_cf_api_prms> \
+                       | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
+                       | tr -d ' "' \
+                       | head -n 1)
+              if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found using target <cftarget>"; exit 0; fi; \
+              curl -s -X DELETE "<_cf_api_url>/$id" \
+                  <_cf_api_prms> \
+                  --data '{"cascade": "none"}'
+
+_cf_api_url = https://api.cloudflare.com/client/v4/zones/<cfzone>/firewall/access_rules/rules
+_cf_api_prms = -H "Authorization: Bearer <cftoken>" -H "Content-Type: application/json"
+
+[Init]
+
+# Declare your Cloudflare Authorization Bearer Token in the [DEFAULT] section of your jail.local file.
+
+# The Cloudflare <ZONE_ID> of hte domain you want to manage.
+#
+# cfzone =
+
+# Your personal Cloudflare token.  Ideally restricted to just have "Zone.Firewall Services" permissions.
+#
+# cftoken =
+
+# Target of the firewall rule.  Default is "ip" (v4).
+#
+cftarget = ip
+
+# The firewall mode Cloudflare should use.  Default is "block" (deny access).
+# Consider also "js_challenge" or other "allowed_modes" if you want.
+#
+cfmode = block
+
+# The message to include in the firewall IP banning rule.
+#
+notes = Fail2Ban <name>
+
+[Init?family=inet6]
+cftarget = ip6
diff --git a/fail2ban/action.d/cloudflare.conf b/fail2ban/action.d/cloudflare.conf
index 361cb17..4af8708 100644
--- a/fail2ban/action.d/cloudflare.conf
+++ b/fail2ban/action.d/cloudflare.conf
@@ -44,7 +44,7 @@ actioncheck =
 #actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
 # API v4
 actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
-            -d '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"Fail2Ban <name>"}' \
+            -d '{"mode":"block","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"Fail2Ban <name>"}' \
             <_cf_api_url>
 
 # Option:  actionunban
@@ -59,7 +59,7 @@ actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
 #actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
 # API v4
 actionunban = id=$(curl -s -X GET <_cf_api_prms> \
-                   "<_cf_api_url>?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban%%20<name>" \
+                   "<_cf_api_url>?mode=block&configuration_target=<cftarget>&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban%%20<name>" \
                    | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; })
               if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
               curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id"
@@ -81,3 +81,8 @@ _cf_api_prms = -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' -H 'Conten
 cftoken =
 
 cfuser =
+
+cftarget = ip
+
+[Init?family=inet6]
+cftarget = ip6
diff --git a/fail2ban/action.d/dshield.conf b/fail2ban/action.d/dshield.conf
index c128bef..3d5a7a5 100644
--- a/fail2ban/action.d/dshield.conf
+++ b/fail2ban/action.d/dshield.conf
@@ -179,7 +179,7 @@ tcpflags =
 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
 # Values:  CMD
 #
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
 
 # Option:  mailargs
 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
diff --git a/fail2ban/action.d/firewallcmd-ipset.conf b/fail2ban/action.d/firewallcmd-ipset.conf
index c89a024..c36ba69 100644
--- a/fail2ban/action.d/firewallcmd-ipset.conf
+++ b/fail2ban/action.d/firewallcmd-ipset.conf
@@ -18,20 +18,45 @@ before = firewallcmd-common.conf
 
 [Definition]
 
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+actionstart = <ipstype_<ipsettype>/actionstart>
               firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
 
-actionflush = ipset flush <ipmset>
+actionflush = <ipstype_<ipsettype>/actionflush>
 
 actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
              <actionflush>
-             ipset destroy <ipmset>
+             <ipstype_<ipsettype>/actionstop>
 
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
+actionban = <ipstype_<ipsettype>/actionban>
 
 # actionprolong = %(actionban)s
 
-actionunban = ipset del <ipmset> <ip> -exist
+actionunban = <ipstype_<ipsettype>/actionunban>
+
+[ipstype_ipset]
+
+actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+
+actionflush = ipset flush <ipmset>
+
+actionstop = ipset destroy <ipmset>
+
+actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
+
+actionunban = ipset -exist del <ipmset> <ip>
+
+[ipstype_firewalld]
+
+actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>
+
+# TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
+actionflush = 
+
+actionstop = firewall-cmd --direct --delete-ipset=<ipmset>
+
+actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
+
+actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
 
 [Init]
 
@@ -56,6 +81,12 @@ ipsettime = 0
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 
+# Option: ipsettype
+# Notes.: defines type of ipset used for match-set (firewalld or ipset)
+# Values: firewalld or ipset
+# Default: ipset
+ipsettype = ipset
+
 # Option: actiontype
 # Notes.: defines additions to the blocking rule
 # Values: leave empty to block all attempts from the host
@@ -71,18 +102,20 @@ allports = -p <protocol>
 # Option: multiport
 # Notes.: addition to block access only to specific ports
 # Usage.: use in jail config:  banaction = firewallcmd-ipset[actiontype=<multiport>]
-multiport = -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)"
+multiport = -p <protocol> -m multiport --dports <port>
 
 ipmset = f2b-<name>
 familyopt =
+firewalld_familyopt =
 
 [Init?family=inet6]
 
 ipmset = f2b-<name>6
 familyopt = family inet6
+firewalld_familyopt = --option=family=inet6
 
 
 # DEV NOTES:
 #
-# Author: Edgar Hoch and Daniel Black
+# Author: Edgar Hoch, Daniel Black, Sergey Brester and Mihail Politaev
 # firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
diff --git a/fail2ban/action.d/firewallcmd-multiport.conf b/fail2ban/action.d/firewallcmd-multiport.conf
index 0c401f1..81540e5 100644
--- a/fail2ban/action.d/firewallcmd-multiport.conf
+++ b/fail2ban/action.d/firewallcmd-multiport.conf
@@ -11,9 +11,9 @@ before = firewallcmd-common.conf
 
 actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
               firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
 
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
              firewall-cmd --direct --remove-rules <family> filter f2b-<name>
              firewall-cmd --direct --remove-chain <family> filter f2b-<name>
 
diff --git a/fail2ban/action.d/firewallcmd-new.conf b/fail2ban/action.d/firewallcmd-new.conf
index 7b08603..b06f5cc 100644
--- a/fail2ban/action.d/firewallcmd-new.conf
+++ b/fail2ban/action.d/firewallcmd-new.conf
@@ -10,9 +10,9 @@ before = firewallcmd-common.conf
 
 actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
               firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
 
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
              firewall-cmd --direct --remove-rules <family> filter f2b-<name>
              firewall-cmd --direct --remove-chain <family> filter f2b-<name>
 
diff --git a/fail2ban/action.d/firewallcmd-rich-rules.conf b/fail2ban/action.d/firewallcmd-rich-rules.conf
index 803d7d1..75a27d8 100644
--- a/fail2ban/action.d/firewallcmd-rich-rules.conf
+++ b/fail2ban/action.d/firewallcmd-rich-rules.conf
@@ -37,8 +37,8 @@ actioncheck =
 
 fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
 
-actionban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
+actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
 	   
-actionunban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
+actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
 
 rich-suffix = <rich-blocktype>
\ No newline at end of file
diff --git a/fail2ban/action.d/iptables-allports.conf b/fail2ban/action.d/iptables-allports.conf
index caf9ab8..51c4694 100644
--- a/fail2ban/action.d/iptables-allports.conf
+++ b/fail2ban/action.d/iptables-allports.conf
@@ -4,52 +4,12 @@
 # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
 # 			made active on all ports from original iptables.conf
 #
-#
+# Obsolete: superseded by iptables[type=allports]
 
 [INCLUDES]
 
-before = iptables-common.conf
-
+before = iptables.conf
 
 [Definition]
 
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> -p <protocol> -j f2b-<name>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
-             <actionflush>
-             <iptables> -X f2b-<name>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
+type = allports
diff --git a/fail2ban/action.d/iptables-common.conf b/fail2ban/action.d/iptables-common.conf
deleted file mode 100644
index e016ef2..0000000
--- a/fail2ban/action.d/iptables-common.conf
+++ /dev/null
@@ -1,92 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Daniel Black
-#
-# This is a included configuration file and includes the definitions for the iptables
-# used in all iptables based actions by default.
-#
-# The user can override the defaults in iptables-common.local
-#
-# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
-#       made config file IPv6 capable (see new section Init?family=inet6)
-
-[INCLUDES]
-
-after = iptables-blocktype.local
-        iptables-common.local
-# iptables-blocktype.local is obsolete
-
-[Definition]
-
-# Option:  actionflush
-# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values:  CMD
-#
-actionflush = <iptables> -F f2b-<name>
-
-
-[Init]
-
-# Option:  chain
-# Notes    specifies the iptables chain to which the Fail2Ban rules should be
-#          added
-# Values:  STRING  Default: INPUT
-chain = INPUT
-
-# Default name of the chain
-#
-name = default
-
-# Option:  port
-# Notes.:  specifies port to monitor
-# Values:  [ NUM | STRING ]  Default:
-#
-port = ssh
-
-# Option:  protocol
-# Notes.:  internally used by config reader for interpolations.
-# Values:  [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
-
-# Option:  returntype
-# Note:    This is the default rule on "actionstart". This should be RETURN
-#          in all (blocking) actions, except REJECT in allowing actions.
-# Values:  STRING
-returntype = RETURN
-
-# Option:  lockingopt
-# Notes.:  Option was introduced to iptables to prevent multiple instances from
-#          running concurrently and causing irratic behavior.  -w was introduced
-#          in iptables 1.4.20, so might be absent on older systems
-#          See https://github.com/fail2ban/fail2ban/issues/1122
-# Values:  STRING
-lockingopt = -w
-
-# Option:  iptables
-# Notes.:  Actual command to be executed, including common to all calls options
-# Values:  STRING
-iptables = iptables <lockingopt>
-
-
-[Init?family=inet6]
-
-# Option:  blocktype (ipv6)
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the iptables man page (section 8). Common values are DROP
-#          REJECT, REJECT --reject-with icmp6-port-unreachable
-# Values:  STRING
-blocktype = REJECT --reject-with icmp6-port-unreachable
-
-# Option:  iptables (ipv6)
-# Notes.:  Actual command to be executed, including common to all calls options
-# Values:  STRING
-iptables = ip6tables <lockingopt>
-
diff --git a/fail2ban/action.d/iptables-ipset-proto4.conf b/fail2ban/action.d/iptables-ipset-proto4.conf
index 99ebbf8..3762428 100644
--- a/fail2ban/action.d/iptables-ipset-proto4.conf
+++ b/fail2ban/action.d/iptables-ipset-proto4.conf
@@ -19,7 +19,7 @@
 
 [INCLUDES]
 
-before = iptables-common.conf
+before = iptables.conf
 
 [Definition]
 
@@ -28,7 +28,7 @@ before = iptables-common.conf
 # Values:  CMD
 #
 actionstart = ipset --create f2b-<name> iphash
-              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+              <_ipt_add_rules>
 
 
 # Option:  actionflush
@@ -41,7 +41,7 @@ actionflush = ipset --flush f2b-<name>
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = <_ipt_del_rules>
              <actionflush>
              ipset --destroy f2b-<name>
 
@@ -61,5 +61,6 @@ actionban = ipset --test f2b-<name> <ip> ||  ipset --add f2b-<name> <ip>
 #
 actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
 
-[Init]
+# Several capabilities used internaly:
 
+rule-jump = -m set --match-set f2b-<name> src -j <blocktype>
diff --git a/fail2ban/action.d/iptables-ipset-proto6-allports.conf b/fail2ban/action.d/iptables-ipset-proto6-allports.conf
index 67d7947..1aa7fd6 100644
--- a/fail2ban/action.d/iptables-ipset-proto6-allports.conf
+++ b/fail2ban/action.d/iptables-ipset-proto6-allports.conf
@@ -15,73 +15,13 @@
 #
 # Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
 #       made config file IPv6 capable (see new section Init?family=inet6)
+#
+# Obsolete: superseded by iptables-ipset[type=allports]
 
 [INCLUDES]
 
-before = iptables-common.conf
+before = iptables-ipset.conf
 
 [Definition]
 
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
-              <iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
-
-# Option:  actionflush
-# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values:  CMD
-#
-actionflush = ipset flush <ipmset>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
-             <actionflush>
-             ipset destroy <ipmset>
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
-
-# actionprolong = %(actionban)s
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = ipset del <ipmset> <ip> -exist
-
-[Init]
-
-# Option: default-ipsettime
-# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
-default-ipsettime = 0
-
-# Option: ipsettime
-# Notes:  specifies ticket timeout (handled ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
-ipsettime = 0
-
-# expresion to caclulate timeout from bantime, example:
-# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
-timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-
-ipmset = f2b-<name>
-familyopt =
-
-
-[Init?family=inet6]
-
-ipmset = f2b-<name>6
-familyopt = family inet6
+type = allports
diff --git a/fail2ban/action.d/iptables-ipset-proto6.conf b/fail2ban/action.d/iptables-ipset-proto6.conf
index 8760102..ef74498 100644
--- a/fail2ban/action.d/iptables-ipset-proto6.conf
+++ b/fail2ban/action.d/iptables-ipset-proto6.conf
@@ -15,73 +15,13 @@
 #
 # Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
 #       made config file IPv6 capable (see new section Init?family=inet6)
+#
+# Obsolete: superseded by iptables-ipset[type=multiport]
 
 [INCLUDES]
 
-before = iptables-common.conf
+before = iptables-ipset.conf
 
 [Definition]
 
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
-              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
-
-# Option:  actionflush
-# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values:  CMD
-#
-actionflush = ipset flush <ipmset>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
-             <actionflush>
-             ipset destroy <ipmset>
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
-
-# actionprolong = %(actionban)s
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = ipset del <ipmset> <ip> -exist
-
-[Init]
-
-# Option: default-ipsettime
-# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
-default-ipsettime = 0
-
-# Option: ipsettime
-# Notes:  specifies ticket timeout (handled ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
-ipsettime = 0
-
-# expresion to caclulate timeout from bantime, example:
-# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
-timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-
-ipmset = f2b-<name>
-familyopt =
-
-
-[Init?family=inet6]
-
-ipmset = f2b-<name>6
-familyopt = family inet6
+type = multiport
diff --git a/fail2ban/action.d/iptables-ipset.conf.rpmnew b/fail2ban/action.d/iptables-ipset.conf.rpmnew
new file mode 100644
index 0000000..b44e6ec
--- /dev/null
+++ b/fail2ban/action.d/iptables-ipset.conf.rpmnew
@@ -0,0 +1,90 @@
+# Fail2Ban configuration file
+#
+# Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+#
+
+[INCLUDES]
+
+before = iptables.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+              <_ipt_add_rules>
+
+# Option:  actionflush
+# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
+# Values:  CMD
+#
+actionflush = ipset flush <ipmset>
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop = <_ipt_del_rules>
+             <actionflush>
+             ipset destroy <ipmset>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
+
+# actionprolong = %(actionban)s
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipset -exist del <ipmset> <ip>
+
+# Several capabilities used internaly:
+
+rule-jump = -m set --match-set <ipmset> src -j <blocktype>
+
+
+[Init]
+
+# Option: default-ipsettime
+# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
+# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
+default-ipsettime = 0
+
+# Option: ipsettime
+# Notes:  specifies ticket timeout (handled ipset timeout only)
+# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
+ipsettime = 0
+
+# expresion to caclulate timeout from bantime, example:
+# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
+
+ipmset = f2b-<name>
+familyopt =
+
+
+[Init?family=inet6]
+
+ipmset = f2b-<name>6
+familyopt = family inet6
diff --git a/fail2ban/action.d/iptables-multiport-log.conf b/fail2ban/action.d/iptables-multiport-log.conf
index df126db..322a749 100644
--- a/fail2ban/action.d/iptables-multiport-log.conf
+++ b/fail2ban/action.d/iptables-multiport-log.conf
@@ -11,7 +11,7 @@
 
 [INCLUDES]
 
-before = iptables-common.conf
+before = iptables.conf
 
 [Definition]
 
diff --git a/fail2ban/action.d/iptables-multiport.conf b/fail2ban/action.d/iptables-multiport.conf
index 41b00c5..008208e 100644
--- a/fail2ban/action.d/iptables-multiport.conf
+++ b/fail2ban/action.d/iptables-multiport.conf
@@ -3,50 +3,12 @@
 # Author: Cyril Jaquier
 # Modified by Yaroslav Halchenko for multiport banning
 #
+# Obsolete: superseded by iptables[type=multiport]
 
 [INCLUDES]
 
-before = iptables-common.conf
+before = iptables.conf
 
 [Definition]
 
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
-             <actionflush>
-             <iptables> -X f2b-<name>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
+type = multiport
diff --git a/fail2ban/action.d/iptables-new.conf b/fail2ban/action.d/iptables-new.conf
index 39a1709..170cb93 100644
--- a/fail2ban/action.d/iptables-new.conf
+++ b/fail2ban/action.d/iptables-new.conf
@@ -4,51 +4,12 @@
 # Copied from iptables.conf and modified by Yaroslav Halchenko 
 #  to fulfill the needs of bugreporter dbts#350746.
 #
-#
+# Obsolete: superseded by iptables[pre-rule='-m state --state NEW<sp>']
 
 [INCLUDES]
 
-before = iptables-common.conf
+before = iptables.conf
 
 [Definition]
 
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
-             <actionflush>
-             <iptables> -X f2b-<name>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
+pre-rule = -m state --state NEW<sp>
\ No newline at end of file
diff --git a/fail2ban/action.d/iptables-xt_recent-echo.conf b/fail2ban/action.d/iptables-xt_recent-echo.conf
index 9744922..c3c175b 100644
--- a/fail2ban/action.d/iptables-xt_recent-echo.conf
+++ b/fail2ban/action.d/iptables-xt_recent-echo.conf
@@ -7,10 +7,14 @@
 
 [INCLUDES]
 
-before = iptables-common.conf
+before = iptables.conf
 
 [Definition]
 
+_ipt_chain_rule = -m recent --update --seconds 3600 --name <iptname> -j <blocktype>
+_ipt_for_proto-iter =
+_ipt_for_proto-done =
+
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
@@ -33,7 +37,9 @@ before = iptables-common.conf
 #    own rules. The 3600 second timeout is independent and acts as a
 #    safeguard in case the fail2ban process dies unexpectedly. The
 #    shorter of the two timeouts actually matters.
-actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update --seconds 3600 --name <iptname> -j <blocktype>;fi
+actionstart = if [ `id -u` -eq 0 ];then
+              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
+              fi
 
 # Option:  actionflush
 #
@@ -46,13 +52,15 @@ actionflush =
 # Values:  CMD
 #
 actionstop = echo / > /proc/net/xt_recent/<iptname>
-             if [ `id -u` -eq 0 ];then <iptables> -D <chain> -m recent --update --seconds 3600 --name <iptname> -j <blocktype>;fi
+             if [ `id -u` -eq 0 ];then
+             <iptables> -D <chain> %(_ipt_chain_rule)s;
+             fi
 
 # Option:  actioncheck
-# Notes.:  command executed once before each actionban command
+# Notes.:  command executed as invariant check (error by ban)
 # Values:  CMD
 #
-actioncheck = test -e /proc/net/xt_recent/<iptname>
+actioncheck = { <iptables> -C <chain> %(_ipt_chain_rule)s; } && test -e /proc/net/xt_recent/<iptname>
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -72,7 +80,7 @@ actionunban = echo -<ip> > /proc/net/xt_recent/<iptname>
 
 [Init]
 
-iptname              = f2b-<name>
+iptname = f2b-<name>
 
 [Init?family=inet6]
 
diff --git a/fail2ban/action.d/iptables.conf b/fail2ban/action.d/iptables.conf
index 8ed5fda..67d496f 100644
--- a/fail2ban/action.d/iptables.conf
+++ b/fail2ban/action.d/iptables.conf
@@ -1,28 +1,35 @@
 # Fail2Ban configuration file
 #
-# Author: Cyril Jaquier
+# Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black, 
+#          Yaroslav O. Halchenko, Alexander Koeppe et al.
 #
-#
-
-[INCLUDES]
-
-before = iptables-common.conf
 
 [Definition]
 
+# Option:  type
+# Notes.:  type of the action.
+# Values:  [ oneport | multiport | allports ]  Default: oneport
+#
+type = oneport
+
+# Option:  actionflush
+# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
+# Values:  CMD
+#
+actionflush = <iptables> -F f2b-<name>
+
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>
+actionstart = { <iptables> -C f2b-<name> -j <returntype> >/dev/null 2>&1; } || { <iptables> -N f2b-<name> || true; <iptables> -A f2b-<name> -j <returntype>; }
+              <_ipt_add_rules>
 
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
-actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
+actionstop = <_ipt_del_rules>
              <actionflush>
              <iptables> -X f2b-<name>
 
@@ -30,7 +37,7 @@ actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck = <_ipt_check_rules>
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -48,5 +55,108 @@ actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
 
+# Option:  pre-rule
+# Notes.:  prefix parameter(s) inserted to the begin of rule. No default (empty)
+#
+pre-rule =
+
+rule-jump = -j <_ipt_rule_target>
+
+# Several capabilities used internaly:
+
+_ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
+_ipt_for_proto-done = done
+
+_ipt_add_rules = <_ipt_for_proto-iter>
+              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
+              <_ipt_for_proto-done>
+
+_ipt_del_rules = <_ipt_for_proto-iter>
+              <iptables> -D <chain> %(_ipt_chain_rule)s
+              <_ipt_for_proto-done>
+
+_ipt_check_rules = <_ipt_for_proto-iter>
+              %(_ipt_check_rule)s
+              <_ipt_for_proto-done>
+
+_ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
+_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
+_ipt_rule_target = f2b-<name>
+
+[ipt_oneport]
+
+_chain_rule = -p $proto --dport <port> <rule-jump>
+
+[ipt_multiport]
+
+_chain_rule = -p $proto -m multiport --dports <port> <rule-jump>
+
+[ipt_allports]
+
+_chain_rule = -p $proto <rule-jump>
+
+
 [Init]
 
+# Option:  chain
+# Notes    specifies the iptables chain to which the Fail2Ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
+
+# Option:  returntype
+# Note:    This is the default rule on "actionstart". This should be RETURN
+#          in all (blocking) actions, except REJECT in allowing actions.
+# Values:  STRING
+returntype = RETURN
+
+# Option:  lockingopt
+# Notes.:  Option was introduced to iptables to prevent multiple instances from
+#          running concurrently and causing irratic behavior.  -w was introduced
+#          in iptables 1.4.20, so might be absent on older systems
+#          See https://github.com/fail2ban/fail2ban/issues/1122
+# Values:  STRING
+lockingopt = -w
+
+# Option:  iptables
+# Notes.:  Actual command to be executed, including common to all calls options
+# Values:  STRING
+iptables = iptables <lockingopt>
+
+
+[Init?family=inet6]
+
+# Option:  blocktype (ipv6)
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp6-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp6-port-unreachable
+
+# Option:  iptables (ipv6)
+# Notes.:  Actual command to be executed, including common to all calls options
+# Values:  STRING
+iptables = ip6tables <lockingopt>
diff --git a/fail2ban/action.d/ipthreat.conf b/fail2ban/action.d/ipthreat.conf
new file mode 100644
index 0000000..193a60f
--- /dev/null
+++ b/fail2ban/action.d/ipthreat.conf
@@ -0,0 +1,107 @@
+# IPThreat configuration file
+#
+# Added to fail2ban by Jeff Johnson (jjxtra)
+#
+# Action to report IP address to ipthreat.net
+#
+# You must sign up to obtain an API key from ipthreat.net and request bulk report permissions
+# https://ipthreat.net/integrations
+#
+# IPThreat is a 100% free site and service, all data is licensed under a creative commons by attribution license
+# Please do not integrate if you do not agree to the license
+#
+# IMPORTANT:
+#
+# Reporting an IP is a serious action. Make sure that it is legit.
+# Consider using this action only for:
+#   * IP that has been banned more than once
+#   * High max retry to avoid user mis-typing password
+#   * Filters that are unlikely to be human error
+#
+# Example:
+# ```
+#   action = %(known/action)s
+#            ipthreat[]
+# ```
+#
+# The action accepts the following arguments: ipthreat[ipthreat_flags="8",ipthreat_system="SSH", ipthreat_apikey=...]
+# In most cases your action could be as simple as: ipthreat[], since the default flags and system are set to the most correct default values.
+# You can optionally override ipthreat_system and ipthreat_flags if desired.
+# The ipthreat_apikey must be set at the bottom of this configuration file.
+#
+# `ipthreat_system` is a short name of the system attacked, i.e. SSH, SMTP, MYSQL, PHP, etc.
+#
+# For `ipthreat_flags`, most cases will use 8 (BruteForce) which is the default, but you could use others.
+# You can use the name or the ordinal.
+# Multiple values are comma separated.
+# ```
+# Name           Ordinal Description
+# Dns            1       Abuse/attack of dns (domain name server)
+# Fraud          2       General fraud, whether orders, misuse of payment info, etc
+# DDos           4       Distributed denial of service attack, whether through http requests, large ping attack, etc
+# BruteForce     8       Brute force login attack
+# Proxy          16      IP is a proxy like TOR or other proxy server
+# Spam           32      Email, comment or other type of spam
+# Vpn            64      IP is part of a VPN
+# Hacking        128     General hacking outside of brute force attack (includes vulnerability scans, sql injection, etc.). Use port scan flag instead if it's just probe on ports.
+# BadBot         256     Bad bot that is not honoring robots.txt or just flooding with too many requests, etc
+# Compromised    512     The ip has been taken over by malware or botnet
+# Phishing       1024    The ip is involved in phishing or spoofing
+# Iot            2048    The ip has targetted an iot (Internet of Things) device
+# PortScan       4096    Port scan
+# See https://ipthreat.net/bulkreportformat for more information
+# ```
+
+[Definition]
+
+# bypass action for restored tickets
+norestored = 1
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+#
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = curl -sSf "https://api.ipthreat.net/api/report" -X POST -H "Content-Type: application/json" -H "X-API-KEY: <ipthreat_apikey>" -d "{\"ip\":\"<ip>\",\"flags\":\"<ipthreat_flags>\",\"system\":\"<ipthreat_system>\",\"notes\":\"fail2ban\"}"
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+# Option:  ipthreat_apikey
+# Notes    Your API key from ipthreat.net
+# Values:  STRING Default: None
+# Register for ipthreat [https://ipthreat.net], get api key and set below.
+# You will need to set the flags and system in the action call in jail.conf
+ipthreat_apikey =
+
+# By default, the ipthreat system is the name of the fail2ban jail
+ipthreat_system = <name>
+
+# By default the ip threat flags is 8 (brute force), but you can override this per jail if desired
+ipthreat_flags = 8
\ No newline at end of file
diff --git a/fail2ban/action.d/nginx-block-map.conf b/fail2ban/action.d/nginx-block-map.conf
index ee70290..0de382b 100644
--- a/fail2ban/action.d/nginx-block-map.conf
+++ b/fail2ban/action.d/nginx-block-map.conf
@@ -84,8 +84,15 @@ srv_cfg_path = /etc/nginx/
 #srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf
 srv_cmd = nginx
 
-# first test configuration is correct, hereafter send reload signal:
-blck_lst_reload = %(srv_cmd)s -qt; if [ $? -eq 0 ]; then
+# pid file (used to check nginx is running):
+srv_pid = /run/nginx.pid
+
+# command used to check whether nginx is running and configuration is valid:
+srv_is_running = [ -f "%(srv_pid)s" ]
+srv_check_cmd = %(srv_is_running)s && %(srv_cmd)s -qt
+
+# first test nginx is running and configuration is correct, hereafter send reload signal:
+blck_lst_reload = %(srv_check_cmd)s; if [ $? -eq 0 ]; then
                     %(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi;
                   fi;
 
diff --git a/fail2ban/action.d/symbiosis-blacklist-allports.conf b/fail2ban/action.d/symbiosis-blacklist-allports.conf
index 6fb7d0a..7208b29 100644
--- a/fail2ban/action.d/symbiosis-blacklist-allports.conf
+++ b/fail2ban/action.d/symbiosis-blacklist-allports.conf
@@ -5,7 +5,7 @@
 
 [INCLUDES]
 
-before = iptables-common.conf
+before = iptables.conf
 
 [Definition]
 
@@ -41,6 +41,11 @@ actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
 actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
               <iptables> -D <chain> -s <ip> -j <blocktype> || :
 
+# [TODO] Flushing is currently not implemented for symbiosis blacklist.d
+#
+actionflush = 
+
+
 [Init]
 
 # Option:  chain
diff --git a/fail2ban/fail2ban.conf b/fail2ban/fail2ban.conf
index f386783..fd6baeb 100644
--- a/fail2ban/fail2ban.conf
+++ b/fail2ban/fail2ban.conf
@@ -24,13 +24,13 @@
 loglevel = INFO
 
 # Option: logtarget
-# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+# Notes.: Set the log target. This could be a file, SYSTEMD-JOURNAL, SYSLOG, STDERR or STDOUT.
 #         Only one log target can be specified.
 #         If you change logtarget from the default value and you are
 #         using logrotate -- also adjust or disable rotation in the
 #         corresponding configuration file
 #         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
-# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
+# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ]  Default: STDERR
 #
 logtarget = /var/log/fail2ban.log
 
@@ -55,6 +55,12 @@ socket = /var/run/fail2ban/fail2ban.sock
 #
 pidfile = /var/run/fail2ban/fail2ban.pid
 
+# Option: allowipv6
+# Notes.: Allows IPv6 interface:
+#         Default: auto
+# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
+#allowipv6 = auto
+
 # Options: dbfile
 # Notes.: Set the file for the fail2ban persistent data to be stored.
 #         A value of ":memory:" means database is only stored in memory 
diff --git a/fail2ban/filter.d/apache-fakegooglebot.conf b/fail2ban/filter.d/apache-fakegooglebot.conf
index 729410a..ee23656 100644
--- a/fail2ban/filter.d/apache-fakegooglebot.conf
+++ b/fail2ban/filter.d/apache-fakegooglebot.conf
@@ -2,11 +2,11 @@
 
 [Definition]
 
-failregex = ^<HOST> .*Googlebot.*$
+failregex = ^\s*<HOST> \S+ \S+(?: \S+)?\s+\S+ "[A-Z]+ /\S* [^"]*" \d+ \d+ \"[^"]*\" "[^"]*\bGooglebot/[^"]*"
 
 ignoreregex =
 
-datepattern = ^[^\[]*\[({DATE})
+datepattern = ^[^\[]*(\[{DATE}\s*\])
               {^LN-BEG}
 
 # DEV Notes:
diff --git a/fail2ban/filter.d/apache-overflows.conf b/fail2ban/filter.d/apache-overflows.conf
index 02a2ef2..0f54da1 100644
--- a/fail2ban/filter.d/apache-overflows.conf
+++ b/fail2ban/filter.d/apache-overflows.conf
@@ -8,7 +8,7 @@ before = apache-common.conf
 
 [Definition]
 
-failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
+failregex = ^%(_apache_error_client)s (?:(?:AH001[23][456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
 
 ignoreregex =
 
diff --git a/fail2ban/filter.d/asterisk.conf b/fail2ban/filter.d/asterisk.conf
index 6847249..e15d7bf 100644
--- a/fail2ban/filter.d/asterisk.conf
+++ b/fail2ban/filter.d/asterisk.conf
@@ -21,7 +21,7 @@ log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+
 prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
 
 failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
-            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
+            ^Call from '[^']*' \((?:(?:TCP|UDP):)?<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
             ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
             ^No registration for peer '[^']*' \(from <HOST>\)$
             ^hacking attempt detected '<HOST>'$
diff --git a/fail2ban/filter.d/common.conf b/fail2ban/filter.d/common.conf
index 1328603..e6b3c64 100644
--- a/fail2ban/filter.d/common.conf
+++ b/fail2ban/filter.d/common.conf
@@ -10,7 +10,7 @@ after = common.local
 
 [DEFAULT]
 
-# Type of log-file resp. log-format (file, short, journal, rfc542):
+# Type of log-file resp. log-format (file, short, journal, rfc5424):
 logtype = file
 
 # Daemon definition is to be specialized (if needed) in .conf file
diff --git a/fail2ban/filter.d/courier-auth.conf b/fail2ban/filter.d/courier-auth.conf
index 1ac3373..d5ba9c5 100644
--- a/fail2ban/filter.d/courier-auth.conf
+++ b/fail2ban/filter.d/courier-auth.conf
@@ -11,7 +11,7 @@ before = common.conf
 
 _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
 
-failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
+failregex = ^%(__prefix_line)sLOGIN FAILED, (?:(?!ip=)(?:user=<F-USER>[^,]*</F-USER>|\w+=[^,]*), )*ip=\[<HOST>\]
 
 ignoreregex = 
 
diff --git a/fail2ban/filter.d/dovecot.conf b/fail2ban/filter.d/dovecot.conf
index 98d9f43..dc3ebbc 100644
--- a/fail2ban/filter.d/dovecot.conf
+++ b/fail2ban/filter.d/dovecot.conf
@@ -7,18 +7,21 @@ before = common.conf
 
 [Definition]
 
-_auth_worker = (?:dovecot: )?auth(?:-worker)?
 _daemon = (?:dovecot(?:-auth)?|auth)
 
-prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
+_auth_worker = (?:dovecot: )?auth(?:-worker)?
+_auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?
+_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*
+
+prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$
 
 failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
-            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
-            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
-            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
+            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
+            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
             <mdre-<mode>>
 
-mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
 
 mdre-normal = 
 
diff --git a/fail2ban/filter.d/drupal-auth.conf b/fail2ban/filter.d/drupal-auth.conf
index b60abe3..2404cc6 100644
--- a/fail2ban/filter.d/drupal-auth.conf
+++ b/fail2ban/filter.d/drupal-auth.conf
@@ -14,7 +14,7 @@ before = common.conf
 
 [Definition]
 
-failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|<HOST>\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
+failregex = ^%(__prefix_line)s(?:https?:\/\/)[^|]+\|[^|]+\|[^|]+\|<ADDR>\|(?:[^|]*\|)*Login attempt failed (?:for|from) <F-USER>[^|]+</F-USER>\.$
 
 ignoreregex =
 
diff --git a/fail2ban/filter.d/exim-common.conf b/fail2ban/filter.d/exim-common.conf
index b3b2575..36644e9 100644
--- a/fail2ban/filter.d/exim-common.conf
+++ b/fail2ban/filter.d/exim-common.conf
@@ -12,7 +12,7 @@ after = exim-common.local
 host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?
 host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s
 host_info = %(host_info_pre)s\[<HOST>\]%(host_info_suf)s
-pid = (?: \[\d+\])?
+pid = (?: \[\d+\]| \w+ exim\[\d+\]:)?
 
 # DEV Notes:
 # From exim source code: ./src/receive.c:add_host_info_for_log
diff --git a/fail2ban/filter.d/ignorecommands/apache-fakegooglebot b/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
index a734f85..c574ea2 100755
--- a/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
+++ b/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
@@ -6,24 +6,35 @@
 #
 import sys
 from fail2ban.server.ipdns import DNSUtils, IPAddr
+from threading import Thread
 
 def process_args(argv):
-    if len(argv) != 2:
-       raise ValueError("Please provide a single IP as an argument. Got: %s\n"
-                        % (argv[1:]))
+    if len(argv) - 1 not in (1, 2):
+       raise ValueError("Usage %s ip ?timeout?. Got: %s\n"
+                        % (argv[0], argv[1:]))
     ip = argv[1]
 
     if not IPAddr(ip).isValid:
        raise ValueError("Argument must be a single valid IP. Got: %s\n"
                         % ip)
-    return ip
+    return argv[1:]
 
 google_ips = None
 
-def is_googlebot(ip):
+def is_googlebot(ip, timeout=55):
     import re
 
-    host = DNSUtils.ipToName(ip)
+    timeout = float(timeout or 0)
+    if timeout:
+      def ipToNameTO(host, ip, timeout):
+        host[0] = DNSUtils.ipToName(ip)
+      host = [None]
+      th = Thread(target=ipToNameTO, args=(host, ip, timeout)); th.daemon=True; th.start()
+      th.join(timeout)
+      host = host[0]
+    else:
+      host = DNSUtils.ipToName(ip)
+
     if not host or not re.match(r'.*\.google(bot)?\.com$', host):
        return False
     host_ips = DNSUtils.dnsToIp(host)
@@ -31,7 +42,7 @@ def is_googlebot(ip):
 
 if __name__ == '__main__': # pragma: no cover
     try:
-      ret = is_googlebot(process_args(sys.argv))
+      ret = is_googlebot(*process_args(sys.argv))
     except ValueError as e:
       sys.stderr.write(str(e))
       sys.exit(2)
diff --git a/fail2ban/filter.d/lighttpd-auth.conf b/fail2ban/filter.d/lighttpd-auth.conf
index a68f4f4..dcf19d3 100644
--- a/fail2ban/filter.d/lighttpd-auth.conf
+++ b/fail2ban/filter.d/lighttpd-auth.conf
@@ -3,7 +3,7 @@
 
 [Definition]
 
-failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
+failregex = ^\s*(?:: )?\(?(?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match for (?:\S+|.*?) username:\s+<F-USER>(?:\S+|.*?)</F-USER>\s*|digest: auth failed(?: for\s+<F-ALT_USER>(?:\S+|.*?)</F-ALT_USER>\s*)?: (?:wrong password|uri mismatch \([^\)]*\))|get_password failed),? IP: <HOST>\s*$
 
 ignoreregex = 
 
diff --git a/fail2ban/filter.d/monitorix.conf b/fail2ban/filter.d/monitorix.conf
new file mode 100644
index 0000000..ff69f1b
--- /dev/null
+++ b/fail2ban/filter.d/monitorix.conf
@@ -0,0 +1,25 @@
+# Fail2Ban filter for Monitorix (HTTP built-in server)
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = monitorix-httpd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+failregex = ^(?:\s+-)?\s*(?:NOTEXIST|AUTHERR|NOTALLOWED) - <ADDR>\b
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/fail2ban/filter.d/mssql-auth.conf b/fail2ban/filter.d/mssql-auth.conf
new file mode 100644
index 0000000..65bbd91
--- /dev/null
+++ b/fail2ban/filter.d/mssql-auth.conf
@@ -0,0 +1,15 @@
+# Fail2Ban filter for failed MSSQL Server authentication attempts
+
+[Definition]
+
+failregex = ^\s*Logon\s+Login failed for user '<F-USER>(?:[^']*|.*)</F-USER>'\. [^'\[]+\[CLIENT: <ADDR>\]$
+
+
+# DEV Notes:
+#	Tested with SQL Server 2019 on Ubuntu 18.04
+#
+# Example:
+#	2020-02-24 14:48:55.12 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 127.0.0.1]
+#
+# Author: Rüdiger Olschewsky
+#
\ No newline at end of file
diff --git a/fail2ban/filter.d/named-refused.conf b/fail2ban/filter.d/named-refused.conf
index 0d5a627..798f66e 100644
--- a/fail2ban/filter.d/named-refused.conf
+++ b/fail2ban/filter.d/named-refused.conf
@@ -22,7 +22,7 @@
 [Definition]
 
 # Daemon name
-_daemon=named
+_daemon=named(?:-\w+)?
 
 # Shortcuts for easier comprehension of the failregex
 
@@ -30,11 +30,14 @@ __pid_re=(?:\[\d+\])
 __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
 __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
 
+_category = (?!error|info)[\w-]+
+_category_re = (?:%(_category)s: )?
+
 #       hostname       daemon_id         spaces
 # this can be optional (for instance if we match named native log files)
-__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+__line_prefix=\s*(?:\S+ %(__daemon_combs_re)s\s+)?%(_category_re)s
 
-prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
+prefregex = ^%(__line_prefix)s(?:(?:error|info):\s*)?client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
 
 failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
             ^zone transfer
diff --git a/fail2ban/filter.d/nginx-bad-request.conf b/fail2ban/filter.d/nginx-bad-request.conf
new file mode 100644
index 0000000..12c14ab
--- /dev/null
+++ b/fail2ban/filter.d/nginx-bad-request.conf
@@ -0,0 +1,16 @@
+# Fail2Ban filter to match bad requests to nginx
+#
+
+[Definition]
+
+# The request often doesn't contain a method, only some encoded garbage
+# This will also match requests that are entirely empty
+failregex = ^<HOST> - \S+ \[\] "[^"]*" 400
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
+
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+
+# Author: Jan Przybylak
diff --git a/fail2ban/filter.d/nginx-botsearch.conf b/fail2ban/filter.d/nginx-botsearch.conf
index 0be895b..2bd2307 100644
--- a/fail2ban/filter.d/nginx-botsearch.conf
+++ b/fail2ban/filter.d/nginx-botsearch.conf
@@ -17,7 +17,9 @@ datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]
               ^[^\[]*\[({DATE})
               {^LN-BEG}
 
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+
 # DEV Notes:
 # Based on apache-botsearch filter
 # 
-# Author: Frantisek Sumsal
\ No newline at end of file
+# Author: Frantisek Sumsal
diff --git a/fail2ban/filter.d/nginx-http-auth.conf b/fail2ban/filter.d/nginx-http-auth.conf
index 93341cd..71806e8 100644
--- a/fail2ban/filter.d/nginx-http-auth.conf
+++ b/fail2ban/filter.d/nginx-http-auth.conf
@@ -3,15 +3,32 @@
 
 [Definition]
 
+mode = normal
 
-failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+mdre-auth = ^\s*\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+mdre-fallback = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
+
+mdre-normal = %(mdre-auth)s
+mdre-aggressive = %(mdre-auth)s
+                  %(mdre-fallback)s
+
+failregex = <mdre-<mode>>
 
 ignoreregex = 
 
 datepattern = {^LN-BEG}
 
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+
 # DEV NOTES:
+# mdre-auth:
 # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
 # Extensive search of all nginx auth failures not done yet.
 # 
 # Author: Daniel Black
+
+# mdre-fallback:
+# Ban people checking for TLS_FALLBACK_SCSV repeatedly
+# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
+# Author: Stephan Orlowsky
+
diff --git a/fail2ban/filter.d/nginx-limit-req.conf b/fail2ban/filter.d/nginx-limit-req.conf
index e23548a..2f45e83 100644
--- a/fail2ban/filter.d/nginx-limit-req.conf
+++ b/fail2ban/filter.d/nginx-limit-req.conf
@@ -44,3 +44,6 @@ failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by
 ignoreregex = 
 
 datepattern = {^LN-BEG}
+
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+
diff --git a/fail2ban/filter.d/nsd.conf b/fail2ban/filter.d/nsd.conf
index bfd9954..0589c16 100644
--- a/fail2ban/filter.d/nsd.conf
+++ b/fail2ban/filter.d/nsd.conf
@@ -22,10 +22,10 @@ _daemon = nsd
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 
-failregex =  ^%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
-             ^%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
+failregex =  ^%(__prefix_line)sinfo: ratelimit block .* query <ADDR> TYPE255$
+             ^%(__prefix_line)sinfo: .* from(?: client)? <ADDR> refused, no acl matches\.?$
 
 ignoreregex =
 
 datepattern = {^LN-BEG}Epoch
-              {^LN-BEG}
\ No newline at end of file
+              {^LN-BEG}
diff --git a/fail2ban/filter.d/postfix.conf b/fail2ban/filter.d/postfix.conf
index fb690fb..b374f47 100644
--- a/fail2ban/filter.d/postfix.conf
+++ b/fail2ban/filter.d/postfix.conf
@@ -12,16 +12,15 @@ before = common.conf
 
 _daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
 _port = (?::\d+)?
+_pref = [A-Z]{4}
 
 prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
 
-mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
-mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
-            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
-            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
-            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
-            ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
-            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
+# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:
+exre-user = |[Uu](?:ser unknown|ndeliverable address)
+
+mdpr-normal = (?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+)
+mdre-normal=^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match%(exre-user)s)\b
             ^from [^[]*\[<HOST>\]%(_port)s:?
 
 mdpr-auth = warning:
@@ -31,13 +30,15 @@ mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5
 
 # Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
 mdpr-rbl = %(mdpr-normal)s
-mdre-rbl  = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
+mdre-rbl  = ^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
 
 # Mode "rbl" currently included in mode "normal" (within 1st rule)
 mdpr-more = %(mdpr-normal)s
 mdre-more = %(mdre-normal)s
 
-mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+)))
+# Includes some of the log messages described in
+# <http://www.postfix.org/POSTSCREEN_README.html>.
+mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
 mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
 
 mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
diff --git a/fail2ban/filter.d/scanlogd.conf b/fail2ban/filter.d/scanlogd.conf
new file mode 100644
index 0000000..d3fe78b
--- /dev/null
+++ b/fail2ban/filter.d/scanlogd.conf
@@ -0,0 +1,17 @@
+# Fail2Ban filter for port scans detected by scanlogd
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = scanlogd
+
+failregex =  ^%(__prefix_line)s<ADDR>(?::<F-PORT/>)? to \S+ ports\b
+
+ignoreregex =
+
+# Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
diff --git a/fail2ban/filter.d/sendmail-auth.conf b/fail2ban/filter.d/sendmail-auth.conf
index 84fcbdd..3fa3c70 100644
--- a/fail2ban/filter.d/sendmail-auth.conf
+++ b/fail2ban/filter.d/sendmail-auth.conf
@@ -15,7 +15,7 @@ addr = (?:IPv6:<IP6>|<IP4>)
 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
 
 failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
-            ^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
+            ^AUTH failure \([^\)]+\):(?: [^:]+:)? (?:authentication failure|user not found): [^,]*, (?:user=<F-USER>(?:\S+|.*?)</F-USER>, )?relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
 ignoreregex =
 
 journalmatch = _SYSTEMD_UNIT=sendmail.service
diff --git a/fail2ban/filter.d/sendmail-reject.conf b/fail2ban/filter.d/sendmail-reject.conf
index e8b766c..41035e5 100644
--- a/fail2ban/filter.d/sendmail-reject.conf
+++ b/fail2ban/filter.d/sendmail-reject.conf
@@ -21,12 +21,12 @@ before = common.conf
 
 _daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
 __prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
-addr = (?:IPv6:<IP6>|<IP4>)
+addr = (?:(?:IPv6:)?<IP6>|<IP4>)
 
 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
 
-cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
-            ^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=%(addr)s, relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+            ^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
             ^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$
             ^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
             ^<[^@]+@[^>]+>\.\.\. No such user here$
diff --git a/fail2ban/filter.d/sshd.conf b/fail2ban/filter.d/sshd.conf
index e794226..d5d189b 100644
--- a/fail2ban/filter.d/sshd.conf
+++ b/fail2ban/filter.d/sshd.conf
@@ -68,15 +68,17 @@ cmnfailed = <cmnfailed-<publickey>>
 
 mdre-normal =
 # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
-mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
+mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
 
 mdre-ddos = ^Did not receive identification string from <HOST>
-            ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
+            ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
             ^Bad protocol version identification '.*' from <HOST>
             ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
             ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
-# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
+            ^banner exchange: Connection from <HOST><__on_port_opt>: invalid format
+# same as mdre-normal-other, but as failure (without <F-NOFAIL> with [preauth] and with <F-NOFAIL> on no preauth phase as helper to identify address):
 mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
+                  ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__on_port_opt)s|\s*)$
 
 mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
             ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
diff --git a/fail2ban/filter.d/zoneminder.conf b/fail2ban/filter.d/zoneminder.conf
index cc82755..8e8ed43 100644
--- a/fail2ban/filter.d/zoneminder.conf
+++ b/fail2ban/filter.d/zoneminder.conf
@@ -5,17 +5,23 @@ before = apache-common.conf
 
 [Definition]
 
-# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
-#
+# patterns: [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/
+#           [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/
+#           [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/
 #
 # Option:  failregex
-# Notes.:  regex to match the password failure messages in the logfile.
+# Notes.:  regex to match the login failure and non-existent user error messages in the logfile.
 
-failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
+prefregex = ^%(_apache_error_client)s (?:ERR|WAR) <F-CONTENT>\[(?:Login denied|Could not retrieve).*</F-CONTENT>$
+
+failregex = ^\[Login denied for user "<F-USER>[^"]*</F-USER>"\]
+            ^\[Could not retrieve user <F-USER>\S*</F-USER>
 
 ignoreregex =
 
 # Notes:
-#	Tested on Zoneminder 1.29.0
+#	Tested on Zoneminder 1.29 and 1.35.21
+#
+#	Zoneminder versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons
 #
 # Author: John Marzella
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf
index 28fa289..566f73c 100644
--- a/fail2ban/jail.conf
+++ b/fail2ban/jail.conf
@@ -67,7 +67,7 @@ before = paths-fedora.conf
 # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
 #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
 
-# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
+# "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
 # previously ban count and given "bantime.factor" (for multipliers default is 1);
 # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
 # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
@@ -77,7 +77,7 @@ before = paths-fedora.conf
 #bantime.multipliers = 1 5 30 60 300 720 1440 2880
 
 # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
-# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
+# cross over all jails, if false (default), only current jail of the ban IP will be searched
 #bantime.overalljails = false
 
 # --------------------
@@ -227,6 +227,15 @@ action_mwl = %(action_)s
 action_xarf = %(action_)s
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
 
+# ban & send a notification to one or more of the 50+ services supported by Apprise.
+# See https://github.com/caronc/apprise/wiki for details on what is supported.
+#
+# You may optionally over-ride the default configuration line (containing the Apprise URLs)
+# by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise
+# /etc/fail2ban/apprise.conf is sourced for your supported notification configuration.
+# action = %(action_)s
+#          apprise
+
 # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
@@ -242,20 +251,6 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
 #
 action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 
-# Report ban via badips.com, and use as blacklist
-#
-# See BadIPsAction docstring in config/action.d/badips.py for
-# documentation for this action.
-#
-# NOTE: This action relies on banaction being present on start and therefore
-# should be last action defined for a jail.
-#
-action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
-#
-# Report ban via badips.com (uses action.d/badips.conf for reporting only)
-#
-action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
-
 # Report ban via abuseipdb.com.
 #
 # See action.d/abuseipdb.conf for usage example and details.
@@ -351,7 +346,7 @@ maxretry = 2
 port     = http,https
 logpath  = %(apache_access_log)s
 maxretry = 1
-ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot <ip>
 
 
 [apache-modsecurity]
@@ -375,8 +370,11 @@ banaction = %(banaction_allports)s
 logpath = /opt/openhab/logs/request.log
 
 
+# To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
+# normal (default), aggressive (combines all), auth or fallback
+# See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
 [nginx-http-auth]
-
+# mode = normal
 port    = http,https
 logpath = %(nginx_error_log)s
 
@@ -392,8 +390,10 @@ logpath = %(nginx_error_log)s
 
 port     = http,https
 logpath  = %(nginx_error_log)s
-maxretry = 2
 
+[nginx-bad-request]
+port    = http,https
+logpath = %(nginx_access_log)s
 
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
@@ -797,6 +797,14 @@ logpath  = %(mysql_log)s
 backend  = %(mysql_backend)s
 
 
+[mssql-auth]
+# Default configuration for Microsoft SQL Server for Linux
+# See the 'mssql-conf' manpage how to change logpath or port
+logpath = /var/opt/mssql/log/errorlog
+port = 1433
+filter = mssql-auth
+
+
 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 [mongodb-auth]
 # change port when running with "--shardsvr" or "--configsvr" runtime operation
@@ -962,3 +970,11 @@ logpath = %(apache_error_log)s
 # see `filter.d/traefik-auth.conf` for details and service example.
 port    = http,https
 logpath = /var/log/traefik/access.log
+
+[scanlogd]
+logpath = %(syslog_local0)s
+banaction = %(banaction_allports)s
+
+[monitorix]
+port	= 8080
+logpath = /var/log/monitorix-httpd
diff --git a/fail2ban/jail.d/00-firewalld.conf b/fail2ban/jail.d/00-firewalld.conf
index 61752cb..03f1128 100644
--- a/fail2ban/jail.d/00-firewalld.conf
+++ b/fail2ban/jail.d/00-firewalld.conf
@@ -2,5 +2,5 @@
 # the firewalld actions as the default actions.  You can remove this package
 # (along with the empty fail2ban meta-package) if you do not use firewalld
 [DEFAULT]
-banaction = firewallcmd-rich-rules[actiontype=<multiport>]
-banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
+banaction = firewallcmd-rich-rules
+banaction_allports = firewallcmd-rich-rules
diff --git a/fail2ban/paths-common.conf b/fail2ban/paths-common.conf
index 7383caf..4f6a5f7 100644
--- a/fail2ban/paths-common.conf
+++ b/fail2ban/paths-common.conf
@@ -91,6 +91,3 @@ mysql_log = %(syslog_daemon)s
 mysql_backend = %(default_backend)s
 
 roundcube_errors_log = /var/log/roundcube/errors
-
-# Directory with ignorecommand scripts
-ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands
diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf
new file mode 100644
index 0000000..d28adf3
--- /dev/null
+++ b/httpd/conf.d/ssl.conf
@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the 
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   List the protocol versions which clients are allowed to connect with.
+#   The OpenSSL system profile is used by default.  See
+#   update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+#   User agents such as web browsers are not configured for the user's
+#   own preference of either security or performance, therefore this
+#   must be the prerogative of the web server administrator who manages
+#   cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+#   The OpenSSL system profile is configured by default.  See
+#   update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+#   Point SSLCertificateFile at a PEM encoded certificate.  If
+#   the certificate is encrypted, then you will be prompted for a
+#   pass phrase.  Note that restarting httpd will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
+#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+#   require an ECC certificate which can also be configured in
+#   parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+#   ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is sent or allowed to be received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is sent and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+
diff --git a/selinux/targeted/.policy.sha512 b/selinux/targeted/.policy.sha512
index b04358c..814b844 100644
--- a/selinux/targeted/.policy.sha512
+++ b/selinux/targeted/.policy.sha512
@@ -1 +1 @@
-94b341527eaeae89b7481bbb21da5757768cd43b2683a72a0a4464e1c7c05792a4e193e4a61db4453eba15053ac48d0e23c9df962db6f213ee08ecacccb473be
+5020ff024b92d2d5d7a2b0066e3d83e856dfa88046c653658ee78523cb7cb82cc1ba0340b6c33d8a05bd0bc00c73843ee3c21bd8f02774c0117ee1a097701e10
diff --git a/selinux/targeted/policy/policy.31 b/selinux/targeted/policy/policy.31
index e235312e7a245b8c3bbcb4bbc5c01c1256cc29f8..169308e156edc2ea7bf9d5068c72d74209cc424b 100644
GIT binary patch
delta 1646
zcmYk+4@?_X90%}s*E@RG|6EJUzp{dZ!9e*lbY)YA2y9bvK>4#jpa>{3hQiz!PB=OT
zxlKkkW0tOFMib}14Wf%I&sa#NhPlKgI^vd@=q8$u&BQH6Va9;-dsmv+<dd|&`@Q#m
z@Auv{^hS^y4hA{@AT!7g>IS)SzTd@EQrX4Rpm<o4#X`ammKL1mZ`)0>7&fr#Z$b!7
zo#GF;jh<)<A|L+3U#fM<;+&)>Hlm1xM7}emo{TDe-Wb~F)sIXXWpM)^gJ}lVc&IS1
z-)A<?#>%1^@evO_pc5{wMvjX&A>v>;+OSs0mk=?S^oZEVJM>V6aFIvkj-W;`J8kd@
z{2@emlM4|-{IuzsP{AS+6ryX5&Inl+L}p_J<RFWFe_N=k6+<>z)FL#kOtd#6<8z$>
z&(&%QKM+T<wffYJ7ZZk_offOI1MYvt1uZNhEMcnnyW)Gr7<%2HE@v-YPAAqGe#${)
zPKt@NgC5&qI9R8(EV^0GSBAwPawcpnazZvjlN*hvU)OS?Gheu6?5s!cWibUa3u^C+
z%1xDadUT7arWX$;Y)eZLdh?>`#(r%BM&$YkN588zhgTZH23a&CQqR&){pOM^q%>Qj
z{r&4B^U!fbGR#Z;ReH-Uw71-vUrNusW=*p)etIQn?F?#VseK^mL+L78|1pdTYG*Lu
zU7%;bv59&uN1exqb2>k53#<K(UZay$v7z%A(_oFBQfs2LsMFStR@0Osy|n_H^)d;V
z#ZUh!lYX#RF(2o_ee&UCIC7F+u91E%VQ(Fwp@6h?J?^C}s)cb>x+b-;+L1<n_smG|
zIxw9_(r&WioR_F`-rf;|MMLPicAKex!TyC#hYNMa>k!NENHj(3DK2w#yXj=J<L^ww
zJ?5p#mGNN*9UqQ!r!q}+dNi&r(HJ%;+AXeSJ=FVk+|8rf1&Q{;)974`F|pW#R)~6x
z?pCKGU0ZCa@igzCbE-nyOC*W@dD&^Xf-^oGDPJAMeC#^m#Hc@TuOctei78iVGWIwd
z8+lv5oN?VLK*n!G&Deu-K6Aw9|Bi?(=BZ=e)X^JELc0?yeJdp+a#u$;#V5=+7}a+n
za#08^-JQ_gfkDmIXnEs5Cj{R|HP`VsU?X7zs;N*CYeuyD6?v)X+m57jHWnAHEj?+P
zMRFZu#R~Wcv?w#l%W-O-l=hq?NCr2g(Ds~VyE2&V%GK&+;DJ;~gL_~(q(cU*fK14O
zm5>cNa4*~kxsV6>Pynl-5blQuU^RH@)#{?29|K2r?&SiXOm5~aGXAbM@`UJ7Xi!k9
zbJxIHcn}_fhhZHQ!y`}vk3uPwK{>344X_a&gU8_ssDLM76I4PKRD%y{pcd+&9yY@k
z*b3XA0UF^ccp94E8EA$UXoY9tIcS6Dp&hnE2kd}OcmZC7F6f4x@Dl8T-OvMjXmxJy
zwsV2J3tld^tEKDzO=&SJr{;R$W!MX^Kp*sj3<KbYee~4atCck16Nc=HWo$nTQp?!T
H*zx}W-S_4x

delta 968
zcmX}mYfOy+00!W5`M&zToYOgd=jL=e64DJNA`*ohw}?6+_k>WCYcA&~o%U&!F|(ZM
zhacuLb7`}^n%Vrw<@`9COBtJcY-|jhQCq|Nhj)8^zI)%6U{JVqGAPssv;kc}9}sSc
zK8JQF{0<R8<adgnEtqmwJnBaHo!H}5yRswDl^xl78%ush)*JCsFZE2u?HnmX!9bz(
zP(*LBB(&ngYiXelx$mUpXw-g_io6IH$mVi<x*)fvq2Y;KlxFbDT{@FSt6`+}N5ADk
zJpUt~%R_Ts)Qd5wt&Tcc3b8wCFbLzCA=ghJ^mRzpGUR&<MHY5t;a?Xg$_yoS`2N`N
zu@N6ijqg*@+hEK~LBeHYphNBSM5EJV%9zcP_x~W?wwOkkv>FI!Ow~d7CYleOh8Q+W
zk#P2y-}@mK$J~5?uuB=#qc>jZNP^F!JdM^1nu{neRr+S?qRsFGl`;>myiqE2aQ7)^
zt!n6(g3vEZWdw46TkhyD$U18QY#wWkoAcwv|DT&Gto_MqbDI^-ZML`s9yx#2wmBBg
zknQ6s7}wedBVgNPw<aR1#ok>A@wwgb4DL?HIXlAl9mC@=(C7G(i2?i2j4#L%oRxN5
zigo^2g-iRKHQSKb=RAELq2}0<Hl#RQ-DX{}249n0k97#Ay0Qf|Cf!AG<fdVWNsq4@
zt*uo3-gp{L2{eL6(kM!#(Ue5VltQVLMq_9!jiYqRpz)MR6KEo3(IlEo+3<U(?0wOG
z{7jC}eyp}GN_AyUr5u_@xip<-P#)#eOqxZrsetB?hvw2enokR8Ar;ahT1-W>gqBh<
zm5`T8X&Ei26;wtmX%(%eHMEx2(RwPU4OBrJX%lUxO4>qOX&Y5hHEpLIR7172lXlT=
z+CzJ3A6%Jr3+}1D{yN%E2k0OjA|LtbFx687eEmljq5XAPlSO@Xt&swFb*<@2$6p%1
BX{i7J