committing changes in /etc made by "-bash"

Package changes:
2023-04-14 01:32:52 +03:00
parent 72dfd9177b
commit 8710bcfdbd
56 changed files with 1011 additions and 907 deletions
--- a/.etckeeper
+++ b/.etckeeper
@@ -734,11 +734,11 @@ maybe chmod 0755 'fail2ban'
 maybe chmod 0755 'fail2ban/action.d'
 maybe chmod 0644 'fail2ban/action.d/abuseipdb.conf'
 maybe chmod 0644 'fail2ban/action.d/apf.conf'
-maybe chmod 0644 'fail2ban/action.d/badips.conf'
+maybe chmod 0644 'fail2ban/action.d/apprise.conf'
 maybe chmod 0640 'fail2ban/action.d/badips.py'
 maybe chmod 0644 'fail2ban/action.d/badips.py.rpmnew'
 maybe chmod 0640 'fail2ban/action.d/badips.py.rpmsave'
 maybe chmod 0644 'fail2ban/action.d/blocklist_de.conf'
 maybe chmod 0644 'fail2ban/action.d/cloudflare-token.conf'
 maybe chmod 0644 'fail2ban/action.d/cloudflare.conf'
 maybe chmod 0644 'fail2ban/action.d/dshield.conf'
 maybe chmod 0644 'fail2ban/action.d/dummy.conf'
@@ -751,17 +751,18 @@ maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-logging.conf'
 maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-rules.conf'
 maybe chmod 0644 'fail2ban/action.d/helpers-common.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-allports.conf'
 maybe chmod 0640 'fail2ban/action.d/iptables-common.conf'
 maybe chmod 0640 'fail2ban/action.d/iptables-common.conf.rpmsave'
 maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto4.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6-allports.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6.conf'
 maybe chmod 0640 'fail2ban/action.d/iptables-ipset.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-ipset.conf.rpmnew'
 maybe chmod 0644 'fail2ban/action.d/iptables-multiport-log.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-multiport.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-new.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf'
 maybe chmod 0644 'fail2ban/action.d/iptables.conf'
 maybe chmod 0644 'fail2ban/action.d/ipthreat.conf'
 maybe chmod 0644 'fail2ban/action.d/mail-whois-common.conf'
 maybe chmod 0644 'fail2ban/action.d/mail.conf.rpmsave'
 maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf'
@@ -783,12 +784,12 @@ maybe chmod 0644 'fail2ban/action.d/sendmail-whois-matches.conf'
 maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf'
 maybe chmod 0644 'fail2ban/action.d/sendmail.conf'
 maybe chmod 0644 'fail2ban/action.d/shorewall-ipset-proto6.conf'
-maybe chmod 0640 'fail2ban/action.d/smtp.py'
+maybe chmod 0644 'fail2ban/action.d/smtp.py'
 maybe chmod 0644 'fail2ban/action.d/smtp.py.rpmnew'
 maybe chmod 0640 'fail2ban/action.d/smtp.py.rpmsave'
 maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf'
 maybe chmod 0644 'fail2ban/action.d/xarf-login-attack.conf'
-maybe chmod 0640 'fail2ban/fail2ban.conf'
+maybe chmod 0644 'fail2ban/fail2ban.conf'
 maybe chmod 0640 'fail2ban/fail2ban.conf.rpmsave'
 maybe chmod 0755 'fail2ban/fail2ban.d'
 maybe chmod 0755 'fail2ban/filter.d'
@@ -817,7 +818,7 @@ maybe chmod 0644 'fail2ban/filter.d/courier-smtp.conf'
 maybe chmod 0644 'fail2ban/filter.d/cyrus-imap.conf'
 maybe chmod 0644 'fail2ban/filter.d/directadmin.conf'
 maybe chmod 0644 'fail2ban/filter.d/domino-smtp.conf'
-maybe chmod 0640 'fail2ban/filter.d/dovecot.conf'
+maybe chmod 0644 'fail2ban/filter.d/dovecot.conf'
 maybe chmod 0644 'fail2ban/filter.d/dovecot.conf.rpmnew'
 maybe chmod 0640 'fail2ban/filter.d/dovecot.conf.rpmsave'
 maybe chmod 0644 'fail2ban/filter.d/dropbear.conf'
@@ -836,19 +837,22 @@ maybe chmod 0644 'fail2ban/filter.d/guacamole.conf'
 maybe chmod 0644 'fail2ban/filter.d/haproxy-http-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/horde.conf'
 maybe chmod 0755 'fail2ban/filter.d/ignorecommands'
-maybe chmod 0750 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot'
+maybe chmod 0755 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot'
 maybe chmod 0750 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot.rpmsave'
 maybe chmod 0644 'fail2ban/filter.d/kerio.conf'
 maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/mongodb-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/monit.conf'
 maybe chmod 0644 'fail2ban/filter.d/monitorix.conf'
 maybe chmod 0644 'fail2ban/filter.d/mssql-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/murmur.conf'
 maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/nagios.conf'
-maybe chmod 0640 'fail2ban/filter.d/named-refused.conf'
+maybe chmod 0644 'fail2ban/filter.d/named-refused.conf'
 maybe chmod 0644 'fail2ban/filter.d/named-refused.conf.rpmnew'
 maybe chmod 0640 'fail2ban/filter.d/named-refused.conf.rpmsave'
-maybe chmod 0640 'fail2ban/filter.d/nginx-botsearch.conf'
+maybe chmod 0644 'fail2ban/filter.d/nginx-bad-request.conf'
 maybe chmod 0644 'fail2ban/filter.d/nginx-botsearch.conf'
 maybe chmod 0640 'fail2ban/filter.d/nginx-botsearch.conf.rpmsave'
 maybe chmod 0640 'fail2ban/filter.d/nginx-forbidden.conf'
 maybe chmod 0644 'fail2ban/filter.d/nginx-http-auth.conf'
@@ -871,9 +875,10 @@ maybe chmod 0644 'fail2ban/filter.d/postfix.conf'
 maybe chmod 0644 'fail2ban/filter.d/proftpd.conf'
 maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf'
 maybe chmod 0644 'fail2ban/filter.d/qmail.conf'
-maybe chmod 0640 'fail2ban/filter.d/recidive.conf'
+maybe chmod 0644 'fail2ban/filter.d/recidive.conf'
 maybe chmod 0640 'fail2ban/filter.d/recidive.conf.rpmsave'
 maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/scanlogd.conf'
 maybe chmod 0644 'fail2ban/filter.d/screensharingd.conf'
 maybe chmod 0644 'fail2ban/filter.d/selinux-common.conf'
 maybe chmod 0644 'fail2ban/filter.d/selinux-ssh.conf'
@@ -886,7 +891,7 @@ maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf'
 maybe chmod 0644 'fail2ban/filter.d/squid.conf'
 maybe chmod 0644 'fail2ban/filter.d/squirrelmail.conf'
-maybe chmod 0640 'fail2ban/filter.d/sshd.conf'
+maybe chmod 0644 'fail2ban/filter.d/sshd.conf'
 maybe chmod 0644 'fail2ban/filter.d/stunnel.conf'
 maybe chmod 0644 'fail2ban/filter.d/suhosin.conf'
 maybe chmod 0644 'fail2ban/filter.d/tine20.conf'
@@ -898,7 +903,7 @@ maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf'
 maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf'
 maybe chmod 0644 'fail2ban/filter.d/znc-adminlog.conf'
 maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf'
-maybe chmod 0640 'fail2ban/jail.conf'
+maybe chmod 0644 'fail2ban/jail.conf'
 maybe chmod 0640 'fail2ban/jail.conf.rpmsave'
 maybe chmod 0755 'fail2ban/jail.d'
 maybe chmod 0644 'fail2ban/jail.d/00-firewalld.conf'
@@ -991,6 +996,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
 maybe chmod 0644 'httpd/conf.d/squid.conf'
 maybe chmod 0644 'httpd/conf.d/ssl.conf'
 maybe chmod 0640 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
@@ -3188,7 +3194,7 @@ maybe chmod 0644 'logrotate.d/btmp'
 maybe chmod 0644 'logrotate.d/chrony'
 maybe chmod 0644 'logrotate.d/clamav-unofficial-sigs'
 maybe chmod 0644 'logrotate.d/dnf'
-maybe chmod 0640 'logrotate.d/fail2ban'
+maybe chmod 0644 'logrotate.d/fail2ban'
 maybe chmod 0640 'logrotate.d/fail2ban.rpmsave'
 maybe chmod 0644 'logrotate.d/firewalld'
 maybe chmod 0644 'logrotate.d/httpd'
@@ -4144,9 +4150,7 @@ maybe chmod 0600 'nftables/nat.nft'
 maybe chmod 0700 'nftables/osf'
 maybe chmod 0600 'nftables/osf/pf.os'
 maybe chmod 0600 'nftables/router.nft'
-maybe chown 'nginx' 'nginx'
+maybe chmod 0755 'nginx'
 maybe chgrp 'nginx' 'nginx'
 maybe chmod 0750 'nginx'
 maybe chown 'nginx' 'nginx/.anaf'
 maybe chgrp 'nginx' 'nginx/.anaf'
 maybe chmod 0640 'nginx/.anaf'
@@ -4159,9 +4163,7 @@ maybe chmod 0640 'nginx/.passwd-madalin'
 maybe chown 'nginx' 'nginx/allowed_clients.config'
 maybe chgrp 'nginx' 'nginx/allowed_clients.config'
 maybe chmod 0640 'nginx/allowed_clients.config'
-maybe chown 'nginx' 'nginx/conf.d'
+maybe chmod 0755 'nginx/conf.d'
 maybe chgrp 'nginx' 'nginx/conf.d'
 maybe chmod 0750 'nginx/conf.d'
 maybe chown 'nginx' 'nginx/conf.d/_zira.go.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/_zira.go.ro.conf'
 maybe chmod 0640 'nginx/conf.d/_zira.go.ro.conf'
@@ -4679,9 +4681,7 @@ maybe chmod 0644 'nginx/default.d/php.conf'
 maybe chown 'nginx' 'nginx/fastcgi.conf'
 maybe chgrp 'nginx' 'nginx/fastcgi.conf'
 maybe chmod 0640 'nginx/fastcgi.conf'
-maybe chown 'nginx' 'nginx/fastcgi_params'
+maybe chmod 0644 'nginx/fastcgi_params'
 maybe chgrp 'nginx' 'nginx/fastcgi_params'
 maybe chmod 0640 'nginx/fastcgi_params'
 maybe chown 'nginx' 'nginx/html'
 maybe chgrp 'nginx' 'nginx/html'
 maybe chmod 0750 'nginx/html'
@@ -4697,9 +4697,7 @@ maybe chmod 0640 'nginx/lb_maint_5x.config'
 maybe chown 'nginx' 'nginx/lb_maintenance.config'
 maybe chgrp 'nginx' 'nginx/lb_maintenance.config'
 maybe chmod 0640 'nginx/lb_maintenance.config'
-maybe chown 'nginx' 'nginx/mime.types'
+maybe chmod 0644 'nginx/mime.types'
 maybe chgrp 'nginx' 'nginx/mime.types'
 maybe chmod 0640 'nginx/mime.types'
 maybe chown 'nginx' 'nginx/nginx.conf'
 maybe chgrp 'nginx' 'nginx/nginx.conf'
 maybe chmod 0640 'nginx/nginx.conf'
@@ -4712,9 +4710,7 @@ maybe chmod 0640 'nginx/off'
 maybe chown 'nginx' 'nginx/proxy.inc'
 maybe chgrp 'nginx' 'nginx/proxy.inc'
 maybe chmod 0640 'nginx/proxy.inc'
-maybe chown 'nginx' 'nginx/scgi_params'
+maybe chmod 0644 'nginx/scgi_params'
 maybe chgrp 'nginx' 'nginx/scgi_params'
 maybe chmod 0640 'nginx/scgi_params'
 maybe chown 'nginx' 'nginx/sites-available'
 maybe chgrp 'nginx' 'nginx/sites-available'
 maybe chmod 0750 'nginx/sites-available'
@@ -4757,9 +4753,7 @@ maybe chmod 0640 'nginx/ssl/demo1.cpuburnin.com.pem'
 maybe chown 'nginx' 'nginx/ssl/dhparam.pem'
 maybe chgrp 'nginx' 'nginx/ssl/dhparam.pem'
 maybe chmod 0640 'nginx/ssl/dhparam.pem'
-maybe chown 'nginx' 'nginx/uwsgi_params'
+maybe chmod 0644 'nginx/uwsgi_params'
 maybe chgrp 'nginx' 'nginx/uwsgi_params'
 maybe chmod 0640 'nginx/uwsgi_params'
 maybe chmod 0644 'npmrc'
 maybe chmod 0755 'nrpe.d'
 maybe chmod 0644 'nsswitch.conf'
--- a/fail2ban/action.d/apprise.conf
+++ b/fail2ban/action.d/apprise.conf
@@ -0,0 +1,49 @@
 # Fail2Ban configuration file
 #
 # Author: Chris Caron <lead2gold@gmail.com>
 #
 #
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
 actionstart = printf %%b "The jail <name> as been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
 actionstop = printf %%b "The jail <name> has been stopped." | <apprise> -t "[Fail2Ban] <name>: stopped on `uname -n`"
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = printf %%b "The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>" | <apprise> -n "warning" -t "[Fail2Ban] <name>: banned <ip> from `uname -n`"
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban =
 [Init]
 # Define location of the default apprise configuration file to use
 #
 config = /etc/fail2ban/apprise.conf
 #
 apprise = apprise -c "<config>"
--- a/fail2ban/action.d/badips.conf
+++ b/fail2ban/action.d/badips.conf
@@ -1,19 +0,0 @@
 # Fail2ban reporting to badips.com
 #
 # Note: This reports an IP only and does not actually ban traffic. Use
 # another action in the same jail if you want bans to occur.
 #
 # Set the category to the appropriate value before use.
 #
 # To get see register and optional key to get personalised graphs see:
 # http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
 [Definition]
 actionban = curl --fail  --user-agent "<agent>" http://www.badips.com/add/<category>/<ip>
 [Init]
 # Option: category
 # Notes.: Values are from the list here: http://www.badips.com/get/categories
 category = 
--- a/fail2ban/action.d/badips.py
+++ b/fail2ban/action.d/badips.py
@@ -1,392 +0,0 @@
 # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
 # vi: set ft=python sts=4 ts=4 sw=4 noet :
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # Fail2Ban is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 import sys
 if sys.version_info < (2, 7): # pragma: no cover
 	raise ImportError("badips.py action requires Python >= 2.7")
 import json
 import threading
 import logging
 if sys.version_info >= (3, ): # pragma: 2.x no cover
 	from urllib.request import Request, urlopen
 	from urllib.parse import urlencode
 	from urllib.error import HTTPError
 else: # pragma: 3.x no cover
 	from urllib.request import Request, urlopen
 	from urllib.error import HTTPError
 	from urllib.parse import urlencode
 from fail2ban.server.actions import Actions, ActionBase, BanTicket
 from fail2ban.helpers import splitwords, str2LogLevel
 class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
 	"""Fail2Ban action which reports bans to badips.com, and also
 	blacklist bad IPs listed on badips.com by using another action's
 	ban method.
 	Parameters
 	----------
 	jail : Jail
 		The jail which the action belongs to.
 	name : str
 		Name assigned to the action.
 	category : str
 		Valid badips.com category for reporting failures.
 	score : int, optional
 		Minimum score for bad IPs. Default 3.
 	age : str, optional
 		Age of last report for bad IPs, per badips.com syntax.
 		Default "24h" (24 hours)
 	banaction : str, optional
 		Name of banaction to use for blacklisting bad IPs. If `None`,
 		no blacklist of IPs will take place.
 		Default `None`.
 	bancategory : str, optional
 		Name of category to use for blacklisting, which can differ
 		from category used for reporting. e.g. may want to report
 		"postfix", but want to use whole "mail" category for blacklist.
 		Default `category`.
 	bankey : str, optional
 		Key issued by badips.com to retrieve personal list
 		of blacklist IPs.
 	updateperiod : int, optional
 		Time in seconds between updating bad IPs blacklist.
 		Default 900 (15 minutes)
 	loglevel : int/str, optional
 		Log level of the message when an IP is (un)banned.
 		Default `DEBUG`.
 		Can be also supplied as two-value list (comma- or space separated) to
 		provide level of the summary message when a group of IPs is (un)banned.
 		Example `DEBUG,INFO`.
 	agent : str, optional
 		User agent transmitted to server.
 		Default `Fail2Ban/ver.`
 	Raises
 	------
 	ValueError
 		If invalid `category`, `score`, `banaction` or `updateperiod`.
 	"""
 	TIMEOUT = 10
 	_badips = "https://www.badips.com"
 	def _Request(self, url, **argv):
 		return Request(url, headers={'User-Agent': self.agent}, **argv)
 	def __init__(self, jail, name, category, score=3, age="24h",
 		banaction=None, bancategory=None, bankey=None, updateperiod=900, 
 		loglevel='DEBUG', agent="Fail2Ban", timeout=TIMEOUT):
 		super(BadIPsAction, self).__init__(jail, name)
 		self.timeout = timeout
 		self.agent = agent
 		self.category = category
 		self.score = score
 		self.age = age
 		self.banaction = banaction
 		self.bancategory = bancategory or category
 		self.bankey = bankey
 		loglevel = splitwords(loglevel)
 		self.sumloglevel = str2LogLevel(loglevel[-1])
 		self.loglevel = str2LogLevel(loglevel[0])
 		self.updateperiod = updateperiod
 		self._bannedips = set()
 		# Used later for threading.Timer for updating badips
 		self._timer = None
 	@staticmethod
 	def isAvailable(timeout=1):
 		try:
 			response = urlopen(Request("/".join([BadIPsAction._badips]),
 					headers={'User-Agent': "Fail2Ban"}), timeout=timeout)
 			return True, ''
 		except Exception as e: # pragma: no cover
 			return False, e
 	def logError(self, response, what=''): # pragma: no cover - sporadical (502: Bad Gateway, etc)
 		messages = {}
 		try:
 			messages = json.loads(response.read().decode('utf-8'))
 		except:
 			pass
 		self._logSys.error(
 			"%s. badips.com response: '%s'", what,
 				messages.get('err', 'Unknown'))
 	def getCategories(self, incParents=False):
 		"""Get badips.com categories.
 		Returns
 		-------
 		set
 			Set of categories.
 		Raises
 		------
 		HTTPError
 			Any issues with badips.com request.
 		ValueError
 			If badips.com response didn't contain necessary information
 		"""
 		try:
 			response = urlopen(
 				self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout)
 		except HTTPError as response: # pragma: no cover
 			self.logError(response, "Failed to fetch categories")
 			raise
 		else:
 			response_json = json.loads(response.read().decode('utf-8'))
 			if not 'categories' in response_json:
 				err = "badips.com response lacked categories specification. Response was: %s" \
 				  % (response_json,)
 				self._logSys.error(err)
 				raise ValueError(err)
 			categories = response_json['categories']
 			categories_names = set(
 				value['Name'] for value in categories)
 			if incParents:
 				categories_names.update(set(
 					value['Parent'] for value in categories
 					if "Parent" in value))
 			return categories_names
 	def getList(self, category, score, age, key=None):
 		"""Get badips.com list of bad IPs.
 		Parameters
 		----------
 		category : str
 			Valid badips.com category.
 		score : int
 			Minimum score for bad IPs.
 		age : str
 			Age of last report for bad IPs, per badips.com syntax.
 		key : str, optional
 			Key issued by badips.com to fetch IPs reported with the
 			associated key.
 		Returns
 		-------
 		set
 			Set of bad IPs.
 		Raises
 		------
 		HTTPError
 			Any issues with badips.com request.
 		"""
 		try:
 			url = "?".join([
 				"/".join([self._badips, "get", "list", category, str(score)]),
 				urlencode({'age': age})])
 			if key:
 				url = "&".join([url, urlencode({'key': key})])
 			self._logSys.debug('badips.com: get list, url: %r', url)
 			response = urlopen(self._Request(url), timeout=self.timeout)
 		except HTTPError as response: # pragma: no cover
 			self.logError(response, "Failed to fetch bad IP list")
 			raise
 		else:
 			return set(response.read().decode('utf-8').split())
 	@property
 	def category(self):
 		"""badips.com category for reporting IPs.
 		"""
 		return self._category
 	@category.setter
 	def category(self, category):
 		if category not in self.getCategories():
 			self._logSys.error("Category name '%s' not valid. "
 				"see badips.com for list of valid categories",
 				category)
 			raise ValueError("Invalid category: %s" % category)
 		self._category = category
 	@property
 	def bancategory(self):
 		"""badips.com bancategory for fetching IPs.
 		"""
 		return self._bancategory
 	@bancategory.setter
 	def bancategory(self, bancategory):
 		if bancategory != "any" and bancategory not in self.getCategories(incParents=True):
 			self._logSys.error("Category name '%s' not valid. "
 				"see badips.com for list of valid categories",
 				bancategory)
 			raise ValueError("Invalid bancategory: %s" % bancategory)
 		self._bancategory = bancategory
 	@property
 	def score(self):
 		"""badips.com minimum score for fetching IPs.
 		"""
 		return self._score
 	@score.setter
 	def score(self, score):
 		score = int(score)
 		if 0 <= score <= 5:
 			self._score = score
 		else:
 			raise ValueError("Score must be 0-5")
 	@property
 	def banaction(self):
 		"""Jail action to use for banning/unbanning.
 		"""
 		return self._banaction
 	@banaction.setter
 	def banaction(self, banaction):
 		if banaction is not None and banaction not in self._jail.actions:
 			self._logSys.error("Action name '%s' not in jail '%s'",
 				banaction, self._jail.name)
 			raise ValueError("Invalid banaction")
 		self._banaction = banaction
 	@property
 	def updateperiod(self):
 		"""Period in seconds between banned bad IPs will be updated.
 		"""
 		return self._updateperiod
 	@updateperiod.setter
 	def updateperiod(self, updateperiod):
 		updateperiod = int(updateperiod)
 		if updateperiod > 0:
 			self._updateperiod = updateperiod
 		else:
 			raise ValueError("Update period must be integer greater than 0")
 	def _banIPs(self, ips):
 		for ip in ips:
 			try:
 				ai = Actions.ActionInfo(BanTicket(ip), self._jail)
 				self._jail.actions[self.banaction].ban(ai)
 			except Exception as e:
 				self._logSys.error(
 					"Error banning IP %s for jail '%s' with action '%s': %s",
 					ip, self._jail.name, self.banaction, e,
 					exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
 			else:
 				self._bannedips.add(ip)
 				self._logSys.log(self.loglevel,
 					"Banned IP %s for jail '%s' with action '%s'",
 					ip, self._jail.name, self.banaction)
 	def _unbanIPs(self, ips):
 		for ip in ips:
 			try:
 				ai = Actions.ActionInfo(BanTicket(ip), self._jail)
 				self._jail.actions[self.banaction].unban(ai)
 			except Exception as e:
 				self._logSys.error(
 					"Error unbanning IP %s for jail '%s' with action '%s': %s",
 					ip, self._jail.name, self.banaction, e,
 					exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
 			else:
 				self._logSys.log(self.loglevel,
 					"Unbanned IP %s for jail '%s' with action '%s'",
 					ip, self._jail.name, self.banaction)
 			finally:
 				self._bannedips.remove(ip)
 	def start(self):
 		"""If `banaction` set, blacklists bad IPs.
 		"""
 		if self.banaction is not None:
 			self.update()
 	def update(self):
 		"""If `banaction` set, updates blacklisted IPs.
 		Queries badips.com for list of bad IPs, removing IPs from the
 		blacklist if no longer present, and adds new bad IPs to the
 		blacklist.
 		"""
 		if self.banaction is not None:
 			if self._timer:
 				self._timer.cancel()
 				self._timer = None
 			try:
 				ips = self.getList(
 					self.bancategory, self.score, self.age, self.bankey)
 				# Remove old IPs no longer listed
 				s = self._bannedips - ips
 				m = len(s)
 				self._unbanIPs(s)
 				# Add new IPs which are now listed
 				s = ips - self._bannedips
 				p = len(s)
 				self._banIPs(s)
 				if m != 0 or p != 0:
 					self._logSys.log(self.sumloglevel,
 						"Updated IPs for jail '%s' (-%d/+%d)",
 						self._jail.name, m, p)
 				self._logSys.debug(
 					"Next update for jail '%' in %i seconds",
 					self._jail.name, self.updateperiod)
 			finally:
 				self._timer = threading.Timer(self.updateperiod, self.update)
 				self._timer.start()
 	def stop(self):
 		"""If `banaction` set, clears blacklisted IPs.
 		"""
 		if self.banaction is not None:
 			if self._timer:
 				self._timer.cancel()
 				self._timer = None
 			self._unbanIPs(self._bannedips.copy())
 	def ban(self, aInfo):
 		"""Reports banned IP to badips.com.
 		Parameters
 		----------
 		aInfo : dict
 			Dictionary which includes information in relation to
 			the ban.
 		Raises
 		------
 		HTTPError
 			Any issues with badips.com request.
 		"""
 		try:
 			url = "/".join([self._badips, "add", self.category, str(aInfo['ip'])])
 			self._logSys.debug('badips.com: ban, url: %r', url)
 			response = urlopen(self._Request(url), timeout=self.timeout)
 		except HTTPError as response: # pragma: no cover
 			self.logError(response, "Failed to ban")
 			raise
 		else:
 			messages = json.loads(response.read().decode('utf-8'))
 			self._logSys.debug(
 				"Response from badips.com report: '%s'",
 				messages['suc'])
 Action = BadIPsAction
--- a/fail2ban/action.d/cloudflare-token.conf
+++ b/fail2ban/action.d/cloudflare-token.conf
@@ -0,0 +1,92 @@
 #
 # Author: Logic-32
 #
 # IMPORTANT
 #
 # Please set jail.local's permission to 640 because it contains your CF API token.
 #
 # This action depends on curl.
 #
 # To get your Cloudflare API token: https://developers.cloudflare.com/api/tokens/create/
 #
 # Cloudflare Firewall API: https://developers.cloudflare.com/firewall/api/cf-firewall-rules/endpoints/
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart =
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop =
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    <ip>  IP address
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 actionban = curl -s -X POST "<_cf_api_url>" \
              <_cf_api_prms> \
              --data '{"mode":"<cfmode>","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"<notes>"}'
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    <ip>  IP address
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
 actionunban = id=$(curl -s -X GET "<_cf_api_url>?mode=<cfmode>&notes=<notes>&configuration.target=<cftarget>&configuration.value=<ip>" \
                       <_cf_api_prms> \
                       | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
                       | tr -d ' "' \
                       | head -n 1)
              if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found using target <cftarget>"; exit 0; fi; \
              curl -s -X DELETE "<_cf_api_url>/$id" \
                  <_cf_api_prms> \
                  --data '{"cascade": "none"}'
 _cf_api_url = https://api.cloudflare.com/client/v4/zones/<cfzone>/firewall/access_rules/rules
 _cf_api_prms = -H "Authorization: Bearer <cftoken>" -H "Content-Type: application/json"
 [Init]
 # Declare your Cloudflare Authorization Bearer Token in the [DEFAULT] section of your jail.local file.
 # The Cloudflare <ZONE_ID> of hte domain you want to manage.
 #
 # cfzone =
 # Your personal Cloudflare token.  Ideally restricted to just have "Zone.Firewall Services" permissions.
 #
 # cftoken =
 # Target of the firewall rule.  Default is "ip" (v4).
 #
 cftarget = ip
 # The firewall mode Cloudflare should use.  Default is "block" (deny access).
 # Consider also "js_challenge" or other "allowed_modes" if you want.
 #
 cfmode = block
 # The message to include in the firewall IP banning rule.
 #
 notes = Fail2Ban <name>
 [Init?family=inet6]
 cftarget = ip6
--- a/fail2ban/action.d/cloudflare.conf
+++ b/fail2ban/action.d/cloudflare.conf
@@ -44,7 +44,7 @@ actioncheck =
 #actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
 # API v4
 actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
-            -d '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"Fail2Ban <name>"}' \
+            -d '{"mode":"block","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"Fail2Ban <name>"}' \
            <_cf_api_url>
 # Option:  actionunban
@@ -59,7 +59,7 @@ actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
 #actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
 # API v4
 actionunban = id=$(curl -s -X GET <_cf_api_prms> \
-                   "<_cf_api_url>?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban%%20<name>" \
+                   "<_cf_api_url>?mode=block&configuration_target=<cftarget>&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban%%20<name>" \
                   | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; })
              if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
              curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id"
@@ -81,3 +81,8 @@ _cf_api_prms = -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' -H 'Conten
 cftoken =
 cfuser =
 cftarget = ip
 [Init?family=inet6]
 cftarget = ip6
--- a/fail2ban/action.d/dshield.conf
+++ b/fail2ban/action.d/dshield.conf
@@ -179,7 +179,7 @@ tcpflags =
 # Notes.:  Your system mail command. Is passed 2 args: subject and recipient
 # Values:  CMD
 #
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
 # Option:  mailargs
 # Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
--- a/fail2ban/action.d/firewallcmd-ipset.conf
+++ b/fail2ban/action.d/firewallcmd-ipset.conf
@@ -18,20 +18,45 @@ before = firewallcmd-common.conf
 [Definition]
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+actionstart = <ipstype_<ipsettype>/actionstart>
              firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
-actionflush = ipset flush <ipmset>
+actionflush = <ipstype_<ipsettype>/actionflush>
 actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
             <actionflush>
-             ipset destroy <ipmset>
+             <ipstype_<ipsettype>/actionstop>
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
+actionban = <ipstype_<ipsettype>/actionban>
 # actionprolong = %(actionban)s
-actionunban = ipset del <ipmset> <ip> -exist
+actionunban = <ipstype_<ipsettype>/actionunban>
 [ipstype_ipset]
 actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
 actionflush = ipset flush <ipmset>
 actionstop = ipset destroy <ipmset>
 actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
 actionunban = ipset -exist del <ipmset> <ip>
 [ipstype_firewalld]
 actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>
 # TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
 actionflush = 
 actionstop = firewall-cmd --direct --delete-ipset=<ipmset>
 actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
 actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
 [Init]
@@ -56,6 +81,12 @@ ipsettime = 0
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 # Option: ipsettype
 # Notes.: defines type of ipset used for match-set (firewalld or ipset)
 # Values: firewalld or ipset
 # Default: ipset
 ipsettype = ipset
 # Option: actiontype
 # Notes.: defines additions to the blocking rule
 # Values: leave empty to block all attempts from the host
@@ -71,18 +102,20 @@ allports = -p <protocol>
 # Option: multiport
 # Notes.: addition to block access only to specific ports
 # Usage.: use in jail config:  banaction = firewallcmd-ipset[actiontype=<multiport>]
-multiport = -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)"
+multiport = -p <protocol> -m multiport --dports <port>
 ipmset = f2b-<name>
 familyopt =
 firewalld_familyopt =
 [Init?family=inet6]
 ipmset = f2b-<name>6
 familyopt = family inet6
 firewalld_familyopt = --option=family=inet6
 # DEV NOTES:
 #
-# Author: Edgar Hoch and Daniel Black
+# Author: Edgar Hoch, Daniel Black, Sergey Brester and Mihail Politaev
 # firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
--- a/fail2ban/action.d/firewallcmd-multiport.conf
+++ b/fail2ban/action.d/firewallcmd-multiport.conf
@@ -11,9 +11,9 @@ before = firewallcmd-common.conf
 actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
              firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
             firewall-cmd --direct --remove-rules <family> filter f2b-<name>
             firewall-cmd --direct --remove-chain <family> filter f2b-<name>
--- a/fail2ban/action.d/firewallcmd-new.conf
+++ b/fail2ban/action.d/firewallcmd-new.conf
@@ -10,9 +10,9 @@ before = firewallcmd-common.conf
 actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
              firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
             firewall-cmd --direct --remove-rules <family> filter f2b-<name>
             firewall-cmd --direct --remove-chain <family> filter f2b-<name>
--- a/fail2ban/action.d/firewallcmd-rich-rules.conf
+++ b/fail2ban/action.d/firewallcmd-rich-rules.conf
@@ -37,8 +37,8 @@ actioncheck =
 fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
-actionban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
+actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
-actionunban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
+actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
 rich-suffix = <rich-blocktype>
--- a/fail2ban/action.d/iptables-allports.conf
+++ b/fail2ban/action.d/iptables-allports.conf
@@ -4,52 +4,12 @@
 # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
 # 			made active on all ports from original iptables.conf
 #
-#
+# Obsolete: superseded by iptables[type=allports]
 [INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
 [Definition]
-# Option:  actionstart
+type = allports
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
--- a/fail2ban/action.d/iptables-common.conf
+++ b/fail2ban/action.d/iptables-common.conf
@@ -1,92 +0,0 @@
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
 #
 # This is a included configuration file and includes the definitions for the iptables
 # used in all iptables based actions by default.
 #
 # The user can override the defaults in iptables-common.local
 #
 # Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
 #       made config file IPv6 capable (see new section Init?family=inet6)
 [INCLUDES]
 after = iptables-blocktype.local
        iptables-common.local
 # iptables-blocktype.local is obsolete
 [Definition]
 # Option:  actionflush
 # Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
 # Values:  CMD
 #
 actionflush = <iptables> -F f2b-<name>
 [Init]
 # Option:  chain
 # Notes    specifies the iptables chain to which the Fail2Ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default:
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option:  blocktype
 # Note:    This is what the action does with rules. This can be any jump target
 #          as per the iptables man page (section 8). Common values are DROP
 #          REJECT, REJECT --reject-with icmp-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp-port-unreachable
 # Option:  returntype
 # Note:    This is the default rule on "actionstart". This should be RETURN
 #          in all (blocking) actions, except REJECT in allowing actions.
 # Values:  STRING
 returntype = RETURN
 # Option:  lockingopt
 # Notes.:  Option was introduced to iptables to prevent multiple instances from
 #          running concurrently and causing irratic behavior.  -w was introduced
 #          in iptables 1.4.20, so might be absent on older systems
 #          See https://github.com/fail2ban/fail2ban/issues/1122
 # Values:  STRING
 lockingopt = -w
 # Option:  iptables
 # Notes.:  Actual command to be executed, including common to all calls options
 # Values:  STRING
 iptables = iptables <lockingopt>
 [Init?family=inet6]
 # Option:  blocktype (ipv6)
 # Note:    This is what the action does with rules. This can be any jump target
 #          as per the iptables man page (section 8). Common values are DROP
 #          REJECT, REJECT --reject-with icmp6-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp6-port-unreachable
 # Option:  iptables (ipv6)
 # Notes.:  Actual command to be executed, including common to all calls options
 # Values:  STRING
 iptables = ip6tables <lockingopt>
--- a/fail2ban/action.d/iptables-ipset-proto4.conf
+++ b/fail2ban/action.d/iptables-ipset-proto4.conf
@@ -19,7 +19,7 @@
 [INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
 [Definition]
@@ -28,7 +28,7 @@ before = iptables-common.conf
 # Values:  CMD
 #
 actionstart = ipset --create f2b-<name> iphash
-              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+              <_ipt_add_rules>
 # Option:  actionflush
@@ -41,7 +41,7 @@ actionflush = ipset --flush f2b-<name>
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = <_ipt_del_rules>
             <actionflush>
             ipset --destroy f2b-<name>
@@ -61,5 +61,6 @@ actionban = ipset --test f2b-<name> <ip> ||  ipset --add f2b-<name> <ip>
 #
 actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
-[Init]
+# Several capabilities used internaly:
 rule-jump = -m set --match-set f2b-<name> src -j <blocktype>
--- a/fail2ban/action.d/iptables-ipset-proto6-allports.conf
+++ b/fail2ban/action.d/iptables-ipset-proto6-allports.conf
@@ -15,73 +15,13 @@
 #
 # Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
 #       made config file IPv6 capable (see new section Init?family=inet6)
 #
 # Obsolete: superseded by iptables-ipset[type=allports]
 [INCLUDES]
-before = iptables-common.conf
+before = iptables-ipset.conf
 [Definition]
-# Option:  actionstart
+type = allports
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
              <iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
 # Option:  actionflush
 # Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
 # Values:  CMD
 #
 actionflush = ipset flush <ipmset>
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
             <actionflush>
             ipset destroy <ipmset>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
 # actionprolong = %(actionban)s
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = ipset del <ipmset> <ip> -exist
 [Init]
 # Option: default-ipsettime
 # Notes:  specifies default timeout in seconds (handled default ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
 default-ipsettime = 0
 # Option: ipsettime
 # Notes:  specifies ticket timeout (handled ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
 ipsettime = 0
 # expresion to caclulate timeout from bantime, example:
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 ipmset = f2b-<name>
 familyopt =
 [Init?family=inet6]
 ipmset = f2b-<name>6
 familyopt = family inet6
--- a/fail2ban/action.d/iptables-ipset-proto6.conf
+++ b/fail2ban/action.d/iptables-ipset-proto6.conf
@@ -15,73 +15,13 @@
 #
 # Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
 #       made config file IPv6 capable (see new section Init?family=inet6)
 #
 # Obsolete: superseded by iptables-ipset[type=multiport]
 [INCLUDES]
-before = iptables-common.conf
+before = iptables-ipset.conf
 [Definition]
-# Option:  actionstart
+type = multiport
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
 # Option:  actionflush
 # Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
 # Values:  CMD
 #
 actionflush = ipset flush <ipmset>
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
             <actionflush>
             ipset destroy <ipmset>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
 # actionprolong = %(actionban)s
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = ipset del <ipmset> <ip> -exist
 [Init]
 # Option: default-ipsettime
 # Notes:  specifies default timeout in seconds (handled default ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
 default-ipsettime = 0
 # Option: ipsettime
 # Notes:  specifies ticket timeout (handled ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
 ipsettime = 0
 # expresion to caclulate timeout from bantime, example:
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 ipmset = f2b-<name>
 familyopt =
 [Init?family=inet6]
 ipmset = f2b-<name>6
 familyopt = family inet6
--- a/fail2ban/action.d/iptables-ipset.conf.rpmnew
+++ b/fail2ban/action.d/iptables-ipset.conf.rpmnew
@@ -0,0 +1,90 @@
 # Fail2Ban configuration file
 #
 # Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe
 #
 # This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
 # Use ipset -V to see the protocol and version. Version 4 should use
 # iptables-ipset-proto4.conf.
 #
 # This requires the program ipset which is normally in package called ipset.
 #
 # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
 #
 # If you are running on an older kernel you make need to patch in external
 # modules.
 #
 [INCLUDES]
 before = iptables.conf
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
              <_ipt_add_rules>
 # Option:  actionflush
 # Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
 # Values:  CMD
 #
 actionflush = ipset flush <ipmset>
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop = <_ipt_del_rules>
             <actionflush>
             ipset destroy <ipmset>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
 # actionprolong = %(actionban)s
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = ipset -exist del <ipmset> <ip>
 # Several capabilities used internaly:
 rule-jump = -m set --match-set <ipmset> src -j <blocktype>
 [Init]
 # Option: default-ipsettime
 # Notes:  specifies default timeout in seconds (handled default ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
 default-ipsettime = 0
 # Option: ipsettime
 # Notes:  specifies ticket timeout (handled ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
 ipsettime = 0
 # expresion to caclulate timeout from bantime, example:
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 ipmset = f2b-<name>
 familyopt =
 [Init?family=inet6]
 ipmset = f2b-<name>6
 familyopt = family inet6
--- a/fail2ban/action.d/iptables-multiport-log.conf
+++ b/fail2ban/action.d/iptables-multiport-log.conf
@@ -11,7 +11,7 @@
 [INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
 [Definition]
--- a/fail2ban/action.d/iptables-multiport.conf
+++ b/fail2ban/action.d/iptables-multiport.conf
@@ -3,50 +3,12 @@
 # Author: Cyril Jaquier
 # Modified by Yaroslav Halchenko for multiport banning
 #
 # Obsolete: superseded by iptables[type=multiport]
 [INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
 [Definition]
-# Option:  actionstart
+type = multiport
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
--- a/fail2ban/action.d/iptables-new.conf
+++ b/fail2ban/action.d/iptables-new.conf
@@ -4,51 +4,12 @@
 # Copied from iptables.conf and modified by Yaroslav Halchenko 
 #  to fulfill the needs of bugreporter dbts#350746.
 #
-#
+# Obsolete: superseded by iptables[pre-rule='-m state --state NEW<sp>']
 [INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
 [Definition]
-# Option:  actionstart
+pre-rule = -m state --state NEW<sp>
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop = <iptables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
 [Init]
--- a/fail2ban/action.d/iptables-xt_recent-echo.conf
+++ b/fail2ban/action.d/iptables-xt_recent-echo.conf
@@ -7,10 +7,14 @@
 [INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
 [Definition]
 _ipt_chain_rule = -m recent --update --seconds 3600 --name <iptname> -j <blocktype>
 _ipt_for_proto-iter =
 _ipt_for_proto-done =
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
@@ -33,7 +37,9 @@ before = iptables-common.conf
 #    own rules. The 3600 second timeout is independent and acts as a
 #    safeguard in case the fail2ban process dies unexpectedly. The
 #    shorter of the two timeouts actually matters.
-actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update --seconds 3600 --name <iptname> -j <blocktype>;fi
+actionstart = if [ `id -u` -eq 0 ];then
              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
              fi
 # Option:  actionflush
 #
@@ -46,13 +52,15 @@ actionflush =
 # Values:  CMD
 #
 actionstop = echo / > /proc/net/xt_recent/<iptname>
-             if [ `id -u` -eq 0 ];then <iptables> -D <chain> -m recent --update --seconds 3600 --name <iptname> -j <blocktype>;fi
+             if [ `id -u` -eq 0 ];then
             <iptables> -D <chain> %(_ipt_chain_rule)s;
             fi
 # Option:  actioncheck
-# Notes.:  command executed once before each actionban command
+# Notes.:  command executed as invariant check (error by ban)
 # Values:  CMD
 #
-actioncheck = test -e /proc/net/xt_recent/<iptname>
+actioncheck = { <iptables> -C <chain> %(_ipt_chain_rule)s; } && test -e /proc/net/xt_recent/<iptname>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -72,7 +80,7 @@ actionunban = echo -<ip> > /proc/net/xt_recent/<iptname>
 [Init]
-iptname              = f2b-<name>
+iptname = f2b-<name>
 [Init?family=inet6]
--- a/fail2ban/action.d/iptables.conf
+++ b/fail2ban/action.d/iptables.conf
@@ -1,28 +1,35 @@
 # Fail2Ban configuration file
 #
-# Author: Cyril Jaquier
+# Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black, 
 #          Yaroslav O. Halchenko, Alexander Koeppe et al.
 #
 #
 [INCLUDES]
 before = iptables-common.conf
 [Definition]
 # Option:  type
 # Notes.:  type of the action.
 # Values:  [ oneport | multiport | allports ]  Default: oneport
 #
 type = oneport
 # Option:  actionflush
 # Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
 # Values:  CMD
 #
 actionflush = <iptables> -F f2b-<name>
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
-actionstart = <iptables> -N f2b-<name>
+actionstart = { <iptables> -C f2b-<name> -j <returntype> >/dev/null 2>&1; } || { <iptables> -N f2b-<name> || true; <iptables> -A f2b-<name> -j <returntype>; }
-              <iptables> -A f2b-<name> -j <returntype>
+              <_ipt_add_rules>
              <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
-actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
+actionstop = <_ipt_del_rules>
             <actionflush>
             <iptables> -X f2b-<name>
@@ -30,7 +37,7 @@ actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck = <_ipt_check_rules>
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -48,5 +55,108 @@ actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
 #
 actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
 # Option:  pre-rule
 # Notes.:  prefix parameter(s) inserted to the begin of rule. No default (empty)
 #
 pre-rule =
 rule-jump = -j <_ipt_rule_target>
 # Several capabilities used internaly:
 _ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
 _ipt_for_proto-done = done
 _ipt_add_rules = <_ipt_for_proto-iter>
              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
              <_ipt_for_proto-done>
 _ipt_del_rules = <_ipt_for_proto-iter>
              <iptables> -D <chain> %(_ipt_chain_rule)s
              <_ipt_for_proto-done>
 _ipt_check_rules = <_ipt_for_proto-iter>
              %(_ipt_check_rule)s
              <_ipt_for_proto-done>
 _ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
 _ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
 _ipt_rule_target = f2b-<name>
 [ipt_oneport]
 _chain_rule = -p $proto --dport <port> <rule-jump>
 [ipt_multiport]
 _chain_rule = -p $proto -m multiport --dports <port> <rule-jump>
 [ipt_allports]
 _chain_rule = -p $proto <rule-jump>
 [Init]
 # Option:  chain
 # Notes    specifies the iptables chain to which the Fail2Ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
 # Default name of the chain
 #
 name = default
 # Option:  port
 # Notes.:  specifies port to monitor
 # Values:  [ NUM | STRING ]  Default:
 #
 port = ssh
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
 # Option:  blocktype
 # Note:    This is what the action does with rules. This can be any jump target
 #          as per the iptables man page (section 8). Common values are DROP
 #          REJECT, REJECT --reject-with icmp-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp-port-unreachable
 # Option:  returntype
 # Note:    This is the default rule on "actionstart". This should be RETURN
 #          in all (blocking) actions, except REJECT in allowing actions.
 # Values:  STRING
 returntype = RETURN
 # Option:  lockingopt
 # Notes.:  Option was introduced to iptables to prevent multiple instances from
 #          running concurrently and causing irratic behavior.  -w was introduced
 #          in iptables 1.4.20, so might be absent on older systems
 #          See https://github.com/fail2ban/fail2ban/issues/1122
 # Values:  STRING
 lockingopt = -w
 # Option:  iptables
 # Notes.:  Actual command to be executed, including common to all calls options
 # Values:  STRING
 iptables = iptables <lockingopt>
 [Init?family=inet6]
 # Option:  blocktype (ipv6)
 # Note:    This is what the action does with rules. This can be any jump target
 #          as per the iptables man page (section 8). Common values are DROP
 #          REJECT, REJECT --reject-with icmp6-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp6-port-unreachable
 # Option:  iptables (ipv6)
 # Notes.:  Actual command to be executed, including common to all calls options
 # Values:  STRING
 iptables = ip6tables <lockingopt>
--- a/fail2ban/action.d/ipthreat.conf
+++ b/fail2ban/action.d/ipthreat.conf
@@ -0,0 +1,107 @@
 # IPThreat configuration file
 #
 # Added to fail2ban by Jeff Johnson (jjxtra)
 #
 # Action to report IP address to ipthreat.net
 #
 # You must sign up to obtain an API key from ipthreat.net and request bulk report permissions
 # https://ipthreat.net/integrations
 #
 # IPThreat is a 100% free site and service, all data is licensed under a creative commons by attribution license
 # Please do not integrate if you do not agree to the license
 #
 # IMPORTANT:
 #
 # Reporting an IP is a serious action. Make sure that it is legit.
 # Consider using this action only for:
 #   * IP that has been banned more than once
 #   * High max retry to avoid user mis-typing password
 #   * Filters that are unlikely to be human error
 #
 # Example:
 # ```
 #   action = %(known/action)s
 #            ipthreat[]
 # ```
 #
 # The action accepts the following arguments: ipthreat[ipthreat_flags="8",ipthreat_system="SSH", ipthreat_apikey=...]
 # In most cases your action could be as simple as: ipthreat[], since the default flags and system are set to the most correct default values.
 # You can optionally override ipthreat_system and ipthreat_flags if desired.
 # The ipthreat_apikey must be set at the bottom of this configuration file.
 #
 # `ipthreat_system` is a short name of the system attacked, i.e. SSH, SMTP, MYSQL, PHP, etc.
 #
 # For `ipthreat_flags`, most cases will use 8 (BruteForce) which is the default, but you could use others.
 # You can use the name or the ordinal.
 # Multiple values are comma separated.
 # ```
 # Name           Ordinal Description
 # Dns            1       Abuse/attack of dns (domain name server)
 # Fraud          2       General fraud, whether orders, misuse of payment info, etc
 # DDos           4       Distributed denial of service attack, whether through http requests, large ping attack, etc
 # BruteForce     8       Brute force login attack
 # Proxy          16      IP is a proxy like TOR or other proxy server
 # Spam           32      Email, comment or other type of spam
 # Vpn            64      IP is part of a VPN
 # Hacking        128     General hacking outside of brute force attack (includes vulnerability scans, sql injection, etc.). Use port scan flag instead if it's just probe on ports.
 # BadBot         256     Bad bot that is not honoring robots.txt or just flooding with too many requests, etc
 # Compromised    512     The ip has been taken over by malware or botnet
 # Phishing       1024    The ip is involved in phishing or spoofing
 # Iot            2048    The ip has targetted an iot (Internet of Things) device
 # PortScan       4096    Port scan
 # See https://ipthreat.net/bulkreportformat for more information
 # ```
 [Definition]
 # bypass action for restored tickets
 norestored = 1
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
 actionstart =
 # Option:  actionstop
 # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 # Values:  CMD
 #
 actionstop =
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
 actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 #
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionban = curl -sSf "https://api.ipthreat.net/api/report" -X POST -H "Content-Type: application/json" -H "X-API-KEY: <ipthreat_apikey>" -d "{\"ip\":\"<ip>\",\"flags\":\"<ipthreat_flags>\",\"system\":\"<ipthreat_system>\",\"notes\":\"fail2ban\"}"
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
 actionunban =
 [Init]
 # Option:  ipthreat_apikey
 # Notes    Your API key from ipthreat.net
 # Values:  STRING Default: None
 # Register for ipthreat [https://ipthreat.net], get api key and set below.
 # You will need to set the flags and system in the action call in jail.conf
 ipthreat_apikey =
 # By default, the ipthreat system is the name of the fail2ban jail
 ipthreat_system = <name>
 # By default the ip threat flags is 8 (brute force), but you can override this per jail if desired
 ipthreat_flags = 8
--- a/fail2ban/action.d/nginx-block-map.conf
+++ b/fail2ban/action.d/nginx-block-map.conf
@@ -84,8 +84,15 @@ srv_cfg_path = /etc/nginx/
 #srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf
 srv_cmd = nginx
-# first test configuration is correct, hereafter send reload signal:
+# pid file (used to check nginx is running):
-blck_lst_reload = %(srv_cmd)s -qt; if [ $? -eq 0 ]; then
+srv_pid = /run/nginx.pid
 # command used to check whether nginx is running and configuration is valid:
 srv_is_running = [ -f "%(srv_pid)s" ]
 srv_check_cmd = %(srv_is_running)s && %(srv_cmd)s -qt
 # first test nginx is running and configuration is correct, hereafter send reload signal:
 blck_lst_reload = %(srv_check_cmd)s; if [ $? -eq 0 ]; then
                    %(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi;
                  fi;
--- a/fail2ban/action.d/symbiosis-blacklist-allports.conf
+++ b/fail2ban/action.d/symbiosis-blacklist-allports.conf
@@ -5,7 +5,7 @@
 [INCLUDES]
-before = iptables-common.conf
+before = iptables.conf
 [Definition]
@@ -41,6 +41,11 @@ actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
 actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
              <iptables> -D <chain> -s <ip> -j <blocktype> || :
 # [TODO] Flushing is currently not implemented for symbiosis blacklist.d
 #
 actionflush = 
 [Init]
 # Option:  chain
--- a/fail2ban/fail2ban.conf
+++ b/fail2ban/fail2ban.conf
@@ -24,13 +24,13 @@
 loglevel = INFO
 # Option: logtarget
-# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+# Notes.: Set the log target. This could be a file, SYSTEMD-JOURNAL, SYSLOG, STDERR or STDOUT.
 #         Only one log target can be specified.
 #         If you change logtarget from the default value and you are
 #         using logrotate -- also adjust or disable rotation in the
 #         corresponding configuration file
 #         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
-# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
+# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ]  Default: STDERR
 #
 logtarget = /var/log/fail2ban.log
@@ -55,6 +55,12 @@ socket = /var/run/fail2ban/fail2ban.sock
 #
 pidfile = /var/run/fail2ban/fail2ban.pid
 # Option: allowipv6
 # Notes.: Allows IPv6 interface:
 #         Default: auto
 # Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
 #allowipv6 = auto
 # Options: dbfile
 # Notes.: Set the file for the fail2ban persistent data to be stored.
 #         A value of ":memory:" means database is only stored in memory 
--- a/fail2ban/filter.d/apache-fakegooglebot.conf
+++ b/fail2ban/filter.d/apache-fakegooglebot.conf
@@ -2,11 +2,11 @@
 [Definition]
-failregex = ^<HOST> .*Googlebot.*$
+failregex = ^\s*<HOST> \S+ \S+(?: \S+)?\s+\S+ "[A-Z]+ /\S* [^"]*" \d+ \d+ \"[^"]*\" "[^"]*\bGooglebot/[^"]*"
 ignoreregex =
-datepattern = ^[^\[]*\[({DATE})
+datepattern = ^[^\[]*(\[{DATE}\s*\])
              {^LN-BEG}
 # DEV Notes:
--- a/fail2ban/filter.d/apache-overflows.conf
+++ b/fail2ban/filter.d/apache-overflows.conf
@@ -8,7 +8,7 @@ before = apache-common.conf
 [Definition]
-failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
+failregex = ^%(_apache_error_client)s (?:(?:AH001[23][456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
 ignoreregex =
--- a/fail2ban/filter.d/asterisk.conf
+++ b/fail2ban/filter.d/asterisk.conf
@@ -21,7 +21,7 @@ log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+
 prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
 failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
-            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
+            ^Call from '[^']*' \((?:(?:TCP|UDP):)?<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
--- a/fail2ban/filter.d/common.conf
+++ b/fail2ban/filter.d/common.conf
@@ -10,7 +10,7 @@ after = common.local
 [DEFAULT]
-# Type of log-file resp. log-format (file, short, journal, rfc542):
+# Type of log-file resp. log-format (file, short, journal, rfc5424):
 logtype = file
 # Daemon definition is to be specialized (if needed) in .conf file
--- a/fail2ban/filter.d/courier-auth.conf
+++ b/fail2ban/filter.d/courier-auth.conf
@@ -11,7 +11,7 @@ before = common.conf
 _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
-failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
+failregex = ^%(__prefix_line)sLOGIN FAILED, (?:(?!ip=)(?:user=<F-USER>[^,]*</F-USER>|\w+=[^,]*), )*ip=\[<HOST>\]
 ignoreregex = 
--- a/fail2ban/filter.d/dovecot.conf
+++ b/fail2ban/filter.d/dovecot.conf
@@ -7,18 +7,21 @@ before = common.conf
 [Definition]
 _auth_worker = (?:dovecot: )?auth(?:-worker)?
 _daemon = (?:dovecot(?:-auth)?|auth)
-prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
+_auth_worker = (?:dovecot: )?auth(?:-worker)?
 _auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?
 _bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*
 prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$
 failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
-            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
-            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
+            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
-            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
+            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
            <mdre-<mode>>
-mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
 mdre-normal = 
--- a/fail2ban/filter.d/drupal-auth.conf
+++ b/fail2ban/filter.d/drupal-auth.conf
@@ -14,7 +14,7 @@ before = common.conf
 [Definition]
-failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|<HOST>\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
+failregex = ^%(__prefix_line)s(?:https?:\/\/)[^|]+\|[^|]+\|[^|]+\|<ADDR>\|(?:[^|]*\|)*Login attempt failed (?:for|from) <F-USER>[^|]+</F-USER>\.$
 ignoreregex =
--- a/fail2ban/filter.d/exim-common.conf
+++ b/fail2ban/filter.d/exim-common.conf
@@ -12,7 +12,7 @@ after = exim-common.local
 host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?
 host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s
 host_info = %(host_info_pre)s\[<HOST>\]%(host_info_suf)s
-pid = (?: \[\d+\])?
+pid = (?: \[\d+\]| \w+ exim\[\d+\]:)?
 # DEV Notes:
 # From exim source code: ./src/receive.c:add_host_info_for_log
--- a/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
+++ b/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
@@ -6,24 +6,35 @@
 #
 import sys
 from fail2ban.server.ipdns import DNSUtils, IPAddr
 from threading import Thread
 def process_args(argv):
-    if len(argv) != 2:
+    if len(argv) - 1 not in (1, 2):
-       raise ValueError("Please provide a single IP as an argument. Got: %s\n"
+       raise ValueError("Usage %s ip ?timeout?. Got: %s\n"
-                        % (argv[1:]))
+                        % (argv[0], argv[1:]))
    ip = argv[1]
    if not IPAddr(ip).isValid:
       raise ValueError("Argument must be a single valid IP. Got: %s\n"
                        % ip)
-    return ip
+    return argv[1:]
 google_ips = None
-def is_googlebot(ip):
+def is_googlebot(ip, timeout=55):
    import re
-    host = DNSUtils.ipToName(ip)
+    timeout = float(timeout or 0)
    if timeout:
      def ipToNameTO(host, ip, timeout):
        host[0] = DNSUtils.ipToName(ip)
      host = [None]
      th = Thread(target=ipToNameTO, args=(host, ip, timeout)); th.daemon=True; th.start()
      th.join(timeout)
      host = host[0]
    else:
      host = DNSUtils.ipToName(ip)
    if not host or not re.match(r'.*\.google(bot)?\.com$', host):
       return False
    host_ips = DNSUtils.dnsToIp(host)
@@ -31,7 +42,7 @@ def is_googlebot(ip):
 if __name__ == '__main__': # pragma: no cover
    try:
-      ret = is_googlebot(process_args(sys.argv))
+      ret = is_googlebot(*process_args(sys.argv))
    except ValueError as e:
      sys.stderr.write(str(e))
      sys.exit(2)
--- a/fail2ban/filter.d/lighttpd-auth.conf
+++ b/fail2ban/filter.d/lighttpd-auth.conf
@@ -3,7 +3,7 @@
 [Definition]
-failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
+failregex = ^\s*(?:: )?\(?(?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match for (?:\S+|.*?) username:\s+<F-USER>(?:\S+|.*?)</F-USER>\s*|digest: auth failed(?: for\s+<F-ALT_USER>(?:\S+|.*?)</F-ALT_USER>\s*)?: (?:wrong password|uri mismatch \([^\)]*\))|get_password failed),? IP: <HOST>\s*$
 ignoreregex = 
--- a/fail2ban/filter.d/monitorix.conf
+++ b/fail2ban/filter.d/monitorix.conf
@@ -0,0 +1,25 @@
 # Fail2Ban filter for Monitorix (HTTP built-in server)
 #
 [INCLUDES]
 before = common.conf
 [Definition]
 _daemon = monitorix-httpd
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
 failregex = ^(?:\s+-)?\s*(?:NOTEXIST|AUTHERR|NOTALLOWED) - <ADDR>\b
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
--- a/fail2ban/filter.d/mssql-auth.conf
+++ b/fail2ban/filter.d/mssql-auth.conf
@@ -0,0 +1,15 @@
 # Fail2Ban filter for failed MSSQL Server authentication attempts
 [Definition]
 failregex = ^\s*Logon\s+Login failed for user '<F-USER>(?:[^']*|.*)</F-USER>'\. [^'\[]+\[CLIENT: <ADDR>\]$
 # DEV Notes:
 #	Tested with SQL Server 2019 on Ubuntu 18.04
 #
 # Example:
 #	2020-02-24 14:48:55.12 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 127.0.0.1]
 #
 # Author: Rüdiger Olschewsky
 #
--- a/fail2ban/filter.d/named-refused.conf
+++ b/fail2ban/filter.d/named-refused.conf
@@ -22,7 +22,7 @@
 [Definition]
 # Daemon name
-_daemon=named
+_daemon=named(?:-\w+)?
 # Shortcuts for easier comprehension of the failregex
@@ -30,11 +30,14 @@ __pid_re=(?:\[\d+\])
 __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
 __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
 _category = (?!error|info)[\w-]+
 _category_re = (?:%(_category)s: )?
 #       hostname       daemon_id         spaces
 # this can be optional (for instance if we match named native log files)
-__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+__line_prefix=\s*(?:\S+ %(__daemon_combs_re)s\s+)?%(_category_re)s
-prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
+prefregex = ^%(__line_prefix)s(?:(?:error|info):\s*)?client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
 failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
            ^zone transfer
--- a/fail2ban/filter.d/nginx-bad-request.conf
+++ b/fail2ban/filter.d/nginx-bad-request.conf
@@ -0,0 +1,16 @@
 # Fail2Ban filter to match bad requests to nginx
 #
 [Definition]
 # The request often doesn't contain a method, only some encoded garbage
 # This will also match requests that are entirely empty
 failregex = ^<HOST> - \S+ \[\] "[^"]*" 400
 datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
              ^[^\[]*\[({DATE})
              {^LN-BEG}
 journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 # Author: Jan Przybylak
--- a/fail2ban/filter.d/nginx-botsearch.conf
+++ b/fail2ban/filter.d/nginx-botsearch.conf
@@ -17,7 +17,9 @@ datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]
              ^[^\[]*\[({DATE})
              {^LN-BEG}
 journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 # DEV Notes:
 # Based on apache-botsearch filter
 # 
-# Author: Frantisek Sumsal
+# Author: Frantisek Sumsal
--- a/fail2ban/filter.d/nginx-http-auth.conf
+++ b/fail2ban/filter.d/nginx-http-auth.conf
@@ -3,15 +3,32 @@
 [Definition]
 mode = normal
-failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+mdre-auth = ^\s*\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
 mdre-fallback = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
 mdre-normal = %(mdre-auth)s
 mdre-aggressive = %(mdre-auth)s
                  %(mdre-fallback)s
 failregex = <mdre-<mode>>
 ignoreregex = 
 datepattern = {^LN-BEG}
 journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
 # DEV NOTES:
 # mdre-auth:
 # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
 # Extensive search of all nginx auth failures not done yet.
 # 
 # Author: Daniel Black
 # mdre-fallback:
 # Ban people checking for TLS_FALLBACK_SCSV repeatedly
 # https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
 # Author: Stephan Orlowsky
--- a/fail2ban/filter.d/nginx-limit-req.conf
+++ b/fail2ban/filter.d/nginx-limit-req.conf
@@ -44,3 +44,6 @@ failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by
 ignoreregex = 
 datepattern = {^LN-BEG}
 journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
--- a/fail2ban/filter.d/nsd.conf
+++ b/fail2ban/filter.d/nsd.conf
@@ -22,10 +22,10 @@ _daemon = nsd
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
-failregex =  ^%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
+failregex =  ^%(__prefix_line)sinfo: ratelimit block .* query <ADDR> TYPE255$
-             ^%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
+             ^%(__prefix_line)sinfo: .* from(?: client)? <ADDR> refused, no acl matches\.?$
 ignoreregex =
 datepattern = {^LN-BEG}Epoch
-              {^LN-BEG}
+              {^LN-BEG}
--- a/fail2ban/filter.d/postfix.conf
+++ b/fail2ban/filter.d/postfix.conf
@@ -12,16 +12,15 @@ before = common.conf
 _daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
 _port = (?::\d+)?
 _pref = [A-Z]{4}
 prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
-mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
+# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:
-mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
+exre-user = |[Uu](?:ser unknown|ndeliverable address)
-            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
+
-            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
+mdpr-normal = (?:\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \S+)
-            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
+mdre-normal=^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45][50][04] [45]\.\d\.\d+ (?:(?:<[^>]*>)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match%(exre-user)s)\b
            ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?
 mdpr-auth = warning:
@@ -31,13 +30,15 @@ mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5
 # Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
 mdpr-rbl = %(mdpr-normal)s
-mdre-rbl  = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
+mdre-rbl  = ^%(_pref)s from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
 # Mode "rbl" currently included in mode "normal" (within 1st rule)
 mdpr-more = %(mdpr-normal)s
 mdre-more = %(mdre-normal)s
-mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+)))
+# Includes some of the log messages described in
 # <http://www.postfix.org/POSTSCREEN_README.html>.
 mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
 mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
 mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
--- a/fail2ban/filter.d/scanlogd.conf
+++ b/fail2ban/filter.d/scanlogd.conf
@@ -0,0 +1,17 @@
 # Fail2Ban filter for port scans detected by scanlogd
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 _daemon = scanlogd
 failregex =  ^%(__prefix_line)s<ADDR>(?::<F-PORT/>)? to \S+ ports\b
 ignoreregex =
 # Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
--- a/fail2ban/filter.d/sendmail-auth.conf
+++ b/fail2ban/filter.d/sendmail-auth.conf
@@ -15,7 +15,7 @@ addr = (?:IPv6:<IP6>|<IP4>)
 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
 failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
-            ^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
+            ^AUTH failure \([^\)]+\):(?: [^:]+:)? (?:authentication failure|user not found): [^,]*, (?:user=<F-USER>(?:\S+|.*?)</F-USER>, )?relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
 ignoreregex =
 journalmatch = _SYSTEMD_UNIT=sendmail.service
--- a/fail2ban/filter.d/sendmail-reject.conf
+++ b/fail2ban/filter.d/sendmail-reject.conf
@@ -21,12 +21,12 @@ before = common.conf
 _daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
 __prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
-addr = (?:IPv6:<IP6>|<IP4>)
+addr = (?:(?:IPv6:)?<IP6>|<IP4>)
 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
-cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
-            ^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=%(addr)s, relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+            ^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
            ^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$
            ^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
            ^<[^@]+@[^>]+>\.\.\. No such user here$
--- a/fail2ban/filter.d/sshd.conf
+++ b/fail2ban/filter.d/sshd.conf
@@ -68,15 +68,17 @@ cmnfailed = <cmnfailed-<publickey>>
 mdre-normal =
 # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
-mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
+mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
 mdre-ddos = ^Did not receive identification string from <HOST>
-            ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
+            ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
            ^Bad protocol version identification '.*' from <HOST>
            ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
            ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
-# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
+            ^banner exchange: Connection from <HOST><__on_port_opt>: invalid format
 # same as mdre-normal-other, but as failure (without <F-NOFAIL> with [preauth] and with <F-NOFAIL> on no preauth phase as helper to identify address):
 mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
                  ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__on_port_opt)s|\s*)$
 mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
            ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
--- a/fail2ban/filter.d/zoneminder.conf
+++ b/fail2ban/filter.d/zoneminder.conf
@@ -5,17 +5,23 @@ before = apache-common.conf
 [Definition]
-# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
+# patterns: [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/
-#
+#           [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could not retrieve user test details], referer: https://zm/
 #           [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/
 #
 # Option:  failregex
-# Notes.:  regex to match the password failure messages in the logfile.
+# Notes.:  regex to match the login failure and non-existent user error messages in the logfile.
-failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
+prefregex = ^%(_apache_error_client)s (?:ERR|WAR) <F-CONTENT>\[(?:Login denied|Could not retrieve).*</F-CONTENT>$
 failregex = ^\[Login denied for user "<F-USER>[^"]*</F-USER>"\]
            ^\[Could not retrieve user <F-USER>\S*</F-USER>
 ignoreregex =
 # Notes:
-#	Tested on Zoneminder 1.29.0
+#	Tested on Zoneminder 1.29 and 1.35.21
 #
 #	Zoneminder versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons
 #
 # Author: John Marzella
--- a/fail2ban/jail.conf
+++ b/fail2ban/jail.conf
@@ -67,7 +67,7 @@ before = paths-fedora.conf
 # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
 #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
-# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
+# "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
 # previously ban count and given "bantime.factor" (for multipliers default is 1);
 # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
 # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
@@ -77,7 +77,7 @@ before = paths-fedora.conf
 #bantime.multipliers = 1 5 30 60 300 720 1440 2880
 # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
-# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
+# cross over all jails, if false (default), only current jail of the ban IP will be searched
 #bantime.overalljails = false
 # --------------------
@@ -227,6 +227,15 @@ action_mwl = %(action_)s
 action_xarf = %(action_)s
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
 # ban & send a notification to one or more of the 50+ services supported by Apprise.
 # See https://github.com/caronc/apprise/wiki for details on what is supported.
 #
 # You may optionally over-ride the default configuration line (containing the Apprise URLs)
 # by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise
 # /etc/fail2ban/apprise.conf is sourced for your supported notification configuration.
 # action = %(action_)s
 #          apprise
 # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
@@ -242,20 +251,6 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
 #
 action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 # Report ban via badips.com, and use as blacklist
 #
 # See BadIPsAction docstring in config/action.d/badips.py for
 # documentation for this action.
 #
 # NOTE: This action relies on banaction being present on start and therefore
 # should be last action defined for a jail.
 #
 action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
 #
 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
 #
 action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
 # Report ban via abuseipdb.com.
 #
 # See action.d/abuseipdb.conf for usage example and details.
@@ -351,7 +346,7 @@ maxretry = 2
 port     = http,https
 logpath  = %(apache_access_log)s
 maxretry = 1
-ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot <ip>
 [apache-modsecurity]
@@ -375,8 +370,11 @@ banaction = %(banaction_allports)s
 logpath = /opt/openhab/logs/request.log
 # To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
 # normal (default), aggressive (combines all), auth or fallback
 # See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
 [nginx-http-auth]
-
+# mode = normal
 port    = http,https
 logpath = %(nginx_error_log)s
@@ -392,8 +390,10 @@ logpath = %(nginx_error_log)s
 port     = http,https
 logpath  = %(nginx_error_log)s
 maxretry = 2
 [nginx-bad-request]
 port    = http,https
 logpath = %(nginx_access_log)s
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
@@ -797,6 +797,14 @@ logpath  = %(mysql_log)s
 backend  = %(mysql_backend)s
 [mssql-auth]
 # Default configuration for Microsoft SQL Server for Linux
 # See the 'mssql-conf' manpage how to change logpath or port
 logpath = /var/opt/mssql/log/errorlog
 port = 1433
 filter = mssql-auth
 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 [mongodb-auth]
 # change port when running with "--shardsvr" or "--configsvr" runtime operation
@@ -962,3 +970,11 @@ logpath = %(apache_error_log)s
 # see `filter.d/traefik-auth.conf` for details and service example.
 port    = http,https
 logpath = /var/log/traefik/access.log
 [scanlogd]
 logpath = %(syslog_local0)s
 banaction = %(banaction_allports)s
 [monitorix]
 port	= 8080
 logpath = /var/log/monitorix-httpd
--- a/fail2ban/jail.d/00-firewalld.conf
+++ b/fail2ban/jail.d/00-firewalld.conf
@@ -2,5 +2,5 @@
 # the firewalld actions as the default actions.  You can remove this package
 # (along with the empty fail2ban meta-package) if you do not use firewalld
 [DEFAULT]
-banaction = firewallcmd-rich-rules[actiontype=<multiport>]
+banaction = firewallcmd-rich-rules
-banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
+banaction_allports = firewallcmd-rich-rules
--- a/fail2ban/paths-common.conf
+++ b/fail2ban/paths-common.conf
@@ -91,6 +91,3 @@ mysql_log = %(syslog_daemon)s
 mysql_backend = %(default_backend)s
 roundcube_errors_log = /var/log/roundcube/errors
 # Directory with ignorecommand scripts
 ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands
--- a/httpd/conf.d/ssl.conf
+++ b/httpd/conf.d/ssl.conf
@@ -0,0 +1,203 @@
 #
 # When we also provide SSL we have to listen to the 
 # standard HTTPS port in addition.
 #
 Listen 443 https
 ##
 ##  SSL Global Context
 ##
 ##  All SSL configuration in this context applies both to
 ##  the main server and all SSL-enabled virtual hosts.
 ##
 #   Pass Phrase Dialog:
 #   Configure the pass phrase gathering process.
 #   The filtering dialog program (`builtin' is a internal
 #   terminal dialog) has to provide the pass phrase on stdout.
 SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
 #   Inter-Process Session Cache:
 #   Configure the SSL Session Cache: First the mechanism 
 #   to use and second the expiring timeout (in seconds).
 SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
 SSLSessionCacheTimeout  300
 #
 # Use "SSLCryptoDevice" to enable any supported hardware
 # accelerators. Use "openssl engine -v" to list supported
 # engine names.  NOTE: If you enable an accelerator and the
 # server does not start, consult the error logs and ensure
 # your accelerator is functioning properly. 
 #
 SSLCryptoDevice builtin
 #SSLCryptoDevice ubsec
 ##
 ## SSL Virtual Host Context
 ##
 <VirtualHost _default_:443>
 # General setup for the virtual host, inherited from global configuration
 #DocumentRoot "/var/www/html"
 #ServerName www.example.com:443
 # Use separate log files for the SSL virtual host; note that LogLevel
 # is not inherited from httpd.conf.
 ErrorLog logs/ssl_error_log
 TransferLog logs/ssl_access_log
 LogLevel warn
 #   SSL Engine Switch:
 #   Enable/Disable SSL for this virtual host.
 SSLEngine on
 #   List the protocol versions which clients are allowed to connect with.
 #   The OpenSSL system profile is used by default.  See
 #   update-crypto-policies(8) for more details.
 #SSLProtocol all -SSLv3
 #SSLProxyProtocol all -SSLv3
 #   User agents such as web browsers are not configured for the user's
 #   own preference of either security or performance, therefore this
 #   must be the prerogative of the web server administrator who manages
 #   cpu load versus confidentiality, so enforce the server's cipher order.
 SSLHonorCipherOrder on
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
 #   The OpenSSL system profile is configured by default.  See
 #   update-crypto-policies(8) for more details.
 SSLCipherSuite PROFILE=SYSTEM
 SSLProxyCipherSuite PROFILE=SYSTEM
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
 #   the certificate is encrypted, then you will be prompted for a
 #   pass phrase.  Note that restarting httpd will prompt again.  Keep
 #   in mind that if you have both an RSA and a DSA certificate you
 #   can configure both in parallel (to also allow the use of DSA
 #   ciphers, etc.)
 #   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
 #   require an ECC certificate which can also be configured in
 #   parallel.
 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
 #   ECC keys, when in use, can also be configured in parallel
 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
 #   concatenation of PEM encoded CA certificates which form the
 #   certificate chain for the server certificate. Alternatively
 #   the referenced file can be the same as SSLCertificateFile
 #   when the CA certificates are directly appended to the server
 #   certificate for convenience.
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
 #   Certificate Authority (CA):
 #   Set the CA certificate verification path where to find CA
 #   certificates for client authentication or alternatively one
 #   huge file containing all of them (file must be PEM encoded)
 #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
 #   Client Authentication (Type):
 #   Client certificate verification type and depth.  Types are
 #   none, optional, require and optional_no_ca.  Depth is a
 #   number which specifies how deeply to verify the certificate
 #   issuer chain before deciding the certificate is not valid.
 #SSLVerifyClient require
 #SSLVerifyDepth  10
 #   Access Control:
 #   With SSLRequire you can do per-directory access control based
 #   on arbitrary complex boolean expressions containing server
 #   variable checks and other lookup directives.  The syntax is a
 #   mixture between C and Perl.  See the mod_ssl documentation
 #   for more details.
 #<Location />
 #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
 #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
 #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
 #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
 #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
 #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
 #</Location>
 #   SSL Engine Options:
 #   Set various options for the SSL engine.
 #   o FakeBasicAuth:
 #     Translate the client X.509 into a Basic Authorisation.  This means that
 #     the standard Auth/DBMAuth methods can be used for access control.  The
 #     user name is the `one line' version of the client's X.509 certificate.
 #     Note that no password is obtained from the user. Every entry in the user
 #     file needs this password: `xxj31ZMTZzkVA'.
 #   o ExportCertData:
 #     This exports two additional environment variables: SSL_CLIENT_CERT and
 #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
 #     server (always existing) and the client (only existing when client
 #     authentication is used). This can be used to import the certificates
 #     into CGI scripts.
 #   o StdEnvVars:
 #     This exports the standard SSL/TLS related `SSL_*' environment variables.
 #     Per default this exportation is switched off for performance reasons,
 #     because the extraction step is an expensive operation and is usually
 #     useless for serving static content. So one usually enables the
 #     exportation for CGI and SSI requests only.
 #   o StrictRequire:
 #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 #     under a "Satisfy any" situation, i.e. when it applies access is denied
 #     and no other module can change it.
 #   o OptRenegotiate:
 #     This enables optimized SSL connection renegotiation handling when SSL
 #     directives are used in per-directory context. 
 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
 </Directory>
 #   SSL Protocol Adjustments:
 #   The safe and default but still SSL/TLS standard compliant shutdown
 #   approach is that mod_ssl sends the close notify alert but doesn't wait for
 #   the close notify alert from client. When you need a different shutdown
 #   approach you can use one of the following variables:
 #   o ssl-unclean-shutdown:
 #     This forces an unclean shutdown when the connection is closed, i.e. no
 #     SSL close notify alert is sent or allowed to be received.  This violates
 #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
 #     this when you receive I/O errors because of the standard approach where
 #     mod_ssl sends the close notify alert.
 #   o ssl-accurate-shutdown:
 #     This forces an accurate shutdown when the connection is closed, i.e. a
 #     SSL close notify alert is sent and mod_ssl waits for the close notify
 #     alert of the client. This is 100% SSL/TLS standard compliant, but in
 #     practice often causes hanging connections with brain-dead browsers. Use
 #     this only for browsers where you know that their SSL implementation
 #     works correctly. 
 #   Notice: Most problems of broken clients are also related to the HTTP
 #   keep-alive facility, so you usually additionally want to disable
 #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 #   "force-response-1.0" for this.
 BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
 #   Per-Server Logging:
 #   The home of a custom SSL log file. Use this when you want a
 #   compact non-error SSL logfile on a virtual host basis.
 CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>
--- a/selinux/targeted/.policy.sha512
+++ b/selinux/targeted/.policy.sha512
@@ -1 +1 @@
-94b341527eaeae89b7481bbb21da5757768cd43b2683a72a0a4464e1c7c05792a4e193e4a61db4453eba15053ac48d0e23c9df962db6f213ee08ecacccb473be
+5020ff024b92d2d5d7a2b0066e3d83e856dfa88046c653658ee78523cb7cb82cc1ba0340b6c33d8a05bd0bc00c73843ee3c21bd8f02774c0117ee1a097701e10
--- a/selinux/targeted/policy/policy.31
+++ b/selinux/targeted/policy/policy.31
`@@ -1 +1 @@`
	`94b341527eaeae89b7481bbb21da5757768cd43b2683a72a0a4464e1c7c05792a4e193e4a61db4453eba15053ac48d0e23c9df962db6f213ee08ecacccb473be`	`5020ff024b92d2d5d7a2b0066e3d83e856dfa88046c653658ee78523cb7cb82cc1ba0340b6c33d8a05bd0bc00c73843ee3c21bd8f02774c0117ee1a097701e10`