--- fail2ban-0.8.6.orig/config/action.d/iptables-xt_recent-echo.conf
+++ fail2ban-0.8.6/config/action.d/iptables-xt_recent-echo.conf
@@ -0,0 +1,76 @@
+# Fail2Ban configuration file
+#
+# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+#
+# $Revision: 1 $
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# Changing iptables rules requires root priviledges. If fail2ban is
+# configured to run as root, firewall setup can be performed by
+# fail2ban automatically. However, if fail2ban is configured to run as
+# a normal user, the configuration must be done by some other means
+# (e.g. using static firewall configuration with the
+# iptables-persistent package).
+# 
+# Explanation of the rule below:
+#    Check if any packets coming from an IP on the fail2ban-<name>
+#    list have been seen in the last 3600 seconds. If yes, update the
+#    timestamp for this IP and drop the packet. If not, let the packet
+#    through.
+#
+#    Fail2ban inserts blacklisted hosts into the fail2ban-<name> list
+#    and removes them from the list after some time, according to its
+#    own rules. The 3600 second timeout is independent and acts as a
+#    safeguard in case the fail2ban process dies unexpectedly. The
+#    shorter of the two timeouts actually matters.
+actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = echo / > /proc/net/xt_recent/fail2ban-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = test -e /proc/net/xt_recent/fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = echo +<ip> > /proc/net/xt_recent/fail2ban-<name>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = echo -<ip> > /proc/net/xt_recent/fail2ban-<name>
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
--- fail2ban-0.8.6.orig/config/filter.d/apache-common.conf
+++ fail2ban-0.8.6/config/filter.d/apache-common.conf
@@ -0,0 +1,17 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+
+[DEFAULT]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]
--- fail2ban-0.8.6.orig/config/filter.d/apache-auth.conf
+++ fail2ban-0.8.6/config/filter.d/apache-auth.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,9 +20,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] user .* authentication failure
-            [[]client <HOST>[]] user .* not found
-            [[]client <HOST>[]] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- fail2ban-0.8.6.orig/config/filter.d/apache-overflows.conf
+++ fail2ban-0.8.6/config/filter.d/apache-overflows.conf
@@ -5,13 +5,19 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
 # Notes.:  Regexp to catch Apache overflow attempts.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- fail2ban-0.8.6.orig/config/filter.d/apache-nohome.conf
+++ fail2ban-0.8.6/config/filter.d/apache-nohome.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,7 +20,7 @@
 #          per-domain log files.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- fail2ban-0.8.6.orig/config/filter.d/apache-noscript.conf
+++ fail2ban-0.8.6/config/filter.d/apache-noscript.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,8 +20,8 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
-            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
+failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
+            ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- fail2ban-0.8.6.orig/doc/run-rootless.txt
+++ fail2ban-0.8.6/doc/run-rootless.txt
@@ -0,0 +1,92 @@
+Fail2ban normally requires root priviledges to insert iptables rules
+through calls to /sbin/iptables and also to read the logfiles.
+Fail2ban can run as an unpriviledged user provided that those two
+capabilites are preserved. The idea is to run fail2ban as a normal
+user (e.g. fail2ban) who belongs to a group which is allowed to read
+logfiles. The user should also be allowed to write to
+/proc/net/xt_recent/fail2ban-<name> (name is specified in the iptables
+rule).
+
+/proc/net/xt_recent/* is created by the xt_recent kernel module when
+an iptables rule with '-m limit' is inserted. This file contains a
+dynamic list of IP addresses which can than be used in iptables rules.
+Addresses can be matched against this list, with an optional timeout.
+One way to use xt_recent is to insert IPs into this list from an
+iptables rule, e.g. after connecting to the SSH port three times in a
+minute. This is the standard usage described in iptables(3).
+
+Another way to use xt_recent is by inserting the rules by writing to
+/proc/net/xt_recent/fail2ban-<name>. This can be performed by a fail2ban
+action. Files in /proc/net/xt_recent/ are protected by normal
+filesystem rules, so can be chown'ed and chmod'ed to be writable by a
+certain user. After the necessary iptables rules are inserted (which
+requires root priviledges), blacklisting can be perfomed by an
+unpriviledged user.
+
+Using fail2ban with xt_recent allows smarter filtering than normal
+iptables rules with the xt_recent module can provide.
+
+The disadvantage is that fail2ban cannot perform the setup by itself,
+which would require the priviledge to call /sbin/iptables, and it must
+be done through other means.
+
+The primary advantage is obvious: it's generally better to run
+services not as root. This setup is more robust, because xt_recent has
+it's own memory management and should behave smartly in case a very
+large amount of IPs is blocked. Also in case the fail2ban process dies
+the rules expire automatically. In case of a large amount of blocked
+IPs, traversing rules linearly for each SYN packet as fail2ban
+normally inserts them will be slow, but xt_recent with the same number
+of IPs would be much faster. (Didn't test this, so this is pure
+handwaving, but it should really be this way ;)) From the
+administrators point of view, a setup with xt_recent might also be
+easier, because it's very simple to modify the permissions on
+/proc/net/xt_recent/fail2ban-<name> to be readable or writable by
+some user and thus allow delisting IPs by helper administrators
+without the ability to mess up other iptables rules.
+
+The xt_recent-echo jail can be used under the root user without
+further configuration. To run not as root, futher setup is necessary:
+
+- Create user:
+
+  - set FAIL2BAN_USER in /etc/default/fail2ban.
+
+    This probably should be fail2ban.
+
+  - add user fail2ban who can read /var/log/auth.log and other
+    necessary log files. Log files are owned by group 'adm', so
+    it is enough if this user belongs to this group.
+
+    The user can be created e.g. with
+
+     useradd --system --no-create-home --home-dir / --groups adm fail2ban
+
+- Statically initialize chains firewall:
+
+  - put a rule to check the xt_recent list in the static firewall initialization
+    script, with names like fail2ban-ssh (action uses separate chains per each
+    jail, so define here the ones you need 1-per-jail)
+
+    Sample invocation might be
+
+     iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
+
+    with <name> suitably replaced.
+
+  - suppress actionstart for iptables-xt_recent-echo action by creating an override file
+    iptables-xt_recent-echo.local to accompany iptables-xt_recent-echo.conf with
+
+     [Definition]
+     actionstart =
+
+- Permissions:
+
+  make sure that configuration files under /etc/fail2ban are readable by
+  fail2ban user. Make sure that logfiles of fail2ban itself are writable
+  by the fail2ban user. /etc/init.d/fail2ban will change the ownership at
+  startup, but it is also necessary to modify /etc/logrotate.d/fail2ban.
+
+  The simplest way is to replace '# create ...' with the following
+    # create 640 fail2ban adm
+
--- fail2ban-0.8.6.orig/man/fail2ban-server.1
+++ fail2ban-0.8.6/man/fail2ban-server.1
@@ -35,7 +35,8 @@
 Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
 Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
 .SH "REPORTING BUGS"
-Report bugs to <cyril.jaquier@fail2ban.org>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
 .SH COPYRIGHT
 Copyright \(co 2004-2008 Cyril Jaquier
 .br
--- fail2ban-0.8.6.orig/man/fail2ban-client.1
+++ fail2ban-0.8.6/man/fail2ban-client.1
@@ -251,7 +251,8 @@
 Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
 Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
 .SH "REPORTING BUGS"
-Report bugs to <cyril.jaquier@fail2ban.org>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
 .SH COPYRIGHT
 Copyright \(co 2004-2008 Cyril Jaquier
 .br
--- fail2ban-0.8.6.orig/server/action.py
+++ fail2ban-0.8.6/server/action.py
@@ -230,7 +230,14 @@
 	def execActionStop(self):
 		stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
 		return Action.executeCmd(stopCmd)
-	
+
+	def escapeTag(tag):
+		for c in '\\#&;`|*?~<>^()[]{}$\n':
+			if c in tag:
+				tag = tag.replace(c, '\\' + c)
+		return tag
+	escapeTag = staticmethod(escapeTag)
+
 	##
 	# Replaces tags in query with property values in aInfo.
 	#
@@ -243,8 +250,13 @@
 		""" Replace tags in query
 		"""
 		string = query
-		for tag in aInfo:
-			string = string.replace('<' + tag + '>', str(aInfo[tag]))
+		for tag, value in aInfo.iteritems():
+			value = str(value)			  # assure string
+			if tag == 'matches':
+				# That one needs to be escaped since its content is
+				# out of our control
+				value = Action.escapeTag(value)
+			string = string.replace('<' + tag + '>', value)
 		# New line
 		string = string.replace("<br>", '\n')
 		return string
--- fail2ban-0.8.6.orig/debian/watch
+++ fail2ban-0.8.6/debian/watch
@@ -0,0 +1,6 @@
+# watch control file for uscan
+# Run the "uscan" command to check for upstream updates and more.
+# Site		Directory		Pattern			Version	Script
+version=3
+opts="filenamemangle=s/.*\/(.*).tar.gz/fail2ban_$1\.orig.tar.gz/" \
+ http://githubredir.debian.net/github/fail2ban/fail2ban /([0-9].*).tar.gz
--- fail2ban-0.8.6.orig/debian/changelog
+++ fail2ban-0.8.6/debian/changelog
@@ -0,0 +1,991 @@
+fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high
+
+  * Anchor apache- filters failregexes to avoid possible DoS on servers
+    which enabled corresponding jails. Fix cherry-picked from upstream
+    0.8.9-29-g6ccd578 . See http://seclists.org/fulldisclosure/2013/Jun/66
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 12 Jun 2013 14:11:15 -0400
+
+fail2ban (0.8.6-3wheezy1) unstable; urgency=high
+
+  * CVE-2012-5642: Escape the content of <matches> since its value could
+    contain arbitrary symbols (Closes: #696184)
+  * Since package source format remained 1.0, manpages patch
+    (deb_manpages_reportbug) was not applied -- fold it into .diff.gz
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 17 Dec 2012 13:19:32 -0500
+
+fail2ban (0.8.6-3) unstable; urgency=low
+
+  * Added dovecot section to Debian's jail.conf.  Thanks to Laurent
+    Léonard (Closes: #655182)
+  * init.d script now returns non-0 exit codes upon status command
+    with not running / failed to connect server.  Thanks to
+    Glenn Aaldering for the patch
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 08 Jan 2012 21:46:24 -0500
+
+fail2ban (0.8.6-2) unstable; urgency=low
+
+  * Added pure-ftpd section to Debian's jail.conf.  Thanks to Laurent
+    Léonard (Closes: #654412)
+  * Enhancement: action to use /proc/net/xt_recent and run f2b as a normal
+    user. Many many thanks to Zbyszek Szmek (Closes: #602016)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 03 Jan 2012 10:36:24 -0500
+
+fail2ban (0.8.6-1) unstable; urgency=low
+
+  * [1efe1bc] Fresh upstream release (Closes: #648324)
+  * Boosted policy compliance to 3.9.2 -- no changes
+  * Adjusted debian/watch to fetch tarballs from github
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 28 Nov 2011 22:27:18 -0500
+
+fail2ban (0.8.5-2) unstable; urgency=low
+
+  * [5242e73] BF: (cherry-picked from upstream, DEP-3 yet TODO) Lock
+    server's executeCmd to prevent racing among iptables calls (Closes:
+    #554162) Many kudos go to Michael Saavedra for the patch
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 23 Sep 2011 22:12:08 -0400
+
+fail2ban (0.8.5-1) unstable; urgency=low
+
+  * [de95777] Fresh upstream release FAIL2BAN-0_8_5:
+    - [00e1827] BF: use addfailregex instead of failregex while processing
+      per-jail "failregex" parameter (Closes: #635830) (LP: #635036)
+      Thanks Marat Khayrullin for the patch and Daniel T Chen for forwarding to
+      Debian.
+  * [1cbdafc] Set backend to auto and recommends python-gamin (Closes: #524425)
+  * [ef449f4] Added a note on diverting logrotate configuration for custom
+    logtarget=SYSLOG (Closes: #631917).  Thanks Kenyon Ralph for report
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 28 Jul 2011 23:20:55 -0400
+
+fail2ban (0.8.4+svn20110323-1) unstable; urgency=low
+
+  * Fresh upstream snapshot which absorbed some of the patches from Debian
+    and
+    - [c6d64e9] debug entry for lines ignored due to falling below
+      findtime (v2)
+    - [fc20f12] Tai64N stores time in GMT, we need to convert to
+      local time before returning
+    - [b0331bb] default ignoreip to ignore entire loopback zone (/8)
+      (Closes: #598200)
+    - [b9f15f6] ENH: dovecot filter
+    - [69165b1] ENH: add <chain> to action.d/iptables*. Thanks
+      Matthijs Kooijman
+    - [8330a20] ENH: make filter.d/apache-overflows.conf catch more
+      (Closes: #574182)
+    - [66cc6cb] BF: allow space in the trailing of failregex for sasl.conf
+      (Closes: #573314)
+    - [2714019] ENH: dropbear filter (Closes: #546913)
+    - [ea7d352] BF: Use /var/run/fail2ban instead of /tmp for temp files in
+      actions (Closes: #544232)
+  * debian/jail.conf:
+    - [bc8e22d] spellcheck (Closes: #598206). Thanks Christoph Anton Mitterer
+    - [d7f3e23] adjusted description for sasl jail (Closes: #615952)
+    - [92fb484] debian/jail.conf: closing " for protocol specification
+    - [f828c31] debian/jail.conf: got 'chain' parameter to be specified for
+      iptables actions (Closes: #515599)
+  * debian/control:
+    - [858af30] slight rewordings of the long description (Closes: #588176)
+    - [167dfd4] Boosted policy compliance version to 3.9.1 (no changes seems
+      to be due)
+  * [4e1e845] debian/copyright: updated copyright years
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 23 Mar 2011 17:04:56 -0400
+
+fail2ban (0.8.4-3) unstable; urgency=low
+
+  * Commenting out named-refused-udp jail and providing even fatter
+    WARNING against using it (Closes: #583364)
+  * Merging upstream's commit for fixing missing import
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 28 Jun 2010 21:50:20 -0400
+
+fail2ban (0.8.4-2) unstable; urgency=low
+
+  * Merged few upstream patches (svn rev ) which fixed:
+    - Patch to make log file descriptors cloexec to stop leaking file
+      descriptors on fork/exec.
+  * debian/rules,control: -install-layout=deb for setup.py +  python (>=
+    2.5.4-1~) to fix install with python2.6 (Closes: #571213).
+  * Boosted policy to 3.8.4 (no changes seems to be due).
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 25 Feb 2010 00:17:07 -0500
+
+fail2ban (0.8.4-1) unstable; urgency=low
+
+  * New upstream release. Fixes compatibility issue with python2.6
+  * Yet only in Debian fixes:
+   - escaping () in pure-ftpd. Thanks Teodor (Closes: #544744)
+   - use "set logtarget" instead of "reload" while logrotate. Thanks
+     J.M.Roth (Closes: #537773)
+   - be able to detect time for VNC recording only 2 letters of year
+     (Closes: #537610)
+   - proftpd filter: count all failed logins regardless of the reason
+  * Debian-specific changes:
+   - adjusted README.Debian - multiport is default (closes: #545971)
+   - Boosted policy to 3.8.3 (no changes seems to be due)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 10 Sep 2009 11:16:51 -0400
+
+fail2ban (0.8.3-6) unstable; urgency=low
+
+  * Time to shake the ground with upload to unstable.
+  * Merged upstream's development as of SVN revision 732:
+     - Fixed maxretry/findtime rate. Many thanks to Christos Psonis.
+       Tracker #2019714.
+     - Made the named-refused regex a bit less restrictive in order to match
+       logs with "view". Thanks to Stephen Gildea.
+     - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100%
+       correct fix but seems to work. Tracker #2500276.
+     - Changed <HOST> template to be more restrictive (closes: #514163).
+     - Added cyrus-imap and sieve filters. Thanks to Jan Wagner.  (closes:
+       #513953).
+     - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh
+       log (closes: #512193).
+     - Added missing semi-colon in the bind9 example. Thanks to Yaroslav
+       Halchenko.
+     - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
+       #2484115.
+     - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
+       (closes: #507990)
+     - Added CPanel date format. Thanks to David Collins. Tracker #1967610.
+     - Added nagios script. Thanks to Sebastian Mueller.
+     - Removed print.
+     - Removed begin-line anchor for "standard" timestamp (closes: #500824)
+     - Remove socket file on startup is fail2ban crashed. Thanks to Detlef
+       Reichelt.
+  * Added a comment into Debian-shipped jail.conf about sasl logpath -- it
+    might preferable to monitor warn.log in case of postfix (To complete react
+    to #507990) (git branch up/fixes). Also added sasl example log file (git
+    branch up/log_examples).
+  * Removing minor bashism in ipmasq example file (closes: #530078).
+    Thanks Raphael Geissert (git branch up/ipmasq)
+  * Allow for trailing spaces in proftpd logs (closes: #507986)
+    (git branch up/fixes).
+  * Removed duplicate entry for DataCha0s/2\.0 in badbots (closes: #519557)
+    (git branch up/fixes).
+  * Adjusted Git-vcs field to point to git:// .
+  * Thanks lintian fixes:
+    - Boosted policy to 3.8.2 (no changes are due).
+    - Boosted debhelper compatibility to 5.
+    - Misspell in README.Debian
+    - Removing stale /var/run/fail2ban from dirs -- should be created by 
+      init script
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 09 Jul 2009 01:08:40 -0400
+
+fail2ban (0.8.3-5) experimental; urgency=low
+
+  * BF: anchoring regex for IP with " *$" at the end + adjust regexp for
+    <HOST> (closes: #514163)
+  * NF: adding unittests for previous BF
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 05 Feb 2009 09:51:45 -0500
+
+fail2ban (0.8.3-4) experimental; urgency=low
+
+  * BF: added missing semicolon in a logging template for bind within
+    jail.conf (thanks to anonymous on www.debian-administration.org)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 02 Feb 2009 23:02:56 -0500
+
+fail2ban (0.8.3-3) experimental; urgency=low
+
+  * BF: addressed added bang to ssh log (closes: #512193).
+    Thanks Silvestre Zabala.
+  * Adjusted description of bantime/findtime in README.Debian (closes:
+    #507771)
+  * Synced current debian revision to FAIL2BAN-0_8@717 of upstream,
+    since it includes fixes to some forwarded bugs. Total list of 
+    functional changes
+    - Added actions to report abuse to ISP, DShield and myNetWatchman.
+      Thanks to Russell Odom.
+    - Added apache-nohome.conf. Thanks to Yaroslav Halchenko.
+    - Added new time format. No idea from where it comes...
+    - Added new regex. Thanks to Tobias Offermann.
+    - Try to match the regex even if the line does not contain a valid
+      date/time. Described in Debian #491253. Thanks to Yaroslav
+      Halchenko.
+    - Removed "timeregex" and "timepattern" stuff that is not needed
+      anymore.
+    - Added date template for Day-Month-Year Hour:Minute:Second 
+      (closes: #491253)
+    - Added date pattern for Hour:Minute:Second. Thanks to Andreas
+      Itzchak Rehberg.
+    - Use current day and month instead of Jan 1st if both are not
+      available in the log. Thanks to Andreas Itzchak Rehberg.
+    - Improved pattern. Thanks to Yaroslav Halchenko.
+    - Merged patches from Debian package. Thanks to Yaroslav Halchenko.
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 18 Jan 2009 11:31:01 -0500
+
+fail2ban (0.8.3-2) unstable; urgency=low
+
+  * BF in apache-noscript.conf - regexp matched in referer (Closes: #492319).
+    Thanks Bernd Zeimetz.
+  * BF: extended apache-noscript with additional regexp
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 25 Jul 2008 13:33:56 -0400
+
+fail2ban (0.8.3-1) unstable; urgency=low
+
+  * Fresh upstream release
+  * Boosted policy compliance to 3.8.0 (no changes needed)
+  * Specify explicitely facilities in "Failed .. for". Thanks Dean
+    Gaudet. (closes: #481760)
+  * Added failregex for "User not known" in sshd.conf. thanks Alexander
+    Gerasiov (closes: #479966)
+
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 21 Jul 2008 10:27:12 -0400
+
+fail2ban (0.8.2-3) unstable; urgency=low
+
+  * Changes propagated from upstream trunk (future 0.8.3):
+    - Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
+    - Changed some log level.
+    - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to
+      Dennis Winter.
+    - Fixed PID file while started in daemon mode. Thanks to Christian
+      Jobic who submitted a similar patch (closes: #479703)
+    - Added gssftpd filter. Thanks to Kevin Zembower.
+    - Process failtickets as long as failmanager is not empty.
+  * Assure that /var/run/fail2ban exists upon start (LP: #222804, #223706)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 06 May 2008 10:49:34 -0400
+
+fail2ban (0.8.2-2) unstable; urgency=low
+
+  * BF: Recommends whois, which is used in some actions (LP: #213227)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 07 Apr 2008 10:25:52 -0400
+
+fail2ban (0.8.2-1) unstable; urgency=low
+
+  * New upstream release! Divergence from Debian version descreased
+    considerably, Major changes:
+     - "full line failregex"
+     - Moved socket to /var/run/fail2ban.
+     - Removed Python 2.4. Minimum required version is now Python 2.3.
+     - New log rotation detection algorithm.
+     - Some wishlists got accepted (closes: #456567, #468477, #462060,
+     #461426)
+     - Leap year issue (closes: #468452)
+  * debian/watch: switched to git-import-orig
+  * 2 new jails: xinetd-fail, apache-overflows added to jails.conf
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 05 Mar 2008 23:30:56 -0500
+
+fail2ban (0.8.1-5) unstable; urgency=low
+
+  * manually "cherry picked" f6639981:  Fixed "Feb 29" bug. Thanks to
+    James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko
+    for the fix (closes: #468382)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 28 Feb 2008 19:51:53 -0500
+
+fail2ban (0.8.1-4) unstable; urgency=low
+
+  * Debian packaging switched from git+dpatch into pure git way via
+    feature-branches. That revealed the true amount of accumulated patching
+    done of top of vanilla upstream, thus this is the last Debian release
+    prior 0.8.2 upstream release which will hopefully absorb most of the
+    patches
+  * vsftp filter anchoring
+  * Fix/extension of proftpd failrexes (Closes: #461412). Thanks Guido
+    Bozzetto
+  * Added ipmasq rule file (in the examples) to restart fail2ban when
+    iptables are wiped out (closes: #461417). Thanks Guido Bozzetto
+  * Extended apache-noscript filter with more file extensions and to
+    react to "script not found or unable to stat" log message (closes:
+    #456565). Thanks Tim Connors
+  * Fixed == bashism (Closes: #464647). Thanks Raphael Geisser
+  * Confirms to policy 3.7.3 (no changes)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat, 09 Feb 2008 22:08:55 -0500
+
+fail2ban (0.8.1-3) unstable; urgency=low
+
+  * Added Vcs- fields, moved Homepage into source header's field
+  * Propagated patch from 0.9 upstream branch: "Replaced ssocket.py with
+    asyncore/asynchat implementation.  Correct fix for bug #1769616. That is
+    supposed to resolve spontaneous 100% CPU utilization by fail2ban-server."
+  * BF: removed sftp from ssh jails (closes: #436053)
+  * NF: new filter for 'refused connect' (closes: #451093). Thanks Guido
+    Bozzetto
+  * Moved iptables into recommends since fail2ban can work without iptables
+    using some other action (e.g hosts.deny)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 23 Nov 2007 11:42:24 -0500
+
+fail2ban (0.8.1-2) unstable; urgency=low
+
+  * Fixed named-refused filter.
+  * Added force-start action to init script, so it could be forced
+    to start if previous run crashed and left a socket file. Must to be
+    used with caution.
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 18 Oct 2007 18:31:58 -0400
+
+fail2ban (0.8.1-1) unstable; urgency=low
+
+  * New upstream release.
+     Patches absorbed upstream:
+      00_daemon_pids.dpatch
+      00_iptables_allports.dpatch
+      00_vsftp_filter_spaces.dpatch
+      00_resolve_all_names.dpatch
+      00_HOST_ignoreregex.dpatch
+     Patches which needed some tune-up:
+      00_ssh_strong_re.dpatch
+      00_mail-whois-lines.dpatch
+      00_named_refused.dpatch
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 14 Aug 2007 23:15:21 -0400
+
+fail2ban (0.8.0-5~pre1) UNRELEASED; urgency=low
+
+  * Added optional spaces at the end of failregex for vsftpd.
+  * Resolve all "names" which became a part of <HOST>. Previousely only fqdn's
+    were resolved
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 05 Aug 2007 21:38:44 -0400
+
+fail2ban (0.8.0-4) unstable; urgency=low
+
+  * Moved <HOST> expansion into regex.py (closes: #429263). Thanks James
+    Andrewartha.
+  * Added optional regexp entry for process PID in some entries (closes:
+    #426050). Thanks Roderick Schertler.
+  * Added a filter pam_generic to catch any login errors.
+  * Added iptables-allports.
+  * Use /var/run to keep socket file (closes: #425746)
+  * Added a filter for named to catch refused/denied queries
+  * Added new time template matching named log entries
+  * jail.conf has specification of protocol (default to tcp) to be provided to
+    banaction
+  * Adjusted failregex for sshd filter:
+    - anchored properly at the end of line, and source code has .examples
+      files to perform testing of the rules.
+    - added new explicit rule for users not in the AllowUsers lists
+
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 19 Jun 2007 23:04:02 -0400
+
+fail2ban (0.8.0-2) unstable; urgency=low
+
+  * Manually changing the order of debhelper inserted scripts in prerm
+    (Closes: #422655)
+  * Removed obsolete hack to have /bin/env invocation of python for
+    fail2ban-* scripts
+  * Applied changes submitted by Bernd Zeimetz (thanks Bernd):
+    - Removed obsolete Build-Depends-Indep on help2man, python-dev
+    - Explicit removal of *.pyc files compiled during build
+    - Invoke 'python setup.py clean' in clean target, which required also
+      to move python into Build-Depends
+  * Minor clean up of debian/rules
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 16 May 2007 14:13:57 -0400
+
+fail2ban (0.8.0-1) unstable; urgency=low
+
+  * New stable upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat, 05 May 2007 12:35:02 -0400
+
+fail2ban (0.7.9-1) unstable; urgency=low
+
+  * New upstream release
+  * Updated copyright to include current year
+  * Removed patches absorbed upstream
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 19 Apr 2007 21:44:28 -0400
+
+fail2ban (0.7.8-1) unstable; urgency=low
+
+  * New upstream release
+  * Applied post-release upstream changes to resolve issues with
+   - Fix to close opened handlers to log file
+   - Tentative incomplete gamin fix
+   - Fix to "reload" bug
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 26 Mar 2007 17:52:23 -0400
+
+fail2ban (0.7.7-1) unstable; urgency=low
+
+  * New upstream release (included most of the debian-provided patches -- new
+    filters and actions)
+  * Refreshed and made verbatim homepage in description
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu,  8 Feb 2007 22:20:49 -0500
+
+fail2ban (0.7.6-3) unstable; urgency=low
+
+  * Synchronized action.d/iptables-* rules from upstream SVN (closes:
+    #407561)
+  * Minor: options renames in the comments to be in sync with upstream
+  * Use /usr/bin/python interpreter instead of wrapped call to python by
+    /usr/bin/env
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 19 Jan 2007 10:43:59 -0500
+
+fail2ban (0.7.6-2) unstable; urgency=low
+
+  * iptables-multiport is default action to take since Debian kernel arrives
+    with multiport module. That is to address the fact that most services
+    listen on multiple port (for encrypted and non-encrypted connections)
+  * Added [courierauth] jail (First 2 items are to partially address #407404
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 18 Jan 2007 10:35:36 -0500
+
+fail2ban (0.7.6-1) unstable; urgency=low
+
+  * New upstream release, which incorporates fixes introduced in 3~pre
+    non-released versions (which were suggested to the users to overcome
+    problems reported in bug reports). In particular attention should be paid
+    to upstream changelog entries
+    - Several "failregex" and "ignoreregex" are now accepted.
+      Creation of rules should be easier now.
+      This is an alternative solution to 'multiple <HOST>' entries fix,
+      which is not applied to this shipped version - pay caution if upgrading
+      from 0.7.5-3~pre?
+    - Allow comma in action options. The value of the option must
+      be escaped with " or '.
+      That allowed to implement requested ability to ban multiple ports
+      at once (See 373592). README.Debian and jail.conf adjusted to reflect
+      possible use of iptables-mport
+    - Now Fail2ban goes in /usr/share/fail2ban instead of
+      /usr/lib/fail2ban. This is more compliant with FHS.
+      Patch 00_share_insteadof_lib no longer applied
+  * Refactored installed by debian package jail.conf:
+    - Added option banaction which is to incorporate banning agent
+      (usually some flavor of iptables rule), which can then be easily
+      overriden globally or per section
+    - Multiple actions are defined as action_* to serve as shortcuts
+  * Initd script was modified to inform about present socket file which
+    would forbid fail2ban-server from starting
+  * Adjusted default log file for postfix to be /var/log/mail.log
+    (Closes: #404921)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu,  4 Jan 2007 15:24:52 -0500
+
+fail2ban (0.7.5-3~pre6) unstable; urgency=low
+
+  * Fail2ban now bans vsftpd logins (corrected logfile path and failregex)
+    (Closes: #404060)
+  * Made fail2ban-server tollerate multiple <HOST> entries in failregex
+  * Moved call to dh_pycentral before dh_installinit
+  * Removed unnecessary call of dh_shlibdeps
+  * Added filter ssh-ddos to fight DDOS attacks. Must be used with caution
+    if there is a possibility of valid clients accessing through
+    unreliable connection or faulty firewall (Closes: #404487)
+  * Not applying patch any more for rigid python2.4 - it is default now in
+    sid/etch
+  * Moving waiting loop for fail2ban-server to stop under do_stop
+    function, so it gets invoked by both 'restart' and 'stop' commands
+  * do_status action of init script is now using 'fail2ban-client ping'
+    instead of '... status' since we don't really use returned status
+    information, besides the return error code
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 26 Dec 2006 21:56:58 -0500
+
+fail2ban (0.7.5-2) unstable; urgency=low
+
+  * NEWS.Debian confusions - the latest NEWS entry and postinst message were
+    rephrased (Closes: #402350)
+  * Added mail-whois-lines action, which emails log lines containing abuser
+    IP. Those lines are often required for proper abuse reports sent to the
+    Internet providers.  Forwarding of such received emails to the email
+    addresses of abuse departments present in the output of whois is a
+    tentative solution for semi-automatic abuse reporting (Closes: #358810)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 10 Dec 2006 18:55:37 -0500
+
+fail2ban (0.7.5-1) unstable; urgency=low
+
+  * New upstream release which fixes next issues
+   + Socket parameter not work with other path (Closes: #400162)
+   + fail2ban does not start with /etc/init.d/fail2ban start but
+     with fail2ban-client start (Closes: #400278)
+  * Removed obsolete patches left from 0.6
+  * Adjusted wsftpd patch to use <HOST> tag to be in line with the other
+    filter definitions
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu,  7 Dec 2006 20:19:09 -0500
+
+fail2ban (0.7.4-5) unstable; urgency=low
+
+  * Added Suggests on mailx and relevant comments in README.Debian about
+    invoking mail actions (closes: #396668)
+  * Removed obsolete entries in TODO and README
+  * README.Debian describes the use of interpolations vs parameters passed
+    from jail.{conf,local} into an action definitions (closes:
+    #398739)
+  * Initial version of postfix filter has been present in 0.7 (closes:
+    #377711)
+  * Removed Uploaded field from control since I am a DD now. Big thanks to
+    Barak Pearlmutter for being the sponsor of my packages for few years.
+
+ -- Yaroslav O. Halchenko <debian@onerussian.com>  Wed,  6 Dec 2006 22:14:26 -0500
+
+fail2ban (0.7.4-4) unstable; urgency=low
+
+  * Added debian/backports to contain patches necessary for backporting. It
+    gets used by pbuilder-ssh to create package for backports.org
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon,  4 Dec 2006 08:55:48 -0500
+
+fail2ban (0.7.4-3) unstable; urgency=low
+
+  * Reincarnated logrotate configuration (Closes: #397878)
+  * Only block new connects by using a new action iptables-new instead of
+    iptables (Closes: #350746)
+  * Updated README.Debian to reflect transition over to 0.7 branch and to
+    comment on 350746
+  * "Clean" target removes generated .pyc files now (Closes: #398146)
+  * Cleaned up debian/rules a bit
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat, 11 Nov 2006 21:00:18 -0500
+
+fail2ban (0.7.4-2) unstable; urgency=low
+
+  * Added reload/force-reload actions to init script
+  * Adjusted jail.conf a bit
+  * Warning NEWS entry for 0.7.1 was not shown during installation on test
+    boxes, thus postinst was adjusted accordingly to inform the user about the
+    changes in the configuration files since 0.6.
+  * no logrotation anymore? (Closes: #397878)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 10 Nov 2006 10:53:23 -0500
+
+fail2ban (0.7.4-1) experimental; urgency=low
+
+  * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed,  1 Nov 2006 20:54:14 -0500
+
+fail2ban (0.7.4~pre20061023.2-3) experimental; urgency=low
+
+  * Corrected init.d script to properly perform restart due to server delay to
+    react to client command to stop. Handling of status was adjusted as well
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 29 Oct 2006 22:29:27 -0500
+
+fail2ban (0.7.4~pre20061023.2-2) experimental; urgency=low
+
+  * Added apache-noscript to jail.conf
+  * Default action does not send emails to be inline with previous (0.6.x)
+    behavior
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 26 Oct 2006 13:27:20 -0400
+
+fail2ban (0.7.4~pre20061023.2-1) experimental; urgency=low
+
+  * Fresh upstream: fixed a bug with not handling error producing
+    actioncheck call
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 23 Oct 2006 17:00:03 -0400
+
+fail2ban (0.7.4~pre2006102-1) experimental; urgency=low
+
+  * Currrent snapshot of trunk
+  * Removed outdated (applied in 0.7.4 or specific for 0.6.?) patches
+    from debian/patches
+  * Adjusted rule to install man pages -- only .1 files since there are also
+    h2m sources
+  * debian/{rules,control} adjusted to conform all points in recent python
+    policy changes
+  * install under /usr/share instead of /usr/lib
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 23 Oct 2006 00:17:55 -0400
+
+fail2ban (0.7.3-2) experimental; urgency=low
+
+  * Added wuftpd section
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 18 Oct 2006 01:15:00 -0400
+
+fail2ban (0.7.3-1) experimental; urgency=low
+
+  * New upstream release
+  * Debian shipped jail.conf
+  * Refreshen init.d script
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 28 Sep 2006 22:17:16 -0400
+
+fail2ban (0.7.1-0.2) experimental; urgency=low
+
+  * New upstream release (closes: #370095,#366307)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue,  5 Sep 2006 00:26:08 -0400
+
+fail2ban (0.6.1-11) unstable; urgency=low
+
+  * Adjusted manpage for fail2ban.conf to point to shipped examples of
+    configuration files as the source of details about available configuration
+    options (closes: #382403)
+  * Changes in man/fail2ban.conf.5 are managed via dpatch now
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 16 Aug 2006 00:18:59 +0300
+
+fail2ban (0.6.1-10) unstable; urgency=low
+
+  * Adjusted to comply with recent changes in debian python policy and use
+    pycentral to byte compile modules
+  * Filtered out empty entries for ignoreip to reduce confusing WARNING log
+    message
+  * Added configuration parameter "locale" to specify LC_TIME for time
+    pattern matching (closes: #367990,363391)
+  * Verbosity is chosen to be max between cmdline parameters and config file
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu,  6 Jul 2006 20:19:54 -0400
+
+fail2ban (0.6.1-9) unstable; urgency=low
+
+  * Adjusted rm commands in init script to don't use -r for removal of
+    the pidfile (thanks Stephen Gran)
+  * Added clarification about multiport banning to README.Debian
+    (closes: #373592)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 14 Jun 2006 12:05:44 -0400
+
+fail2ban (0.6.1-8) unstable; urgency=low
+
+  * Removed bashism (arrays) from init.d script to make it POSIX shell
+    complient (closes: #368218)
+  * Added new proftpd section
+  * Added new saslauthd section. Thanks to martin f krafft
+    <madduck@debian.org> (closes: #369483)
+  * Mentioned apache2 log file in Other. comment field for FILE in 
+    apache section.  Nothing has to be changed besides the logfile path to
+    work with apache2 (closes: #342144)
+    
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 22 May 2006 15:37:17 -0400
+
+fail2ban (0.6.1-5) unstable; urgency=low
+
+  * Further fixed debian packaging: to comply with policy empty target
+    binary-arch was provided
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 16 May 2006 16:43:37 -0400
+
+fail2ban (0.6.1-4) unstable; urgency=low
+
+  * Adjusted debian packaging:
+    - Clean up of debian/rules: removed commented out dh_ scripts which
+      definetly will never be used
+    - debhelper and dpatch moved to Build-Depends
+    - added --no-compile for python setup.py install, and removed explicit
+      cleaning of .pyc's
+    - fixed separation binary-indep and binary-arch in debian/rules
+    - restricted depends on python >= 2.3
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 16 May 2006 15:53:06 -0400
+
+fail2ban (0.6.1-3) unstable; urgency=low
+
+  * Fixed vsftpd failregexp (closes: #366687)
+  * Started to use dpatch
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 10 May 2006 11:45:57 -0400
+
+fail2ban (0.6.1-2) unstable; urgency=low
+
+  * Assigned maxreinits to 1000 to be reasonable since otherwise logfile grows
+    indefinetly if there is a real problem on the system (closes: #359218)
+  * Adjusted debian/{copyright,watch}
+  * New version of init.d script (Thanks to Aaron Isotton) (closes: #364278)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 27 Mar 2006 12:55:39 -0500
+
+fail2ban (0.6.1-1) unstable; urgency=low
+
+  * New upstream release
+  * In config file added fwchain to ease switching to another input chain
+    (closes: #357164)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat, 18 Mar 2006 23:11:53 -0500
+
+fail2ban (0.6.0-8) unstable; urgency=low
+
+  * Minor adjustments to reduce the deviation from the upstream code
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat, 11 Mar 2006 00:48:14 -0500
+
+fail2ban (0.6.0-7) unstable; urgency=low
+
+  * Fixed a typo in failregex for SSH section (closes: #356112)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu,  9 Mar 2006 15:13:48 -0500
+
+fail2ban (0.6.0-6) unstable; urgency=low
+
+  * Updated README.Debian with information about some cases with
+    not-as-shipped configurations of sshd on the boxes running older versions
+    of openssh server
+  * Included regexps for SSH in case iff authentication as root using keys was
+    attempted whenever PermitRootLogin is set to something else than "yes" and
+    key authentication fails
+  * Included postrm script to remove log files during purge to comply with
+    policy 10.8 (closes: #355443)
+ 
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri,  3 Mar 2006 16:32:38 -0500
+
+fail2ban (0.6.0-5) unstable; urgency=low
+
+  * Fixed Apache section: changed filepath to point at error.log, thus I had
+    to revert timeregex and timepattern to user RFC 2822 format (closes:
+    #354346)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat, 25 Feb 2006 19:56:46 -0500
+
+fail2ban (0.6.0-4) unstable; urgency=low
+
+  * Modifications in README.Debian to reflect a "finding" on
+    not-AllowedUsers banning which requires default Debian configuration
+    of "ChallengeResponseAuthentication no" and "PasswordAuthentication
+    yes"
+  * Fixed Apache timeregex and timepattern to confirm
+    the fomat of time stamp used in Debian's acccess.log (error.log uses
+    RFC 2822 format)
+  * Added section ApacheAttacks to specify some common patterns of attacks on
+    a webserver (awstats.pl as a try). This section stays split from Apache
+    since it is of different nature and might be not appropriate for some
+    users
+  * Forced owner/permissions of log file to be root:adm/640 in postinst and
+    logrotate (closes: #352053)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 16 Jan 2006 04:05:19 -0500
+
+fail2ban (0.6.0-3) unstable; urgency=low
+
+  * ignoreip is now empty by default (closes: #347766)
+  * increased verbosity in verbose=2 mode: now prints options accepted
+    from the config file
+  * to make fail2ban.conf more compact, thus to improve its readability,
+    fail2ban.conf was converted to use "interpolations" provided by
+    ConfigParser class. fw{start,end,{,un}ban} options were moved into
+    DEFAULT section and required options (port, protocol) were added
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 12 Jan 2006 18:32:14 -0500
+
+fail2ban (0.6.0-2) unstable; urgency=low
+
+  * fail2ban path is inserted first in the list to avoid a conflict with
+    existing elsewhere modules with the same names. (Thanks for report and
+    patch to Nick Craig-Wood) (closes: #343821) 
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 19 Dec 2005 17:44:58 +0200
+
+fail2ban (0.6.0-1) unstable; urgency=low
+
+  * Merged with the latest stable upstream release. That incure some
+    changes for the Debian configuration of the package to be more
+    upstream-like. Visible one is: subject in the sent email includes
+    section outside of "[Fail2Ban]"
+  * Updated README.Debian to answer possible question regarding effective
+    bantime starting moment
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 20 Nov 2005 14:56:41 -0500
+
+fail2ban (0.5.4-10) unstable; urgency=low
+
+  * Fixed the order of ssh and apache rules to avoid possible race
+    condition (Thanks to Jefferson Cowart for the bug report) (closes:
+    #339133)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 14 Nov 2005 23:44:45 -0500
+
+fail2ban (0.5.4-9) unstable; urgency=low
+
+  * Fixed init.d script so it doesn't return non-0 status if fail2ban is not
+    running. That fixes issues with purging the package and leaving garbage in
+    /usr/share/fail2ban (Thanx to Justin Pryzby for the insight)
+    (closes: #337223)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu,  3 Nov 2005 17:05:20 -0500
+
+fail2ban (0.5.4-8) unstable; urgency=low
+
+  * Added config option MAIL.localtime (closes: #336449)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 31 Oct 2005 16:53:19 -0500
+
+fail2ban (0.5.4-7) unstable; urgency=low
+
+  * Adjusted init.d script so it is resistant to delayed shutdowns of
+    fail2ban and in general more stable
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 20 Oct 2005 21:22:03 -0400
+
+fail2ban (0.5.4-6.2) unstable; urgency=low
+
+  * Fixed typos (thanx to Ross Boylan).
+  * Robust startup: if iptables module gets fully initialized after
+    startup of fail2ban, fail2ban will do "maxreinit" attempts to
+    initialize its own firewall. It will sleep between attempts for
+    "polltime" number of seconds (closes: #334272).
+  * To overcome possible conflict with other firewall solutions and as a
+    secondary solution for the bug 334272, fail2ban startup is moved
+    during bootup to the latest (S99) sequenece position. That should not
+    cause any discomfort I believe.
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 18 Oct 2005 15:54:38 -0400
+
+fail2ban (0.5.4-5.14) unstable; urgency=low
+
+  * Added a notification regarding the importance of 0.5.4-5 change of
+    failregex in the config file.
+  * Adjusted address to FSF.
+  * Adjusted failregex for SSH so it bans "Illegal user" entries as well, and
+    restricted full failregex more to include ":" at the beginning, because
+    otherwise it might not be sufficient and would revive bug 330827 (closes:
+    #333056).
+  * Adjusted failregex for SSH to accommodate recent changes in logging of
+    SSH: Illegal -> Invalid. Should match both now.
+  * Fixed a problem of raise AttributeError exception reported as a side
+    effect of crash during parsing of the config file.
+  * Introduced fwcheck option to verify consistency of the
+    chains. Implemented automatic restart of fail2ban main function in
+    case check of fwban or fwunban command failed (closes: #329163, #331695).
+    (Introduced patch was further adjusted by upstream author).
+  * Added -f command line parameter for [findtime].
+  * Fixed the issue of not respecting command line parameters for parameters
+    within sections.
+  * Added -e command line parameter to provide enabled sections from command
+    line.
+  * Added a cleanup of firewall rules on emergency shutdown when unknown
+    exception is catched.
+  * Fail2ban should not crash now if a wrong file name is specified in
+    config.
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon,  3 Oct 2005 22:26:28 -1000
+
+fail2ban (0.5.4-5) unstable; urgency=low
+
+  * Made failregex'es more specific to don't allow usernames to be used as a
+    tool for denial of service attacks. Config files (or at least
+    failregex'es) must be updated from this package, otherwise the security
+    breach would remain open and only warning gets issued (closes: #330827)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat,  1 Oct 2005 02:42:23 -1000
+
+fail2ban (0.5.4-4) unstable; urgency=low
+
+  * On a request from Calum Mackay added reporting of the enabled sections
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 29 Sep 2005 11:20:43 -1000
+
+fail2ban (0.5.4-3) unstable; urgency=low
+
+  * Resolved the mystery of debug mode in which commands are not really
+    executed: added verbose option to config file, removed -v from
+    /etc/default/fail2ban, reordered code a bit so that log targets are
+    setup right after background and then only loglevel (verbose,debug) is
+    processed, so the warning could be seen in the logs
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 29 Sep 2005 00:20:43 -1000
+
+fail2ban (0.5.4-2) unstable; urgency=low
+
+  * Now exporting PATH explicitely in init.d/fail2ban script, to avoid
+    problems finding iptables in the cases when PATH was not exported outside
+    (cfengine, broken shell environment) (closes: #329304)
+  * Removed -b from start-stop-daemon because fail2ban detahes on its own
+  * Added @localhost to MAIL:from and MAIL:to in fail2ban.conf and placed
+    a note to README.Debian regarding necessity to specify full email
+    address in MAIL:from (closes: #329722)
+  * Added a keyword <section> in parsing of the subject and the body of an
+    email sent out by fail2ban (closes: #330311)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Wed, 27 Sep 2005 08:09:06 -0400
+
+fail2ban (0.5.4-1) unstable; urgency=low
+
+  * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 20 Sep 2005 12:19:19 -0400
+
+fail2ban (0.5.3-2) unstable; urgency=low
+
+  * Refined comments in README.Debian
+  * Reindented init.d script
+  P.S. Was not released
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 11 Sep 2005 15:19:44 -0400
+
+fail2ban (0.5.3-1) unstable; urgency=low
+
+  * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri,  9 Sep 2005 16:55:00 -0400
+
+fail2ban (0.5.2-5) unstable; urgency=low
+
+  * Included a patch from Stephen Gildea to provide "status" report by
+    init.d script
+  * Included a note in README.Debian regarding the fail2ban iptable's
+    chains
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri,  9 Sep 2005 14:52:24 -0400
+
+fail2ban (0.5.2-4) unstable; urgency=low
+
+  * Format of SYSLOG entries is up to the standard now
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 19 Aug 2005 00:06:44 -1000
+
+fail2ban (0.5.2-3) unstable; urgency=low
+
+  * Fixed errata in /etc/default/fail2ban (closes: #323451)
+  * Fixed handling of SYSLOG logging target. Now it can log to any syslog
+    target and facility as directed by the config (revisions 160:166 patch
+    from syslog branch) (closes: #323543)
+  * Included upstream README and TODO
+  * Mentioned in README.Debian that apache section is disabled by default
+  * Adjusted man pages to cross-reference each other
+  * Moved fail2ban man page under section 8 as in upstream
+  * Introduced findtime configuration variable to control the lifetime
+    of caught "failed" log entries (closes: #323840)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 16 Aug 2005 11:23:28 -1000
+
+fail2ban (0.5.2-2) unstable; urgency=low
+
+  * Updated description to reflect flexibility in application of fail2ban
+  * Included logrotate (Thanks to Baruch Even)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat, 13 Aug 2005 04:51:57 -0400
+
+fail2ban (0.5.2-1) unstable; urgency=low
+
+  * New upstream release
+  * No log4py any more
+  * removed -i eth0 from config
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat,  6 Aug 2005 09:21:07 -1000
+
+fail2ban (0.5.1-1) unstable; urgency=low
+
+  * New upstream release
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat, 23 Jul 2005 08:50:00 -1000
+
+fail2ban (0.5.0-1) unstable; urgency=low
+
+  * New upstream release
+  * Libraries placed under /usr/share/fail2ban instead of /usr/lib/fail2ban
+  * Corrections to the description of the package
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 12 Jul 2005 23:33:20 -1000
+
+fail2ban (0.4.1-1) unstable; urgency=low
+
+  * First upstream release of a Debian package
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 04 Jul 2005 11:47:23 +0300
--- fail2ban-0.8.6.orig/debian/README.Debian
+++ fail2ban-0.8.6/debian/README.Debian
@@ -0,0 +1,234 @@
+fail2ban (>=0.7.0) for Debian
+-----------------------------
+
+This package is ~99% identical to the upstream version. Few features
+could have been added but not yet propagated into upstream version and
+some modifications might be Debian-specific. Debian specific jail.conf
+file is shipped. Original upstream file is available from
+/usr/share/doc/fail2ban/examples/jail.conf
+
+Currently, the major difference with upstream: python libraries are
+placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to
+comply with policy regarding architecture independent resources.
+
+Upgrade from 0.6 versions:
+-------------------------
+
+* New Config Files Format:
+
+If you had introduced your own sections in /etc/fail2ban.conf, you
+would need manually to convert them into a new format. At minimum you
+need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files
+for me and upstream please to avoid any conflicts -- introduce your
+changes in .local) with failregex in [Definition] section. And provide
+appropriate jail definition in /etc/fail2ban/jail.local
+
+
+* Enabled Sections:
+
+Only handling of ssh files is enabled by default. If you want to use
+fail2ban with apache, please enable apache section manually in
+/etc/fail2ban/jail.local by including next lines:
+
+[apache]
+enabled = true
+
+NOTE: -e command line parameter is non existant in 0.7.x
+
+
+* Interpolations vs actions/filters parameters:
+
+For details see #398739 or wait for a closure of #400416
+
+Every pair of .conf and then .local (if exists) files is read
+separately from any other configuration file, so interpolations cannot
+penetrate from jail.* into actions.d/*. To overcome this, it is
+necessary to create a PARAMETER which can be substituted in actions
+[Definition] section, if it is also defined in the [Init] section of
+that file and is used in place of necessary allocation as <PARAMETER>
+tag. Parameters can be specified in the definitions within
+jail.{conf,local}. For instance, 1 lengthy example, where the same
+name "fwchain" is used both as interpolation (in jail.local) and as a
+parameter (in iptables-flex.local) (from #398739)
+
+==> /etc/fail2ban/jail.local <==
+[DEFAULT]
+action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s]
+fwchain = INPUT
+[ssh]
+fwchain = ssh-tarpit
+==> /etc/fail2ban/action.d/iptables-flex.local <==
+[Definition]
+actionstart = iptables -N fail2ban-<name>
+               iptables -I <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+               iptables -I <fwchain> -j <whitelist>
+actionstop  = iptables -D <fwchain> -j <whitelist>
+               iptables -D <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+               iptables -F fail2ban-<name>
+               iptables -X fail2ban-<name>
+actioncheck = iptables -n -L <fwchain> | grep -q fail2ban-<name>
+actionban   = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+[Init]
+whitelist = ssh-whitelist
+fwchain = INPUT
+name = default
+port = ssh
+protocol = tcp
+
+
+* Multiport banning: Comment for #373592, #545971
+
+iptables-multiport action is now default banaction (file jail.conf, to
+be customized within jail.local). Therefore assure that you have built
+multiport module if you use custom kernel.
+
+If you would like to ban all ports for that host, just redefine
+fwban/fwunban commands to don't have --dport %(port)s statement at
+all, or use shorewall, where actionban bans whole IP.
+
+* Blocking of NEW connections only
+Comment for the wishlist #350746.
+
+It might be benefitial in some cases to ban only new connections. For
+that just use iptables-new action instead of default banaction
+
+/etc/fail2ban/jail.local:
+
+[DEFAULT]
+banaction=iptables-new
+
+(you can override banaction within interesting for you section).
+ Also you can redefine the whole action parameter if you like.
+
+
+* Interaction with ipmasq
+  Comment to #461417
+
+Although fail2ban should detect and recreate missing chains if the external
+command wipes out iptables, it is better to explicitly to force-reload
+fail2ban. For this reason there is examples/ipmasq-ZZZzzz|fail2ban.rul file is
+shipped along to be installed under name ZZZzzz|fail2ban.rul within
+/etc/ipmasq.
+
+* Interaction with logrotate with custom logtarget
+  Comment to #631917
+
+if you use an alternative logtarget (e.g. SYSLOG) thus not using
+/var/log/fail2ban.log you should divert logrotate configuration into
+a disabled state, e.g.
+
+sudo dpkg-divert --rename --divert \
+	 /etc/logrotate.d/fail2ban.disabled /etc/logrotate.d/fail2ban
+
+
+Troubleshooting:
+---------------
+
+* Updated failregex:
+
+To resolve the security bug #330827 [1] failregex expressions must
+provide a named group (?P<host>...) as a placeholder of the abuser's
+host. Alternative tag (since 0.7.5) can be "<HOST>". The naming of the
+group was introduced to capture possible future generalizations of
+failregex to provide even more information.
+
+[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
+
+You might benefit from using fail2ban-regex command shipped along to
+construct and debug your failregex statements.
+
+* "Interpolations" in the config file:
+
+Since version 0.6.0-3 to reduce duplication, thus to improve
+readability of the config file, interpolations provided by the module
+ConfigParser are used. If you had custom sections defined before, you
+might benefit from updating config file and adding appropriate
+information for the new sections.
+
+N.B. If you have some nice additional sections defined, I would really
+appreciate if you share them with me or upstream author, so they could
+be eventually included in the fail2ban package for general use by the
+rest of the community.
+
+
+* Mailing:
+
+Since actions.d/mail*.conf commands rely on presence of "mail"
+command, mailx package (or another package providing mailx
+functionality such as mailutils) is required if those actions are
+activated in jail.{conf,local}.
+
+
+* Dirty exit:
+
+If firewall rules gets cleaned out before fail2ban exits (like was
+happening with firestarter), errors get reported during the exit of
+fail2ban, but they are "safe" and can be ignored.
+
+
+** SSHD Configuration Specific Problems
+
+* Ban "Not allowed" attempts:
+
+Make sure that you have
+ChallengeResponseAuthentication no
+PasswordAuthentication yes
+
+Details from the bug report #350980 [2]
+
+[2]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350980
+
+
+* Not caught attempts to login as root
+
+On the boxes running older versions of openssh (e.g. sarge
+distribution) in the case when PermitRootLogin is set to something
+else than "yes" and iff AllowUsers is active, failed root logins do
+not confirm to the standard logging message -- they omit the source
+IP, thus allowing attack to persist since such messages are not caught
+by fail2ban.
+
+
+* Bantime:
+
+An IP is banned for "bantime" not since the last failed login attempt
+from the IP, but rather since the moment when failed login was
+detected by fail2ban. Thus, if fail2ban gets [re]started, any IP which
+had enough of failed logins with durations less than "findtime" between
+them prior to the [re]start moment, will be banned for
+"bantime" since [re]start moment, not since the last failed login
+time.
+
+* Findtime:
+
+"Findtime" option of a jail actually defines a duration to reset the
+counter of failed login attempts, if no new attempt was detected within
+that time frame (i.e.  within "findtime").
+
+See
+http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options
+for more information on jail options.
+
+
+* Syslog entries can be 'forged' by a regular user
+
+From
+http://fail2ban.sourceforge.net/wiki/index.php/FAQ_english#What_do_I_have_to_consider_when_using_Fail2ban
+
+Especially on systems wich provide ssh/CGI/PHP services to unknown
+users it is possible to block other users from ssh and probably other
+access as a unprivileged user may issue:
+
+logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4'
+
+N.B. chmod o-x /usr/bin/logger should provide at least obfuscation
+solution
+
+Or the malicious user may write via PHP's openlog()/syslog() to syslog.
+
+P.S. Anyone is welcome to recommend proper security solution to this
+issue, such as an alternative to sysklogd which allows better control
+over users logging to specific facilities (such as AUTH)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>, Thu, 28 Jul 2011 23:19:44 -0400
--- fail2ban-0.8.6.orig/debian/copyright
+++ fail2ban-0.8.6/debian/copyright
@@ -0,0 +1,31 @@
+This package was originally debianized by Yaroslav Halchenko
+<debian@onerussian.com> on Mon Jul  4 14:41:34 HST 2005
+
+It was downloaded from http://www.sourceforge.net/projects/fail2ban
+
+Author: Cyril Jaquier: <cyril.jaquier@fail2ban.org>
+        http://fail2ban.sourceforge.net
+
+Copyright: 2004-2009 Cyril Jaquier
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the
+Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+MA 02110-1301, USA.
+
+On Debian systems, the complete text of the GNU General Public
+License, version 2, can be found in /usr/share/common-licenses/GPL-2.
+
+The Debian packaging is (C) 2006-2011, Yaroslav Halchenko <debian@onerussian.com>
+and is licensed under the GPL, see above.
+
--- fail2ban-0.8.6.orig/debian/postrm
+++ fail2ban-0.8.6/debian/postrm
@@ -0,0 +1,42 @@
+#! /bin/sh
+# postrm script for fail2ban
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see /usr/doc/packaging-manual/
+
+
+case "$1" in
+       purge|disappear)
+       				
+		# Remove configuration
+                rm -f /etc/fail2ban.conf
+		
+		# Remove logs
+		rm -f /var/log/fail2ban*
+		
+		;;
+       remove|upgrade|failed-upgrade|abort-install|abort-upgrade)
+		# nothing
+		# We may not delete the user fail2ban, as there may be
+		# files owned by it in /var/log/ and /etc/.
+        	;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+
--- fail2ban-0.8.6.orig/debian/rules
+++ fail2ban-0.8.6/debian/rules
@@ -0,0 +1,82 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DESTDIR=$(CURDIR)/debian/fail2ban
+
+configure: configure-stamp
+configure-stamp:
+	dh_testdir
+	touch configure-stamp
+
+build:
+
+build-arch:
+
+build-indep:
+
+clean: clean-inits
+	dh_testdir
+	dh_testroot
+	rm -f  build-stamp configure-stamp
+	rm -rf build
+	# Does not hurt to ask distutils to do their duty
+	python setup.py clean
+	# Enforce removal of *.pyc files. Apparently dh_clean does
+	# not perform find on provided filename patterns.
+	find . -name \*.pyc -exec rm -f {} \;
+	dh_clean
+
+install: build
+	dh_testdir
+	dh_testroot
+	dh_clean -k
+	dh_installdirs
+
+	# Install the package into debian/fail2ban.
+	python setup.py install --root=$(DESTDIR) --no-compile --install-layout=deb
+	# Install Debian shipped jail file in 1 piece (instead of patching
+	# the shipped one since there are too many changes)
+	install -m 644 debian/jail.conf $(DESTDIR)/etc/fail2ban
+	# Remove explicitely created /var/run/fail2ban
+	# just to please lintian since init file will
+	# take care about it anyways
+	rm -rf $(DESTDIR)/var/run/fail2ban
+
+#
+# Just to comply with policy 4.8
+binary-arch:
+
+# Build architecture-independent files here.
+binary-indep: install
+	dh_testdir
+	dh_testroot
+	dh_installchangelogs ChangeLog
+	dh_installdocs
+	dh_installexamples config/jail.conf files/ipmasq-*
+	dh_installlogrotate
+	dh_pycentral
+	dh_installinit -- defaults 99
+	# perform swap of order of calls to init and pycentral in prerm
+	# to close #422655 -- pycentral section is cut and placed at
+	# the end of the file
+	sed -i -e '/^#.*ed by dh_pycentral/,/# End auto/{H;d};$$G' \
+		debian/fail2ban.prerm.debhelper
+	dh_installman man/*.1
+	dh_link
+	dh_compress
+	dh_fixperms
+	dh_installdeb
+	dh_gencontrol
+	dh_md5sums
+	dh_builddeb
+
+binary: binary-indep
+.PHONY: build clean binary-indep binary-arch binary install configure copy-inits clean-inits
--- fail2ban-0.8.6.orig/debian/docs
+++ fail2ban-0.8.6/debian/docs
@@ -0,0 +1,3 @@
+README
+TODO
+doc/run-rootless.txt
--- fail2ban-0.8.6.orig/debian/postinst
+++ fail2ban-0.8.6/debian/postinst
@@ -0,0 +1,90 @@
+#! /bin/sh
+# postinst script for fail2ban
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+preversion=$2
+
+case "$1" in
+    configure)
+       # To fix the bug in generated by previous version files permissions
+       # also closes #352053
+
+       LOG=/var/log/fail2ban.log
+       touch $LOG
+       chown root:adm ${LOG}*
+       chmod 640 ${LOG}*
+        
+       # Note regarding changed configuration file
+       # Note regarding changed configuration file
+		if [ ! -z $preversion ]; then
+			if dpkg --compare-versions $preversion lt 0.7.1-1; then
+			cat <<EOF
+WARNING!
+  
+  Fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you
+  customized any of provided configuration or startup files
+  (/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban), please
+  read relevant entry in /usr/share/doc/fail2ban/NEWS.Debian.gz.
+  
+EOF
+			fi
+			if dpkg --compare-versions $preversion lt 0.5.4-5.14; then
+			cat <<EOF
+WARNING!
+
+ Configuration file /etc/fail2ban.conf, failregex configuration
+ parameter specificly, were changed in 0.5.4-5 to close reported
+ security breach, and in 0.5.4-5.14 to close few other bugs.
+
+updating from <0.5.4-5
+ Unless configuration file (or corresponding failregex'es) gets updated,
+ security breach is not closed and corresponding warning will be reported
+ by the fail2ban (in the log files).
+
+updating from <0.5.4-5.14
+ Bugs #329163, #331695 dealing with changed iptables rules
+ outside of fail2ban were fixed in 0.5.4-5.14, and require upgrade of the
+ configuration file (fwcheck option was introduced) to take full
+ advantage of the problem solution (otherwise some problems might
+ persist)
+
+ Please review the configuration file and make appropriate changes.
+ENJOY!
+
+EOF
+			fi
+		fi
+		;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
--- fail2ban-0.8.6.orig/debian/fail2ban.logrotate
+++ fail2ban-0.8.6/debian/fail2ban.logrotate
@@ -0,0 +1,17 @@
+/var/log/fail2ban.log {
+   
+    weekly
+    rotate 4
+    compress
+
+    delaycompress
+    missingok
+    postrotate
+	fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
+    endscript
+
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
--- fail2ban-0.8.6.orig/debian/gbp.conf
+++ fail2ban-0.8.6/debian/gbp.conf
@@ -0,0 +1,18 @@
+[DEFAULT]
+# the default branch for upstream sources:
+upstream-branch = upstream
+# the default branch for the debian patch:
+debian-branch = debian-releases/wheezy
+# use pristine-tar
+pristine-tar = True
+# the default tag formats used:
+upstream-tag = upstream/%(version)s
+debian-tag = debian/%(version)s
+
+
+# Options only affecting git-buildpackage
+[git-buildpackage]
+# use this for more svn-buildpackage like bahaviour:
+export-dir = ../build-area/
+tarball-dir = ../tarballs/
+
--- fail2ban-0.8.6.orig/debian/NEWS
+++ fail2ban-0.8.6/debian/NEWS
@@ -0,0 +1,47 @@
+fail2ban (0.8.4-3) unstable; urgency=low
+
+  * Jail named-refused-udp is unsafe and opens possibility for easy DoS,
+    thus discouraged to be used, and commented out (see #583364 for more
+    information).
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Mon, 28 Jun 2010 22:12:22 -0400
+
+fail2ban (0.7.1-0.2) unstable; urgency=low
+
+  fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you
+  customized any of provided configuration or startup files
+  (/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban),
+  please read further. The configuration scheme has changed upstream:
+  0.7 ignores /etc/fail2ban.conf and instead uses a split configuration
+  under /etc/fail2ban/. To retain your customizations, for example to
+  monitor anything other than sshd, you will need to set them under that
+  new directory; use *.local files for customizations. Please see
+  /usr/share/doc/fail2ban/README.Debian.gz and
+  http://fail2ban.sourceforge.net for further description of new
+  configuration scheme. Detailed documentation is under development (see
+  #400416).  When you are satisfied with the new settings, please delete
+  /etc/fail2ban.conf to avoid confusion.
+
+  Fail2ban 0.7 uses client/server architecture and fail2ban-client is to
+  substitute fail2ban command to provide an interface between the user and
+  fail2ban-server. That is why some command line parameters present in
+  fail2ban 0.6 are invalid in fail2ban-client. Such change affects
+  /etc/default/fail2ban; you should review that file if you customized it.
+  Please enable sections as directed in README.Debian.gz mentioned above.
+  You must use newly shipped init.d/fail2ban, or otherwise fail2ban will
+  not start.
+
+  This note was rewritten in release 0.7.5-2 to clarify its meaning.
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat,  9 Dec 2006 18:24:36 -0500
+
+fail2ban (0.6.0-4) unstable; urgency=low
+
+  In this version the new section ApacheAttacks was introduced to ban IPs
+  which are found to run some known attack on the host. For now it captures
+  just awstats and mambo related attacks. To make this feature work, the bug of
+  wrongly specified timeregexp for Apache's access.log file was fixed.
+  Besides that group of log files has changed to be adm, and now they are
+  readable by the group.
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 10 Feb 2006 13:05:07 -0500
--- fail2ban-0.8.6.orig/debian/pycompat
+++ fail2ban-0.8.6/debian/pycompat
@@ -0,0 +1 @@
+2
--- fail2ban-0.8.6.orig/debian/TODO
+++ fail2ban-0.8.6/debian/TODO
@@ -0,0 +1,6 @@
+* Collect more sections for other log files
+* Find proper answer to "Syslog entries can be 'forged' by a regular
+   user" mentioned in README.Debian
+
+ -- Yaroslav O. Halchenko <debian@onerussian.com>  Wed,  6 Dec 2006 22:14:26 -0500
+
--- fail2ban-0.8.6.orig/debian/fail2ban.init
+++ fail2ban-0.8.6/debian/fail2ban.init
@@ -0,0 +1,242 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          fail2ban
+# Required-Start:    $local_fs $remote_fs
+# Required-Stop:     $local_fs $remote_fs
+# Should-Start:      $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
+# Should-Stop:       $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start/stop fail2ban
+# Description:       Start/stop fail2ban, a daemon scanning the log files and
+#                    banning potential attackers.
+### END INIT INFO
+
+# Author: Aaron Isotton <aaron@isotton.com>
+# Modified: by Yaroslav Halchenko <debian@onerussian.com>
+#  reindented + minor corrections + to work on sarge without modifications
+# Modified: by Glenn Aaldering <glenn@openvideo.nl>
+#  added exit codes for status command
+#
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+DESC="authentication failure monitor"
+NAME=fail2ban
+
+# fail2ban-client is not a daemon itself but starts a daemon and
+# loads its with configuration
+DAEMON=/usr/bin/$NAME-client
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Ad-hoc way to parse out socket file name
+SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
+          | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
+[ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Run as root by default.
+FAIL2BAN_USER=root
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+DAEMON_ARGS="$FAIL2BAN_OPTS"
+
+# Load the VERBOSE setting and other rcS variables
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+# Predefine what can be missing from lsb source later on -- necessary to run
+# on sarge. Just present it in a bit more compact way from what was shipped
+log_daemon_msg () {
+	[ -z "$1" ] && return 1
+	echo -n "$1:"
+	[ -z "$2" ] || echo -n " $2"
+}
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
+#  so we must be ok
+. /lib/lsb/init-functions
+
+#
+# Shortcut function for abnormal init script interruption
+#
+report_bug()
+{
+	echo $*
+	echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
+	exit 1
+}
+
+#
+# Helper function to check if socket is present, which is often left after
+# abnormal exit of fail2ban and needs to be removed
+#
+check_socket()
+{
+	# Return
+	#	0 if socket is present and readable
+	#	1 if socket file is not present
+	#	2 if socket file is present but not readable
+	#	3 if socket file is present but is not a socket
+	[ -e "$SOCKFILE" ] || return 1
+	[ -r "$SOCKFILE" ] || return 2
+	[ -S "$SOCKFILE" ] || return 3
+	return 0
+}
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#	0 if daemon has been started
+	#	1 if daemon was already running
+	#	2 if daemon could not be started
+	do_status && return 1
+
+	if [ -e "$SOCKFILE" ]; then
+		log_failure_msg "Socket file $SOCKFILE is present"
+		[ "$1" = "force-start" ] \
+			&& log_success_msg "Starting anyway as requested" \
+			|| return 2
+		DAEMON_ARGS="$DAEMON_ARGS -x"
+	fi
+
+	# Assure that /var/run/fail2ban exists
+	[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
+
+	if [ "$FAIL2BAN_USER" != "root" ]; then
+		# Make the socket directory, IP lists and fail2ban log
+		# files writable by fail2ban
+		chown "$FAIL2BAN_USER" /var/run/fail2ban
+		# Create the logfile if it doesn't exist
+		touch /var/log/fail2ban.log
+		chown "$FAIL2BAN_USER" /var/log/fail2ban.log
+		find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
+	fi
+
+	start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
+		$DAEMON_ARGS start > /dev/null\
+		|| return 2
+
+	return 0
+}
+
+
+#
+# Function that checks the status of fail2ban and returns
+# corresponding code
+#
+do_status()
+{
+	$DAEMON ping > /dev/null
+	return $?
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#	0 if daemon has been stopped
+	#	1 if daemon was already stopped
+	#	2 if daemon could not be stopped
+	#	other if a failure occurred
+	$DAEMON status > /dev/null || return 1
+	$DAEMON stop > /dev/null || return 2
+
+	# now we need actually to wait a bit since it might take time
+	# for server to react on client's stop request. Especially
+	# important for restart command on slow boxes
+	count=1
+	while do_status && [ $count -lt 60 ]; do
+		sleep 1
+		count=$(($count+1))
+	done
+	[ $count -lt 60 ] || return 3 # failed to stop
+
+	return 0
+}
+
+#
+# Function to reload configuration
+#
+do_reload() {
+	$DAEMON reload > /dev/null && return 0 || return 1
+	return 0
+}
+
+# yoh:
+# shortcut function to don't duplicate case statements and to don't use
+# bashisms (arrays). Fixes #368218
+#
+log_end_msg_wrapper()
+{
+	[ $1 -lt $2 ] && value=0 || value=1
+	log_end_msg $value
+}
+
+command="$1"
+case "$command" in
+	start|force-start)
+		[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+		do_start "$command"
+		[ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
+		;;
+
+	stop)
+		[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+		do_stop
+		[ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
+		;;
+
+	restart|force-reload)
+		log_daemon_msg "Restarting $DESC" "$NAME"
+		do_stop
+		case "$?" in
+			0|1)
+				do_start
+				log_end_msg_wrapper $? 1
+				;;
+			*)
+				# Failed to stop
+				log_end_msg 1
+				;;
+ 		esac
+		;;
+
+	reload|force-reload)
+        log_daemon_msg "Reloading $DESC" "$NAME"
+        do_reload
+        log_end_msg $?
+        ;;
+
+	status)
+		log_daemon_msg "Status of $DESC"
+		do_status
+		case $? in
+			0)  log_success_msg " $NAME is running" ;;
+			255)
+				check_socket
+				case $? in
+					1)  log_failure_msg " $NAME is not running" && exit 3 ;;
+					0)  log_failure_msg " $NAME is not running but $SOCKFILE exists" && exit 3 ;;
+					2)  log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown" && exit 3 ;;
+					3)  log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown" && exit 3 ;;
+					*)  report_bug "Unknown return code from $NAME:check_socket." && exit 4 ;;
+				esac
+				;;
+			*)  report_bug "Unknown $NAME status code" && exit 4
+		esac
+		;;
+	*)
+		echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" >&2
+		exit 3
+		;;
+esac
+
+:
--- fail2ban-0.8.6.orig/debian/jail.conf
+++ fail2ban-0.8.6/debian/jail.conf
@@ -0,0 +1,314 @@
+# Fail2Ban configuration file.
+#
+# This file was composed for Debian systems from the original one
+#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
+#  for additional examples.
+#
+# To avoid merges during upgrades DO NOT MODIFY THIS FILE
+# and rather provide your changes in /etc/fail2ban/jail.local
+#
+# Author: Yaroslav O. Halchenko <debian@onerussian.com>
+#
+# $Revision$
+#
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host
+ignoreip = 127.0.0.1/8
+bantime  = 600
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification. Available
+# options are "gamin", "polling" and "auto".
+# yoh: For some reason Debian shipped python-gamin didn't work as expected
+#      This issue left ToDo, so polling is default backend for now
+backend = auto
+
+#
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = root@localhost
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# email action. Since 0.8.1 upstream fail2ban uses sendmail
+# MTA for the mailing. Change mta configuration parameter to mail
+# if you want to revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+#
+# JAILS
+#
+
+# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
+# was shipped in Debian. Enable any defined here jail by including
+#
+# [SECTION_NAME]
+# enabled = true
+
+#
+# in /etc/fail2ban/jail.local.
+#
+# Optionally you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+[ssh]
+
+enabled  = true
+port     = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+maxretry = 6
+
+[dropbear]
+
+enabled  = false
+port     = ssh
+filter   = sshd
+logpath  = /var/log/dropbear
+maxretry = 6
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+
+enabled  = false
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter   = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port     = all
+banaction = iptables-allports
+port     = anyport
+logpath  = /var/log/auth.log
+maxretry = 6
+
+[xinetd-fail]
+
+enabled   = false
+filter    = xinetd-fail
+port      = all
+banaction = iptables-multiport-log
+logpath   = /var/log/daemon.log
+maxretry  = 2
+
+
+[ssh-ddos]
+
+enabled  = false
+port     = ssh
+filter   = sshd-ddos
+logpath  = /var/log/auth.log
+maxretry = 6
+
+#
+# HTTP servers
+#
+
+[apache]
+
+enabled  = false
+port     = http,https
+filter   = apache-auth
+logpath  = /var/log/apache*/*error.log
+maxretry = 6
+
+# default action is now multiport, so apache-multiport jail was left
+# for compatibility with previous (<0.7.6-2) releases
+[apache-multiport]
+
+enabled   = false
+port      = http,https
+filter    = apache-auth
+logpath   = /var/log/apache*/*error.log
+maxretry  = 6
+
+[apache-noscript]
+
+enabled  = false
+port     = http,https
+filter   = apache-noscript
+logpath  = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-overflows]
+
+enabled  = false
+port     = http,https
+filter   = apache-overflows
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+#
+# FTP servers
+#
+
+[vsftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = vsftpd
+logpath  = /var/log/vsftpd.log
+# or overwrite it in jails.local to be
+# logpath = /var/log/auth.log
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+maxretry = 6
+
+
+[proftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = proftpd
+logpath  = /var/log/proftpd/proftpd.log
+maxretry = 6
+
+
+[pure-ftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = pure-ftpd
+logpath  = /var/log/auth.log
+maxretry = 6
+
+
+[wuftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = wuftpd
+logpath  = /var/log/auth.log
+maxretry = 6
+
+
+#
+# Mail servers
+#
+
+[postfix]
+
+enabled  = false
+port     = smtp,ssmtp
+filter   = postfix
+logpath  = /var/log/mail.log
+
+
+[couriersmtp]
+
+enabled  = false
+port     = smtp,ssmtp
+filter   = couriersmtp
+logpath  = /var/log/mail.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courierauth]
+
+enabled  = false
+port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter   = courierlogin
+logpath  = /var/log/mail.log
+
+
+[sasl]
+
+enabled  = false
+port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter   = sasl
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = /var/log/mail.log
+
+[dovecot]
+
+enabled = false
+port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter  = dovecot
+logpath = /var/log/mail.log
+
+# DNS Servers
+
+
+# These jails block attacks against named (bind9). By default, logging is off
+# with bind9 installation. You will need something like this:
+#
+# logging {
+#     channel security_file {
+#         file "/var/log/named/security.log" versions 3 size 30m;
+#         severity dynamic;
+#         print-time yes;
+#     };
+#     category security {
+#         security_file;
+#     };
+# };
+#
+# in your named.conf to provide proper logging
+
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#[named-refused-udp]
+#
+#enabled  = false
+#port     = domain,953
+#protocol = udp
+#filter   = named-refused
+#logpath  = /var/log/named/security.log
+
+[named-refused-tcp]
+
+enabled  = false
+port     = domain,953
+protocol = tcp
+filter   = named-refused
+logpath  = /var/log/named/security.log
+
--- fail2ban-0.8.6.orig/debian/control
+++ fail2ban-0.8.6/debian/control
@@ -0,0 +1,33 @@
+Source: fail2ban
+Section: net
+Priority: optional
+Maintainer: Yaroslav Halchenko <debian@onerussian.com>
+Build-Depends: debhelper (>= 5.0.37.2), python (>= 2.5.4-1~)
+Build-Depends-Indep: python-central (>= 0.5.6)
+XS-Python-Version: current, >= 2.4
+Homepage: http://www.fail2ban.org
+Vcs-Git: git://github.com/fail2ban/fail2ban.git
+Vcs-Browser: http://github.com/fail2ban/fail2ban
+Standards-Version: 3.9.2
+
+
+Package: fail2ban
+Architecture: all
+Depends: ${python:Depends}, ${misc:Depends}, lsb-base (>=2.0-7)
+Recommends: iptables, whois, python-gamin
+Suggests: mailx
+XB-Python-Version: ${python:Versions}
+Description: ban hosts that cause multiple authentication errors
+ Fail2ban monitors log files (e.g. /var/log/auth.log,
+ /var/log/apache/access.log) and temporarily or persistently bans
+ failure-prone addresses by updating existing firewall rules.  Fail2ban allows
+ easy specification of different actions to be taken such as to ban an
+ IP using iptables or hostsdeny rules, or simply to send a
+ notification email.
+ .
+ By default, it comes with filter expressions for various services
+ (sshd, apache, qmail, proftpd, sasl etc.) but configuration can be
+ easily extended for monitoring any other text file.  All filters and
+ actions are given in the config files, thus fail2ban can be adopted
+ to be used with a variety of files and firewalls.
+
--- fail2ban-0.8.6.orig/debian/fail2ban.default
+++ fail2ban-0.8.6/debian/fail2ban.default
@@ -0,0 +1,39 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
+# valid options.
+FAIL2BAN_OPTS=""
+
+# Run fail2ban as a different user. If not set, fail2ban
+# will run as root.
+#
+# The user is not created automatically.
+# The user can be created e.g. with
+#    useradd --system --no-create-home --home-dir / --groups adm fail2ban
+# Log files are readable by group adm by default. Adding the fail2ban
+# user to this group allows it to read the logfiles.
+#
+# Another manual step that needs to be taken is to allow write access
+# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban
+# script will change the ownership when starting fail2ban. Logrotate
+# needs to be configured seperately, see /etc/logrotate.d/fail2ban.
+#
+# FAIL2BAN_USER="fail2ban"
--- fail2ban-0.8.6.orig/debian/compat
+++ fail2ban-0.8.6/debian/compat
@@ -0,0 +1 @@
+5
--- fail2ban-0.8.6.orig/debian/backports/00list.sarge-backports
+++ fail2ban-0.8.6/debian/backports/00list.sarge-backports
@@ -0,0 +1 @@
+nopycentral.patch
--- fail2ban-0.8.6.orig/debian/backports/nopycentral.patch
+++ fail2ban-0.8.6/debian/backports/nopycentral.patch
@@ -0,0 +1,40 @@
+diff -x '*~' -x .svn -Naur trunk/debian/control trunk.backports/debian/control
+--- trunk/debian/control	2006-10-23 00:57:02.000000000 -0400
++++ trunk.backports/debian/control	2006-12-04 08:45:25.000000000 -0500
+@@ -4,13 +4,13 @@
+ Maintainer: Yaroslav Halchenko <debian@onerussian.com>
+ Uploaders: Barak Pearlmutter <bap@debian.org>
+ Build-Depends: debhelper (>= 5.0.37.2), dpatch
+-Build-Depends-Indep: python, python-dev, help2man, python-central (>= 0.5.6)
++Build-Depends-Indep: python, python2.4, python2.4-dev, help2man
+ XS-Python-Version: current, >= 2.4
+ Standards-Version: 3.7.2
+ 
+ Package: fail2ban
+ Architecture: all
+-Depends: ${python:Depends}, iptables, lsb-base (>=2.0-7)
++Depends: python2.4, iptables, lsb-base (>=2.0-7)
+ Suggests: python-gamin
+ XB-Python-Version: ${python:Versions}
+ Description: bans IPs that cause multiple authentication errors
+diff -x '*~' -x .svn -Naur trunk/debian/rules trunk.backports/debian/rules
+--- trunk/debian/rules	2006-11-11 21:19:14.000000000 -0500
++++ trunk.backports/debian/rules	2006-12-04 08:45:45.000000000 -0500
+@@ -39,7 +39,7 @@
+ 	dh_installdirs
+ 
+ 	# Add here commands to install the package into debian/fail2ban.
+-	python setup.py install --root=$(DESTDIR) --no-compile
++	python2.4 setup.py install --root=$(DESTDIR) --no-compile
+ 	#X Evil - must be removed after Debian switches over to 2.4, now
+ 	#  distutils.setup will override the enterpreter line to /usr/bin/python
+ 	install fail2ban-server fail2ban-client $(DESTDIR)/usr/bin
+@@ -62,7 +62,7 @@
+ 	dh_installlogrotate
+ 	dh_installinit -- defaults 99
+ 	dh_installman man/*.1
+-	dh_pycentral
++	dh_python
+ 	dh_link
+ 	dh_compress
+ 	dh_fixperms