From 8bcd8ae66d1ceb69ae65e59fe4d78527c25e20a1 Mon Sep 17 00:00:00 2001
From: root <root@helga.brehm-online.com>
Date: Mon, 15 May 2017 17:15:07 +0200
Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run

---
 .etckeeper                                    |  14 ++
 fail2ban/action.d/badips.conf                 |   4 +-
 fail2ban/action.d/badips.py                   |  21 +--
 fail2ban/action.d/blocklist_de.conf           |   2 +-
 fail2ban/action.d/cloudflare.conf             |   2 +
 fail2ban/action.d/firewallcmd-allports.conf   |   2 +-
 fail2ban/action.d/firewallcmd-multiport.conf  |   6 +-
 .../action.d/firewallcmd-rich-logging.conf    |  65 +++++++++
 fail2ban/action.d/firewallcmd-rich-rules.conf |  57 ++++++++
 fail2ban/action.d/mynetwatchman.conf          |   8 +-
 fail2ban/action.d/nftables-allports.conf      |  22 +++
 fail2ban/action.d/nftables-common.conf        | 119 ++++++++++++++++
 fail2ban/action.d/nftables-multiport.conf     |  22 +++
 fail2ban/action.d/npf.conf                    |  61 +++++++++
 fail2ban/action.d/route.conf                  |   3 +
 fail2ban/filter.d/apache-badbots.conf         |   2 +-
 fail2ban/filter.d/apache-modsecurity.conf     |   3 +-
 fail2ban/filter.d/assp.conf                   |  33 ++++-
 fail2ban/filter.d/asterisk.conf               |  23 ++--
 fail2ban/filter.d/botsearch-common.conf       |   4 +-
 fail2ban/filter.d/common.conf                 |  10 +-
 fail2ban/filter.d/courier-smtp.conf           |   2 +-
 fail2ban/filter.d/dovecot.conf                |  13 +-
 fail2ban/filter.d/exim-common.conf            |   4 +-
 fail2ban/filter.d/exim.conf                   |  12 +-
 fail2ban/filter.d/freeswitch.conf             |   2 +-
 fail2ban/filter.d/haproxy-http-auth.conf      |  37 +++++
 .../ignorecommands/apache-fakegooglebot       |   7 +-
 fail2ban/filter.d/mongodb-auth.conf           |  49 +++++++
 fail2ban/filter.d/monit.conf                  |  15 +-
 fail2ban/filter.d/murmur.conf                 |  28 ++++
 fail2ban/filter.d/mysqld-auth.conf            |   2 +-
 fail2ban/filter.d/nginx-limit-req.conf        |  45 ++++++
 fail2ban/filter.d/nsd.conf                    |   4 +-
 fail2ban/filter.d/openhab.conf                |  16 +++
 fail2ban/filter.d/postfix-rbl.conf            |   2 +-
 fail2ban/filter.d/postfix-sasl.conf           |   4 +-
 fail2ban/filter.d/postfix.conf                |   4 +-
 fail2ban/filter.d/pure-ftpd.conf              |   4 +
 fail2ban/filter.d/screensharingd.conf         |  31 +++++
 fail2ban/filter.d/sendmail-reject.conf        |   2 +-
 fail2ban/filter.d/slapd.conf                  |  25 ++++
 fail2ban/filter.d/sshd.conf                   |   9 +-
 fail2ban/filter.d/vsftpd.conf                 |   2 +-
 fail2ban/jail.conf                            | 129 ++++++++++++++----
 fail2ban/paths-common.conf                    |  19 ++-
 fail2ban/paths-fedora.conf                    |  14 +-
 fail2ban/paths-opensuse.conf                  |  50 +++++++
 init.d/fail2ban                               |  20 ++-
 logrotate.d/fail2ban                          |   6 +-
 50 files changed, 921 insertions(+), 119 deletions(-)
 create mode 100644 fail2ban/action.d/firewallcmd-rich-logging.conf
 create mode 100644 fail2ban/action.d/firewallcmd-rich-rules.conf
 create mode 100644 fail2ban/action.d/nftables-allports.conf
 create mode 100644 fail2ban/action.d/nftables-common.conf
 create mode 100644 fail2ban/action.d/nftables-multiport.conf
 create mode 100644 fail2ban/action.d/npf.conf
 create mode 100644 fail2ban/filter.d/haproxy-http-auth.conf
 create mode 100644 fail2ban/filter.d/mongodb-auth.conf
 create mode 100644 fail2ban/filter.d/murmur.conf
 create mode 100644 fail2ban/filter.d/nginx-limit-req.conf
 create mode 100644 fail2ban/filter.d/openhab.conf
 create mode 100644 fail2ban/filter.d/screensharingd.conf
 create mode 100644 fail2ban/filter.d/slapd.conf
 create mode 100644 fail2ban/paths-opensuse.conf

diff --git a/.etckeeper b/.etckeeper
index 3030186..0431529 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -1342,6 +1342,8 @@ maybe chmod 0644 'fail2ban/action.d/firewallcmd-allports.conf'
 maybe chmod 0644 'fail2ban/action.d/firewallcmd-ipset.conf'
 maybe chmod 0644 'fail2ban/action.d/firewallcmd-multiport.conf'
 maybe chmod 0644 'fail2ban/action.d/firewallcmd-new.conf'
+maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-logging.conf'
+maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-rules.conf'
 maybe chmod 0644 'fail2ban/action.d/hostsdeny.conf'
 maybe chmod 0644 'fail2ban/action.d/ipfilter.conf'
 maybe chmod 0644 'fail2ban/action.d/ipfw.conf'
@@ -1361,6 +1363,10 @@ maybe chmod 0644 'fail2ban/action.d/mail-whois-lines.conf'
 maybe chmod 0644 'fail2ban/action.d/mail-whois.conf'
 maybe chmod 0644 'fail2ban/action.d/mail.conf'
 maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf'
+maybe chmod 0644 'fail2ban/action.d/nftables-allports.conf'
+maybe chmod 0644 'fail2ban/action.d/nftables-common.conf'
+maybe chmod 0644 'fail2ban/action.d/nftables-multiport.conf'
+maybe chmod 0644 'fail2ban/action.d/npf.conf'
 maybe chmod 0644 'fail2ban/action.d/nsupdate.conf'
 maybe chmod 0644 'fail2ban/action.d/osx-afctl.conf'
 maybe chmod 0644 'fail2ban/action.d/osx-ipfw.conf'
@@ -1417,18 +1423,23 @@ maybe chmod 0644 'fail2ban/filter.d/froxlor-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf'
 maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf'
 maybe chmod 0644 'fail2ban/filter.d/guacamole.conf'
+maybe chmod 0644 'fail2ban/filter.d/haproxy-http-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/horde.conf'
 maybe chmod 0755 'fail2ban/filter.d/ignorecommands'
 maybe chmod 0755 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot'
 maybe chmod 0644 'fail2ban/filter.d/kerio.conf'
 maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/mongodb-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/monit.conf'
+maybe chmod 0644 'fail2ban/filter.d/murmur.conf'
 maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/nagios.conf'
 maybe chmod 0644 'fail2ban/filter.d/named-refused.conf'
 maybe chmod 0644 'fail2ban/filter.d/nginx-botsearch.conf'
 maybe chmod 0644 'fail2ban/filter.d/nginx-http-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/nginx-limit-req.conf'
 maybe chmod 0644 'fail2ban/filter.d/nsd.conf'
+maybe chmod 0644 'fail2ban/filter.d/openhab.conf'
 maybe chmod 0644 'fail2ban/filter.d/openwebmail.conf'
 maybe chmod 0644 'fail2ban/filter.d/oracleims.conf'
 maybe chmod 0644 'fail2ban/filter.d/pam-generic.conf'
@@ -1443,11 +1454,13 @@ maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf'
 maybe chmod 0644 'fail2ban/filter.d/qmail.conf'
 maybe chmod 0644 'fail2ban/filter.d/recidive.conf'
 maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/screensharingd.conf'
 maybe chmod 0644 'fail2ban/filter.d/selinux-common.conf'
 maybe chmod 0644 'fail2ban/filter.d/selinux-ssh.conf'
 maybe chmod 0644 'fail2ban/filter.d/sendmail-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/sendmail-reject.conf'
 maybe chmod 0644 'fail2ban/filter.d/sieve.conf'
+maybe chmod 0644 'fail2ban/filter.d/slapd.conf'
 maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf'
 maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf'
 maybe chmod 0644 'fail2ban/filter.d/squid.conf'
@@ -1471,6 +1484,7 @@ maybe chmod 0644 'fail2ban/paths-common.conf'
 maybe chmod 0644 'fail2ban/paths-debian.conf'
 maybe chmod 0644 'fail2ban/paths-fedora.conf'
 maybe chmod 0644 'fail2ban/paths-freebsd.conf'
+maybe chmod 0644 'fail2ban/paths-opensuse.conf'
 maybe chmod 0644 'fail2ban/paths-osx.conf'
 maybe chmod 0644 'filesystems'
 maybe chmod 0755 'fonts'
diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf
index 4a5c0f9..6f9513f 100644
--- a/fail2ban/action.d/badips.conf
+++ b/fail2ban/action.d/badips.conf
@@ -1,6 +1,6 @@
 # Fail2ban reporting to badips.com
 #
-# Note: This reports and IP only and does not actually ban traffic. Use 
+# Note: This reports an IP only and does not actually ban traffic. Use
 # another action in the same jail if you want bans to occur.
 #
 # Set the category to the appropriate value before use.
@@ -10,7 +10,7 @@
 
 [Definition]
 
-actionban = curl --fail  --user-agent "fail2ban v0.8.12" http://www.badips.com/add/<category>/<ip>
+actionban = curl --fail  --user-agent "<agent>" http://www.badips.com/add/<category>/<ip>
 
 [Init]
 
diff --git a/fail2ban/action.d/badips.py b/fail2ban/action.d/badips.py
index a1df00a..4bc879a 100644
--- a/fail2ban/action.d/badips.py
+++ b/fail2ban/action.d/badips.py
@@ -21,7 +21,6 @@ import sys
 if sys.version_info < (2, 7):
 	raise ImportError("badips.py action requires Python >= 2.7")
 import json
-from functools import partial
 import threading
 import logging
 if sys.version_info >= (3, ):
@@ -33,7 +32,6 @@ else:
 	from urllib import urlencode
 
 from fail2ban.server.actions import ActionBase
-from fail2ban.version import version as f2bVersion
 
 
 class BadIPsAction(ActionBase):
@@ -72,6 +70,9 @@ class BadIPsAction(ActionBase):
 	updateperiod : int, optional
 		Time in seconds between updating bad IPs blacklist.
 		Default 900 (15 minutes)
+	agent : str, optional
+		User agent transmitted to server.
+		Default `Fail2Ban/ver.`
 
 	Raises
 	------
@@ -79,14 +80,18 @@ class BadIPsAction(ActionBase):
 		If invalid `category`, `score`, `banaction` or `updateperiod`.
 	"""
 
+	TIMEOUT = 10
 	_badips = "http://www.badips.com"
-	_Request = partial(
-		Request, headers={'User-Agent': "Fail2Ban %s" % f2bVersion})
+	def _Request(self, url, **argv):
+		return Request(url, headers={'User-Agent': self.agent}, **argv)
 
 	def __init__(self, jail, name, category, score=3, age="24h", key=None,
-		banaction=None, bancategory=None, bankey=None, updateperiod=900):
+		banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban", 
+		timeout=TIMEOUT):
 		super(BadIPsAction, self).__init__(jail, name)
 
+		self.timeout = timeout
+		self.agent = agent
 		self.category = category
 		self.score = score
 		self.age = age
@@ -117,7 +122,7 @@ class BadIPsAction(ActionBase):
 		"""
 		try:
 			response = urlopen(
-				self._Request("/".join([self._badips, "get", "categories"])))
+				self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout)
 		except HTTPError as response:
 			messages = json.loads(response.read().decode('utf-8'))
 			self._logSys.error(
@@ -171,7 +176,7 @@ class BadIPsAction(ActionBase):
 				urlencode({'age': age})])
 			if key:
 				url = "&".join([url, urlencode({'key': key})])
-			response = urlopen(self._Request(url))
+			response = urlopen(self._Request(url), timeout=self.timeout)
 		except HTTPError as response:
 			messages = json.loads(response.read().decode('utf-8'))
 			self._logSys.error(
@@ -356,7 +361,7 @@ class BadIPsAction(ActionBase):
 			url = "/".join([self._badips, "add", self.category, aInfo['ip']])
 			if self.key:
 				url = "?".join([url, urlencode({'key': self.key})])
-			response = urlopen(self._Request(url))
+			response = urlopen(self._Request(url), timeout=self.timeout)
 		except HTTPError as response:
 			messages = json.loads(response.read().decode('utf-8'))
 			self._logSys.error(
diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf
index 6d52069..2f31d8b 100644
--- a/fail2ban/action.d/blocklist_de.conf
+++ b/fail2ban/action.d/blocklist_de.conf
@@ -54,7 +54,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
+actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' --user-agent "<agent>" "https://www.blocklist.de/en/httpreports.html"
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
diff --git a/fail2ban/action.d/cloudflare.conf b/fail2ban/action.d/cloudflare.conf
index 4bc90c9..aa87163 100644
--- a/fail2ban/action.d/cloudflare.conf
+++ b/fail2ban/action.d/cloudflare.conf
@@ -9,6 +9,8 @@
 # Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE
 #
 # To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account
+#
+# CloudFlare API error codes: https://www.cloudflare.com/docs/host-api.html#s4.2
 
 [Definition]
 
diff --git a/fail2ban/action.d/firewallcmd-allports.conf b/fail2ban/action.d/firewallcmd-allports.conf
index ec52bab..571d5ba 100644
--- a/fail2ban/action.d/firewallcmd-allports.conf
+++ b/fail2ban/action.d/firewallcmd-allports.conf
@@ -6,7 +6,7 @@
 
 [INCLUDES]
 
-before = iptables-blocktype.conf
+before = iptables-common.conf
 
 [Definition]
 
diff --git a/fail2ban/action.d/firewallcmd-multiport.conf b/fail2ban/action.d/firewallcmd-multiport.conf
index 4d806e6..438d4cf 100644
--- a/fail2ban/action.d/firewallcmd-multiport.conf
+++ b/fail2ban/action.d/firewallcmd-multiport.conf
@@ -5,15 +5,15 @@
 
 [INCLUDES]
 
-before = iptables-blocktype.conf
+before = iptables-common.conf
 
 [Definition]
 
 actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-<name>
               firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
+              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
 
-actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
              firewall-cmd --direct --remove-rules ipv4 filter f2b-<name>
              firewall-cmd --direct --remove-chain ipv4 filter f2b-<name>
 
diff --git a/fail2ban/action.d/firewallcmd-rich-logging.conf b/fail2ban/action.d/firewallcmd-rich-logging.conf
new file mode 100644
index 0000000..1b88c2d
--- /dev/null
+++ b/fail2ban/action.d/firewallcmd-rich-logging.conf
@@ -0,0 +1,65 @@
+# Fail2Ban configuration file
+#
+# Author: Donald Yandt 
+# 
+# Because of the rich rule commands requires firewalld-0.3.1+
+# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
+# by chain. So for an example all deny rules will be listed under <zone>_deny and all log rules under <zone>_log. 
+#
+# Also this action logs banned access attempts so you can filter that and increase ban time for offenders.
+#
+# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
+#
+# Example commands to view rules:
+# firewall-cmd [--zone=<zone>] --list-rich-rules
+# firewall-cmd [--zone=<zone>] --list-all
+# firewall-cmd [--zone=zone] --query-rich-rule='rule'
+
+[Definition]
+
+actionstart = 
+
+actionstop = 
+
+actioncheck = 
+
+# you can also use zones and/or service names. 
+#
+# zone example: 
+# 	firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"
+# service name example:
+#	firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"
+# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges seperated by a comma or space for an example: http, https, 22-60, 18 smtp 
+
+actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"; done
+	   
+actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"; done
+
+[Init]
+
+name = default
+
+# log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug"
+level = info
+
+# log rate per minute
+rate = 1
+
+zone = public
+
+# use command firewall-cmd --get-services to see a list of services available
+#
+# Examples:
+#
+# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps 
+# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos 
+# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s 
+# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy 
+# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
+
+service = ssh
+
+# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable', 
+# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'
+
+blocktype = reject type='icmp-port-unreachable'
diff --git a/fail2ban/action.d/firewallcmd-rich-rules.conf b/fail2ban/action.d/firewallcmd-rich-rules.conf
new file mode 100644
index 0000000..4e39df5
--- /dev/null
+++ b/fail2ban/action.d/firewallcmd-rich-rules.conf
@@ -0,0 +1,57 @@
+# Fail2Ban configuration file
+#
+# Author: Donald Yandt 
+# 
+# Because of the rich rule commands requires firewalld-0.3.1+
+# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
+# by chain. So for an example all deny rules will be listed under <zone>_deny. 
+#
+# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
+#
+# Example commands to view rules:
+# firewall-cmd [--zone=<zone>] --list-rich-rules
+# firewall-cmd [--zone=<zone>] --list-all
+# firewall-cmd [--zone=zone] --query-rich-rule='rule'
+
+[Definition]
+
+actionstart = 
+
+actionstop = 
+
+actioncheck = 
+
+#you can also use zones and/or service names. 
+#
+# zone example: 
+# 	firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <blocktype>"
+# service name example:
+#	firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' <blocktype>"
+# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges seperated by a comma or space for an example: http, https, 22-60, 18 smtp 
+
+actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' <blocktype>"; done
+	   
+actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' <blocktype>"; done
+
+[Init]
+
+name = default
+
+zone = public
+
+# use command firewall-cmd --get-services to see a list of services available
+#
+# Examples:
+#
+# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps 
+# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos 
+# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s 
+# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy 
+# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
+
+service = ssh
+
+# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable', 
+# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'
+
+blocktype = reject type='icmp-port-unreachable'
diff --git a/fail2ban/action.d/mynetwatchman.conf b/fail2ban/action.d/mynetwatchman.conf
index fbb8a8f..e3395d5 100644
--- a/fail2ban/action.d/mynetwatchman.conf
+++ b/fail2ban/action.d/mynetwatchman.conf
@@ -111,13 +111,17 @@ myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-
 #
 protocol = tcp
 
+# Option:  agent
+# Default: Fail2ban
+agent = Fail2ban
+
 # Option:  getcmd
 # Notes.:  A command to fetch a URL. Should output page to STDOUT
 # Values:  CMD  Default: wget
 #
-getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=Fail2Ban
+getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=<agent>
 # Alternative value:
-# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent Fail2Ban
+# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent <agent>
 
 # Option:  srcport
 # Notes.:  The source port of the attack. You're unlikely to have this info, so
diff --git a/fail2ban/action.d/nftables-allports.conf b/fail2ban/action.d/nftables-allports.conf
new file mode 100644
index 0000000..afd0ca8
--- /dev/null
+++ b/fail2ban/action.d/nftables-allports.conf
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+# 			made active on all ports from original iptables.conf
+# Modified: Alexander Belykh <albel727@ngs.ru>
+#                       adapted for nftables
+#
+
+[INCLUDES]
+
+before = nftables-common.conf
+
+[Definition]
+
+# Option:  nftables_mode
+# Notes.:  additional expressions for nftables filter rule
+# Values:  nftables expressions
+#
+nftables_mode = ip protocol <protocol>
+
+[Init]
diff --git a/fail2ban/action.d/nftables-common.conf b/fail2ban/action.d/nftables-common.conf
new file mode 100644
index 0000000..80657c5
--- /dev/null
+++ b/fail2ban/action.d/nftables-common.conf
@@ -0,0 +1,119 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+# 			made active on all ports from original iptables.conf
+# Modified: Alexander Belykh <albel727@ngs.ru>
+#                       adapted for nftables
+#
+# This is a included configuration file and includes the definitions for the nftables
+# used in all nftables based actions by default.
+#
+# The user can override the defaults in nftables-common.local
+
+[INCLUDES]
+
+after = nftables-common.local
+
+[Definition]
+
+# Option:  nftables_mode
+# Notes.:  additional expressions for nftables filter rule
+# Values:  nftables expressions
+#
+nftables_mode = <protocol> dport \{ <port> \}
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = <nftables> add set <nftables_family> <nftables_table> f2b-<name> \{ type <nftables_type>\; \}
+              <nftables> insert rule <nftables_family> <nftables_table> <chain> %(nftables_mode)s ip saddr @f2b-<name> <blocktype>
+
+_nft_list = <nftables> --handle --numeric list chain <nftables_family> <nftables_table> <chain>
+_nft_get_handle_id = grep -m1 'ip saddr @f2b-<name> <blocktype> # handle' | grep -oe ' handle [0-9]*'
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
+             <nftables> delete rule <nftables_family> <nftables_table> <chain> $HANDLE_ID
+             <nftables> delete set <nftables_family> <nftables_table> f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> | grep -q '@f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = <nftables> add element <nftables_family> <nftables_table> f2b-<name> \{ <ip> \}
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = <nftables> delete element <nftables_family> <nftables_table> f2b-<name> \{ <ip> \}
+
+[Init]
+
+# Option:  nftables_type
+# Notes.:  address type to work with
+# Values:  [ipv4_addr | ipv6_addr]  Default: ipv4_addr
+#
+nftables_type = ipv4_addr
+
+# Option:  nftables_family
+# Notes.:  address family to work in
+# Values:  [ip | ip6 | inet]  Default: inet
+#
+nftables_family = inet
+
+# Option:  nftables_table
+# Notes.:  table in the address family to work in
+# Values:  STRING  Default: filter
+#
+nftables_table = filter
+
+# Option:  chain
+# Notes    specifies the nftables chain to which the Fail2Ban rules should be
+#          added
+# Values:  STRING  Default: input
+chain = input
+
+# Default name of the filtering set
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp ] Default: tcp
+#
+protocol = tcp
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the nftables man page (section 8). Common values are drop
+#          reject, reject with icmp type host-unreachable
+# Values:  STRING
+blocktype = reject
+
+# Option:  nftables
+# Notes.:  Actual command to be executed, including common to all calls options
+# Values:  STRING
+nftables = nft
diff --git a/fail2ban/action.d/nftables-multiport.conf b/fail2ban/action.d/nftables-multiport.conf
new file mode 100644
index 0000000..d1afafb
--- /dev/null
+++ b/fail2ban/action.d/nftables-multiport.conf
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+# 			made active on all ports from original iptables.conf
+# Modified: Alexander Belykh <albel727@ngs.ru>
+#                       adapted for nftables
+#
+
+[INCLUDES]
+
+before = nftables-common.conf
+
+[Definition]
+
+# Option:  nftables_mode
+# Notes.:  additional expressions for nftables filter rule
+# Values:  nftables expressions
+#
+nftables_mode = <protocol> dport \{ <port> \}
+
+[Init]
diff --git a/fail2ban/action.d/npf.conf b/fail2ban/action.d/npf.conf
new file mode 100644
index 0000000..8b00d17
--- /dev/null
+++ b/fail2ban/action.d/npf.conf
@@ -0,0 +1,61 @@
+# Fail2Ban configuration file
+#
+# NetBSD npf ban/unban
+#
+# Author: Nils Ratusznik <nils@NetBSD.org>
+# Based on pf.conf action file
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# we don't enable NPF automatically, as it will be enabled elsewhere
+actionstart = 
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+# we don't disable NPF automatically either
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = /sbin/npfctl table <tablename> add <ip>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+# note -r option used to remove matching rule
+actionunban = /sbin/npfctl table <tablename> rem <ip>
+
+[Init]
+# Option:  tablename
+# Notes.:  The pf table name.
+# Values:  [ STRING ]
+#
+tablename = fail2ban
diff --git a/fail2ban/action.d/route.conf b/fail2ban/action.d/route.conf
index 123245e..9b96a7b 100644
--- a/fail2ban/action.d/route.conf
+++ b/fail2ban/action.d/route.conf
@@ -17,6 +17,9 @@
 [Definition]
 actionban   = ip route add <blocktype> <ip>
 actionunban = ip route del <blocktype> <ip>
+actioncheck =
+actionstart =
+actionstop =
 
 [Init]
 
diff --git a/fail2ban/filter.d/apache-badbots.conf b/fail2ban/filter.d/apache-badbots.conf
index 75c0de0..48b3066 100644
--- a/fail2ban/filter.d/apache-badbots.conf
+++ b/fail2ban/filter.d/apache-badbots.conf
@@ -8,7 +8,7 @@
 [Definition]
 
 badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
-badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
+badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
 
 failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
 
diff --git a/fail2ban/filter.d/apache-modsecurity.conf b/fail2ban/filter.d/apache-modsecurity.conf
index ad7e9b2..13e9c5e 100644
--- a/fail2ban/filter.d/apache-modsecurity.conf
+++ b/fail2ban/filter.d/apache-modsecurity.conf
@@ -10,9 +10,10 @@ before = apache-common.conf
 [Definition]
 
 
-failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access denied with code [45]\d\d.*$
+failregex = ^%(_apache_error_client)s ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
 
 ignoreregex = 
 
 # https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
 # Author: Daniel Black
+#         Sergey G. Brester aka sebres (review, optimization)
\ No newline at end of file
diff --git a/fail2ban/filter.d/assp.conf b/fail2ban/filter.d/assp.conf
index 2aa8958..278e25c 100644
--- a/fail2ban/filter.d/assp.conf
+++ b/fail2ban/filter.d/assp.conf
@@ -1,24 +1,43 @@
-# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
-# 
-#    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
-#    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
+# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP)
+#    Filter works in theory for both ASSP V1 and V2. Recommended ASSP is V2.5.1 or later.
+#    Support for ASSP V1 ended in 2014 so if you are still running ASSP V1 an immediate upgrade is recommended.
+#
+#    Homepage:    http://sourceforge.net/projects/assp/
+#    ProjectSite: http://sourceforge.net/projects/assp/?source=directory
 #
 #
 
 [Definition] 
+# Note: First three failregex matches below are for ASSP V1 with the remaining being designed for V2. Deleting the V1 regex is recommended but I left it in for compatibilty reasons.
 
 __assp_actions = (?:dropping|refusing)
 
 failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
 			^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
 			^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
+			^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> (?:\<\S+@\S+\.\S+\> )*(?:to: \S+@\S+\.\S+ )*relay attempt blocked for(?: \(parsing\))?: \S+$
+			^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$
 
 ignoreregex = 
 
 # DEV Notes:
+# V1 Examples matches:
+#   Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
+#   Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+#   Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
 #
-# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
-#           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
-#           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
+# V2 Examples matches:
+#   Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user@example.org relay attempt blocked for: someone@example.org
+#   Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
+#   Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
+#   Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed:
+#   Jan-05-16 08:38:49 m1-01129-09140 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> relay attempt blocked for (parsing): <user2@example>
+#   Jun-12-16 16:43:37 m1-64217-12013 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user2@example.com relay attempt blocked for (parsing): <a.notheruser69@example.c>
+#   Jan-22-16 22:25:51 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism
+#   Mar-19-16 13:42:20 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid base64 data in continued response
+#   Jul-18-16 16:54:21 [Worker_2] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server
+#   Jul-18-16 17:14:23 m1-76453-02949 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server
+
 #
 # Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
+# V2 Filters: Robert Hardy (rhardy@webcon.ca)
diff --git a/fail2ban/filter.d/asterisk.conf b/fail2ban/filter.d/asterisk.conf
index b446c44..79bd1ff 100644
--- a/fail2ban/filter.d/asterisk.conf
+++ b/fail2ban/filter.d/asterisk.conf
@@ -16,17 +16,18 @@ __pid_re = (?:\[\d+\])
 iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
 
 # All Asterisk log messages begin like this:
-log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
-
-failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
-            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
-            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
-            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
-            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
-            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
-            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
-            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
-            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
+log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
+
+failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
+            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
+            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
+            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
+            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
+            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
+            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
+            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
+            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
+            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
 
 ignoreregex =
 
diff --git a/fail2ban/filter.d/botsearch-common.conf b/fail2ban/filter.d/botsearch-common.conf
index 65f9da2..a673a31 100644
--- a/fail2ban/filter.d/botsearch-common.conf
+++ b/fail2ban/filter.d/botsearch-common.conf
@@ -11,9 +11,9 @@ webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
 
 phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
 
-wordpress = wp-(login|signup)\.php
+wordpress = wp-(login|signup|admin)\.php
 
 # DEV Notes:
 # Taken from apache-botsearch filter
 # 
-# Author: Frantisek Sumsal
\ No newline at end of file
+# Author: Frantisek Sumsal
diff --git a/fail2ban/filter.d/common.conf b/fail2ban/filter.d/common.conf
index 3e35f1d..586f428 100644
--- a/fail2ban/filter.d/common.conf
+++ b/fail2ban/filter.d/common.conf
@@ -26,7 +26,7 @@ __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
 
 # extra daemon info
 # EXAMPLE: [ID 800047 auth.info]
-__daemon_extra_re = (?:\[ID \d+ \S+\])
+__daemon_extra_re = \[ID \d+ \S+\]
 
 # Combinations of daemon name and PID
 # EXAMPLES: sshd[31607], pop(pam_unix)[4920]
@@ -44,14 +44,18 @@ __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
 
 # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
 # <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
-__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
+__bsd_syslog_verbose = <[^.]+\.[^.]+>
+
+__vserver = @vserver_\S+
+
+__date_ambit = (?:\[\])
 
 # Common line prefixes (beginnings) which could be used in filters
 #
 #      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
 #
 # This can be optional (for instance if we match named native log files)
-__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
+__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
 
 # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
 # pam_ldap
diff --git a/fail2ban/filter.d/courier-smtp.conf b/fail2ban/filter.d/courier-smtp.conf
index 7df385b..fc0afc2 100644
--- a/fail2ban/filter.d/courier-smtp.conf
+++ b/fail2ban/filter.d/courier-smtp.conf
@@ -13,7 +13,7 @@ before = common.conf
 _daemon = courieresmtpd
 
 failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User (<.*> )?unknown\.?$
-            ^%(__prefix_line)serror,relay=<HOST>,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?$
+            ^%(__prefix_line)serror,relay=<HOST>,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
 
 ignoreregex = 
 
diff --git a/fail2ban/filter.d/dovecot.conf b/fail2ban/filter.d/dovecot.conf
index 856c220..a3dc60b 100644
--- a/fail2ban/filter.d/dovecot.conf
+++ b/fail2ban/filter.d/dovecot.conf
@@ -9,10 +9,11 @@ before = common.conf
 
 _daemon = (auth|dovecot(-auth)?|auth-worker)
 
-failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
-            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
-            ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
-            ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
+failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
+            ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
+            ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
+            ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
 
 ignoreregex = 
 
@@ -22,9 +23,11 @@ journalmatch = _SYSTEMD_UNIT=dovecot.service
 
 # DEV Notes:
 # * the first regex is essentially a copy of pam-generic.conf
-# * Probably doesn't do dovecot sql/ldap backends properly
+# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
 # * Removed the 'no auth attempts' log lines from the matches because produces
 #    lots of false positives on misconfigured MTAs making regexp unusable
 #
 # Author: Martin Waschbuesch
 #         Daniel Black (rewrote with begin and end anchors)
+#         Martin O'Neal (added LDAP authentication failure regex)
+#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
diff --git a/fail2ban/filter.d/exim-common.conf b/fail2ban/filter.d/exim-common.conf
index 1c0a0a2..0e1b74f 100644
--- a/fail2ban/filter.d/exim-common.conf
+++ b/fail2ban/filter.d/exim-common.conf
@@ -9,8 +9,8 @@ after = exim-common.local
 
 [Definition]
 
-host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
-pid = ( \[\d+\])?
+host_info = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[<HOST>\](?::\d+)? (?:I=\[\S+\](:\d+)? )?(?:U=\S+ )?(?:P=e?smtp )?
+pid = (?: \[\d+\])?
 
 # DEV Notes:
 # From exim source code: ./src/receive.c:add_host_info_for_log
diff --git a/fail2ban/filter.d/exim.conf b/fail2ban/filter.d/exim.conf
index 11fd03d..a1d699c 100644
--- a/fail2ban/filter.d/exim.conf
+++ b/fail2ban/filter.d/exim.conf
@@ -14,10 +14,13 @@ before = exim-common.conf
 [Definition]
 
 failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
-             ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
-             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
-             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
-             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
+            ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+            ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$
+            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
+            ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
+            ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
+            ^%(pid)s no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$
+            ^%(pid)s \S+ SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
 
 ignoreregex = 
 
@@ -30,3 +33,4 @@ ignoreregex =
 #
 # Author: Cyril Jaquier
 #         Daniel Black (rewrote with strong regexs)
+#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
diff --git a/fail2ban/filter.d/freeswitch.conf b/fail2ban/filter.d/freeswitch.conf
index ecc4a8b..1ef5a25 100644
--- a/fail2ban/filter.d/freeswitch.conf
+++ b/fail2ban/filter.d/freeswitch.conf
@@ -16,7 +16,7 @@ failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((
 ignoreregex =
 
 # Author: Rupa SChomaker, soapee01, Daniel Black
-# http://wiki.freeswitch.org/wiki/Fail2ban
+# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
 # Thanks to Jim on mailing list of samples and guidance
 #
 # No need to match the following. Its a duplicate of the SIP auth regex.
diff --git a/fail2ban/filter.d/haproxy-http-auth.conf b/fail2ban/filter.d/haproxy-http-auth.conf
new file mode 100644
index 0000000..298ca29
--- /dev/null
+++ b/fail2ban/filter.d/haproxy-http-auth.conf
@@ -0,0 +1,37 @@
+# Fail2Ban filter configuration file to match failed login attempts to
+# HAProxy HTTP Authentication protected servers.
+#
+# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
+# which prompts their browser to ask for login details.
+# This initial 401 is logged by HAProxy.
+# In other words, even successful logins will have at least 1 fail regex match.
+# Please keep this in mind when setting findtime and maxretry for jails.
+#
+# Author: Jordan Moeser
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = haproxy
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)s<HOST>.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/fail2ban/filter.d/ignorecommands/apache-fakegooglebot b/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
index 47ef51f..9e6f445 100755
--- a/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
+++ b/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env fail2ban-python
 # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
 #
 # Written in Python to reuse built-in Python batteries and not depend on
@@ -26,7 +26,10 @@ def is_googlebot(ip):
     from fail2ban.server.filter import DNSUtils
 
     host = DNSUtils.ipToName(ip)
-    sys.exit(0 if (host and re.match('crawl-.*\.googlebot\.com', host)) else 1)
+    if not host or not re.match('.*\.google(bot)?\.com$', host):
+       sys.exit(1)
+    host_ips = DNSUtils.dnsToIp(host)
+    sys.exit(0 if ip in host_ips else 1)
 
 if __name__ == '__main__':
     is_googlebot(process_args(sys.argv))
diff --git a/fail2ban/filter.d/mongodb-auth.conf b/fail2ban/filter.d/mongodb-auth.conf
new file mode 100644
index 0000000..66c27ab
--- /dev/null
+++ b/fail2ban/filter.d/mongodb-auth.conf
@@ -0,0 +1,49 @@
+# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
+#
+# Logfile /var/log/mongodb/mongodb.log
+#
+# add setting in /etc/mongodb.conf
+# logpath=/var/log/mongodb/mongodb.log
+#
+# and use of the authentication
+# auth = true
+#
+
+[Definition]
+#failregex = ^\s+\[initandlisten\] connection accepted from <HOST>:\d+ \#(?P<__connid>\d+) \(1 connection now open\)<SKIPLINES>\s+\[conn(?P=__connid)\] Failed to authenticate\s+
+failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
+
+ignoreregex =
+
+
+[Init]
+maxlines = 10
+
+# DEV Notes:
+#
+# Regarding the multiline regex:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious.
+#
+# Note the capture __connid, includes the connection ID, used in second part of regex.
+#
+# The first regex is commented out (but will match also), because it is better to use
+# the host from "end connection" line (uncommented above):
+#  -  it has the same prefix, searching begins directly with failure message
+#     (so faster, because ignores success connections at all)
+#  -  it is not so vulnerable in case of possible race condition
+#
+# Log example:
+# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
+# 2016-10-20T09:54:27.109+0200 [conn1]  authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
+# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
+# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
+# 2016-11-09T11:55:58.892+0100 [conn1510]  authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
+#
+# Authors: Alexander FinkhÃ¤user
+#          Sergey G. Brester (sebres)
+
diff --git a/fail2ban/filter.d/monit.conf b/fail2ban/filter.d/monit.conf
index c2ef20d..599bd36 100644
--- a/fail2ban/filter.d/monit.conf
+++ b/fail2ban/filter.d/monit.conf
@@ -2,9 +2,20 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
-failregex = ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied unknown user '\w+' accessing monit httpd$
-            ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied wrong password for user '\w+' accessing monit httpd$
+_daemon = monit
+
+# Regexp for previous (accessing monit httpd) and new (access denied) versions
+failregex = ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$
+            ^%(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '[^']+'|wrong password for user '[^']*'|empty password)$
 
+# Ignore login with empty user (first connect, no user specified)
+# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')
 ignoreregex =
diff --git a/fail2ban/filter.d/murmur.conf b/fail2ban/filter.d/murmur.conf
new file mode 100644
index 0000000..3775a9d
--- /dev/null
+++ b/fail2ban/filter.d/murmur.conf
@@ -0,0 +1,28 @@
+# Fail2Ban filter for murmur/mumble-server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+_daemon = murmurd
+
+# N.B. If you allow users to have usernames that include the '>' character you
+#      should change this to match the regex assigned to the 'username'
+#      variable in your server config file (murmur.ini / mumble-server.ini).
+_usernameregex = [^>]+
+
+_prefix = <W>[\n\s]*(\.\d{3})?\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
+
+failregex = ^%(_prefix)s Invalid server password$
+            ^%(_prefix)s Wrong certificate or password for existing user$
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# Author: Ross Brown
diff --git a/fail2ban/filter.d/mysqld-auth.conf b/fail2ban/filter.d/mysqld-auth.conf
index 92dc9a9..3ad70cb 100644
--- a/fail2ban/filter.d/mysqld-auth.conf
+++ b/fail2ban/filter.d/mysqld-auth.conf
@@ -17,7 +17,7 @@ before = common.conf
 
 _daemon = mysqld
 
-failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[\w+\] Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
 
 ignoreregex = 
 
diff --git a/fail2ban/filter.d/nginx-limit-req.conf b/fail2ban/filter.d/nginx-limit-req.conf
new file mode 100644
index 0000000..589d3d7
--- /dev/null
+++ b/fail2ban/filter.d/nginx-limit-req.conf
@@ -0,0 +1,45 @@
+# Fail2ban filter configuration for nginx :: limit_req
+# used to ban hosts, that were failed through nginx by limit request processing rate 
+#
+# Author: Serg G. Brester (sebres)
+#
+# To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module`
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+#
+# Example:
+#
+#   http {
+#     ...
+#     limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s;
+#     ...
+#     # http, server, or location:
+#     location ... {
+#       limit_req zone=lr_zone burst=1 nodelay;
+#       ...
+#     }
+#     ...
+#   }
+#   ...
+#
+
+[Definition]
+
+# Specify following expression to define exact zones, if you want to ban IPs limited 
+# from specified zones only.
+# Example:
+#
+#   ngx_limit_req_zones = lr_zone|lr_zone2
+#
+ngx_limit_req_zones = [^"]+
+
+# Use following full expression if you should range limit request to specified 
+# servers, requests, referrers etc. only :
+#
+# failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
+
+# Shortly, much faster and stable version of regexp:
+failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>
+
+ignoreregex = 
+
diff --git a/fail2ban/filter.d/nsd.conf b/fail2ban/filter.d/nsd.conf
index 70b41ca..8f32f7b 100644
--- a/fail2ban/filter.d/nsd.conf
+++ b/fail2ban/filter.d/nsd.conf
@@ -22,7 +22,7 @@ _daemon = nsd
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 
-failregex =  ^\[\]%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
-              ^\[\]%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
+failregex =  ^%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
+             ^%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
 
 ignoreregex =
diff --git a/fail2ban/filter.d/openhab.conf b/fail2ban/filter.d/openhab.conf
new file mode 100644
index 0000000..83857c7
--- /dev/null
+++ b/fail2ban/filter.d/openhab.conf
@@ -0,0 +1,16 @@
+# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
+#
+# Block IPs trying to auth openhab by web or rest api
+#
+# Matches e.g.
+# 12.34.33.22 -  -  [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 
+# 175.18.15.10 -  -  [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
+
+[Definition] 
+failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
+
+[Init]
+datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z
+
+
+
diff --git a/fail2ban/filter.d/postfix-rbl.conf b/fail2ban/filter.d/postfix-rbl.conf
index 05a8bbc..c3f8c33 100644
--- a/fail2ban/filter.d/postfix-rbl.conf
+++ b/fail2ban/filter.d/postfix-rbl.conf
@@ -10,7 +10,7 @@ before = common.conf
 
 [Definition]
 
-_daemon = postfix/smtpd
+_daemon = postfix(-\w+)?/smtpd
 
 failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
 
diff --git a/fail2ban/filter.d/postfix-sasl.conf b/fail2ban/filter.d/postfix-sasl.conf
index 199e29b..1a24ca9 100644
--- a/fail2ban/filter.d/postfix-sasl.conf
+++ b/fail2ban/filter.d/postfix-sasl.conf
@@ -7,9 +7,9 @@ before = common.conf
 
 [Definition]
 
-_daemon = postfix/(submission/)?smtp(d|s)
+_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
 
-failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
 
 ignoreregex = authentication failed: Connection lost to authentication server$
 
diff --git a/fail2ban/filter.d/postfix.conf b/fail2ban/filter.d/postfix.conf
index a994d77..3051409 100644
--- a/fail2ban/filter.d/postfix.conf
+++ b/fail2ban/filter.d/postfix.conf
@@ -10,12 +10,14 @@ before = common.conf
 
 [Definition]
 
-_daemon = postfix/(submission/)?smtp(d|s)
+_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
 
 failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
             ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
             ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
+            ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
             ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
+            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
             ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
 
 ignoreregex = 
diff --git a/fail2ban/filter.d/pure-ftpd.conf b/fail2ban/filter.d/pure-ftpd.conf
index be3d0ae..034336f 100644
--- a/fail2ban/filter.d/pure-ftpd.conf
+++ b/fail2ban/filter.d/pure-ftpd.conf
@@ -21,6 +21,10 @@ failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
 
 ignoreregex = 
 
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd
+
 # Author: Cyril Jaquier
 # Modified: Yaroslav Halchenko for pure-ftpd
 # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
diff --git a/fail2ban/filter.d/screensharingd.conf b/fail2ban/filter.d/screensharingd.conf
new file mode 100644
index 0000000..4cd7646
--- /dev/null
+++ b/fail2ban/filter.d/screensharingd.conf
@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+# Author: Simon Brown
+#
+# Filter for Mac OS X Screen Sharing service
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = screensharingd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: <HOST> :: Type: DH$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/fail2ban/filter.d/sendmail-reject.conf b/fail2ban/filter.d/sendmail-reject.conf
index 93b8343..20d3648 100644
--- a/fail2ban/filter.d/sendmail-reject.conf
+++ b/fail2ban/filter.d/sendmail-reject.conf
@@ -23,7 +23,7 @@ _daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
 
 failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
             ^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
-            ^%(__prefix_line)s\w{14}: rejecting commands from  (\S+ )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
+            ^%(__prefix_line)s\w{14}: rejecting commands from (\S* )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
             ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]: ((?i)expn|vrfy) \S+ \[rejected\]$
             ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$
 
diff --git a/fail2ban/filter.d/slapd.conf b/fail2ban/filter.d/slapd.conf
new file mode 100644
index 0000000..22cf430
--- /dev/null
+++ b/fail2ban/filter.d/slapd.conf
@@ -0,0 +1,25 @@
+# slapd (Stand-alone LDAP Daemon) openldap daemon filter
+#
+# Detecting invalid credentials: error code 49
+# http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49)
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = slapd
+
+failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=<HOST>:\d{1,5} \(IP=\S+\)\s*<SKIPLINES>(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$
+
+ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 20
+
+# Author: Andrii Melnyk
diff --git a/fail2ban/filter.d/sshd.conf b/fail2ban/filter.d/sshd.conf
index b000cd4..35cd875 100644
--- a/fail2ban/filter.d/sshd.conf
+++ b/fail2ban/filter.d/sshd.conf
@@ -18,21 +18,22 @@ before = common.conf
 
 _daemon = sshd
 
-failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*$
             ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
-            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+            ^%(__prefix_line)sFailed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \d+)?(?: ssh\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$)
             ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
-            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
-            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
+            ^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \[preauth\])?$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
             ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
             ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
             ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+            ^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \d*)?(?: ssh\d*)? \[preauth\]$
             ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
 
 ignoreregex = 
diff --git a/fail2ban/filter.d/vsftpd.conf b/fail2ban/filter.d/vsftpd.conf
index 930b0d7..2ecc44d 100644
--- a/fail2ban/filter.d/vsftpd.conf
+++ b/fail2ban/filter.d/vsftpd.conf
@@ -14,7 +14,7 @@ __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
 _daemon =  vsftpd
 
 failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
-            ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
+            ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
 
 ignoreregex = 
 
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf
index f545ff1..d80e3d0 100644
--- a/fail2ban/jail.conf
+++ b/fail2ban/jail.conf
@@ -46,7 +46,7 @@ before = paths-debian.conf
 
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
-# defined using space separator.
+# defined using space (and/or comma) separator.
 ignoreip = 127.0.0.1/8
 
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
@@ -80,7 +80,7 @@ maxretry = 5
 # auto:      will try to use the following backends, in order:
 #              pyinotify, gamin, polling.
 #
-# Note: if systemd backend is choses as the default but you enable a jail
+# Note: if systemd backend is chosen as the default but you enable a jail
 #       for which logs are present only in its own log files, specify some other
 #       backend for that jail (e.g. polling) and provide empty value for
 #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
@@ -94,6 +94,7 @@ backend = auto
 #        but it will be logged as a warning.
 # no:    if a hostname is encountered, will not be used for banning,
 #        but it will be logged as info.
+# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
 usedns = warn
 
 # "logencoding" specifies the encoding of the log files handled by the jail
@@ -146,6 +147,9 @@ chain = INPUT
 # Usually should be overridden in a particular jail
 port = 0:65535
 
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
 #
 # Action shortcuts. To be used to define action parameter
 
@@ -154,18 +158,19 @@ port = 0:65535
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
 banaction = iptables-multiport
+banaction_allports = iptables-allports
 
 # The simplest action to take: ban only
 action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 
 # ban & send an e-mail with whois report to the destemail.
 action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 
 # ban & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
 # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
 #
@@ -177,7 +182,7 @@ action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(po
 # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
-                %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
 # Report block via blocklist.de fail2ban reporting service API
 # 
@@ -186,7 +191,7 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
 # [Init]
 # blocklist_de_apikey = {api key from registration]
 #
-action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
+action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 
 # Report ban via badips.com, and use as blacklist
 #
@@ -196,7 +201,11 @@ action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apik
 # NOTE: This action relies on banaction being present on start and therefore
 # should be last action defined for a jail.
 #
-action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
+action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
+#
+# Report ban via badips.com (uses action.d/badips.conf for reporting only)
+#
+action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
 
 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
@@ -216,6 +225,7 @@ action = %(action_)s
 
 port    = ssh
 logpath = %(sshd_log)s
+backend = %(sshd_backend)s
 
 
 [sshd-ddos]
@@ -224,19 +234,20 @@ logpath = %(sshd_log)s
 # in the body.
 port    = ssh
 logpath = %(sshd_log)s
+backend = %(sshd_backend)s
 
 
 [dropbear]
 
 port     = ssh
 logpath  = %(dropbear_log)s
+backend  = %(dropbear_backend)s
 
 
 [selinux-ssh]
 
 port     = ssh
 logpath  = %(auditd_log)s
-maxretry = 5
 
 
 #
@@ -262,7 +273,6 @@ maxretry = 1
 
 port     = http,https
 logpath  = %(apache_error_log)s
-maxretry = 6
 
 
 [apache-overflows]
@@ -300,23 +310,41 @@ port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 
+
 [apache-shellshock]
 
 port    = http,https
 logpath = %(apache_error_log)s
 maxretry = 1
 
+
+[openhab-auth]
+
+filter = openhab
+action = iptables-allports[name=NoAuthFailures]
+logpath = /opt/openhab/logs/request.log
+
+
 [nginx-http-auth]
 
 port    = http,https
 logpath = %(nginx_error_log)s
 
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+# or for example see in 'config/filter.d/nginx-limit-req.conf'
+[nginx-limit-req]
+port    = http,https
+logpath = %(nginx_error_log)s
+
 [nginx-botsearch]
 
 port     = http,https
 logpath  = %(nginx_error_log)s
 maxretry = 2
 
+
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
@@ -348,7 +376,7 @@ logpath = %(lighttpd_error_log)s
 [roundcube-auth]
 
 port     = http,https
-logpath  = logpath = %(roundcube_errors_log)s
+logpath  = %(roundcube_errors_log)s
 
 
 [openwebmail]
@@ -381,7 +409,6 @@ logpath  = /var/log/sogo/sogo.log
 
 logpath  = /var/log/tine20/tine20.log
 port     = http,https
-maxretry = 5
 
 
 #
@@ -393,6 +420,7 @@ maxretry = 5
 
 port     = http,https
 logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
 
 [guacamole]
 
@@ -401,7 +429,6 @@ logpath  = /var/log/tomcat*/catalina.out
 
 [monit]
 #Ban clients brute-forcing the monit gui login
-filter   = monit
 port = 2812
 logpath  = /var/log/monit
 
@@ -410,12 +437,14 @@ logpath  = /var/log/monit
 
 port    = 10000
 logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
 
 
 [froxlor-auth]
 
 port    = http,https
 logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
 
 
 #
@@ -444,27 +473,28 @@ logpath = /var/log/3proxy.log
 
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(proftpd_log)s
+backend  = %(proftpd_backend)s
 
 
 [pure-ftpd]
 
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(pureftpd_log)s
-maxretry = 6
+backend  = %(pureftpd_backend)s
 
 
 [gssftpd]
 
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(syslog_daemon)s
-maxretry = 6
+backend  = %(syslog_backend)s
 
 
 [wuftpd]
 
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(wuftpd_log)s
-maxretry = 6
+backend  = %(wuftpd_backend)s
 
 
 [vsftpd]
@@ -491,18 +521,21 @@ logpath  = /root/path/to/assp/logs/maillog.txt
 
 port     = smtp,465,submission
 logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
 
 
 [postfix]
 
 port     = smtp,465,submission
 logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
 
 
 [postfix-rbl]
 
 port     = smtp,465,submission
-logpath  = %(syslog_mail)s
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
 maxretry = 1
 
 
@@ -510,12 +543,14 @@ maxretry = 1
 
 port    = submission,465,smtp
 logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
 
 
 [sendmail-reject]
 
 port     = smtp,465,submission
 logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
 
 
 [qmail-rbl]
@@ -531,12 +566,14 @@ logpath = /service/qmail/log/main/current
 
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
 logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
 
 
 [sieve]
 
 port   = smtp,465,submission
 logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
 
 
 [solid-pop3d]
@@ -572,6 +609,7 @@ logpath = /opt/kerio/mailserver/store/logs/security.log
 
 port     = smtp,465,submission,imap3,imaps,pop3,pop3s
 logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
 
 
 [postfix-sasl]
@@ -581,12 +619,14 @@ port     = smtp,465,submission,imap3,imaps,pop3,pop3s
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
 logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
 
 
 [perdition]
 
 port   = imap3,imaps,pop3,pop3s
 logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
 
 
 [squirrelmail]
@@ -599,12 +639,14 @@ logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
 
 port   = imap3,imaps
 logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
 
 
 [uwimap-auth]
 
 port   = imap3,imaps
 logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
 
 
 #
@@ -686,7 +728,14 @@ maxretry = 10
 
 port     = 3306
 logpath  = %(mysql_log)s
-maxretry = 5
+backend  = %(mysql_backend)s
+
+
+# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
+[mongodb-auth]
+# change port when running with "--shardsvr" or "--configsvr" runtime operation
+port     = 27017
+logpath  = /var/log/mongodb/mongodb.log
 
 
 # Jail for more extended banning of persistent abusers
@@ -699,10 +748,9 @@ maxretry = 5
 [recidive]
 
 logpath  = /var/log/fail2ban.log
-banaction = iptables-allports
+banaction = %(banaction_allports)s
 bantime  = 604800  ; 1 week
 findtime = 86400   ; 1 day
-maxretry = 5
 
 
 # Generic filter for PAM. Has to be used with action which bans all
@@ -710,14 +758,16 @@ maxretry = 5
 
 [pam-generic]
 # pam-generic filter can be customized to monitor specific subset of 'tty's
-banaction = iptables-allports
+banaction = %(banaction_allports)s
 logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
 
 
 [xinetd-fail]
 
 banaction = iptables-multiport-log
 logpath   = %(syslog_daemon)s
+backend   = %(syslog_backend)s
 maxretry  = 2
 
 
@@ -746,33 +796,30 @@ action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
 # nobody except your own Nagios server should ever probe nrpe
 [nagios]
 
-enabled  = false
 logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
+backend  = %(syslog_backend)s
 maxretry = 1
 
 
 [oracleims]
 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
-enabled = false
 logpath = /opt/sun/comms/messaging64/log/mail.log_current
-maxretry = 6
-banaction = iptables-allports
+banaction = %(banaction_allports)s
 
 [directadmin]
-enabled = false
 logpath = /var/log/directadmin/login.log
 port = 2222
 
 [portsentry]
-enabled  = false
 logpath  = /var/lib/portsentry/portsentry.history
 maxretry = 1
 
 [pass2allow-ftp]
 # this pass2allow example allows FTP traffic after successful HTTP authentication
 port         = ftp,ftp-data,ftps,ftps-data
-# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local
-filter       = apache-pass
+# knocking_url variable must be overridden to some secret value in jail.local
+knocking_url = /knocking/
+filter       = apache-pass[knocking_url="%(knocking_url)s"]
 # access log of the website with HTTP auth
 logpath      = %(apache_access_log)s
 blocktype    = RETURN
@@ -780,3 +827,29 @@ returntype   = DROP
 bantime      = 3600
 maxretry     = 1
 findtime     = 1
+
+
+[murmur]
+# AKA mumble-server
+port     = 64738
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
+logpath  = /var/log/mumble-server/mumble-server.log
+
+
+[screensharingd]
+# For Mac OS Screen Sharing Service (VNC)
+logpath  = /var/log/system.log
+logencoding = utf-8
+
+[haproxy-http-auth]
+# HAProxy by default doesn't log to file you'll need to set it up to forward
+# logs to a syslog server which would then write them to disk.
+# See "haproxy-http-auth" filter for a brief cautionary note when setting
+# maxretry and findtime.
+logpath  = /var/log/haproxy.log
+
+[slapd]
+port    = ldap,ldaps
+filter  = slapd
+logpath = /var/log/slapd.log
diff --git a/fail2ban/paths-common.conf b/fail2ban/paths-common.conf
index bf3cfb6..9072136 100644
--- a/fail2ban/paths-common.conf
+++ b/fail2ban/paths-common.conf
@@ -7,9 +7,13 @@ after  = paths-overrides.local
 
 [DEFAULT]
 
+default_backend = auto
+
 sshd_log = %(syslog_authpriv)s
+sshd_backend = %(default_backend)s
 
 dropbear_log = %(syslog_authpriv)s
+dropbear_backend = %(default_backend)s
 
 # There is no sensible generic defaults for syslog log targets, thus
 # leaving them empty here so that no errors while parsing/interpolating configs
@@ -18,15 +22,17 @@ syslog_ftp =
 syslog_local0 =
 syslog_mail_warn =
 syslog_user =
+# Set the default syslog backend target to default_backend
+syslog_backend = %(default_backend)s
 
 # from /etc/audit/auditd.conf
 auditd_log = /var/log/audit/audit.log
 
 exim_main_log = /var/log/exim/mainlog
 
-nginx_error_log = /var/log/nginx/error.log
+nginx_error_log = /var/log/nginx/*error.log
 
-nginx_access_log = /var/log/nginx/access.log
+nginx_access_log = /var/log/nginx/*access.log
 
 
 lighttpd_error_log = /var/log/lighttpd/error.log
@@ -34,18 +40,22 @@ lighttpd_error_log = /var/log/lighttpd/error.log
 # http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
 # syslog_user is the default. Lighttpd also hooks errors into its log.
 
-suhosin_log = %(syslog_user)s %(lighttpd_error_log)s
+suhosin_log = %(syslog_user)s
+              %(lighttpd_error_log)s
 
 # defaults to ftp or local2 if ftp doesn't exist
 proftpd_log = %(syslog_ftp)s
+proftpd_backend = %(default_backend)s
 
 # http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
 # defaults to ftp but can be overwritten.
 pureftpd_log = %(syslog_ftp)s
+pureftpd_backend = %(default_backend)s
 
 # ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
 #
 wuftpd_log = %(syslog_ftp)s
+wuftpd_backend = %(default_backend)s
 
 # syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
 # No distro seems to set it to syslog by default
@@ -54,13 +64,16 @@ vsftpd_log = /var/log/vsftpd.log
 
 # Technically syslog_facility in main.cf can overwrite but no-one sane does this.
 postfix_log = %(syslog_mail_warn)s
+postfix_backend = %(default_backend)s
 
 dovecot_log = %(syslog_mail_warn)s
+dovecot_backend = %(default_backend)s
 
 # Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
 solidpop3d_log = %(syslog_local0)s
 
 mysql_log = %(syslog_daemon)s
+mysql_backend = %(default_backend)s
 
 roundcube_errors_log = /var/log/roundcube/errors
 
diff --git a/fail2ban/paths-fedora.conf b/fail2ban/paths-fedora.conf
index c5601d3..d13645b 100644
--- a/fail2ban/paths-fedora.conf
+++ b/fail2ban/paths-fedora.conf
@@ -34,6 +34,18 @@ apache_access_log = /var/log/httpd/*access_log
 
 exim_main_log = /var/log/exim/main.log
 
-mysql_log = /var/lib/mysql/mysqld.log
+mysql_log = /var/log/mariadb/mariadb.log
+            /var/log/mysqld.log
 
 roundcube_errors_log = /var/log/roundcubemail/errors
+
+# These services will log to the journal via syslog, so use the journal by
+# default.
+syslog_backend = systemd
+sshd_backend = systemd
+dropbear_backend = systemd
+proftpd_backend = systemd
+pureftpd_backend = systemd
+wuftpd_backend = systemd
+postfix_backend = systemd
+dovecot_backend = systemd
diff --git a/fail2ban/paths-opensuse.conf b/fail2ban/paths-opensuse.conf
new file mode 100644
index 0000000..227a5e9
--- /dev/null
+++ b/fail2ban/paths-opensuse.conf
@@ -0,0 +1,50 @@
+# openSUSE log-file locations
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_local0  = /var/log/messages
+
+syslog_mail = /var/log/mail
+
+syslog_mail_warn = %(syslog_mail)s
+
+syslog_authpriv = %(syslog_local0)s
+
+syslog_user =  %(syslog_local0)s
+
+syslog_ftp  = %(syslog_local0)s
+
+syslog_daemon  = %(syslog_local0)s
+
+apache_error_log = /var/log/apache2/*error_log
+
+apache_access_log = /var/log/apache2/*access_log
+
+pureftpd_log = %(syslog_local0)s
+
+exim_main_log = /var/log/exim/main.log
+
+mysql_log = /var/log/mysql/mysqld.log
+
+roundcube_errors_log = /srv/www/roundcubemail/logs/errors
+
+solidpop3d_log = %(syslog_mail)s
+
+# These services will log to the journal via syslog, so use the journal by
+# default.
+syslog_backend = systemd
+sshd_backend = systemd
+dropbear_backend = systemd
+proftpd_backend = systemd
+pureftpd_backend = systemd
+wuftpd_backend = systemd
+postfix_backend = systemd
+dovecot_backend = systemd
+mysql_backend = systemd
diff --git a/init.d/fail2ban b/init.d/fail2ban
index aaf4ed3..03e57ff 100755
--- a/init.d/fail2ban
+++ b/init.d/fail2ban
@@ -1,4 +1,4 @@
-#!/sbin/runscript
+#!/sbin/openrc-run
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
@@ -30,21 +30,19 @@ depend() {
 
 start() {
 	ebegin "Starting fail2ban"
-	if [ ! -d /run/fail2ban ]; then
-		mkdir /run/fail2ban || return 1
-	fi
-	if [ -e /run/fail2ban/fail2ban.sock ]; then
-		# remove stalled sock file after system crash
-		# bug 347477
-		rm -rf /run/fail2ban/fail2ban.sock || return 1
-	fi
-	${FAIL2BAN} start
+	mkdir -p /run/fail2ban || return 1
+	# remove stalled sock file after system crash
+	# bug 347477
+	rm -f /run/fail2ban/fail2ban.sock || return 1
+	start-stop-daemon --start --pidfile /run/fail2ban/fail2ban.pid \
+	-- ${FAIL2BAN} start
 	eend $? "Failed to start fail2ban"
 }
 
 stop() {
 	ebegin "Stopping fail2ban"
-	${FAIL2BAN} stop
+	start-stop-daemon --stop --pidfile /run/fail2ban/fail2ban.pid \
+	-- ${FAIL2BAN} stop
 	eend $? "Failed to stop fail2ban"
 }
 
diff --git a/logrotate.d/fail2ban b/logrotate.d/fail2ban
index fe4f797..13a9453 100644
--- a/logrotate.d/fail2ban
+++ b/logrotate.d/fail2ban
@@ -4,13 +4,11 @@
 #
 # Debian:
 # https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
-#
-# Fedora view:
-#  http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate
 
 /var/log/fail2ban.log {
     missingok
+    notifempty
     postrotate
-      /usr/bin/fail2ban-client flushlogs  1>/dev/null || true
+      /usr/bin/fail2ban-client flushlogs >/dev/null || true
     endscript
 }
-- 
2.39.5