From 0482957f9c7bffb35b632ea62194a7651c9ed76e Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Sat, 1 Oct 2005 06:53:51 +0000 Subject: [PATCH] fixed security bug #330827 --- config/fail2ban.conf.default | 8 ++++---- debian/README.Debian | 14 +++++++++++++- debian/changelog | 9 +++++++++ logreader/logreader.py | 11 ++++++++++- 4 files changed, 36 insertions(+), 6 deletions(-) diff --git a/config/fail2ban.conf.default b/config/fail2ban.conf.default index 014bd41b..18e00c4b 100644 --- a/config/fail2ban.conf.default +++ b/config/fail2ban.conf.default @@ -227,9 +227,9 @@ timepattern = %%a %%b %%d %%H:%%M:%%S %%Y # Option: failregex # Notes.: regex to match the password failure messages in the logfile. -# Values: TEXT Default: authentication failure|user .* not found +# Values: TEXT Default: [[]client (?P\S*)[]] user .*(?:: authentication failure|not found) # -failregex = authentication failure|user .* not found +failregex = [[]client (?P\S*)[]] user .*(?:: authentication failure|not found) [SSH] # Option: enabled @@ -299,6 +299,6 @@ timepattern = %%b %%d %%H:%%M:%%S # Option: failregex # Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user +# Values: TEXT Default: (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P\S*) # -failregex = Authentication failure|Failed password|Invalid user|Illegal user|Failed keyboard-interactive +failregex = (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P\S*) diff --git a/debian/README.Debian b/debian/README.Debian index 0e6bdc0f..9d4b30ec 100644 --- a/debian/README.Debian +++ b/debian/README.Debian 
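Review bot: The replacement SSH failregex drops the standalone `Invalid user` / `Illegal user` alternatives of the old pattern and now requires an `Authentication failure` or `Failed …` prefix, so bare `Illegal user X from HOST` / `Invalid user X from HOST` lines (if this sshd emits them on their own) stop counting as failures; if that narrowing is intended, record it on the `# Notes.:` line, e.g. `# Notes.: only 'Failed ...'/'Authentication failure' lines are counted; the host is taken from the text after 'from', never from the user name`. The host group is written as `\S*`, which also accepts an empty host; `\S+` would make a line with nothing after `from ` fail to match instead of yielding an empty candidate, which is harmless only if textToIp (not shown here) tolerates empty strings. The group name inside `(?P…)` appears to have been stripped by the rendering of this page; the on-disk regex presumably reads `(?P<host>\S*)`, matching what README.Debian describes.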
@@ -20,6 +20,18 @@ fail2ban with apache, please enable apache section manually in Troubleshooting: --------------- +Updated failregex: + +To resolve the security bug #330827 [1] failregex expressions must +provide a named group (?P...) as a placeholder of the abuser's +host. The naming of the group was introduced to capture possible +future generalizations of failregex to provide even more +information. At a current point, all named groups are considered as +possible locations of the host addresses, but usually you should need +just a single group (?P...) + +[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827 + Broken chain: Currently no checks if an iptables queue generated at the beginning @@ -40,4 +52,4 @@ work nicely now See TODO.Debian for more details, as well as the Debian Bug Tracking system. - -- Yaroslav O. Halchenko , Tue Sep 27 11:36:41 2005 + -- Yaroslav O. Halchenko , Sat Oct 1 02:47:46 2005 diff --git a/debian/changelog b/debian/changelog index 072cf1ca..273c7ed2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +fail2ban (0.5.4-5pre1) unstable; urgency=low + + * Made failregex'es more specific to don't allow usernames to be used as a + tool for denial of service attacks. Config files (or at least + failregex'es) must be updated from this package, otherwise the security + breach would remain open and only warning gets issued (closes: #330827) + + -- Yaroslav Halchenko Sat, 1 Oct 2005 02:42:23 -1000 + fail2ban (0.5.4-4) unstable; urgency=low * On a request from Calum Mackay added reporting of the enabled sections diff --git a/logreader/logreader.py b/logreader/logreader.py index 1e6ec979..29991890 100644 --- a/logreader/logreader.py +++ b/logreader/logreader.py 
@@ -172,7 +172,16 @@ class LogReader:
 			timeMatch = re.search(self.timeregex, match.string)
 			if timeMatch:
 				date = self.getUnixTime(timeMatch.group())
-				ipMatch = textToIp(match.string)
+				# Bug fix for Debian #330827
+				hostMatch = match.groupdict()
+				if len(hostMatch)==0:
+					logSys.warn("Must have been using old style of failregex! "
+								"Security Breach! Read README.Debian")
+					ipMatch = textToIp(match.string)
+				else:
+					ipMatch = reduce(lambda x,y:x+textToIp(y),
+									 hostMatch.values(), [])
+
 				if ipMatch:
 					for ip in ipMatch:
 						failList.append([ip, date])
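Review bot: `hostMatch.values()` is passed straight to `textToIp` in the `else` branch, but `groupdict()` yields `None` for a named group that did not take part in the match (a `(?P<host>…)` placed inside one alternative of a user-written failregex), and a `None` value will presumably break `textToIp`, whose body is not visible here; filter first: `hosts = [h for h in hostMatch.values() if h]` and `ipMatch = reduce(lambda x,y:x+textToIp(y), hosts, [])`. The fallback branch keeps the original whole-line `textToIp(match.string)` behaviour, so with an un-updated config the username-driven ban that #330827 is about remains reachable, and `logSys.warn` fires for every matched log line rather than once; testing the compiled pattern's `groupindex` where the failregex is compiled (outside this hunk) would warn a single time at startup and could refuse to enable that section. The enclosing method starts and ends outside this hunk.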