fixed security bug #330827

2005-10-01 06:53:51 +00:00 · 2005-10-01 06:53:51 +00:00 · 0482957f9c
parent 83c201992d
commit 0482957f9c
4 changed files with 36 additions and 6 deletions
--- a/config/fail2ban.conf.default
+++ b/config/fail2ban.conf.default
@ -227,9 +227,9 @@ timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile.
-# Values:  TEXT  Default:  authentication failure|user .* not found
+# Values:  TEXT  Default:  [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
 #
-failregex = authentication failure|user .* not found
+failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
 [SSH]
 # Option:  enabled
@ -299,6 +299,6 @@ timepattern = %%b %%d %%H:%%M:%%S
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile.
-# Values:  TEXT  Default:  Authentication failure|Failed password|Invalid user
+# Values:  TEXT  Default:  (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
 #
-failregex = Authentication failure|Failed password|Invalid user|Illegal user|Failed keyboard-interactive
+failregex = (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
--- a/debian/README.Debian
+++ b/debian/README.Debian
@ -20,6 +20,18 @@ fail2ban with apache, please enable apache section manually in
 Troubleshooting:
 ---------------
 Updated failregex:
 To resolve the security bug #330827 [1] failregex expressions must
 provide a named group (?P<host>...) as a placeholder of the abuser's
 host. The naming of the group was introduced to capture possible
 future generalizations of failregex to provide even more
 information. At a current point, all named groups are considered as
 possible locations of the host addresses, but usually you should need
 just a single group (?P<host>...)
 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
 Broken chain:
 Currently no checks if an iptables queue generated at the beginning
@ -40,4 +52,4 @@ work nicely now
 See TODO.Debian for more details, as well as the Debian Bug Tracking
 system.
- -- Yaroslav O. Halchenko <debian@onerussian.com>, Tue Sep 27 11:36:41 2005
+ -- Yaroslav O. Halchenko <debian@onerussian.com>, Sat Oct  1 02:47:46 2005
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,12 @@
 fail2ban (0.5.4-5pre1) unstable; urgency=low
  * Made failregex'es more specific to don't allow usernames to be used as a
    tool for denial of service attacks. Config files (or at least
    failregex'es) must be updated from this package, otherwise the security
    breach would remain open and only warning gets issued (closes: #330827)
 -- Yaroslav Halchenko <debian@onerussian.com>  Sat,  1 Oct 2005 02:42:23 -1000
 fail2ban (0.5.4-4) unstable; urgency=low
  * On a request from Calum Mackay added reporting of the enabled sections
--- a/logreader/logreader.py
+++ b/logreader/logreader.py
@ -172,7 +172,16 @@ class LogReader:
 			timeMatch = re.search(self.timeregex, match.string)
 			if timeMatch:
 				date = self.getUnixTime(timeMatch.group())
 				# Bug fix for Debian #330827
 				hostMatch = match.groupdict()
 				if len(hostMatch)==0:
 					logSys.warn("Must have been using old style of failregex! "
 								"Security Breach! Read README.Debian")
 					ipMatch = textToIp(match.string)
 				else:
 					ipMatch = reduce(lambda x,y:x+textToIp(y),
 									 hostMatch.values(), [])
 				if ipMatch:
 					for ip in ipMatch:
 						failList.append([ip, date])