fixed security bug #330827

2005-10-01 06:53:51 +00:00 · 2005-10-01 06:53:51 +00:00 · 0482957f9c
parent 83c201992d
commit 0482957f9c
4 changed files with 36 additions and 6 deletions
--- a/config/fail2ban.conf.default
+++ b/config/fail2ban.conf.default
@ -227,9 +227,9 @@ timepattern = %%a %%b %%d %%H:%%M:%%S %%Y

 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile.
-# Values:  TEXT  Default:  authentication failure|user .* not found
+# Values:  TEXT  Default:  [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
 #
-failregex = authentication failure|user .* not found
+failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)

 [SSH]
 # Option:  enabled
@ -299,6 +299,6 @@ timepattern = %%b %%d %%H:%%M:%%S

 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile.
-# Values:  TEXT  Default:  Authentication failure|Failed password|Invalid user
+# Values:  TEXT  Default:  (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
 #
-failregex = Authentication failure|Failed password|Invalid user|Illegal user|Failed keyboard-interactive
+failregex = (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
--- a/debian/README.Debian
+++ b/debian/README.Debian
@ -20,6 +20,18 @@ fail2ban with apache, please enable apache section manually in
 Troubleshooting:
 ---------------

+Updated failregex:
+
+To resolve the security bug #330827 [1] failregex expressions must
+provide a named group (?P<host>...) as a placeholder of the abuser's
+host. The naming of the group was introduced to capture possible
+future generalizations of failregex to provide even more
+information. At a current point, all named groups are considered as
+possible locations of the host addresses, but usually you should need
+just a single group (?P<host>...)
+
+[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
+
 Broken chain:

 Currently no checks if an iptables queue generated at the beginning
@ -40,4 +52,4 @@ work nicely now
 See TODO.Debian for more details, as well as the Debian Bug Tracking
 system.

- -- Yaroslav O. Halchenko <debian@onerussian.com>, Tue Sep 27 11:36:41 2005
+ -- Yaroslav O. Halchenko <debian@onerussian.com>, Sat Oct  1 02:47:46 2005
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,12 @@
+fail2ban (0.5.4-5pre1) unstable; urgency=low
+
+  * Made failregex'es more specific to don't allow usernames to be used as a
+    tool for denial of service attacks. Config files (or at least
+    failregex'es) must be updated from this package, otherwise the security
+    breach would remain open and only warning gets issued (closes: #330827)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sat,  1 Oct 2005 02:42:23 -1000
+
 fail2ban (0.5.4-4) unstable; urgency=low

  * On a request from Calum Mackay added reporting of the enabled sections
--- a/logreader/logreader.py
+++ b/logreader/logreader.py
@ -172,7 +172,16 @@ class LogReader:
 			timeMatch = re.search(self.timeregex, match.string)
 			if timeMatch:
 				date = self.getUnixTime(timeMatch.group())
+				# Bug fix for Debian #330827
+				hostMatch = match.groupdict()
+				if len(hostMatch)==0:
+					logSys.warn("Must have been using old style of failregex! "
+								"Security Breach! Read README.Debian")
 					ipMatch = textToIp(match.string)
+				else:
+ 					ipMatch = reduce(lambda x,y:x+textToIp(y),
+									 hostMatch.values(), [])
+					
 				if ipMatch:
 					for ip in ipMatch:
 						failList.append([ip, date])