From 0a8f24c5f431a2e542975db6835436ac852f3e70 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier
Date: Sun, 10 Dec 2006 21:16:26 +0000
Subject: [PATCH] - Added named group "host" for "failregex" - Fixed vulnerability CVE-2006-6302
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_6@484 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 CHANGELOG | 2 ++
 README | 10 +++++-----
 config/fail2ban.conf.hostsdeny | 6 +++---
 config/fail2ban.conf.iptables | 6 +++---
 config/fail2ban.conf.shorewall | 7 ++++---
 logreader/logreader.py | 11 ++++++++++-
 version.py | 2 +-
 7 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 60d4f7cc..1d6108bf 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -14,6 +14,8 @@ ver. 0.6.2 (2006/??/??) - ??? (Yaroslav Halchenko):
   * Made locale configurable
   * Fixed warning if ignoreip is empty
+- Added named group "host" for "failregex". Fixed security
+  vulnerability CVE-2006-6302
 
 ver. 0.6.1 (2006/03/16) - stable
 ----------
diff --git a/README b/README
index c7878a59..cc71fbdb 100644
--- a/README
+++ b/README
@@ -4,7 +4,7 @@
 |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 =============================================================
-Fail2Ban (version 0.6.1) 2006/03/16
+Fail2Ban (version 0.6.2) 2006/??/??
 =============================================================
 
 Fail2Ban scans log files like /var/log/pwdfail and bans IP
@@ -58,8 +58,8 @@ Require: python-2.4 (http://www.python.org)
 
 To install, just do:
 
-> tar xvfj fail2ban-0.6.1.tar.bz2
-> cd fail2ban-0.6.1
+> tar xvfj fail2ban-0.6.2.tar.bz2
+> cd fail2ban-0.6.2
 > python setup.py install
 
 This will install Fail2Ban into /usr/lib/fail2ban. The
@@ -130,10 +130,10 @@ Cyril Jaquier:
 
 Thanks:
 -------
-Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
+KĂ©vin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
 Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
 Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
-Edgington, Patrick Börjesson, kojiro, zugeschmiert
+Edgington, Patrick Börjesson, kojiro, zugeschmiert
 
 License:
 --------
diff --git a/config/fail2ban.conf.hostsdeny b/config/fail2ban.conf.hostsdeny
index 68a75409..5bfeab3b 100644
--- a/config/fail2ban.conf.hostsdeny
+++ b/config/fail2ban.conf.hostsdeny
@@ -257,7 +257,7 @@ timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
 # Notes.: regex to match the password failure messages in the logfile.
 # Values: TEXT Default: authentication failure|user .* not found
 #
-failregex = authentication failure|user .* not found
+failregex = [[]client (?P\S*)[]] user .*(?:: authentication failure|not found)
 
 [VSFTPD]
 
@@ -297,7 +297,7 @@ timepattern = %%b %%d %%H:%%M:%%S
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT Default: Authentication failure|Failed password|Invalid user
 #
-failregex = FAIL LOGIN
+failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P\S+)
 
 [SSH]
 
@@ -333,4 +333,4 @@ timepattern = %%b %%d %%H:%%M:%%S
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT Default: Authentication failure|Failed password|Invalid user
 #
-failregex = Authentication failure|Failed password|Invalid user
+failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P\S*)
diff --git a/config/fail2ban.conf.iptables b/config/fail2ban.conf.iptables
index 9d492e95..7b7eb2ef 100644
--- a/config/fail2ban.conf.iptables
+++ b/config/fail2ban.conf.iptables
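Review bot: The new `failregex` lines show the capture as `(?P\S*)`, which is not valid Python regex syntax and would not define the `host` group that the logreader fix relies on; the group name looks to have been lost in rendering, so each pattern must read `(?P<host>\S*)` (or `(?P<host>\S+)`) in the committed file. The apache and SSH patterns use `\S*`, which also accepts an empty host, whereas the vsftpd pattern uses `\S+`; `\S+` is the safer and consistent choice. The vsftpd pattern now matches only pam_unix syslog lines and drops the former `FAIL LOGIN` form, so if the section's `logfile` option (outside the hunk) still points at vsftpd's own log, failures there will no longer be detected. The same three patterns are repeated in the iptables and shorewall hunks, so any correction applies to all three files.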
@@ -285,7 +285,7 @@ timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
 # Notes.: regex to match the password failure messages in the logfile.
 # Values: TEXT Default: authentication failure|user .* not found
 #
-failregex = authentication failure|user .* not found
+failregex = [[]client (?P\S*)[]] user .*(?:: authentication failure|not found)
 
 [VSFTPD]
 
@@ -325,7 +325,7 @@ timepattern = %%b %%d %%H:%%M:%%S
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT Default: Authentication failure|Failed password|Invalid user
 #
-failregex = FAIL LOGIN
+failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P\S+)
 
 [SSH]
 
@@ -367,4 +367,4 @@ timepattern = %%b %%d %%H:%%M:%%S
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT Default: Authentication failure|Failed password|Invalid user
 #
-failregex = Authentication failure|Failed password|Invalid user
+failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P\S*)
diff --git a/config/fail2ban.conf.shorewall b/config/fail2ban.conf.shorewall
index ed99c8ec..453f38f8 100644
--- a/config/fail2ban.conf.shorewall
+++ b/config/fail2ban.conf.shorewall
@@ -251,7 +251,8 @@ timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
 # Notes.: regex to match the password failure messages in the logfile.
 # Values: TEXT Default: authentication failure|user .* not found
 #
-failregex = authentication failure|user .* not found
+failregex = [[]client (?P\S*)[]] user .*(?:: authentication failure|not found)
+
 [VSFTPD]
 
 # Option: enabled
@@ -284,7 +285,7 @@ timepattern = %%b %%d %%H:%%M:%%S
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT Default: Authentication failure|Failed password|Invalid user
 #
-failregex = FAIL LOGIN
+failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P\S+)
 
 [SSH]
 
@@ -320,4 +321,4 @@ timepattern = %%b %%d %%H:%%M:%%S
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT Default: Authentication failure|Failed password|Invalid user
 #
-failregex = Authentication failure|Failed password|Invalid user
+failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P\S*)
diff --git a/logreader/logreader.py b/logreader/logreader.py
index ca2695a1..2a51f26b 100644
--- a/logreader/logreader.py
+++ b/logreader/logreader.py
@@ -177,7 +177,16 @@ class LogReader:
 				timeMatch = re.search(self.timeregex, match.string)
 				if timeMatch:
 					date = self.getUnixTime(timeMatch.group())
-				ipMatch = textToIp(match.string)
+				try:
+					# Fix for CVE-2006-6302
+					matchString = match.group("host")
+				except IndexError:
+					# However does not break the current configuration
+					logSys.warn("No 'host' group defined. This is a security " +
+								"issue. Please fix your configuration file " +
+								"and look at CVE-2006-6302")
+					matchString = match.string
+				ipMatch = textToIp(matchString)
 				if ipMatch:
 					for ip in ipMatch:
 						failList.append([ip, date])
diff --git a/version.py b/version.py
index e52dcfc0..8b7d3026 100644
--- a/version.py
+++ b/version.py
@@ -24,4 +24,4 @@ __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
-version = "0.6.1-CVS"
+version = "0.6.1-SVN"
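Review bot: The `except IndexError` fallback logs its warning on every matching line, so a `failregex` without a `host` group produces one warning per failed login rather than once; `failList.append` just below suggests this sits in the per-line loop, whose start is outside the hunk. Guard the call with `if not getattr(self, "warnedNoHost", False):` and set `self.warnedNoHost = True` after it so the message is emitted once per reader. Note also that `match.group("host")` returns `None` when the group exists but did not take part in the match (for example inside an optional alternative); whether `textToIp` accepts `None` is not visible here, so consider `matchString = match.group("host") or ""` if it does not. Catching `IndexError` is correct, since that is what `re` raises for an unknown group name. The three `+`-joined literals in the `logSys.warn` call can be written as adjacent string literals, the more common Python form.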