github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

ENH: filter enhancements on mod-digest (with test cases) for apache-auth (httpd-2.4.4)

pull/287/head
Daniel Black 2013-07-28 22:00:55 +10:00
parent 5cfe108186
commit 0fb04cb2f0
6 changed files with 146 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
config/filter.d/apache-auth.conf
View File

@ -35,15 +35,14 @@ failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server config
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
^%(_apache_error_client)s (AH0179[01]: )?(Digest: )?user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
^%(_apache_error_client)s user .* authorization failure: \S*\s*$
^%(_apache_error_client)s (AH01631: )?user .* authorization failure for "\S*": \s*$
^%(_apache_error_client)s invalid nonce .* received - (length|hash) is not \S+\s*$
^%(_apache_error_client)s invalid nonce .* received - user attempted time travel\s*$
^%(_apache_error_client)s user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
^%(_apache_error_client)s user .*: one-time-nonce mismatch - sending new nonce\s*$
^%(_apache_error_client)s realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s unknown algorithm `\S+' received: \S*\s*"$
^%(_apache_error_client)s invalid qop `.*' received: \S*\s*"$
^%(_apache_error_client)s (AH0177[56]: )?invalid nonce .* received - (length|hash) is not \S+\s*$
^%(_apache_error_client)s (AH01788: )?realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s (AH01789: )?unknown algorithm `\S+' received: \S*\s*"$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*"$
^%(_apache_error_client)s (AH01777: )?invalid nonce .* received - user attempted time travel\s*$
^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$

99
testcases/files/config/apache-auth/digest.py Executable file
View File

@ -0,0 +1,99 @@
#!/bin/env python
import requests
import md5
def auth(v):
ha1 = md5.new(username + ':' + realm + ':' + password).hexdigest()
ha2 = md5.new("GET:" + url).hexdigest()
#response = md5.new(ha1 + ':' + v['nonce'][1:-1] + ':' + v['nc'] + ':' + v['cnonce'][1:-1]
# + ':' + v['qop'][1:-1] + ':' + ha2).hexdigest()
nonce = v['nonce'][1:-1]
nc=v.get('nc') or ''
cnonce = v.get('cnonce') or ''
qop = v['qop'][1:-1]
algorithm = v['algorithm']
response = md5.new(ha1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + ha2).hexdigest()
p = requests.Request('GET', host + url).prepare()
#p.headers['Authentication-Info'] = response
p.headers['Authorization'] = """
Digest username="%s",
algorithm="%s",
realm="%s",
uri="%s",
nonce="%s",
cnonce="",
nc="",
qop=%s,
response="%s"
""" % ( username, algorithm, realm, url, nonce, qop, response )
s = requests.Session()
return s.send(p)
def preauth():
r = requests.get(host + url)
r.headers['www-authenticate'].split(', ')
return dict([ a.split('=',1) for a in r.headers['www-authenticate'].split(', ') ])
url='/digest/'
host = 'http://localhost:801'
v = preauth()
#print v
username="username"
password = "password"
realm = 'so far away'
r = auth(v)
realm = v['Digest realm'][1:-1]
# [Sun Jul 28 21:27:56.549667 2013] [auth_digest:error] [pid 24835:tid 139895297222400] [client 127.0.0.1:57052] AH01788: realm mismatch - got `so far away' but expected `digest private area'
algorithm = v['algorithm']
v['algorithm'] = 'super funky chicken'
r = auth(v)
# [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
print r.status_code,r.headers, r.text
v['algorithm'] = algorithm
r = auth(v)
print r.status_code,r.headers, r.text
nonce = v['nonce']
v['nonce']=v['nonce'][5:-5]
r = auth(v)
print r.status_code,r.headers, r.text
# [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
r = auth(v)
print r.status_code,r.headers, r.text
#[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
url='/digest_time/'
v=preauth()
import time
time.sleep(1)
r = auth(v)
print r.status_code,r.headers, r.text

7
testcases/files/config/apache-auth/digest_time/.htaccess Normal file
View File

@ -0,0 +1,7 @@
AuthType Digest
AuthName "digest private area"
AuthDigestDomain /digest_time/
AuthBasicProvider file
AuthUserFile /var/www/html/digest_time/.htpasswd
AuthDigestNonceLifetime 1
Require valid-user

BIN
testcases/files/config/apache-auth/digest_time/.htaccess.swp Normal file
View File

Binary file not shown.

1
testcases/files/config/apache-auth/digest_time/.htpasswd Normal file
View File

@ -0,0 +1 @@
username:digest private area:fad48d3a7c63f61b5b3567a4105bbb04

32
testcases/files/logs/apache-auth
View File

@ -66,3 +66,35 @@
# failJSON: { "time": "2013-07-20T21:45:28", "match": true , "host": "127.0.0.1" }
[Sat Jul 20 21:45:28.890523 2013] [auth_digest:error] [pid 17540:tid 140122972485376] [client 127.0.0.1:51408] AH01790: user `username' in realm `digest private area' not found: /digest_wrongrelm/cant_get_me.html
# ./testcases/files/config/apache-auth/digest.py
# failJSON: { "time": "2013-07-28T21:05:31", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
# ./testcases/files/config/apache-auth/digest.py
# failJSON: { "time": "2013-07-28T21:12:44", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:12:44 2013] [error] [client 127.0.0.1] Digest: invalid nonce JDiBAA=db9372522295196b7ac31db99e10cd1106c received - length is not 52
# ./testcases/files/config/apache-auth/digest.py
# failJSON: { "time": "2013-07-28T21:16:37", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:16:37 2013] [error] [client 127.0.0.1] Digest: invalid nonce l19lgpDiBAZZZf1ec3d9613f3b3ef43660e3628d78455fd8b937 received - hash is not 6fda8bbcbcf85ff1ebfe7d1c43faba583bc53a02
# ./testcases/files/config/apache-auth/digest.py
# failJSON: { "time": "2013-07-28T21:18:11", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
# ./testcases/files/config/apache-auth/digest.py
# failJSON: { "time": "2013-07-28T21:30:02", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:30:02 2013] [error] [client 127.0.0.1] Digest: realm mismatch - got `so far away' but expected `digest private area'
# failJSON: { "time": "2013-07-28T21:27:56", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:27:56.549667 2013] [auth_digest:error] [pid 24835:tid 139895297222400] [client 127.0.0.1:57052] AH01788: realm mismatch - got `so far away' but expected `digest private area'
# ./testcases/files/config/apache-auth/digest.py
# failJSON: { "time": "2013-07-28T21:41:20", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
# failJSON: { "time": "2013-07-28T21:42:03", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:42:03.930190 2013] [auth_digest:error] [pid 24835:tid 139895505884928] [client 127.0.0.1:57115] AH01789: unknown algorithm `super funky chicken' received: /digest/