From 5b2b680bfea74f5083c893677860e0d427faf475 Mon Sep 17 00:00:00 2001
From: benrubson
Date: Thu, 2 May 2019 11:42:45 +0200
Subject: [PATCH 1/7] SSHd add Bad protocol version message

---
 config/filter.d/sshd.conf | 1 +
 fail2ban/tests/files/logs/sshd | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 60efead7..418badbf 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -64,6 +64,7 @@ mdre-normal =
 mdrp-normal-suff-onclosed = (?:%(__suff)s|\s*)$
 
 mdre-ddos = ^Did not receive identification string from
+            ^Bad protocol version identification '.*' from
             ^Connection reset by
             ^Connection closed by%(__authng_user)s %(__on_port_opt)s\s+\[preauth\]\s*$
             ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index e2b3d456..68e65901 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -260,6 +260,8 @@ Mar 7 18:53:38 bar sshd[1559]: Connection closed by 192.0.2.116
 Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114
 # failJSON: { "time": "2005-06-07T01:11:57", "match": true , "host": "192.0.2.5", "desc": "refactored message (with port now, gh-2062)" }
 Jun 7 01:11:57 host sshd[8782]: Did not receive identification string from 192.0.2.5 port 35836
+# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115" }
+Jun 7 01:11:58 host sshd[8783]: Bad protocol version identification 'dummy string' from 69.61.56.115 port 31778
 
 # gh-864(1):
 # failJSON: { "match": false }

From 8b171f7d25c604c6dfae29598f3d4c494d048249 Mon Sep 17 00:00:00 2001
From: benrubson
Date: Wed, 26 Jun 2019 18:34:20 +0200
Subject: [PATCH 2/7] Badips key is only used to retrieve list

---
 config/action.d/badips.py | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
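Review bot: The new `mdre-ddos` line `^Bad protocol version identification '.*' from` matches a string the connecting client chooses, and `.*` is allowed to contain `'` and ` from `; the pattern yields the right host only because greedy `.*'` extends to the last quote on the line, so the address matched after it is the one sshd itself appended. Nothing in the filter records that reliance, and the same line is repeated in the zzz-sshd-obsolete-multiline.conf hunk of patch 5; a comment above it, `# ident is client-supplied: keep '.*' greedy so an injected "' from <addr>" inside it cannot become the matched host`, would stop a later "tightening" to `'[^']*'` that would let the injected address win, depending on what follows the host. The `<HOST>` and suffix parts of these lines appear to have been dropped by page rendering, so what follows `from` could not be checked here.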
diff --git a/config/action.d/badips.py b/config/action.d/badips.py
index a5fa1809..805120e9 100644
--- a/config/action.d/badips.py
+++ b/config/action.d/badips.py
@@ -54,9 +54,6 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
     age : str, optional
         Age of last report for bad IPs, per badips.com syntax.
         Default "24h" (24 hours)
-    key : str, optional
-        Key issued by badips.com to report bans, for later retrieval
-        of personalised content.
     banaction : str, optional
         Name of banaction to use for blacklisting bad IPs.
         If `None`, no blacklist of IPs will take place.
@@ -67,8 +64,8 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
         "postfix", but want to use whole "mail" category for blacklist.
         Default `category`.
     bankey : str, optional
-        Key issued by badips.com to blacklist IPs reported with the
-        associated key.
+        Key issued by badips.com to retrieve personal list
+        of blacklist IPs.
     updateperiod : int, optional
         Time in seconds between updating bad IPs blacklist.
         Default 900 (15 minutes)
@@ -93,7 +90,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
     def _Request(self, url, **argv):
         return Request(url, headers={'User-Agent': self.agent}, **argv)
 
-    def __init__(self, jail, name, category, score=3, age="24h", key=None,
+    def __init__(self, jail, name, category, score=3, age="24h",
                  banaction=None, bancategory=None, bankey=None, updateperiod=900,
                  loglevel='DEBUG', agent="Fail2Ban", timeout=TIMEOUT):
         super(BadIPsAction, self).__init__(jail, name)
@@ -103,7 +100,6 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
         self.category = category
         self.score = score
         self.age = age
-        self.key = key
         self.banaction = banaction
         self.bancategory = bancategory or category
         self.bankey = bankey
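Review bot: Dropping `key=None` from the `__init__` signature in the `@@ -93` hunk turns any existing jail configuration that still passes `key=...` into a `TypeError` at action load, if action parameters are forwarded as keyword arguments as the signature suggests; the `self.key` removal in the `@@ -103` hunk and the URL change in the `@@ -381` hunk are fine on their own. A backward-compatible option is to keep the parameter and ignore it with a warning: leave `def __init__(self, jail, name, category, score=3, age="24h", key=None,` as it was and, after `super(BadIPsAction, self).__init__(jail, name)`, add `if key is not None: self._logSys.warning('badips.com: parameter "key" is ignored, reporting no longer uses it')`. The reworded `bankey` docstring, `retrieve personal list of blacklist IPs`, would read more naturally as `retrieve the personal blacklist of IPs`.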
@@ -381,8 +377,6 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
         """
         try:
             url = "/".join([self._badips, "add", self.category, str(aInfo['ip'])])
-            if self.key:
-                url = "?".join([url, urlencode({'key': self.key})])
             self._logSys.debug('badips.com: ban, url: %r', url)
             response = urlopen(self._Request(url), timeout=self.timeout)
         except HTTPError as response: # pragma: no cover

From 5bc8d73220831fdbb9abad4e427850c02ea31bc2 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 26 Jun 2019 20:52:37 +0200
Subject: [PATCH 3/7] test_badips.py: parameter `key` is removed in #2452

---
 fail2ban/tests/action_d/test_badips.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py
index 7f2222e1..013c0fdb 100644
--- a/fail2ban/tests/action_d/test_badips.py
+++ b/fail2ban/tests/action_d/test_badips.py
@@ -83,7 +83,7 @@ if sys.version_info >= (2,7): # pragma: no cover - may be unavailable
             'banaction': "test",
             'age': "2w",
             'score': 5,
-            'key': "fail2ban-test-suite",
+            #'key': "fail2ban-test-suite",
             #'bankey': "fail2ban-test-suite",
             'timeout': (3 if unittest.F2B.fast else 60),
         })

From d5a5efcd5af272372153e86436d7c8cde2ddf66d Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 17 Jul 2019 13:38:42 +0200
Subject: [PATCH 4/7] amend to #2174 for fail2ban.service, fix legacy path, closes gh-2474

---
 files/fail2ban.service.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/files/fail2ban.service.in b/files/fail2ban.service.in
index f00a3a23..5e540545 100644
--- a/files/fail2ban.service.in
+++ b/files/fail2ban.service.in
@@ -6,13 +6,13 @@ PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftabl
 
 [Service]
 Type=simple
-ExecStartPre=/bin/mkdir -p /var/run/fail2ban
+ExecStartPre=/bin/mkdir -p /run/fail2ban
 ExecStart=@BINDIR@/fail2ban-server -xf start
 # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
 # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
 ExecStop=@BINDIR@/fail2ban-client stop
 ExecReload=@BINDIR@/fail2ban-client reload
-PIDFile=/var/run/fail2ban/fail2ban.pid
+PIDFile=/run/fail2ban/fail2ban.pid
 Restart=on-failure
 RestartPreventExitStatus=0 255
 

From a98315386d9155f721fc4e7892192ccea1d89f74 Mon Sep 17 00:00:00 2001
From: Ben RUBSON <6764151+benrubson@users.noreply.github.com>
Date: Fri, 19 Jul 2019 17:59:16 +0200
Subject: [PATCH 5/7] Update zzz-sshd-obsolete-multiline.conf

---
 fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
index 98fca7f5..b158e347 100644
--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
@@ -56,6 +56,7 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for
 mdre-normal =
 
 mdre-ddos = ^%(__prefix_line_sl)sDid not receive identification string from
+            ^%(__prefix_line_sl)sBad protocol version identification '.*' from
             ^%(__prefix_line_sl)sConnection closed by%(__authng_user)s %(__on_port_opt)s\s+\[preauth\]\s*$
             ^%(__prefix_line_sl)sConnection reset by
             ^%(__prefix_line_ml1)sSSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:.*%(__prefix_line_ml2)sRead from socket failed: Connection reset by peer%(__suff)s$
From eb308d0fc86709dbb638618c76d10f1bd23e57f2 Mon Sep 17 00:00:00 2001
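Review bot: `ExecStartPre=/bin/mkdir -p /run/fail2ban` still creates the runtime directory by hand, while systemd's `RuntimeDirectory=fail2ban` creates `/run/fail2ban` before start, removes it on stop and needs no absolute path to `mkdir`; `RuntimeDirectory=fail2ban` in place of the `ExecStartPre=` line would be the idiomatic form of this fix. The new `PIDFile=/run/fail2ban/fail2ban.pid` has to agree with the pid file the server actually writes; if other defaults outside this unit still name `/var/run/fail2ban/...`, they only stay in sync because `/var/run` is a symlink to `/run` on systemd hosts, which deserves a comment next to `PIDFile=`, e.g. `# /run is the canonical runtime path; /var/run is a compatibility symlink to it`.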
From: "Sergey G. Brester"
Date: Mon, 22 Jul 2019 11:50:01 +0200
Subject: [PATCH 6/7] add test for injection on version identification

---
 fail2ban/tests/files/logs/sshd | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 68e65901..ffce2844 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -260,8 +260,10 @@ Mar 7 18:53:38 bar sshd[1559]: Connection closed by 192.0.2.116
 Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114
 # failJSON: { "time": "2005-06-07T01:11:57", "match": true , "host": "192.0.2.5", "desc": "refactored message (with port now, gh-2062)" }
 Jun 7 01:11:57 host sshd[8782]: Did not receive identification string from 192.0.2.5 port 35836
-# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115" }
+# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115", "desc": "bad protocol version, gh-2404" }
 Jun 7 01:11:58 host sshd[8783]: Bad protocol version identification 'dummy string' from 69.61.56.115 port 31778
+# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115", "desc": "check inject on ident" }
+Jun 7 01:11:58 host sshd[8783]: Bad protocol version identification 'dummy string' from 192.0.2.1' from 69.61.56.115 port 31778
 
 # gh-864(1):
 # failJSON: { "match": false }

From d3b5befe44a87fb02087a6914dbc4148279ddfb3 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Mon, 22 Jul 2019 12:50:48 +0200
Subject: [PATCH 7/7] update changelog (#2404)

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index f03b2b13..be2c24d2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -52,6 +52,7 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
 * `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` used to match only whole words and fixed string (not as pattern), gh-2298
 * `filter.d/sshd.conf`:
+  - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
   - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
   - captures `Disconnected from ... [preauth]` (`extra`/`aggressive` mode and preauth phase only, gh-2239, gh-2279)
 * `filter.d/mysqld-auth.conf`: