github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

* Adjusted failregex for sshd filter: 

- anchored properly at the end of line, and source code has .examples
    files to perform testing of the rules.
  - added new explicit rule for users not in the AllowUsers lists
pull/3/head
Yaroslav Halchenko 2007-07-29 17:20:23 +00:00
parent 3aef16b773
commit 95d17ee318
4 changed files with 71 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
debian/changelog vendored
View File

@ -1,4 +1,4 @@
fail2ban (0.8.0-3~pre4) unstable; urgency=low fail2ban (0.8.0-4) unstable; urgency=low
* Moved <HOST> expansion into regex.py (closes: #429263). Thanks James * Moved <HOST> expansion into regex.py (closes: #429263). Thanks James
Andrewartha. Andrewartha.
@ -10,6 +10,11 @@ fail2ban (0.8.0-3~pre4) unstable; urgency=low
* Added a filter for named to catch refused/denied queries * Added a filter for named to catch refused/denied queries
* jail.conf has specification of protocol (default to tcp) to be provided to * jail.conf has specification of protocol (default to tcp) to be provided to
banaction banaction
* Adjusted failregex for sshd filter:
- anchored properly at the end of line, and source code has .examples
files to perform testing of the rules.
- added new explicit rule for users not in the AllowUsers lists
-- Yaroslav Halchenko <debian@onerussian.com> Tue, 19 Jun 2007 23:04:02 -0400 -- Yaroslav Halchenko <debian@onerussian.com> Tue, 19 Jun 2007 23:04:02 -0400

17
debian/jail.conf vendored
View File

@ -230,10 +230,23 @@ logpath = /var/log/mail.log
# } # }
# in your named.conf to provide proper logging # in your named.conf to provide proper logging
[named-refused] # Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP
[named-refused-udp]
enabled = false enabled = false
port = domain,953 port = domain,953
protocol = udp protocol = udp
filter = named-refused filter = named-refused
logpath = /var/log/named/lame-servers.log logpath = /var/log/named/lame-servers.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/lame-servers.log

49
debian/patches/00_ssh_strong_re.dpatch vendored Executable file
View File

@ -0,0 +1,49 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_ssh_strong_re.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban-0.8.0~/config/filter.d/sshd.conf fail2ban-0.8.0/config/filter.d/sshd.conf
--- fail2ban-0.8.0~/config/filter.d/sshd.conf 2007-02-22 15:52:37.000000000 -0500
+++ fail2ban-0.8.0/config/filter.d/sshd.conf 2007-07-29 13:14:50.000000000 -0400
@@ -14,10 +14,11 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = Authentication failure for .* from <HOST>
- Failed [-/\w]+ for .* from <HOST>
- ROOT LOGIN REFUSED .* FROM <HOST>
- [iI](?:llegal|nvalid) user .* from <HOST>
+failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
+ Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
+ ROOT LOGIN REFUSED.* FROM <HOST>\s*$
+ [iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ User \S+ from <HOST> not allowed because not listed in AllowUsers$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
diff -urNad fail2ban-0.8.0~/config/filter.d/sshd.examples fail2ban-0.8.0/config/filter.d/sshd.examples
--- fail2ban-0.8.0~/config/filter.d/sshd.examples 1969-12-31 19:00:00.000000000 -0500
+++ fail2ban-0.8.0/config/filter.d/sshd.examples 2007-07-29 13:14:22.000000000 -0400
@@ -0,0 +1,19 @@
+#1
+Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
+May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
+
+#2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345
+
+#3
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
+
+#4
+Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
+
+
+#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
+Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
+Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers

1
debian/patches/00list vendored
View File

@ -4,5 +4,6 @@
00_daemon_pids 00_daemon_pids
10_dbts_manpages 10_dbts_manpages
00_iptables_allports 00_iptables_allports
00_ssh_strong_re
00_pam_generic 00_pam_generic
00_named_refused 00_named_refused