On Mon, Oct 10, 2005 at 01:56:50PM +0900, kazuki wrote:
> Package: fail2ban
> Version: 0.5.4-5
> Severity: important
>
> With the new failregex line in the config file, fail2ban fails to ban ssh
> accesses by illegal users.

Yeap :-) It has been worked on due to the report from the user who didn't use BTS (bad boy rrr).

BTW - when do you experience "Illegal users" but no failed authentication reports? What is your loglevel in sshd_config? Do you permit password authentication (also, what is UsePAM in sshd_config?)

Please try the version from
http://itanix.rutgers.edu/rumba/dists/unstable/perspect/binary-all/net/
and report if it works for you. Thank you in advance.

> Furthermore, modifying the failregex probably doesn't prevent the security
> breach (#330827).

Any example when it would leak? If it does, please report and also check with the version from the URL above.

> fail2ban itself rather than the failregex must be changed to parse
> failure log more strictly so that it can obtain the real IP address at
> the end of the line, not the IP-like user name.

Well - that is what the modified "failregex" is doing. And there was a 2 line modification of the code itself ;-) It doesn't scan for an IP in the line (actually it does if a user didn't upgrade the config file, but it issues a fair warning in that case). But the IP can be in any place in the line, so anything simple like "at the end of the line" or "after rhost=" doesn't really work, or at least doesn't generalize well ;-))

Failregex now defines a group "host" which is very strict as for defining the possible location of the IP. Also, in the version from the mentioned URL I've restricted it a bit more (included a colon at the beginning), so during my tests no nasty login could confuse the parser.

Thank you in advance for output regarding this issue

--
                                  .-.
=------------------------------ /v\ ----------------------------=
Keep in touch                   // \\   (yoh@|www.)onerussian.com
Yaroslav Halchenko              /( )\   ICQ#: 60653192
Linux User                      ^^-^^   [175555]
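The parsing weakness discussed in this thread, as an added example that is not part of the email or of fail2ban itself: a naive "first IP-looking token in the line" scan beside a hypothetical strict pattern with a named `host` group anchored on the sshd message prefix and the end of the line. The log lines and both regular expressions are constructed for illustration and are not fail2ban's real failregex.

```python
import re

# Constructed sshd log lines (not taken from the bug report). The first is a
# plain failed login; the second and third carry an IP-looking username, which
# is the case the thread describes.
SAMPLE_LOGS = [
    "Oct 10 13:56:50 host sshd[1234]: Illegal user bob from 203.0.113.7",
    "Oct 10 13:56:51 host sshd[1235]: Illegal user 192.0.2.1 from 203.0.113.7",
    "Oct 10 13:56:52 host sshd[1236]: Failed password for invalid user "
    "198.51.100.9 from 203.0.113.7 port 40022 ssh2",
]

IP = r"(?:\d{1,3}\.){3}\d{1,3}"

# Naive approach: take the first thing that looks like an IPv4 address.
NAIVE_RE = re.compile(IP)

# Strict approach (hypothetical, modelled on the named "host" group mentioned
# in the email): the match must start at the ": " that precedes sshd's message,
# the address must follow the literal " from " sshd emits after the username,
# and it must be the last "from" before the end of the line. The greedy ".*"
# for the username therefore cannot stop early at a username that merely
# contains an IP-like string.
STRICT_RE = re.compile(
    r": (?:Illegal user|Failed password for invalid user) .* from "
    r"(?P<host>" + IP + r")(?: port \d+ ssh2)?$"
)


def naive_host(line):
    """Return the first IP-looking token in the line, or None."""
    m = NAIVE_RE.search(line)
    return m.group(0) if m else None


def strict_host(line):
    """Return the address from the anchored 'host' group, or None."""
    m = STRICT_RE.search(line)
    return m.group("host") if m else None


def compare(lines):
    """Pair each line's naive and strict extraction for side-by-side review."""
    return [(naive_host(line), strict_host(line)) for line in lines]


if __name__ == "__main__":
    for line, (naive, strict) in zip(SAMPLE_LOGS, compare(SAMPLE_LOGS)):
        print(f"naive={naive!s:14} strict={strict!s:14} | {line}")
```

On the second and third lines the naive scan returns the username, so a ban would land on an address the client chose, while the anchored pattern returns the connecting host in all three cases.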