Package: fail2ban
Version: 0.11.2-2
Severity: important
Tags: patch
Dear Maintainer,
fail2ban did not block logins using an invalid pubkey.
I checked the sshd filter and the default regex does not match with the actual
line when trying to login via ssh with an invalid pubkey.
Attached you'll find the updated filter for "cmnfailre-failed-pub-invalid",
after that update the filter works as expected.
This issue concerns Debian 11 and Debian 12 as well.
Best regards
Daniel
-- System Information:
Debian Release: 11.7
APT prefers oldstable-updates
APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990,
'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-23-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages fail2ban depends on:
ii lsb-base 11.1.0
ii python3 3.9.2-3
Versions of packages fail2ban recommends:
ii nftables 0.9.8-3.1+deb11u1
ii python3-pyinotify 0.9.6-1.3
ii python3-systemd 234-3+b4
pn whois <none>
Versions of packages fail2ban suggests:
ii bsd-mailx [mailx] 8.1.2-0.20180807cvs-2
pn monit <none>
ii rsyslog [system-log-daemon] 8.2102.0-2+deb11u1
pn sqlite3 <none>
-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[DEFAULT]
_daemon = sshd
__pref = (?:(?:error|fatal): (?:PAM: )?)?
__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.*?</F-USER>)?
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
__pam_auth = pam_[a-z]+
[Definition]
prefregex =
^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$
cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER>
from <HOST>( via \S+)?%(__suff)s$
^User not known to the underlying authentication module for
<F-USER>.*</F-USER> from <HOST>%(__suff)s$
<cmnfailre-failed-pub-<publickey>>
^Failed <cmnfailed> for (?P<cond_inv>invalid user
)?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from
<HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>
^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from
<HOST>%(__suff)s$
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not
listed in AllowUsers%(__suff)s$
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because
listed in DenyUsers%(__suff)s$
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not
in any group%(__suff)s$
^refused connect from \S+ \(<HOST>\)
^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from
<HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because a
group is listed in DenyGroups%(__suff)s$
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because none
of user's groups are listed in AllowGroups%(__suff)s$
^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication
failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$
^maximum authentication attempts exceeded for <F-USER>.*</F-USER>
from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
^User <F-USER>\S+|.*?</F-USER> not allowed because account is
locked%(__suff)s
^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?:
(?:invalid|authenticating)) user <F-USER>\S+</F-USER>
<HOST>%(__on_port_opt)s:\s*Change of username or service not
allowed:\s*.*\[preauth\]\s*$
^Disconnecting: Too many authentication failures(?: for
<F-USER>\S+|.*?</F-USER>)?%(__suff)s$
^<F-NOFAIL>Received
<F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from
<HOST>%(__on_port_opt)s:\s*11:
<mdre-<mode>-other>
^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET>
for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
cmnfailed-any = \S+
cmnfailed-ignore = \b(?!publickey)\S+
cmnfailed-invalid = <cmnfailed-ignore>
cmnfailed-nofail = (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+)
cmnfailed = <cmnfailed-<publickey>>
mdre-normal =
mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection
closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s
<HOST>(?:%(__suff)s|\s*)$
mdre-ddos = ^Did not receive identification string from <HOST>
^kex_exchange_identification: (?:[Cc]lient sent invalid protocol
identifier|[Cc]onnection closed by remote host)
^Bad protocol version identification '.*' from <HOST>
^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL>
(?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
^Read from socket failed: Connection
<F-MLFFORGET>reset</F-MLFFORGET> by peer
mdre-ddos-other = ^<F-MLFFORGET>(Connection
(?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s
<HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from
<HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods
available
^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching
<__alg_match> found.
^Unable to negotiate a <__alg_match>
^no matching <__alg_match> found:
mdre-extra-other = ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?:
(?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER>
<HOST>%(__on_port_opt)s \[preauth\]\s*$
mdre-aggressive = %(mdre-ddos)s
%(mdre-extra)s
mdre-aggressive-other = %(mdre-ddos-other)s
publickey = nofail
cmnfailre-failed-pub-invalid = ^Failed publickey for
<F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from
<HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
cmnfailre-failed-pub-any =
cmnfailre-failed-pub-nofail = <cmnfailre-failed-pub-invalid>
cmnfailre-failed-pub-ignore =
cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
failregex = %(cmnfailre)s
<mdre-<mode>>
%(cfooterre)s
mode = normal
ignoreregex =
maxlines = 1
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
-- no debconf information
