Package: fail2ban
Version: 0.8.4+svn20110323-1
Severity: normal
So when upgrading I noticed that a conf file I wrote ages ago has been incorporated into fail2ban. However, the config section in jail.conf is rather broken.

The default behaviour of the dropbear package is to install an init script. In this case, the output of dropbear will end up in /var/log/auth.log as with the normal ssh daemon. However, the current config file specifies /var/log/dropbear. /var/log/dropbear is mentioned in the file README.runit in the dropbear package. However, this is only for when dropbear has been installed as a daemontools service. Also, /var/log/dropbear is a folder, not a file, so the actual log file will be something else. Last but not least, daemontools uses a different logging format that the regular expressions in dropbear.conf wouldn't match anyway. In conclusion, I believe /var/log/dropbear should be changed to /var/log/auth.log.

Secondly, I believe the line that reads "filter = sshd" in the dropbear section should read "filter = dropbear".

Lastly, it should probably be heavily emphasised at the top of jail.conf that the regexes don't match all the attacks that can be made against dropbear. In particular, they cannot match attacks which use only an ssh key and not a password (which I see all the time). It was my hope that I would get a patch I wrote accepted into dropbear upstream that always printed the IP info of every failed connection attempt, but I never managed to do this. This is the output matched by the commented-out regex. In its current state, the dropbear rules might even be considered slightly dangerous because they give a false sense of security but do not protect against all attacks. It's for this reason I never submitted the file to Debian and, to be honest, I think it might be a bad idea for it to be in there (at least until, one day, dropbear prints IP information for *all* failed connection attempts).

Francis
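The jail.conf section as the report describes it, next to the corrected form, as an added example that is not taken from the bug report or from the fail2ban package; only the `logpath` and `filter` values come from the report, while the `enabled`, `port` and `maxretry` values are assumed:

```ini
# Added example: dropbear jail as described in the report. logpath points
# at a daemontools log directory (not a file) and filter reuses the sshd
# patterns, so nothing is ever matched for an init-script install.
# [dropbear]
# enabled  = false
# port     = ssh
# filter   = sshd
# logpath  = /var/log/dropbear

# Corrected form per the report: dropbear started from its init script
# logs to auth.log, and the dropbear-specific filter must be selected.
# enabled, port and maxretry are assumed values, not from the report.
[dropbear]
enabled  = true
port     = ssh
filter   = dropbear
logpath  = /var/log/auth.log
maxretry = 5
# Caveat from the report: the dropbear patterns only match password
# failures. Failed key-only authentication attempts are not logged with
# the client IP, so this jail does not ban them.
```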