Your message dated Wed, 4 Feb 2009 15:49:47 -0500
with message-id <20090204204947.gm28...@washoe.rutgers.edu>
has caused the report #514163,
regarding fail2ban: Included wuftpd.conf matches reverse DNS rather than IP
to be marked as having been forwarded to the upstream software
author(s) Cyril Jaquier <cyril.jaqu...@fail2ban.org>
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
514163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Oh man,
THANKS!
Let me postpone dealing with wuftpd for now... just the issue of the IP,
that is bad... it is a security hazard and makes it easy to perform DoS
attacks... forwarding it upstream.
To replicate it in a matter of seconds, try
fail2ban-regex "Feb 4 14:55:01 washoe CRON[679]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn" "\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$"
The proper IP should be 218.241.97.60, not 26.232.125.75.
A tentative fix is in my git repository:
http://git.onerussian.com/?p=deb/fail2ban.git;a=shortlog;h=refs/heads/up/fix_searchIP
It is as simple as the attached patch.
There are two commits though -- one is the actual fix, one adds a unittest for it.
If Cyril confirms that indeed it is that bad, I will immediately raise
the severity of the bug. If Cyril agrees on my fix (it needs proper
testing), I will upload a Debian package and seek the ability to upload
it into lenny (and etch), since it is RC.
btw -- Cyril, am I doing something wrong, or is the unittest battery not
maintained? ;)
running
PYTHONPATH=. ./fail2ban-testcases
gives me
FAILED (failures=3, errors=4)
so, to run only my unittest, you can use nosetests and run from the testcases
directory:
PYTHONPATH=.. nosetests -s filtertestcase:DNSUtilsTests
On Wed, 04 Feb 2009, Chris Butler wrote:
> Package: fail2ban
> Version: 0.7.5-2etch1
> Severity: normal
> The '/etc/fail2ban/filter.d/wuftpd.conf' file shipped in the package
> contains a regex which matches the error message generated by PAM:
> failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$
> The problem is that the value of 'rhost' is the resolved reverse DNS entry
> for the remote host. Also, fail2ban's checking of the <HOST> entry stops
> after it finds a valid IP address. I noticed this thanks to the following
> log entries:
> (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn
> That reverse DNS entry actually comes from 125.75.232.26, but fail2ban took
> the beginning of that string and banned the IP address 26.232.125.75.
> The attached patch changes the regexp to one that matches the log message
> generated by wu-ftpd itself, which contains the unresolved IP address of the
> remote host. Note that this message is by default written to syslog and not
> auth.log.
> -- System Information:
> Debian Release: 4.0
> APT prefers stable
> APT policy: (900, 'stable'), (200, 'testing'), (100, 'experimental')
> Architecture: amd64 (x86_64)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-6-amd64
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
> Versions of packages fail2ban depends on:
> ii iptables 1.3.6.0debian1-5 administration tools for packet fi
> ii lsb-base 3.1-23.2etch1 Linux Standard Base 3.1 init scrip
> ii python 2.4.4-2 An interactive high-level object-o
> ii python-central 0.5.12 register and build utility for Pyt
> ii python2.4 2.4.4-3+etch2 An interactive high-level object-o
> fail2ban recommends no packages.
> -- no debconf information
--
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW: http://www.linkedin.com/in/yarik
From a8f963a2803acef984c66cd1910631eb06363ac1 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko <deb...@onerussian.com>
Date: Wed, 4 Feb 2009 15:38:11 -0500
Subject: [PATCH] BF: anchoring regex for IP with " *$" at the end
to forbid matching an IP encoded in the hostname prior to doing the actual DNS
lookup.
It is quite important and actually a security hazard: DoS is easy to
perform...
---
server/filter.py | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/server/filter.py b/server/filter.py
index 457bb03..77042ad 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -492,7 +492,7 @@ import socket, struct
class DNSUtils:
- IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
+ IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")
#...@staticmethod
def dnsToIp(dns):
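Review bot: the new pattern on the `+ IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3} *$")` line anchors only the end of the value, so a search still accepts a dotted quad that is merely the tail of a non-address string (`host1.2.3.4` still yields `1.2.3.4`), and `\d{1,3}` still accepts octets above 255 such as `999.1.1.1`. Anchor the start as well, `^ *(?:\d{1,3}\.){3}\d{1,3} *$`, or better, validate the whole stripped value as an IPv4 address (for example with `socket.inet_pton(socket.AF_INET, value)`, `socket` being imported per the hunk header) and fall through to the DNS lookup on failure. The commit message mentions a unittest in a separate commit; the reverse-DNS sample from the report, `26.232.125.75.gs.dynamic.163data.com.cn`, belongs in it as a must-not-match case.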
--
1.5.6.5
--- End Message ---
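The failure mode discussed in the thread, as an added example that is not part of the bug report, the patch or fail2ban's own code: the two IP regexes are copied from the hunk above, everything else (the rhost extractor modelled on the pam_unix failregex, the offline FAKE_DNS table, the strict parser built on Python 3's ipaddress module, which the 2009 Python 2.4 code did not have) is assumed for illustration. It shows the unanchored search picking the attacker-controlled `26.232.125.75` out of the reverse-DNS name, the end-anchored patch rejecting that name so the lookup path is taken, and a whole-value check that also closes the `host1.2.3.4` and `999.1.1.1` cases the end anchor alone leaves open.

```python
import re
import ipaddress

# Modelled on the pam_unix failregex quoted in the thread; fail2ban's <HOST>
# placeholder is represented here by the (?P<host>\S+) group (assumption).
PAM_FAILREGEX = re.compile(
    r"\(pam_unix\)\s+authentication failure.* rhost=(?P<host>\S+)$")

# The IP pattern from server/filter.py, before and after the patch.
IP_CRE_OLD = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")        # unanchored
IP_CRE_PATCHED = re.compile(r"(?:\d{1,3}\.){3}\d{1,3} *$")  # end-anchored

# Constructed stand-in for a DNS resolver so the example runs offline.
# The single entry reproduces the mapping stated in Chris Butler's report.
FAKE_DNS = {
    "26.232.125.75.gs.dynamic.163data.com.cn": "125.75.232.26",
}


def extract_rhost(line):
    """Return the rhost= value from a pam_unix failure line, or None."""
    m = PAM_FAILREGEX.search(line)
    return m.group("host") if m else None


def search_ip(pattern, text):
    """A regex search for a dotted quad inside the <HOST> text, as the
    old and patched code effectively do; returns the match or None."""
    m = pattern.search(text)
    return m.group(0) if m else None


def parse_ipv4_strict(text):
    """Accept the value only if the whole of it is a valid IPv4 address
    (four octets, each 0-255); anything else is treated as a hostname."""
    try:
        return str(ipaddress.IPv4Address(text.strip()))
    except ValueError:
        return None


def ban_target(rhost, resolver=FAKE_DNS):
    """Address to ban for an rhost value: a literal IP is used as-is,
    otherwise the name is resolved; None means nothing can be banned."""
    ip = parse_ipv4_strict(rhost)
    if ip is not None:
        return ip
    return resolver.get(rhost)


def compare(line, resolver=FAKE_DNS):
    """Show what each extraction strategy would ban for one log line."""
    host = extract_rhost(line)
    if host is None:
        return None
    return {
        "rhost": host,
        "unanchored": search_ip(IP_CRE_OLD, host),       # wrong victim
        "end_anchored": search_ip(IP_CRE_PATCHED, host),  # falls through
        "strict": ban_target(host, resolver),             # resolved origin
    }


# Constructed sample line modelled on the one in the report (not a real log).
SAMPLE_LINE = ("Feb  4 14:55:01 washoe CRON[679]: (pam_unix) authentication "
               "failure; logname= uid=0 euid=0 tty= ruser= "
               "rhost=26.232.125.75.gs.dynamic.163data.com.cn")

if __name__ == "__main__":
    for key, value in compare(SAMPLE_LINE).items():
        print("%-13s %s" % (key, value))
```

Running the block prints the three candidate ban targets for the sample line side by side. The strict parser is the part worth carrying over: a reverse-DNS name is attacker-influenced input, so the only safe rule is "the entire value is an IP, or it is a name to resolve", never "an IP appears somewhere in the value".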