Your message dated Thu, 05 Feb 2009 15:47:06 +0000
with message-id <e1lv6rw-0001ki...@ries.debian.org>
and subject line Bug#514163: fixed in fail2ban 0.8.3-5
has caused the Debian Bug report #514163,
regarding fail2ban: allows DoS via construction of domain names starting with IP of a victim
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
514163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fail2ban
Version: 0.7.5-2etch1
Severity: normal
The '/etc/fail2ban/filter.d/wuftpd.conf' file shipped in the package
contains a regex which matches the error message generated by PAM:
failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$
The problem is that the value of 'rhost' is the resolved reverse DNS entry
for the remote host. Also, fail2ban's checking of the <HOST> entry stops
after it finds a valid IP address. I noticed this thanks to the following
log entries:
(pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn
That reverse DNS entry actually comes from 125.75.232.26, but fail2ban took
the beginning of that string and banned the IP address 26.232.125.75.
The attached patch changes the regexp to one that matches the log message
generated by wu-ftpd itself, which contains the unresolved IP address of the
remote host. Note that this message is by default written to syslog and not
auth.log.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (900, 'stable'), (200, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Versions of packages fail2ban depends on:
ii iptables 1.3.6.0debian1-5 administration tools for packet fi
ii lsb-base 3.1-23.2etch1 Linux Standard Base 3.1 init scrip
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt
ii python2.4 2.4.4-3+etch2 An interactive high-level object-o
fail2ban recommends no packages.
-- no debconf information
--
Chris Butler <chr...@debian.org>
GnuPG Key ID: 1024D/D097A261
From 3f915b680d67690273dd5754d6bfdde87642906b Mon Sep 17 00:00:00 2001
From: Chris Butler <chr...@cob.crustynet.org.uk>
Date: Wed, 4 Feb 2009 14:09:17 +0000
Subject: [PATCH] Changed regex for matching wu-ftpd login failures, as the pam
messages contained resolved reverse DNS, which may be unresolvable or spoofed.
---
config/filter.d/wuftpd.conf | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf
index 2d08022..11baef3 100644
--- a/config/filter.d/wuftpd.conf
+++ b/config/filter.d/wuftpd.conf
@@ -11,4 +11,4 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
-failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.*
rhost=<HOST>$
+failregex = wu-ftpd\[\d+\]:\s+failed login from .* \[<HOST>\]$
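Review bot: the new failregex matches only wu-ftpd's own "failed login from ... [<HOST>]" message, which the report itself says goes to syslog rather than auth.log by default, so the wuftpd jail's logpath has to change with it or the filter will never fire; that dependency should be stated in the commit message or handled in the same change. The trailing `\[<HOST>\]$` is the right shape here, since the bracketed unresolved address is the last token and a reverse-DNS name can no longer leak into <HOST> the way `rhost=<HOST>$` allowed. Minor: the old pattern made the PID optional with `(?:\[\d+\])?` while the new one requires `\[\d+\]`; fine if wu-ftpd always logs with a PID, but worth a word in the message.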
--
1.4.4.4
--- End Message ---
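The prefix-match failure described in the report above, as an added Python example that is not part of the bug report or of fail2ban's own code. It assumes a simplified reconstruction of fail2ban's behaviour: `<HOST>` expands to a non-whitespace capture group, and the captured text is then checked for an IPv4 address, once with an unanchored search (the behaviour the report describes) and once anchored with ` *$` (the approach named in the 0.8.3-5 changelog). The two failregex values are taken from the report and its patch; the log lines are constructed from the report's example, with timestamp, hostname and PID invented.

```python
import re
from typing import Optional

# Assumption: <HOST> expands to a greedy non-whitespace capture group, and the
# captured text is then checked for an IPv4 address. This is a simplification
# of fail2ban 0.7/0.8, not its exact source.
HOST_CAPTURE = r"(?P<host>\S+)"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Old filter (PAM's message; rhost= carries a reverse-DNS name) and the filter
# from the attached patch (wu-ftpd's own message; unresolved address in brackets).
OLD_FAILREGEX = r"wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$"
NEW_FAILREGEX = r"wu-ftpd\[\d+\]:\s+failed login from .* \[<HOST>\]$"

# Constructed log lines modelled on the report; timestamp, host and PID invented.
PAM_LINE = ("Feb  4 14:09:17 ftp1 wu-ftpd[2342]: (pam_unix) authentication failure; "
            "logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn")
FTPD_LINE = ("Feb  4 14:09:17 ftp1 wu-ftpd[2342]: failed login from "
             "26.232.125.75.gs.dynamic.163data.com.cn [125.75.232.26]")


def extract_host(failregex: str, line: str) -> Optional[str]:
    """Apply a fail2ban-style failregex and return the <HOST> capture, or None."""
    m = re.search(failregex.replace("<HOST>", HOST_CAPTURE), line)
    return m.group("host") if m else None


def ip_unanchored(text: str) -> Optional[str]:
    """Reported behaviour: take the first dotted quad found anywhere in the text,
    so a hostname that merely starts with digits yields an unrelated address."""
    m = re.search(IPV4, text)
    return m.group(0) if m else None


def ip_anchored(text: str) -> Optional[str]:
    """Anchored check: the whole captured text must be an IPv4 address
    (trailing spaces tolerated, matching the ' *$' anchor from the changelog)."""
    m = re.match(r"^(" + IPV4 + r") *$", text)
    return m.group(1) if m else None


def ban_candidate(failregex: str, line: str, anchored: bool) -> Optional[str]:
    """Address that would be handed to the ban action for this line, or None."""
    host = extract_host(failregex, line)
    if host is None:
        return None
    return ip_anchored(host) if anchored else ip_unanchored(host)


if __name__ == "__main__":
    # Old filter + unanchored check: bans the unrelated address 26.232.125.75.
    print(ban_candidate(OLD_FAILREGEX, PAM_LINE, anchored=False))
    # Old filter + anchored check: the hostname is no longer mistaken for an IP.
    print(ban_candidate(OLD_FAILREGEX, PAM_LINE, anchored=True))
    # Patched filter: reads the real, unresolved address from wu-ftpd's message.
    print(ban_candidate(NEW_FAILREGEX, FTPD_LINE, anchored=True))
```

The anchored check only removes the prefix confusion; a `<HOST>` value that is a hostname still reaches fail2ban's DNS resolution path, and the name in question is controlled by whoever controls the reverse zone. Reading the unresolved address straight from wu-ftpd's own message, as the attached patch does, avoids trusting the name at all, which is why the two fixes complement each other.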
--- Begin Message ---
Source: fail2ban
Source-Version: 0.8.3-5
We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive:
fail2ban_0.8.3-5.diff.gz
to pool/main/f/fail2ban/fail2ban_0.8.3-5.diff.gz
fail2ban_0.8.3-5.dsc
to pool/main/f/fail2ban/fail2ban_0.8.3-5.dsc
fail2ban_0.8.3-5_all.deb
to pool/main/f/fail2ban/fail2ban_0.8.3-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 514...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yaroslav Halchenko <deb...@onerussian.com> (supplier of updated fail2ban
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 05 Feb 2009 09:51:45 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.3-5
Distribution: experimental
Urgency: low
Maintainer: Yaroslav Halchenko <deb...@onerussian.com>
Changed-By: Yaroslav Halchenko <deb...@onerussian.com>
Description:
fail2ban - bans IPs that cause multiple authentication errors
Closes: 514163
Changes:
fail2ban (0.8.3-5) experimental; urgency=low
.
* BF: anchoring regex for IP with " *$" at the end + adjust regexp for
<HOST> (closes: #514163)
* NF: adding unittests for previous BF
Checksums-Sha1:
f587f9994e8222166e8695222b040b0d7590c752 1201 fail2ban_0.8.3-5.dsc
081079efb02a10d4be9409722b51982aa43e9dd9 32777 fail2ban_0.8.3-5.diff.gz
5fe3e59bb57ffb6f54e6e242ea5507487ee2a18d 91178 fail2ban_0.8.3-5_all.deb
Checksums-Sha256:
da792e2f73999d8a1070ef63db516d502f8fa5394f3a9f09b5ce0e0402d14cec 1201 fail2ban_0.8.3-5.dsc
40ca9ef8a91ceaafe0ef44d4f26bef1ecb3fedb8649ef3aeb17e835b5ff4a3c0 32777 fail2ban_0.8.3-5.diff.gz
ce43dfc64d4c89fed2e8986319bc22bec6e9568d3f786537207aaa8f71166104 91178 fail2ban_0.8.3-5_all.deb
Files:
49d33da83b29c7862fab05f811ac4c83 1201 net optional fail2ban_0.8.3-5.dsc
d56f7750d88968d163b5884d35da3e8b 32777 net optional fail2ban_0.8.3-5.diff.gz
8c0974b902f2d99f0fdb7b7605e03972 91178 net optional fail2ban_0.8.3-5_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkmLAf0ACgkQjRFFY3XAJMjmnACgjxZuzP4OFcqv0vw8itq85U0I
QXUAnRXzuzjv98mWjWvUGEC5uKajiYbT
=lPOb
-----END PGP SIGNATURE-----
--- End Message ---