Your message dated Thu, 05 Feb 2009 15:47:04 +0000
with message-id <e1lv6ru-0001jq...@ries.debian.org>
and subject line Bug#514163: fixed in fail2ban 0.8.3-2sid1
has caused the Debian Bug report #514163,
regarding fail2ban: allows DoS via construction of domain names starting with IP of a victim
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
514163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fail2ban
Version: 0.7.5-2etch1
Severity: normal

The '/etc/fail2ban/filter.d/wuftpd.conf' file shipped in the package
contains a regex which matches the error message generated by PAM:

failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$

The problem is that the value of 'rhost' is the resolved reverse DNS entry
for the remote host. Also, fail2ban's checking of the <HOST> entry stops
after it finds a valid IP address. I noticed this thanks to the following
log entries:

 (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn

That reverse DNS entry actually comes from 125.75.232.26, but fail2ban took
the beginning of that string and banned the IP address 26.232.125.75.

The attached patch changes the regexp to one that matches the log message
generated by wu-ftpd itself, which contains the unresolved IP address of the
remote host. Note that this message is by default written to syslog and not
auth.log.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (900, 'stable'), (200, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)

Versions of packages fail2ban depends on:
ii  iptables                1.3.6.0debian1-5 administration tools for packet fi
ii  lsb-base                3.1-23.2etch1    Linux Standard Base 3.1 init scrip
ii  python                  2.4.4-2          An interactive high-level object-o
ii  python-central          0.5.12           register and build utility for Pyt
ii  python2.4               2.4.4-3+etch2    An interactive high-level object-o

fail2ban recommends no packages.

-- no debconf information

-- 
Chris Butler <chr...@debian.org>
  GnuPG Key ID: 1024D/D097A261
From 3f915b680d67690273dd5754d6bfdde87642906b Mon Sep 17 00:00:00 2001
From: Chris Butler <chr...@cob.crustynet.org.uk>
Date: Wed, 4 Feb 2009 14:09:17 +0000
Subject: [PATCH] Changed regex for matching wu-ftpd login failures, as the pam messages contained resolved reverse DNS, which may be unresolvable or spoofed.

---
 config/filter.d/wuftpd.conf |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf
index 2d08022..11baef3 100644
--- a/config/filter.d/wuftpd.conf
+++ b/config/filter.d/wuftpd.conf
@@ -11,4 +11,4 @@
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
-failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* 
rhost=<HOST>$
+failregex = wu-ftpd\[\d+\]:\s+failed login from .* \[<HOST>\]$
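Review bot: the replacement line makes the bracketed PID mandatory (`wu-ftpd\[\d+\]:` in place of the removed line's `wu-ftpd(?:\[\d+\])?:`), so any wu-ftpd line logged without a PID stops matching; keep the optional group unless wu-ftpd is known to always log one. The commit message and the report say the "failed login from" message goes to syslog rather than auth.log, but this hunk only touches the filter, so the jail's log path setting needs a matching change or the new failregex will never see a line to match. The trailing `\[<HOST>\]$` is the part that actually closes the bug: it restricts `<HOST>` to the bracketed, unresolved address at the end of the line instead of a resolver-controlled name.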
-- 
1.4.4.4


--- End Message ---
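An added illustration, not fail2ban's or the reporter's own code, of the two behaviours the report describes: a simplified model of IP extraction from the `<HOST>` capture without an end anchor (which bans the address embedded in the reverse DNS name), the `" *$"`-anchored variant the maintainer's changelog below refers to, and the reporter's patched wuftpd filter run over a constructed syslog line. The expansion of `<HOST>` to `(?P<host>\S+)` and both log lines are assumptions made for the example.

```python
import re
from typing import Optional

# Simplified model of the behaviour discussed in Debian bug #514163;
# this is an added illustration, not fail2ban's own implementation.
IP_RE = r"(?:\d{1,3}\.){3}\d{1,3}"

# Vulnerable behaviour: the IP pattern is matched at the start of the <HOST>
# capture with no end anchor, so an IP-looking prefix of a hostname "wins".
IP_UNANCHORED = re.compile(IP_RE)
# Fixed behaviour (per the changelog): require " *$" after the IP, so only a
# capture that is entirely an IP address (plus trailing blanks) is accepted.
IP_ANCHORED = re.compile(IP_RE + r" *$")

def search_ip(host: str, anchored: bool) -> Optional[str]:
    """Return the IP taken from a <HOST> capture, or None if it holds no bare IP."""
    cre = IP_ANCHORED if anchored else IP_UNANCHORED
    m = cre.match(host)
    return m.group(0).strip() if m else None

# Filter regexes from the report; <HOST> is expanded to a plain non-space
# capture group (an assumption, simpler than fail2ban's real expansion).
HOST = r"(?P<host>\S+)"
PAM_FILTER = re.compile(
    r"wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost="
    + HOST + r"$")
WUFTPD_FILTER = re.compile(
    r"wu-ftpd\[\d+\]:\s+failed login from .* \[" + HOST + r"\]$")

def banned_host(line: str, filt: "re.Pattern", anchored: bool) -> Optional[str]:
    """Apply a filter regex to one log line and derive the IP that would be banned."""
    m = filt.search(line)
    return search_ip(m.group("host"), anchored) if m else None

# Constructed sample lines: the first reuses the rhost value quoted in the
# report; the second is a made-up wu-ftpd syslog line shaped like the patched regex.
PAM_LINE = ("wu-ftpd[2314]: (pam_unix) authentication failure; logname= uid=0 "
            "euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn")
WUFTPD_LINE = ("wu-ftpd[2314]: failed login from "
               "26.232.125.75.gs.dynamic.163data.com.cn [125.75.232.26]")

if __name__ == "__main__":
    print(banned_host(PAM_LINE, PAM_FILTER, anchored=False))      # 26.232.125.75 (wrong host)
    print(banned_host(PAM_LINE, PAM_FILTER, anchored=True))       # None (no bare IP in rhost)
    print(banned_host(WUFTPD_LINE, WUFTPD_FILTER, anchored=True)) # 125.75.232.26
```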
--- Begin Message ---
Source: fail2ban
Source-Version: 0.8.3-2sid1

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive:

fail2ban_0.8.3-2sid1.diff.gz
  to pool/main/f/fail2ban/fail2ban_0.8.3-2sid1.diff.gz
fail2ban_0.8.3-2sid1.dsc
  to pool/main/f/fail2ban/fail2ban_0.8.3-2sid1.dsc
fail2ban_0.8.3-2sid1_all.deb
  to pool/main/f/fail2ban/fail2ban_0.8.3-2sid1_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yaroslav Halchenko <deb...@onerussian.com> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 05 Feb 2009 10:23:12 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.3-2sid1
Distribution: unstable
Urgency: low
Maintainer: Yaroslav Halchenko <deb...@onerussian.com>
Changed-By: Yaroslav Halchenko <deb...@onerussian.com>
Description: 
 fail2ban   - bans IPs that cause multiple authentication errors
Closes: 514163
Changes: 
 fail2ban (0.8.3-2sid1) unstable; urgency=low
 .
   * NF: adding unittests for previous commit
   * BF: anchoring regex for IP with " *$" at the end + adjust regexp for
     <HOST> (closes: #514163)

--- End Message ---