Re: fail2ban needs updating ... DoS issue CVE-2006-6302
martin f krafft wrote:
> On 2007-02-22 10:05, Stuart Rowan wrote:
> > As mentioned here:
> > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6302
> > So I think it would be worth getting the current etch version into
> > sarge-backports?
> The etch version changes the entire configuration file layout and
> syntax and requires substantial attention by the admin.
> But I agree that this should probably be fixed and I wonder whether
> a simple change to the regexp wouldn't do.
> I am really busy right now. If you could link up with upstream and
> figure out a patch against the 0.6 version on bpo, I will upload
> your fix immediately. That would be really nice and help me out
> a lot.
Hey Martin,
Having just had a quick look, the fix is in upstream 0.6.2, which seems to
take in a couple of the existing Debian patches and states that it fixes
the CVE-2006-6302 regexp. (Obviously this is just a maintenance release for
the 0.6.x branch)
Anyway I've downloaded upstream tarballs 0.6.2 and 0.6.1, diffed them and
I've isolated the actual security patch hunks (attached).
So it's up to you really, you could rebase to 0.6.2 or apply the attached
to the current package.
Cheers,
Stu.
diff -dru fail2ban-0.6.1/config/fail2ban.conf.hostsdeny fail2ban-0.6.2/config/fail2ban.conf.hostsdeny
--- fail2ban-0.6.1/config/fail2ban.conf.hostsdeny 2006-02-11 15:29:32.000000000 +0000
+++ fail2ban-0.6.2/config/fail2ban.conf.hostsdeny 2006-12-10 21:16:28.000000000 +0000
@@ -248,7 +257,7 @@
# Notes.: regex to match the password failure messages in the logfile.
# Values: TEXT Default: authentication failure|user .* not found
#
-failregex = authentication failure|user .* not found
+failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
[VSFTPD]
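Review bot: the `# Values: TEXT Default: authentication failure|user .* not found` comment three lines above the changed option still documents the old pattern; update it so the shipped comment and the shipped value agree. Also `(?P<host>\S*)` accepts an empty host between `[client ` and `]`, which would hand an empty string on to the IP extraction; `(?P<host>\S+)`, as the VSFTPD hunk below already uses, is the safer choice. Anchoring the host to the `[client ...]` field instead of scanning the whole line is the substance of the CVE-2006-6302 fix, so the group itself must stay mandatory.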
@@ -288,7 +297,7 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
-failregex = FAIL LOGIN
+failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S+)
[SSH]
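Review bot: the `Default:` comment above this option lists `Authentication failure|Failed password|Invalid user`, which matches neither the old `FAIL LOGIN` value nor the new one; fix the comment. More important for people upgrading: the new pattern matches the `vsftpd: (pam_unix) authentication failure; ... rhost=` line that PAM writes via syslog, not the `FAIL LOGIN` text from vsftpd's own log, so a section still configured to read vsftpd's own log file will silently stop matching anything. That behaviour change needs a line in the changelog or in the section comment.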
@@ -324,4 +333,4 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
-failregex = Authentication failure|Failed password|Invalid user
+failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)
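Review bot: the `Default:` comment above is stale here as well, still showing the old three-alternative pattern. In the new regex `(?:::f{4,6}:)?` is there to skip an IPv4-mapped prefix, but the standard prefix is `::ffff:` with exactly four f's, so `f{4}` states the intent precisely. As in the apache hunk, `(?P<host>\S*)` should be `\S+` so a line that ends right after `from` cannot produce an empty host.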
diff -dru fail2ban-0.6.1/config/fail2ban.conf.iptables fail2ban-0.6.2/config/fail2ban.conf.iptables
--- fail2ban-0.6.1/config/fail2ban.conf.iptables 2006-03-17 16:28:46.000000000 +0000
+++ fail2ban-0.6.2/config/fail2ban.conf.iptables 2006-12-10 21:16:28.000000000 +0000
@@ -276,7 +285,7 @@
# Notes.: regex to match the password failure messages in the logfile.
# Values: TEXT Default: authentication failure|user .* not found
#
-failregex = authentication failure|user .* not found
+failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
[VSFTPD]
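Review bot: identical to the corresponding fail2ban.conf.hostsdeny hunk, and the same two points apply: the `Default:` comment above still shows the old pattern, and `(?P<host>\S*)` should be `\S+`. The same holds for the two iptables hunks that follow, which repeat the hostsdeny VSFTPD and SSH changes verbatim. Since each failregex value is now duplicated across the hostsdeny, iptables and shorewall configs, they need to be kept in lockstep whenever one of the patterns is adjusted again.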
@@ -316,7 +325,7 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
-failregex = FAIL LOGIN
+failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S+)
[SSH]
@@ -358,4 +367,4 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
-failregex = Authentication failure|Failed password|Invalid user
+failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)
diff -dru fail2ban-0.6.1/config/fail2ban.conf.shorewall fail2ban-0.6.2/config/fail2ban.conf.shorewall
--- fail2ban-0.6.1/config/fail2ban.conf.shorewall 2006-02-11 15:29:32.000000000 +0000
+++ fail2ban-0.6.2/config/fail2ban.conf.shorewall 2006-12-10 21:16:28.000000000 +0000
@@ -242,7 +251,8 @@
# Notes.: regex to match the password failure messages in the logfile.
# Values: TEXT Default: authentication failure|user .* not found
#
-failregex = authentication failure|user .* not found
+failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
+
[VSFTPD]
# Option: enabled
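Review bot: this variant adds a trailing blank line after `failregex` (the lone `+` line; hunk header `-242,7 +251,8`) that the hostsdeny and iptables versions of the same change do not; drop it or add it in all three so the files stay diffable against each other. Otherwise the hunk is identical to the hostsdeny one and the same comments (stale `Default:` line, `\S*` versus `\S+`) apply here and to the two shorewall hunks below.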
@@ -275,7 +285,7 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
-failregex = FAIL LOGIN
+failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P<host>\S+)
[SSH]
@@ -311,4 +321,4 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
-failregex = Authentication failure|Failed password|Invalid user
+failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)
diff -dru fail2ban-0.6.1/logreader/logreader.py fail2ban-0.6.2/logreader/logreader.py
--- fail2ban-0.6.1/logreader/logreader.py 2006-01-03 15:13:04.000000000 +0000
+++ fail2ban-0.6.2/logreader/logreader.py 2006-12-10 21:16:26.000000000 +0000
@@ -172,7 +177,16 @@
timeMatch = re.search(self.timeregex, match.string)
if timeMatch:
date = self.getUnixTime(timeMatch.group())
- ipMatch = textToIp(match.string)
+ try:
+ # Fix for CVE-2006-6302
+ matchString = match.group("host")
+ except IndexError:
+ # However does not break the current configuration
+ logSys.warn("No 'host' group defined. This is a security " +
+ "issue. Please fix your configuration file " +
+ "and look at CVE-2006-6302")
+ matchString = match.string
+ ipMatch = textToIp(matchString)
if ipMatch:
for ip in ipMatch:
failList.append([ip, date])
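Review bot: `match.group("host")` raises IndexError only when no `host` group exists in the pattern; if an admin writes the group as optional and it does not participate in the match, it returns None and `textToIp(None)` is then called with a non-string. Guard with `if matchString is None:` and treat that like the missing-group case. Two further points: the fallback to `match.string` keeps the pre-fix behaviour for unconverted configurations, and the `logSys.warn` call sits inside the per-match path, so a busy server with an old config will repeat this warning for every failed login it sees; emit it once (or refuse the configuration at load time) instead. The `+` between the three string literals is unnecessary, adjacent literals concatenate, but that is cosmetic.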