fail2ban in LTS

To: debian-lts@lists.debian.org
Subject: fail2ban in LTS
From: Thorsten Alteholz <alteholz@debian.org>
Date: Sun, 20 Jul 2014 16:57:26 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.2.02.1407201654050.15615@jupiter.server.alteholz.net>

Hi,

this is my debdiff for fixing CVE-2013-7176 and CVE-2013-7177 in fail2ban.

Please give the packages from [1] some real-world testing before I uploadthem to squeeze-lts.


Thanks!
 Thorsten


[1] http://people.debian.org/~alteholz/packages/fail2ban/




diff -u fail2ban-0.8.4/debian/changelog fail2ban-0.8.4/debian/changelog
--- fail2ban-0.8.4/debian/changelog
+++ fail2ban-0.8.4/debian/changelog
@@ -1,3 +1,20 @@
+fail2ban (0.8.4-3+squeeze3) squeeze-lts; urgency=high
+
+  * Use anchored failregex for filters to avoid possible DoS.  Manually
+    picked up from the current status of 0.8 branch (as of
+    0.8.13-29-g09b2016):
+    - CVE-2013-7176: postfix.conf - anchored on the front, expects
+      "postfix/smtpd" prefix in the log line
+    - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
+      refactored to have a single failregex
+    - couriersmtp.conf - anchored on both sides
+    - exim.conf - front-anchored versions picked up from exim.conf
+      and exim-spam.conf
+    - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
+    (copied from the Wheezy version)
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sun, 20 Jul 2014 16:00:00 +0200
+
 fail2ban (0.8.4-3+squeeze2) squeeze-security; urgency=high

   * Anchor apache- filters failregexes to avoid possible DoS on servers
only in patch2:
unchanged:
--- fail2ban-0.8.4.orig/config/filter.d/lighttpd-fastcgi.conf
+++ fail2ban-0.8.4/config/filter.d/lighttpd-fastcgi.conf
@@ -3,13 +3,23 @@
 # Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
 #

+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]

 # Option:  failregex
 # Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
 # Values:  TEXT
 #
-failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+_daemon = (?:lighttpd|suhosin)
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
only in patch2:
unchanged:
--- fail2ban-0.8.4.orig/config/filter.d/exim.conf
+++ fail2ban-0.8.4/config/filter.d/exim.conf
@@ -14,7 +14,14 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
+
+# In versions >= 0.8.11 below strings defined in exim-common.conf
+
+host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
+pid = ( \[\d+\])?
+
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
+            ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
only in patch2:
unchanged:
--- fail2ban-0.8.4.orig/config/filter.d/cyrus-imap.conf
+++ fail2ban-0.8.4/config/filter.d/cyrus-imap.conf
@@ -4,6 +4,11 @@
 #
 # $Revision: 728 $
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf

 [Definition]

@@ -14,10 +19,9 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
-	    : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
-	    : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
-	    : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
only in patch2:
unchanged:
--- fail2ban-0.8.4.orig/config/filter.d/couriersmtp.conf
+++ fail2ban-0.8.4/config/filter.d/couriersmtp.conf
@@ -5,6 +5,12 @@
 # $Revision: 728 $
 #

+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]

 # Option:  failregex
@@ -14,7 +20,9 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = error,relay=<HOST>,.*550 User unknown
+_daemon = courieresmtpd
+
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
only in patch2:
unchanged:
--- fail2ban-0.8.4.orig/config/filter.d/postfix.conf
+++ fail2ban-0.8.4/config/filter.d/postfix.conf
@@ -5,6 +5,12 @@
 # $Revision: 728 $
 #

+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]

 # Option:  failregex
@@ -14,7 +20,9 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = reject: RCPT from (.*)\[<HOST>\]: 554
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

Reply to:

Follow-Ups:
- Re: fail2ban in LTS
  - From: Thorsten Alteholz <alteholz@debian.org>

Prev by Date: Re: libxml2 packages for LTS
Next by Date: Re: fail2ban in LTS
Previous by thread: Re: [SECURITY] [DSA 2974-1] php5 security update
Next by thread: Re: fail2ban in LTS
Index(es):
- Date
- Thread