
RFC: fail2ban wheezy security update



Dear Security Enthusiasts,

Would someone be so kind as to verify correct operation of a prospective security
update for the Fail2Ban package in wheezy, especially if you are using
postfix, cyrus imap, courier smtp, exim, or lighttpd.  Unfortunately the amount of
changes to those filter definitions was quite large, and I have tried to do my
best to verify their correct operation on sample log lines we have in recent
Fail2Ban, but I could have missed something obvious since I have no working
deployments of postfix etc.

These changes will later be reapplied (where applicable) on top of the
squeeze LTS version as well (I haven't looked into it yet).

I am attaching the debdiff, and the .deb package can be found at
http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb
signature: http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb.asc
sha256sum: 815b28ffdfcfbf0c8983facad46d54edffce63df2269ef9dc79b60886e747794

If you prefer to review changes online, here is the corresponding
pull request: https://github.com/fail2ban/fail2ban/pull/757

Corresponding changelog, hinting at those filters which were affected by
the fixes -- the rest of fail2ban should not have been affected:

fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high

  * Use anchored failregex for filters to avoid possible DoS.  Manually
    picked up from the current status of 0.8 branch (as of
    0.8.13-29-g09b2016):
    - CVE-2013-7176: postfix.conf - anchored on the front, expects
      "postfix/smtpd" prefix in the log line
    - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
      refactored to have a single failregex
    - couriersmtp.conf - anchored on both sides
    - exim.conf - front-anchored versions picked up from exim.conf
      and exim-spam.conf
    - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf

 -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 22 Jun 2014 11:56:54 -0400

Thank you very much and please CC me.

Best regards,
-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist,            Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        
diff -u fail2ban-0.8.6/debian/changelog fail2ban-0.8.6/debian/changelog
--- fail2ban-0.8.6/debian/changelog
+++ fail2ban-0.8.6/debian/changelog
@@ -1,3 +1,19 @@
+fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
+
+  * Use anchored failregex for filters to avoid possible DoS.  Manually
+    picked up from the current status of 0.8 branch (as of
+    0.8.13-29-g09b2016):
+    - CVE-2013-7176: postfix.conf - anchored on the front, expects
+      "postfix/smtpd" prefix in the log line
+    - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
+      refactored to have a single failregex
+    - couriersmtp.conf - anchored on both sides
+    - exim.conf - front-anchored versions picked up from exim.conf
+      and exim-spam.conf
+    - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 22 Jun 2014 11:56:54 -0400
+
 fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high
 
   * Anchor apache- filters failregexes to avoid possible DoS on servers
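Review bot: the per-filter bullets understate what the diff actually does: every new failregex in this debdiff also ends in `$`, so cyrus-imap.conf, exim.conf, lighttpd-fastcgi.conf and postfix.conf are anchored on both sides just like couriersmtp.conf, not only "on the front". The postfix and exim entries should also say that the patterns now narrow what is matched (postfix only `NOQUEUE: reject: ... 554 5.7.1`, exim only `sender verify fail ... Unrouteable address` and `rejected by local_scan()`), since an administrator reading the changelog needs to know that these are now the only rejects that lead to a ban.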
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/config/filter.d/couriersmtp.conf
+++ fail2ban-0.8.6/config/filter.d/couriersmtp.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
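Review bot: `before = common.conf` makes this filter (and the four others patched the same way below) depend on the wheezy copy of common.conf defining `__prefix_line` in terms of `_daemon`; the debdiff does not touch common.conf, so confirm that the 0.8.6-3wheezy2 version already provides that interpolation, otherwise `%(__prefix_line)s` cannot be resolved and the filter will not load.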
@@ -14,7 +20,10 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = error,relay=<HOST>,.*550 User unknown
+_daemon = courieresmtpd
+
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
+
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
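Review bot: the new pattern is stricter than the old one in two ways that "anchored on both sides" does not cover: it now requires a literal `: ` before `550` and a trailing period after `User unknown`, so a courieresmtpd line that ends without the period is no longer matched; please add a sample line to the testing request so reviewers can confirm the exact wording. Also, the extra blank line added before the `# Option:  ignoreregex` comment (there are now two) is stray whitespace.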
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/config/filter.d/cyrus-imap.conf
+++ fail2ban-0.8.6/config/filter.d/cyrus-imap.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,10 +20,9 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
-	    : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
-	    : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
-	    : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
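Review bot: two points on the consolidated failregex. The trailing `\]?$` after `.*` is dead: `.*` is greedy and will swallow a closing bracket itself, so the optional `\]` never has to match and can be dropped. More importantly, `badlogin: \S+ ?\[<HOST>\]` requires a non-empty token between `badlogin: ` and `[<HOST>]`, whereas all four old patterns used `.*` there and also accepted a line with no hostname before the bracketed address; check a cyrus sample line without a resolved client hostname before accepting this narrowing.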
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/config/filter.d/exim.conf
+++ fail2ban-0.8.6/config/filter.d/exim.conf
@@ -14,7 +14,14 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
+
+# In versions >= 0.8.11 below strings defined in exim-common.conf
+
+host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
+pid = ( \[\d+\])?
+
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
+            ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
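Review bot: `^%(pid)s %(host_info)s` with `pid = ( \[\d+\])?` only matches text that begins with an optional ` [pid]` followed by a space, which presupposes that the timestamp has already been cut out of the exim mainlog line (leaving its trailing space) before failregex runs; please confirm that is what the 0.8.6 filter does and say so in a comment next to the `# In versions >= 0.8.11` note, because anyone testing the pattern against a line without a timestamp will see no match. A smaller style point: the groups in `pid` and `host_info` could be non-capturing `(?:...)` so that `host` remains the only group of interest.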
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/config/filter.d/lighttpd-fastcgi.conf
+++ fail2ban-0.8.6/config/filter.d/lighttpd-fastcgi.conf
@@ -3,13 +3,24 @@
 # Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
 # Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
 # Values:  TEXT
 #
-failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+_daemon = (?:lighttpd|suhosin)
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
+
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
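Review bot: the new failregex requires the parenthesised tail `(attacker '<HOST>', file '...'(, line N)?)`, which the old `.*attacker\ \'<HOST>\'` did not; confirm with a sample that every ALERT line lighttpd relays from suhosin carries the `file '...'` part, otherwise those alerts silently stop matching. As in couriersmtp.conf, the added blank line before `# Option:  ignoreregex` is stray whitespace.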
only in patch2:
unchanged:
--- fail2ban-0.8.6.orig/config/filter.d/postfix.conf
+++ fail2ban-0.8.6/config/filter.d/postfix.conf
@@ -5,6 +5,12 @@
 # $Revision$
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -14,7 +20,9 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = reject: RCPT from (.*)\[<HOST>\]: 554
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
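Review bot: besides the `postfix/smtpd` prefix mentioned in the changelog, the new pattern narrows the match to `NOQUEUE:` rejects with status `554 5.7.1`, and `\S+\[<HOST>\]` requires the client name to abut the bracket (for example `unknown[1.2.3.4]`) where the old `(.*)\[<HOST>\]` accepted anything; a reject with another enhanced status code, or one logged with a queue id instead of `NOQUEUE`, will no longer lead to a ban. That is worth a sentence in the changelog and one sample line in the testing request.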
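In the spirit of the verification this e-mail asks for, an added harness (not part of this message, of the debdiff, or of fail2ban itself) that expands the new postfix and couriersmtp failregex from the debdiff the way a filter.d file would and runs them over constructed log lines. It assumes fail2ban 0.8's behaviour of cutting the timestamp out of the line before matching, and substitutes a simplified `__prefix_line` for the one in common.conf.

```python
import re

# Expansion of the <HOST> tag, as documented in the filter headers of the debdiff.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Syslog timestamp; this model assumes (as fail2ban 0.8 does) that the timestamp
# is cut out of the line before failregex runs, leaving the space after it.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")

def prefix_line(daemon):
    """Simplified stand-in for common.conf's __prefix_line (an assumption; the real
    one is more elaborate): optional hostname, the daemon, optional [pid], colon."""
    return r"\s*(?:\S+\s+)?" + daemon + r"(?:\[\d+\])?:?\s+"

def compile_failregex(template, daemon=""):
    """Expand %(__prefix_line)s and <HOST> the way the filter.d files expect."""
    pattern = template.replace("%(__prefix_line)s", prefix_line(daemon))
    return re.compile(pattern.replace("<HOST>", HOST_RE))

def find_host(regex, line):
    """Return the host a failregex extracts from one log line, or None."""
    m = DATE_RE.match(line)
    hit = regex.search(line[m.end():] if m else line)
    return hit.group("host") if hit else None

# Old and new postfix failregex and the new couriersmtp one, copied from the debdiff.
POSTFIX_OLD = compile_failregex(r"reject: RCPT from (.*)\[<HOST>\]: 554")
POSTFIX_NEW = compile_failregex(
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$",
    daemon="postfix/smtpd")
COURIER_NEW = compile_failregex(
    r"^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$",
    daemon="courieresmtpd")

# Constructed sample lines, not taken from a real server.
SMTPD_LINE = ("Jun 22 11:56:54 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
              "unknown[203.0.113.5]: 554 5.7.1 <u@example.org>: Relay access denied; "
              "from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<x>")
# Same text logged under another postfix daemon: only the unanchored regex bites.
OTHER_LINE = SMTPD_LINE.replace("postfix/smtpd", "postfix/cleanup")
COURIER_LINE = ("Jun 22 11:57:01 mx courieresmtpd: error,relay=::ffff:198.51.100.7,"
                "from=<a@example.net>,to=<nobody@example.org>: 550 User unknown.")

def check_samples():
    """Host each filter extracts from each sample (None means: no ban)."""
    return {
        "smtpd_new": find_host(POSTFIX_NEW, SMTPD_LINE),      # '203.0.113.5'
        "other_old": find_host(POSTFIX_OLD, OTHER_LINE),      # '203.0.113.5'
        "other_new": find_host(POSTFIX_NEW, OTHER_LINE),      # None
        "courier_new": find_host(COURIER_NEW, COURIER_LINE),  # '198.51.100.7'
    }
```

The `other_*` pair is the point of the anchoring: the old regex bans from a line produced by any postfix daemon, the new one only from `postfix/smtpd` lines with the expected shape.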
