Your message dated Wed, 01 Aug 2012 01:47:10 +0000
with message-id <[email protected]>
and subject line Bug#514239: fixed in fail2ban 0.8.7-1
has caused the Debian Bug report #514239,
regarding fail2ban: wu-ftpd - consider matching entries in syslog, not auth.log
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
514239: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514239
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version: 0.7.5-2etch1
Severity: normal
The '/etc/fail2ban/filter.d/wuftpd.conf' file shipped in the package
contains a regex which matches the error message generated by PAM:
failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.*
rhost=<HOST>$
The problem is that the value of 'rhost' is the resolved reverse DNS entry
for the remote host. Also, fail2ban's checking of the <HOST> entry stops
after it finds a valid IP address. I noticed this thanks to the following
log entries:
(pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser=
rhost=26.232.125.75.gs.dynamic.163data.com.cn
That reverse DNS entry actually comes from 125.75.232.26, but fail2ban took
the beginning of that string and banned the IP address 26.232.125.75.
The attached patch changes the regexp to one that matches the log message
generated by wu-ftpd itself, which contains the unresolved IP address of the
remote host. Note that this message is by default written to syslog and not
auth.log.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (900, 'stable'), (200, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_GB.UTF-8)
Versions of packages fail2ban depends on:
ii iptables 1.3.6.0debian1-5 administration tools for packet fi
ii lsb-base 3.1-23.2etch1 Linux Standard Base 3.1 init scrip
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt
ii python2.4 2.4.4-3+etch2 An interactive high-level object-o
fail2ban recommends no packages.
-- no debconf information
--
Chris Butler <[email protected]>
GnuPG Key ID: 1024D/D097A261
>From 3f915b680d67690273dd5754d6bfdde87642906b Mon Sep 17 00:00:00 2001
From: Chris Butler <[email protected]>
Date: Wed, 4 Feb 2009 14:09:17 +0000
Subject: [PATCH] Changed regex for matching wu-ftpd login failures, as the pam
messages contained resolved reverse DNS, which may be unresolvable or spoofed.
---
config/filter.d/wuftpd.conf | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf
index 2d08022..11baef3 100644
--- a/config/filter.d/wuftpd.conf
+++ b/config/filter.d/wuftpd.conf
@@ -11,4 +11,4 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
-failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.*
rhost=<HOST>$
+failregex = wu-ftpd\[\d+\]:\s+failed login from .* \[<HOST>\]$
--
1.4.4.4
--- End Message ---
--- Begin Message ---
Source: fail2ban
Source-Version: 0.8.7-1
We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yaroslav Halchenko <[email protected]> (supplier of updated fail2ban
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 31 Jul 2012 16:51:40 -0400
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.7-1
Distribution: experimental
Urgency: low
Maintainer: Yaroslav Halchenko <[email protected]>
Changed-By: Yaroslav Halchenko <[email protected]>
Description:
fail2ban - ban hosts that cause multiple authentication errors
Closes: 333557 481265 514239 598109 604843 616803 648020 653074 657286 669063
672228 676146
Changes:
fail2ban (0.8.7-1) experimental; urgency=low
.
* New upstream release:
- inotify backend is supported (and the default if pyinotify is present).
It should bring number of wakeups to minimum (Closes: #481265)
- usedns jail.conf parameter to disable reverse DNS mapping to
avoid of DoS (see #588431, #514239 for related discussions)
- enforces non-unicode logging (Closes: #657286)
- new jail "recidive" to ban repeated offenders (Closes: #333557)
- catch failed ssh logins due to being listed in DenyUsers (Closes:
#669063)
- document in config/*.conf on how to inline comments (Closes: #676146)
- match possibly present "pam_unix(sshd:auth):" portion for sshd
(Closes: #648020)
- wu-ftpd: added failregex for use against syslog. Switch to monitor syslog
(instead of auth.log) by default (Closes: #514239)
- anchor chain name in actioncheck's for iptables actions (Closes: #672228)
* debian/jail.conf:
- adopted few jails from "upstreams" jail.conf: asterisk, recidive,
lighttpd, php-url-open
- provide instructions in jail.conf on how to comment (Closes: #676146)
Thanks Stefano Forli for a report
* debian/fail2ban.init:
- Should-(start|stop): iptables-persistent (Closes: #598109),
ferm (Closes: #604843)
- 'status' exits with code 3 if fail2ban is not running (Closes: #653074)
Thanks Glenn Aaldering for the patch
* debian/source:
- switch to 3.0 (quilt) format
* debian/control,rules:
- switch to use dh_python2 (Closes: #616803)
- boost policy compliance to 3.9.3
- recommend python-pyinotify and only suggest python-gamin
Checksums-Sha1:
e2111e7d537d36f9980e23175e62e8d21c7ff6be 1190 fail2ban_0.8.7-1.dsc
44cd6e29dc54e300e2581104f99d87763c7d7e42 122505 fail2ban_0.8.7.orig.tar.gz
1addea3b04a2b7b850431a83775fdf9f6da033d8 29327 fail2ban_0.8.7-1.debian.tar.gz
b4e6988395db1f13fb4b22b47173dc69979aee13 110388 fail2ban_0.8.7-1_all.deb
Checksums-Sha256:
ea8788f1fe931d8da7c2d67f08f127da8895ff21648a1cab80082e8ffe7dde53 1190
fail2ban_0.8.7-1.dsc
7549ea38ffa3755a41145cc3ecc1149e025465b4db3c3ceed9e59b30903d35e6 122505
fail2ban_0.8.7.orig.tar.gz
c488798420314b2a37ea20d7d431484f638135f14f6133e334a6230c99739229 29327
fail2ban_0.8.7-1.debian.tar.gz
70524db89972550bcd24b4c2d61286017628fc30e49fc1029fc66b430fcd24aa 110388
fail2ban_0.8.7-1_all.deb
Files:
333dd1321b92151a05f7792c2067bbf2 1190 net optional fail2ban_0.8.7-1.dsc
ab7ad37439ca9e4d92d97325b10d85ff 122505 net optional fail2ban_0.8.7.orig.tar.gz
ae2f2d569e1274d5f30e9a3c72861c0b 29327 net optional
fail2ban_0.8.7-1.debian.tar.gz
cf95cf7bba199160298d948cf30c4ee5 110388 net optional fail2ban_0.8.7-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlAYhjwACgkQjRFFY3XAJMg15QCePMCq9AFHgkgVo34DTAoJt96W
CsUAoNTK8OE+mgS9hvAWiKdhARAMQhnt
=VEf6
-----END PGP SIGNATURE-----
--- End Message ---
