Dear Security Enthusiasts,

Would someone be kind enough to verify correct operation of a prospective security update for the Fail2Ban package in wheezy? Especially if you are using postfix, cyrus imap, courier smtp, exim, or lighttpd. Unfortunately the amount of changes to those filter definitions was quite large, and I have tried to do my best to verify their correct operation on the sample log lines we have in recent Fail2Ban, but I could have missed something obvious since I have no working deployments of postfix etc.
These changes will later be reapplied (where applicable) on top of the squeeze LTS version as well (haven't looked into it yet).

I am attaching the debdiff; the .deb package can be found at
http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb
signature: http://onerussian.com/tmp/fail2ban_0.8.6-3wheezy3_all.deb.asc
sha256sum: 815b28ffdfcfbf0c8983facad46d54edffce63df2269ef9dc79b60886e747794

If you prefer to review the changes online, here is the corresponding pull request:
https://github.com/fail2ban/fail2ban/pull/757

Corresponding changelog, hinting at those filters which were affected by the fixes -- the rest of fail2ban should not have been affected:

fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high

  * Use anchored failregex for filters to avoid possible DoS. Manually
    picked up from the current status of 0.8 branch (as of
    0.8.13-29-g09b2016):
    - CVE-2013-7176: postfix.conf - anchored on the front, expects
      "postfix/smtpd" prefix in the log line
    - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and
      refactored to have a single failregex
    - couriersmtp.conf - anchored on both sides
    - exim.conf - front-anchored versions picked up from exim.conf
      and exim-spam.conf
    - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf

 -- Yaroslav Halchenko <deb...@onerussian.com>  Sun, 22 Jun 2014 11:56:54 -0400

Thank you very much and please CC me.

Best regards,
-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
diff -u fail2ban-0.8.6/debian/changelog fail2ban-0.8.6/debian/changelog --- fail2ban-0.8.6/debian/changelog +++ fail2ban-0.8.6/debian/changelog @@ -1,3 +1,19 @@ +fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high + + * Use anchored failregex for filters to avoid possible DoS. Manually + picked up from the current status of 0.8 branch (as of + 0.8.13-29-g09b2016): + - CVE-2013-7176: postfix.conf - anchored on the front, expects + "postfix/smtpd" prefix in the log line + - CVE-2013-7177: cyrus-imap.conf - anchored on the front, and + refactored to have a single failregex + - couriersmtp.conf - anchored on both sides + - exim.conf - front-anchored versions picked up from exim.conf + and exim-spam.conf + - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf + + -- Yaroslav Halchenko <deb...@onerussian.com> Sun, 22 Jun 2014 11:56:54 -0400 + fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high * Anchor apache- filters failregexes to avoid possible DoS on servers only in patch2: unchanged: --- fail2ban-0.8.6.orig/config/filter.d/couriersmtp.conf +++ fail2ban-0.8.6/config/filter.d/couriersmtp.conf @@ -5,6 +5,12 @@ # $Revision$ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] # Option: failregex @@ -14,7 +20,10 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = error,relay=<HOST>,.*550 User unknown +_daemon = courieresmtpd + +failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$ + # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. only in patch2: unchanged: --- fail2ban-0.8.6.orig/config/filter.d/cyrus-imap.conf +++ fail2ban-0.8.6/config/filter.d/cyrus-imap.conf @@ -5,6 +5,12 @@ # $Revision$ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] # Option: failregex 
@@ -14,10 +20,9 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$ - : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$ - : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$ - : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$ +_daemon = (?:cyrus/)?(?:imapd?|pop3d?) + +failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. only in patch2: unchanged: --- fail2ban-0.8.6.orig/config/filter.d/exim.conf +++ fail2ban-0.8.6/config/filter.d/exim.conf @@ -14,7 +14,14 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address) + +# In versions >= 0.8.11 below strings defined in exim-common.conf + +host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )? +pid = ( \[\d+\])? + +failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$ + ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. only in patch2: unchanged: --- fail2ban-0.8.6.orig/config/filter.d/lighttpd-fastcgi.conf +++ fail2ban-0.8.6/config/filter.d/lighttpd-fastcgi.conf 
@@ -3,13 +3,24 @@ # Author: Arturo 'Buanzo' Busleiman <bua...@buanzo.com.ar> # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] # Option: failregex # Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module # Values: TEXT # -failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\' +_daemon = (?:lighttpd|suhosin) + +_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s) + +failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$ + # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. only in patch2: unchanged: --- fail2ban-0.8.6.orig/config/filter.d/postfix.conf +++ fail2ban-0.8.6/config/filter.d/postfix.conf @@ -5,6 +5,12 @@ # $Revision$ # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] # Option: failregex @@ -14,7 +20,9 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = reject: RCPT from (.*)\[<HOST>\]: 554 +_daemon = postfix/smtpd + +failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored.
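Review bot: the couriersmtp.conf hunk, like the other four filter hunks in this debdiff, now depends on `[INCLUDES] before = common.conf` and on `%(__prefix_line)s` expanding to a pattern that consumes the syslog prefix up to and including `courieresmtpd[pid]:`; confirm that common.conf as shipped in the 0.8.6 wheezy package defines `__prefix_line` and interpolates `%(_daemon)s`, because with an older common.conf the filter either fails to load or never matches, which for a security update is a silent loss of banning. The new failregex is also stricter than the removed one: it requires `: 550 User unknown.` with the trailing period and the `$` anchor, so one real rejection line from courieresmtpd should be run through fail2ban-regex before upload to confirm the exact wording.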
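Review bot: the new `_daemon = (?:cyrus/)?(?:imapd?|pop3d?)` in the cyrus-imap.conf hunk does not cover the SSL-wrapped services, which Cyrus logs under the service name configured in cyrus.conf (typically `imaps` and `pop3s`); the four removed regexes were unanchored and matched those lines, so the anchored single regex would stop banning on them without any error. Consider `(?:cyrus/)?(?:imap(?:d|s)?|pop3(?:d|s)?)`. Also, `badlogin: \S+ ?\[<HOST>\]` requires at least one non-space token before the bracketed address, so it is worth checking a `badlogin:` line from a client without a reverse DNS name to make sure Cyrus still emits a token in that position.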
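Review bot: the exim.conf hunk narrows `Unrouteable address` matching to `sender verify fail for <...>:` lines only, whereas the removed `\[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)` also caught recipient-side rejections that end in `Unrouteable address`; if that narrowing is deliberate (the comment says the definitions follow exim-common.conf from 0.8.11 on), it deserves an explicit changelog line, since sites relying on the old behaviour lose coverage silently. Both new regexes also begin with `^%(pid)s ` followed by a literal space, so they rely on fail2ban leaving that leading space in place after stripping the mainlog timestamp; verify with fail2ban-regex against one mainlog line with `[pid]` and one without.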
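Review bot: in the lighttpd-fastcgi.conf hunk the new failregex requires the `, file '...'` component (plus an optional `, line N`) inside the closing parentheses, which the removed `.*ALERT\ -\ .*attacker\ \'<HOST>\'` did not; any ALERT variant without a file component would no longer match, so compare against the full suhosin ALERT format being targeted. Because lighttpd's error.log is not syslog-formatted (after the timestamp the line starts with `(mod_fastcgi.c.NNN) FastCGI-stderr:`), the regex also relies on every component of `%(__prefix_line)s` being optional so that it can match an empty prefix once the date is stripped; one fail2ban-regex run with an error.log line and one with a syslog line from `suhosin` would confirm both paths.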
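Review bot: the postfix.conf hunk restricts matches to `NOQUEUE: reject: RCPT from ...: 554 5.7.1`; the removed `reject: RCPT from (.*)\[<HOST>\]: 554` matched any 554 RCPT rejection regardless of the enhanced status code, so rejections logged with a different 5.x.x code no longer count, and that change in scope should be stated in the changelog alongside the CVE-2013-7176 line. The hunk also hard-codes `_daemon = postfix/smtpd`, so a multi-instance Postfix with a different `syslog_name` (for example `postfix-out/smtpd`) will not match at all; if that is acceptable for a security update, say so, otherwise `_daemon = postfix(?:-\w+)?/smtpd` would keep those sites covered.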