Bug 1733363

Summary: The default ssd filter file /etc/fail2ban/filter.d/sshd.conf does not protect against brute force password guessing if using pam_sss for authentication.
Product: [Fedora] Fedora EPEL Reporter: Scott Bruce <bugzilla>
Component: fail2banAssignee: Orion Poplawski <orion>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: epel7CC: anon.amish, axel.thimm, orion, vonsch
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: fail2ban-0.10.4-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-09 02:09:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Scott Bruce 2019-07-25 20:01:46 UTC
Description of problem:

The default ssd filter file /etc/fail2ban/filter.d/sshd.conf, does not protect against brute force password guessing if using pam_sss for authentication. 

Version-Release number of selected component (if applicable):
0.9.7-1.el7

How reproducible:
Every time


Steps to Reproduce:
1. Using the default filter.d/sshd.conf file with using pam_sss.so for password-auth
2. Attempt to login using a valid username but invalid password 
3. The IP address will never be banned as the line below in /var/log/secure will never match a filter in /etc/fail2ban/filter.d/sshd.conf
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hostname user=username

Actual results:
The IP address will never be banned,


Expected results:
The IP address should be banned after typing in the wrong password 5 times.


Additional info:
the fix is simple
the line
 ^%(__prefix_line_sl)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*%(__suff)s$
should be replaced with,but maybe the .+ in too aggressive? should be tested
 ^%(__prefix_line_sl)spam_.+\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*%(__suff)s$

Comment 1 Fedora Update System 2019-11-23 23:42:22 UTC
FEDORA-EPEL-2019-dac149ad76 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dac149ad76

Comment 2 Fedora Update System 2019-11-24 01:30:51 UTC
fail2ban-0.10.4-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dac149ad76

Comment 3 Fedora Update System 2019-12-09 02:09:08 UTC
fail2ban-0.10.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.