Bug 241695
Field | Value
---|---
Summary | Fix sshd filter to spot attempts to log in as a user not in AllowUsers
Product | Fedora
Component | fail2ban
Version | 6
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Hardware | All
OS | Linux
Reporter | Jonathan Underwood <jonathan.underwood>
Assignee | Axel Thimm <axel.thimm>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
Fixed In Version | 0.8.0-8.fc7
Doc Type | Bug Fix
Last Closed | 2007-06-08 15:58:21 UTC
Description
Jonathan Underwood
2007-05-29 16:43:16 UTC
Created attachment 155601
Add regex to allow fail2ban to detect attempts to log in under disallowed usernames

Thanks, I've contacted upstream on this. I'm not sure whether using fail2ban on AllowUsers controlled setup is really improving security, as usually you only have a couple of users anyway. But I'll let upstream decide. :)

Yes. I wondered too. Let me explain my thinking on this - I have sshd running on a machine with only a couple of users as AllowedUsers. With fail2ban configured as shipped I can see thousands and thousands of attempts to log in using various usernames, and they don't trigger fail2ban. Clearly there's a brute force attempt going on, which if I hadn't set AllowedUsers would have been detected early and blocked. With the shipped config it will only trigger when the brute force guesses a username in AllowedUsers. And so AllowedUsers ends up sort of working in favour of the hacking attempt. You might argue that sshd should be more consistent in its logging messages in this case, but since that would be a change in behaviour, I tend to think fail2ban, which is designed to cope with this, should be configured to do so. Also, denyhosts is configured to trigger in the manner I describe as desired. My feeling is - it helps users to have this fix, and doesn't break anything, so why not do it.

fail2ban-0.8.0-8.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.

OK, comment #3 was more than convincing :) Jonathan, could you check the update in updates-testing, so I can push it to the real updates? Thanks!

Happy to. However at work I only have FC6 boxes and I don't see an update in updates-testing for FC6 - I suspect you've pushed an updates testing for F7 only? I can check that later when I'm at home, where I do have an F7 install.

For FC6 one can only push directly to the extras repo, updates-testing only works for core packages (although the updates system will be backported to FC6, too, just not yet). The FC6 builds are a day old now, I guess someone will push them today into the extras repo.

Hm, ok, that's odd. I just did a yum --enablerepo=updates-testing install fail2ban and it installed fail2ban.noarch 0:0.8.0-7.fc7. I wonder if your bodhi magic didn't work :)

Well, bodhi says it's pushed on 2007-06-03 21:12:15 (not sure what TZ that is): https://admin.fedoraproject.org/updates/testing/F7/fail2ban-0.8.0-8.fc7 It's also on the master mirror: http://download.fedora.redhat.com/pub/fedora/linux/updates/testing/7/i386/fail2ban-0.8.0-8.fc7.noarch.rpm So perhaps the mirror you use is outdated?

Hm. I guess it is. For some reason I thought yum had some voodoo black magic to detect out of date mirrors in this release. Guess not. Anyway, installed the rpm from the master mirror, and am happy to report that all looks fine with it.

fail2ban-0.8.0-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
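The thread's argument is that an `AllowUsers`-restricted sshd logs each rejected guess with its own message rather than a password failure, so a filter that only counts password failures never reaches `maxretry` for the scanning host. The script below is an added illustration of that gap and is not the patch from attachment 155601 (whose exact regex is not on this page) nor fail2ban's own code. It assumes an approximation of the pre-fix sshd failregex, uses OpenSSH's "not allowed because not listed in AllowUsers" wording for the rejection line, restricts the `<HOST>` placeholder to IPv4 for brevity, and runs over a constructed auth.log excerpt: the same scanning host is invisible to the stock patterns and banned once the AllowUsers pattern is added.

```python
import re
from collections import Counter

# Constructed sshd log excerpt (auth.log style). Host name, PIDs, user names
# and addresses are made up; the message texts follow OpenSSH's own wording.
SAMPLE_LOG = """\
May 29 16:40:01 gw sshd[2345]: User test from 192.0.2.10 not allowed because not listed in AllowUsers
May 29 16:40:02 gw sshd[2346]: User admin from 192.0.2.10 not allowed because not listed in AllowUsers
May 29 16:40:03 gw sshd[2347]: User guest from 192.0.2.10 not allowed because not listed in AllowUsers
May 29 16:40:04 gw sshd[2348]: User oracle from 192.0.2.10 not allowed because not listed in AllowUsers
May 29 16:40:05 gw sshd[2349]: User www from 192.0.2.10 not allowed because not listed in AllowUsers
May 29 16:40:06 gw sshd[2350]: Accepted publickey for jonathan from 198.51.100.7 port 50000 ssh2
May 29 16:40:07 gw sshd[2351]: Failed password for invalid user backup from 203.0.113.5 port 40112 ssh2
May 29 16:40:08 gw sshd[2352]: Failed password for invalid user backup from 203.0.113.5 port 40113 ssh2
"""

# Approximation of the pre-fix fail2ban sshd failregex (assumption: the exact
# filter shipped in 0.8.0-7 is not reproduced on the page).
STOCK_PATTERNS = [
    r"Failed [-/\w]+ for .* from <HOST>",
    r"[iI](?:llegal|nvalid) user .* from <HOST>",
]

# The kind of rule the fix adds: count sshd's AllowUsers rejection as a failure.
ALLOWUSERS_PATTERN = r"User \S+ from <HOST> not allowed because not listed in AllowUsers"

# fail2ban expands <HOST> to an address regex; IPv4 only here for brevity.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def compile_failregex(patterns):
    """Expand the <HOST> placeholder and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def count_failures(log_text, patterns):
    """Return {host: number of log lines matching any of the patterns}."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # a line counts once, whichever pattern matched it
    return dict(hits)


def banned_hosts(log_text, patterns, maxretry=5):
    """Hosts whose failure count reached maxretry (fail2ban's ban threshold)."""
    counts = count_failures(log_text, patterns)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    fixed = STOCK_PATTERNS + [ALLOWUSERS_PATTERN]
    print("stock filter:       ", count_failures(SAMPLE_LOG, STOCK_PATTERNS))
    print("with AllowUsers rule:", count_failures(SAMPLE_LOG, fixed))
    print("banned, stock:      ", banned_hosts(SAMPLE_LOG, STOCK_PATTERNS))
    print("banned, fixed:      ", banned_hosts(SAMPLE_LOG, fixed))
```

With the stock patterns only 203.0.113.5 accumulates failures (two, below the threshold), while the five AllowUsers rejections from 192.0.2.10 are never counted; adding the AllowUsers pattern is what lets that host reach `maxretry`. In a real filter the patterns are anchored behind fail2ban's `__prefix_line` (timestamp, host and `sshd[pid]:`), which is omitted here.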