Description of problem: The default ssd filter file /etc/fail2ban/filter.d/sshd.conf, does not protect against brute force password guessing if using pam_sss for authentication. Version-Release number of selected component (if applicable): 0.9.7-1.el7 How reproducible: Every time Steps to Reproduce: 1. Using the default filter.d/sshd.conf file with using pam_sss.so for password-auth 2. Attempt to login using a valid username but invalid password 3. The IP address will never be banned as the line below in /var/log/secure will never match a filter in /etc/fail2ban/filter.d/sshd.conf pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hostname user=username Actual results: The IP address will never be banned, Expected results: The IP address should be banned after typing in the wrong password 5 times. Additional info: the fix is simple the line ^%(__prefix_line_sl)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*%(__suff)s$ should be replaced with,but maybe the .+ in too aggressive? should be tested ^%(__prefix_line_sl)spam_.+\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*%(__suff)s$
FEDORA-EPEL-2019-dac149ad76 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dac149ad76
fail2ban-0.10.4-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-dac149ad76
fail2ban-0.10.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.