Red Hat Bugzilla – Bug 241695
Fix sshd filter to spot attempts to log in as a user not in AllowUsers
Last modified: 2007-11-30 17:12:05 EST
Description of problem:
As shipped, fail2ban doesn't trigger on messages which correspond to attempted
logins as users which are invalid due to not being listed in AllowUsers in
/etc/ssh/sshd_config. The attached one-line patch fixes this.
Was going to send it upstream, but can't find a mailing list.
Created attachment 155601 [details]
Add regex to allow fail2ban to detect attempts to log in under disallowed usernames
Thanks, I've contacted upstream on this.
I'm not sure whether using fail2ban on an AllowUsers-controlled setup is really
improving security, as usually you only have a couple of users anyway. But I'll
let upstream decide. :)
Yes. I wondered too. Let me explain my thinking on this - I have sshd running
on a machine with only a couple of users in AllowUsers. With fail2ban
configured as shipped I can see thousands and thousands of attempts to log in
using various usernames, and they don't trigger fail2ban. Clearly there's a
brute force attempt going on, which if I hadn't set AllowUsers would have been
detected early and blocked. With the shipped config it will only trigger when
the brute force guesses a username in AllowUsers. And so AllowUsers ends up
sort of working in favour of the hacking attempt.
You might argue that sshd should be more consistent in its logging messages in
this case, but since that would be a change in behaviour, I tend to think
fail2ban, which is designed to cope with this, should be configured to do so.
Also, denyhosts is configured to trigger in the manner I describe as desired.
My feeling is - it helps users to have this fix, and doesn't break anything, so
why not do it.
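To make the gap described in the preceding comments concrete, here is an added example (it is not the attached patch and not fail2ban's own filter code). It runs a shipped-style "Failed password" failregex, and then the same list plus an extra pattern for sshd's AllowUsers rejection message, over a handful of constructed sshd log lines and counts failures per source host the way a jail would before banning. The "User X from HOST not allowed because not listed in AllowUsers" text is OpenSSH's own message; the regexes, the sample log lines, the IP addresses and the maxretry value are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for the example (not taken from the bug report).
# The first two are "Failed password" messages the shipped filter already
# matches; lines 3-7 are what sshd logs when AllowUsers rejects the username;
# the last line is a successful login and must never count as a failure.
SAMPLE_LOG = """\
Jun  3 21:10:01 host sshd[1234]: Failed password for jonathan from 192.0.2.10 port 40001 ssh2
Jun  3 21:10:05 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jun  3 21:11:01 host sshd[1240]: User oracle from 198.51.100.7 not allowed because not listed in AllowUsers
Jun  3 21:11:02 host sshd[1241]: User test from 198.51.100.7 not allowed because not listed in AllowUsers
Jun  3 21:11:03 host sshd[1242]: User guest from 198.51.100.7 not allowed because not listed in AllowUsers
Jun  3 21:11:04 host sshd[1243]: User mysql from 198.51.100.7 not allowed because not listed in AllowUsers
Jun  3 21:11:05 host sshd[1244]: User postgres from 198.51.100.7 not allowed because not listed in AllowUsers
Jun  3 21:12:00 host sshd[1250]: Accepted publickey for jonathan from 203.0.113.5 port 50000 ssh2
"""

# Named group standing in for fail2ban's <HOST> tag (assumed simplification:
# IPv4 only, no hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Shipped-style pattern (my approximation, not the real filter file): fires on
# password/publickey failures, including "invalid user", but the AllowUsers
# rejection carries no "Failed ..." text, so it never matches that line.
SHIPPED_FAILREGEX = [
    re.compile(r"sshd\[\d+\]: Failed (?:password|publickey) for .* from " + HOST),
]

# Extra pattern in the spirit of the fix under discussion (my wording, not the
# attachment's): match sshd's AllowUsers rejection and capture the source host.
ALLOWUSERS_FAILREGEX = re.compile(
    r"sshd\[\d+\]: User \S+ from " + HOST
    + r" not allowed because not listed in AllowUsers"
)


def count_failures(log_text, patterns):
    """Return {host: number of log lines matching any of the patterns}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                counts[m.group("host")] += 1
                break  # one failure per line, even if several patterns match
    return dict(counts)


def banned_hosts(log_text, patterns, maxretry=5):
    """Hosts a jail would ban: failure count reached maxretry (assumed 5)."""
    return sorted(h for h, n in count_failures(log_text, patterns).items()
                  if n >= maxretry)


if __name__ == "__main__":
    # With only the shipped-style pattern the AllowUsers brute force is invisible.
    print("shipped:", count_failures(SAMPLE_LOG, SHIPPED_FAILREGEX),
          "bans:", banned_hosts(SAMPLE_LOG, SHIPPED_FAILREGEX))
    # Adding the AllowUsers pattern makes the same scan trip the ban threshold.
    patched = SHIPPED_FAILREGEX + [ALLOWUSERS_FAILREGEX]
    print("patched:", count_failures(SAMPLE_LOG, patched),
          "bans:", banned_hosts(SAMPLE_LOG, patched))
```

Running it shows 198.51.100.7 accumulating five rejections that the shipped-style pattern never sees, which is exactly the "AllowUsers works in favour of the attacker" situation described above; the extra pattern only adds matches and leaves the successful "Accepted publickey" line alone, so it does not widen what gets banned beyond genuine failed attempts.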
fail2ban-0.8.0-8.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
OK, comment #3 was more than convincing :)
Jonathan, could you check the update in updates-testing, so I can push it to the
real updates? Thanks!
Happy to. However at work I only have FC6 boxes and I don't see an update in
updates-testing for FC6 - I suspect you've pushed an updates testing for F7
only? I can check that later when I'm at home, where I do have an F7 install.
For FC6 one can only push directly to the extras repo, updates-testing only
works for core packages (although the updates system will be backported to FC6,
too, just not yet).
The FC6 builds are a day old now, I guess someone will push them today into the
Hm, ok, that's odd. I just did a yum --enablerepo=updates-testing install
fail2ban and it installed fail2ban.noarch 0:0.8.0-7.fc7. I wonder if your bodhi
magic didn't work :)
Well, bodhi says it's pushed on 2007-06-03 21:12:15 (not sure what TZ that is):
It's also on the master mirror:
So perhaps the mirror you use is outdated?
Hm. I guess it is. For some reason I thought yum had some voodoo black magic to
detect out of date mirrors in this release. Guess not.
Anyway, installed the rpm from the master mirror, and am happy to report that
all looks fine with it.
fail2ban-0.8.0-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.