Bug 241695 - Fix sshd filter to spot attempts to log in as a user not in AllowUsers
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: fail2ban (Show other bugs)
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Axel Thimm
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-05-29 12:43 EDT by Jonathan Underwood
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: 0.8.0-8.fc7
Doc Type: Bug Fix
Last Closed: 2007-06-08 11:58:21 EDT
Attachments
Add regex to allow fail2ban to detect attempts to log in under disallowed usernames (453 bytes, patch)
2007-05-29 12:43 EDT, Jonathan Underwood
Description Jonathan Underwood 2007-05-29 12:43:16 EDT
Description of problem:
As shipped, fail2ban doesn't trigger on messages which correspond to attempted
logins as users which are invalid due to not being listed in AllowUsers in
/etc/ssh/sshd_config. The attached one-line patch fixes this.

Was going to send it upstream, but can't find a mailing list.
Comment 1 Jonathan Underwood 2007-05-29 12:43:16 EDT
Created attachment 155601
Add regex to allow fail2ban to detect attempts to log in under disallowed usernames
Comment 2 Axel Thimm 2007-06-03 04:12:44 EDT
Thanks, I've contacted upstream on this.

I'm not sure whether using fail2ban on AllowUsers controlled setup is really
improving security, as usually you only have a couple of users anyway. But I'll
let upstream decide. :)
Comment 3 Jonathan Underwood 2007-06-03 06:45:53 EDT
Yes. I wondered too. Let me explain my thinking on this - I have sshd running
on a machine with only a couple of users as AllowedUsers. With fail2ban
configured as shipped I can see thousands and thousands of attempts to log in
using various usernames, and they don't trigger fail2ban. Clearly there's a
brute force attempt going on, which if I hadn't set AllowedUsers would have been
detected early and blocked. With the shipped config it will only trigger when
the brute force guesses a username in AllowedUsers. And so AllowedUsers ends up
sort of working in favour of the hacking attempt.

You might argue that sshd should be more consistent in its logging messages in
this case, but since that would be a change in behaviour, I tend to think
fail2ban, which is designed to cope with this, should be configured to do so.

Also, denyhosts is configured to trigger in the manner I describe as desired.

My feeling is - it helps users to have this fix, and doesn't break anything, so
why not do it.
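To make the gap described in comment 3 concrete, here is an added example (not the one-line patch from attachment 155601, which is not reproduced on this page, and not code from the fail2ban package). It runs a shipped-style sshd failregex set and then the same set plus an AllowUsers rejection pattern over a few constructed auth-log lines, tallying failures per source host the way a jail does before it compares against maxretry. Assumptions: the `<HOST>` expansion mirrors the fail2ban 0.8 form, the shipped-style patterns are written to resemble the filter rather than copied from it, and the sshd message "User X from H not allowed because not listed in AllowUsers" is the OpenSSH wording for that rejection.

```python
import re
from collections import Counter

# fail2ban's <HOST> placeholder, expanded in the fail2ban 0.8 style
# (assumption: written to mirror that form, not copied from the package).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Shipped-style sshd failregex lines (constructed to resemble the shipped
# filter, not copied from it). Nothing here matches an AllowUsers rejection.
SHIPPED_FAILREGEX = [
    r"Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"Invalid user .* from <HOST>$",
    r"ROOT LOGIN REFUSED.* FROM <HOST>",
]

# Extra pattern for sshd's AllowUsers rejection message (assumption: the exact
# regex in attachment 155601 is not shown on the page; this is one that fits
# the OpenSSH wording).
ALLOWUSERS_FAILREGEX = [
    r"User \S+ from <HOST> not allowed because not listed in AllowUsers$",
]

# Constructed sample auth log: one host guessing usernames that are not in
# AllowUsers, and one host failing a password for a user that is allowed.
SAMPLE_LOG = [
    "May 29 12:40:03 host sshd[1235]: User oracle from 203.0.113.7 not allowed because not listed in AllowUsers",
    "May 29 12:40:05 host sshd[1236]: User postgres from 203.0.113.7 not allowed because not listed in AllowUsers",
    "May 29 12:40:07 host sshd[1237]: User admin from 203.0.113.7 not allowed because not listed in AllowUsers",
    "May 29 12:41:10 host sshd[1240]: Failed password for jonathan from 198.51.100.9 port 50022 ssh2",
]


def compile_failregex(patterns):
    """Expand <HOST> in each failregex line and compile it, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def failures_per_host(lines, compiled):
    """Count lines matching any failregex, keyed by the captured host."""
    counts = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break  # first matching regex wins, one failure per line
    return counts


def hosts_to_ban(counts, maxretry):
    """Hosts whose failure count reached maxretry (the jail's ban threshold)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


def compare(lines, maxretry=3):
    """Return (shipped_counts, patched_counts) for the same log lines."""
    shipped = failures_per_host(lines, compile_failregex(SHIPPED_FAILREGEX))
    patched = failures_per_host(
        lines, compile_failregex(SHIPPED_FAILREGEX + ALLOWUSERS_FAILREGEX))
    return shipped, patched


if __name__ == "__main__":
    shipped, patched = compare(SAMPLE_LOG)
    print("shipped filter :", dict(shipped), "-> ban", hosts_to_ban(shipped, 3))
    print("with AllowUsers:", dict(patched), "-> ban", hosts_to_ban(patched, 3))
```

With the shipped-style set the guessing host never accumulates a failure, so it is never banned no matter how many usernames it tries; with the extra pattern its three rejections are counted and it crosses a maxretry of 3. The maxretry value is an example parameter, not the jail's default.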
Comment 4 Fedora Update System 2007-06-04 00:12:41 EDT
fail2ban-0.8.0-8.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Axel Thimm 2007-06-04 05:51:49 EDT
OK, comment #3 was more than convincing :)

Jonathan, could you check the update in updates-testing, so I can push it to the
real updates? Thanks!
Comment 6 Jonathan Underwood 2007-06-04 05:57:48 EDT
Happy to. However at work I only have FC6 boxes and I don't see an update in
updates-testing for FC6 - I suspect you've pushed an updates testing for F7
only? I can check that later when I'm at home, where I do have an F7 install.
Comment 7 Axel Thimm 2007-06-04 06:28:24 EDT
For FC6 one can only push directly to the extras repo, updates-testing only
works for core packages (although the updates system will be backported to FC6,
too, just not yet).

The FC6 builds are a day old now, I guess someone will push them today into the
extras repo.
Comment 8 Jonathan Underwood 2007-06-04 18:34:50 EDT
Hm, ok, that's odd. I just did a yum --enablerepo=updates-testing install
fail2ban and it installed fail2ban.noarch 0:0.8.0-7.fc7. I wonder if your bodhi
magic didn't work :)
Comment 9 Axel Thimm 2007-06-04 19:28:00 EDT
Well, bodhi says it's pushed on 2007-06-03 21:12:15 (not sure what TZ that is):

https://admin.fedoraproject.org/updates/testing/F7/fail2ban-0.8.0-8.fc7

It's also on the master mirror:

http://download.fedora.redhat.com/pub/fedora/linux/updates/testing/7/i386/fail2ban-0.8.0-8.fc7.noarch.rpm

So perhaps the mirror you use is outdated?
Comment 10 Jonathan Underwood 2007-06-04 19:37:36 EDT
Hm. I guess it is. For some reason i thought yum had some voodoo black magic to
detect out of date mirrors in this release. Guess not.

Anyway, installed the rpm from the master mirror, and am happy to report that
all looks fine with it.
Comment 11 Fedora Update System 2007-06-08 11:58:17 EDT
fail2ban-0.8.0-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
