Bug 213733 - net-analyzer/fail2ban-0.8.0-r1: sshd 'failregex' catches extra messages added by "DenyUsers" in sshd_config
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Netmon project
Reported: 2008-03-17 19:45 UTC by Stephen Allen
Modified: 2010-03-11 16:29 UTC
Description Stephen Allen 2008-03-17 19:45:05 UTC
When using "Allow/Deny Users" in sshd_config, the extra message added to syslog to indicate an invalid user increases the maxretry failure count even though a failure hasn't yet occurred.

Below is the output of a connection attempt where "maxretry" is set to 6 (which I assume means 6 failures are allowed, and the 7th failure triggers the ban).  The extra lines added by sshd when an invalid user *attempts* to make a connection are marked with >>>.  The result is that the IP is banned on the 5th failure (rather than the 7th).


>>> Mar 17 19:25:13 host sshd[3515]: Invalid user banana from 192.168.1.4

Mar 17 19:25:15 host sshd[3517]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:15 host sshd[3517]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:17 host sshd[3515]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:17 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:18 host sshd[3518]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:18 host sshd[3518]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:20 host sshd[3515]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:20 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:21 host sshd[3519]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:21 host sshd[3519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:23 host sshd[3515]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:23 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2

>>> Mar 17 19:25:24 host sshd[3520]: Invalid user banana from 192.168.1.4

Mar 17 19:25:26 host sshd[3522]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:26 host sshd[3522]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:28 host sshd[3520]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:28 host sshd[3520]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 60967 ssh2
Mar 17 19:25:29 host sshd[3523]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 19:25:29 host sshd[3523]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.4
Mar 17 19:25:31 host sshd[3520]: error: PAM: Authentication failure for illegal user banana from 192.168.1.4
Mar 17 19:25:31 host sshd[3520]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 60967 ssh2

Reproducible: Always

Steps to Reproduce:
1. Set "DenyUsers" in /etc/ssh/sshd_config, then attempt to login with that user.
2. Set "maxretry 6" in the [ssh-iptables] section of /etc/fail2ban/jail.conf
3. Try to login as banned user
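
The counting effect described in this report, reproduced as an added example (not part of the original report and not fail2ban's code). The two patterns are illustrative assumptions rather than the failregex shipped with fail2ban, the trigger of 7 follows the reporter's reading of "maxretry 6", and the log is condensed from the report (pam_unix and "error: PAM" lines omitted).

```python
import re

# Illustrative patterns (assumptions, not fail2ban's shipped failregex).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"sshd\[\d+\]: "
FAILED = re.compile(PREFIX + r"Failed [-/\w]+ for .* from " + HOST + r" port \d+ ssh2$")
INVALID = re.compile(PREFIX + r"Invalid user \S+ from " + HOST + r"$")

# Condensed from the log in the report; only the sshd summary lines are kept.
LOG = """\
Mar 17 19:25:13 host sshd[3515]: Invalid user banana from 192.168.1.4
Mar 17 19:25:17 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:20 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:23 host sshd[3515]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 57394 ssh2
Mar 17 19:25:24 host sshd[3520]: Invalid user banana from 192.168.1.4
Mar 17 19:25:28 host sshd[3520]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 60967 ssh2
Mar 17 19:25:31 host sshd[3520]: Failed keyboard-interactive/pam for invalid user banana from 192.168.1.4 port 60967 ssh2
""".splitlines()

TRIGGER = 7  # reporter's reading of "maxretry 6": the 7th counted event bans


def failures_at_trigger(lines, patterns, trigger):
    """Return (host, real_failures) at the moment a host's match counter
    reaches `trigger`, or None if no host ever reaches it."""
    counted = {}   # host -> lines matched by any pattern
    failures = {}  # host -> lines matched by FAILED only (real failures)
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if not m:
                continue
            host = m.group("host")
            counted[host] = counted.get(host, 0) + 1
            if pat is FAILED:
                failures[host] = failures.get(host, 0) + 1
            if counted[host] == trigger:
                return host, failures.get(host, 0)
            break  # a line is counted at most once
    return None


if __name__ == "__main__":
    # Counting "Invalid user" lines: trigger reached after only 5 real failures.
    print(failures_at_trigger(LOG, [FAILED, INVALID], TRIGGER))
    # Counting only "Failed ..." lines: 5 matches, trigger not reached.
    print(failures_at_trigger(LOG, [FAILED], TRIGGER))
```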
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-11 16:29:25 UTC
Please reopen this bug report if the problem persists in the current versions.