
Bug 260337

Summary: net-analyzer/fail2ban-0.8.4: sshd.conf regex not matching recent sshd output
Product: Gentoo Linux
Reporter: Robert Trace <bugzilla-gentoo>
Component: Current packages
Assignee: Gentoo Netmon project <netmon>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Fix sshd.conf regex

Description Robert Trace 2009-02-26 05:30:05 UTC
fail2ban's regex for "POSSIBLE BREAK-IN ATTEMPT" isn't quite matching sshd's output.  I know that it's incorrect for openssh at least 5.1.  I assume the message changed somewhere prior to 5.1.

fail2ban's regex is "Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT"

And sshd says "reverse mapping checking getaddrinfo for <hostname> [<ip>] failed - POSSIBLE BREAK-IN ATTEMPT!"

I don't think upstream has hit this yet, but Debian has encountered it (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512193) and the fix is in their bugtracker.  I'll attach their fix here as well.


Reproducible: Always

Steps to Reproduce:
1. run fail2ban >= 0.8.2 and openssh >= 5.1
2. Make sshd emit a "POSSIBLE BREAK-IN ATTEMPT!" message

Actual Results:  
fail2ban fails to ban the offending host. :-)

Expected Results:  
fail2ban should ban the host causing sshd to emit above messages.
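
The mismatch described in this report, as an added example (not part of the bug report, and not the attached Debian/Gentoo patch): it runs the quoted failregex over both sshd message formats and shows that only the older one yields a host to ban. The IPv4-only `<HOST>` expansion, the second pattern `NEW_FAILREGEX`, and the log lines are assumptions constructed for illustration.

```python
import re

# Simplified, IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# expansion used by a given fail2ban release may differ).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex quoted in the bug report.
OLD_FAILREGEX = r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT"

# Illustrative pattern for the message quoted in the report (hypothetical,
# not the attached patch). It captures the bracketed address written by sshd,
# not the hostname, which comes from a PTR record the remote side may control.
NEW_FAILREGEX = (r"reverse mapping checking getaddrinfo for .* \[<HOST>\] "
                 r"failed - POSSIBLE BREAK-IN ATTEMPT!\s*$")

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    "Feb 26 05:12:01 gw sshd[4211]: Address 192.0.2.10 maps to host.example.net, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb 26 05:12:09 gw sshd[4215]: reverse mapping checking getaddrinfo for "
    "host.example.org [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb 26 05:12:15 gw sshd[4219]: Accepted publickey for alice from "
    "203.0.113.5 port 50022 ssh2",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def offending_hosts(failregexes, log_lines):
    """Return the host captured from each line that matches any failregex."""
    compiled = [compile_failregex(rx) for rx in failregexes]
    hosts = []
    for line in log_lines:
        for rx in compiled:
            match = rx.search(line)
            if match:
                hosts.append(match.group("host"))
                break  # one hit per log line is enough
    return hosts


if __name__ == "__main__":
    print("old filter only:", offending_hosts([OLD_FAILREGEX], SAMPLE_LOG))
    print("with new pattern:",
          offending_hosts([OLD_FAILREGEX, NEW_FAILREGEX], SAMPLE_LOG))
```

Running a filter against captured sshd log lines in this way after each OpenSSH upgrade shows when a message format has drifted away from the filter.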
Comment 1 Robert Trace 2009-02-26 05:30:57 UTC
Created attachment 183217
Fix sshd.conf regex
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-02-26 14:37:36 UTC
Reassigning to netmon herd.
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-11-03 21:46:11 UTC
0.8.3 is no longer on tree
Comment 4 Robert Trace 2010-11-03 23:19:32 UTC
Still relevant for 0.8.4.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-11-05 15:01:17 UTC
+*fail2ban-0.8.4-r1 (05 Nov 2010)
+
+  05 Nov 2010; Markos Chandras <hwoarang@gentoo.org>
+  +files/fail2ban-0.8.4-hashlib.patch, files/fail2ban-logrotate,
+  +fail2ban-0.8.4-r1.ebuild, +files/fail2ban-0.8.4-sshd-breakin.patch:
+  Bugfix revision. Fixes bug 260337,283629,301139,315073,343955. Thanks to
+  Robert Trace <bugzilla-gentoo@farcaster.org>, Harley Peters
+  <harley@thepetersclan.com> for the patches.
+
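Review bot: The summary line "Bugfix revision. Fixes bug 260337,283629,301139,315073,343955." lists five bugs against four touched files without saying which file addresses which bug. Tie each bug number to its change (for instance, state which bug files/fail2ban-0.8.4-sshd-breakin.patch resolves) so the sshd regex fix can be traced from the ChangeLog alone. Adding a space after each comma in the bug list would also make it easier to read.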