Bug 260337 - net-analyzer/fail2ban-0.8.4: sshd.conf regex not matching recent sshd output
Summary: net-analyzer/fail2ban-0.8.4: sshd.conf regex not matching recent sshd output
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Netmon project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-02-26 05:30 UTC by Robert Trace
Modified: 2010-11-05 15:01 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix sshd.conf regex (sshd-breakin.patch,746 bytes, patch)
2009-02-26 05:30 UTC, Robert Trace

Description Robert Trace 2009-02-26 05:30:05 UTC
fail2ban's regex for "POSSIBLE BREAK-IN ATTEMPT" isn't quite matching sshd's output.  I know that it's incorrect for openssh at least 5.1.  I assume the message changed somewhere prior to 5.1.

fail2ban's regex is "Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT"

And sshd says "reverse mapping checking getaddrinfo for <hostname> [<ip>] failed - POSSIBLE BREAK-IN ATTEMPT!"

I don't think upstream has hit this yet, but Debian has encountered it (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512193) and the fix is in their bugtracker.  I'll attach their fix here as well.


Reproducible: Always

Steps to Reproduce:
1. run fail2ban >= 0.8.2 and openssh >= 5.1
2. Make sshd emit a "POSSIBLE BREAK-IN ATTEMPT!" message

Actual Results:  
fail2ban fails to ban the offending host. :-)

Expected Results:  
fail2ban should ban the host causing sshd to emit above messages.
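The mismatch the report describes can be checked without running fail2ban or sshd. The following is an added example, not code from the bug report, the attached patch or fail2ban itself: it expands the <HOST> tag the way fail2ban 0.8.x does (the HOST_TAG pattern is reproduced from memory and is an assumption), runs the old failregex quoted above and a candidate replacement over constructed log lines, and returns the host each pattern extracts. The replacement regex is illustrative and is not claimed to be identical to the attached patch or to the Debian fix; compare it against those before use. The second sample line is the other form sshd emits for the same check ("Address X maps to Y, but this does not map back to the address"), which the old regex does match, so a filter that only swaps one regex for the other loses coverage of that form.

```python
import re

# Constructed sample lines in syslog format; not taken from a real log.
LINE_GETADDRINFO = (
    "Feb 26 05:30:05 host sshd[12345]: reverse mapping checking getaddrinfo "
    "for example.invalid [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!"
)
LINE_MAPS_TO = (
    "Feb 26 05:30:06 host sshd[12346]: Address 203.0.113.7 maps to "
    "example.invalid, but this does not map back to the address - "
    "POSSIBLE BREAK-IN ATTEMPT!"
)
LINE_UNRELATED = "Feb 26 05:30:07 host sshd[12347]: Accepted publickey for alice from 198.51.100.2"

# What fail2ban 0.8.x substitutes for the <HOST> tag (assumption: reproduced
# from memory of fail2ban's filter code; exact IPv6 prefix handling may vary).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The regex shipped in sshd.conf as quoted in the bug report.
OLD_FAILREGEX = r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT"

# Hypothetical replacement for the getaddrinfo form of the message; it is
# an illustration here, not the text of the attached patch.
NEW_FAILREGEX = (
    r"reverse mapping checking getaddrinfo for \S+ \[<HOST>\] failed - "
    r"POSSIBLE BREAK-IN ATTEMPT!"
)


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def extract_host(failregex, line):
    """Return the host a failregex would hand to the ban action, or None."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def hosts_to_ban(failregexes, lines):
    """Emulate a filter with several failregex lines: any match bans the host."""
    compiled = [compile_failregex(r) for r in failregexes]
    banned = set()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                banned.add(m.group("host"))
                break
    return banned


if __name__ == "__main__":
    for name, rx in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        print(name, "getaddrinfo form ->", extract_host(rx, LINE_GETADDRINFO))
        print(name, "maps-to form     ->", extract_host(rx, LINE_MAPS_TO))
    print("both regexes ->", hosts_to_ban([OLD_FAILREGEX, NEW_FAILREGEX],
                                           [LINE_GETADDRINFO, LINE_MAPS_TO, LINE_UNRELATED]))
```

The old regex extracts nothing from the getaddrinfo line, which is exactly the failure reported; keeping both patterns in the filter covers both message forms, and the unrelated "Accepted publickey" line is left alone.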
Comment 1 Robert Trace 2009-02-26 05:30:57 UTC
Created attachment 183217 [details, diff]
Fix sshd.conf regex
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-02-26 14:37:36 UTC
Reassigning to netmon herd.
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-11-03 21:46:11 UTC
0.8.3 is no longer on tree
Comment 4 Robert Trace 2010-11-03 23:19:32 UTC
Still relevant for 0.8.4.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-11-05 15:01:17 UTC
+*fail2ban-0.8.4-r1 (05 Nov 2010)
+
+  05 Nov 2010; Markos Chandras <hwoarang@gentoo.org>
+  +files/fail2ban-0.8.4-hashlib.patch, files/fail2ban-logrotate,
+  +fail2ban-0.8.4-r1.ebuild, +files/fail2ban-0.8.4-sshd-breakin.patch:
+  Bugfix revision. Fixes bug 260337,283629,301139,315073,343955. Thanks to
+  Robert Trace <bugzilla-gentoo@farcaster.org>, Harley Peters
+  <harley@thepetersclan.com> for the patches.
+