
Bug#514163: marked as forwarded (fail2ban: Included wuftpd.conf matches reverse DNS rather than IP)

Subject: Bug#514163: marked as forwarded fail2ban: Included wuftpd.conf matches reverse DNS rather than IP
From: Debian Bug Tracking System
Date: Wed, 04 Feb 2009 21:06:22 +0000
Your message dated Wed, 4 Feb 2009 15:49:47 -0500
with message-id <[email protected]>
has caused the report #514163,
regarding fail2ban: Included wuftpd.conf matches reverse DNS rather than IP
to be marked as having been forwarded to the upstream software
author(s) Cyril Jaquier <[email protected]>

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
514163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514163
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: Re: Bug#514163: fail2ban: Included wuftpd.conf matches reverse DNS rather than IP
From: Yaroslav Halchenko
Date: Wed, 4 Feb 2009 15:49:47 -0500
O man,

THANKS!

let me postpone dealing with wuftpd for now... just the issue of IP
that is bad... it is a security hazard and makes it easy to perform DoS
attacks... forwarding it upstream.

To replicate it in a matter of seconds, try

fail2ban-regex "Feb  4 14:55:01 washoe CRON[679]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn" "\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$"

proper IP should be 218.241.97.60 not 26.232.125.75

Tentative fix is in my git repository:

http://git.onerussian.com/?p=deb/fail2ban.git;a=shortlog;h=refs/heads/up/fix_searchIP

it is as simple as attached patch

there are two commits though -- one is the actual fix, one adds a unittest for it.

If Cyril confirms that it is indeed that bad, I will immediately raise
the severity of the bug.  If Cyril agrees on my fix (it needs proper
testing), I will upload a Debian package and seek the ability to upload
it into lenny (and etch), since it is RC.

btw -- Cyril, am I doing something wrong, or is the unittest battery not
maintained? ;)

running 
PYTHONPATH=. ./fail2ban-testcases

gives me 
FAILED (failures=3, errors=4)

so, to run only my unittest you can use nosetests and run from testcases
directory:

PYTHONPATH=.. nosetests -s filtertestcase:DNSUtilsTests


On Wed, 04 Feb 2009, Chris Butler wrote:

> Package: fail2ban
> Version: 0.7.5-2etch1
> Severity: normal

> The '/etc/fail2ban/filter.d/wuftpd.conf' file shipped in the package
> contains a regex which matches the error message generated by PAM:

> failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$

> The problem is that the value of 'rhost' is the resolved reverse DNS entry
> for the remote host. Also, fail2ban's checking of the <HOST> entry stops
> after it finds a valid IP address. I noticed this thanks to the following
> log entries:

>  (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn

> That reverse DNS entry actually comes from 125.75.232.26, but fail2ban took
> the beginning of that string and banned the IP address 26.232.125.75.

> The attached patch changes the regexp to one that matches the log message
> generated by wu-ftpd itself, which contains the unresolved IP address of the
> remote host. Note that this message is by default written to syslog and not
> auth.log.

> -- System Information:
> Debian Release: 4.0
>   APT prefers stable
>   APT policy: (900, 'stable'), (200, 'testing'), (100, 'experimental')
> Architecture: amd64 (x86_64)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-6-amd64
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: 
> LC_ALL set to en_GB.UTF-8)

> Versions of packages fail2ban depends on:
> ii  iptables                1.3.6.0debian1-5 administration tools for packet fi
> ii  lsb-base                3.1-23.2etch1    Linux Standard Base 3.1 init scrip
> ii  python                  2.4.4-2          An interactive high-level object-o
> ii  python-central          0.5.12           register and build utility for Pyt
> ii  python2.4               2.4.4-3+etch2    An interactive high-level object-o

> fail2ban recommends no packages.

> -- no debconf information
-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        

Attachment: 0001-BF-anchoring-regex-for-IP-with-at-the-end.patch
Description: Text Data


--- End Message ---
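An added illustration of the defect discussed in this thread (not code from fail2ban or from the attached patch): an unanchored IPv4 search over the rhost token picks the dotted prefix of a reverse-DNS name and would ban an unrelated address, while an anchored match only accepts a token that is an IP address in its entirety and otherwise falls through to resolution. The failregex, the sample log line and the resolver mapping below are constructed from the report; the function names are illustrative.

```python
import re
import socket

# Constructed sample in the shape of the reported log line (not captured live).
SAMPLE_LINE = ("Feb  4 14:55:01 washoe CRON[679]: (pam_unix) authentication failure; "
               "logname= uid=0 euid=0 tty= ruser= "
               "rhost=26.232.125.75.gs.dynamic.163data.com.cn")

# The thread's failregex with <HOST> expanded to a named group (illustrative).
FAILREGEX = r"\s+\(pam_unix\)\s+authentication failure.* rhost=(?P<host>\S+)$"

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def extract_host(line):
    """Return the <HOST> token of a matching line, or None."""
    m = re.search(FAILREGEX, line)
    return m.group("host") if m else None


def search_ip_unanchored(token):
    """The defect: the first IPv4-looking substring anywhere in the token wins."""
    m = re.search(IPV4, token)
    return m.group(0) if m else None


def search_ip_anchored(token):
    """The fixed behaviour: the whole token must be an IPv4 address."""
    m = re.match(r"^" + IPV4 + r"$", token)
    return m.group(0) if m else None


def host_to_ban(token, resolver=socket.gethostbyname):
    """Decide what to ban: a literal IP only if the token is one, else resolve it.

    `resolver` is injectable so the decision can be exercised offline; an
    unresolvable name yields None rather than a guessed address.
    """
    ip = search_ip_anchored(token)
    if ip is not None:
        return ip
    try:
        return resolver(token)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None
```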