Your message dated Thu, 02 May 2024 20:34:53 +0000
with message-id <e1s2d8n-003w0n...@fasolo.debian.org>
and subject line Bug#1038779: fixed in fail2ban 1.1.0-1
has caused the Debian Bug report #1038779,
regarding fail2ban: Filter for invalid pubkey authentication does not match
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1038779: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038779
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fail2ban
Version: 0.11.2-2
Severity: important
Tags: patch

Dear Maintainer,

fail2ban did not block logins using an invalid pubkey.

I checked the sshd filter and the default regex does not match with the actual 
line when trying to login via ssh with an invalid pubkey.

Attached you'll find the updated filter for "cmnfailre-failed-pub-invalid", 
after that update the filter works as expected.

This issue concerns Debian 11 and Debian 12 as well.

Best regards
Daniel


-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  11.1.0
ii  python3   3.9.2-3

Versions of packages fail2ban recommends:
ii  nftables           0.9.8-3.1+deb11u1
ii  python3-pyinotify  0.9.6-1.3
ii  python3-systemd    234-3+b4
pn  whois              <none>

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20180807cvs-2
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.2102.0-2+deb11u1
pn  sqlite3                      <none>

-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[DEFAULT]
_daemon = sshd
__pref = (?:(?:error|fatal): (?:PAM: )?)?
__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.*?</F-USER>)?
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
__pam_auth = pam_[a-z]+
[Definition]
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$
cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>%(__suff)s$
            <cmnfailre-failed-pub-<publickey>>
            ^Failed <cmnfailed> for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not in any group%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
            ^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$
            ^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
            ^Disconnecting: Too many authentication failures(?: for <F-USER>\S+|.*?</F-USER>)?%(__suff)s$
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
            <mdre-<mode>-other>
            ^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
cmnfailed-any = \S+
cmnfailed-ignore = \b(?!publickey)\S+
cmnfailed-invalid = <cmnfailed-ignore>
cmnfailed-nofail = (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+)
cmnfailed = <cmnfailed-<publickey>>
mdre-normal =
mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
mdre-ddos = ^Did not receive identification string from <HOST>
            ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
            ^Bad protocol version identification '.*' from <HOST>
            ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
            ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
            ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
            ^Unable to negotiate a <__alg_match>
            ^no matching <__alg_match> found:
mdre-extra-other = ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$
mdre-aggressive = %(mdre-ddos)s
                  %(mdre-extra)s
mdre-aggressive-other = %(mdre-ddos-other)s
publickey = nofail
cmnfailre-failed-pub-invalid = ^Failed publickey for <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
cmnfailre-failed-pub-any =
cmnfailre-failed-pub-nofail = <cmnfailre-failed-pub-invalid>
cmnfailre-failed-pub-ignore =
cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
failregex = %(cmnfailre)s
            <mdre-<mode>>
            %(cfooterre)s
mode = normal
ignoreregex = 
maxlines = 1
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd


-- no debconf information

--- End Message ---
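
Added example, not part of the original report or of the fail2ban package: a check of the reported cmnfailre-failed-pub-invalid pattern against constructed sshd messages, to see which "Failed publickey" lines it counts and what it captures as user and host. The expand() helper, the IPv4-only <HOST> stand-in, the sample lines and the STOCK_ASSUMED pattern (the same regex anchored on "invalid user ", assumed here to be the form the report replaces; it is not shown in the report) are assumptions of this example.

```python
import re

# Simplified stand-ins for fail2ban's tag expansion (assumptions of this example):
# <HOST> is reduced to an IPv4 literal, <F-USER>...</F-USER> to a named group.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
ON_PORT_OPT = r"(?: (?:port \d+|on \S+)){0,2}"  # __on_port_opt from the filter

def expand(failregex):
    """Turn a fail2ban-style failregex into a compiled Python pattern."""
    rx = failregex.replace("%(__on_port_opt)s", ON_PORT_OPT)
    rx = rx.replace("<F-USER>", "(?P<user>").replace("</F-USER>", ")")
    return re.compile(rx.replace("<HOST>", HOST))

# cmnfailre-failed-pub-invalid as it appears in the reported sshd.conf.
REPORTED = expand(
    r"^Failed publickey for <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER>"
    r" from <HOST>%(__on_port_opt)s(?: ssh\d*)?"
    r"(?(cond_user): |(?:(?:(?! from ).)*)$)")

# Assumed stock form (not shown in the report): identical, but it only
# accepts lines that say "invalid user" before the user name.
STOCK_ASSUMED = expand(
    r"^Failed publickey for invalid user "
    r"<F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER>"
    r" from <HOST>%(__on_port_opt)s(?: ssh\d*)?"
    r"(?(cond_user): |(?:(?:(?! from ).)*)$)")

# Constructed sshd messages, as they look after prefregex strips the syslog prefix.
SAMPLES = [
    "Failed publickey for root from 192.0.2.10 port 51234 ssh2: RSA SHA256:CONSTRUCTED",
    "Failed publickey for invalid user admin from 192.0.2.11 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED",
    "Accepted publickey for alice from 192.0.2.12 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED",
]

def check(pattern, line):
    """Return (user, host) if the pattern counts the line as a failure, else None."""
    m = pattern.search(line)
    return (m.group("user"), m.group("host")) if m else None

if __name__ == "__main__":
    for line in SAMPLES:
        print(check(STOCK_ASSUMED, line), check(REPORTED, line), "<-", line)
```

With the reported pattern the user capture for an unknown account includes the literal words "invalid user", which matters if the user field is used in ban actions or reports.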
--- Begin Message ---
Source: fail2ban
Source-Version: 1.1.0-1
Done: Sylvestre Ledru <sylves...@debian.org>

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1038...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru <sylves...@debian.org> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 02 May 2024 13:57:06 +0200
Source: fail2ban
Architecture: source
Version: 1.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Sylvestre Ledru <sylves...@debian.org>
Closes: 1038779
Changes:
 fail2ban (1.1.0-1) unstable; urgency=medium
 .
   * New upstream release
     (LP: #2055114)
   * Block ssh invalid keys too (Closes: #1038779)
   * Follow upstream advice
     https://github.com/fail2ban/fail2ban/issues/3292#issuecomment-2078361360
     to only have sshd as enabled = true in jail.d_defaults-debian.conf
   * Update lintian override info format in d/source/lintian-overrides on line 
1-2.
   * Update standards version to 4.6.2, no changes needed.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
