Your message dated Sat, 16 Nov 2013 22:40:24 -0500 with message-id <[email protected]> and subject line Re: Bug#720625: fail2ban is too aggressive about pam_unix failures has caused the Debian Bug report #720625, regarding fail2ban is too aggressive about pam_unix failures to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
720625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720625
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version: 0.8.7.1-1

The Debian filters for SSH include the following:

^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

If users have configured more than one authentication module in PAM, e.g. pam_unix and pam_ldap, this filter will lead to spurious "failures" being detected: PAM will log the attempt-and-fail of pam_unix, then will move on to the next module (e.g. pam_ldap), which may very well succeed. With this filter in place, I get locked out of my systems after just three _perfectly successful_ login attempts.

For example, here's a successful login in /var/log/auth.log:

Aug 23 22:01:55 tucsbuild001 sshd[48740]: Set /proc/self/oom_score_adj to 0
Aug 23 22:01:55 tucsbuild001 sshd[48740]: Connection from 9.80.89.118 port 36465
Aug 23 22:02:02 tucsbuild001 sshd[48740]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.80.89.118 user=davisk
Aug 23 22:02:02 tucsbuild001 sshd[48740]: Accepted password for davisk from 9.80.89.118 port 36465 ssh2
Aug 23 22:02:02 tucsbuild001 sshd[48740]: pam_unix(sshd:session): session opened for user davisk by (uid=0)
Aug 23 22:02:02 tucsbuild001 sshd[48740]: User child is on pid 48876

Note that the successful pam_ldap module attempt doesn't even appear in the log at all, only the preliminary "failure" from the pam_unix module does.

This bug was noticed on Ubuntu 13.04, but I'm pretty sure the problem is due to a Debian-specific patch, introduced in Debian Bug #648020 [1]. This pattern does not appear to be in the upstream fail2ban source code [2]. I suggest that this pattern be removed from Debian, as well.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648020
[2] https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/sshd.conf
--- End Message ---
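
Added example (not part of the report and not fail2ban's own code): the reported pattern run over the report's log excerpt, showing that a line-by-line match counts one failure per successful login, next to a per-sshd-pid correlation that discards a pam_unix failure once the same process logs "Accepted". PREFIX and HOST are simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> substitutions, correlated_failures is a hypothetical helper for log analysis, and FAILED_LOGIN is a constructed sample.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions) for what fail2ban substitutes for
# %(__prefix_line)s and <HOST>; the real expansions are broader.
PREFIX = r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[(?P<pid>\d+)\]:\s"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex line quoted in the report.
PAM_UNIX_FAIL = re.compile(
    PREFIX + r"(?:pam_unix\(sshd:auth\):\s)?authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost="
    + HOST + r"(?:\s+user=.*)?\s*$")
ACCEPTED = re.compile(PREFIX + r"Accepted \S+ for \S+ from " + HOST + r" port \d+")

# Lines copied from the report: one successful login via a later PAM module.
SUCCESSFUL_LOGIN = """\
Aug 23 22:01:55 tucsbuild001 sshd[48740]: Connection from 9.80.89.118 port 36465
Aug 23 22:02:02 tucsbuild001 sshd[48740]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.80.89.118 user=davisk
Aug 23 22:02:02 tucsbuild001 sshd[48740]: Accepted password for davisk from 9.80.89.118 port 36465 ssh2
"""
# Constructed sample: no module accepts the password (192.0.2.7 is a documentation address).
FAILED_LOGIN = """\
Aug 23 22:05:14 tucsbuild001 sshd[49001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7 user=davisk
Aug 23 22:05:16 tucsbuild001 sshd[49001]: Failed password for davisk from 192.0.2.7 port 40222 ssh2
"""

def naive_failures(log):
    """One failure per matching line, as a line-by-line failregex counts."""
    hits = map(PAM_UNIX_FAIL.match, log.splitlines())
    return Counter(m.group("host") for m in hits if m)

def correlated_failures(log):
    """Count a pam_unix failure only if the same sshd pid never logs 'Accepted'."""
    pending = {}  # pid -> hosts with unresolved pam_unix failures
    for line in log.splitlines():
        if (m := PAM_UNIX_FAIL.match(line)):
            pending.setdefault(m.group("pid"), []).append(m.group("host"))
        elif (m := ACCEPTED.match(line)):
            pending.pop(m.group("pid"), None)  # a later module authenticated the user
    return Counter(h for hosts in pending.values() for h in hosts)

if __name__ == "__main__":
    log = SUCCESSFUL_LOGIN * 3 + FAILED_LOGIN
    print("naive:     ", dict(naive_failures(log)))
    print("correlated:", dict(correlated_failures(log)))
```

Three repetitions of the report's successful login give three counted failures for 9.80.89.118 under the line-by-line match, the count at which the reporter was locked out; the correlated count keeps only the constructed failed session.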
--- Begin Message ---
Version: 0.8.9-1

sorry for the delay

I believe this one was fixed upstream in 0.8.9... so I guess I better prep the patch for the next stable update to remove it there as well:

$> git describe --contains --match 0.8.* bb7628591c124309774d5f4787d2a4f07cf6b906
0.8.9~58^2~9
changes on filesystem:
 debian/changelog | 2 ++

$> git show bb7628591c124309774d5f4787d2a4f07cf6b906
commit bb7628591c124309774d5f4787d2a4f07cf6b906
Author: Orion Poplawski <[email protected]>
Date: Fri Jan 18 14:44:49 2013 -0700

    Update config/filter.d/sshd.conf

    Do not trigger sshd bans on pam_unix authentication failures, this will trigger on successful logins on systems that use non-pam_unix authentication (sssd, ldap, etc.).

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 8861595..e4339c7 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf 
@@ -30,7 +30,6 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$ - ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

On Fri, 23 Aug 2013, Karl M. Davis wrote:

> Package: fail2ban
> Version: 0.8.7.1-1
> The Debian filters for SSH include the following:
> ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication
> failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S*
> rhost=<HOST>(?:\s+user=.*)?\s*$
> If users have configured more than one authentication module in PAM, e.g.
> pam_unix and pam_ldap, this filter will lead to spurious "failures" being
> detected: PAM will log the attempt-and-fail of pam_unix, then will move on to
> the next module (e.g. pam_ldap), which may very well succeed. With this
> filter in place, I get locked out of my systems after just three _perfectly
> successful_ login attempts.
> For example, here's a successful login in /var/log/auth.log:
> Aug 23 22:01:55 tucsbuild001 sshd[48740]: Set /proc/self/oom_score_adj to 0
> Aug 23 22:01:55 tucsbuild001 sshd[48740]: Connection from 9.80.89.118 port
> 36465
> Aug 23 22:02:02 tucsbuild001 sshd[48740]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=9.80.89.118 user=davisk
> Aug 23 22:02:02 tucsbuild001 sshd[48740]: Accepted password for davisk from
> 9.80.89.118 port 36465 ssh2
> Aug 23 22:02:02 tucsbuild001 sshd[48740]: pam_unix(sshd:session): session
> opened for user davisk by (uid=0)
> Aug 23 22:02:02 tucsbuild001 sshd[48740]: User child is on pid 48876
> Note that the successful pam_ldap module attempt doesn't even appear in the
> log at all, only the preliminary "failure" from the pam_unix module does.
> This bug was noticed on Ubuntu 13.04, but I'm pretty sure the problem is due
> to a Debian-specific patch, introduced in Debian Bug #648020 [1]. This
> pattern does not appear to be in the upstream fail2ban source code [2]. I
> suggest that this pattern be removed from Debian, as well.
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648020
> [2] https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/sshd.conf

-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
--- End Message ---
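
Review bot: The pam_unix(sshd:auth) line removed from the failregex list at @@ -30,7 +30,6 @@ leaves nothing in sshd.conf telling a later maintainer why it must stay out, and the report says it arrived through a Debian-specific patch, so it can return the same way. Suggest a short comment at that position noting that pam_unix logs "authentication failure" before a later PAM module (sssd, ldap) accepts the login, plus the reporter's successful-login excerpt as a regression sample that must yield no match. The commit message could also state which of the remaining patterns still catches a failed password on hosts that authenticate only through pam_unix, since the visible context lines (the first of them cut off at "fro") do not show it.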

