Package: fail2ban
Version: 0.10.2-2.1
Followup-For: Bug #873845
Dear Maintainer,
This attack is in active use right now and this TWO-YEAR-OLD bug is
preventing fail2ban from doing anything about it!
Jul 19 06:59:33 amibe sshd[32728]: Did not receive identification string from 47.96.156.238 port 54886
Jul 19 07:00:21 amibe sshd[1320]: Invalid user nathan from 47.96.156.238 port 58080
Jul 19 07:00:21 amibe sshd[1320]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.96.156.238
Jul 19 07:00:23 amibe sshd[1320]: Failed password for invalid user nathan from 47.96.156.238 port 58080 ssh2
Jul 19 07:10:29 amibe sshd[6777]: Connection closed by 47.96.156.238 port 43090 [preauth]
The current OpenSSH server may not be vulnerable to this attack but this
is a missed opportunity for blocking the attacker before it switches to
plain password scanning as shown above.
And yet the fix is very simple; just allow the presence of the source
port at the end of the log line:
(from /etc/fail2ban/filter.d/sshd.conf)
mdre-ddos = ^Did not receive identification string from <HOST>%(__suff)s%(__on_port_opt)s$
Note that __on_port_opt matches 0 or more characters so this does not
prevent the regexp from matching log lines that don't include the source
port number.
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages fail2ban depends on:
ii lsb-base 10.2019051400
ii python3 3.7.3-1
Versions of packages fail2ban recommends:
ii iptables 1.8.2-4
ii nftables 0.9.0-2
ii python 2.7.16-1
ii python3-pyinotify 0.9.6-1
ii python3-systemd 234-2+b1
ii whois 5.4.3
Versions of packages fail2ban suggests:
ii bsd-mailx [mailx] 8.1.2-0.20180807cvs-1
ii mailutils [mailx] 1:3.5-3
pn monit <none>
ii rsyslog [system-log-daemon] 8.1901.0-1
ii sqlite3 3.27.2-3
-- Configuration Files:
/etc/fail2ban/fail2ban.conf changed:
[Definition]
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 7d
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[DEFAULT]
_daemon = sshd
__pref = (?:(?:error|fatal): (?:PAM: )?)?
__suff = (?: \[preauth\])?\s*
__on_port_opt = (?: port \d+)?(?: on \S+(?: port \d+)?)?
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
[Definition]
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$
cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
    ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
    ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
    ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
    ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
    ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
    ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
    ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
    ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
    ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
    ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
    ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
    ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
    ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
    ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
    ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
    ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
    ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
    ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
    ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
mdre-normal =
mdre-ddos = ^Did not receive identification string from <HOST>%(__suff)s%(__on_port_opt)s$
    ^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>%(__on_port_opt)s%(__suff)s
    ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
    ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer%(__suff)s
mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$
    ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
    ^Unable to negotiate a <__alg_match>%(__suff)s$
    ^no matching <__alg_match> found:
mdre-aggressive = %(mdre-ddos)s
    %(mdre-extra)s
cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
failregex = %(cmnfailre)s
    <mdre-<mode>>
    %(cfooterre)s
mode = normal
ignoreregex =
maxlines = 1
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
datepattern = {^LN-BEG}
-- no debconf information
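As an added example, not part of this report or of fail2ban itself: the Python script below emulates fail2ban's %(name)s interpolation and its <HOST> tag (a simplified IPv4-only stand-in, an assumption, as is the syslog-prefix regex that stands in for prefregex) and runs the pre-fix mdre-ddos pattern (assumed to be the same line without %(__on_port_opt)s) beside the fixed line from the report over the quoted "Did not receive identification string" log line plus constructed variants, showing that the fixed pattern matches the port-suffixed line while still matching lines without a port.

```python
import re

# Constructed sample log lines: the first and last are the ones quoted in this
# report; the middle three are constructed variants (RFC 5737 documentation addresses).
LOG_LINES = [
    "Jul 19 06:59:33 amibe sshd[32728]: Did not receive identification string from 47.96.156.238 port 54886",
    "Jul 19 06:59:40 amibe sshd[32730]: Did not receive identification string from 192.0.2.10",
    "Jul 19 06:59:41 amibe sshd[32731]: Did not receive identification string from 198.51.100.7 [preauth]",
    "Jul 19 06:59:45 amibe sshd[32733]: Did not receive identification string from 203.0.113.5 port 2222 on 10.0.0.1 port 22",
    "Jul 19 07:00:23 amibe sshd[1320]: Failed password for invalid user nathan from 47.96.156.238 port 58080 ssh2",
]

# Values copied from the sshd.conf [DEFAULT] section in this report.
SUBS = {
    "__suff": r"(?: \[preauth\])?\s*",
    "__on_port_opt": r"(?: port \d+)?(?: on \S+(?: port \d+)?)?",
}
# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-in for the syslog prefix that fail2ban's prefregex strips (assumption).
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<content>.*)$")


def expand(pattern):
    """Emulate fail2ban's %(name)s interpolation and <HOST> substitution."""
    return re.compile((pattern % SUBS).replace("<HOST>", HOST))


# Assumed pre-fix form (no source port allowed) versus the fixed line from the report.
OLD_DDOS = expand(r"^Did not receive identification string from <HOST>%(__suff)s$")
NEW_DDOS = expand(r"^Did not receive identification string from <HOST>%(__suff)s%(__on_port_opt)s$")


def match_host(regex, line):
    """Return the offending host if the line matches the ddos pattern, else None."""
    m = PREFIX.match(line)
    if not m:
        return None
    m = regex.match(m.group("content"))
    return m.group("host") if m else None


def matched_hosts(regex, lines):
    """Hosts fail2ban would count a failure for under this pattern, in log order."""
    return [h for h in (match_host(regex, line) for line in lines) if h]


if __name__ == "__main__":
    for name, regex in (("pre-fix", OLD_DDOS), ("fixed", NEW_DDOS)):
        print(name, matched_hosts(regex, LOG_LINES))
```

Because __on_port_opt is entirely optional and \s* in __suff backtracks, the fixed pattern matches lines with a bare address, with "[preauth]", with "port N", and with "port N on ADDR port M".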