On 14/03/2022 07:36, Shamim Shahriar wrote:
Hello

I am using fail2ban on production servers running Alma Linux 8. Our network security scanner is constantly flagging those systems, complaining about outdated/vulnerable python on them. However, if I try to remove that python (with a view to installing a newer version), it removes fail2ban as well, and reinstalling fail2ban re-introduces the removed version of python.

Any idea on the timeline as to when fail2ban is going to be built with newer/supported python?

Below are some of the details from an affected host:
# cat /etc/os-release
NAME="AlmaLinux"
VERSION="8.5 (Arctic Sphynx)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="AlmaLinux 8.5 (Arctic Sphynx)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
ALMALINUX_MANTISBT_PROJECT_VERSION="8.5"
#
#
#
# dnf info fail2ban
Last metadata expiration check: 1:50:27 ago on Fri 11 Mar 2022 10:03:42 GMT.
Installed Packages
Name         : fail2ban
Version      : 0.11.2
Release      : 1.el8
Architecture : noarch
Size         : 0.0
Source       : fail2ban-0.11.2-1.el8.src.rpm
Repository   : @System
From repo    : epel
Summary      : Daemon to ban hosts that cause multiple authentication errors
URL          : http://fail2ban.sourceforge.net/
License      : GPLv2+
Description  : Fail2Ban scans log files and bans IP addresses that makes too many password
             : failures. It updates firewall rules to reject the IP address. These rules can
             : be defined by the user. Fail2Ban can read multiple log files such as sshd or
             : Apache web server ones.
             :
             : Fail2Ban is able to reduce the rate of incorrect authentications attempts
             : however it cannot eliminate the risk that weak authentication presents.
             : Configure services to use only two factor or public/private authentication
             : mechanisms if you really want to protect services.
             :
             : This is a meta-package that will install the default configuration.  Other
             : sub-packages are available to install support for other actions and
             : configurations.
#
#
#
# dnf remove python36
Dependencies resolved.
================================================================================================
 Package     Architecture   Version                                  Repository   Size
================================================================================================
Removing:
 python36    x86_64         3.6.8-38.module_el8.5.0+2569+5c5719bc    @appstream   13 k
Removing dependent packages:
 fail2ban    noarch         0.11.2-1.el8                             @epel        0



Report from scanner

Plugin             : 148367
Plugin Name        : Python Unsupported Version Detection
Severity           : Critical
CVSS V2 Base Score : 10
Repository         : General
Plugin Output      : The following Python installation is unsupported :
                     Path              : /
                     Port              : 80
                     Installed version : 3.6
                     Latest version    : 3.10
                     Support dates     : 2021-12-23 (end of life)

Thank you for your thoughts and input in this matter.

Best regards
SS
Time to change your network scanner or abandon any o/s based on RHEL. You need to understand the RHEL philosophy for stability and security. They freeze an app version, then back-port any security updates necessary into the "older" software, so, if your version of RHEL/Alma/Rocky/Oracle is current, you should be secure. You can investigate particular apps for security patches with command lines like (for Apache) "rpm -q --changelog httpd | grep -i CVE" and so on.

It is the same thing with the kernel which appears to be old but contains all the backported security fixes and stability fixes from upstream.


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
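As an added example (not part of either message in this thread), the changelog check the reply describes, written as reusable POSIX shell functions so that a version-only scanner finding can be compared with what the installed package's changelog actually records as fixed. The package name and CVE id are the caller's input; `installed_package_fixes_cve` assumes `rpm` is present on the host, and the sample changelog below, including its CVE-0000-* ids, is a constructed placeholder rather than a real advisory record.

```shell
#!/bin/sh
# Added example: turn "rpm -q --changelog <pkg> | grep -i CVE" into functions
# that can answer "does the installed package record a fix for this CVE?".
# The sample changelog and its CVE-0000-* ids are constructed placeholders.

# Print the unique CVE identifiers found in changelog text read from stdin,
# normalised to upper case so "cve-..." and "CVE-..." compare equal.
cve_ids_from_changelog() {
    grep -oE '[Cc][Vv][Ee]-[0-9]{4}-[0-9]{4,}' | tr 'a-z' 'A-Z' | sort -u
}

# Count the unique CVE identifiers in changelog text read from stdin.
count_cves_in_changelog() {
    cve_ids_from_changelog | wc -l | tr -d ' '
}

# Exit 0 if the changelog on stdin mentions the CVE id given as $1, else 1.
changelog_mentions_cve() {
    cve_ids_from_changelog | grep -qxF "$1"
}

# Ask the installed package ($1) for its changelog and check it for CVE $2.
# Needs rpm on the host; exits 2 if the package is not installed at all.
installed_package_fixes_cve() {
    pkg=$1
    cve=$2
    rpm -q "$pkg" >/dev/null 2>&1 || return 2
    rpm -q --changelog "$pkg" | changelog_mentions_cve "$cve"
}

# Constructed sample in the layout rpm prints; the ids are placeholders and
# the version string deliberately looks "old", as the reply points out the
# RHEL-family versions do while still carrying backported fixes.
SAMPLE_CHANGELOG='* Mon Jan 10 2022 Example Maintainer <maint@example.invalid> - 3.6.8-38
- Resolves: CVE-0000-0001 - constructed placeholder for a backported fix
- Resolves: cve-0000-0002 - constructed placeholder, lower-case on purpose
- Follow-up to CVE-0000-0001, same id mentioned in a second entry

* Tue Dec 14 2021 Example Maintainer <maint@example.invalid> - 3.6.8-37
- Rebuild, no security content
'

# Demo on the sample (runs without rpm installed): list the recorded fixes,
# then check a single id the way a triage script would.
printf '%s' "$SAMPLE_CHANGELOG" | cve_ids_from_changelog
if printf '%s' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-0000-0002; then
    echo "sample changelog records CVE-0000-0002 as fixed"
fi
```

On a real host the call is `installed_package_fixes_cve python36 CVE-XXXX-YYYY` with the id the scanner cites; an exit status of 0 means the backport is recorded in the package's changelog, 1 that it is not, and 2 that the package is not installed, which is the distinction the version-string comparison in the scanner output above cannot make.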