Bug#1038779: fail2ban: Filter for invalid pubkey authentication does not match

2023-06-23 Thread Daniel von Obernitz

Hi Sylvestre,

I have just submitted the PR.

Best regards
Daniel


On Wed, 21 Jun 2023 14:55:22 +0200 Sylvestre Ledru wrote:

Hello

could you please submit a PR on 
https://salsa.debian.org/python-team/packages/fail2ban/ ?


thanks

Sylvestre






Bug#1038779: fail2ban: Filter for invalid pubkey authentication does not match

2023-06-21 Thread Sylvestre Ledru

Hello

could you please submit a PR on 
https://salsa.debian.org/python-team/packages/fail2ban/ ?


thanks

Sylvestre


On 21/06/2023 at 12:17, Daniel von Obernitz wrote:

Package: fail2ban
Version: 0.11.2-2
Severity: important
Tags: patch

Dear Maintainer,

fail2ban did not block logins using an invalid pubkey.

I checked the sshd filter and the default regex does not match the actual 
line when trying to log in via ssh with an invalid pubkey.

Attached you'll find the updated filter for "cmnfailre-failed-pub-invalid"; 
after that update the filter works as expected.

This issue concerns Debian 11 and Debian 12 as well.

Best regards
Daniel


Bug#1038779: fail2ban: Filter for invalid pubkey authentication does not match

2023-06-21 Thread Daniel von Obernitz
Package: fail2ban
Version: 0.11.2-2
Severity: important
Tags: patch

Dear Maintainer,

fail2ban did not block logins using an invalid pubkey.

I checked the sshd filter and the default regex does not match the actual 
line when trying to log in via ssh with an invalid pubkey.

Attached you'll find the updated filter for "cmnfailre-failed-pub-invalid"; 
after that update the filter works as expected.

This issue concerns Debian 11 and Debian 12 as well.

Best regards
Daniel


-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 
'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-23-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  11.1.0
ii  python3   3.9.2-3

Versions of packages fail2ban recommends:
ii  nftables   0.9.8-3.1+deb11u1
ii  python3-pyinotify  0.9.6-1.3
ii  python3-systemd    234-3+b4
pn  whois  

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20180807cvs-2
pn  monit
ii  rsyslog [system-log-daemon]  8.2102.0-2+deb11u1
pn  sqlite3  

-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[DEFAULT]
_daemon = sshd
__pref = (?:(?:error|fatal): (?:PAM: )?)?
__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
__authng_user = (?: (?:invalid|authenticating) user \S+|.*?)?
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
__pam_auth = pam_[a-z]+
[Definition]
prefregex = 
^%(__prefix_line)s%(__pref)s.+$
cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .* 
from ( via \S+)?%(__suff)s$
^User not known to the underlying authentication module for 
.* from %(__suff)s$
>
^Failed  for (?Pinvalid user 
)?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from 
%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
^ROOT LOGIN REFUSED FROM 
^[iI](?:llegal|nvalid) user .*? from 
%(__suff)s$
^User \S+|.*? from  not allowed because not 
listed in AllowUsers%(__suff)s$
^User \S+|.*? from  not allowed because 
listed in DenyUsers%(__suff)s$
^User \S+|.*? from  not allowed because not 
in any group%(__suff)s$
^refused connect from \S+ \(\)
^Received disconnect from 
%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
^User \S+|.*? from  not allowed because a 
group is listed in DenyGroups%(__suff)s$
^User \S+|.*? from  not allowed because none 
of user's groups are listed in AllowGroups%(__suff)s$
^%(__pam_auth)s\(sshd:auth\):\s+authentication 
failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=\S*\s+rhost=(?:\s+user=\S*)?%(__suff)s$
^maximum authentication attempts exceeded for .* 
from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
^User \S+|.*? not allowed because account is 
locked%(__suff)s
^Disconnecting(?: from)?(?: 
(?:invalid|authenticating)) user \S+ 
%(__on_port_opt)s:\s*Change of username or service not 
allowed:\s*.*\[preauth\]\s*$
^Disconnecting: Too many authentication failures(?: for 
\S+|.*?)?%(__suff)s$
^Received 
disconnect from 
%(__on_port_opt)s:\s*11:
-other>
^Accepted \w+ 
for \S+ from (?:\s|$)
cmnfailed-any = \S+
cmnfailed-ignore = \b(?!publickey)\S+
cmnfailed-invalid = 
cmnfailed-nofail = (?:publickey|\S+)
cmnfailed = >
mdre-normal =
mdre-normal-other = ^(Connection 
closed|Disconnected) (?:by|from)%(__authng_user)s 
(?:%(__suff)s|\s*)$
mdre-ddos = ^Did not receive identification string from 
^kex_exchange_identification: (?:[Cc]lient sent invalid protocol 
identifier|[Cc]onnection closed by remote host)
^Bad protocol version identification '.*' from 
^SSH: Server;Ltype: 
(?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
^Read from socket failed: Connection 
reset by peer
mdre-ddos-other = ^(Connection 
(?:closed|reset)|Disconnected) (?:by|from)%(__authng_user)s 
%(__on_port_opt)s\s+\[preauth\]\s*$
mdre-extra = ^Received disconnect from 
%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods 
available
^Unable to negotiate with %(__on_port_opt)s: no matching 
<__alg_match> found.
^Unable to negotiate a <__alg_match>
^no matching <__alg_match> found:
mdre-extra-other = ^Disconnected(?: from)?(?: 
(?:invalid|authenticating)) user \S+|.*? 
%(__on_port_opt)s \[preauth\]\s*$
mdre-aggressive = %(mdre-ddos)s
  %(mdre-extra)s
mdre-aggressive-other = %(mdre-ddos-other)s
publickey = nofail
cmnfailre-failed-pub-invalid = ^Failed
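Added illustration, not code from the bug report or from the fail2ban project: the attached filter above survives only truncated, so the exact regex change in the patch is not visible on this page. What the reporter describes, a shipped failregex that never matches the line sshd actually writes, can be reproduced and checked with plain Python `re`, the engine fail2ban itself uses. The log lines below are constructed, the syslog prefix and the `<HOST>` placeholder are simplified stand-ins for what common.conf provides, and the narrow/tolerant regex pair is an assumed example of this kind of mismatch (a pattern that anchors `$` right after `ssh2` and so misses the form carrying the key fingerprint), not the Debian 0.11.2-2 pattern or Daniel's fix.

```python
import re

# Constructed sample sshd log lines (not taken from the bug report). They follow
# the "Failed <method> for [invalid user ]<user> from <host> port <n> ssh2[: <extra>]"
# shape that OpenSSH's auth_log() writes; hosts, users and fingerprints are made up.
SAMPLE_LINES = [
    # pubkey failure for an unknown account, with the key type/fingerprint suffix
    "Jun 21 12:00:01 host sshd[1234]: Failed publickey for invalid user admin "
    "from 192.0.2.10 port 40122 ssh2: RSA SHA256:AAAAB3NzaC1yc2EAAAADAQABAAABAQC",
    # same event without the trailing fingerprint
    "Jun 21 12:00:02 host sshd[1235]: Failed publickey for invalid user guest "
    "from 192.0.2.14 port 40126 ssh2",
    # pubkey failure for an existing account: outside this failregex's scope
    "Jun 21 12:00:03 host sshd[1236]: Failed publickey for root "
    "from 192.0.2.11 port 40123 ssh2: ED25519 SHA256:abcdefabcdefabcdef",
    # password failure and a successful login: must never match this failregex
    "Jun 21 12:00:04 host sshd[1237]: Failed password for invalid user test "
    "from 192.0.2.12 port 40124 ssh2",
    "Jun 21 12:00:05 host sshd[1238]: Accepted publickey for deploy "
    "from 192.0.2.13 port 40125 ssh2: ED25519 SHA256:abcdefabcdefabcdef",
]

# Simplified stand-ins (assumptions) for pieces the real filter pulls in from
# common.conf: the syslog prefix and fail2ban's <HOST> placeholder.
PREFIX_LINE = r"^(?:\S+ +\d+ \d\d:\d\d:\d\d )?\S+ sshd\[\d+\]: "
HOST = r"(?P<host>\S+)"
# __on_port_opt exactly as defined in the sshd.conf above
ON_PORT_OPT = r"(?: (?:port \d+|on \S+)){0,2}"

# Deliberately narrow failregex (assumed illustration, not the shipped one):
# it insists the line ends right after "ssh2", so the fingerprint-bearing
# form of the message is silently missed and no ban is ever triggered.
NARROW = re.compile(
    PREFIX_LINE
    + r"Failed publickey for invalid user (?P<user>\S+) from "
    + HOST + ON_PORT_OPT + r"(?: ssh\d*)?$"
)

# Tolerant form: identical, but permits an optional ": <anything>" tail.
TOLERANT = re.compile(
    PREFIX_LINE
    + r"Failed publickey for invalid user (?P<user>\S+) from "
    + HOST + ON_PORT_OPT + r"(?: ssh\d*)?(?::.*)?$"
)


def matches(pattern, lines):
    """(host, user) for every line the failregex matches, i.e. what fail2ban would count."""
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append((m.group("host"), m.group("user")))
    return hits


def missed_pubkey_failures(pattern, lines):
    """Invalid-user pubkey failures the failregex does not catch (the reporter's symptom)."""
    marker = "Failed publickey for invalid user"
    return [line for line in lines if marker in line and not pattern.search(line)]


if __name__ == "__main__":
    for name, pat in (("narrow", NARROW), ("tolerant", TOLERANT)):
        print(name, "matched:", matches(pat, SAMPLE_LINES))
        print(name, "missed:", missed_pubkey_failures(pat, SAMPLE_LINES))
```

The narrow pattern still matches the short form of the line, which is why a filter can look fine in a quick test and yet never ban the attacker seen in the real log. For the shipped filter the equivalent check is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports matched and missed line counts (`--print-all-missed` prints the missed lines); an invalid-user pubkey failure listed there is exactly the symptom reported above.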