Bug#1038779: fail2ban: Filter for invalid pubkey authentication does not match
Hi Sylvestre,

I have just submitted the PR.

Best regards
Daniel

On Wed, 21 Jun 2023 14:55:22 +0200 Sylvestre Ledru wrote:
> Hello
>
> could you please submit a PR on https://salsa.debian.org/python-team/packages/fail2ban/ ?
>
> thanks
> Sylvestre
Bug#1038779: fail2ban: Filter for invalid pubkey authentication does not match
Hello

could you please submit a PR on https://salsa.debian.org/python-team/packages/fail2ban/ ?

thanks
Sylvestre

On 21/06/2023 at 12:17, Daniel von Obernitz wrote:
> Package: fail2ban
> Version: 0.11.2-2
> Severity: important
> Tags: patch
>
> Dear Maintainer,
>
> fail2ban did not block logins using an invalid pubkey. I checked the sshd
> filter and the default regex does not match the actual line when trying to
> log in via ssh with an invalid pubkey. Attached you'll find the updated
> filter for "cmnfailre-failed-pub-invalid"; after that update the filter
> works as expected. This issue concerns Debian 11 and Debian 12 as well.
>
> Best regards
> Daniel
> [...]
Bug#1038779: fail2ban: Filter for invalid pubkey authentication does not match
Package: fail2ban
Version: 0.11.2-2
Severity: important
Tags: patch

Dear Maintainer,

fail2ban did not block logins using an invalid pubkey. I checked the sshd filter and the default regex does not match the actual line when trying to log in via ssh with an invalid pubkey. Attached you'll find the updated filter for "cmnfailre-failed-pub-invalid"; after that update the filter works as expected. This issue concerns Debian 11 and Debian 12 as well.

Best regards
Daniel

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable-security'), (990, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-23-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  11.1.0
ii  python3   3.9.2-3

Versions of packages fail2ban recommends:
ii  nftables           0.9.8-3.1+deb11u1
ii  python3-pyinotify  0.9.6-1.3
ii  python3-systemd    234-3+b4
pn  whois              <none>

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20180807cvs-2
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.2102.0-2+deb11u1
pn  sqlite3                      <none>

-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:

[INCLUDES]
before = common.conf

[DEFAULT]
_daemon = sshd
__pref = (?:(?:error|fatal): (?:PAM: )?)?
__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.*?</F-USER>)?
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
__pam_auth = pam_[a-z]+

[Definition]
prefregex = ^%(__prefix_line)s%(__pref)s<F-CONTENT>.+</F-CONTENT>$
cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>%(__suff)s$
            <cmnfailre-failed-pub-<publickey>>
            ^Failed <cmnfailed> for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not in any group%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)
            ^Received disconnect from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
            ^%(__pam_auth)s\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$
            ^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> not allowed because account is locked%(__suff)s
            ^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
            ^Disconnecting: Too many authentication failures(?: for <F-USER>\S+|.*?</F-USER>)?%(__suff)s$
            ^Received disconnect from <HOST>%(__on_port_opt)s:\s*11: <mdre-<mode>-other>
            ^<F-NOFAIL>Accepted \w+</F-NOFAIL> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)

cmnfailed-any = \S+
cmnfailed-ignore = \b(?!publickey)\S+
cmnfailed-invalid = <cmnfailed-ignore>
cmnfailed-nofail = (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+)
cmnfailed = <cmnfailed-<publickey>>

mdre-normal =
mdre-normal-other = ^<F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$

mdre-ddos = ^Did not receive identification string from <HOST>
            ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
            ^Bad protocol version identification '.*' from <HOST>
            ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
            ^Read from socket failed: Connection reset by peer
mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$

mdre-extra = ^Received disconnect from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
             ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
             ^Unable to negotiate a <__alg_match>
             ^no matching <__alg_match> found:
mdre-extra-other = ^Disconnected(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$

mdre-aggressive = %(mdre-ddos)s
                  %(mdre-extra)s
mdre-aggressive-other = %(mdre-ddos-other)s

publickey = nofail
cmnfailre-failed-pub-invalid = ^Failed
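The report above turns on how the sshd filter treats a "Failed publickey ..." line under each value of its publickey parameter (nofail, invalid, any, ignore). The following Python script is an added example, not code from the bug report, from Debian or from the fail2ban project: it expands the generic "^Failed <cmnfailed> for ..." rule of sshd.conf by hand for each mode and runs it over constructed sshd log lines. The simplifications are assumptions of this example: fail2ban's <HOST> tag is reduced to \S+, the prefregex to a minimal syslog prefix, the <F-USER> and <F-NOFAIL> tags become plain named groups, and the sample log lines are made up. The separate cmnfailre-failed-pub-invalid rule that the report patches is cut off on this page, so it is deliberately left out; what the script shows is why the generic rule alone does not ban under the default publickey = nofail (the line matches, but is flagged no-fail and so does not count against the IP), and that in invalid mode the generic rule skips publickey lines entirely and relies on that separate rule.

```python
import re

# Simplified stand-ins for fail2ban's <HOST> tag and the __on_port_opt helper from
# sshd.conf (assumptions of this example; the real <HOST> also handles IPv6 and
# hostnames, which the constructed sample lines below do not need).
HOST = r"(?P<host>\S+)"
ON_PORT_OPT = r"(?: (?:port \d+|on \S+)){0,2}"

# <cmnfailed> as selected by the "publickey" parameter of sshd.conf.  In nofail
# mode the upstream filter wraps "publickey" in <F-NOFAIL>...</F-NOFAIL>; that is
# modelled here as a named group so the caller can see the flag.
CMNFAILED = {
    "any":     r"\S+",
    "ignore":  r"\b(?!publickey)\S+",
    "invalid": r"\b(?!publickey)\S+",        # cmnfailed-invalid = <cmnfailed-ignore>
    "nofail":  r"(?:(?P<nofail>publickey)|\S+)",
}

# Minimal prefregex (assumption): drop the syslog/pid prefix so the failregex
# only ever sees the message text, as fail2ban's <F-CONTENT> does.
PREFIX_RE = re.compile(r"^(?:\w{3} +\d+ [\d:]+ \S+ )?sshd\[\d+\]: (?P<content>.+)$")


def failed_rule(mode: str) -> re.Pattern:
    """The generic 'Failed <method> for ...' rule from cmnfailre, with
    <F-USER>...</F-USER> expanded to the named group fail2ban builds from it.
    The conditional groups are what let a user name containing spaces match."""
    return re.compile(
        r"^Failed " + CMNFAILED[mode] + r" for (?P<cond_inv>invalid user )?"
        r"(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+))"
        r" from " + HOST + ON_PORT_OPT + r"(?: ssh\d*)?"
        r"(?(cond_user): |(?:(?:(?! from ).)*)$)"
    )


def classify(line: str, mode: str = "nofail"):
    """Return None when the generic rule does not match, otherwise
    (kind, user, host) where kind is 'fail' or 'nofail'; 'nofail' means the
    line matched but fail2ban would not count it as a failure for that IP."""
    pre = PREFIX_RE.match(line)
    if not pre:
        return None
    m = failed_rule(mode).match(pre.group("content"))
    if not m:
        return None
    kind = "nofail" if (mode == "nofail" and m.group("nofail")) else "fail"
    return kind, m.group("user"), m.group("host")


# Constructed sample sshd log lines (not taken from the bug report).
SAMPLE = [
    "Jun 21 12:17:01 srv sshd[4242]: Failed publickey for invalid user admin from 203.0.113.7 port 51234 ssh2: RSA SHA256:c29tZWtleQ",
    "Jun 21 12:17:02 srv sshd[4243]: Failed publickey for root from 203.0.113.7 port 51235 ssh2: ED25519 SHA256:YW5vdGhlcg",
    "Jun 21 12:17:03 srv sshd[4244]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "Jun 21 12:17:04 srv sshd[4245]: Failed password for root from 203.0.113.7 port 51237 ssh2",
]


def run(mode: str):
    """Classify every sample line under the given publickey mode."""
    return [classify(line, mode) for line in SAMPLE]


if __name__ == "__main__":
    for mode in ("nofail", "invalid", "any"):
        print(mode)
        for line, result in zip(SAMPLE, run(mode)):
            print("  ", result, "<-", line.split(": ", 1)[1])
```

Under nofail the two publickey lines come back as ('nofail', ...), the two password lines as ('fail', ...); under invalid (and ignore) the publickey lines do not match the generic rule at all, so catching "Failed publickey for invalid user" is entirely up to cmnfailre-failed-pub-invalid. To check a real filter against a real log the project's own tool is fail2ban-regex, e.g. fail2ban-regex /var/log/auth.log sshd, which reports which lines matched and which were missed.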