Attacks against valid users don't get caught
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fail2ban (Debian) | Fix Released | Unknown | |
fail2ban (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Bug Description
Binary package hint: fail2ban
The current configuration shipped with version 0.7.6-3ubuntu1 of fail2ban fails to catch failed login attempts for valid users. Example line of my /var/log/auth.log that didn't get matched:
Oct 13 10:16:34 tardis sshd[18845]: Failed password for nighty from 87.238.161.11 port 38046 ssh2
Replacing the following line in /etc/fail2ban/
(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:
with
(?:Authentication failure|Failed [-/\w+]+) for .*(?: from|FROM) <HOST>
remedies this. Just tested it from 2 remote hosts to my machine, and it catches wrong passwords as well as empty passwords, like the old rule did, but this time also for existing users.
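A regression check for the replacement failregex quoted above, added here as an example (it is not code from the bug report or from fail2ban). It assumes a simplified IPv4-only expansion of `<HOST>`, and the function names, the constructed sample lines and the threshold of 3 are illustrative.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real expansion is broader); the group name "host" is chosen for this example.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Replacement failregex, copied from the bug description.
PROPOSED = r"(?:Authentication failure|Failed [-/\w+]+) for .*(?: from|FROM) <HOST>"

# First line is the one quoted in the report; the rest are constructed samples.
SAMPLE_LINES = [
    "Oct 13 10:16:34 tardis sshd[18845]: Failed password for nighty from 87.238.161.11 port 38046 ssh2",
    "Oct 13 10:16:40 tardis sshd[18850]: Failed password for invalid user admin from 192.0.2.10 port 40100 ssh2",
    "Oct 13 10:16:45 tardis sshd[18851]: Failed password for nighty from 87.238.161.11 port 38050 ssh2",
    "Oct 13 10:17:02 tardis sshd[18860]: Accepted password for nighty from 198.51.100.7 port 51000 ssh2",
    "Oct 13 10:17:10 tardis sshd[18861]: Failed password for nighty from 87.238.161.11 port 38051 ssh2",
]

def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def offending_host(pattern, line):
    """Return the source address of a failed login, or None if no match."""
    match = pattern.search(line)
    return match.group("host") if match else None

def count_failures(pattern, lines):
    """Count matching lines per source address."""
    counts = {}
    for line in lines:
        host = offending_host(pattern, line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts

def hosts_to_ban(pattern, lines, maxretry):
    """Addresses with at least maxretry failures (no time window applied)."""
    counts = count_failures(pattern, lines)
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    regex = compile_failregex(PROPOSED)
    for line in SAMPLE_LINES:
        print(offending_host(regex, line), "<-", line)
    print("ban:", hosts_to_ban(regex, SAMPLE_LINES, maxretry=3))
```

Running the same check against the filter actually installed on a host, with a failed login for an existing account as input, confirms whether that version carries the fix.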
Changed in fail2ban:
assignee: nobody → jamie-strandboge
Changed in fail2ban:
status: Unknown → Fix Released
According to the upstream bug report, this bug was not in the Debian version of the package, which was later synced to Ubuntu. So it should be fixed now.