Incorrect patch for fail2ban log injection vulnerability
joel at peshkin.net
Thu Jul 5 19:23:04 BST 2007
Daniel,
First, thanks for the excellent article. Prior to that, I had always
rolled my own fail2ban equivalents and this work made it possible for
me to use fail2ban instead.
I did find an error in the patch.
The patch changes the pattern to...
Failed [-/\w]+ for .* from $
which will not match....
Jun 2 14:49:00 crazymom sshd[5862]: Failed password for root from 192.168.50.65 port 34780 ssh2
or
Jun 2 14:49:46 crazymom sshd[5866]: Failed password for invalid user invuser from 192.168.50.65 port 34786 ssh2
I think a more appropriate pattern (my own patch, built on top of the
ubuntu-packaged version) would be....
failregex = (?:Authentication failure|Failed [-/\w+]+) for(?:[iI](?:llegal|nvalid))? (?:user )?\w+(?: from|FROM) <HOST> *port +\d+ +ssh2 *$
My change seems to work well on my own machine. I am not totally
certain that the last string would always be "ssh2" so it might pay to
make that a \w+ or something.
[This is with respect to the article at
http://www.ossec.net/en/attacking-loganalysis.html ]
Regards,
Joel Peshkin
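The following is an added, stand-alone check of the two patterns discussed in this mail; it is not code from the mail, from the OSSEC article or from fail2ban. It mimics what fail2ban does with a failregex (replace the <HOST> token with a capturing group, then search each log line) using a simplified, assumed IPv4-only substitution. Two further assumptions are labelled in the code: the article's pattern is taken as "Failed [-/\w]+ for .* from <HOST>$" (the <HOST> token appears to have been eaten by the list archive in the quote above), and the optional "invalid"/"illegal" group of Joel's pattern is placed after the space that follows "for", which is how the line-wrapped mail text reads most naturally. The sample log lines are constructed: the first two copy the mail's examples, the third has a username carrying a fake "from <ip>" (the kind of log injection the subject line refers to), and the fourth exercises Joel's own caveat about the trailing "ssh2".

```python
import re

# fail2ban writes <HOST> in a failregex and substitutes a capturing group.
# Assumption: a simplified IPv4-only substitution; fail2ban's real one also
# accepts hostnames and IPv4-mapped IPv6 addresses.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


# The article's patch pattern as quoted in the mail. Assumption: the archive
# stripped the <HOST> token, so it is restored here.
PATCHED = r"Failed [-/\w]+ for .* from <HOST>$"

# Joel's pattern. Assumption: the optional invalid/illegal group sits after
# the space following "for" (the mail wraps the line at exactly that spot).
JOELS = (r"(?:Authentication failure|Failed [-/\w+]+) "
         r"for (?:[iI](?:llegal|nvalid) )?(?:user )?\w+(?: from|FROM) <HOST>"
         r" *port +\d+ +ssh2 *$")

# Joel's suggested relaxation: do not insist the line ends in "ssh2".
JOELS_LOOSE = JOELS.replace("ssh2", r"\w+")

# Constructed sample lines (first two copied from the mail).
SAMPLES = [
    "Jun  2 14:49:00 crazymom sshd[5862]: Failed password for root "
    "from 192.168.50.65 port 34780 ssh2",
    "Jun  2 14:49:46 crazymom sshd[5866]: Failed password for invalid user "
    "invuser from 192.168.50.65 port 34786 ssh2",
    # constructed: attacker-chosen username that smuggles in a fake source IP
    "Jun  2 14:50:01 crazymom sshd[5870]: Failed password for invalid user "
    "bob from 10.0.0.1 from 192.168.50.65 port 34790 ssh2",
    # constructed: same shape as line 1 but with a different protocol suffix
    "Jun  2 14:51:12 crazymom sshd[5874]: Failed password for alice "
    "from 192.168.50.65 port 34792 ssh1",
]


def extract_hosts(failregex: str, lines) -> list:
    """Return the <HOST> captured per line, or None where the regex misses."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        hosts.append(m.group("host") if m else None)
    return hosts


if __name__ == "__main__":
    for name, pattern in (("article patch", PATCHED),
                          ("Joel", JOELS),
                          ("Joel, ssh2 -> \\w+", JOELS_LOOSE)):
        print(f"{name:20s} {extract_hosts(pattern, SAMPLES)}")
```

Running it shows the three points made above: the article's pattern anchors "$" directly after the address and so matches none of the real sshd lines; Joel's pattern matches both of the mail's examples and pulls out 192.168.50.65, and because the username is \w+ and the address must be followed by " port N ssh2", the injected "from 10.0.0.1" cannot be mistaken for the source (that line simply does not match, rather than banning the wrong host); relaxing the trailing "ssh2" to \w+, as Joel suggests, additionally picks up the ssh1-suffixed line.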
More information about the Ubuntu-motu mailing list