Incorrect patch for fail2ban log injection vulnerability

joel at joel at
Thu Jul 5 19:23:04 BST 2007


   First, thanks for the excellent article.  Prior to that, I had always
rolled my own fail2ban equivalents and this work made it possible for
me to use fail2ban instead.

   I did find an error in the patch.

   The patch changes the pattern to...
Failed [-/\w]+ for .* from $

   which will not match....

 Jun 2 14:49:00 crazymom sshd[5862]: Failed password for root from port 34780 ssh2
Jun 2 14:49:46 crazymom sshd[5866]: Failed password for invalid user
invuser from port 34786 ssh2

   I think a more appropriate pattern my own patch built on top of the
ubuntu-packaged version) would be....

failregex = (?:Authentication failure|Failed [-/\w+]+)
for(?:[iI](?:llegal|nvalid))? (?:user )?\w+(?: from|FROM) <HOST> *port
+\d+ +ssh2 *$

   My change seems to work well on my own machine.  I am not totally
certain that the last string would always be "ssh2" so it might pay to
make that a \w+ or something.

[This is with respect to the article at ]


Joel Peshkin

More information about the Ubuntu-motu mailing list