Incorrect patch for fail2ban log injection vulnerability
Yaroslav Halchenko
debian at onerussian.com
Thu Jul 5 19:42:12 BST 2007
Just a small note -- it is just a matter of the HTML code dropping <HOST>
;-) -- just see the source of that HTML ;-)
And as Joel mentioned, the patch is not 100% correct due to the possible(!)
ending with port and protocol.
Fixed failregexes are coming with a fresh Debian release of fail2ban
very soon.
On Thu, 05 Jul 2007, joel at peshkin.net wrote:
> Daniel,
> First, thanks for the excellent article. Prior to that, I had always
> rolled my own fail2ban equivalents and this work made it possible for
> me to use fail2ban instead.
> I did find an error in the patch.
> The patch changes the pattern to...
> Failed [-/\w]+ for .* from $
> which will not match....
> Jun 2 14:49:00 crazymom sshd[5862]: Failed password for root from
> 192.168.50.65 port 34780 ssh2
> or
> Jun 2 14:49:46 crazymom sshd[5866]: Failed password for invalid user
> invuser from 192.168.50.65 port 34786 ssh2
> I think a more appropriate pattern (my own patch built on top of the
> ubuntu-packaged version) would be....
> failregex = (?:Authentication failure|Failed [-/\w+]+)
> for(?:[iI](?:llegal|nvalid))? (?:user )?\w+(?: from|FROM) <HOST> *port
> +\d+ +ssh2 *$
> My change seems to work well on my own machine. I am not totally
> certain that the last string would always be "ssh2" so it might pay to
> make that a \w+ or something.
> [This is with respect to the article at
> http://www.ossec.net/en/attacking-loganalysis.html ]
> Regards,
> Joel Peshkin
--
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW: http://www.linkedin.com/in/yarik
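To put the point of this thread in running form, the following is an added check (my own illustration, not fail2ban's code and not code from the OSSEC article or from Joel's message). It runs three candidate sshd failregexes over constructed log lines: an assumed weak pattern that takes the user name as a single token (an assumption, not claimed to be fail2ban's actual regex), the patched pattern as quoted above with the <HOST> that the HTML dropped put back, and a variant that anchors on sshd's own "port NNNN <proto>" tail as Joel's suggestion does. The expansion of <HOST> into a single non-space capturing group is a simplifying assumption; the sample lines, including the two with an address smuggled into the user name, are constructed, not real captures.

```python
"""
Run candidate sshd failregexes from the thread against constructed log lines
and report which host each one would hand to the ban logic.
"""
import re

# Assumed expansion of fail2ban's <HOST> placeholder (simplified to one
# non-space token; the real expansion is more elaborate).
HOST = r"(?P<host>\S+)"

PATTERNS = {
    # Illustrative weak pattern (an assumption, not fail2ban's actual regex):
    # the user name is a single token, so a user name containing " from <ip>"
    # places an attacker-chosen address where <HOST> is captured.
    "weak_single_token_user":
        r"Failed [-/\w]+ for (?:invalid user )?\S+ from " + HOST,
    # The patched pattern as quoted in the thread, with the dropped <HOST>
    # restored.  The $ sits right after the host, so lines that end in
    # "port NNNN ssh2" never match at all.
    "article_patch_anchored":
        r"Failed [-/\w]+ for .* from " + HOST + r"$",
    # Tail-anchored form: consume sshd's own fixed tail ("port NNNN <proto>")
    # and anchor on it.  Greedy .* then binds <HOST> to the address sshd
    # appended, not to text inside a user-supplied name.  \w+ is used for the
    # protocol token rather than a literal "ssh2", as Joel suggests.
    "tail_anchored":
        r"Failed [-/\w]+ for (?:invalid user )?.* from " + HOST
        + r" port \d+ \w+$",
}

# Constructed sample lines (not real captures).  192.168.50.65 is the actual
# client; 10.9.8.7 is an address the attacker smuggled in via the user name.
LINES = {
    "real_root":
        "Jun  2 14:49:00 crazymom sshd[5862]: Failed password for root "
        "from 192.168.50.65 port 34780 ssh2",
    "real_invalid":
        "Jun  2 14:49:46 crazymom sshd[5866]: Failed password for invalid "
        "user invuser from 192.168.50.65 port 34786 ssh2",
    "injected":
        "Jun  2 14:50:10 crazymom sshd[5870]: Failed password for invalid "
        "user root from 10.9.8.7 from 192.168.50.65 port 34790 ssh2",
    "injected_with_tail":
        "Jun  2 14:50:31 crazymom sshd[5874]: Failed password for invalid "
        "user root from 10.9.8.7 port 22 ssh2 from 192.168.50.65 "
        "port 34794 ssh2",
}


def extract_host(pattern, line):
    """Return the host the pattern would hand to the ban logic, or None."""
    m = re.search(pattern, line)
    return m.group("host") if m else None


def evaluate(patterns=PATTERNS, lines=LINES):
    """Map pattern name -> {line name -> extracted host or None}."""
    return {pname: {lname: extract_host(p, l) for lname, l in lines.items()}
            for pname, p in patterns.items()}


if __name__ == "__main__":
    for pname, results in evaluate().items():
        print(pname)
        for lname, host in results.items():
            print(f"  {lname:20s} -> {host}")
```

The weak pattern returns 10.9.8.7 for both injected lines, so a ban would hit whatever address the attacker typed into the user name. The $-anchored pattern matches none of the four lines, which is the failure Joel describes: the real sshd lines carry "port NNNN ssh2" after the host. The tail-anchored pattern returns 192.168.50.65 for all four, because sshd appends the "from <addr> port <n> <proto>" suffix itself and the greedy .* swallows anything the user name contains, including a fake "port 22 ssh2".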