Incorrect patch for fail2ban log injection vulnerability

Yaroslav Halchenko debian at
Thu Jul 5 19:42:12 BST 2007

Just a small note -- it is just a matter of html code dropping <HOST>
;-) -- just see the source of that html ;-)

And as Joel mentioned, patch is not 100% correct due to possible(!)
ending with port and protocol.
Fixed failregexes are coming with a fresh debian release of fail2ban
very soon.

On Thu, 05 Jul 2007, joel at wrote:

> Daniel,

>    First, thanks for the excellent article.  Prior to that, I had always
> rolled my own fail2ban equivalents and this work made it possible for
> me to use fail2ban instead.

>    I did find an error in the patch.

>    The patch changes the pattern to...
> Failed [-/\w]+ for .* from $

>    which will not match....

>  Jun 2 14:49:00 crazymom sshd[5862]: Failed password for root from
> port 34780 ssh2
> or
> Jun 2 14:49:46 crazymom sshd[5866]: Failed password for invalid user
> invuser from port 34786 ssh2

>    I think a more appropriate pattern my own patch built on top of the
> ubuntu-packaged version) would be....

> failregex = (?:Authentication failure|Failed [-/\w+]+)
> for(?:[iI](?:llegal|nvalid))? (?:user )?\w+(?: from|FROM) <HOST> *port
> +\d+ +ssh2 *$

>    My change seems to work well on my own machine.  I am not totally
> certain that the last string would always be "ssh2" so it might pay to
> make that a \w+ or something.

> [This is with respect to the article at
> ]

> Regards,

> Joel Peshkin

Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102

More information about the Ubuntu-motu mailing list