fail2ban: missing regexp for ssh

Rial Juan nighty at safehex.be
Sat Oct 13 10:11:18 BST 2007


Hi,

The current configuration shipped with version 0.7.6-3ubuntu1 of
fail2ban fails to catch failed login attempts for valid users. Example
line of my /var/log/auth.log that didn't get matched:

Oct 13 10:16:34 tardis sshd[18845]: Failed password for nighty from 87.238.161.11 port 38046 ssh2

Replacing the following line in /etc/fail2ban/filter.d/sshd.conf:

(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid))? user .*(?: from|FROM) <HOST>

with

(?:Authentication failure|Failed [-/\w+]+) for .*(?: from|FROM) <HOST>

remedies this. Just tested it from 2 remote hosts to my machine, and it
catches wrong passwords as well as empty passwords, like the old rule
did, but this time also for existing users.



I don't know if this can be considered a bug or not; are valid users
within the scope anyway? I for one feel safer, though, knowing that
password attacks against the passwords of valid users will be stopped at
the gates as well as random login attempts for invalid users.

In case of feedback, please include me in cc as I'm not subscribed.

ps: package info tells me to mail the bugs to
ubuntu-users at lists.ubuntu.com but I chose to mail the address specified
under "maintainer" instead; I don't see why ubuntu-users needs this bug
report anyway... Perhaps an error in the package definition?

Kind regards,

Rial Juan

-- 
Welcome to text-only Counterstrike.
You are in a dark, outdoor map.

> go north
You have been pwned by a grue.
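
The comparison described in the message, as an added example that is not part of the original post or of fail2ban's own code: both failregex lines are run over sample auth.log lines to show which source addresses each one would hand to the ban logic. The `HOST` expansion is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag (an assumption), the function names are hypothetical, and every log line except the first is constructed.

```python
import re

# Assumption: simplified IPv4-only stand-in for what fail2ban substitutes
# for the <HOST> tag; the real expansion differs between versions.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines quoted in the message.
OLD = (r"(?:Authentication failure|Failed [-/\w+]+) for"
       r"(?: [iI](?:llegal|nvalid))? user .*(?: from|FROM) <HOST>")
NEW = r"(?:Authentication failure|Failed [-/\w+]+) for .*(?: from|FROM) <HOST>"

SAMPLE_LOG = [
    # From the message: wrong password for an existing account.
    "Oct 13 10:16:34 tardis sshd[18845]: Failed password for nighty "
    "from 87.238.161.11 port 38046 ssh2",
    # Constructed: wrong password for a non-existent account.
    "Oct 13 10:17:02 tardis sshd[18850]: Failed password for invalid user "
    "admin from 192.0.2.10 port 40112 ssh2",
    # Constructed: empty-password attempt, older "illegal user" wording.
    "Oct 13 10:17:40 tardis sshd[18861]: Failed none for illegal user "
    "test from 192.0.2.10 port 40120 ssh2",
    # Constructed: successful login, must never be counted as a failure.
    "Oct 13 10:18:05 tardis sshd[18870]: Accepted password for nighty "
    "from 198.51.100.7 port 51000 ssh2",
]


def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the failregex."""
    return re.compile(pattern.replace("<HOST>", HOST))


def matched_host(pattern, line):
    """Return the address the failregex extracts from line, or None."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


def coverage(pattern, lines=SAMPLE_LOG):
    """Per-line result for a failregex: extracted host or None."""
    return [matched_host(pattern, line) for line in lines]


if __name__ == "__main__":
    for name, pattern in (("old", OLD), ("new", NEW)):
        for line, host in zip(SAMPLE_LOG, coverage(pattern)):
            print(f"{name}: {host!s:<15} <- {line[36:]}")
```
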

More information about the Ubuntu-motu mailing list