Comments (1)
Because of the "$" at the end, this regex will fail if, for whatever reason, there is unexpected text at the end of the line; even something like " (second attempt)" would break it.
The issue is: without an end-anchor, an RE containing catch-alls (like `.*` here in the user name) is weak, if one would not say vulnerable (for example to injections via user input), and so cannot be used safely without an end-anchor, because `from <HOST>` may be found in some user input, e. g. if the user name were artificially constructed by an attacker as something like `user from 192.0.2.123 ...` in order to cause a failure from IP 192.0.2.123.
Some such injection attempts can be found in our test suite (it is covered), e. g.:
fail2ban/fail2ban/tests/files/logs/sshd, lines 131 to 132 in 7b528a6
I find I get best results if I remove the "$" from the ends of the regexes.
You can use whatever you want, but it is not (and will never be) the strategy of fail2ban stock filters, because fail2ban would always prefer not to match on (unsafe) messages with a changed format over a theoretical match of the wrong legitimate user or IP. Emphasis on the word "always".
The only possibilities to fix that:
- provide the message with that "unexpected text" here, so we could add it as an optional part to the RE;
- write very complex and slow, multi-storey REs with negative lookaheads, that ensure there is only one `from host/IP`, e. g. exclude `from <something looking like host/IP>` after `from <HOST>`, or `from <something looking like IP>` after `from <ADDR>`, so a removal of the end-anchor would not break the "safety" of the RE;
- go to the openssh repository and thank the devs for the vulnerable message formats, and ask there for a proper escaping of foreign user inputs like the user name, for instance if they'd enclose the username in quotes and disallow the quote char in the username or escape it somehow (e. g. like url-encode with `%22` or like html-escape with `&quot;`):
```
# so if the message would look like this (and quote-char is impossible inside user-name):
Authentication failure for "some user name whatever" from 192.0.2.1
# the RE may be rewritten like:
- ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
+ ^[aA]uthentication (?:failure|error|failed) for <F-USER>"[^"]*"</F-USER> from <ADDR>
```
- alternatively the format can be changed in the way (following best practice) that the IP is moved before ANY foreign input in the log (so `from <ADDR>` can be placed before the user name)...
```
# so if the message would look like this (and quote-char is impossible inside user-name):
Authentication failure from 192.0.2.1 for user "no matter what we'll see here"
# the RE may be rewritten like:
- ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
+ ^[aA]uthentication (?:failure|error|failed) from <ADDR> for <F-USER>"[^"]*|.*?"</F-USER>
```
Thus closing for now (unless you'd provide the messages that didn't match by the stock filter).
from fail2ban.
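The following is an added illustration of the point made in the comment above; it is not code from the fail2ban project or from the comment's author. It replaces fail2ban's `<HOST>` and `<F-USER>` tags with plain named groups (assumption: a bare IPv4 group stands in for `<HOST>`, which in fail2ban also matches hostnames and IPv6, and `%(__suff)s` is omitted), uses a lazy user group (`.*?`, the form in the page's second rewritten RE), and runs the anchored rule, the same rule with `$` removed, and the two rewritten formats over constructed log lines, so one can see which line each variant blames for a crafted user name and which line the anchored rule safely refuses to match.

```python
import re

# Constructed stand-ins for fail2ban's <HOST> and <F-USER> tags (assumption:
# the real <HOST> also matches hostnames and IPv6; a plain IPv4 group is enough
# to show the effect). The page's %(__suff)s is left out for the same reason.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PREFIX = r'^Authentication (?:failure|error|failed) '

# User name before host, lazy catch-all user group, WITH the end anchor.
ANCHORED = re.compile(PREFIX + r'for (?P<user>.*?) from ' + HOST + r'( via \S+)?$')
# The same rule with the end anchor removed (what the reporter proposed).
UNANCHORED = re.compile(PREFIX + r'for (?P<user>.*?) from ' + HOST + r'( via \S+)?')
# The page's first rewrite: user name delimited by quotes that cannot appear inside it.
QUOTED = re.compile(PREFIX + r'for (?P<user>"[^"]*") from ' + HOST + r'$')
# The page's second rewrite: host logged before any foreign input.
IP_FIRST = re.compile(PREFIX + r'from ' + HOST + r' for user (?P<user>"[^"]*")$')


def attribute(pattern, line):
    """Return the (user, host) pair the rule would blame for this line, or None
    if the rule does not match (fail2ban then simply ignores the line)."""
    m = pattern.match(line)
    return (m.group('user'), m.group('host')) if m else None


# Constructed log lines (RFC 5737 documentation addresses). 203.0.113.7 is the
# real peer; 192.0.2.123 only appears because the peer chose it as its user name.
LEGIT = 'Authentication failure for alice from 203.0.113.7'
TRAILING = 'Authentication failure for alice from 203.0.113.7 (second attempt)'
CRAFTED = 'Authentication failure for user from 192.0.2.123 from 203.0.113.7'
CRAFTED_QUOTED = 'Authentication failure for "user from 192.0.2.123" from 203.0.113.7'
CRAFTED_IP_FIRST = 'Authentication failure from 203.0.113.7 for user "user from 192.0.2.123"'


def demo():
    """Run every variant over the sample lines and collect the attributions."""
    return {
        'anchored/legit': attribute(ANCHORED, LEGIT),
        'anchored/trailing': attribute(ANCHORED, TRAILING),      # None: safe non-match
        'anchored/crafted': attribute(ANCHORED, CRAFTED),        # $ forces the real peer
        'unanchored/trailing': attribute(UNANCHORED, TRAILING),  # now matches ...
        'unanchored/crafted': attribute(UNANCHORED, CRAFTED),    # ... but blames 192.0.2.123
        'quoted/crafted': attribute(QUOTED, CRAFTED_QUOTED),     # delimiter bounds the input
        'ip_first/crafted': attribute(IP_FIRST, CRAFTED_IP_FIRST),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(f'{name:22} -> {result}')
```

The anchored rule gives up on the line with trailing text (the reporter's complaint) but, on the crafted line, backtracking past the smuggled `from 192.0.2.123` is the only way to reach `$`, so the real peer is blamed. Dropping `$` lets the trailing-text line match, but the lazy user group now stops at the first `from <HOST>` it finds, which is the attacker-chosen one. The two rewritten formats are safe because a delimiter or the field order, rather than the end anchor, bounds the foreign input.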