Debian Bug report logs - #514163
fail2ban: allows DoS via construction of domain names starting with IP of a victim

Package: fail2ban; Maintainer for fail2ban is Yaroslav Halchenko <debian@onerussian.com>; Source for fail2ban is src:fail2ban.

Reported by: Chris Butler <chrisb@debian.org>

Date: Wed, 4 Feb 2009 19:57:01 UTC

Severity: critical

Found in version fail2ban/0.7.5-2etch1

Fixed in versions fail2ban/0.8.3-5, fail2ban/0.8.3-2sid1

Done: Yaroslav Halchenko <debian@onerussian.com>

Bug is archived. No further changes may be made.

Forwarded to Cyril Jaquier <cyril.jaquier@fail2ban.org>

Report forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#514163; Package fail2ban. (Wed, 04 Feb 2009 19:57:03 GMT)

Acknowledgement sent to Chris Butler <chrisb@debian.org>:
New Bug report received and forwarded. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Wed, 04 Feb 2009 19:57:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Chris Butler <chrisb@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fail2ban: Included wuftpd.conf matches reverse DNS rather than IP
Date: Wed, 4 Feb 2009 19:56:16 +0000
Package: fail2ban
Version: 0.7.5-2etch1
Severity: normal

The '/etc/fail2ban/filter.d/wuftpd.conf' file shipped in the package
contains a regex which matches the error message generated by PAM:

failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$

The problem is that the value of 'rhost' is the resolved reverse DNS entry
for the remote host. Also, fail2ban's checking of the <HOST> entry stops
after it finds a valid IP address. I noticed this thanks to the following
log entries:

 (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn

That reverse DNS entry actually comes from 125.75.232.26, but fail2ban took
the beginning of that string and banned the IP address 26.232.125.75.

The attached patch changes the regexp to one that matches the log message
generated by wu-ftpd itself, which contains the unresolved IP address of the
remote host. Note that this message is by default written to syslog and not
auth.log.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (900, 'stable'), (200, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)

Versions of packages fail2ban depends on:
ii  iptables                1.3.6.0debian1-5 administration tools for packet fi
ii  lsb-base                3.1-23.2etch1    Linux Standard Base 3.1 init scrip
ii  python                  2.4.4-2          An interactive high-level object-o
ii  python-central          0.5.12           register and build utility for Pyt
ii  python2.4               2.4.4-3+etch2    An interactive high-level object-o

fail2ban recommends no packages.

-- no debconf information

-- 
Chris Butler <chrisb@debian.org>
  GnuPG Key ID: 1024D/D097A261
[0001-Changed-regex-for-matching-wu-ftpd-login-failures-as-the-pam-messages-contained-resolved-reverse-DNS-which-may-be-unresolvable-or-spoofed.txt (text/plain, attachment)]

Reply sent to Yaroslav Halchenko <debian@onerussian.com>:
You have marked Bug as forwarded. (Wed, 04 Feb 2009 21:06:22 GMT)

Message #8 received at 514163-forwarded@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Cc: Chris Butler <chrisb@debian.org>, 514163-forwarded@bugs.debian.org
Subject: Re: Bug#514163: fail2ban: Included wuftpd.conf matches reverse DNS rather than IP
Date: Wed, 4 Feb 2009 15:49:47 -0500
O man,

THANKS!

let me postpone dealing with wuftpd for now... just the issue of IP
that is bad... it is a security hazard and makes it easy to perform DoS
attacks... forwarding it upstream.

To replicate it in a matter of seconds, try

fail2ban-regex "Feb  4 14:55:01 washoe CRON[679]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn" "\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$"

proper IP should be 218.241.97.60 not 26.232.125.75

Tentative fix is in my git repository:

http://git.onerussian.com/?p=deb/fail2ban.git;a=shortlog;h=refs/heads/up/fix_searchIP

it is as simple as attached patch

there are two commits though -- 1 is actual fix, 1 is added a unittest for it.

If Cyril confirms that it is indeed that bad, I will immediately raise
the severity of the bug.  If Cyril agrees with my fix (it needs proper
testing), I will upload a Debian package and seek the ability to upload
it into lenny (and etch), since it is RC.

btw -- Cyril, am I doing something wrong, or is the unit test battery not
maintained? ;)

running 
PYTHONPATH=. ./fail2ban-testcases

gives me 
FAILED (failures=3, errors=4)

so, to run only my unittest you can use nosetests and run from testcases
directory:

PYTHONPATH=.. nosetests -s filtertestcase:DNSUtilsTests


On Wed, 04 Feb 2009, Chris Butler wrote:

> Package: fail2ban
> Version: 0.7.5-2etch1
> Severity: normal

> The '/etc/fail2ban/filter.d/wuftpd.conf' file shipped in the package
> contains a regex which matches the error message generated by PAM:

> failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$

> The problem is that the value of 'rhost' is the resolved reverse DNS entry
> for the remote host. Also, fail2ban's checking of the <HOST> entry stops
> after it finds a valid IP address. I noticed this thanks to the following
> log entries:

>  (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=26.232.125.75.gs.dynamic.163data.com.cn

> That reverse DNS entry actually comes from 125.75.232.26, but fail2ban took
> the beginning of that string and banned the IP address 26.232.125.75.

> The attached patch changes the regexp to one that matches the log message
> generated by wu-ftpd itself, which contains the unresolved IP address of the
> remote host. Note that this message is by default written to syslog and not
> auth.log.

> -- System Information:
> Debian Release: 4.0
>   APT prefers stable
>   APT policy: (900, 'stable'), (200, 'testing'), (100, 'experimental')
> Architecture: amd64 (x86_64)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-6-amd64
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)

> Versions of packages fail2ban depends on:
> ii  iptables                1.3.6.0debian1-5 administration tools for packet fi
> ii  lsb-base                3.1-23.2etch1    Linux Standard Base 3.1 init scrip
> ii  python                  2.4.4-2          An interactive high-level object-o
> ii  python-central          0.5.12           register and build utility for Pyt
> ii  python2.4               2.4.4-3+etch2    An interactive high-level object-o

> fail2ban recommends no packages.

> -- no debconf information
-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik        
[0001-BF-anchoring-regex-for-IP-with-at-the-end.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
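The two messages above describe the same defect from two angles: Chris shows the log line whose rhost= value is a reverse-DNS name beginning with an IP-looking prefix, and Yaroslav shows how to replicate it with fail2ban-regex. The Python below is an added example, not code from the bug report and not fail2ban's own source. It models the IP extraction before the fix (a dotted-quad pattern matched at the start of the <HOST> string with nothing anchoring its end) and after it (the same pattern with " *$" appended, as the changelog describes), and runs both over a constructed copy of the log line from the report. Assumptions: the expansion of <HOST> to `\S+`, the two IP regexes, and the hostname `203.0.113.7.attacker.example` used to show an attacker-chosen PTR record are all constructed for illustration.

```python
import re

# Constructed sample log line in the shape quoted in the bug report; not a
# real capture. rhost= carries the reverse-DNS name of the remote host, and
# that name starts with an IP-looking prefix (26.232.125.75) that is not
# the address of the peer (125.75.232.26 according to the report).
LOG_LINE = (
    "Feb  4 14:55:01 washoe CRON[679]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= "
    "rhost=26.232.125.75.gs.dynamic.163data.com.cn"
)

# The wuftpd.conf failregex from the report, with <HOST> expanded to a named
# group. The exact expansion fail2ban used is not on the page; \S+ is an
# assumption that captures the whole rhost= token up to end of line.
FAILREGEX = re.compile(
    r"\s+\(pam_unix\)\s+authentication failure.* rhost=(?P<host>\S+)$"
)

# Dotted-quad patterns: the unanchored form (what the report describes as
# "stops after it finds a valid IP address") and the form anchored with
# " *$" as in the changelog. Both are reconstructions, not fail2ban's code.
IP_PREFIX_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
IP_ANCHORED_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3} *$")


def is_valid_ipv4(text):
    """Strict dotted-quad check: exactly four decimal octets in 0..255."""
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and 0 <= int(p) <= 255 for p in parts
    )


def host_to_ip_vulnerable(host):
    """Pre-fix behaviour: an IP-looking prefix of the host string is taken
    as the address to ban, whatever follows it."""
    m = IP_PREFIX_RE.match(host)
    if m and is_valid_ipv4(m.group(0)):
        return m.group(0)
    return None


def host_to_ip_fixed(host):
    """Post-fix behaviour: the whole host string (bar trailing spaces) must
    be the IP literal, otherwise it is not treated as an address."""
    m = IP_ANCHORED_RE.match(host)
    if m and is_valid_ipv4(m.group(0).strip()):
        return m.group(0).strip()
    return None


def extract_host(line):
    """Apply the filter regex and return the <HOST> capture, or None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def ban_target(line, host_to_ip):
    """Return the address the jail would ban for `line`, or a 'resolve:'
    marker when the host is not an IP literal and would instead be handed
    to forward DNS. The DNS step is deliberately not performed here so the
    example runs offline."""
    host = extract_host(line)
    if host is None:
        return None
    ip = host_to_ip(host)
    if ip is not None:
        return ip
    return "resolve:" + host


if __name__ == "__main__":
    print("before fix:", ban_target(LOG_LINE, host_to_ip_vulnerable))
    print("after fix: ", ban_target(LOG_LINE, host_to_ip_fixed))
    # An attacker who controls the PTR record for their own address can
    # pick the prefix freely, so the victim in this constructed case would
    # be 203.0.113.7 before the fix.
    print("attacker PTR, before fix:",
          host_to_ip_vulnerable("203.0.113.7.attacker.example"))
```

Anchoring the end of the pattern defeats the prefix trick, but a name obtained from reverse DNS is still chosen by whoever controls that zone, which is why the reporter's attached patch matches wu-ftpd's own log message carrying the unresolved address rather than the PAM line.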

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#514163; Package fail2ban. (Thu, 05 Feb 2009 15:09:02 GMT)

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Thu, 05 Feb 2009 15:09:02 GMT)

Message #13 received at 514163@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Chris Butler <chrisb@debian.org>, 514163@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#514163: fail2ban: Included wuftpd.conf matches reverse DNS rather than IP
Date: Thu, 5 Feb 2009 10:05:11 -0500
clone 514163 -1
severity -1 normal
retitle -1 fail2ban: wu-ftpd - consider matching entries in syslog, not auth.log
severity 514163 critical
retitle 514163 fail2ban: allows DoS via construction of domain names starting with IP of a victim
thanks

heh heh

packages with a tentative fix are on the way


On Wed, 04 Feb 2009, Chris Butler wrote:

> Package: fail2ban
> Version: 0.7.5-2etch1
> Severity: normal

-- 
Yaroslav Halchenko
Research Assistant, Psychology Department, Rutgers-Newark
Student  Ph.D. @ CS Dept. NJIT
Office: (973) 353-1412 | FWD: 82823 | Fax: (973) 353-1171
        101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
WWW:     http://www.linkedin.com/in/yarik

Bug 514163 cloned as bug 514239. Request was from Yaroslav Halchenko <debian@onerussian.com> to control@bugs.debian.org. (Thu, 05 Feb 2009 15:09:02 GMT)

Severity set to `critical' from `normal'. Request was from Yaroslav Halchenko <debian@onerussian.com> to control@bugs.debian.org. (Thu, 05 Feb 2009 15:09:06 GMT)

Changed Bug title to `fail2ban: allows DoS via construction of domain names starting with IP of a victim' from `fail2ban: Included wuftpd.conf matches reverse DNS rather than IP'. Request was from Yaroslav Halchenko <debian@onerussian.com> to control@bugs.debian.org. (Thu, 05 Feb 2009 15:09:07 GMT)

Reply sent to Yaroslav Halchenko <debian@onerussian.com>:
You have taken responsibility. (Thu, 05 Feb 2009 15:57:14 GMT)

Notification sent to Chris Butler <chrisb@debian.org>:
Bug acknowledged by developer. (Thu, 05 Feb 2009 15:57:15 GMT)

Message #24 received at 514163-close@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: 514163-close@bugs.debian.org
Subject: Bug#514163: fixed in fail2ban 0.8.3-5
Date: Thu, 05 Feb 2009 15:47:06 +0000
Source: fail2ban
Source-Version: 0.8.3-5

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive:

fail2ban_0.8.3-5.diff.gz
  to pool/main/f/fail2ban/fail2ban_0.8.3-5.diff.gz
fail2ban_0.8.3-5.dsc
  to pool/main/f/fail2ban/fail2ban_0.8.3-5.dsc
fail2ban_0.8.3-5_all.deb
  to pool/main/f/fail2ban/fail2ban_0.8.3-5_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yaroslav Halchenko <debian@onerussian.com> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 05 Feb 2009 09:51:45 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.3-5
Distribution: experimental
Urgency: low
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Changed-By: Yaroslav Halchenko <debian@onerussian.com>
Description: 
 fail2ban   - bans IPs that cause multiple authentication errors
Closes: 514163
Changes: 
 fail2ban (0.8.3-5) experimental; urgency=low
 .
   * BF: anchoring regex for IP with " *$" at the end + adjust regexp for
     <HOST> (closes: #514163)
   * NF: adding unittests for previous BF
Checksums-Sha1: 
 f587f9994e8222166e8695222b040b0d7590c752 1201 fail2ban_0.8.3-5.dsc
 081079efb02a10d4be9409722b51982aa43e9dd9 32777 fail2ban_0.8.3-5.diff.gz
 5fe3e59bb57ffb6f54e6e242ea5507487ee2a18d 91178 fail2ban_0.8.3-5_all.deb
Checksums-Sha256: 
 da792e2f73999d8a1070ef63db516d502f8fa5394f3a9f09b5ce0e0402d14cec 1201 fail2ban_0.8.3-5.dsc
 40ca9ef8a91ceaafe0ef44d4f26bef1ecb3fedb8649ef3aeb17e835b5ff4a3c0 32777 fail2ban_0.8.3-5.diff.gz
 ce43dfc64d4c89fed2e8986319bc22bec6e9568d3f786537207aaa8f71166104 91178 fail2ban_0.8.3-5_all.deb
Files: 
 49d33da83b29c7862fab05f811ac4c83 1201 net optional fail2ban_0.8.3-5.dsc
 d56f7750d88968d163b5884d35da3e8b 32777 net optional fail2ban_0.8.3-5.diff.gz
 8c0974b902f2d99f0fdb7b7605e03972 91178 net optional fail2ban_0.8.3-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmLAf0ACgkQjRFFY3XAJMjmnACgjxZuzP4OFcqv0vw8itq85U0I
QXUAnRXzuzjv98mWjWvUGEC5uKajiYbT
=lPOb
-----END PGP SIGNATURE-----

Reply sent to Yaroslav Halchenko <debian@onerussian.com>:
You have taken responsibility. (Thu, 05 Feb 2009 15:57:16 GMT)

Notification sent to Chris Butler <chrisb@debian.org>:
Bug acknowledged by developer. (Thu, 05 Feb 2009 15:57:16 GMT)

Message #29 received at 514163-close@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: 514163-close@bugs.debian.org
Subject: Bug#514163: fixed in fail2ban 0.8.3-2sid1
Date: Thu, 05 Feb 2009 15:47:04 +0000
Source: fail2ban
Source-Version: 0.8.3-2sid1

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive:

fail2ban_0.8.3-2sid1.diff.gz
  to pool/main/f/fail2ban/fail2ban_0.8.3-2sid1.diff.gz
fail2ban_0.8.3-2sid1.dsc
  to pool/main/f/fail2ban/fail2ban_0.8.3-2sid1.dsc
fail2ban_0.8.3-2sid1_all.deb
  to pool/main/f/fail2ban/fail2ban_0.8.3-2sid1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yaroslav Halchenko <debian@onerussian.com> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 05 Feb 2009 10:23:12 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.3-2sid1
Distribution: unstable
Urgency: low
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Changed-By: Yaroslav Halchenko <debian@onerussian.com>
Description: 
 fail2ban   - bans IPs that cause multiple authentication errors
Closes: 514163
Changes: 
 fail2ban (0.8.3-2sid1) unstable; urgency=low
 .
   * NF: adding unittests for previous commit
   * BF: anchoring regex for IP with " *$" at the end + adjust regexp for
     <HOST> (closes: #514163)
Checksums-Sha1: 
 d6dfe405156bcb42a170e58479bf0c5795d9a19b 1217 fail2ban_0.8.3-2sid1.dsc
 491b9e72cda1928cb6ba3f6ec789b3284747f535 25064 fail2ban_0.8.3-2sid1.diff.gz
 51cbf5ed88005c0700e5563aed1e8e5f0b8e9cbf 86226 fail2ban_0.8.3-2sid1_all.deb
Checksums-Sha256: 
 a78d769e10911fc26340c05634a017f85a3e41f6e3c375aee11f5ad182ebb197 1217 fail2ban_0.8.3-2sid1.dsc
 374d51024cb2e4b879e835149b4cf8e60959a2e5de660496e7529cc591668254 25064 fail2ban_0.8.3-2sid1.diff.gz
 04391f2a45f7dce3d4e3928027bc0f0f2536a4889ced4116ff6a77faec8be43b 86226 fail2ban_0.8.3-2sid1_all.deb
Files: 
 072779324f9ae18a68b485d6ddce7981 1217 net optional fail2ban_0.8.3-2sid1.dsc
 7176ea9a77c15c9671d6801fddafcdb7 25064 net optional fail2ban_0.8.3-2sid1.diff.gz
 d4fe88b994aed8e3d53fc1b958eaf870 86226 net optional fail2ban_0.8.3-2sid1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmLCCIACgkQjRFFY3XAJMhlKwCdHRMd+9r6EI/iJ6Ok4Oe02aHj
MZcAoKlr4PYWoZJ3HN6+c5qaFbOGkgTd
=Sn3c
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 06 Mar 2009 07:30:17 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:08:27 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.