[fail2ban] Add patch to prevent sshd blocks of successful logins for systems that use sssd or ldap

Orion Poplawski orion at fedoraproject.org
Wed Jan 23 23:47:12 UTC 2013


commit 260f069b94fed7118847cbd29fd4bda9f0818c28
Author: Orion Poplawski <orion at nwra.com>
Date:   Wed Jan 23 16:46:59 2013 -0700

    Add patch to stop the sshd jail from banning a client IP after a successful
    login on systems that authenticate through sssd or ldap

 fail2ban-0.8.8-sshd-pam.patch |   11 +++++++++++
 fail2ban.spec                 |   10 +++++++++-
 2 files changed, 20 insertions(+), 1 deletions(-)
---
diff --git a/fail2ban-0.8.8-sshd-pam.patch b/fail2ban-0.8.8-sshd-pam.patch
new file mode 100644
index 0000000..cfe0772
--- /dev/null
+++ b/fail2ban-0.8.8-sshd-pam.patch
@@ -0,0 +1,11 @@
+diff -up fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam fail2ban-0.8.8/config/filter.d/sshd.conf
+--- fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam	2012-12-05 20:51:29.000000000 -0700
++++ fail2ban-0.8.8/config/filter.d/sshd.conf	2013-01-18 14:29:00.300902426 -0700
+@@ -30,7 +30,6 @@ failregex = ^%(__prefix_line)s(?:error:
+             ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+-            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+ 
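Review bot: Dropping the pam_unix `authentication failure` pattern removes a failure signal on every host that installs this package, not only sssd/ldap ones, and the patch itself carries no rationale — it opens with a bare `diff -up` header — so a maintainer rebasing it later has nothing telling them why the line must stay out. The `failregex` list this hunk edits starts before the hunk (only its first entry, beginning `(?:error:`, shows in the `@@` header), so whether sshd's own `Failed … for … from <HOST>` messages still cover genuine password failures cannot be confirmed from this view and should be checked against the unpatched filter before shipping. Two side effects are worth recording in the patch header: if one bad password was previously reported by both sshd and pam_unix it counted twice toward maxretry and now counts once, so existing jails become somewhat more lenient; and any failure that only PAM logs is no longer counted at all. I would add a short header paragraph above the `diff -up` line stating the symptom (successful sssd/ldap logins banned because pam_unix logs a failure first — presumably before a later module accepts), the upstream reference fail2ban issue #106, and the expectation that sshd's own messages carry detection from now on.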
diff --git a/fail2ban.spec b/fail2ban.spec
index 92ec5f4..4412ef2 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -1,7 +1,7 @@
 Summary: Ban IPs that make too many password failures
 Name: fail2ban
 Version: 0.8.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://fail2ban.sourceforge.net/
@@ -10,6 +10,9 @@ Source1: fail2ban-logrotate
 Source2: fail2ban-tmpfiles.conf
 Patch0: fail2ban-0.8.3-init.patch
 Patch1: fail2ban-0.8.7.1-sshd.patch
+# Do not use pam_unix failure messages to ban sshd
+# https://github.com/fail2ban/fail2ban/issues/106
+Patch2: fail2ban-0.8.8-sshd-pam.patch
 Patch6: fail2ban-0.8.3-log2syslog.patch
 Patch7: asyncserver.start_selinux.patch
 Patch8: fail2ban-0.8.7.1-notmp.patch
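Review bot: The comment above `Patch2:` says what is removed but not why, nor that the change applies to all hosts rather than only sssd/ldap installs, which is what a packager reading this spec needs before deciding whether to carry the patch forward. I would expand it to `# Drop the pam_unix "authentication failure" pattern from filter.d/sshd.conf: with sssd/ldap it is logged even for logins that a later PAM module accepts, so successful logins got banned. Affects all hosts; genuine failures are still caught by sshd's own messages.` and keep the issue URL on its own line. The "later PAM module accepts" part is my reading of the commit message rather than something this diff shows, so confirm it before adopting the wording.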
@@ -34,6 +37,7 @@ failures. It updates firewall rules to reject the IP address.
 %setup -q
 %patch0 -p1 -b .init
 %patch1 -p1 -b .sshd
+%patch2 -p1 -b .sshd-pam
 %patch6 -p1 -b .log2syslog
 %patch7 -p1 -b .fd_cloexec2
 %patch8 -p1 -b .notmp
@@ -93,6 +97,10 @@ fi
 %dir %{_localstatedir}/lib/fail2ban/
 
 %changelog
+* Fri Jan 18 2013 Orion Poplawski <orion at cora.nwra.com> - 0.8.8-2
+- Add patch to prevent sshd blocks of successful logins for systems that use
+  sssd or ldap
+
 * Mon Dec 17 2012 Orion Poplawski <orion at cora.nwra.com> - 0.8.8-1
 - Update to 0.8.8 (CVE-2012-5642 Bug #887914)
 

