[fail2ban] Add patch to prevent sshd blocks of successful logins for systems that use sssd or ldap
Orion Poplawski
orion at fedoraproject.org
Wed Jan 23 23:47:12 UTC 2013
commit 260f069b94fed7118847cbd29fd4bda9f0818c28
Author: Orion Poplawski <orion at nwra.com>
Date: Wed Jan 23 16:46:59 2013 -0700
Add patch to prevent sshd blocks of successful logins for systems that use
sssd or ldap
fail2ban-0.8.8-sshd-pam.patch | 11 +++++++++++
fail2ban.spec | 10 +++++++++-
2 files changed, 20 insertions(+), 1 deletions(-)
---
diff --git a/fail2ban-0.8.8-sshd-pam.patch b/fail2ban-0.8.8-sshd-pam.patch
new file mode 100644
index 0000000..cfe0772
--- /dev/null
+++ b/fail2ban-0.8.8-sshd-pam.patch
@@ -0,0 +1,11 @@
+diff -up fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam fail2ban-0.8.8/config/filter.d/sshd.conf
+--- fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam 2012-12-05 20:51:29.000000000 -0700
++++ fail2ban-0.8.8/config/filter.d/sshd.conf 2013-01-18 14:29:00.300902426 -0700
+@@ -30,7 +30,6 @@ failregex = ^%(__prefix_line)s(?:error:
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+- ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+
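Review bot: removing the `authentication failure; logname=... rhost=<HOST>` line drops the only failregex in this hunk that matches PAM output, so after this change the sshd jail counts only failures that sshd itself logs (the invalid-user, AllowUsers/DenyUsers/AllowGroups and refused-connect patterns still present in the hunk). That is the trade-off the commit message asks for on sssd/ldap systems, where a login that ultimately succeeds still produces a pam_unix failure message, but it also means a failed password that shows up only as a pam_unix line no longer counts toward a ban. Rather than deleting the pattern silently, keep it in sshd.conf commented out with a one-line note pointing at fail2ban issue 106, so administrators who do not use sssd/ldap can see what was removed and re-enable it.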
diff --git a/fail2ban.spec b/fail2ban.spec
index 92ec5f4..4412ef2 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -1,7 +1,7 @@
Summary: Ban IPs that make too many password failures
Name: fail2ban
Version: 0.8.8
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: http://fail2ban.sourceforge.net/
@@ -10,6 +10,9 @@ Source1: fail2ban-logrotate
Source2: fail2ban-tmpfiles.conf
Patch0: fail2ban-0.8.3-init.patch
Patch1: fail2ban-0.8.7.1-sshd.patch
+# Do not use pam_unix failure messages to ban sshd
+# https://github.com/fail2ban/fail2ban/issues/106
+Patch2: fail2ban-0.8.8-sshd-pam.patch
Patch6: fail2ban-0.8.3-log2syslog.patch
Patch7: asyncserver.start_selinux.patch
Patch8: fail2ban-0.8.7.1-notmp.patch
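Review bot: the comment above Patch2 says what is dropped and links the upstream issue, which is good, but it does not state the user-visible effect; add a second line saying that password failures reported only by pam_unix are no longer matched by the sshd filter, and that the patch should be revisited once https://github.com/fail2ban/fail2ban/issues/106 is resolved upstream, so the next maintainer knows whether it can be dropped.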
@@ -34,6 +37,7 @@ failures. It updates firewall rules to reject the IP address.
%setup -q
%patch0 -p1 -b .init
%patch1 -p1 -b .sshd
+%patch2 -p1 -b .sshd-pam
%patch6 -p1 -b .log2syslog
%patch7 -p1 -b .fd_cloexec2
%patch8 -p1 -b .notmp
@@ -93,6 +97,10 @@ fi
%dir %{_localstatedir}/lib/fail2ban/
%changelog
+* Fri Jan 18 2013 Orion Poplawski <orion at cora.nwra.com> - 0.8.8-2
+- Add patch to prevent sshd blocks of successful logins for systems that use
+ sssd or ldap
+
* Mon Dec 17 2012 Orion Poplawski <orion at cora.nwra.com> - 0.8.8-1
- Update to 0.8.8 (CVE-2012-5642 Bug #887914)
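Review bot: the new changelog entry repeats the commit subject but omits the upstream reference; adding the issue URL (https://github.com/fail2ban/fail2ban/issues/106) here, as the Patch2 comment already does, and a short note that pam_unix failure messages are no longer used for banning, makes the reason for the behaviour change discoverable from `rpm -q --changelog fail2ban` without reading the spec.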