Add patch to prevent sshd blocks of successful logins for systems that use

sssd or ldap
12 years ago · 260f069b94
parent d1c947a719
commit 260f069b94
2 changed files with 20 additions and 1 deletions
--- a/fail2ban-0.8.8-sshd-pam.patch
+++ b/fail2ban-0.8.8-sshd-pam.patch
@ -0,0 +1,11 @@
+diff -up fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam fail2ban-0.8.8/config/filter.d/sshd.conf
+--- fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam	2012-12-05 20:51:29.000000000 -0700
+++ fail2ban-0.8.8/config/filter.d/sshd.conf	2013-01-18 14:29:00.300902426 -0700
+@@ -30,7 +30,6 @@ failregex = ^%(__prefix_line)s(?:error:
+             ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+-            ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+ 
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,7 +1,7 @@
 Summary: Ban IPs that make too many password failures
 Name: fail2ban
 Version: 0.8.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://fail2ban.sourceforge.net/
@ -10,6 +10,9 @@ Source1: fail2ban-logrotate
 Source2: fail2ban-tmpfiles.conf
 Patch0: fail2ban-0.8.3-init.patch
 Patch1: fail2ban-0.8.7.1-sshd.patch
+# Do not use pam_unix failure messages to ban sshd
+# https://github.com/fail2ban/fail2ban/issues/106
+Patch2: fail2ban-0.8.8-sshd-pam.patch
 Patch6: fail2ban-0.8.3-log2syslog.patch
 Patch7: asyncserver.start_selinux.patch
 Patch8: fail2ban-0.8.7.1-notmp.patch
@ -34,6 +37,7 @@ failures. It updates firewall rules to reject the IP address.
 %setup -q
 %patch0 -p1 -b .init
 %patch1 -p1 -b .sshd
+%patch2 -p1 -b .sshd-pam
 %patch6 -p1 -b .log2syslog
 %patch7 -p1 -b .fd_cloexec2
 %patch8 -p1 -b .notmp
@ -93,6 +97,10 @@ fi
 %dir %{_localstatedir}/lib/fail2ban/

 %changelog
+* Fri Jan 18 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-2
+- Add patch to prevent sshd blocks of successful logins for systems that use
+  sssd or ldap
+
 * Mon Dec 17 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-1
 - Update to 0.8.8 (CVE-2012-5642 Bug #887914)