diff --git a/fail2ban-0.8.8-sshd-pam.patch b/fail2ban-0.8.8-sshd-pam.patch
new file mode 100644
index 0000000..cfe0772
--- /dev/null
+++ b/fail2ban-0.8.8-sshd-pam.patch
@@ -0,0 +1,11 @@
+diff -up fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam fail2ban-0.8.8/config/filter.d/sshd.conf
+--- fail2ban-0.8.8/config/filter.d/sshd.conf.sshd-pam 2012-12-05 20:51:29.000000000 -0700
++++ fail2ban-0.8.8/config/filter.d/sshd.conf 2013-01-18 14:29:00.300902426 -0700
+@@ -30,7 +30,6 @@ failregex = ^%(__prefix_line)s(?:error:
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
+ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$
+ ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$
+- ^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
+ ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
+ 
diff --git a/fail2ban.spec b/fail2ban.spec
index 92ec5f4..4412ef2 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -1,7 +1,7 @@
 Summary: Ban IPs that make too many password failures
 Name: fail2ban
 Version: 0.8.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://fail2ban.sourceforge.net/
@@ -10,6 +10,9 @@ Source1: fail2ban-logrotate
 Source2: fail2ban-tmpfiles.conf
 Patch0: fail2ban-0.8.3-init.patch
 Patch1: fail2ban-0.8.7.1-sshd.patch
+# Do not use pam_unix failure messages to ban sshd
+# https://github.com/fail2ban/fail2ban/issues/106
+Patch2: fail2ban-0.8.8-sshd-pam.patch
 Patch6: fail2ban-0.8.3-log2syslog.patch
 Patch7: asyncserver.start_selinux.patch
 Patch8: fail2ban-0.8.7.1-notmp.patch
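Review bot: Dropping the `authentication failure; logname=... rhost=` pattern removes the only failregex in this filter that matches the PAM-emitted line, so a failed login that is reported only through PAM, and not through sshd's own messages matched by the failregex lines above this hunk (not visible here), is no longer counted toward a ban; that is a reasonable trade for the sssd/LDAP false positives the spec comment cites, but the patch file itself carries no rationale. I would add a header above `diff -up` in the .patch file, e.g. `pam_unix logs "authentication failure" for every sssd/LDAP user before pam_sss succeeds, which got successful logins banned (fail2ban#106); rely on sshd's own failure messages instead`, so a future rebase does not silently restore the line. Hosts that still want the PAM message counted can run a separate jail against a PAM-specific filter if the package ships one. Separately, the context and removed lines as rendered here read `from \s*$`, `\(\)` and `rhost=` with no `<HOST>` placeholder; that is most likely the page stripping angle-bracket tokens rather than the patch, but if the on-disk patch really lacks them fail2ban would, as far as I recall, reject the filter for having no host group, so verify the file before building.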
@@ -34,6 +37,7 @@ failures. It updates firewall rules to reject the IP address.
 %setup -q
 %patch0 -p1 -b .init
 %patch1 -p1 -b .sshd
+%patch2 -p1 -b .sshd-pam
 %patch6 -p1 -b .log2syslog
 %patch7 -p1 -b .fd_cloexec2
 %patch8 -p1 -b .notmp
@@ -93,6 +97,10 @@ fi
 %dir %{_localstatedir}/lib/fail2ban/
 %changelog
+* Fri Jan 18 2013 Orion Poplawski - 0.8.8-2
+- Add patch to prevent sshd blocks of successful logins for systems that use
+ sssd or ldap
+
 * Mon Dec 17 2012 Orion Poplawski - 0.8.8-1
 - Update to 0.8.8 (CVE-2012-5642 Bug #887914)