diff --git a/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch b/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch new file mode 100644 index 0000000..a00358f --- /dev/null +++ b/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch 
@@ -0,0 +1,99 @@ +From ca2b94c5229bd474f612b57b67d796252a4aab7a Mon Sep 17 00:00:00 2001 +From: sebres +Date: Tue, 4 Oct 2022 14:03:07 +0200 +Subject: [PATCH] fixes gh-3370: resolve extremely long search by repeated + apply of non-greedy RE `(?:: (?:[^\(]+|\w+\([^\)]*\))+)?` with following + branches (it may be extremely slow up to infinite search depending on + message); added new regression tests amend to gh-3210: fixes regression and + matches new format in aggressive mode too + +--- + ChangeLog | 4 ++++ + config/filter.d/dovecot.conf | 8 +++++--- + fail2ban/tests/files/logs/dovecot | 22 ++++++++++++++++++++++ + 3 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index fc4beade6e..04401ea866 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -11,6 +11,10 @@ ver. 1.0.2-dev-1 (20??/??/??) - development nightly edition + ----------- + + ### Fixes ++* `filter.d/dovecot.conf`: ++ - fixes regression introduced in gh-3210: resolve extremely long search by repeated apply of non-greedy RE-part ++ with following branches (it may be extremely slow up to infinite search depending on message), gh-3370 ++ - fixes regression and matches new format in aggressive mode too (amend to gh-3210) + + ### New Features and Enhancements + +diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf +index 0415ecb40a..dc3ebbcd42 100644 +--- a/config/filter.d/dovecot.conf ++++ b/config/filter.d/dovecot.conf +@@ -7,19 +7,21 @@ before = common.conf + + [Definition] + ++_daemon = (?:dovecot(?:-auth)?|auth) ++ + _auth_worker = (?:dovecot: )?auth(?:-worker)? + _auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )? 
+-_daemon = (?:dovecot(?:-auth)?|auth) ++_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))* + + prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s.+$ + + failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ +- ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?:: (?:[^\(]+|\w+\([^\)]*\))+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++ ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$ + ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) + > + +-mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + + mdre-normal = + +diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot +index 75934c37bb..0e33296129 100644 +--- a/fail2ban/tests/files/logs/dovecot ++++ b/fail2ban/tests/files/logs/dovecot +@@ -115,6 +115,17 @@ Aug 28 06:38:51 s166-62-100-187 dovecot: imap-login: Disconnected (auth failed, + # failJSON: { "time": "2004-08-28T06:38:52", "match": true , "host": "192.0.2.4", "desc": "open parenthesis in optional part between Disconnected and (auth failed ...), gh-3210" } + Aug 28 06:38:52 s166-62-100-187 dovecot: imap-login: Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer (auth failed, 1 attempts in 0 secs): user=, rip=192.0.2.4, lip=127.0.0.19, session= + ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. 
(no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol ++ + # failJSON: { "time": "2004-08-29T03:17:18", "match": true , "host": "192.0.2.133" } + Aug 29 03:17:18 server dovecot: submission-login: Client has quit the connection (auth failed, 1 attempts in 2 secs): user=, method=LOGIN, rip=192.0.2.133, lip=0.0.0.0 + # failJSON: { "time": "2004-08-29T03:53:52", "match": true , "host": "192.0.2.169" } +@@ -128,6 +139,17 @@ Aug 29 15:33:53 server dovecot: managesieve-login: Disconnected: Too many invali + + # filterOptions: [{"mode": "aggressive"}] + ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: 
SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol ++ + # failJSON: { "time": "2004-08-29T16:06:58", "match": true , "host": "192.0.2.5" } + Aug 29 16:06:58 s166-62-100-187 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.5, lip=192.168.1.2, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer + # failJSON: { "time": "2004-08-31T16:15:10", "match": true , "host": "192.0.2.6" } diff --git a/fail2ban.spec b/fail2ban.spec index ab21ecf..8bada15 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
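Review bot: In the added `_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*`, the free-text branch `[^\(]+` can itself consume `: `, so a paren-free run with k `: ` separators can be divided between iterations of the outer `*` in many ways. On a line that ends up not matching, a backtracking engine may try all of them, and the cost appears to grow exponentially in k. The new gh-3370 samples carry only a few separators each, so they would not expose this. Whether a remote client can influence the text between `Disconnected` and the parenthesised reason is not visible here, but if it can, the filter remains a CPU-exhaustion path for the ban daemon. I would add a `"match": false` sample with a long run of `: x` segments to `fail2ban/tests/files/logs/dovecot`, and consider a free-text branch that cannot cross a separator, for example `(?:[^\(:]|:(?! ))+`, after checking it against the existing samples.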
@@ -1,6 +1,6 @@ Name: fail2ban Version: 1.0.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -17,6 +17,8 @@ Source4: Makefile Patch0: fail2ban-partof.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2034205 Patch1: fail2ban-python311.patch +# Patch for dovecot jail eating 100% CPU +Patch2: https://github.com/fail2ban/fail2ban/commit/ca2b94c5229bd474f612b57b67d796252a4aab7a.patch BuildArch: noarch @@ -403,6 +405,9 @@ fi %changelog +* Wed Nov 02 2022 Richard Shaw - 1.0.1-2 +- Add patch for dovecot eating 100% CPU. + * Sun Oct 02 2022 Richard Shaw - 1.0.1-1 - Update to 1.0.1.
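Review bot: `Patch2:` is declared, but no hunk touches `%prep`, which lies outside this diff. If the spec applies patches individually (`%patch0`, `%patch1`) rather than through `%autosetup` or `%autopatch`, the dovecot fix would be shipped in the SRPM without ever being applied to the installed filter. The upstream commit also edits `ChangeLog` and the test logs, so it is worth confirming that it applies cleanly to the 1.0.1 tarball. For traceability I would tie the comment to the upstream issue: `# Patch for dovecot jail eating 100% CPU (upstream gh-3370)`.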