Since the last update of June 11, 2011, fail2ban fails to recognize "SSH intruders" with the filter filter.d/bsd-sshd.conf. I guess the bug was introduced with the introduction of supporting verbose output of syslog, the patch from June 11.

In filter.d/common.conf the __prefix_line is now defined as

    __prefix_line = \s*%(__bsd_verbose_mode)s(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

But isn't the __bsd_verbose_mode now mandatory this way? I think __prefix_line shall be defined as

    __prefix_line = \s*%(__bsd_verbose_mode)s?(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

(add a "?" after "%(__bsd_verbose_mode)s")

I tested with fail2ban-regex: With the original line from the ports I get 0 hits on the log file, with my modified line I get > 1000 hits.

And the comment above that line still reads

    # [hostname] [vserver tag] daemon_id spaces

But shouldn't it read

    # [verbose] [hostname] [vserver tag] daemon_id spaces

Fix:
See above: __bsd_verbose_mode shall be optional (add a "?" after it)

How-To-Repeat:
In /usr/local/etc/fail2ban run

    fail2ban-regex /var/log/auth.log filter.d/bsd-sshd.conf filter.d/bsd-sshd.conf

and check for the number of hits
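The effect described in the report, reproduced as an added example that is not part of the original PR or the port's code. The values of `__bsd_verbose_mode` and `__daemon_combs_re`, the failure pattern and the log lines are assumptions constructed for illustration, since the page does not show them; Python's `%` formatting stands in for the config file's `%(name)s` interpolation. It also checks one case beyond the report: the appended `?` only makes the tag optional when the substituted value is a single group.

```python
import re

# Assumed stand-ins: the page does not show these common.conf definitions.
GROUPED = {
    "__bsd_verbose_mode": r"(?:<[^.>]+\.[^.>]+> )",  # matches e.g. "<auth.info> "
    "__daemon_combs_re": r"(?:sshd(?:\[\d+\])?: )",
}
# Same tag pattern without the enclosing group, to show why grouping matters.
UNGROUPED = dict(GROUPED, __bsd_verbose_mode=r"<[^.>]+\.[^.>]+> ")

# The two __prefix_line values quoted in the report.
PREFIX_PORT = r"\s*%(__bsd_verbose_mode)s(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*"
PREFIX_FIXED = r"\s*%(__bsd_verbose_mode)s?(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*"

# Constructed failure pattern and log lines (timestamps omitted).
FAIL_TAIL = r"Invalid user \S+ from (?P<host>\S+)$"
PLAIN = [
    "gw sshd[811]: Invalid user admin from 192.0.2.10",
    "gw sshd[812]: Invalid user test from 192.0.2.11",
]
VERBOSE = ["<auth.info> gw sshd[813]: Invalid user oracle from 192.0.2.12"]


def count_hits(prefix_template, defs, lines):
    """Expand the %(name)s references, then count the lines that match."""
    regex = re.compile("^" + (prefix_template % defs) + FAIL_TAIL)
    return sum(1 for line in lines if regex.search(line))


if __name__ == "__main__":
    for name, tmpl in (("port", PREFIX_PORT), ("fixed", PREFIX_FIXED)):
        print(name, "plain:", count_hits(tmpl, GROUPED, PLAIN),
              "verbose:", count_hits(tmpl, GROUPED, VERBOSE))
    # With an ungrouped value, "?" binds only to the trailing space,
    # so the "<facility.level>" tag is still required.
    print("fixed, ungrouped tag, plain:",
          count_hits(PREFIX_FIXED, UNGROUPED, PLAIN))
```

A filter that silently drops to 0 hits bans nothing, so re-running the hit count against a real auth.log after any change to common.conf is the check that catches this class of regression.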
I have the same issue with fail2ban. After adding "?" to the end of "%(__bsd_verbose_mode)s", fail2ban works again and bans attackers successfully! Please inspect filter.d/common.conf for correct support of syslogd verbose mode.
State Changed From-To: open->feedback I'll take it!
Responsible Changed From-To: freebsd-ports-bugs->ohauer I'll take it!
Hi Anton,

can you send a "diff -u" of the changed line?

It seems the maintainer (tony) got no notice of the PR, so I added him to this mail.

--
olli
Folks,

I am not so sure why pgollucci added me as the maintainer for the port, wishful thinking on his part I think.
I think a new maintainer should be sourced.

On Tue, Jul 19, 2011 at 12:18:29AM +0200, Olli Hauer wrote:
> Hi Anton,
>
> can you send a "diff -u" of the changed line?
>
> It seems the maintainer (tony) got no notice of
> the PR, so I added him to this mail.
>
> --
> olli
>

--
Cheers,
Tony
---------------------------------------
Tony Stevenson
tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk
http://blog.pc-tony.com
GPG - 1024D/51047D66
--------------------------------------
On 2011-07-19 00:21, Tony Stevenson wrote:
> Folks,
>
> I am not so sure why pgollucci added me as the maintainer for the port, wishful thinking on his part I think.
> I think a new maintainer should be sourced.

Hi Tony,

I will transfer the port to ports@.

@Christoph, Anton
Anyone interested to take over maintainer for the port?

> On Tue, Jul 19, 2011 at 12:18:29AM +0200, Olli Hauer wrote:
>> Hi Anton,
>>
>> can you send a "diff -u" of the changed line?
>>
>> It seems the maintainer (tony) got no notice of
>> the PR, so I added him to this mail.
>>
>> --
>> olli
>>
>
Hi!

On 19.07.2011 07:39, Olli Hauer wrote:
> @Christoph, Anton
> Anyone interested to take over maintainer for the port?

If no one else is volunteering, I can do so. fail2ban seems to be a quiet port with not so many changes in the past.

Best regards
Christoph
ohauer 2011-07-31 22:23:40 UTC

FreeBSD ports repository

Modified files:
  security/py-fail2ban        Makefile
  security/py-fail2ban/files  patch-common.conf

Log:
- fix reg. expression in filter.d/common.conf
- over to new maintainer

PR: ports/157979
Submitted by: Christoph Theis <theis _at_ gmx.at> (new maintainer)

Revision  Changes  Path
1.11      +2 -2    ports/security/py-fail2ban/Makefile
1.2       +1 -1    ports/security/py-fail2ban/files/patch-common.conf
State Changed From-To: feedback->closed Committed and over to new volunteer. Thanks!