#17 "Last output repeated -xxx- times" problems

Status: open
Labels: None
Priority: 5
Updated: 2006-12-22
Created: 2006-12-22
Private: No

Hi Cyril ;)

Fail2Ban 0.7.5 fails to quickly detect an intrusion burst with the same user. My pwdfail log presents the lines below. Fail2Ban actually bans the intruders but only after 14*3 attempts. This case doesn't seem to be handled yet.

And happy new year ;)

Dec 21 12:35:22 [sshd] Invalid user test from 210.209.130.230
- Last output repeated 14 times -
Dec 21 12:36:11 [sshd] Invalid user tester from 210.209.130.230
- Last output repeated 14 times -
Dec 21 12:36:52 [sshd] Invalid user testing from 210.209.130.230
- Last output repeated 14 times -
Dec 21 12:37:33 [sshd] Invalid user testbox from 210.209.130.230
Dec 21 12:37:36 [sshd] Invalid user guest from 210.209.130.230
Dec 21 16:53:45 [sshd] Invalid user test from 82.165.182.220
- Last output repeated 14 times -
Dec 21 16:54:04 [sshd] Invalid user tester from 82.165.182.220
- Last output repeated 14 times -
Dec 21 16:54:24 [sshd] Invalid user testing from 82.165.182.220
- Last output repeated 14 times -
Dec 21 16:54:44 [sshd] Invalid user testbox from 82.165.182.220
Dec 21 16:54:46 [sshd] Invalid user guest from 82.165.182.220

Discussion

  • Cyril Jaquier

    Cyril Jaquier - 2006-12-22

    Logged In: YES
    user_id=933467
    Originator: NO

    Hi Kévin ;)

    You're right, this case is not handled yet. This is more a problem with your syslog daemon. Some syslog daemons have an option to disable this, but I don't know of one on Linux :( The problem is that when "Last output repeated X times" is written to the log file, there have already been X+1 attempts, which can be more than "maxretry".

    I will try to fix this, but it will probably be in the next development branch (0.9).

    Thank you and happy new year ;)

    P.S. I move this to "Bugs"
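
The compression the report above shows, and the X+1 point made in the reply: an added example (not Fail2Ban's code, nor anything posted in this ticket) that runs a naive per-line failure count beside a count that expands each "- Last output repeated N times -" marker into N further attempts by the host of the preceding matching line, then applies a maxretry/findtime ban rule to both. The log is constructed in the Metalog layout of the ticket with RFC 5737 documentation addresses; the year 2006 is assumed because syslog stamps carry none; FAILREGEX, failures, count_failures and hosts_to_ban are the example's own names, and the "banned once maxretry failures fall inside a sliding findtime window" rule is this example's assumption about how a jail counts.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Metalog-style log (not the reporter's). Addresses are RFC 5737
# documentation ranges; the layout mirrors the ticket: three usernames tried
# 15 times each (one line plus a "repeated 14 times" marker), then two more.
# The cron line checks that a repeat marker following an unrelated message
# is not credited to the last SSH failure.
SAMPLE_LOG = """\
Dec 21 12:35:22 [sshd] Invalid user test from 192.0.2.10
- Last output repeated 14 times -
Dec 21 12:36:11 [sshd] Invalid user tester from 192.0.2.10
- Last output repeated 14 times -
Dec 21 12:36:52 [sshd] Invalid user testing from 192.0.2.10
- Last output repeated 14 times -
Dec 21 12:37:33 [sshd] Invalid user testbox from 192.0.2.10
Dec 21 12:37:36 [sshd] Invalid user guest from 192.0.2.10
Dec 21 12:38:00 [cron] (root) CMD (run-parts /etc/cron.hourly)
- Last output repeated 2 times -
Dec 21 12:40:01 [sshd] Invalid user admin from 198.51.100.7
Dec 21 12:40:05 [sshd] Invalid user admin from 198.51.100.7
"""

# Hypothetical failregex in the spirit of a Fail2Ban sshd filter, restricted
# to the one message shape the ticket shows.
FAILREGEX = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \[sshd\] "
    r"Invalid user \S+ from (?P<host>\S+)$"
)
# Metalog's compression marker, exactly as it appears in the ticket.
REPEATREGEX = re.compile(r"^- Last output repeated (?P<n>\d+) times -$")

LOG_YEAR = 2006  # assumption: syslog stamps carry no year


def parse_time(stamp, year=LOG_YEAR):
    """Turn 'Dec 21 12:35:22' into a datetime (year assumed)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def failures(log_text, expand_repeats=True):
    """Yield (timestamp, host) once per failed attempt.

    With expand_repeats=False a repeat marker is ignored, which is the
    per-line behaviour the ticket complains about.  With expand_repeats=True
    a '- Last output repeated N times -' line is credited as N further
    attempts by the host of the immediately preceding matching line, stamped
    with that line's time (the marker itself carries none), so the first
    marker already stands for N+1 attempts, as the reply points out.
    """
    last = None  # (time, host) of the previous matching line, if any
    for line in log_text.splitlines():
        rep = REPEATREGEX.match(line)
        if rep:
            if expand_repeats and last is not None:
                for _ in range(int(rep["n"])):
                    yield last
            continue
        m = FAILREGEX.match(line)
        if m:
            last = (parse_time(m["time"]), m["host"])
            yield last
        else:
            last = None  # the next marker refers to an unrelated message


def count_failures(log_text, expand_repeats=True):
    """Total failed attempts per host."""
    return dict(Counter(host for _, host in failures(log_text, expand_repeats)))


def hosts_to_ban(log_text, maxretry=5, findtime=600, expand_repeats=True):
    """Return {host: time of the attempt that tripped the ban}.

    Rule assumed here: a host is banned once it has accumulated maxretry
    failures inside a sliding findtime window (seconds).  The parameter
    names follow Fail2Ban's jail options; the window logic is the example's.
    """
    window = defaultdict(list)  # host -> timestamps of recent failures
    banned = {}
    for when, host in failures(log_text, expand_repeats):
        if host in banned:
            continue
        recent = [t for t in window[host] if (when - t).total_seconds() <= findtime]
        recent.append(when)
        window[host] = recent
        if len(recent) >= maxretry:
            banned[host] = when
    return banned


if __name__ == "__main__":
    for expand in (False, True):
        print("expand_repeats =", expand)
        print("  failures per host:", count_failures(SAMPLE_LOG, expand))
        print("  banned:", hosts_to_ban(SAMPLE_LOG, expand_repeats=expand))
```

On the constructed log the naive count sees 5 failures from 192.0.2.10 and bans it at the fifth line (12:37:36), after 47 real attempts; the expanded count sees all 47 and bans at the first marker (12:35:22). The expansion stamps the repeated attempts with the preceding line's time, which is the only time available, so a findtime check cannot spread them out; and it resets on any non-matching line so that a marker compressing, say, cron output is not charged to the last SSH client.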

  • Cyril Jaquier

    Cyril Jaquier - 2006-12-22
    • assigned_to: nobody --> lostcontrol
  • Kevin Drapel

    Kevin Drapel - 2006-12-22

    Logged In: YES
    user_id=1128141
    Originator: YES

    I checked what was going on in Metalog (which is slowly becoming unsupported; the last official release on SF was in late 2005). It is actually related to the logger, but there is no way to easily disable this behavior, which seems to be hardcoded. A patch is necessary (for those interested, search for "LAST_OUTPUT" in metalog.c).

    Maybe something to report in the documentation of Fail2Ban. I didn't notice this before because most kiddies use a script that changes the username for each connection, which results in one line per attempt in the log. This exotic hacker kept the same username with various passwords across the connections, producing a compressed output. How nice and efficient :)

    I will switch to another logger.

  • Serge Chernyavsky

    Hi Cyril,

    I saw a patch submitted for this issue a long time ago (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440037) which seems to be irrelevant to the code of the 0.8.4 version.

    Is it still going to be fixed in the 0.9 branch, or is there a slight chance to fix it in 0.8?
