#57 Action includes not working

v1.0 (example)
open
nobody
5
2010-10-07
2010-10-07
John Bayly
No

I'm running the FreeBSD fail2ban port and discovered a problem after finding that failed ssh logins weren't being banned. After using fail2ban-regex on the bsd-ssh filter, I found there was a "Bad value substitution" error. Thinking this was a bug in the ported config, I tested against the stock sshd filter and found the same error:

Running tests

Use regex file : sshd.conf
Traceback (most recent call last):
  File "/usr/local/bin/fail2ban-regex", line 362, in <module>
    if fail2banRegex.readRegex(sys.argv[2]) == False:
  File "/usr/local/bin/fail2ban-regex", line 177, in readRegex
    for m in reader.get("Definition", "failregex").split('\n')]
  File "/usr/local/lib/python2.6/ConfigParser.py", line 546, in get
    return self._interpolate(section, option, value, d)
  File "/usr/local/lib/python2.6/ConfigParser.py", line 614, in _interpolate
    self._interpolate_some(option, L, rawval, section, vars, 1)
  File "/usr/local/lib/python2.6/ConfigParser.py", line 646, in _interpolate_some
    option, section, rest, var)
ConfigParser.InterpolationMissingOptionError: Bad value substitution:
section: [Definition]
option : failregex
key : __prefix_line
rawval : (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$

The __prefix_line variable is defined in common.conf, and sshd.conf includes common.conf. However, it appears that common.conf isn't being included. If I simply copy & paste the definitions from common.conf into sshd.conf the filter executes properly.

The FreeBSD port isn't patching any of the stock fail2ban files, merely adding additional filters. Has anyone else experienced this problem?

John
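
A minimal reproduction of the symptom reported above, added here as an example (not fail2ban's code and not part of the original report): a filter whose `failregex` uses `%(__prefix_line)s` raises the same interpolation error when only the filter file is read, and resolves once the file named under `[INCLUDES]` is loaded first. It assumes, as the report suspects, that the reader ignores `[INCLUDES]`; the file contents are constructed stand-ins, `read_with_includes` is a hypothetical helper, and it uses Python 3's `configparser` rather than the Python 2.6 `ConfigParser` in the traceback.

```python
import configparser
import os
import tempfile

# Constructed, cut-down stand-ins for common.conf and sshd.conf (not the shipped files).
COMMON_CONF = r"""[DEFAULT]
__prefix_line = \s*sshd(?:\[\d+\])?:\s*
"""
SSHD_CONF = r"""[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
"""

def write_demo_filters():
    """Write both constructed files to a temp dir and return the sshd.conf path."""
    directory = tempfile.mkdtemp()
    for name, body in (("common.conf", COMMON_CONF), ("sshd.conf", SSHD_CONF)):
        with open(os.path.join(directory, name), "w") as handle:
            handle.write(body)
    return os.path.join(directory, "sshd.conf")

def read_plain(path):
    """Read only the filter file; [INCLUDES] is treated as an ordinary section."""
    parser = configparser.ConfigParser()
    parser.read(path)
    return parser.get("Definition", "failregex")

def read_with_includes(path):
    """Hypothetical helper: load files named in [INCLUDES] 'before' first."""
    probe = configparser.RawConfigParser()
    probe.read(path)
    files = []
    if probe.has_option("INCLUDES", "before"):
        base = os.path.dirname(path)
        files = [os.path.join(base, n) for n in probe.get("INCLUDES", "before").split()]
    parser = configparser.ConfigParser()
    parser.read(files + [path])
    return parser.get("Definition", "failregex")

if __name__ == "__main__":
    conf = write_demo_filters()
    try:
        read_plain(conf)
    except configparser.InterpolationMissingOptionError as err:
        print("plain read fails on key:", err.reference)
    print("with includes:", read_with_includes(conf))
```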
