diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile index dd076aeb1a05..789a7f54c903 100644 --- a/security/py-fail2ban/Makefile +++ b/security/py-fail2ban/Makefile @@ -1,84 +1,84 @@ PORTNAME= fail2ban DISTVERSION= 1.0.1 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} MAINTAINER= cy@FreeBSD.org COMMENT= Scans log files and bans IP that makes too many password failures WWW= https://www.fail2ban.org/wiki/index.php/Main_Page LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYING RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}sqlite3>0:databases/py-sqlite3@${PY_FLAVOR} USES= cpe python:3.6+,patch,run shebangfix USE_GITHUB= yes USE_PYTHON= autoplist distutils PYDISTUTILS_BUILDARGS+= --without-tests PYDISTUTILS_INSTALLARGS+= --install-data=${ETCDIR} USE_RC_SUBR= fail2ban SHEBANG_FILES= config/filter.d/ignorecommands/apache-fakegooglebot SHEBANG_LANG= fail2ban-python NO_ARCH= yes SUB_LIST+= PYTHON_CMD=${PYTHON_CMD} PORTDOCS= DEVELOP README.md OPTIONS_DEFINE= DOCS INOTIFY OPTIONS_DEFAULT= INOTIFY INOTIFY_DESC= Support for (lib)inotify to monitor filesystem changes INOTIFY_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pyinotify>=0.8.3:devel/py-pyinotify@${PY_FLAVOR} FILES= ${WRKSRC}/bin/fail2ban-client \ ${WRKSRC}/fail2ban/client/configreader.py \ ${WRKSRC}/fail2ban/client/fail2bancmdline.py \ ${WRKSRC}/fail2ban/client/fail2banregex.py \ ${WRKSRC}/man/fail2ban-client.1 \ ${WRKSRC}/man/fail2ban-client.h2m ${WRKSRC}/setup.py MAN_FILES= ${WRKSRC}/man/fail2ban-client.1 \ ${WRKSRC}/man/fail2ban-client.h2m \ ${WRKSRC}/man/fail2ban-regex.1 ${WRKSRC}/man/fail2ban-server.1 \ ${WRKSRC}/man/fail2ban.1 FAIL2BAN_DBDIR= /var/db/${PORTNAME} PY2TO3_CMD= ${LOCALBASE}/bin/2to3-${PYTHON_VER} PY2TO3_ARG= --no-diffs --write --nobackups --fix=all post-patch: @${REINPLACE_CMD} -e 's,/etc/fail2ban,${ETCDIR},g' ${FILES} @${REINPLACE_CMD} -e 's,paths-debian.conf,paths-freebsd.conf,g' \ ${WRKSRC}/config/jail.conf @${REINPLACE_CMD} -e 's,/var/lib/fail2ban/,${FAIL2BAN_DBDIR}/,g' \ ${WRKSRC}/config/fail2ban.conf @${REINPLACE_CMD} -e 's,jail.conf(5),fail2ban-jail.conf(5),g' \ ${MAN_FILES} @${REINPLACE_CMD} -e 's, sed , ${SED} ,g' \ ${WRKSRC}/config/action.d/hostsdeny.conf # XXX Ideally this should be in do-build but it only works in # XXX post-patch (cd ${WRKSRC}/ && ${PY2TO3_CMD} ${PY2TO3_ARG} bin/* fail2ban) post-install: @${MKDIR} ${STAGEDIR}${FAIL2BAN_DBDIR} ${STAGEDIR}/var/run/fail2ban .for file in fail2ban-client fail2ban-regex fail2ban-server fail2ban ${INSTALL_MAN} ${WRKSRC}/man/${file}.1 ${STAGEDIR}${MANPREFIX}/man/man1 .endfor ${INSTALL_MAN} ${WRKSRC}/man/jail.conf.5 ${STAGEDIR}${MANPREFIX}/man/man5/fail2ban-jail.conf.5 post-install-DOCS-on: @${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${WRKSRC}/ && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}) do-test: @cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test .include diff --git a/security/py-fail2ban/files/patch-ISSUE-3370 b/security/py-fail2ban/files/patch-ISSUE-3370 new file mode 100644 index 000000000000..74e5a98cad01 --- /dev/null +++ b/security/py-fail2ban/files/patch-ISSUE-3370 @@ -0,0 +1,87 @@ +From ca2b94c5229bd474f612b57b67d796252a4aab7a Mon Sep 17 00:00:00 2001 +From: sebres +Date: Tue, 4 Oct 2022 14:03:07 +0200 +Subject: [PATCH] fixes gh-3370: resolve extremely long search by repeated + apply of non-greedy RE `(?:: (?:[^\(]+|\w+\([^\)]*\))+)?` with following + branches (it may be extremely slow up to infinite search depending on + message); added new regression tests amend to gh-3210: fixes regression and + matches new format in aggressive mode too + +--- + ChangeLog | 4 ++++ + config/filter.d/dovecot.conf | 8 +++++--- + fail2ban/tests/files/logs/dovecot | 22 ++++++++++++++++++++++ + 3 files changed, 31 insertions(+), 3 deletions(-) + +diff --git config/filter.d/dovecot.conf config/filter.d/dovecot.conf +index 0415ecb4..dc3ebbcd 100644 +--- config/filter.d/dovecot.conf ++++ config/filter.d/dovecot.conf +@@ -7,19 +7,21 @@ before = common.conf + + [Definition] + ++_daemon = (?:dovecot(?:-auth)?|auth) ++ + _auth_worker = (?:dovecot: )?auth(?:-worker)? + _auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )? +-_daemon = (?:dovecot(?:-auth)?|auth) ++_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))* + + prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s.+$ + + failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ +- ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?:: (?:[^\(]+|\w+\([^\)]*\))+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++ ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$ + ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch) + > + +-mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ ++mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + + mdre-normal = + +diff --git fail2ban/tests/files/logs/dovecot fail2ban/tests/files/logs/dovecot +index 75934c37..0e332961 100644 +--- fail2ban/tests/files/logs/dovecot ++++ fail2ban/tests/files/logs/dovecot +@@ -115,6 +115,17 @@ Aug 28 06:38:51 s166-62-100-187 dovecot: imap-login: Disconnected (auth failed, + # failJSON: { "time": "2004-08-28T06:38:52", "match": true , "host": "192.0.2.4", "desc": "open parenthesis in optional part between Disconnected and (auth failed ...), gh-3210" } + Aug 28 06:38:52 s166-62-100-187 dovecot: imap-login: Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer (auth failed, 1 attempts in 0 secs): user=, rip=192.0.2.4, lip=127.0.0.19, session= + ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol ++ + # failJSON: { "time": "2004-08-29T03:17:18", "match": true , "host": "192.0.2.133" } + Aug 29 03:17:18 server dovecot: submission-login: Client has quit the connection (auth failed, 1 attempts in 2 secs): user=, method=LOGIN, rip=192.0.2.133, lip=0.0.0.0 + # failJSON: { "time": "2004-08-29T03:53:52", "match": true , "host": "192.0.2.169" } +@@ -128,6 +139,17 @@ Aug 29 15:33:53 server dovecot: managesieve-login: Disconnected: Too many invali + + # filterOptions: [{"mode": "aggressive"}] + ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1 ++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" } ++Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol ++ + # failJSON: { "time": "2004-08-29T16:06:58", "match": true , "host": "192.0.2.5" } + Aug 29 16:06:58 s166-62-100-187 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.5, lip=192.168.1.2, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer + # failJSON: { "time": "2004-08-31T16:15:10", "match": true , "host": "192.0.2.6" } +-- +2.38.0 +