fail2ban is insecure by design

To quote the fail2ban web site:

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

Well, it also scans /var/log/auth.log which is a file written by syslog. Combined with my previous blog entry, you can already see where this is going.

fail2ban uses a simple regex based scheme for parsing the login failure logs, for example for the sshd service (one of many):

^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$


You can easily turn around fail2ban to work for you, an unprivileged user (do this 5 times or so):

logger -p auth.info -i -t sshd "Failed password for root from 10.3.3.3 port 3333 ssh2"

If fail2ban runs in it’s default configuration you have now inhibited all traffic from 10.3.3.3.

Congratulations.