New filter for vnc or screensharingd on OS X 10.9 #1008

Open
peter021 opened this issue Mar 28, 2015 · 6 comments

Comments

@peter021

peter021 commented Mar 28, 2015

I created this filter and it seems to work:

# Fail2Ban filter for screensharingd or vnc
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:screensharingd|vnc)

failregex = Authentication: FAILED :: User Name: .* :: Viewer Address: <HOST> :: Type: .*

ignoreregex =
# Author: Peter Franzén
@leeclemens (Contributor)

Awesome, care to share with a pull request?

@yarikoptic (Member)

yarikoptic commented Jul 8, 2015

note that .* on both sides of <HOST> is a bad sign, making it possible to
inject victim IPs... make .* more specific and anchor (ideally on both
ends ;) )

Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org

@peter021 (Author)

peter021 commented Jul 8, 2015

I'd be happy to share, but how do I perform a "pull request"? (Please forgive the non-developer newbie..)
Here's what I did instead, is it better? :)

# Fail2Ban filter for vnc or screensharingd
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:screensharingd|vnc)

failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .*? :: Viewer Address: <HOST> :: Type: (?:DH|.*?)$  

ignoreregex = 

# Author: Peter Franzén, 2015

I've tested it, using fail2ban-regex, and it still matches the occurrences in my log:

Jul  8 11:16:06 MYHOST screensharingd[MYPID]: Authentication: FAILED :: User Name: SOMEUSER :: Viewer Address: MYSUBNET.202 :: Type: DH

As for the jail, it is configured like this:

[vnc]
enabled = true
filter = vnc
port = 5900
action = osx-ipfw[protocol=all,port=5900,localhost=me]
logpath = /var/log/system.log
maxretry = 8

Note the keyword "me"..

As for the action I made this change:

[Init]

# Option:  port
# Notes.:  specifies port to block. Can be blank however may require block="ip"
# Values:  [ NUM | STRING ]
#
# port = ssh
port =

# Option:  dst
# Notes.:  the local IP address of the network interface
# Values:  IP, any, me or anything support by ipfw as a dst
#
dst = me

Kind regards,
Peter
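To make Yaroslav's warning concrete, here is an added Python check (written for this page; it is not part of the issue thread nor fail2ban's own code) that runs the two failregex variants posted above, plus a hardened one, over constructed log lines: one genuine failure and one where the attacker's user name embeds a fake ":: Viewer Address:" field. `HOST` and `PREFIX_LINE` are simplified stand-ins for what fail2ban substitutes for `<HOST>` and `%(__prefix_line)s`, assumed here for the demo; the host name, PID and addresses are made up.

```python
import re

# Simplified stand-in for the pattern fail2ban substitutes for <HOST>
# (assumption: the real one also covers IPv6 forms; this is enough here).
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Assumed stand-in for %(__prefix_line)s from common.conf, matching a BSD
# syslog prefix such as "Jul  8 11:16:06 MYHOST screensharingd[345]: ".
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ (?:screensharingd|vnc)\[\d+\]: "

# The first filter posted in the issue: unanchored, greedy .* on both sides of <HOST>.
LOOSE = (r"Authentication: FAILED :: User Name: .* :: Viewer Address: "
         + HOST + r" :: Type: .*")

# The reworked filter from the follow-up comment: anchored at both ends, but the
# non-greedy .*? plus the permissive tail (?:DH|.*?)$ lets the tail absorb anything.
NONGREEDY = (r"^" + PREFIX_LINE
             + r"Authentication: FAILED :: User Name: .*? :: Viewer Address: "
             + HOST + r" :: Type: (?:DH|.*?)$")

# Hardened variant (added here): greedy user-name match and a strict, anchored
# tail (\S+$), so the rightmost "Viewer Address" on the line, the one written by
# the daemon rather than the one embedded in a chosen user name, is captured.
HARDENED = (r"^" + PREFIX_LINE
            + r"Authentication: FAILED :: User Name: .* :: Viewer Address: "
            + HOST + r" :: Type: \S+$")

# Constructed sample lines (not real log data).
GENUINE = ("Jul  8 11:16:06 macbook screensharingd[345]: Authentication: FAILED "
           ":: User Name: alice :: Viewer Address: 10.0.0.202 :: Type: DH")
# An attacker at 203.0.113.9 typed a user name that mimics the rest of a log
# line, hoping the filter will pick 192.0.2.1 (a victim) as the host to ban.
INJECTED = ("Jul  8 11:16:09 macbook screensharingd[345]: Authentication: FAILED "
            ":: User Name: bob :: Viewer Address: 192.0.2.1 :: Type: DH"
            " :: Viewer Address: 203.0.113.9 :: Type: DH")


def extract_host(pattern, line):
    """Return the <host> group the pattern would hand to fail2ban, or None."""
    m = re.search(pattern, line)
    return m.group("host") if m else None


def compare(line):
    """Run all three regexes over one line; returns {name: host-or-None}."""
    return {name: extract_host(p, line)
            for name, p in (("loose", LOOSE),
                            ("nongreedy", NONGREEDY),
                            ("hardened", HARDENED))}


if __name__ == "__main__":
    for label, line in (("genuine", GENUINE), ("injected", INJECTED)):
        print(label, compare(line))
```

On the injected line the non-greedy variant returns 192.0.2.1, the address the attacker chose, because `.*?` stops at the first ":: Viewer Address:" and `(?:DH|.*?)$` happily swallows the rest of the line. The hardened variant returns 203.0.113.9, the address the daemon wrote. The greedy, unanchored original also lands on 203.0.113.9, but only through backtracking order rather than by design. As a filter line the hardened form would read `failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .* :: Viewer Address: <HOST> :: Type: \S+$`; it relies on syslog writing the daemon's message unchanged to the end of the line.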

@timlukens

How do I go about adding this to my fail2ban installation? I'm a little confused on this stuff.

@peter021 (Author)

In my case I've got the fail2ban config situated at /usr/local/etc/fail2ban. There is a subfolder named 'filter'. Look what's in there, and save a file that looks like the others with the contents above.
Edit your jail.local or jail.conf as above to call the new filter. You may need different actions, etc.
In the subfolder 'action' open the corresponding file and make sure there is no restriction in there as to what port is to be blocked. That will ensure the block is actually enforced.
Restart fail2ban and verify.

@timlukens

Awesome, thank you.
