In message <pqrnp6nq-7p8o-19o4-pq24-26p19qr73...@mx.roble.com>, Roger Marquis writes:
> Cy Schubert wrote:
> > Michael Grimm writes:
> >> this is a recent stable/13-n252672-2bd3dbe3dd6 running
> >> py39-fail2ban-1.0.1_2 and python39-3.9.14
> >> I have been running fail2ban for years now, but immediately after
> >> upgrading py39-fail2ban from 0.11.2 to 1.0.1 the fail2ban-server will
> >> end up as a runaway process consuming all CPU time. This happens between
> >> 4 to 24 hours after initial fail2ban-server startup.
>
> Am running fail2ban-1.0.1_2 and python38-3.8.14 did have a similar
> startup issue.  Could not use the 'service' command and had to resort
> to 'kill -9' to stop.  Fix for that was to delete /var/{run,db}/fail2ban/*
> and restart.
>
> Still seeing relatively high CPU utilization compared to the previous
> version though it rotates cores quickly.
>
>      PID USERNAME THR PRI NICE SIZE RES STATE C  TIME    WCPU COMMAND
>    67125 root      17  20    0  74M 12M uwait 8 23.7H 102.94% python3.8
>
> Voluntary Context Switches seem high compared to other processes though
> have no previous benchmark to compare.
>
>      PID USERNAME VCSW IVCSW  READ WRITE FAULT TOTAL PERCENT COMMAND
>    67125 root     5907    23     0     0     0     0   0.00% python3.8
>
> Only reading from 5 logfiles; kernel is 12.3-RELEASE-p7; fail2ban built
> from ports; truss reporting mostly "ERR#60 'Operation timed out'"...
>
> Roger Marquis
>

I've been able to reproduce the problem here. Please try the attached patch 
obtained from our upstream. It fixes a dovecot regression that crept into 
the latest release.



From 5238999eb7b9383215feaff59d75b21981497653 Mon Sep 17 00:00:00 2001
From: Cy Schubert <cy@FreeBSD.org>
Date: Mon, 10 Oct 2022 21:03:28 -0700
Subject: [PATCH] security/py-fail2ban: Import fix for upstream issue gh-3370

Fix dovecot jail causes 100% CPU usage (upstream GH issue 3370)

Reported by:	Michael Grimm <trashcan@ellael.org>
		Roger Marquis <marquis@roble.com>
Obtained from:	https://github.com/fail2ban/fail2ban/issues/3370
		Upstream commit ca2b94c5
MFH		2022Q4
---
 security/py-fail2ban/Makefile               |  2 +-
 security/py-fail2ban/files/patch-ISSUE-3370 | 87 +++++++++++++++++++++
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 security/py-fail2ban/files/patch-ISSUE-3370

diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile
index dd076aeb1a05..789a7f54c903 100644
--- a/security/py-fail2ban/Makefile
+++ b/security/py-fail2ban/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	fail2ban
 DISTVERSION=	1.0.1
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security python
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
 
diff --git a/security/py-fail2ban/files/patch-ISSUE-3370 b/security/py-fail2ban/files/patch-ISSUE-3370
new file mode 100644
index 000000000000..74e5a98cad01
--- /dev/null
+++ b/security/py-fail2ban/files/patch-ISSUE-3370
@@ -0,0 +1,87 @@
+From ca2b94c5229bd474f612b57b67d796252a4aab7a Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Tue, 4 Oct 2022 14:03:07 +0200
+Subject: [PATCH] fixes gh-3370: resolve extremely long search by repeated
+ apply of non-greedy RE `(?:: (?:[^\(]+|\w+\([^\)]*\))+)?` with following
+ branches (it may be extremely slow up to infinite search depending on
+ message); added new regression tests amend to gh-3210: fixes regression and
+ matches new format in aggressive mode too
+
+---
+ ChangeLog                         |  4 ++++
+ config/filter.d/dovecot.conf      |  8 +++++---
+ fail2ban/tests/files/logs/dovecot | 22 ++++++++++++++++++++++
+ 3 files changed, 31 insertions(+), 3 deletions(-)
+
+diff --git config/filter.d/dovecot.conf config/filter.d/dovecot.conf
+index 0415ecb4..dc3ebbcd 100644
+--- config/filter.d/dovecot.conf
++++ config/filter.d/dovecot.conf
+@@ -7,19 +7,21 @@ before = common.conf
+ 
+ [Definition]
+ 
++_daemon = (?:dovecot(?:-auth)?|auth)
++
+ _auth_worker = (?:dovecot: )?auth(?:-worker)?
+ _auth_worker_info = (?:conn \w+:auth(?:-worker)? \([^\)]+\): auth(?:-worker)?<\d+>: )?
+-_daemon = (?:dovecot(?:-auth)?|auth)
++_bypass_reject_reason = (?:: (?:\w+\([^\):]*\) \w+|[^\(]+))*
+ 
+ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?%(_auth_worker_info)s<F-CONTENT>.+</F-CONTENT>$
+ 
+ failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
+-            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?:: (?:[^\(]+|\w+\([^\)]*\))+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
++            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
+             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
+             <mdre-<mode>>
+ 
+-mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
++mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+ 
+ mdre-normal = 
+ 
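Review bot: In the added `_bypass_reject_reason` line, the second alternative `[^\(]+` can itself consume `: `, which is also the separator that starts each repetition of the outer `(...)*`, so a reason made of several colon-separated segments can still be split in more than one way. That is much less ambiguous than the removed `(?:[^\(]+|\w+\([^\)]*\))+`, where an unbounded `+` sat directly on another `+`, but it is worth confirming the behaviour with a long colon-separated reason that never reaches a matching ` (auth failed ...)` part. Note also that `mdre-aggressive` previously used the narrower `(?::(?: [^ \(]+)+)?`, so sharing the new definition widens what aggressive mode skips before the parenthesis; the commit message should say that this is intended.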
+diff --git fail2ban/tests/files/logs/dovecot fail2ban/tests/files/logs/dovecot
+index 75934c37..0e332961 100644
+--- fail2ban/tests/files/logs/dovecot
++++ fail2ban/tests/files/logs/dovecot
+@@ -115,6 +115,17 @@ Aug 28 06:38:51 s166-62-100-187 dovecot: imap-login: Disconnected (auth failed,
+ # failJSON: { "time": "2004-08-28T06:38:52", "match": true , "host": "192.0.2.4", "desc": "open parenthesis in optional part between Disconnected and (auth failed ...), gh-3210" }
+ Aug 28 06:38:52 s166-62-100-187 dovecot: imap-login: Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer (auth failed, 1 attempts in 0 secs): user=<test@example.com>, rip=192.0.2.4, lip=127.0.0.19, session=<Lsz0Oo7WXti3b7xe>
+ 
++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer
++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1
++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1
++# failJSON: { "time": "2004-08-29T01:49:33", "match": false , "desc": "avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
++
+ # failJSON: { "time": "2004-08-29T03:17:18", "match": true , "host": "192.0.2.133" }
+ Aug 29 03:17:18 server dovecot: submission-login: Client has quit the connection (auth failed, 1 attempts in 2 secs): user=<user1>, method=LOGIN, rip=192.0.2.133, lip=0.0.0.0
+ # failJSON: { "time": "2004-08-29T03:53:52", "match": true , "host": "192.0.2.169" }
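Review bot: The five added normal-mode entries assert only `"match": false`, so they pin the result but not the cost that gh-3370 was about. If the test runner applies no time limit per line, a pattern that becomes slow again would show up as a stalled test run rather than a failed assertion. Consider adding one entry whose reason part has many more colon-separated segments than these samples, so that a slowdown is noticeable during the run.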
+@@ -128,6 +139,17 @@ Aug 29 15:33:53 server dovecot: managesieve-login: Disconnected: Too many invali
+ 
+ # filterOptions: [{"mode": "aggressive"}]
+ 
++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: read(size=1026) failed: Connection reset by peer (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: read(size=1026) failed: Connection reset by peer
++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[459]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Too many invalid commands. (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1
++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[459]: managesieve-login: Disconnected: Connection closed: read(size=1007) failed: Connection reset by peer (no auth attempts in 1 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1
++# failJSON: { "time": "2004-08-29T01:49:33", "match": true , "host": "192.0.2.5", "desc": "matches in aggressive mode, avoid slow RE, gh-3370" }
++Aug 29 01:49:33 server dovecot[472]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 0 secs): user=<>, rip=192.0.2.5, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
++
+ # failJSON: { "time": "2004-08-29T16:06:58", "match": true , "host": "192.0.2.5" }
+ Aug 29 16:06:58 s166-62-100-187 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.5, lip=192.168.1.2, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer
+ # failJSON: { "time": "2004-08-31T16:15:10", "match": true , "host": "192.0.2.6" }
+-- 
+2.38.0
+
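Review bot: The diffstat embedded in the new files/patch-ISSUE-3370 lists `ChangeLog | 4 ++++` and "3 files changed, 31 insertions(+), 3 deletions(-)", but the file carries hunks only for config/filter.d/dovecot.conf and fail2ban/tests/files/logs/dovecot. The stale header does not affect how the hunks apply, but it no longer describes the file; either trim the diffstat or state in the commit message that the ChangeLog hunk of upstream commit ca2b94c5 was dropped on purpose.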
-- 
2.38.0

Cheers,
Cy Schubert <cy.schub...@cschubert.com>
FreeBSD UNIX:  <c...@freebsd.org>   Web:  https://FreeBSD.org
NTP:           <c...@nwtime.org>    Web:  https://nwtime.org

                        e^(i*pi)+1=0
