MIT Kerberos

From Fail2ban
Jump to: navigation, search

MIT Kerberos


MIT krb5kdc provided by krb5-kdc-1.4.4-7etch6 (debian)

The following log excerpts include an attempt to authenticate using an invalid principal, followed by an attempt to authenticate using a valid principal with an incorrect password, followed by successful authentication and issue of a ticket granting ticket.

Feb 11 23:48:27 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: CLIENT_NOT_FOUND: nonexistentuser@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Client not found in Kerberos database

Feb 11 23:48:58 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: NEEDED_PREAUTH: validuserbadpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Additional pre-authentication required
Feb 11 23:48:58 hostname krb5kdc[19386]: preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 11 23:48:58 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: PREAUTH_FAILED: validuserbadpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Decrypt integrity check failed

Feb 11 23:49:07 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: NEEDED_PREAUTH: validuserokpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL, Additional pre-authentication required
Feb 11 23:49:07 hostname krb5kdc[19386]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.2: ISSUE: authtime 1234414147, etypes {rep=16 tkt=16 ses=16}, validuserokpasswd@REALM.LOCAL for krbtgt/REALM.LOCAL@REALM.LOCAL


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.

The following regular expression matches common authentication failures of MIT's krb5kdc when principals are configured with pre-authentication required. The pattern is MIT implementation specific and is not likely to work with Heimdal.

failregex = AS_REQ \([\w\s{}]+\) <HOST>: (PREAUTH_FAILED|CLIENT_NOT_FOUND):
Personal tools