From 1d7aa2ff217737f5958c95f29fca96389020dd19 Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 2 Mar 2018 17:59:25 +0100 Subject: [PATCH] filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases --- ChangeLog | 1 + config/filter.d/sshd.conf | 2 +- fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +- fail2ban/tests/files/logs/sshd | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 382ffc4c..4b3de2b7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,7 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition ### Fixes * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060); * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048); +* `filter.d/sshd.conf`: failregex got an optional space in order to match new log-format (see gh-2061); * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059); * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054); diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 71dbee8b..328ba558 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -49,7 +49,7 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .* ^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$ ^User .+ not allowed because account is locked%(__suff)s ^Disconnecting: Too many authentication failures(?: for .+?)?%(__suff)s - ^Received disconnect from :11: + ^Received disconnect from :\s*11: ^Connection closed by %(__suff)s$ ^Accepted publickey for \S+ from (?:\s|$) diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf index f193009f..a1c55cd3 100644 --- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf +++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf @@ -44,7 +44,7 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for ^%(__prefix_line_sl)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$ ^%(__prefix_line_sl)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*%(__suff)s$ ^%(__prefix_line_sl)s(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)? \[preauth\]$ - ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from : 11: .+%(__suff)s$ + ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from :\s*11: .+%(__suff)s$ ^%(__prefix_line_ml1)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s%(__prefix_line_ml2)sConnection closed by %(__suff)s$ ^%(__prefix_line_ml1)sConnection from %(__on_port_opt)s%(__prefix_line_ml2)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s$ diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd index b0b760ff..5c7f5cfd 100644 --- a/fail2ban/tests/files/logs/sshd +++ b/fail2ban/tests/files/logs/sshd @@ -110,7 +110,7 @@ May 27 00:16:33 host sshd[2364]: User root not allowed because account is locked # failJSON: { "match": false } May 27 00:16:33 host sshd[2364]: input_userauth_request: invalid user root [preauth] # failJSON: { "time": "2005-05-27T00:16:33", "match": true , "host": "198.51.100.76" } -May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76: 11: Bye Bye [preauth] +May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76:11: Bye Bye [preauth] # failJSON: { "time": "2004-09-29T16:28:02", "match": true , "host": "127.0.0.1" } Sep 29 16:28:02 spaceman sshd[16699]: Failed password for dan from 127.0.0.1 port 45416 ssh1