diff --git a/ChangeLog b/ChangeLog
index b6d1c3aa..266ca614 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -62,6 +62,7 @@ ver. 0.11.2-dev (20??/??/??) - development edition
- `normal`: matches 401 with supplied username only
- `ddos`: matches 401 without supplied username only
- `aggressive`: matches 401 and any variant (with and without username)
+* `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh-2749)
### New Features
* new filter and jail for GitLab recognizing failed application logins (gh-2689)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 31e61b96..4c86dca0 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -25,7 +25,7 @@ __pref = (?:(?:error|fatal): (?:PAM: )?)?
__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
# close by authenticating user:
-__authng_user = (?: (?:invalid|authenticating) user \S+|.+?)?
+__authng_user = (?: (?:invalid|authenticating) user \S+|.*?)?
# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
@@ -44,18 +44,18 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*
^Failed for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
^ROOT LOGIN REFUSED FROM
^[iI](?:llegal|nvalid) user .*? from %(__suff)s$
- ^User .+ from not allowed because not listed in AllowUsers%(__suff)s$
- ^User .+ from not allowed because listed in DenyUsers%(__suff)s$
- ^User .+ from not allowed because not in any group%(__suff)s$
+ ^User \S+|.*? from not allowed because not listed in AllowUsers%(__suff)s$
+ ^User \S+|.*? from not allowed because listed in DenyUsers%(__suff)s$
+ ^User \S+|.*? from not allowed because not in any group%(__suff)s$
^refused connect from \S+ \(\)
^Received disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
- ^User .+ from not allowed because a group is listed in DenyGroups%(__suff)s$
- ^User .+ from not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
+ ^User \S+|.*? from not allowed because a group is listed in DenyGroups%(__suff)s$
+ ^User \S+|.*? from not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
^%(__pam_auth)s\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=\S*\s+rhost=(?:\s+user=\S*)?%(__suff)s$
^maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
- ^User .+ not allowed because account is locked%(__suff)s
+ ^User \S+|.*? not allowed because account is locked%(__suff)s
^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user \S+ %(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
- ^Disconnecting: Too many authentication failures(?: for .+?)?%(__suff)s$
+ ^Disconnecting: Too many authentication failures(?: for \S+|.*?)?%(__suff)s$
^Received disconnect from %(__on_port_opt)s:\s*11:
-other>
^Accepted \w+ for \S+ from (?:\s|$)
diff --git a/fail2ban/helpers.py b/fail2ban/helpers.py
index 6f2bcdd7..3ef7d543 100644
--- a/fail2ban/helpers.py
+++ b/fail2ban/helpers.py
@@ -302,7 +302,7 @@ def getVerbosityFormat(verbosity, fmt=' %(message)s', addtime=True, padding=True
if addtime:
fmt = ' %(asctime)-15s' + fmt
else: # default (not verbose):
- fmt = "%(name)-23.23s [%(process)d]: %(levelname)-7s" + fmt
+ fmt = "%(name)-24s[%(process)d]: %(levelname)-7s" + fmt
if addtime:
fmt = "%(asctime)s " + fmt
# remove padding if not needed:
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 1bf9d913..9fff416a 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -321,6 +321,11 @@ Mar 15 09:21:02 host sshd[2717]: Connection closed by 192.0.2.212 [preauth]
# failJSON: { "time": "2005-07-18T17:19:11", "match": true , "host": "192.0.2.4", "desc": "ddos: disconnect on preauth phase, gh-2115" }
Jul 18 17:19:11 srv sshd[2101]: Disconnected from 192.0.2.4 port 36985 [preauth]
+# failJSON: { "time": "2005-06-06T04:17:04", "match": true , "host": "192.0.2.68", "dns": null, "user": "", "desc": "empty user, gh-2749" }
+Jun 6 04:17:04 host sshd[1189074]: Invalid user from 192.0.2.68 port 34916
+# failJSON: { "time": "2005-06-06T04:17:09", "match": true , "host": "192.0.2.68", "dns": null, "user": "", "desc": "empty user, gh-2749" }
+Jun 6 04:17:09 host sshd[1189074]: Connection closed by invalid user 192.0.2.68 port 34916 [preauth]
+
# filterOptions: [{"mode": "extra"}, {"mode": "aggressive"}]
# several other cases from gh-864:
diff --git a/fail2ban/tests/misctestcase.py b/fail2ban/tests/misctestcase.py
index 43d76802..c1a6a345 100644
--- a/fail2ban/tests/misctestcase.py
+++ b/fail2ban/tests/misctestcase.py
@@ -34,7 +34,7 @@ from StringIO import StringIO
from utils import LogCaptureTestCase, logSys as DefLogSys
from ..helpers import formatExceptionInfo, mbasename, TraceBack, FormatterWithTraceBack, getLogger, \
- splitwords, uni_decode, uni_string
+ getVerbosityFormat, splitwords, uni_decode, uni_string
from ..server.mytime import MyTime
@@ -404,6 +404,14 @@ class TestsUtilsTest(LogCaptureTestCase):
self._testAssertionErrorRE(r"\['A', 'B'\] != \['B', 'C'\]",
self.assertSortedEqual, ['A', 'B'], ['C', 'B'])
+ def testVerbosityFormat(self):
+ self.assertEqual(getVerbosityFormat(1),
+ '%(asctime)s %(name)-24s[%(process)d]: %(levelname)-7s %(message)s')
+ self.assertEqual(getVerbosityFormat(1, padding=False),
+ '%(asctime)s %(name)s[%(process)d]: %(levelname)s %(message)s')
+ self.assertEqual(getVerbosityFormat(1, addtime=False, padding=False),
+ '%(name)s[%(process)d]: %(levelname)s %(message)s')
+
def testFormatterWithTraceBack(self):
strout = StringIO()
Formatter = FormatterWithTraceBack