From dd9f359f5c6bf0f8d397ba920beb1648fcb7c1e2 Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Fri, 6 Oct 2023 17:49:39 +0200
Subject: [PATCH 1/4] Fix Dropbear filter when logging to STDOUT
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog. As usual, timestamps and also the PID are now included by the log message emitted by Dropbear, in addition to the systemd journal log prefix. The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without `-E` flag. Additionally, for performance reasons, this commit adds a `journalmatch` entry, matching Debian's and Fedora's `dropbear.service` with `dropbear` executable/identifier, the most likely match for a Dropbear systemd service.
Signed-off-by: MichaIng
---
 config/filter.d/dropbear.conf | 4 +++-
 fail2ban/tests/files/logs/dropbear | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf
index 930bb128..3523be42 100644
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@@ -23,7 +23,7 @@ before = common.conf
 _daemon = dropbear
-prefregex = ^%(__prefix_line)s(?:[Ll]ogin|[Bb]ad|[Ee]xit).+$
+prefregex = ^%(__prefix_line)s(\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?(?:[Ll]ogin|[Bb]ad|[Ee]xit).+$
 failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$
 ^[Bb]ad (PAM )?password attempt for .+ from (:\d+)?$
@@ -31,6 +31,8 @@ failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$
 ignoreregex =
+journalmatch = _SYSTEMD_UNIT=dropbear.service + _COMM=dropbear
+
 # DEV Notes:
 #
 # The first two regexs here match the unmodified dropbear messages. It isn't
diff --git a/fail2ban/tests/files/logs/dropbear b/fail2ban/tests/files/logs/dropbear
index d8a4d4d3..e165e602 100644
--- a/fail2ban/tests/files/logs/dropbear
+++ b/fail2ban/tests/files/logs/dropbear
@@ -13,3 +13,6 @@ Jul 27 01:04:12 fail2ban-test dropbear[1335]: Bad password attempt for 'root' fr
 Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588
 # failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
 Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794
+
+# failJSON: { "time": "2005-07-10T23:53:52", "match": true , "host": "1.2.3.4" }
+Jul 10 23:53:52 fail2ban-test dropbear[825]: [825] Jul 10 23:53:52 Bad password attempt for 'root' from 1.2.3.4:52289
From 62aeb55b63c9ead79ebf66c1c726baac85017aa8 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Thu, 11 Jul 2024 15:27:36 +0200
Subject: [PATCH 2/4] dropbear test: added description
---
 fail2ban/tests/files/logs/dropbear | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fail2ban/tests/files/logs/dropbear b/fail2ban/tests/files/logs/dropbear
index e165e602..c945e3af 100644
--- a/fail2ban/tests/files/logs/dropbear
+++ b/fail2ban/tests/files/logs/dropbear
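Review bot: The DEV Notes block directly below the new `journalmatch` still describes only the unmodified dropbear messages and says nothing about the optional `[pid] timestamp` group that this patch introduces in `prefregex`, so a later maintainer has no hint why a PID and a second timestamp may sit between `__prefix_line` and the `Login`/`Bad`/`Exit` text. Add a line to the DEV Notes such as `# With -E (stderr logging, e.g. Debian's systemd unit) dropbear prepends its own "[pid] Mon DD HH:MM:SS " to each message; prefregex skips it optionally.` The `+` inside the `journalmatch` value reads as fail2ban's journal-match syntax (the same form as `filter.d/sshd.conf`), not as a diff marker, which is easy to misread in this collapsed hunk; if the `_COMM=dropbear` alternative is meant to cover units named differently from `dropbear.service`, a short comment saying so would help too.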
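Review bot: The new sample line exercises only the `Bad password attempt` variant with the extra `[825] Jul 10 23:53:52` prefix; the other two alternatives of the changed `prefregex` (`Login attempt for nonexistent user` and `Exit before auth`) are not tested with that prefix, so a regression in the optional group would only be caught for one message type. Consider adding, in the same style, a `Login attempt for nonexistent user` line and an `Exit before auth` line that carry the `[pid] Mon DD HH:MM:SS` prefix, each with its own `# failJSON` entry (sample values constructed from the existing lines, e.g. `Jul 10 23:53:53 fail2ban-test dropbear[825]: [825] Jul 10 23:53:53 Login attempt for nonexistent user from 1.2.3.4:52290`). The sample also covers only the C-locale month abbreviation, which the commit message itself notes may be localized.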
@@ -14,5 +14,5 @@ Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10
 # failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
 Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794
-# failJSON: { "time": "2005-07-10T23:53:52", "match": true , "host": "1.2.3.4" }
+# failJSON: { "time": "2005-07-10T23:53:52", "match": true , "host": "1.2.3.4", "desc": "extra pid/timestamp may be logged into journal, gh-3597" }
 Jul 10 23:53:52 fail2ban-test dropbear[825]: [825] Jul 10 23:53:52 Bad password attempt for 'root' from 1.2.3.4:52289
From b7b1fff53c66cefcc7c4a608b88b1dce52894eff Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Thu, 11 Jul 2024 15:44:20 +0200
Subject: [PATCH 3/4] Update ChangeLog
---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 85b1867b..42faaa5c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `filter.d/freeswitch.conf` - bypass some new info in prefix before [WARNING] (changed default `_pref_line`), FreeSWITCH log line prefix has changed in newer versions (gh-3143)
 * `filter.d/postfix.conf` - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800)
+* `filter.d/dropbear.conf`:
+ - recognizes extra pid/timestamp if logged into stdout/journal, added `journalmatch` (gh-3597)
 * `filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (gh-3769)
 * `filter.d/roundcube-auth.conf` - improved RE better matching log format of roundcube version 1.4+ (gh-3816)
 * `filter.d/sshd.conf`:
From eb8b44370ae93794208de1c60220d45a57b44018 Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Thu, 11 Jul 2024 19:33:44 +0200
Subject: [PATCH 4/4] Make Dropbear regex more compatible and simpler
Dropbear uses `strftime` `"%b %d %H:%M:%S` to print its timestamps, hence we know the day and time format, but the month could be localized. We hence allow any 3 word characters for it, and additionally simplify the day and time pattern into a single group.
Signed-off-by: MichaIng
---
 config/filter.d/dropbear.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf
index 3523be42..b5329555 100644
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@@ -23,7 +23,7 @@ before = common.conf
 _daemon = dropbear
-prefregex = ^%(__prefix_line)s(\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?(?:[Ll]ogin|[Bb]ad|[Ee]xit).+$
+prefregex = ^%(__prefix_line)s(?:\[\d+\] \w{2,3} [\d:\s]+)?(?:[Ll]ogin|[Bb]ad|[Ee]xit).+$
 failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$
 ^[Bb]ad (PAM )?password attempt for .+ from (:\d+)?$
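Review bot: `\w{2,3}` on the new `prefregex` line does not cover every localized `%b` output the commit message is trying to accommodate: several glibc locales abbreviate months with four or more letters or a trailing period (a French `févr.`-style form, for example), which this class rejects, so the optional group fails to consume Dropbear's prefix and those lines silently stop matching in such locales. The commit message also says "any 3 word characters" while the pattern allows 2 to 3, so message and code disagree. Since the group only skips Dropbear's own prefix and the following alternation is still anchored on `(?:[Ll]ogin|[Bb]ad|[Ee]xit)`, a looser month token such as `(?:\[\d+\] \S+ [\d:\s]+)?` would cover those locales without changing what the filter extracts; at minimum, a DEV Notes line stating that the month token is deliberately lax because `%b` is locale-dependent would document the intent. The test log still exercises only the C-locale `Jul` form.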