From 2fed408c05ac5206b490368d94599869bd6a056d Mon Sep 17 00:00:00 2001
From: Fabian Dellwing
Date: Tue, 2 Jul 2024 07:54:15 +0200
Subject: [PATCH 1/5] Adjust sshd filter for OpenSSH 9.8 new daemon name
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 1c8a02de..a1fd749a 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -16,7 +16,7 @@ before = common.conf
 [DEFAULT]
-_daemon = sshd
+_daemon = (?:sshd(?:-session)?)
 # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
 __pref = (?:(?:error|fatal): (?:PAM: )?)?
From 7b335f47ea112e2a36e59287582e613aef2fa0a3 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 3 Jul 2024 19:09:28 +0200
Subject: [PATCH 2/5] sshd: add test coverage for new format, gh-3782
---
 fail2ban/tests/files/logs/sshd | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index ed54ded4..7d3948ed 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -20,6 +20,9 @@ Feb 25 14:34:10 belka sshd[31603]: Failed password for invalid user ROOT from aa
 # failJSON: { "time": "2005-02-25T14:34:11", "match": true , "host": "aaaa:bbbb:cccc:1234::1:1" }
 Feb 25 14:34:11 belka sshd[31603]: Failed password for invalid user ROOT from aaaa:bbbb:cccc:1234::1:1
+# failJSON: { "time": "2005-07-03T14:59:17", "match": true , "host": "192.0.2.1", "desc": "new log with session in daemon prefix, gh-3782" }
+Jul 3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2
+
 #3
 # failJSON: { "time": "2005-01-05T01:31:41", "match": true , "host": "1.2.3.4" }
 Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
From 8360776ce1b119d519a842069c73bec7f5e24fad Mon Sep 17 00:00:00 2001
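Review bot: The widened `_daemon` value at `+_daemon = (?:sshd(?:-session)?)` carries no comment on why `-session` is optional, while the `__pref` line just below documents its own purpose; add `# OpenSSH 9.8 logs per-connection messages as "sshd-session" instead of "sshd" (gh-3782)` above it. The same applies to the identical change in zzz-sshd-obsolete-multiline.conf in patch 3 and to the final form of this line in patch 4, which is where the comment should end up. Without it, the only pointers to the rationale are the test-log description and the ChangeLog entry added later in the series, neither of which a reader of the filter file will see.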
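Review bot: The added sample `+Jul 3 14:59:17 host sshd-session[1571]: Failed password for root from 192.0.2.1 port 56502 ssh2` exercises only the `Failed password` message with the new daemon name, so the filter's other failregex branches (the `ROOT LOGIN REFUSED` line two lines below, the `invalid user` variants above) are never run against an `sshd-session` prefix. One more failJSON pair reusing a different message kind under the new prefix would catch a regression confined to those branches. Patch 3 changes the multiline test filter the same way; if that filter has its own sample log, no matching `sshd-session` line is added for it in this series.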
From: "Sergey G. Brester"
Date: Wed, 3 Jul 2024 19:33:39 +0200
Subject: [PATCH 3/5] zzz-sshd-obsolete-multiline.conf: adjusted to new sshd-session log format
---
 fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
index ad8adeb6..14256ba6 100644
--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
@@ -9,7 +9,7 @@ before = ../../../../config/filter.d/common.conf
 [DEFAULT]
-_daemon = sshd
+_daemon = sshd(?:-session)?
 # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
 __pref = (?:(?:error|fatal): (?:PAM: )?)?
From 50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 3 Jul 2024 19:35:28 +0200
Subject: [PATCH 4/5] filter.d/sshd.conf: ungroup (unneeded for _daemon)
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index a1fd749a..3a84b1ba 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -16,7 +16,7 @@ before = common.conf
 [DEFAULT]
-_daemon = (?:sshd(?:-session)?)
+_daemon = sshd(?:-session)?
 # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
 __pref = (?:(?:error|fatal): (?:PAM: )?)?
From 216622adb2f2ff1c151ab905db23c5508e2416b3 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 3 Jul 2024 19:42:19 +0200
Subject: [PATCH 5/5] Update ChangeLog
---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index a34921b6..ec52d5ba 100644
--- a/ChangeLog
+++ b/ChangeLog
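Review bot: Dropping the outer group at `+_daemon = sshd(?:-session)?` is safe only because the value contains no top-level `|`; `_daemon` is substituted into the daemon-prefix pattern of common.conf (outside this hunk, see `before = common.conf` in the hunk header), so a later value written as an alternation would silently change how that prefix groups. A one-line comment recording the constraint, `# keep as a single regex atom (no top-level |): interpolated into the prefix pattern of common.conf`, makes the ungrouping deliberate rather than accidental. The same constraint holds for the copy in zzz-sshd-obsolete-multiline.conf from patch 3.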
@@ -22,6 +22,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
 * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778)
 * `filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (gh-3769)
+* `filter.d/sshd.conf` - adapted to conform possible new daemon name sshd-session, since OpenSSH 9.8
+ several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
 ### New Features and Enhancements
 * `action.d/*-ipset.conf`: