From 4f6532f810921c1d210db0c30baba7fb5ff91991 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Tue, 20 Mar 2018 17:36:32 +0100
Subject: [PATCH 1/2] filter.d/sshd.conf: mode `ddos` (and `aggressive`)
 extended to catch `Connection closed by ... [preauth]`, so in DDOS mode it
 causes failure now on closed within preauth stage; at least using both modes
 can ban port-scanners and prevent for other annoying "intruders", closing
 connection within preauth-stage (see gh-2085 for example).

---
 config/filter.d/sshd.conf      |  8 +++++++-
 fail2ban/tests/files/logs/sshd | 16 ++++++++++++----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index d6f39bc5e..60b61241f 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -54,23 +54,29 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER>
             ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
             ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s$
             ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
-            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>
+            ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST><mdrp-<mode>-suff-onclosed>
             ^<F-MLFFORGET><F-NOFAIL>Accepted \w+</F-NOFAIL></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
 
 mdre-normal =
+# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
+mdrp-normal-suff-onclosed =
 
 mdre-ddos = ^Did not receive identification string from <HOST>
             ^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>
+            ^Connection <F-MLFFORGET>closed</F-MLFFORGET> by <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
             ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
             ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
+mdrp-ddos-suff-onclosed = %(__on_port_opt)s\s*$
 
 mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No supported authentication methods available
             ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
             ^Unable to negotiate a <__alg_match>
             ^no matching <__alg_match> found:
+mdrp-extra-suff-onclosed = %(mdrp-normal-suff-onclosed)s
 
 mdre-aggressive = %(mdre-ddos)s
                   %(mdre-extra)s
+mdrp-aggressive-suff-onclosed = %(mdrp-ddos-suff-onclosed)s
 
 cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
 
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 7526c32bd..5cf8a44aa 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -120,7 +120,7 @@ Sep 29 16:28:02 spaceman sshd[16699]: Failed password for dan from 127.0.0.1 por
 # failJSON: { "match": false, "desc": "no failure, just cache mlfid (conn-id)" }
 Sep 29 16:28:05 localhost sshd[16700]: Connection from 192.0.2.5
 # failJSON: { "match": false, "desc": "no failure, just covering mlfid (conn-id) forget" }
-Sep 29 16:28:05 localhost sshd[16700]: Connection closed by 192.0.2.5 [preauth]
+Sep 29 16:28:05 localhost sshd[16700]: Connection closed by 192.0.2.5
 
 # failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1" }
 Sep 29 17:15:02 spaceman sshd[12946]: Failed hostbased for dan from 127.0.0.1 port 45785 ssh2: RSA 8c:e3:aa:0f:64:51:02:f7:14:79:89:3f:65:84:7c:30, client user "dan", client host "localhost.localdomain"
@@ -159,7 +159,7 @@ Nov 28 09:16:03 srv sshd[32307]: Postponed publickey for git from 192.0.2.1 port
 # failJSON: { "match": false }
 Nov 28 09:16:03 srv sshd[32307]: Accepted publickey for git from 192.0.2.1 port 57904 ssh2: DSA 36:48:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
 # failJSON: { "match": false, "desc": "Should be forgotten by success/accepted public key" }
-Nov 28 09:16:03 srv sshd[32307]: Connection closed by 192.0.2.1 [preauth]
+Nov 28 09:16:03 srv sshd[32307]: Connection closed by 192.0.2.1
 
 # Failure on connect with valid user-name but wrong public keys (retarded to disconnect/too many errors, because of gh-1263):
 # failJSON: { "match": false }
@@ -179,7 +179,7 @@ Nov 23 21:50:37 sshd[8148]: Connection closed by 61.0.0.1 [preauth]
 # failJSON: { "match": false }
 Nov 23 21:50:19 sshd[9148]: Disconnecting: Too many authentication failures for root [preauth]
 # failJSON: { "match": false , "desc": "Pids don't match" }
-Nov 23 21:50:37 sshd[7148]: Connection closed by 61.0.0.1 [preauth]
+Nov 23 21:50:37 sshd[7148]: Connection closed by 61.0.0.1
 
 # failJSON: { "time": "2005-07-13T18:44:28", "match": true , "host": "89.24.13.192", "desc": "from gh-289" }
 Jul 13 18:44:28 mdop sshd[4931]: Received disconnect from 89.24.13.192: 3: com.jcraft.jsch.JSchException: Auth fail
@@ -216,7 +216,7 @@ Apr 27 13:02:04 host sshd[29116]: Received disconnect from 1.2.3.4: 11: Normal S
 # failJSON: { "match": false, "desc": "No failure until closed or another fail (e. g. F-MLFFORGET by success/accepted password can avoid failure, see gh-2070)" }
 2015-04-16T18:02:50.321974+00:00 host sshd[2716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.112  user=root
 # failJSON: { "time": "2015-04-16T20:02:50", "match": true , "host": "192.0.2.112", "desc": "Should catch failure - no success/no accepted password" }
-2015-04-16T18:02:50.568798+00:00 host sshd[2716]: Connection closed by 192.0.2.112
+2015-04-16T18:02:50.568798+00:00 host sshd[2716]: Connection closed by 192.0.2.112 [preauth]
 
 # disable this case for obsolete multi-line filter (zzz-sshd-obsolete...):
 # filterOptions: [{"test.condition": "name == 'sshd'"}]
@@ -283,6 +283,14 @@ Nov 24 23:46:43 host sshd[32686]: fatal: Read from socket failed: Connection res
 # failJSON: { "time": "2005-03-15T09:20:57", "match": true , "host": "192.0.2.39", "desc": "Singleline for connection reset by" }
 Mar 15 09:20:57 host sshd[28972]: Connection reset by 192.0.2.39 port 14282 [preauth]
 
+# filterOptions: [{"test.condition":"name=='sshd'", "mode": "ddos"}, {"test.condition":"name=='sshd'", "mode": "aggressive"}]
+
+# failJSON: { "time": "2005-03-15T09:21:01", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
+Mar 15 09:21:01 host sshd[2717]: Connection closed by 192.0.2.212 [preauth]
+# failJSON: { "time": "2005-03-15T09:21:02", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
+Mar 15 09:21:02 host sshd[2717]: Connection closed by 192.0.2.212 [preauth]
+
+
 
 # filterOptions: [{"mode": "extra"}, {"mode": "aggressive"}]
 

From e5735b995125a38b5899709a63d8573f9ea20af0 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Tue, 20 Mar 2018 17:49:16 +0100
Subject: [PATCH 2/2] ChangeLog updated

---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index beb38482b..40dd41a7d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -45,6 +45,8 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
   - avoid banning of legitimate users when pam_unix used in combination with other password method, so
     bypass pam_unix failures if accepted available for this user gh-2070;
   - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
+  - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
+    it counts failure on closing connection within preauth-stage (gh-2085);
 * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
 * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
 * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);