`filter.d/sshd.conf`: `ddos` and `aggressive` modes, regex extended for timeout before authentication (optional connection from part);

closes gh-3907
2024-12-26 14:24:15 +01:00 · 2024-12-26 14:24:15 +01:00 · 89b5f3bb1e
parent 51358e1587
commit 89b5f3bb1e
3 changed files with 8 additions and 3 deletions
--- a/6
+++ b/6
@ -26,8 +26,10 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `filter.d/postfix.conf` - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800)
 * `filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (gh-3769)
 * `filter.d/roundcube-auth.conf` - improved RE better matching log format of roundcube version 1.4+ (gh-3816)
-* `filter.d/sshd.conf` - adapted to conform possible new daemon name sshd-session, since OpenSSH 9.8 
-  several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
+* `filter.d/sshd.conf`:
+  - adapted to conform possible new daemon name sshd-session, since OpenSSH 9.8 
+    several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
+  - `ddos` and `aggressive` modes: regex extended for timeout before authentication (optional connection from part, gh-3907)

 ### New Features and Enhancements
 * new jail option `skip_if_nologs` to ignore jail if no `logpath` matches found, fail2ban continue to start with warnings/errors,
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -70,7 +70,7 @@ mdre-normal =
 # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
 mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET></F-NOFAIL>%(__authng_user)s <ADDR>%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$

-mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for) <HOST>
+mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for(?: connection from)?) <HOST>
            ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
            ^Bad protocol version identification '(?:[^']|.*?)' (?:from )?<HOST>%(__suff)s$
            ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@ -360,6 +360,9 @@ Jun  7 04:29:10 host sshd[649921]: error: kex_exchange_identification: read: Con
 # failJSON: { "match": false, "desc": "Connection reset already triggered above (known IP, no-fail helper unused here)" }
 Jun  7 04:29:10 host sshd[649921]: Connection reset by 192.0.2.16 port 51280

+# failJSON: { "time": "2005-06-10T09:43:06", "match": true , "host": "192.0.2.17", "desc": "ddos: timeout ... connection from, gh-3907" }
+Jun 10 09:43:06 host sshd[3801]: Timeout before authentication for connection from 192.0.2.17 to 127.0.0.1, pid = 29098
+
 # filterOptions: [{"mode": "extra"}, {"mode": "aggressive"}]

 # several other cases from gh-864: