https://github.com/fail2ban/fail2ban/issues/306

Fix regex for latest dropbear (keep backwards compatibility). Add test case logfiles. Signed-off-by: Jamyn Shanley <jshanley@gmail.com>
12 years ago · a355fab91b
parent 8936f2cd02
commit a355fab91b
2 changed files with 9 additions and 2 deletions
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@ -27,8 +27,9 @@ _daemon = dropbear
 # These match the unmodified dropbear messages. It isn't possible to
 # match the source of the 'exit before auth' messages from dropbear.
 #
-failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
-            ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$
+failregex = ^%(__prefix_line)s(L|l)ogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
+            ^%(__prefix_line)s(B|b)ad password attempt for .+ from <HOST>:.*\s*$
+	     ^%(__prefix_line)sExit before auth \(user .+, \d+ fails\): Max auth tries reached - user .+ from <HOST>:.*\s*$

 # The only line we need to match with the modified dropbear.

--- a/testcases/files/logs/dropbear
+++ b/testcases/files/logs/dropbear
@ -0,0 +1,6 @@
+# failJSON: { "time": "2005-07-27T01:04:12", "match": true , "host": "1.2.3.4" }
+Jul 27 01:04:12 fail2ban-test dropbear[1335]: Bad password attempt for 'root' from 1.2.3.4:60588
+# failJSON: { "time": "2005-07-27T01:04:22", "match": true , "host": "1.2.3.4" }
+Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588
+# failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
+Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794