Merge branch '0.10' into 0.11

ChangeLog

@@ -62,8 +62,13 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
 -----------
 
 ### Fixes
+* `filter.d/sshd.conf`:
+  - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
+  - captures `Disconnected from ... [preauth]` (`extra`/`aggressive` mode and preauth phase only, gh-2239, gh-2279)
 
 ### New Features
+* new failregex-flag tag `<F-MLFGAINED>` for failregex, signaled that the access to service was gained
+  (ATM used similar to tag `<F-NOFAIL>`, but it does not add the log-line to matches, gh-2279)
 
 ### Enhancements
 

config/action.d/shorewall.conf

@@ -9,7 +9,7 @@
 # connections. So if the attempter goes on trying using the same connection
 # he could even log in. In order to get the same behavior of the iptable
 # action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
-# file should me modified with "BLACKLISTNEWONLY=No". Note that as of
+# file should be modified with "BLACKLISTNEWONLY=No". Note that as of
 # Shorewall 4.5.13 BLACKLISTNEWONLY is deprecated; however the equivalent
 # of BLACKLISTNEWONLY=No can now be achieved by setting BLACKLIST="ALL".
 # 

config/filter.d/sshd.conf

@@ -54,10 +54,11 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER>
             ^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$
             ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
             ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
+            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
             ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s$
             ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
             ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by%(__authng_user)s <HOST><mdrp-<mode>-suff-onclosed>
-            ^<F-MLFFORGET><F-NOFAIL>Accepted \w+</F-NOFAIL></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
+            ^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
 
 mdre-normal =
 # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
@@ -74,6 +75,7 @@ mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_p
             ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
             ^Unable to negotiate a <__alg_match>
             ^no matching <__alg_match> found:
+            ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$
 mdrp-extra-suff-onclosed = %(mdrp-normal-suff-onclosed)s
 
 mdre-aggressive = %(mdre-ddos)s

fail2ban/__init__.py

@@ -82,7 +82,7 @@ strptime("2012", "%Y")
 
 # short names for pure numeric log-level ("Level 25" could be truncated by short formats):
 def _init():
-	for i in xrange(50):
+	for i in range(50):
 		if logging.getLevelName(i).startswith('Level'):
 			logging.addLevelName(i, '#%02d-Lev.' % i)
 _init()

fail2ban/server/filter.py

@@ -674,16 +674,21 @@ class Filter(JailThread):
 		mlfidFail = self.mlfidCache.get(mlfid) if self.__mlfidCache else None
 		users = None
 		nfflgs = 0
-		if fail.get('nofail'): nfflgs |= 1
+		if fail.get("mlfgained"):
+			nfflgs |= 9
+			if not fail.get('nofail'):
+				fail['nofail'] = fail["mlfgained"]
+		elif fail.get('nofail'): nfflgs |= 1
 		if fail.get('mlfforget'): nfflgs |= 2
 		# if multi-line failure id (connection id) known:
 		if mlfidFail:
 			mlfidGroups = mlfidFail[1]
 			# update users set (hold all users of connect):
 			users = self._updateUsers(mlfidGroups, fail.get('user'))
-			# be sure we've correct current state ('nofail' only from last failure)
+			# be sure we've correct current state ('nofail' and 'mlfgained' only from last failure)
 			try:
 				del mlfidGroups['nofail']
+				del mlfidGroups['mlfgained']
 			except KeyError:
 				pass
 			# # ATM incremental (non-empty only) merge deactivated (for future version only),
@@ -707,16 +712,17 @@ class Filter(JailThread):
 			# we've new user, reset 'nofail' because of multiple users attempts:
 			try:
 				del fail['nofail']
+				nfflgs &= ~1 # reset nofail
 			except KeyError:
 				pass
 		# merge matches:
-		if not fail.get('nofail'): # current state (corresponding users)
+		if not (nfflgs & 1): # current nofail state (corresponding users)
 			try:
 				m = fail.pop("nofail-matches")
 				m += fail.get("matches", [])
 			except KeyError:
 				m = fail.get("matches", [])
-			if not (nfflgs & 2): # not mlfforget:
+			if not (nfflgs & 8): # no gain signaled
 				m += failRegex.getMatchedTupleLines()
 			fail["matches"] = m
 		elif not (nfflgs & 2) and (nfflgs & 1): # not mlfforget and nofail:

fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf

@@ -64,6 +64,7 @@ mdre-extra = ^%(__prefix_line_sl)sReceived disconnect from <HOST>%(__on_port_opt
              ^%(__prefix_line_sl)sUnable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
              ^%(__prefix_line_ml1)sConnection from <HOST>%(__on_port_opt)s%(__prefix_line_ml2)sUnable to negotiate a <__alg_match>
              ^%(__prefix_line_ml1)sConnection from <HOST>%(__on_port_opt)s%(__prefix_line_ml2)sno matching <__alg_match> found:
+             ^%(__prefix_line_sl)sDisconnected(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$
 
 mdre-aggressive = %(mdre-ddos)s
                   %(mdre-extra)s

fail2ban/tests/files/logs/sshd

@@ -253,6 +253,13 @@ Mar  7 18:53:34 bar sshd[1559]: Accepted password for known from 192.0.2.116 por
 # failJSON: { "match": false , "desc": "No failure" }
 Mar  7 18:53:38 bar sshd[1559]: Connection closed by 192.0.2.116
 
+# failJSON: { "time": "2005-03-19T16:47:48", "match": true , "attempts": 1, "user": "admin", "host": "192.0.2.117", "desc": "Failure: attempt invalid user" }
+Mar 19 16:47:48 test sshd[5672]: Invalid user admin from 192.0.2.117 port 44004
+# failJSON: { "time": "2005-03-19T16:47:49", "match": true , "attempts": 2, "user": "admin", "host": "192.0.2.117", "desc": "Failure: attempt to change user (disallowed)" }
+Mar 19 16:47:49 test sshd[5672]: Disconnecting invalid user admin 192.0.2.117 port 44004: Change of username or service not allowed: (admin,ssh-connection) -> (user,ssh-connection) [preauth]
+# failJSON: { "time": "2005-03-19T16:47:50", "match": false, "desc": "Disconnected during preauth phase (no failure in normal mode)" }
+Mar 19 16:47:50 srv sshd[5672]: Disconnected from authenticating user admin 192.0.2.6 port 33553 [preauth]
+
 # filterOptions: [{"mode": "ddos"}, {"mode": "aggressive"}]
 
 # http://forums.powervps.com/showthread.php?t=1667
@@ -334,3 +341,6 @@ Oct 26 15:30:40 localhost sshd[14737]: Unable to negotiate with 192.0.2.2 port 5
 Nov 26 13:03:38 srv sshd[14737]: Unable to negotiate with 192.0.2.4 port 50404: no matching host key type found. Their offer: ssh-dss
 # failJSON: { "time": "2004-11-26T13:03:39", "match": true , "host": "192.0.2.5", "desc": "No matching everything ... found." }
 Nov 26 13:03:39 srv sshd[14738]: fatal: Unable to negotiate with 192.0.2.5 port 55555: no matching everything new here found. Their offer: ...
+
+# failJSON: { "time": "2004-11-26T16:47:51", "match": true , "host": "192.0.2.6", "desc": "Disconnected during preauth phase (in extra/aggressive mode)" }
+Nov 26 16:47:51 srv sshd[19320]: Disconnected from authenticating user root 192.0.2.6 port 33553 [preauth]