From 9f5c87352651ed5278d4c27801dc9e70b1166260 Mon Sep 17 00:00:00 2001
From: MatthieuBarbu <30758776+MatthieuBarbu@users.noreply.github.com>
Date: Fri, 2 Mar 2018 14:47:16 +0100
Subject: [PATCH 1/5] fix sshd rule just remove the space before ":11" line 52 because don't match on my Debian 9 stretch... I don't know if this is wrong on all OS
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index ab5fd385..71dbee8b 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -49,7 +49,7 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*
 ^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
 ^User .+ not allowed because account is locked%(__suff)s
 ^Disconnecting: Too many authentication failures(?: for .+?)?%(__suff)s
- ^Received disconnect from : 11:
+ ^Received disconnect from :11:
 ^Connection closed by %(__suff)s$
 ^Accepted publickey for \S+ from (?:\s|$)
From 1d7aa2ff217737f5958c95f29fca96389020dd19 Mon Sep 17 00:00:00 2001
From: sebres
Date: Fri, 2 Mar 2018 17:59:25 +0100
Subject: [PATCH 2/5] filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases
---
 ChangeLog | 1 +
 config/filter.d/sshd.conf | 2 +-
 fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
 fail2ban/tests/files/logs/sshd | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 382ffc4c..4b3de2b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,7 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
 ### Fixes
 * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
 * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
+* `filter.d/sshd.conf`: failregex got an optional space in order to match new log-format (see gh-2061);
 * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
 * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 71dbee8b..328ba558 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -49,7 +49,7 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*
 ^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
 ^User .+ not allowed because account is locked%(__suff)s
 ^Disconnecting: Too many authentication failures(?: for .+?)?%(__suff)s
- ^Received disconnect from :11:
+ ^Received disconnect from :\s*11:
 ^Connection closed by %(__suff)s$
 ^Accepted publickey for \S+ from (?:\s|$)
diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
index f193009f..a1c55cd3 100644
--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
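Review bot: The `\s*` added to the `Received disconnect` line in the sshd.conf hunk carries no explanation of which sshd versions log `: 11:` and which log `:11:`, so a later maintainer cannot tell whether the optional whitespace is still needed or could be tightened; the commit message only calls it the "new ssh log-format". A one-line comment above the `cmnfailre` definition (which starts before this hunk), e.g. `# ':\s*11:' accepts both ': 11:' (older format) and ':11:' (newer format, gh-2061)`, would record the rationale next to the pattern. Note also that the `<HOST>` placeholder between `from` and `:` appears to have been stripped in this rendering of the hunk; the file is presumably still `from <HOST>:\s*11:`.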
@@ -44,7 +44,7 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for
 ^%(__prefix_line_sl)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
 ^%(__prefix_line_sl)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*%(__suff)s$
 ^%(__prefix_line_sl)s(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)? \[preauth\]$
- ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from : 11: .+%(__suff)s$
+ ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from :\s*11: .+%(__suff)s$
 ^%(__prefix_line_ml1)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s%(__prefix_line_ml2)sConnection closed by %(__suff)s$
 ^%(__prefix_line_ml1)sConnection from %(__on_port_opt)s%(__prefix_line_ml2)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s$
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index b0b760ff..5c7f5cfd 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -110,7 +110,7 @@ May 27 00:16:33 host sshd[2364]: User root not allowed because account is locked
 # failJSON: { "match": false }
 May 27 00:16:33 host sshd[2364]: input_userauth_request: invalid user root [preauth]
 # failJSON: { "time": "2005-05-27T00:16:33", "match": true , "host": "198.51.100.76" }
-May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76: 11: Bye Bye [preauth]
+May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76:11: Bye Bye [preauth]
 # failJSON: { "time": "2004-09-29T16:28:02", "match": true , "host": "127.0.0.1" }
 Sep 29 16:28:02 spaceman sshd[16699]: Failed password for dan from 127.0.0.1 port 45416 ssh1
From 6b5516b8512e96952a38749c215e9938bf9bf9f0 Mon Sep 17 00:00:00 2001
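Review bot: The existing `198.51.100.76: 11: Bye Bye` fixture line in the sshd log hunk is edited in place to the `:11:` form, so the hunk swaps one format for the other rather than covering both, even though the commit message says the test-cases were "extended to cover both cases"; the old `: 11:` form stays exercised only by the `1.2.3.4: 11: Normal S` line that appears as context of a later hunk. Keeping the old line and adding the new one under its own header, `# failJSON: { "time": "2005-05-27T00:16:33", "match": true , "host": "198.51.100.76", "desc": "new log-format without space (gh-2061)" }` followed by `May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76:11: Bye Bye [preauth]`, would pin the backwards-compatibility the `:\s*11:` change claims.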
From: MatthieuBarbu <30758776+MatthieuBarbu@users.noreply.github.com>
Date: Fri, 2 Mar 2018 18:27:06 +0100
Subject: [PATCH 3/5] fix sshd rule #2 in line 58, rule don't match with "%(__suff)s" but work fine if I replace with "%(__on_port_opt)s" Debian 9 stretch : fail2ban 0.10.3
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 328ba558..41b76481 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -55,7 +55,7 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*
 mdre-normal = 
-mdre-ddos = ^Did not receive identification string from %(__suff)s$
+mdre-ddos = ^Did not receive identification string from %(__on_port_opt)s
 ^Connection reset by %(__on_port_opt)s%(__suff)s
 ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
 ^Read from socket failed: Connection reset by peer%(__suff)s
From a3bcbe2d1b7ebe3897894ddc2c400f48806d0a66 Mon Sep 17 00:00:00 2001
From: sebres
Date: Fri, 2 Mar 2018 19:12:09 +0100
Subject: [PATCH 4/5] backwards-compatibility, test-cases and ChangeLog update
---
 ChangeLog | 4 +++-
 config/filter.d/sshd.conf | 2 +-
 .../tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
 fail2ban/tests/files/logs/sshd | 2 ++
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 4b3de2b7..abbd254b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,7 +37,9 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
 ### Fixes
 * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060);
 * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048);
-* `filter.d/sshd.conf`: failregex got an optional space in order to match new log-format (see gh-2061);
+* `filter.d/sshd.conf`:
+ - failregex got an optional space in order to match new log-format (see gh-2061);
+ - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062);
 * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
 * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 41b76481..f557223c 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -55,7 +55,7 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*
 mdre-normal = 
-mdre-ddos = ^Did not receive identification string from %(__on_port_opt)s
+mdre-ddos = ^Did not receive identification string from %(__on_port_opt)s%(__suff)s
 ^Connection reset by %(__on_port_opt)s%(__suff)s
 ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
 ^Read from socket failed: Connection reset by peer%(__suff)s
diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
index a1c55cd3..7000e627 100644
--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
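Review bot: The `$` that terminated the removed `Did not receive identification string` line in the sshd.conf hunk is absent from the new line, so unless `%(__suff)s` (defined outside this hunk) itself ends in `$`, the ddos-mode pattern now accepts arbitrary trailing text after the optional port where it previously required end-of-line. The neighbouring `Connection reset by` entry is also unanchored, so this may be deliberate, but the removed line shows the anchor was there before and nothing in the commit says why it was dropped. Restoring it as `mdre-ddos = ^Did not receive identification string from <HOST>%(__on_port_opt)s%(__suff)s$` (assuming the `<HOST>` tag this rendering strips) keeps the match as strict as it was; the same applies to the obsolete-multiline test filter in the next hunk.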
@@ -50,7 +50,7 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for
 mdre-normal = 
-mdre-ddos = ^%(__prefix_line_sl)sDid not receive identification string from %(__suff)s$
+mdre-ddos = ^%(__prefix_line_sl)sDid not receive identification string from %(__on_port_opt)s%(__suff)s
 ^%(__prefix_line_sl)sConnection reset by %(__on_port_opt)s%(__suff)s
 ^%(__prefix_line_ml1)sSSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:.*%(__prefix_line_ml2)sRead from socket failed: Connection reset by peer%(__suff)s$
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 5c7f5cfd..524d2d28 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -219,6 +219,8 @@ Apr 27 13:02:04 host sshd[29116]: Received disconnect from 1.2.3.4: 11: Normal S
 # http://forums.powervps.com/showthread.php?t=1667
 # failJSON: { "time": "2005-06-07T01:10:56", "match": true , "host": "69.61.56.114" }
 Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114
+# failJSON: { "time": "2005-06-07T01:11:57", "match": true , "host": "192.0.2.5", "desc": "refactored message (with port now, gh-2062)" }
+Jun 7 01:11:57 host sshd[8782]: Did not receive identification string from 192.0.2.5 port 35836
 # gh-864(1):
 # failJSON: { "match": false }
From caa2bdfee6afbc78bb42f61633760079bbe472ff Mon Sep 17 00:00:00 2001
From: sebres
Date: Fri, 2 Mar 2018 19:24:47 +0100
Subject: [PATCH 5/5] amendment for gh-2061: it looks like the port was added here also
---
 config/filter.d/sshd.conf | 2 +-
 fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 2 +-
 fail2ban/tests/files/logs/sshd | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index f557223c..d8bb5edf 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -49,7 +49,7 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*
 ^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
 ^User .+ not allowed because account is locked%(__suff)s
 ^Disconnecting: Too many authentication failures(?: for .+?)?%(__suff)s
- ^Received disconnect from :\s*11:
+ ^Received disconnect from %(__on_port_opt)s:\s*11:
 ^Connection closed by %(__suff)s$
 ^Accepted publickey for \S+ from (?:\s|$)
diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
index 7000e627..5560716d 100644
--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
@@ -44,7 +44,7 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for
 ^%(__prefix_line_sl)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
 ^%(__prefix_line_sl)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*%(__suff)s$
 ^%(__prefix_line_sl)s(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)? \[preauth\]$
- ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from :\s*11: .+%(__suff)s$
+ ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from %(__on_port_opt)s:\s*11: .+%(__suff)s$
 ^%(__prefix_line_ml1)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s%(__prefix_line_ml2)sConnection closed by %(__suff)s$
 ^%(__prefix_line_ml1)sConnection from %(__on_port_opt)s%(__prefix_line_ml2)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s$
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 524d2d28..e80eb30c 100644
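Review bot: The ChangeLog is not touched by this patch (its diffstat lists only the two filter files and the log fixture), so the bullet added earlier in the series still says the failregex "got an optional space", while the `Received disconnect` line in the sshd.conf hunk now also accepts `%(__on_port_opt)s` before the `:`. Updating that bullet, e.g. `  - failregex got an optional space and optional port in order to match new log-format (see gh-2061);`, keeps the release notes in step with the pattern. The commit message itself hedges ("it looks like the port was added here also"); naming the sshd release or distribution that produced the `port 58846:11:` fixture line would make the change verifiable rather than a guess.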
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -110,7 +110,7 @@ May 27 00:16:33 host sshd[2364]: User root not allowed because account is locked
 # failJSON: { "match": false }
 May 27 00:16:33 host sshd[2364]: input_userauth_request: invalid user root [preauth]
 # failJSON: { "time": "2005-05-27T00:16:33", "match": true , "host": "198.51.100.76" }
-May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76:11: Bye Bye [preauth]
+May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76 port 58846:11: Bye Bye [preauth]
 # failJSON: { "time": "2004-09-29T16:28:02", "match": true , "host": "127.0.0.1" }
 Sep 29 16:28:02 spaceman sshd[16699]: Failed password for dan from 127.0.0.1 port 45416 ssh1
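Review bot: Rewriting the `198.51.100.76` fixture line in place a second time leaves the `:11:` form without a port — the exact format the first patch in this series reported from Debian 9 — with no test line at all, since the only line that carried it now reads `198.51.100.76 port 58846:11:`. Adding the new line instead of replacing it, under its own header `# failJSON: { "time": "2005-05-27T00:16:33", "match": true , "host": "198.51.100.76", "desc": "with port (gh-2061)" }`, would keep all three variants (`: 11:`, `:11:`, `port N:11:`) covered by the filter test. Nothing in the patch establishes that `port N` is always present whenever the space is absent, so the no-port case is worth retaining.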