From e73b3dd53edbd961a092a6d737b9c7e8978ce748 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Mon, 27 May 2013 18:11:08 +0100
Subject: [PATCH 1/3] BF: fail2ban-regex adding duplicate lines with each regex

This issue was caused by the fact that every "line" is processed for each regex, meaning each line was duplicated for every regex. This caused duplicate fail matches and the buffer filling too quickly and possibly missing failures.
---
 bin/fail2ban-regex | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bin/fail2ban-regex b/bin/fail2ban-regex
index 2b563cae..9302fd6a 100755
--- a/bin/fail2ban-regex
+++ b/bin/fail2ban-regex
@@ -277,7 +277,12 @@ class Fail2banRegex:
 return False
 finally:
 self.__filter.delFailRegex(0)
+ try:
+ del self.__filter._Filter__lineBuffer[-1]
+ except IndexError:
+ pass
 logging.getLogger("fail2ban").setLevel(logging.CRITICAL)
+ self.__filter.processLine(line)
 for regex in self.__ignoreregex:
 self.__filter.delIgnoreRegex(0)

From 49261925d762926b88d456dfeafb0bb8c426f861 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Mon, 27 May 2013 22:06:49 +0100
Subject: [PATCH 2/3] ENH: Add new regex for locked accounts for sshd

---
 config/filter.d/sshd.conf | 9 +++++++++
 fail2ban/tests/files/logs/sshd | 8 ++++++++
 2 files changed, 17 insertions(+)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 18ac6668..0d865afc 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -20,6 +20,9 @@ _daemon = sshd
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Multiline regexs should use tag "" to separate lines.
+# This allows lines between the matching lines to continue to be
+# searched for other failures. This tag can be used multiple times.
 # Values: TEXT
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
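Review bot: The new `del self.__filter._Filter__lineBuffer[-1]` reaches through name mangling into Filter's private buffer, so this tool now depends on processLine appending exactly one entry per call and on nothing else (a match, trimming at maxlines) having touched `__lineBuffer` in between — an assumption I cannot confirm from this hunk, and one that, if Filter's buffering ever changes, fails silently in the very tool administrators use to prove a filter catches an attack. A one-line accessor on Filter, e.g. `def delLastLine(self): del self.__lineBuffer[-1]`, called here as `self.__filter.delLastLine()`, keeps the buffer contract in one file. The `except IndexError: pass` also swallows an empty-buffer case that presumably should not arise right after a processLine call; logging it at debug level would surface a regression instead of hiding it. The enclosing method starts before and ends after this hunk.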
@@ -33,9 +36,15 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
 ^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$
 ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
+ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: Bye Bye \[preauth\]$
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 5dab1606..960dd38a 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -46,3 +46,11 @@ Apr 29 15:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication error
 Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201
 Apr 29 17:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.102
 Apr 29 18:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.103
+
+#11
+Apr 24 01:39:19 host sshd[3719]: User root not allowed because account is locked
+Apr 24 01:39:19 host sshd[3719]: input_userauth_request: invalid user root [preauth]
+Apr 24 01:39:19 host sshd[3719]: error: Received disconnect from 198.51.100.34: 11: Bye Bye [preauth]
+May 27 00:16:33 host sshd[2364]: User root not allowed because account is locked
+May 27 00:16:33 host sshd[2364]: input_userauth_request: invalid user root [preauth]
+May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76: 11: Bye Bye [preauth]

From 5f87e5991139db1b3d2961d00ad318cf6cb64272 Mon Sep 17 00:00:00 2001
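Review bot: The new locked-account failregex can be evaded by the client it is meant to catch, because the tail after `Received disconnect from <HOST>: ` is client-supplied: the reason code and the "Bye Bye" description are whatever the client puts in its SSH disconnect message, so a client sending any other text (a stock OpenSSH client, for one) produces a locked-account line that never matches. Loosening that tail to `Received disconnect from <HOST>: \d+: .*\[preauth\]$` keeps `<HOST>` pinned to the sshd-written part of the line while no longer depending on the attacker's choice of wording. A second gap is that `(?P<__prefix>…)` starts at `^`, so the backreference demands a byte-identical prefix including the timestamp; a client that waits one second before disconnecting slips through (both log samples in this series disconnect within the same second), which should at least be stated in the comment added above, e.g. `# NOTE: the disconnect line must carry the same timestamp and pid as the locked-account line`. `maxlines = 10` is also a filter-wide window, so on a busy server other sessions' lines can push the disconnect out of reach — worth a sentence next to the setting.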
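Review bot: The two new samples only exercise the easy case for the prefix backreference: one session in flight, identical timestamp and pid on every line, and "Bye Bye" as the disconnect text. A sample in which another session's `Received disconnect` line (different pid) is interleaved before the locked account's own disconnect is what shows that `(?P=__prefix)` binds the ban to the right host rather than to the first disconnect in the window, and a sample whose disconnect lands in the following second would document whether that case is expected to match or not. Without a negative sample there is nothing in the fixture that fails if the regex is later loosened too far.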
From: Steven Hiscocks
Date: Mon, 27 May 2013 22:07:30 +0100
Subject: [PATCH 3/3] DOC: Update man page for usage

---
 man/jail.conf.5 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/man/jail.conf.5 b/man/jail.conf.5
index 14dc5663..466172f5 100644
--- a/man/jail.conf.5
+++ b/man/jail.conf.5
@@ -135,8 +135,9 @@ There are two filter definitions used in the [Definition] section:
 .TP
 \fBfailregex\fR
-is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The tag is used as part of the regex and is itself a regex
+is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The tag \fI\fR is used as part of the regex and is itself a regex
 for IPv4 addresses and hostnames. fail2ban will work out which one of these it actually is.
+For multiline regexs the tag \fI\fR should be used to separate lines. This allows lines between the matched lines to continue to be searched for other failures. The tag can be used multiple times.
 .TP
 \fBignoreregex\fR