- they have basically nothing with authentication;
- they can cause false positives (e. g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned;
- to avoid occasional ban of legitimate servers one'd need create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
Dropbear uses `strftime` `"%b %d %H:%M:%S` to print its timestamps, hence we know the day and time format, but the month could be localized. We hence allow any 3 word characters for it, and additionally simplify the day and time pattern into a single group.
Signed-off-by: MichaIng <micha@dietpi.com>
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog.
As usual, timestamps and also the PID are now included by the log message emitted by Dropbear, in addition to the systemd journal log prefix.
The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without `-E` flag.
Additionally, for performance reasons, this commit adds a `journalmatch` entry, matching Debian's and Fedora's `dropbear.service` with `dropbear` executable/identifier, the most likely match for a Dropbear systemd service.
Signed-off-by: MichaIng <micha@dietpi.com>
also avoid after-effect with "IndexError: list index out of range" from onIgnoreRegex (the lists of REs are different in filter and fail2banregex);
closes gh-3895
The "after iptables" clause in the OpenRC service script's depend()
function causes fail2ban to start after iptables, if iptables is
scheduled to start. Here we add "after nftables" as well: nftables is
the successor to iptables, and fail2ban supports it out-of-the-box.
If nftables is scheduled to start, we want to wait until it's done
before starting fail2ban.
Sergey G. Brester