[FR]: Fix Dropbear failregexes broken since 2020 #3791

Open
MichaIng opened this issue Jul 10, 2024 · 0 comments
MichaIng commented Jul 10, 2024

Environment:

  • Fail2Ban version :
  • OS, including release name/version :

Service, project or product which log or journal should be monitored

  • Name of filter or jail in Fail2Ban (if already exists) : Dropbear
  • Service, project or product name, including release name/version : v2022.83
  • Repository or URL (if known) : https://github.com/mkj/dropbear
  • Service type : SSH server
  • Ports and protocols the service is listening : 22 TCP

Log or journal information

  • Log file name(s) : /var/log/auth.log
  • Journal identifier or unit name : dropbear.service/dropbear

Any additional information

Dropbear is supported already. This PR adds support for cases where it runs as systemd service with -E flag, where Dropbear itself adds PID and timestamps: #3597

However, while testing it, I recognised that the max retry limit and nonexistent user login attempts do not match anymore: #3597 (comment)

Funnily, this was caused by a commit (to Dropbear upstream) that was intended to help software like Fail2Ban, while in practice it broke it, due to a lack of communication, and since the nonexistent user case was not carefully checked, which now misses the host: mkj/dropbear#83

Of the lines below, the first case matches with #3597 and when running Dropbear as an init.d service (provided by upstream). The 2nd line does not match anymore after the linked PR was merged in 2020. The 3rd cannot match anymore, because it lacks the host, and the 4th was never supported, but could additionally be added.

EDIT: I sent a PR to have the nonexistent user login log fixed: mkj/dropbear#316
The "Exit before auth" logs are the only thing which can be fixed/added here.

Relevant lines from monitored log files:

failures in the sense of the fail2ban filter (fail2ban must match):

Jul 10 23:57:29 VM-Bookworm dropbear[825]: [825] Jul 10 23:57:29 Bad password attempt for 'root' from 192.168.1.3:52289
Jul 10 23:57:29 VM-Bookworm dropbear[825]: [825] Jul 10 23:57:29 Exit before auth from <192.168.1.3:52289>: (user 'root', 10 fails): Max auth tries reached - user 'root'
Jul 10 23:58:41 VM-Bookworm dropbear[826]: [826] Jul 10 23:58:41 Login attempt for nonexistent user
Jul 10 23:59:24 VM-Bookworm dropbear[826]: [826] Jul 10 23:59:24 Exit before auth from <192.168.1.3:52325>: Max auth tries reached - user 'is invalid'

legitimate messages (fail2ban should not consider as failures):
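
As an added illustration (my own harness, not code from fail2ban or Dropbear): the script below runs two sets of failregex-style patterns over the four log lines quoted in the issue, one set in the pre-2020 message shape (peer address at the end of the message, as "from HOST:port") and one set adjusted to the current shape (peer address moved to the front in angle brackets, with the "(user '…', N fails)" part optional). The syslog/-E prefix pattern, the IPv4-only stand-in for fail2ban's `<HOST>` placeholder, and the pattern bodies are my assumptions modeled on the message shapes visible in those lines, not copies of fail2ban's filter.d/dropbear.conf. The point it makes concrete: with the old shape only the "Bad password" line yields a host; with the adjusted shape both "Exit before auth" lines do; the "nonexistent user" line can never yield a host with any pattern, because the message no longer carries one, so fail2ban silently ignores it.

```python
import re

# Constructed sample input: the four lines quoted in the issue (Dropbear v2022.83
# run as a systemd service with -E, so Dropbear prepends its own "[pid] timestamp").
SAMPLE_LINES = [
    "Jul 10 23:57:29 VM-Bookworm dropbear[825]: [825] Jul 10 23:57:29 Bad password attempt for 'root' from 192.168.1.3:52289",
    "Jul 10 23:57:29 VM-Bookworm dropbear[825]: [825] Jul 10 23:57:29 Exit before auth from <192.168.1.3:52289>: (user 'root', 10 fails): Max auth tries reached - user 'root'",
    "Jul 10 23:58:41 VM-Bookworm dropbear[826]: [826] Jul 10 23:58:41 Login attempt for nonexistent user",
    "Jul 10 23:59:24 VM-Bookworm dropbear[826]: [826] Jul 10 23:59:24 Exit before auth from <192.168.1.3:52325>: Max auth tries reached - user 'is invalid'",
]

# Assumed prefix: syslog "Mon DD HH:MM:SS host dropbear[pid]: ", optionally followed by
# the "[pid] Mon DD HH:MM:SS " that Dropbear itself emits under -E.
_TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
PREFIX = r"^" + _TS + r" \S+ dropbear\[\d+\]: (?:\[\d+\] " + _TS + r" )?"

# Stand-in for fail2ban's <HOST> placeholder (IPv4 only, to keep the example short).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Patterns in the pre-2020 message shape: peer address at the end, as "from HOST:port".
# These are my own approximations of that shape, not fail2ban's shipped regexes.
OLD_FAILREGEX = {
    "bad-password": r"[Bb]ad (?:PAM )?password attempt for '[^']+' from <HOST>(?::\d+)?$",
    "max-tries":    r"[Ee]xit before auth \(user '[^']+', \d+ fails\): Max auth tries reached - user '[^']+' from <HOST>:\d+$",
    "nonexistent":  r"[Ll]ogin attempt for nonexistent user(?: '[^']*')? from <HOST>:\d+$",
}

# Patterns for the current message shape: the peer address moved to the front in
# angle brackets and the "(user '...', N fails)" part became optional, which is what
# lets the 4th sample line ("user 'is invalid'") match as well.
NEW_FAILREGEX = {
    "bad-password": OLD_FAILREGEX["bad-password"],
    "max-tries":    r"[Ee]xit before auth from <<HOST>:\d+>: (?:\(user '[^']+', \d+ fails\): )?Max auth tries reached - user '[^']+'$",
    # Unchanged on purpose: the message no longer contains a host, so no pattern
    # can extract one; the line stays invisible to a host-based ban.
    "nonexistent":  OLD_FAILREGEX["nonexistent"],
}


def compile_filter(failregex):
    """Expand the <HOST> placeholder and prepend the line prefix, fail2ban-style."""
    return {name: re.compile(PREFIX + body.replace("<HOST>", HOST))
            for name, body in failregex.items()}


def match_failures(lines, failregex):
    """Return [(line_index, pattern_name, host)] for every line some pattern matches.
    First matching pattern wins; lines matching nothing are skipped, exactly the
    silent-miss behaviour the issue describes."""
    compiled = compile_filter(failregex)
    hits = []
    for i, line in enumerate(lines):
        for name, rx in compiled.items():
            m = rx.search(line)
            if m:
                hits.append((i, name, m.group("host")))
                break
    return hits


def unmatched(lines, failregex):
    """Indices of lines that no pattern in the set matched."""
    matched = {i for i, _, _ in match_failures(lines, failregex)}
    return [i for i in range(len(lines)) if i not in matched]


if __name__ == "__main__":
    for label, rx in (("old shape", OLD_FAILREGEX), ("new shape", NEW_FAILREGEX)):
        print(label, "matched:  ", match_failures(SAMPLE_LINES, rx))
        print(label, "unmatched:", unmatched(SAMPLE_LINES, rx))
```

The same lines can be checked against a real filter with `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/dropbear.conf`; the script only exists to make the three outcomes (matches, matches after adjusting the pattern, cannot match because no host is logged) visible side by side.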
