
Fix Dropbear filter when logging to STDOUT #3597

Open: wants to merge 4 commits into master

Conversation

@MichaIng commented Oct 6, 2023

Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the -F and -E flags to run it in the foreground and have it log to STDOUT instead of syslog.

As usual, timestamps and also the PID are now included in the log message emitted by Dropbear, in addition to the systemd journal log prefix.

The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as an optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without the -E flag.

Additionally, for performance reasons, this commit adds a journalmatch entry matching Debian's and Fedora's dropbear.service with the dropbear executable/identifier, the most likely match for a Dropbear systemd service.

Before submitting your PR, please review the following checklist:

  • CHOOSE CORRECT BRANCH: if filing a bugfix/enhancement
    against certain release version, choose 0.9, 0.10 or 0.11 branch,
    for dev-edition use master branch

  • CONSIDER adding a unit test if your PR resolves an issue

  • LIST ISSUES this PR resolves

  • MAKE SURE this PR doesn't break existing tests

  • KEEP PR small so it could be easily reviewed.

  • AVOID making unnecessary stylistic changes in unrelated code

  • ACCOMPANY each new failregex for filter X with sample log lines
    within fail2ban/tests/files/logs/X file

  • I can add a line to https://github.com/fail2ban/fail2ban/blob/master/fail2ban/tests/files/logs/dropbear, but is there a way to get this failJSON?

@sebres (Contributor) commented Jul 10, 2024

> I can add a line to fail2ban/tests/files/logs/dropbear, but is there a way to get this failJSON?

The captured values from the following lines must simply match the parameters in the JSON (time, host etc.), so just copy-paste it from other lines and adjust the values inside to the values of your line...
For the time, it is important to consider that if the line doesn't contain the year or TZ, the test suite works with

TEST_NOW = 1124013600

which is basically Sun Aug 14 12:00:00 CEST 2005, so it can be 2004 (if the date without year is before that time) and/or in CET if the TZ is different at the parsed timestamp.

Or just add it to this PR (or to the file directly without failJSON); I'd extend it myself.
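The year rule behind the comment above, as an added illustration that is not fail2ban's own date parser: a `%b %d %H:%M:%S` timestamp carries no year, so it is completed from "now" (here the test suite's TEST_NOW), and if that would place the event after now, the previous year is used instead. The fixed CEST offset and the function name are this example's own assumptions; the real suite also has to deal with the CET/CEST switch the comment mentions, which a fixed offset does not model.

```python
from datetime import datetime, timezone, timedelta

# Added example, not fail2ban's DateDetector.  TEST_NOW is the value quoted
# in the PR discussion: Sun Aug 14 12:00:00 CEST 2005 as Unix epoch seconds.
TEST_NOW = 1124013600

# Assumption: a fixed +02:00 offset stands in for the CEST "now"; a real
# parser would have to account for DST changing between "now" and the event.
CEST = timezone(timedelta(hours=2), "CEST")


def complete_year(ts_without_year, now_epoch, tz):
    """Parse a '%b %d %H:%M:%S' timestamp (no year) into an aware datetime.

    The latest year that does not put the event after `now` is chosen:
    the current year if possible, otherwise the previous one.  This is why
    a year-less line in the tests can resolve to 2004 rather than 2005.
    """
    now = datetime.fromtimestamp(now_epoch, tz)
    for year in (now.year, now.year - 1):
        try:
            # Parse with the candidate year appended so leap days are
            # validated against that year rather than strptime's default.
            candidate = datetime.strptime(
                f"{ts_without_year} {year}", "%b %d %H:%M:%S %Y"
            ).replace(tzinfo=tz)
        except ValueError:  # e.g. "Feb 29" in a non-leap candidate year
            continue
        if candidate <= now:
            return candidate
    raise ValueError(f"cannot place {ts_without_year!r} relative to {now:%c}")


if __name__ == "__main__":
    for ts in ("Jul 10 23:57:29", "Aug 14 12:00:00", "Aug 15 00:00:00"):
        print(ts, "->", complete_year(ts, TEST_NOW, CEST).isoformat())
```

"Jul 10" resolves to 2005 because it precedes the Aug 14 reference, while "Aug 15" lands in 2004; a value in the failJSON `time` field therefore has to be chosen with this reference point in mind, not the wall clock.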

@MichaIng (Author) commented Jul 10, 2024

Not sure whether I understood in which case it can be 2004. But following the other entries, I think it should work the way I added it now 😅.

While producing those, I recognised two other issues:

Jul 10 23:57:29 VM-Bookworm dropbear[825]: [825] Jul 10 23:57:29 Bad password attempt for 'root' from 192.168.1.3:52289
Jul 10 23:57:29 VM-Bookworm dropbear[825]: [825] Jul 10 23:57:29 Exit before auth from <192.168.1.3:52289>: (user 'root', 10 fails): Max auth tries reached - user 'root'
Jul 10 23:58:41 VM-Bookworm dropbear[826]: [826] Jul 10 23:58:41 Login attempt for nonexistent user
Jul 10 23:59:24 VM-Bookworm dropbear[826]: [826] Jul 10 23:59:24 Exit before auth from <192.168.1.3:52325>: Max auth tries reached - user 'is invalid'
  • 🈯 The 1st is the most important one, which does now match.
  • 🈴 The 2nd is after 10 failed login attempts and does not match anymore, since from <HOST> is no longer located at the end.
  • 🈴 Login attempts for nonexistent users do not contain the host anymore.
  • 🈺 Max retries for invalid users never matched, but could consequently be added.

This is independent of systemd vs. init.d service; the changed output after the prefix is the same in both cases.

Max retry failures are IMO not important, since usually the failed attempts before this happens match and lead to a ban already, before max retries are even hit. Invalid user logins however IMO are important, and I am not sure why those do not contain the host anymore. I'll check back with Dropbear. This is however unrelated to the systemd/STDOUT/-E matching, i.e. I'll open a new PR once I have verified the changed output in recent (upstream) Dropbear versions, and whether the missing host is intended or a bug.
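The matching shape this PR argues for, as an added example written here and not fail2ban's own filter (the project's `config/filter.d/dropbear.conf` pattern is not reproduced on this page): a syslog/journal header, an optional `[PID] %b %d %H:%M:%S` group that Dropbear itself emits when run with -E, and the failure text, run over the four lines quoted above plus one constructed pre-Bookworm line. The month is taken as three word characters, as the later commit message on localized `%b` motivates. The pattern names, the IPv6 alternative and the unanchored `Exit before auth` rule for the 2nd and 4th cases are this example's own choices.

```python
import re

# Added example; this is not fail2ban's own dropbear filter.  Pattern names
# below (PREFIX, OPT_STDOUT, HOST, FAILURES) are this example's own.

# syslog/journal header: "Jul 10 23:57:29 VM-Bookworm dropbear[825]: "
PREFIX = (r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
          r"dropbear\[(?P<pid>\d+)\]: ")

# With -E, Dropbear itself prepends "[PID] %b %d %H:%M:%S " to every message.
# The group is optional so the older syslog shape (no repeated PID/time) still
# matches; the month is \w{3} because strftime's %b is locale dependent.
OPT_STDOUT = r"(?:\[\d+\] \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} )?"

# IPv4 first, then a permissive IPv6 alternative (assumption, kept simple).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"

FAILURES = [
    # "Bad password attempt for 'root' from 192.168.1.3:52289": host at end
    r"Bad password attempt for '[^']+' from " + HOST + r"(?::\d+)?$",
    # "Exit before auth from <192.168.1.3:52289>: ... Max auth tries reached ..."
    # The host is no longer at the end of the line, so this is not $-anchored.
    r"Exit before auth from <" + HOST + r":\d+>: .*Max auth tries reached",
]
PATTERNS = [re.compile(PREFIX + OPT_STDOUT + f) for f in FAILURES]

# Indices 0-3 are the lines quoted in the PR discussion; index 4 is
# constructed to show the pre-Bookworm shape without Dropbear's own prefix.
SAMPLE_LINES = [
    "Jul 10 23:57:29 VM-Bookworm dropbear[825]: [825] Jul 10 23:57:29 Bad password attempt for 'root' from 192.168.1.3:52289",
    "Jul 10 23:57:29 VM-Bookworm dropbear[825]: [825] Jul 10 23:57:29 Exit before auth from <192.168.1.3:52289>: (user 'root', 10 fails): Max auth tries reached - user 'root'",
    "Jul 10 23:58:41 VM-Bookworm dropbear[826]: [826] Jul 10 23:58:41 Login attempt for nonexistent user",
    "Jul 10 23:59:24 VM-Bookworm dropbear[826]: [826] Jul 10 23:59:24 Exit before auth from <192.168.1.3:52325>: Max auth tries reached - user 'is invalid'",
    "Jul 10 23:57:29 VM-Bookworm dropbear[825]: Bad password attempt for 'root' from 192.168.1.3:52289",
]


def match_failure(line):
    """Return (host, pid) if the line is a Dropbear auth failure, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host"), m.group("pid")
    return None


def summarize(lines):
    """Map each line index to the host a ban could act on, or None."""
    return {i: (r[0] if r else None)
            for i, r in enumerate(map(match_failure, lines))}


if __name__ == "__main__":
    for i, host in summarize(SAMPLE_LINES).items():
        print(i, host or "no match / no host in line")
```

The third quoted line stays unmatched on purpose: without a host in the message there is nothing a filter can hand to the ban action, which is the point raised about nonexistent-user logins above.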

@MichaIng (Author) commented Jul 10, 2024

I opened an issue about the broken matches: #3791
The 2nd case can be fixed easily, the 4th could additionally be added, the 3rd was a mistake on Dropbear's end, as far as I can see.

Another thing: for systemd services like the one used on Debian, shall I add the journalmatch right here? Of course we would need to assume that the units and identifiers are the same on other distros, since there is none provided upstream:

journalmatch = _SYSTEMD_UNIT=dropbear.service + _COMM=dropbear

@sebres (Contributor) left a review comment

> Another thing: For systemd services like used on Debian, shall I add the journalmatch right here?

Sure.

Review thread on config/filter.d/dropbear.conf (outdated, resolved)
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags to run it in the foreground and have it log to STDOUT instead of syslog.

As usual, timestamps and also the PID are now included in the log message emitted by Dropbear, in addition to the systemd journal log prefix.

The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as an optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without the `-E` flag.

Additionally, for performance reasons, this commit adds a `journalmatch` entry matching Debian's and Fedora's `dropbear.service` with the `dropbear` executable/identifier, the most likely match for a Dropbear systemd service.

Signed-off-by: MichaIng <micha@dietpi.com>
sebres and others added 3 commits July 11, 2024 15:27
Dropbear uses `strftime` `"%b %d %H:%M:%S"` to print its timestamps, hence we know the day and time format, but the month could be localized. We hence allow any 3 word characters for it, and additionally simplify the day and time pattern into a single group.

Signed-off-by: MichaIng <micha@dietpi.com>