fail2ban - Additional regex for sshd filter

I am currently trying to catch failed SSH login attempts with certificate based authentication (certificate correct but wrong password) using fail2ban version 0.11.2-2 (running on Debian 11).

Therefore I created a new file /etc/fail2ban/filter.d/sshd.local with the content

[Definition]
failregex = %(known/failregex)s
            ^%(__prefix_line)sConnection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \d+ \[preauth\]$

so that the filter rule is not overwritten in future updates.

To test this, I caused the situation myself a few times and can confirm with sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.local that the filter finds the log entries:

  1. [88] ^(?:[])?\s*(?:<[^.]+.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?[ *\d+.\d+]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:[\d+])?:\s+[[(]?sshd(?:(\S+))?[])]?:?|[[(]?sshd(?:(\S+))?[])]?:?(?:[\d+])?:?)\s+)?(?:[ID \d+ \S+]\s+)?Connection closed by authenticating user .+ port \d+ [preauth]$

But nothing happens on the filter status:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|   - File list:        /var/log/auth.log
 - Actions
   |- Currently banned: 0
   |- Total banned:     0
    - Banned IP list:

Do you have any ideas what is not working here or where else I should look?

can confirm with fail2ban-regex ... /etc/fail2ban/filter.d/sshd.local that the filter finds the log entries

The default filter (in mode normal) will ignore it, because another already available RE matches first: a helper that records the IP of the session (for other messages in the same session that carry no IP), and the filter stops at the first RE matching the message. fail2ban-regex, by contrast, shows every matching RE, including duplicates.

So you'd also see 20) [88] ... in the output. As well as Lines: N lines, 88 ignored, X matched, Y missed.

To achieve this correctly (without your local modifications at all):

  1. either set filter = %(known/filter)s[publickey=any] in sshd jail (since your version must already support it, see https://github.com/fail2ban/fail2ban/discussions/3176#discussioncomment-1768538 for more information).
  2. or simply set mode = aggressive in sshd jail.

To handle this correctly (with your local modifications):

  1. either rewrite mdre-normal-other, for example in jail.local:

     [sshd]
     filter = %(known/filter)s[mdre-normal-other=""]
     failregex = %(known/failregex)s
                 ^Connection closed by ...

  2. or write your custom RE before the original REs... Just note that newest fail2ban versions would reorder them (https://github.com/fail2ban/fail2ban/pull/3007):

     failregex = ^Connection closed by ...
                 %(known/failregex)s

And don't use %(__prefix_line)s in failregex, because it is already handled in prefregex, so it needs to be written like this:

- ^%(__prefix_line)sConnection ...
+ ^Connection ...
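The first-match behaviour the answer describes, as an added illustration (not fail2ban's code and not the asker's configuration): a small Python model with a prefregex-style prefix stripper, a "nofail" helper RE and the custom RE, run in the three orders discussed above. The regexes and the log lines are simplified, constructed stand-ins, not fail2ban's real expressions.

```python
import re

# Constructed sample auth.log lines (not taken from the question's server).
LOG_LINES = [
    "Nov  5 10:00:01 host sshd[1234]: Connection closed by authenticating user alice 203.0.113.7 port 51234 [preauth]",
    "Nov  5 10:00:05 host sshd[1235]: Accepted publickey for bob from 198.51.100.9 port 40000 ssh2",
]

# Simplified stand-ins for fail2ban's prefregex and its normal-mode helper RE.
# These are illustrative only, not the expressions shipped in sshd.conf.
PREFREGEX = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+sshd\[\d+\]:\s+(?P<content>.*)$")
HELPER_NOFAIL = re.compile(r"^Connection closed by (?:authenticating user \S+ )?(?P<host>\S+)")
CUSTOM_FAIL = re.compile(
    r"^Connection closed by authenticating user (?P<user>\S+) (?P<host>\S+) port \d+ \[preauth\]$"
)

def strip_prefix(line):
    """prefregex step: remove the syslog/sshd prefix, keep only the message content."""
    m = PREFREGEX.match(line)
    return m.group("content") if m else None

def first_match(content, regexes):
    """Model of the jail filter: stop at the first RE that matches the message."""
    for name, rx, counts_as_failure in regexes:
        if rx.match(content):
            return name, counts_as_failure
    return None, False

def all_matches(content, regexes):
    """Model of fail2ban-regex output: report every RE that matches, duplicates included."""
    return [name for name, rx, _ in regexes if rx.match(content)]

def failures(lines, regexes):
    """Count lines the filter would treat as failures under first-match semantics."""
    hits = 0
    for line in lines:
        content = strip_prefix(line)
        if content is None:
            continue
        _, is_failure = first_match(content, regexes)
        hits += int(is_failure)
    return hits

# Order as in the question's sshd.local: known REs (helper included) first, custom RE appended.
APPENDED = [("helper(nofail)", HELPER_NOFAIL, False), ("custom", CUSTOM_FAIL, True)]
# Order as in the answer's second fix: custom RE placed before the original REs.
PREPENDED = [("custom", CUSTOM_FAIL, True), ("helper(nofail)", HELPER_NOFAIL, False)]
# Answer's first fix: helper switched off (mdre-normal-other="").
HELPER_DISABLED = [("custom", CUSTOM_FAIL, True)]
```

With APPENDED, all_matches() lists both REs (what fail2ban-regex shows) while failures() stays at 0 (what the jail status shows); PREPENDED and HELPER_DISABLED both count the failed attempt.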