Created attachment 212750: patch

Hi,

I recently noticed fail2ban was not banning ssh failed user logins anymore, so I had a look. I'm on FreeBSD head and failed logins for non-existing users now look like this:

Mar 25 10:22:08 vogon sshd[1311]: Invalid user mysql from 220.149.231.165 port 40772

There is also the port there. Not sure when the change happened, so I added a new regexp to the bsd-sshd.conf file. I'm attaching a patch.

Thanks!
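An added example, not part of the original report and not the regexp from the attached patch: a small Python check that a candidate "Invalid user" pattern matches the log line quoted above both with and without the trailing port. The names `HOST`, `INVALID_USER` and `banned_host` are hypothetical, and `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also accepts IPv6 addresses and host names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical pattern, NOT the one shipped in bsd-sshd.conf.
# - "(?: port \d+)?" accepts the line with or without the port suffix.
# - "$" pins the match to the end of the line, so the captured address is
#   the peer address sshd appended, not text inside the logged user name.
INVALID_USER = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: "
    r"Invalid user .*? from " + HOST + r"(?: port \d+)?\s*$"
)

def banned_host(line):
    """Return the address a ban would apply to, or None if no match."""
    m = INVALID_USER.match(line)
    return m.group("host") if m else None

# First line is quoted from the report; the rest are constructed samples.
SAMPLES = [
    "Mar 25 10:22:08 vogon sshd[1311]: Invalid user mysql from 220.149.231.165 port 40772",
    "Mar 25 10:22:09 vogon sshd[1312]: Invalid user mysql from 198.51.100.7",
    "Mar 25 10:22:10 vogon sshd[1313]: Invalid user a from 192.0.2.9 from 198.51.100.7 port 2200",
    "Mar 25 10:22:11 vogon sshd[1314]: Accepted publickey for root from 198.51.100.7 port 2201 ssh2",
]

def check_samples():
    """Run every sample through the pattern, in order."""
    return [banned_host(line) for line in SAMPLES]

if __name__ == "__main__":
    for line, host in zip(SAMPLES, check_samples()):
        print(f"{host or 'no match':>16}  {line}")
```

On a host with fail2ban installed, the `fail2ban-regex` tool performs the same kind of check against the real filter file and a real log.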
@Guido

Is this (output) contingent on syslog or openssh (in base) versions?

Is the output different for non-CURRENT (versions)?

Can this be reported upstream?
(In reply to Kubilay Kocak from comment #1)

> Is this (output) contingent on syslog or openssh (in base) versions?

AFAIK this depends on openssh in base.

> Is the output different for non-CURRENT (versions)

I made a mistake, the output I'm observing is from 12.1. That's the FreeBSD version I have on servers.

A quick test shows the same output on HEAD and also on 11.3 (installed in a VM).

So this affects all currently supported releases.

> Can this be reported upstream?

I don't think so, since these filters are only included in the FreeBSD port, and there is no trace of BSD-specific filters in the upstream repo. I checked this, because my first try at reporting this was to fork their repo on GitHub.
This could be a regression brought by the 0.11.1 upgrade. I don't have logs going back then, so I can't say for sure.
Comment on attachment 212750: patch

If it passes QA (packaging, runtime), this change is:

Approved by: portmgr (blanket: run-time bugfix)

If quarterly is affected:

MFH: 2020Q1 (blanket: run-time bugfix)
I wouldn't wait for quarterly merge, the ssh filter is one of the more important ones. @Guido: will you report to upstream so they can merge your patch? And on a side note, one patch from me, 244092, is pending. Just saying because we are now both changing the port revision.
(In reply to theis from comment #5)

I'm performing proper QA, and will commit ASAP.

A quick test shows quarterly is not affected. The regression has not been triggered by any change in logging format. I now think the regression is triggered by the switch to python3, which has a different take on the regexp. I'm not a python expert and don't know how to further check this.

Regarding reporting this upstream, as I said, I have had a look at the upstream repository, but the file I modified does not exist there and there is no corresponding regexp in their files, so I would not really know what to report.
Not going to merge to quarterly, testing shows it's working fine there.
A commit references this bug:

Author: madpilot
Date: Fri Mar 27 15:29:21 UTC 2020
New revision: 529264
URL: https://svnweb.freebsd.org/changeset/ports/529264

Log:
  Add new regexp to match invalid users to bsd-ssh filter.

  I have observed a regression where the old expression was not working. Looks like the regression was caused by the migration to python 3.

  As far as I can see the quarterly branch is not affected.

  PR: 245097
  Approved by: portmgr (blanket: run-time bugfix)

Changes:
  head/security/py-fail2ban/Makefile
  head/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd.conf
Closing bug. To theis@gmx.at (maintainer): Please contact me at my FreeBSD email address for further information on how to report this upstream.