Bug 245097 - security/py-fail2ban: Adapt bsd-sshd filter to newer sshd output on all supported releases and CURRENT
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Guido Falsi
Depends on:
Reported: 2020-03-27 11:19 UTC by Guido Falsi
Modified: 2020-03-27 15:33 UTC
theis: maintainer-feedback+
madpilot: merge-quarterly-

patch (1.42 KB, patch)
2020-03-27 11:19 UTC, Guido Falsi
theis: maintainer-approval+
koobs: maintainer-approval+
Description Guido Falsi freebsd_committer 2020-03-27 11:19:00 UTC
Created attachment 212750

I recently noticed fail2ban was not banning ssh failed user logins anymore, so I had a look.

I'm on FreeBSD head and failed logins for non-existing users now look like this:

Mar 25 10:22:08 vogon sshd[1311]: Invalid user mysql from port 40772

There is also the port there.

Not sure when the change happened, so I added a new regexp to the bsd-sshd.conf file.

I'm attaching a patch.
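
A regression check for the symptom reported above, where "Invalid user" lines that carry a trailing port stop being counted. This is an added example, not the attached patch and not code from the port or from fail2ban: the two failregex strings, the IPv4-only stand-in for fail2ban's `<HOST>` tag, and the 192.0.2.10 address in the sample lines are all constructed assumptions.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; an assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex entries, NOT the lines shipped in bsd-sshd.conf.
FAILREGEX = {
    "host-then-eol": r"sshd\[\d+\]: Invalid user \S+ from <HOST>\s*$",
    "host-optional-port":
        r"sshd\[\d+\]: Invalid user \S+ from <HOST>(?: port \d+)?\s*$",
}

# Constructed sample lines (192.0.2.0/24 is a documentation range).
SAMPLES = [
    "Mar 25 10:22:08 vogon sshd[1311]: Invalid user mysql from 192.0.2.10",
    "Mar 25 10:22:08 vogon sshd[1311]: Invalid user mysql from 192.0.2.10 port 40772",
]


def compile_rule(rule):
    """Expand the <HOST> tag and compile the rule."""
    return re.compile(rule.replace("<HOST>", HOST))


def coverage(rules, lines):
    """Return {rule name: [(line, captured host or None), ...]}."""
    report = {}
    for name, rule in rules.items():
        rx = compile_rule(rule)
        rows = []
        for line in lines:
            m = rx.search(line)
            rows.append((line, m.group("host") if m else None))
        report[name] = rows
    return report


def unmatched(rules, lines):
    """Lines no rule matches: failed logins the filter would never count."""
    compiled = [compile_rule(r) for r in rules.values()]
    return [ln for ln in lines if not any(rx.search(ln) for rx in compiled)]


if __name__ == "__main__":
    for name, rows in coverage(FAILREGEX, SAMPLES).items():
        for line, host in rows:
            print(f"{name:20} {'MATCH ' + host if host else 'MISS':18} {line}")
```

Against an installed filter, the `fail2ban-regex` tool shipped with fail2ban performs the same kind of check on a real log file and filter file.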

Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-27 11:23:52 UTC

Is this (output) contingent on syslog or openssh (in base) versions?
Is the output different for non-CURRENT (versions)?
Can this be reported upstream?
Comment 2 Guido Falsi freebsd_committer 2020-03-27 11:43:48 UTC
(In reply to Kubilay Kocak from comment #1)

> Is this (output) contingent on syslog or openssh (in base) versions?

AFAIK this depends on openssh in base.

> Is the output different for non-CURRENT (versions)?

I made a mistake, the output I'm observing is from 12.1. That's the FreeBSD version I have on servers.

A quick test shows the same output on HEAD and also on 11.3 (installed in a VM)

So this affects all currently supported releases.

> Can this be reported upstream?

I don't think so, since these filters are only included in the FreeBSD port, and there is no trace of BSD-specific filters in the upstream repo. I checked this, because my first try at reporting this was to fork their repo on GitHub.
Comment 3 Guido Falsi freebsd_committer 2020-03-27 11:53:21 UTC
This could be a regression brought by the 0.11.1 upgrade. I don't have logs going back then, so I can't say for sure.
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-03-27 11:54:57 UTC
Comment on attachment 212750

If it passes QA (packaging, runtime), this change is:

Approved by: portmgr (blanket: run-time bugfix)

If quarterly is affected:

MFH: 2020Q1 (blanket: run-time bugfix)
Comment 5 theis 2020-03-27 12:26:25 UTC
I wouldn't wait for quarterly merge, the ssh filter is one of the more important ones.

@Guido: will you report to upstream so they can merge your patch?

And on a side note, one patch from me, 244092, is pending. Just saying because we are now both changing the port revision.
Comment 6 Guido Falsi freebsd_committer 2020-03-27 14:15:46 UTC
(In reply to theis from comment #5)

I'm performing proper QA, and will commit ASAP.

A quick test shows quarterly is not affected.

The regression has not been triggered by any change in logging format.

I now think the regression is triggered by the switch to python3, which has a different take on the regexp. I'm not a python expert and don't know how to further check this.

Regarding reporting this upstream, as I said, I have had a look at upstream repository, but the file I modified does not exist there and there is no corresponding regexp in their files, so I would not really know what to report.
Comment 7 Guido Falsi freebsd_committer 2020-03-27 15:27:25 UTC
Not going to merge to quarterly, testing shows it's working fine there.
Comment 8 commit-hook freebsd_committer 2020-03-27 15:30:42 UTC
A commit references this bug:

Author: madpilot
Date: Fri Mar 27 15:29:21 UTC 2020
New revision: 529264
URL: https://svnweb.freebsd.org/changeset/ports/529264

  Add new regexp to match invalid users to bsd-ssh filter.

  I have observed a regression where the old expression was not
  working. Looks like the regression was caused by the migration to
  python 3.

  As far as I can see the quarterly branch is not affected.

  PR:		245097
  Approved by: portmgr (blanket: run-time bugfix)

Comment 9 Guido Falsi freebsd_committer 2020-03-27 15:33:58 UTC
Closing bug.

To theis@gmx.at (maintainer):

Please contact me at my FreeBSD email address for further information on how to report this upstream.