From c98813ccb07851890f73f442be26ce530b6744d0 Mon Sep 17 00:00:00 2001 From: Cy Schubert Date: Thu, 27 Mar 2025 08:44:16 -0700 Subject: [PATCH] security/py-fail2ban: Add support for sshd-session Now that sshd has been split into sshd and sshd-session, sshd-session is now the producer of syslog messages. We cannot replace the existing *sshd.conf files because this port must also run on older systems with older OpenSSH. Therefore we add new filters to support both. Reported by: sef (private email) MFH: 2025Q1 --- security/py-fail2ban/Makefile | 2 +- ...atch-config_filter.d_bsd-sshd-session.conf | 44 ++++++ .../patch-config_filter.d_sshd-session.conf | 142 ++++++++++++++++++ 3 files changed, 187 insertions(+), 1 deletion(-) create mode 100644 security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf create mode 100644 security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile index cbc9cd490909..eb08a64c5e1c 100644 --- a/security/py-fail2ban/Makefile +++ b/security/py-fail2ban/Makefile @@ -1,6 +1,6 @@ PORTNAME= fail2ban DISTVERSION= 1.1.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf b/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf new file mode 100644 index 000000000000..ad786447e655 --- /dev/null +++ b/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf @@ -0,0 +1,44 @@ +--- bsd-sshd-session.conf.orig 2025-03-27 08:35:58.483811000 -0700 ++++ bsd-sshd-session.conf 2025-03-27 08:41:34.639425000 -0700 +@@ -0,0 +1,41 @@ ++# Fail2Ban configuration file ++# ++# Author: Cyril Jaquier ++# ++# $Revision: 663 $ ++# ++ ++[INCLUDES] ++ ++# Read common prefixes. If any customizations available -- read them from ++# common.local ++before = common.conf ++ ++ ++[Definition] ++ ++_daemon = sshd-session ++ ++# Option: failregex ++# Notes.: regex to match the password failures messages in the logfile. The ++# host must be matched by a group named "host". The tag "" can ++# be used for standard IP/hostname matching and is only an alias for ++# (?:::f{4,6}:)?(?P\S+) ++# Values: TEXT ++# ++failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from \s*$ ++ ^%(__prefix_line)sDid not receive identification string from $ ++ ^%(__prefix_line)sFailed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?$ ++ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ++ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ++ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from port \d*$ ++ ^%(__prefix_line)sUser \S+ from not allowed because not listed in AllowUsers$ ++ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$ ++ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ++ ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[\] .* POSSIBLE BREAK-IN ATTEMPT!$ ++ ++# Option: ignoreregex ++# Notes.: regex to ignore. If this regex matches, the line is ignored. ++# Values: TEXT ++# ++ignoreregex = diff --git a/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf b/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf new file mode 100644 index 000000000000..3f4310c54c0f --- /dev/null +++ b/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf @@ -0,0 +1,142 @@ +--- sshd-session.conf.orig 2025-03-27 08:42:15.550403000 -0700 ++++ sshd-session.conf 2025-03-27 08:42:34.056893000 -0700 +@@ -0,0 +1,139 @@ ++# Fail2Ban filter for openssh ++# ++# If you want to protect OpenSSH from being bruteforced by password ++# authentication then get public key authentication working before disabling ++# PasswordAuthentication in sshd_config. ++# ++# ++# "Connection from port \d+" requires LogLevel VERBOSE in sshd_config ++# ++ ++[INCLUDES] ++ ++# Read common prefixes. If any customizations available -- read them from ++# common.local ++before = common.conf ++ ++[DEFAULT] ++ ++_daemon = sshd-session ++ ++# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " ++__pref = (?:(?:error|fatal): (?:PAM: )?)? ++# optional suffix (logged from several ssh versions) like " [preauth]" ++#__suff = (?: port \d+)?(?: \[preauth\])?\s* ++__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s* ++__on_port_opt = (?: (?:port \d+|on \S+)){0,2} ++# close by authenticating user (don't use after %(__authng_user)s because of catch-all `.*?`): ++__authng_user = (?: (?:by|from))?(?: (?:invalid|authenticating) user \S+|.*?)?(?: from)? ++ ++# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", ++# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors. ++__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+) ++ ++# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`: ++__pam_auth = pam_[a-z]+ ++ ++[Definition] ++ ++prefregex = ^%(__prefix_line)s%(__pref)s.+$ ++ ++cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*? (?:from )?( via \S+)?%(__suff)s$ ++ ^User not known to the underlying authentication module for .*? (?:from )?%(__suff)s$ ++ > ++ ^Failed for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) ++ ^ROOT LOGIN REFUSED FROM ++ ^[iI](?:llegal|nvalid) user .*? (?:from )?%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because not listed in AllowUsers%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because listed in DenyUsers%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because not in any group%(__suff)s$ ++ ^refused connect from \S+ \(\) ++ ^Received disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because a group is listed in DenyGroups%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because none of user's groups are listed in AllowGroups%(__suff)s$ ++ ^%(__pam_auth)s\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=\S*\s+rhost=(?:\s+user=\S*)?%(__suff)s$ ++ ^maximum authentication attempts exceeded for (?:invalid user )?.*? (?:from )?%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$ ++ ^User \S+|.*? not allowed because account is locked%(__suff)s ++ ^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user \S+ %(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$ ++ ^Disconnecting: Too many authentication failures(?: for \S+|.*?)?%(__suff)s$ ++ ^Received disconnect from %(__on_port_opt)s:\s*11: ++ -other> ++ ^Accepted \w+ for \S+ from (?:\s|$) ++ ++cmnfailed-any = \S+ ++cmnfailed-ignore = \b(?!publickey)\S+ ++cmnfailed-invalid = ++cmnfailed-nofail = (?:publickey|\S+) ++cmnfailed = > ++ ++mdre-normal = ++# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode) ++mdre-normal-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$ ++ ++mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for) ++ ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer)) ++ ^Bad protocol version identification '(?:[^']|.*?)' (?:from )?%(__suff)s$ ++ ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+: ++ ^Read from socket failed: Connection reset by peer ++ ^(?:banner exchange|ssh_dispatch_run_fatal): Connection from <__on_port_opt>: (?:invalid format|(?:message authentication code incorrect|[Cc]onnection corrupted) \[preauth\]) ++ ++# same as mdre-normal-other, but as failure (without with [preauth] and with on no preauth phase as helper to identify address): ++mdre-ddos-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?\s+\[preauth\]\s*$ ++ ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s (?:%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?|\s*)$ ++ ++mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available ++ ^Unable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found. ++ ^Unable to negotiate a <__alg_match> ++ ^no matching <__alg_match> found: ++# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only: ++mdre-extra-other = ^Disconnected(?: from)?(?: (?:invalid|authenticating)) user \S+|.*? (?:from )?%(__on_port_opt)s \[preauth\]\s*$ ++ ++mdre-aggressive = %(mdre-ddos)s ++ %(mdre-extra)s ++# mdre-extra-other is fully included within mdre-ddos-other: ++mdre-aggressive-other = %(mdre-ddos-other)s ++ ++# Parameter "publickey": nofail (default), invalid, any, ignore ++publickey = nofail ++# consider failed publickey for invalid users only: ++cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) ++# consider failed publickey for valid users too (don't need RE, see cmnfailed): ++cmnfailre-failed-pub-any = ++# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed): ++cmnfailre-failed-pub-nofail = ++# don't consider failed publickey as failures (don't need RE, see cmnfailed): ++cmnfailre-failed-pub-ignore = ++ ++cfooterre = ^Connection from ++ ++failregex = %(cmnfailre)s ++ > ++ %(cfooterre)s ++ ++# Parameter "mode": normal (default), ddos, extra or aggressive (combines all) ++# Usage example (for jail.local): ++# [sshd] ++# mode = extra ++# # or another jail (rewrite filter parameters of jail): ++# [sshd-aggressive] ++# filter = sshd[mode=aggressive] ++# ++mode = normal ++ ++#filter = sshd[mode=aggressive] ++ ++ignoreregex = ++ ++maxlines = 1 ++ ++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd ++ ++# DEV Notes: ++# ++# "Failed \S+ for .*? from ..." failregex uses non-greedy catch-all because ++# it is coming before use of which is not hard-anchored at the end as well, ++# and later catch-all's could contain user-provided input, which need to be greedily ++# matched away first. ++# ++# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres ++# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.