gh-mirrors/openwrt-packages
1
0
Fork 0
mirror of https://github.com/openwrt/packages.git synced 2025-12-10 20:51:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2a202b2091336cd04d58d797021e278ba9d3f5ae
openwrt-packages/net/fail2ban/patches/010-dropbear-regex-fix.patch
Andrey Zotikov 2a202b2091 fail2ban: bump to 1.1.0 
fail2ban changes:
- nftables support (iptables dependency removed)
- python3 support (old package patches removed)
- Upstream patches backports:
  - filter.d/dropbear.conf: failregex extended to match different format of "Exit before auth" message
  - cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd
- Removed unresponsive/unreachable maintainer.

Fixes: https://github.com/openwrt/packages/issues/23015 ("fail2ban: very old version")

Signed-off-by: Andrey Zotikov <andrey.zotikov@gmail.com>
2025-09-28 14:29:07 -03:00

45 lines
2.8 KiB
Diff
Raw Blame History

From f29a49e39c66e43de6cf1d2a9085c00cca5eca99 Mon Sep 17 00:00:00 2001
From: sebres <info@sebres.de>
Date: Fri, 27 Dec 2024 16:43:33 +0100
Subject: [PATCH] `filter.d/dropbear.conf`: failregex extended to match
different format of "Exit before auth" message; closes gh-3791
Upstream-Status: Backport [https://github.com/fail2ban/fail2ban/commit/a796cc9b91656721fee0d1904911101c678452ad]
Signed-off-by: Andrey Zotikov <andrey.zotikov@gmail.com>
---
config/filter.d/dropbear.conf | 7 ++++---
fail2ban/tests/files/logs/dropbear | 8 ++++++++
2 files changed, 12 insertions(+), 3 deletions(-)
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@@ -25,9 +25,10 @@ _daemon = dropbear
prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
-failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
- ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
- ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
+failregex = ^[Ll]ogin attempt for nonexistent user (?:'<F-USER>.*</F-USER>' )?from <HOST>:\d+$
+ ^[Bb]ad (?:PAM )?password attempt for '<F-USER>.+</F-USER>' from <HOST>(?::\d+)?$
+ ^[Ee]xit before auth from \<?<ADDR>:\d+\>?: (?:\([^\)]*\): )?Max auth tries reached - user '<F-USER>.+</F-USER>'\s*$
+ ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '<F-USER>.+</F-USER>' from <HOST>:\d+\s*$
ignoreregex =
--- a/fail2ban/tests/files/logs/dropbear
+++ b/fail2ban/tests/files/logs/dropbear
@@ -13,3 +13,11 @@ Jul 27 01:04:12 fail2ban-test dropbear[1
Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588
# failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794
+
+# failJSON: { "time": "2005-07-10T23:53:52", "match": true , "host": "1.2.3.4", "desc": "extra pid/timestamp may be logged into journal, gh-3597" }
+Jul 10 23:53:52 fail2ban-test dropbear[825]: [825] Jul 10 23:53:52 Bad password attempt for 'root' from 1.2.3.4:52289
+
+# failJSON: { "time": "2005-07-10T23:57:29", "match": true , "host": "192.0.2.3", "desc": "different message format, gh-3791" }
+Jul 10 23:57:29 fail2ban-test dropbear[825]: [825] Jul 10 23:57:29 Exit before auth from <192.0.2.3:52289>: (user 'root', 10 fails): Max auth tries reached - user 'root'
+# failJSON: { "time": "2005-07-10T23:59:24", "match": true , "host": "192.0.2.3", "desc": "different message format, gh-3791" }
+Jul 10 23:59:24 fail2ban-test dropbear[826]: [826] Jul 10 23:59:24 Exit before auth from <192.0.2.3:52325>: Max auth tries reached - user 'is invalid'
Reference in New Issue View Git Blame Copy Permalink