sshd.conf empty username in "Invalid user" regexp leads to ipdns warning #2749
Comments
I did not follow something here - such RE matching
If it is caused by this line, you should provide the regexp matching that. As an interim solution (since I never saw sshd logging a hostname normally), you can disable this with
The match comes from the attached filter.d sshd.conf supplied with the Ubuntu 20 fail2ban package, in original, not modified at all. I don't really know which of the lines matches this, but this is the file the match relates to. What I can see: somehow GitHub made `user from` with two blanks show as `user from` with only one blank in the original post above. That's why the regex does not match; the original comment and lines with proper blanks are attached as an excerpt.
You are right (sorry overlooked that):
You have to use markdown formatting to enclose the logs (I modified the original issue). And now it finds the match, but it works as expected:
Note that this regex is anchored from left and right, so it does not matter what the user part before it is.
I still guess it is the other log line, so I repeat: please provide the "whole log excerpt (all messages for sshd[1189074])". Or even grep it by 34916 (or some timestamp).
* replace systemd-journal with the log file name (if it is a log file). Also, to be sure the filter really has an unmodified state (no locals), provide the output of
Thank you for the formatting hint - attached are the grep'ed lines from the two logs (auth.log and fail2ban.log) auth.log.grepped.txt
So yes, you're right, the "closed" line triggers this; I guessed it wrong. Edited the initial post accordingly.
OK, thx! -__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.+?</F-USER>)?
+__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.*?</F-USER>)? I'll also fix current sshd-filter soon. |
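Review bot: the `.+?` to `.*?` change in the `__authng_user` hunk is the right fix for the empty-user case, because `.+?` forced the second user alternative to consume at least one character, so on a line with two blanks after `invalid user` the match had to slide past the address and the `<HOST>` group ended up on the port (the "34916 caught as IP" result reported above); `\S+` stays first in the alternation, so a normal user name still captures as before. Since the lazy `.*?` alternative will accept any text, please add the two-blank line from this issue to the sshd filter's test log so this shape is covered by a regression test rather than only by the fix.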
Environment:
(none, except jail.local config below)
The issue:
sshd logging with empty username leads the regexp to catch the port instead of the ip address and finally results in ipdns warning.
Steps to reproduce
syslog example line:
fail2ban result:
Expected behavior
determining 65.49.20.68 as IP instead of 34916
Observed behavior
port 34916 is caught as the determined IP
Any additional information
Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
```ini
[sshd]
enabled = true
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```
Relevant parts of /var/log/fail2ban.log file:
Relevant lines from monitored log files in question:
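The mis-capture this issue describes, reproduced as an added example (not code from the issue or from the fail2ban project): the `__authng_user` sub-pattern before and after the `.+?` to `.*?` change is wrapped in a simplified stand-in for the sshd filter's "Connection closed by" rule and run over constructed log lines. The `HOST` pattern and the surrounding rule are assumptions that approximate fail2ban's real expansion, not a copy of filter.d/sshd.conf; the sample lines are constructed, not taken from the attached logs.

```python
import re

# Constructed sample log lines (not from the issue's attachments). The first
# has the two blanks an empty user name produces; the rest are ordinary shapes
# of the same sshd "Connection closed by" message.
SAMPLE_LINES = [
    "Connection closed by invalid user  65.49.20.68 port 34916 [preauth]",
    "Connection closed by invalid user admin 10.0.0.5 port 2222 [preauth]",
    "Connection closed by authenticating user root 10.0.0.5 port 2222 [preauth]",
    "Connection closed by 10.0.0.5 port 2222 [preauth]",
]

# <F-USER>...</F-USER> becomes a named group once fail2ban compiles a filter;
# these two strings are the before/after of the change quoted in the thread.
AUTHNG_USER_OLD = r"(?: (?:invalid|authenticating) user (?P<user>\S+|.+?))?"
AUTHNG_USER_NEW = r"(?: (?:invalid|authenticating) user (?P<user>\S+|.*?))?"

# Assumption: a simplified stand-in for fail2ban's <HOST> expansion. The real
# rule in filter.d/sshd.conf has more alternatives; this shape is enough to
# reproduce the wrong capture.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def closed_rule(authng_user):
    """Build a 'Connection closed by' regex around the given user sub-pattern."""
    return re.compile(
        r"^Connection closed by" + authng_user + " " + HOST
        + r"(?: port \d+)?(?: \[preauth\])?\s*$"
    )


def extract(rule, line):
    """Return (host, user) captured by rule, or None when the line does not match."""
    m = rule.match(line)
    if m is None:
        return None
    return m.group("host"), m.group("user")


def compare(lines=SAMPLE_LINES):
    """Run both pattern variants over the lines.

    Returns {line: (result_with_old_pattern, result_with_new_pattern)}.
    With the old pattern the lazy '.+?' must eat at least one character, so on
    the two-blank line it swallows the address and <HOST> lands on the port.
    With '.*?' the user group may be empty and <HOST> captures the address.
    """
    old = closed_rule(AUTHNG_USER_OLD)
    new = closed_rule(AUTHNG_USER_NEW)
    return {line: (extract(old, line), extract(new, line)) for line in lines}


if __name__ == "__main__":
    for line, (before, after) in compare().items():
        print(line)
        print("  .+?  ->", before)
        print("  .*?  ->", after)
```

On the two-blank line the old pattern returns host `34916`, the port, with the address swallowed into the user group; the new pattern returns host `65.49.20.68` and an empty user. The three ordinary lines capture the same host and user under both variants, which is the property a regression test for this change should check.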