commit: 9c6262037269150abc0c2d25dc91eb1b5f4f7f32 Author: Ulrich Müller <ulm <AT> gentoo <DOT> org> AuthorDate: Sat Sep 27 16:50:39 2025 +0000 Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org> CommitDate: Sun Sep 28 04:14:56 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c626203
net-analyzer/fail2ban: Fix mdre-ddos regex in filter.d/sshd.conf The current regex doesn't match the following log entry: Sep 27 12:34:56 myhost sshd[12345]: Timeout before authentication for connection from 192.0.2.25 to 203.0.113.78, pid = 6789 Closes: https://bugs.gentoo.org/963511 Reviewed-by: Sam James <sam <AT> gentoo.org> Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org> ...an-1.1.0-r5.ebuild => fail2ban-1.1.0-r6.ebuild} | 1 + .../fail2ban/files/fail2ban-1.1.0-sshd-ddos.patch | 33 ++++++++++++++++++++++ 2 files changed, 34 insertions(+)
diff --git a/net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild b/net-analyzer/fail2ban/fail2ban-1.1.0-r6.ebuild
similarity index 98%
rename from net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild
rename to net-analyzer/fail2ban/fail2ban-1.1.0-r6.ebuild
index b187290650fb..0cd44babae39 100644
--- a/net-analyzer/fail2ban/fail2ban-1.1.0-r5.ebuild
+++ b/net-analyzer/fail2ban/fail2ban-1.1.0-r6.ebuild
@@ -61,6 +61,7 @@ PATCHES=(
 "${FILESDIR}"/${PN}-1.1.0-systemd-order.patch
 "${FILESDIR}"/${PN}-1.1.0-postfix-pref.patch
 "${FILESDIR}"/${PN}-1.1.0-postfix-ddos.patch
+ "${FILESDIR}"/${PN}-1.1.0-sshd-ddos.patch
 )
 
 src_prepare() {
diff --git a/net-analyzer/fail2ban/files/fail2ban-1.1.0-sshd-ddos.patch b/net-analyzer/fail2ban/files/fail2ban-1.1.0-sshd-ddos.patch
new file mode 100644
index 000000000000..6a19031ca406
--- /dev/null
+++ b/net-analyzer/fail2ban/files/fail2ban-1.1.0-sshd-ddos.patch
@@ -0,0 +1,33 @@
+https://github.com/fail2ban/fail2ban/issues/3907
+https://bugs.gentoo.org/963511
+
+commit 89b5f3bb1ecd3789b3271b648eeb83c620668e6f
+Author: Serg G. Brester <[email protected]>
+Date: Thu Dec 26 14:24:15 2024 +0100
+
+ `filter.d/sshd.conf`: `ddos` and `aggressive` modes, regex extended for timeout before authentication (optional connection from part);
+ closes gh-3907
+
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -70,7 +70,7 @@
+ # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
+ mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET></F-NOFAIL>%(__authng_user)s <ADDR>%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$
+ 
+-mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for) <HOST>
++mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for(?: connection from)?) <HOST>
+ ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
+ ^Bad protocol version identification '(?:[^']|.*?)' (?:from )?<HOST>%(__suff)s$
+ ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
+--- a/fail2ban/tests/files/logs/sshd
++++ b/fail2ban/tests/files/logs/sshd
+@@ -360,6 +360,9 @@
+ # failJSON: { "match": false, "desc": "Connection reset already triggered above (known IP, no-fail helper unused here)" }
+ Jun 7 04:29:10 host sshd[649921]: Connection reset by 192.0.2.16 port 51280
+ 
++# failJSON: { "time": "2005-06-10T09:43:06", "match": true , "host": "192.0.2.17", "desc": "ddos: timeout ...
connection from, gh-3907" }
++Jun 10 09:43:06 host sshd[3801]: Timeout before authentication for connection from 192.0.2.17 to 127.0.0.1, pid = 29098
++
+ # filterOptions: [{"mode": "extra"}, {"mode": "aggressive"}]
+ 
+ # several other cases from gh-864:
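Review bot: The extended `mdre-ddos` alternative on the `++mdre-ddos = ...` line of the inner sshd.conf hunk still ends at `<HOST>` with no `%(__suff)s$`, so the ` to 127.0.0.1, pid = 29098` tail of the new test entry is accepted only because that pattern, unlike the `^Bad protocol version identification ... <HOST>%(__suff)s$` line two below it, is unanchored at the end. Nothing in the patch records that the open tail is intentional, so a later tightening of the pattern would silently regress the entry this revision fixes. Since the file appears to be a straight backport of upstream 89b5f3bb, the remark belongs in the patch header rather than the hunk, e.g. `Note: mdre-ddos is deliberately left unanchored after <HOST>; the sshd test log entry below covers the ' to <ip>, pid = <n>' tail.` placed after the bugs.gentoo.org line.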
