Public bug reported:
auth.log shows entries like this:

2026-03-23T15:45:55.515566+00:00 hostname sshd[2265]: Connection closed by authenticating user sysadmin 94.16.111.51 port 32964 [preauth]

but fail2ban does not catch those.

Login probes for non-existing usernames are found by fail2ban like:

2026-03-23T15:51:28.603417+00:00 hostname sshd[2443]: Invalid user php from 94.16.111.51 port 46396

Therefore detection evasion is possible in the current package release by using existing usernames...

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: fail2ban 1.0.2-3ubuntu0.1
ProcVersionSignature: Ubuntu 6.8.0-106.106-generic 6.8.12
Uname: Linux 6.8.0-106-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudBuildName: server
CloudID: nocloud
CloudName: unknown
CloudPlatform: nocloud
CloudSerial: 20240601
CloudSubPlatform: config-disk (/dev/sr0)
Date: Mon Mar 23 15:58:41 2026
PackageArchitecture: all
ProcEnviron:
 LANG=C.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm
 XDG_RUNTIME_DIR=<set>
SourcePackage: fail2ban
UpgradeStatus: Upgraded to noble on 2026-03-23 (0 days ago)

** Affects: fail2ban (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug cloud-image noble
https://bugs.launchpad.net/bugs/2145542
Title:
fail2ban does not catch login probes for existing user accounts
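
The gap described in the report, as an added example that is not part of the original report and not fail2ban's own code: a small Python scan that counts both line types quoted above per source address, so probes against existing accounts are tallied alongside "Invalid user" probes. The regular expressions, the `max_retry` and `find_time` parameters and the sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in the report (documentation-range IPs).
SAMPLE_LOG = """\
2026-03-23T15:45:55.515566+00:00 hostname sshd[2265]: Connection closed by authenticating user sysadmin 203.0.113.7 port 32964 [preauth]
2026-03-23T15:46:10.101010+00:00 hostname sshd[2270]: Connection closed by authenticating user root 203.0.113.7 port 32970 [preauth]
2026-03-23T15:46:31.202020+00:00 hostname sshd[2281]: Connection closed by authenticating user sysadmin 203.0.113.7 port 32988 [preauth]
2026-03-23T15:51:28.603417+00:00 hostname sshd[2443]: Invalid user php from 198.51.100.9 port 46396
2026-03-23T15:51:40.303030+00:00 hostname sshd[2450]: Invalid user test from 198.51.100.9 port 46402
2026-03-23T15:52:02.404040+00:00 hostname sshd[2461]: Invalid user oracle from 198.51.100.9 port 46410
""".splitlines()

# Hypothetical patterns for this example, not fail2ban's own failregex. They are anchored at the
# end of the line so the address comes from sshd's trailing fields, never from the username.
PREFIX = r"\S+ sshd\[\d+\]: "
PATTERNS = {
    "invalid_user": re.compile(PREFIX + r"Invalid user (?P<user>.*) from (?P<ip>\S+) port \d+$"),
    "closed_preauth": re.compile(PREFIX + r"Connection closed by authenticating user (?P<user>.*) "
                                 r"(?P<ip>\S+) port \d+ \[preauth\]$"),
}

def parse_line(line):
    """Return (timestamp, kind, user, ip) for a probe line, or None for anything else."""
    ts_text, _, rest = line.partition(" ")
    for kind, pattern in PATTERNS.items():
        m = pattern.match(rest)
        if m:
            return datetime.fromisoformat(ts_text), kind, m["user"], m["ip"]
    return None

def find_offenders(lines, kinds=tuple(PATTERNS), max_retry=3, find_time=timedelta(minutes=10)):
    """Map each IP with max_retry matching events inside find_time to the usernames it tried."""
    recent, users, offenders = defaultdict(deque), defaultdict(set), {}
    for event in filter(None, map(parse_line, lines)):
        ts, kind, user, ip = event
        if kind not in kinds:
            continue
        recent[ip].append(ts)
        while ts - recent[ip][0] > find_time:  # drop events older than the window
            recent[ip].popleft()
        users[ip].add(user)
        if len(recent[ip]) >= max_retry:
            offenders[ip] = users[ip]
    return offenders

if __name__ == "__main__":
    print("invalid users only:", find_offenders(SAMPLE_LOG, kinds=("invalid_user",)))
    print("with preauth closes:", find_offenders(SAMPLE_LOG))
```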