Modify fail2ban failregex to match failed public key authentications via ssh

Question

fail2ban doesn't recognize failed public key ssh logins and I assume that this can be solved by modifying the failregex of /etc/fail2ban/filter.d/sshd.config to match the following line:

<date> <time> <server-hostname> sshd[25917]: Connection closed by <client-ip> [preauth]

But I can't find a decent introduction on how to correctly modify said failregex. As I don't really know what variables like ^%(__prefix_line)s include it's hard to get a working regex.

I understand that the most recent version 0.9.1 includes the regex to matche the "Connection closed by [preauth]" line, but I'm using fai2ban from the Debian repository and the configuration of 0.9.1 is not compatible with the one I have.

score 19 · Answer 1 · answered Jan 16 '20 at 03:33

No regex hacking is required (at least since fail2ban 0.10.4). In /etc/fail2ban/jail.conf is the following information:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal

So follow the recommendations by creating /etc/fail2ban/jail.local with your other customisations, along with one of the more stringent modes, for example,

[sshd]
mode   = aggressive

This mode now covers failed public keys.

score 12 · Accepted Answer · answered Apr 29 '15 at 13:04

This line does it:

^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$

Tested with the following logstring:

Apr 29 12:30:12 sendai sshd[25917]: Connection closed by 127.0.0.1 [preauth]

Successfully tested with:

$ fail2ban-regex ~/ssh.log sshd.conf 

Running tests
=============

Use regex file : sshd.conf
Use log file   : /home/user/ssh.log


Results
=======

Failregex
|- Regular expressions:
[...]
|  [12] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Connection closed by <HOST> \[preauth\]$
|
`- Number of matches:
[...]
   [12] 1 match(es)

Summary
=======

Addresses found:
[...]
[12]
    127.0.0.1 (Wed Apr 29 12:30:12 2015)
[..]

Success, the total number of match is 1

score 6 · Answer 3 · answered Feb 21 '17 at 11:48

6

At least in openssh 7.3 the log messages also contain a port number. So I had to modify sebix's solution to the following:

^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$

answered Feb 21 '17 at 11:48

code-chicken

161

score 4 · Answer 4 · answered Apr 14 '19 at 14:03

On Ubuntu 18.04 with OpenSSH 7.6p1 I had to extend the "cmnfailre" rules in /etc/fail2ban/filter.d/sshd.conf by

^%(__prefix_line)sConnection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \d+ \[preauth\]$

to match ssh login attempts without correct ssh key:

Apr 14 15:27:15 ubuntu-server sshd[8719]: Connection closed by authenticating user root x.x.x.x port 42664 [preauth]
Apr 14 15:27:15 ubuntu-server sshd[8721]: Connection closed by authenticating user root x.x.x.x port 42666 [preauth]
Apr 14 15:27:16 ubuntu-server sshd[8723]: Connection closed by authenticating user root x.x.x.x port 42668 [preauth]
Apr 14 15:27:16 ubuntu-server sshd[8725]: Connection closed by authenticating user root x.x.x.x port 42670 [preauth]
Apr 14 15:27:17 ubuntu-server sshd[8727]: Connection closed by authenticating user root x.x.x.x port 42672 [preauth]

score 1 · Answer 5 · answered Sep 03 '17 at 10:39

For me, this works better, as I get tons of legit log entries, matching the "Connection closed" regex, at least in OpenSSH 6.6.1 variations. Believe it also covers the new OpenSSH log format, which includes "port":

^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$

$ cat /etc/*relea* | grep -i desc
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"

$ fail2ban-regex /var/log/auth.log filter.d/sshd.conf

Running tests
=============

Use   failregex file : filter.d/sshd.conf
Use         log file : /var/log/auth.log


Results
=======

Failregex: 39 total
|-  #) [# of hits] regular expression
|  12) [16] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Did not receive identification string from <HOST>\s*$
|  13) [23] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Received disconnect from <HOST>: (port \d*: ){,1}11: (Bye Bye){,1} \[preauth\]\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [62412] MONTH Day Hour:Minute:Second
`-

Lines: 62412 lines, 0 ignored, 39 matched, 62373 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 62373 lines

$ grep "Did not receive identification string from" /var/log/auth.log | wc -l
16
$ grep "Received disconnect from" /var/log/auth.log | grep -v x.x.x.x | wc -l
23

score 0 · Answer 6 · answered Jun 19 '21 at 20:35

In 2021, in Debian with fail2ban=0.11.2-1 (from Bullseye), all you have to do is to add

mode = aggressive

line to /etc/fail2ban/jail.d/defaults-debian.conf file, under [sshd] section. That bans everyone which attempts to login as valid user using wrong public key. No need to do anything else.

Modify fail2ban failregex to match failed public key authentications via ssh

6 Answers6