From nobody Thu Mar 27 15:46:38 2025 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZNp1C0lxBz5rXSf; Thu, 27 Mar 2025 15:46:39 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZNp1B6pRRz3ZYZ; Thu, 27 Mar 2025 15:46:38 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1743090399; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cRorUtpgGDRlHYIdvo4beGe91O2Lu/i5BEPQPOug9V4=; b=Doz81Hn0qrrso+zxEU67MjFU6VGEPN7XTqTANqXcg2/di3iDdVE79BC2YG0iX6fxBTXVZm ifbLp+gEmd+ROQ+q7lbDoZBCisgrWP5CGIeWydfW/AEDQYcaoyYrbsMbYsz/QHjfi2vnIG wieba+9ur6+fsMLpt13iEO0MR/LPTB3yt+4kvTgLQJMcYbWZdD3bmekCyy1aceHDZAdyUl Pm0VAJ1TQNctMb9Igwgj86cXTTYfenT1af/0ExOao4kDoHaESjy2n4PLxByUeyNmPJboK3 3C0GBU0oofUKzkq5O8lfydQobkBSrXf4nuP6NWRU+keU4KKECiAoamOg/whUiQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1743090399; a=rsa-sha256; cv=none; b=bIUoLxuFE5Fgoqj5OfUYTdk0XzSoaM7HCZBLc/2VIwElzzbxWKkS5tmb7s6m8IKi3zKBdl O4+Vlkrlj48sdfQdK5efQI8BPTbo5ZcPPP/MI5aFo03YpZAHbueXJP8IWnxHuiqVcSL+7E HTIMBzfpM3GI4HUInS3VFu/GkhKUZMkxz50blA6X0tXvsWvZjfQVGcAN5IfixPJUVIIoAn x5AeI8iSEJ0dipOtpBx9Qafakuh5+k6w2NTrB4n+uhfQOQc349ro0UqJ5nDKTHzH2M9HXH Ig1eXMF1/gCieryrcipzLu17rcLogXgmqkXPBE6OeiUiH97VWMPbl8yu4sN2HQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1743090399; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cRorUtpgGDRlHYIdvo4beGe91O2Lu/i5BEPQPOug9V4=; b=pA94aDzPTum8FHmYwEzZH+xNvyIPNxX53j0W6vEBkbxYF8/AxscA4g704yCgA6edmvpl69 5wtJDAMM3rHJWGxgGUDtGMOnhO0L1tm6UISyNmrwpb4S35l+glUfVrLhygWj+sGHGtxmMz VPKDHE4NHuVcHO4J3fxso+oUVL6d21YfaZ/OJWtYAyGy/7GFMIrJrErQBHs15Jlpm0JNSr yY7B7jyZfBv792kqcCDF16X0F/zu05VciiUycAR3ew7CVRQgGRpGkogjIyqWkLig5qxjtH ottYe22UszB0d1lrWjmnoiPVUhSVc3cHIzu83AaspRTzEXAy1ZOELC6Zwdz16Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4ZNp1B5xMpz13HS; Thu, 27 Mar 2025 15:46:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 52RFkcsx050748; Thu, 27 Mar 2025 15:46:38 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 52RFkcc8050745; Thu, 27 Mar 2025 15:46:38 GMT (envelope-from git) Date: Thu, 27 Mar 2025 15:46:38 GMT Message-Id: <202503271546.52RFkcc8050745@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Cy Schubert Subject: git: c98813ccb078 - main - security/py-fail2ban: Add support for sshd-session List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-main@freebsd.org Sender: owner-dev-commits-ports-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cy X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: c98813ccb07851890f73f442be26ce530b6744d0 Auto-Submitted: auto-generated The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/ports/commit/?id=c98813ccb07851890f73f442be26ce530b6744d0 commit c98813ccb07851890f73f442be26ce530b6744d0 Author: Cy Schubert AuthorDate: 2025-03-27 15:44:16 +0000 Commit: Cy Schubert CommitDate: 2025-03-27 15:44:16 +0000 security/py-fail2ban: Add support for sshd-session Now that sshd has been split into sshd and sshd-session, sshd-session is now the producer of syslog messages. We cannot replace the existing *sshd.conf files because this port must also run on older systems with older OpenSSH. Therefore we add new filters to support both. Reported by: sef (private email) MFH: 2025Q1 --- security/py-fail2ban/Makefile | 2 +- .../patch-config_filter.d_bsd-sshd-session.conf | 44 +++++++ .../files/patch-config_filter.d_sshd-session.conf | 142 +++++++++++++++++++++ 3 files changed, 187 insertions(+), 1 deletion(-) diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile index cbc9cd490909..eb08a64c5e1c 100644 --- a/security/py-fail2ban/Makefile +++ b/security/py-fail2ban/Makefile @@ -1,6 +1,6 @@ PORTNAME= fail2ban DISTVERSION= 1.1.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf b/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf new file mode 100644 index 000000000000..ad786447e655 --- /dev/null +++ b/security/py-fail2ban/files/patch-config_filter.d_bsd-sshd-session.conf @@ -0,0 +1,44 @@ +--- bsd-sshd-session.conf.orig 2025-03-27 08:35:58.483811000 -0700 ++++ bsd-sshd-session.conf 2025-03-27 08:41:34.639425000 -0700 +@@ -0,0 +1,41 @@ ++# Fail2Ban configuration file ++# ++# Author: Cyril Jaquier ++# ++# $Revision: 663 $ ++# ++ ++[INCLUDES] ++ ++# Read common prefixes. If any customizations available -- read them from ++# common.local ++before = common.conf ++ ++ ++[Definition] ++ ++_daemon = sshd-session ++ ++# Option: failregex ++# Notes.: regex to match the password failures messages in the logfile. The ++# host must be matched by a group named "host". The tag "" can ++# be used for standard IP/hostname matching and is only an alias for ++# (?:::f{4,6}:)?(?P\S+) ++# Values: TEXT ++# ++failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from \s*$ ++ ^%(__prefix_line)sDid not receive identification string from $ ++ ^%(__prefix_line)sFailed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?$ ++ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ++ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ++ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from port \d*$ ++ ^%(__prefix_line)sUser \S+ from not allowed because not listed in AllowUsers$ ++ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$ ++ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ++ ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[\] .* POSSIBLE BREAK-IN ATTEMPT!$ ++ ++# Option: ignoreregex ++# Notes.: regex to ignore. If this regex matches, the line is ignored. ++# Values: TEXT ++# ++ignoreregex = diff --git a/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf b/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf new file mode 100644 index 000000000000..3f4310c54c0f --- /dev/null +++ b/security/py-fail2ban/files/patch-config_filter.d_sshd-session.conf @@ -0,0 +1,142 @@ +--- sshd-session.conf.orig 2025-03-27 08:42:15.550403000 -0700 ++++ sshd-session.conf 2025-03-27 08:42:34.056893000 -0700 +@@ -0,0 +1,139 @@ ++# Fail2Ban filter for openssh ++# ++# If you want to protect OpenSSH from being bruteforced by password ++# authentication then get public key authentication working before disabling ++# PasswordAuthentication in sshd_config. ++# ++# ++# "Connection from port \d+" requires LogLevel VERBOSE in sshd_config ++# ++ ++[INCLUDES] ++ ++# Read common prefixes. If any customizations available -- read them from ++# common.local ++before = common.conf ++ ++[DEFAULT] ++ ++_daemon = sshd-session ++ ++# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " ++__pref = (?:(?:error|fatal): (?:PAM: )?)? ++# optional suffix (logged from several ssh versions) like " [preauth]" ++#__suff = (?: port \d+)?(?: \[preauth\])?\s* ++__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s* ++__on_port_opt = (?: (?:port \d+|on \S+)){0,2} ++# close by authenticating user (don't use after %(__authng_user)s because of catch-all `.*?`): ++__authng_user = (?: (?:by|from))?(?: (?:invalid|authenticating) user \S+|.*?)?(?: from)? ++ ++# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", ++# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors. ++__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+) ++ ++# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`: ++__pam_auth = pam_[a-z]+ ++ ++[Definition] ++ ++prefregex = ^%(__prefix_line)s%(__pref)s.+$ ++ ++cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*? (?:from )?( via \S+)?%(__suff)s$ ++ ^User not known to the underlying authentication module for .*? (?:from )?%(__suff)s$ ++ > ++ ^Failed for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) ++ ^ROOT LOGIN REFUSED FROM ++ ^[iI](?:llegal|nvalid) user .*? (?:from )?%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because not listed in AllowUsers%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because listed in DenyUsers%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because not in any group%(__suff)s$ ++ ^refused connect from \S+ \(\) ++ ^Received disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because a group is listed in DenyGroups%(__suff)s$ ++ ^User \S+|.*? (?:from )? not allowed because none of user's groups are listed in AllowGroups%(__suff)s$ ++ ^%(__pam_auth)s\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=\S*\s+rhost=(?:\s+user=\S*)?%(__suff)s$ ++ ^maximum authentication attempts exceeded for (?:invalid user )?.*? (?:from )?%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$ ++ ^User \S+|.*? not allowed because account is locked%(__suff)s ++ ^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user \S+ %(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$ ++ ^Disconnecting: Too many authentication failures(?: for \S+|.*?)?%(__suff)s$ ++ ^Received disconnect from %(__on_port_opt)s:\s*11: ++ -other> ++ ^Accepted \w+ for \S+ from (?:\s|$) ++ ++cmnfailed-any = \S+ ++cmnfailed-ignore = \b(?!publickey)\S+ ++cmnfailed-invalid = ++cmnfailed-nofail = (?:publickey|\S+) ++cmnfailed = > ++ ++mdre-normal = ++# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode) ++mdre-normal-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$ ++ ++mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for) ++ ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer)) ++ ^Bad protocol version identification '(?:[^']|.*?)' (?:from )?%(__suff)s$ ++ ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+: ++ ^Read from socket failed: Connection reset by peer ++ ^(?:banner exchange|ssh_dispatch_run_fatal): Connection from <__on_port_opt>: (?:invalid format|(?:message authentication code incorrect|[Cc]onnection corrupted) \[preauth\]) ++ ++# same as mdre-normal-other, but as failure (without with [preauth] and with on no preauth phase as helper to identify address): ++mdre-ddos-other = ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s %(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?\s+\[preauth\]\s*$ ++ ^(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))%(__authng_user)s (?:%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?|\s*)$ ++ ++mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available ++ ^Unable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found. ++ ^Unable to negotiate a <__alg_match> ++ ^no matching <__alg_match> found: ++# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only: ++mdre-extra-other = ^Disconnected(?: from)?(?: (?:invalid|authenticating)) user \S+|.*? (?:from )?%(__on_port_opt)s \[preauth\]\s*$ ++ ++mdre-aggressive = %(mdre-ddos)s ++ %(mdre-extra)s ++# mdre-extra-other is fully included within mdre-ddos-other: ++mdre-aggressive-other = %(mdre-ddos-other)s ++ ++# Parameter "publickey": nofail (default), invalid, any, ignore ++publickey = nofail ++# consider failed publickey for invalid users only: ++cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) ++# consider failed publickey for valid users too (don't need RE, see cmnfailed): ++cmnfailre-failed-pub-any = ++# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed): ++cmnfailre-failed-pub-nofail = ++# don't consider failed publickey as failures (don't need RE, see cmnfailed): ++cmnfailre-failed-pub-ignore = ++ ++cfooterre = ^Connection from ++ ++failregex = %(cmnfailre)s ++ > ++ %(cfooterre)s ++ ++# Parameter "mode": normal (default), ddos, extra or aggressive (combines all) ++# Usage example (for jail.local): ++# [sshd] ++# mode = extra ++# # or another jail (rewrite filter parameters of jail): ++# [sshd-aggressive] ++# filter = sshd[mode=aggressive] ++# ++mode = normal ++ ++#filter = sshd[mode=aggressive] ++ ++ignoreregex = ++ ++maxlines = 1 ++ ++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd ++ ++# DEV Notes: ++# ++# "Failed \S+ for .*? from ..." failregex uses non-greedy catch-all because ++# it is coming before use of which is not hard-anchored at the end as well, ++# and later catch-all's could contain user-provided input, which need to be greedily ++# matched away first. ++# ++# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres ++# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.