Commit

v9.6
- DietPi-Software | Fail2Ban: Resolved an issue on Debian Bookworm and above, where Dropbear login failures were not detected due to a non-matching default filter. Dropbear runs as native systemd unit since Bookworm, logging to the system journal via STDOUT, which results in a different log entry prefix. The default filter however has not been updated for this. The fix is as well applied to existing Fail2Ban installs, as long as no own override /etc/fail2ban/filter.d/dropbear.local has been created. Many thanks to @ThePlanplan for reporting this issue: #6665
MichaIng committed Jul 7, 2024
1 parent 88dec15 commit 7095f96
Showing 3 changed files with 48 additions and 0 deletions.
26 changes: 26 additions & 0 deletions .update/patches
Expand Up @@ -1710,6 +1710,32 @@ Patch_9_6()
# Remove obsolete drop-in config: https://github.com/MichaIng/DietPi/issues/7104
[[ -f '/etc/systemd/system/ifup@.service.d/dietpi.conf' ]] && G_EXEC rm -R /etc/systemd/system/ifup@.service.d/dietpi.conf
[[ -d '/etc/systemd/system/ifup@.service.d' ]] && G_EXEC rmdir --ignore-fail-on-non-empty /etc/systemd/system/ifup@.service.d

# Fix filter for STDOUT logging since Bookworm: https://github.com/fail2ban/fail2ban/pull/3597
if [[ -f '/etc/fail2ban/filter.d/dropbear.conf' && ! -f '/etc/fail2ban/filter.d/dropbear.local' ]]
then
G_DIETPI-NOTIFY 2 'Fixing Dropbear Fail2Ban filter for STDOUT logging since Bookworm: https://github.com/fail2ban/fail2ban/pull/3597'
cat << '_EOF_' > /etc/fail2ban/filter.d/dropbear.local
[INCLUDES]
before = common.conf
[Definition]
_daemon = dropbear
# Fix filter for STDOUT logging since Bookworm: https://github.com/fail2ban/fail2ban/pull/3597
prefregex = ^%(__prefix_line)s(\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
ignoreregex =
# Add journalmatch to enhance performance since Bookworm
journalmatch = _SYSTEMD_UNIT=dropbear.service + _COMM=dropbear
_EOF_
fi
}

# v6.35 => v7 migration
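
Review bot: The guard `! -f '/etc/fail2ban/filter.d/dropbear.local'` treats any existing dropbear.local as a user override, but once this patch has run, the file DietPi wrote is indistinguishable from one an admin created. A later patch using the same guard can never update or remove it, and because a .local file takes precedence over dropbear.conf, it will keep overriding the packaged filter after the change from fail2ban PR 3597 reaches the package. Consider a first-line marker comment in the heredoc, stating that the file was generated by the DietPi update, which a future patch can check for. Separately, the heredoc write is the only file operation in this hunk not wrapped in G_EXEC, so a failed write goes unnoticed, and nothing here reloads Fail2Ban, so a running instance keeps the non-matching filter until the service is restarted elsewhere in the update.
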
1 change: 1 addition & 0 deletions CHANGELOG.txt
Expand Up @@ -22,6 +22,7 @@ Bug fixes:
- DietPi-Drive_Manager | Resolved an issue, where network drives and potentially mounts in general could be attempted to be unmounted on shutdown, before services which can access them are stopped, leading to hanging shutdown sequences and potentially even data loss. Many thanks to @polite-garlic for reporting this issue: https://dietpi.com/forum/t/20542
- DietPi-Dashboard | Resolved an issue where the installation on RISC-V systems failed.
- DietPi-Software | Node-RED: Resolved an issue where reinstalls/updates failed because of incompatibilities between latest Node.js or global modules with older local instances. Many thanks to @thinkbig1979 for reporting this issue: https://github.com/MichaIng/DietPi/issues/7128
- DietPi-Software | Fail2Ban: Resolved an issue on Debian Bookworm and above, where Dropbear login failures were not detected due to a non-matching default filter. Dropbear runs as native systemd unit since Bookworm, logging to the system journal via STDOUT, which results in a different log entry prefix. The default filter however has not been updated for this. The fix is as well applied to existing Fail2Ban installs, as long as no own override /etc/fail2ban/filter.d/dropbear.local has been created. Many thanks to @ThePlanplan for reporting this issue: https://github.com/MichaIng/DietPi/issues/6665

As always, many smaller code performance and stability improvements, visual and spelling fixes have been done, too much to list all of them here. Check out all code changes of this release on GitHub: https://github.com/MichaIng/DietPi/pull/ADDME
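
Review bot: The new Fail2Ban entry tells admins the fix is skipped when /etc/fail2ban/filter.d/dropbear.local exists, but not that the fix itself works by creating that file. That is worth stating explicitly: an admin who later finds dropbear.local cannot tell from the changelog that DietPi wrote it, and it shadows the packaged dropbear.conf from then on.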

21 changes: 21 additions & 0 deletions dietpi/dietpi-software
Expand Up @@ -7295,6 +7295,27 @@ _EOF_
# Log to systemd by default
G_EXEC eval 'echo -e '\''[Definition]\nlogtarget = SYSOUT'\'' > /etc/fail2ban/fail2ban.d/97_dietpi.conf'

# Fix Dropbear filter for STDOUT logging since Bookworm: https://github.com/fail2ban/fail2ban/pull/3597
[[ -f '/etc/fail2ban/filter.d/dropbear.local' ]] || cat << '_EOF_' > /etc/fail2ban/filter.d/dropbear.local
[INCLUDES]
before = common.conf

[Definition]

_daemon = dropbear

# Fix filter for STDOUT logging since Bookworm: https://github.com/fail2ban/fail2ban/pull/3597
prefregex = ^%(__prefix_line)s(\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$

failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# Add journalmatch to enhance performance since Bookworm
journalmatch = _SYSTEMD_UNIT=dropbear.service + _COMM=dropbear
_EOF_
G_AGI python3-systemd fail2ban
Remove_SysV fail2ban 1
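
Review bot: The write `[[ -f '/etc/fail2ban/filter.d/dropbear.local' ]] || cat << '_EOF_' > /etc/fail2ban/filter.d/dropbear.local` runs before `G_AGI python3-systemd fail2ban`, so on a fresh install the redirect depends on /etc/fail2ban/filter.d already existing, while the visible context only writes to /etc/fail2ban/fail2ban.d. If that directory is not created earlier, the redirect fails and, without G_EXEC or an explicit check, the install carries on with the non-matching default filter. Creating the directory explicitly before the write would make this safe. The filter body is also a second hand-maintained copy of the heredoc in .update/patches; a shared function or file would avoid drift between the two failregex definitions.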
