I decided to try dropbear for the SSH server on my VPS (edit: moved back to OpenSSH, the saved memory is not worth the configuring of multiple supporting packages (logwatch, fail2ban,...) plus it's not got an AllowUsers equivalent). It's got a smaller memory footprint to be sure, but the support from tools like fail2ban are a bit lacking, not helped by the logging that splits the client address and the failure message into separate lines. A Fail2ban filter file for dropbear is available from http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches. That page also has a patch for dropbear to enable it to log failure messages with the client address on a single line (I did not use this patch, I used the standard Debian package). However, after putting the dropbear.conf file in /etc/fail2ban/filter.d and adding a jail in /etc/fail2ban/jail.conf, it did not work. It turns out that the <HOST> regex (short for (?:::f{4,6}:)?(?P<host>\S+) )from fail2ban is matching the IP address and port, and fail2ban tries to do a reverse lookup of the whole thing (e.g. "127.0.0.1:1234") and fails.To fix this, just add a :\d+ after <HOST> to match the port number. This will ensure fail2ban only gets the IP address, without the port number.Note: I ran dropbear from inetd. Maybe run as a daemon it won't include the port number (doubtful looking at the code). To recap, here are the original failregex lines for unmodified dropbear from the config file: failregex = ^%(__prefix_line)slogin attempt for nonexistent user from <HOST>\s*$ ^%(__prefix_line)sbad password attempt for .+ from <HOST>\s*$ ... and here are the lines after matching the port: failregex = ^%(__prefix_line)slogin attempt for nonexistent user from <HOST>:\d+\s*$ ^%(__prefix_line)sbad password attempt for .+ from <HOST>:\d+\s*$ Also, small note to myself, when running fail2ban-regex from /etc/fail2ban/filter.d e.g. fail2ban-regex "some log line" somefilter.conf I get this error:ConfigParser.InterpolationMissingOptionError: Bad value substitution: section: [Definition] option : failregex key : __prefix_line This is probably caused by fail2ban failing to find the common.conf file which defines __prefix_line Solution: use absolute path /etc/fail2ban/filter.d/somefilter.conf for the filter file name. Strangely running it from /etc/fail2ban e.g. fail2ban-regex "some log line" filter.d/somefilter.conf works fine. Probably just needs to find a slash in the filter file name somewhere. |
Random Notes >