I decided to try dropbear as the SSH server on my VPS (edit: I have since moved back to OpenSSH; the saved memory is not worth configuring multiple supporting packages (logwatch, fail2ban, ...), and dropbear has no AllowUsers equivalent). It certainly has a smaller memory footprint, but support from tools like fail2ban is a bit lacking, not helped by logging that splits the client address and the failure message across separate lines.
A Fail2ban filter file for dropbear is available from http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches. That page also has a patch for dropbear that lets it log failure messages with the client address on a single line (I did not use this patch; I used the standard Debian package).
However, after putting the dropbear.conf file in /etc/fail2ban/filter.d and adding a jail in /etc/fail2ban/jail.conf, it did not work. It turns out that the <HOST> regex (short for
To fix this, just add a
Note: I ran dropbear from inetd. Run as a daemon it might not include the port number (doubtful, looking at the code).
To recap, here are the original failregex lines for unmodified dropbear from the config file:
... and here are the lines after matching the port:
This may well fail if the matched IP address is an IPv6 address (which the <HOST> regex does attempt to match), but I won't worry about that since it only listens on IPv4 anyway.
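To see the port problem concretely, here is an added example (mine, not from the post or the linked filter) that expands <HOST> the way fail2ban does and runs a failregex with and without a trailing port match over constructed log lines. The prefix regex and the log lines are assumptions shaped after the post's description, not captured dropbear output.

```python
import re

# The classic <HOST> expansion from the fail2ban 0.8 series: the character
# class has no ':' in it, so "1.2.3.4:54321" cannot be consumed by <HOST>
# alone and a pattern anchored right after <HOST> fails on the port.
HOST_REGEX = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Simplified stand-in for __prefix_line from common.conf (assumption):
# the syslog host, program name and pid that precede the message.
PREFIX_LINE = r"^\S+ dropbear\[\d+\]: "

# Constructed sample lines in the shape the post describes (client address
# and port joined with ':'); not real dropbear output.
SAMPLE_LOG = [
    "vps dropbear[2101]: Bad password attempt for 'root' from 192.0.2.10:41234",
    "vps dropbear[2102]: Login attempt for nonexistent user from 192.0.2.11:41235",
    "vps dropbear[2103]: Bad password attempt for 'admin' from ::ffff:198.51.100.7:51000",
    "vps dropbear[2104]: Password auth succeeded for 'alice' from 192.0.2.12:41236",
]

# Illustrative failregex lists: one expecting the line to end right after
# <HOST>, and the corrected one that also consumes the ':port' suffix.
FAILREGEX_NO_PORT = [
    r"Bad password attempt for .+ from <HOST>$",
    r"Login attempt for nonexistent user from <HOST>$",
]
FAILREGEX_WITH_PORT = [
    r"Bad password attempt for .+ from <HOST>:\d+$",
    r"Login attempt for nonexistent user from <HOST>:\d+$",
]

def compile_failregex(patterns):
    """Expand <HOST> and prepend the prefix, as fail2ban does when loading a filter."""
    return [re.compile(PREFIX_LINE + p.replace("<HOST>", HOST_REGEX)) for p in patterns]

def offending_hosts(patterns, lines):
    """Return the host captured from every line that matches one of the patterns."""
    compiled = compile_failregex(patterns)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts

if __name__ == "__main__":
    print("without port:", offending_hosts(FAILREGEX_NO_PORT, SAMPLE_LOG))
    print("with port:   ", offending_hosts(FAILREGEX_WITH_PORT, SAMPLE_LOG))
```

The third sample line shows that the optional `::ffff:` prefix in the <HOST> expansion is still handled once the port is matched, while the successful login is correctly ignored by both lists.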
Also, a small note to myself: when running fail2ban-regex from /etc/fail2ban/filter.d e.g.
This is probably caused by fail2ban failing to find the common.conf file, which defines __prefix_line.
Solution: use the absolute path /etc/fail2ban/filter.d/somefilter.conf for the filter file name. Strangely, running it from /etc/fail2ban e.g.