Dropbear and fail2ban on Debian Squeeze
Posted Jun 16 2011, 17:33 by William Shallum [updated May 13 2013, 02:18]
I decided to try dropbear for the SSH server on my VPS (edit: moved back to OpenSSH; the saved memory is not worth configuring multiple supporting packages (logwatch, fail2ban, …), plus it’s not got an AllowUsers equivalent). It’s got a smaller memory footprint to be sure, but the support from tools like fail2ban is a bit lacking, not helped by logging that splits the client address and the failure message into separate lines.
A Fail2ban filter file for dropbear is available from http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches. That page also has a patch for dropbear to enable it to log failure messages with the client address on a single line (I did not use this patch, I used the standard Debian package).
However, after putting the dropbear.conf file in /etc/fail2ban/filter.d and adding a jail in /etc/fail2ban/jail.conf, it did not work. It turns out that the <HOST> regex (short for (?:::f{4,6}:)?(?P<host>\S+)) from fail2ban is matching the IP address and port, and fail2ban tries to do a reverse lookup of the whole thing (e.g. “127.0.0.1:1234”) and fails.
To fix this, just add :\d+ after <HOST> to match the port number. This ensures fail2ban only gets the IP address, without the port number.
Note: I ran dropbear from inetd. Maybe run as a daemon it won’t include the port number (doubtful looking at the code).
To recap, here are the original failregex lines for unmodified dropbear from the config file:
failregex = ^%(__prefix_line)slogin attempt for nonexistent user from <HOST>\s*$
^%(__prefix_line)sbad password attempt for .+ from <HOST>\s*$
… and here are the lines after matching the port:
failregex = ^%(__prefix_line)slogin attempt for nonexistent user from <HOST>:\d+\s*$
^%(__prefix_line)sbad password attempt for .+ from <HOST>:\d+\s*$
This may well fail if the IP address matched is an IPv6 address (which the <HOST> regex does attempt to match), but I won’t worry about that since it only listens on IPv4 anyway.
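To see the problem and the fix side by side without a running fail2ban, here is an added example (not part of the original post) that expands <HOST> the way the post describes it and runs both failregex variants over a few constructed dropbear log lines. The syslog prefix is a simplified stand-in for fail2ban’s __prefix_line from common.conf, and the log lines are made up; both are assumptions, not captures.

```python
import ipaddress
import re

# <HOST> as fail2ban expands it (per the post): optional IPv4-mapped IPv6
# prefix, then a run of non-space characters captured as "host".
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed, simplified syslog prefix standing in for __prefix_line.
# Assumption: the real one in fail2ban's common.conf is far more permissive.
PREFIX = r"^\S+ \d+ \d\d:\d\d:\d\d \S+ dropbear\[\d+\]: "

# The two failregex lines from the unmodified dropbear filter ...
ORIGINAL = [
    PREFIX + r"login attempt for nonexistent user from " + HOST + r"\s*$",
    PREFIX + r"bad password attempt for .+ from " + HOST + r"\s*$",
]
# ... and the same lines with :\d+ appended so the port is consumed
# outside the <host> group.
FIXED = [
    PREFIX + r"login attempt for nonexistent user from " + HOST + r":\d+\s*$",
    PREFIX + r"bad password attempt for .+ from " + HOST + r":\d+\s*$",
]

# Constructed log lines in the shape the post describes (address:port),
# including one successful login that must not match either failregex.
SAMPLE_LOG = [
    "Jun 16 17:33:01 vps dropbear[1234]: login attempt for nonexistent user from 127.0.0.1:51234",
    "Jun 16 17:33:05 vps dropbear[1235]: bad password attempt for 'root' from 127.0.0.1:51236",
    "Jun 16 17:33:09 vps dropbear[1236]: password auth succeeded for 'william' from 127.0.0.1:51240",
]


def extract_hosts(patterns, lines):
    """Return the <host> capture of the first failregex matching each line.

    This is the value fail2ban would hand to its reverse lookup / ban action.
    """
    hosts = []
    for line in lines:
        for pattern in patterns:
            match = re.match(pattern, line)
            if match:
                hosts.append(match.group("host"))
                break
    return hosts


def is_ip_address(value):
    """True if fail2ban could resolve/ban this value as an address as-is."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, patterns in (("original", ORIGINAL), ("fixed", FIXED)):
        for host in extract_hosts(patterns, SAMPLE_LOG):
            print(f"{label:8} -> {host!r:20} usable address: {is_ip_address(host)}")
```

Only IPv4 samples are used, matching the post’s listener; the IPv6 ambiguity noted above (a colon-separated address followed by a colon-separated port) is left untested here.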
Also, small note to myself: when running fail2ban-regex from /etc/fail2ban/filter.d, e.g. fail2ban-regex "some log line" somefilter.conf, I get this error:
ConfigParser.InterpolationMissingOptionError: Bad value substitution:
section: [Definition]
option : failregex
key : __prefix_line
This is probably caused by fail2ban failing to find the common.conf file which defines __prefix_line.
Solution: use the absolute path /etc/fail2ban/filter.d/somefilter.conf for the filter file name. Strangely, running it from /etc/fail2ban, e.g. fail2ban-regex "some log line" filter.d/somefilter.conf, works fine. Probably it just needs to find a slash in the filter file name somewhere.