William Shallum

Dropbear and fail2ban on Debian Squeeze

Posted Jun 16 2011, 17:33 by William Shallum [updated May 13 2013, 02:18]

I decided to try dropbear for the SSH server on my VPS (edit: moved back to OpenSSH, the saved memory is not worth the configuring of multiple supporting packages (logwatch, fail2ban,…) plus it’s not got an AllowUsers equivalent). It’s got a smaller memory footprint to be sure, but the support from tools like fail2ban are a bit lacking, not helped by the logging that splits the client address and the failure message into separate lines.

A Fail2ban filter file for dropbear is available from http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches. That page also has a patch for dropbear to enable it to log failure messages with the client address on a single line (I did not use this patch, I used the standard Debian package).

However, after putting the dropbear.conf file in /etc/fail2ban/filter.d and adding a jail in /etc/fail2ban/jail.conf, it did not work. It turns out that the <HOST> regex (short for (?:::f{4,6}:)?(?P<host>\S+) ) from fail2ban is matching the IP address and port, and fail2ban tries to do a reverse lookup of the whole thing (e.g. “127.0.0.1:1234”) and fails.

To fix this, just add a :\d+ after to match the port number. This will ensure fail2ban only gets the IP address, without the port number.

Note: I ran dropbear from inetd. Maybe run as a daemon it won’t include the port number (doubtful looking at the code).

To recap, here are the original failregex lines for unmodified dropbear from the config file:

failregex = ^%(__prefix_line)slogin attempt for nonexistent user from <HOST>\s*$
            ^%(__prefix_line)sbad password attempt for .+ from <HOST>\s*$

… and here are the lines after matching the port:

failregex = ^%(__prefix_line)slogin attempt for nonexistent user from <HOST>:\d+\s*$
            ^%(__prefix_line)sbad password attempt for .+ from
<HOST>:\d+\s*$

This may well fail if the IP address matched is an IPv6 address (which the <HOST> regex does attempt to match), but I won’t worry about that since it only listens on IPv4 anyway.

Also, small note to myself, when running fail2ban-regex from /etc/fail2ban/filter.d e.g. fail2ban-regex "some log line" somefilter.conf I get this error:

ConfigParser.InterpolationMissingOptionError: Bad value substitution:
        section: [Definition]
        option : failregex
        key    : __prefix_line

This is probably caused by fail2ban failing to find the common.conf file which defines __prefix_line

Solution: use absolute path /etc/fail2ban/filter.d/somefilter.conf for the filter file name. Strangely running it from /etc/fail2ban e.g. fail2ban-regex "some log line" filter.d/somefilter.conf works fine. Probably just needs to find a slash in the filter file name somewhere.