Fix Dropbear filter when logging to STDOUT
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog.

As usual, timestamps and also the PID are now included in the log message emitted by Dropbear, in addition to the systemd journal log prefix.

The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as an optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without the `-E` flag.

Signed-off-by: MichaIng <[email protected]>
MichaIng committed Jul 10, 2024
1 parent 8170e9f commit c99313c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion config/filter.d/dropbear.conf
Expand Up @@ -23,7 +23,7 @@ before = common.conf

_daemon = dropbear

prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
prefregex = ^%(__prefix_line)s(\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$

failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
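
Review bot: the optional PID/timestamp group added to `prefregex` is a capturing group, `(\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?`, while the alternation later on the same line is written as `(?:...)`. Nothing uses the captured text, so I would make it non-capturing, `(?:\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?`, to keep the line consistent and avoid an extra unnamed group in the match. The day field `\d\d` only accepts a two-digit day, so it is worth confirming that Dropbear zero-pads days 1 to 9 rather than space-padding them; otherwise the filter would silently stop matching for the first nine days of each month. The commit changes only `config/filter.d/dropbear.conf`, so no sample log line in the new `[PID] Mon DD HH:MM:SS` format accompanies it; adding one next to an old-format line would pin down both the new optional prefix and the unchanged behaviour without `-E`.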