Fail2ban is not working for sshd with systemd backend

sevaho · July 12, 2024, 8:45pm

Hello

I am quite new to nixos, so I might miss something, but it seems that fail2ban for sshd is not working with the systemd backend.

The configuration

  services.fail2ban = {
    enable = true;
    maxretry = 3;
    bantime = "1h";
    jails = {
      sshd.settings = {
	backend = "systemd";
	mode = "aggressive";
      };
    };
  };

  services = {
    openssh = {
      ports = [ 54321 ];
      settings = {
        PasswordAuthentication = false;
	    X11Forwarding = true;
        PermitRootLogin = "no";
      };
    };
    sshd = {
      enable = true;
    };
  };

When I try 5 times with invalid public key I get penalized by the ssdh daemon for a couple of minutes but normally after 3 attempts fail2ban should kick in which it does not.

I see these logs 5 times in journal:

Jul 12 22:26:53 host sshd-session[1474587]: error: PAM: Authentication failure for root from x.x.x.
Jul 12 22:26:53 host sshd-session[1474587]: Failed keyboard-interactive/pam for root from x.x.x.x port 20626 ssh2
Jul 12 22:26:53 host sshd-session[1474587]: Connection closed by authenticating user root x.x.x.x port 20626 [preauth]
Jul 12 22:26:53 host sshd[1462738]: srclimit_penalise: ipv4: new x.x.x.x/32 deferred penalty of 5 seconds for penalty: failed authentication
Jul 12 22:27:02 host sshd-session[1474625]: Connection from x.x.x.x port 17694 on 192.168.x.x port 54321 rdomain ""
Jul 12 22:27:02 host sshd-session[1474625]: Failed publickey for root from x.x.x.x port 17694 ssh2

When checking my debian system (where fail2ban works with same config) the logs are completely different for example:

Jul 12 22:33:38 host sshd[3424024]: ROOT LOGIN REFUSED FROM x.x.x.x port 19296
Jul 12 22:33:38 host sshd[3424024]: ROOT LOGIN REFUSED FROM x.x.x.x port 19296 [preauth]
Jul 12 22:33:38 host sshd[3424024]: Connection closed by authenticating user root x.x.x.x port 19296 [preauth]

So I assume it has to do with the fact that fail2ban does not understand nixos sshd journal logs?

I think it has something todo with how fai2ban picks up the logs it does matching based on _SYSTEMD_UNIT=sshd.service + _COMM=sshd where COMM means the service, and with nixos the service is sshd-session which is odd?

Thanks!

vs49688 · July 20, 2024, 1:30pm

I just hit this on my system. It’s not a NixOS issue, the OpenSSH 9.8 upgrade broke fail2ban’s regexes:

github.com/fail2ban/fail2ban

[FR]: SSHD filter doesn't work on Arch to due to daemon name having changed to sshd-session

opened 10:56AM - 04 Jul 24 UTC

closed 11:00AM - 04 Jul 24 UTC

MatthijsSchuurman

closed-as-duplicate implemented-in-newer-version filter-request

It seems that with the latest updates on Arch the daemon name of `sshd` has chan…ged to `sshd-session`. This causes the sshd filter to ignore all sshd lines and consequently not ban any IPs. Changing `/etc/fail2ban/filter.d/sshd.conf` as follows fixes the issue however this is of course a nasty workaround: ```diff - _daemon = sshd + _daemon = sshd-session ``` I used `fail2ban-regex ./sshd.log /etc/fail2ban/filter.d/sshd.conf -v` to trace down the issue which showed the daemon name was in the content section instead of the mlfid: `{'mlfid': ' host ', 'content': 'sshd-session[1234567]: Invalid user nono from 1.2.3.4 port 12345'}` ### Environment: - Fail2Ban version 1.1.0-4 - OS, including release name/version : Arch (up-to-date) #### Service, project or product which log or journal should be monitored - Name of filter or jail in Fail2Ban (if already exists) : sshd - Service, project or product name, including release name/version : sshd - Ports and protocols the service is listening : 22 #### Log or journal information - Log file name(s) : Systemd journal - Journal identifier or unit name : sshd ### Relevant lines from monitored log files: #### failures in sense of fail2ban filter (fail2ban must match): ``` Jul 04 11:48:26 my.host.com sshd-session[1234567]: Failed password for root from 1.2.3.4 port 12345 ssh2 ```

github.com/fail2ban/fail2ban

Adjust sshd.conf filter for OpenSSH 9.8

fail2ban:master ← fdellwing:patch-1

opened 06:50AM - 02 Jul 24 UTC

fdellwing

+7 -2

OpenSSH released version 9.8 yesterday that fixes a critical vulnerability. It a…lso implements a potential new daemon name we need to monitor for. > * [sshd(8)](https://man.openbsd.org/sshd.8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". This change might be worth backporting. Before submitting your PR, please review the following checklist: - [x] **CHOOSE CORRECT BRANCH**: if filing a bugfix/enhancement against certain release version, choose `0.9`, `0.10` or `0.11` branch, for dev-edition use `master` branch - [ ] **CONSIDER adding a unit test** if your PR resolves an issue - [ ] **LIST ISSUES** this PR resolves - [x] **MAKE SURE** this PR doesn't break existing tests - [x] **KEEP PR small** so it could be easily reviewed. - [x] **AVOID** making unnecessary stylistic changes in unrelated code - [ ] **ACCOMPANY** each new `failregex` for filter `X` with sample log lines within `fail2ban/tests/files/logs/X` file

vs49688 · July 22, 2024, 11:48am

Here’s a temporary fix:

  services.fail2ban.package = pkgs.fail2ban.overrideAttrs(old: {
    patches = [
      (pkgs.fetchpatch {
        url = "https://github.com/fail2ban/fail2ban/commit/2fed408c05ac5206b490368d94599869bd6a056d.patch";
        hash = "sha256-uyrCdcBm0QyA97IpHzuGfiQbSSvhGH6YaQluG5jVIiI=";
      })
      (pkgs.fetchpatch {
        url = "https://github.com/fail2ban/fail2ban/commit/50ff131a0fd8f54fdeb14b48353f842ee8ae8c1a.patch";
        hash = "sha256-YGsUPfQRRDVqhBl7LogEfY0JqpLNkwPjihWIjfGdtnQ=";
      })
    ];
  });

sevaho · July 25, 2024, 2:38pm

Hello @vs49688 thanks for your reply, this did the trick! (I did not not know you could do this kind of ‘overlays’ so I learned something new as well thanks!)

Greetings