fail2ban / fail2ban

Daemon to ban hosts that cause multiple authentication errors
http://www.fail2ban.org

[FR]: Ubuntu 22.04.4 LTS fail2ban Unable to match some authentication failure logs #3748

Closed watchingfun closed 4 months ago

watchingfun commented 4 months ago

Environment:

Service, project or product which log or journal should be monitored

Log or journal information

May 17 15:09:59 instance-20240513-1553 sshd[3891]: Disconnected from authenticating user root 103.151.173.102 port 22620 [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3893]: Received disconnect from 103.151.173.102 port 26126:11:  [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3893]: Disconnected from authenticating user root 103.151.173.102 port 26126 [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3895]: Received disconnect from 103.151.173.102 port 22295:11:  [preauth]
May 17 15:55:02 instance-20240513-1553 sshd[4396]: Connection closed by authenticating user root 183.81.169.238 port 50142 [preauth]
May 17 15:55:05 instance-20240513-1553 sshd[4524]: Connection closed by authenticating user root 183.81.169.238 port 50196 [preauth]
May 17 15:55:09 instance-20240513-1553 sshd[4553]: Connection closed by authenticating user root 183.81.169.238 port 44906 [preauth]
May 17 15:55:10 instance-20240513-1553 sshd[4557]: error: kex_exchange_identification: read: Connection reset by peer
May 17 15:55:10 instance-20240513-1553 sshd[4557]: Connection reset by 183.81.169.238 port 44910

Any additional information

Relevant lines from monitored log files:

failures in sense of fail2ban filter (fail2ban must match):

legitimate messages (fail2ban should not consider as failures):

extra:

The IP I use is 103.151.173.102. After adding ^Disconnected from authenticating user <F-USER>.*?</F-USER> <HOST>%(__suff)s$ to /etc/fail2ban/filter.d/sshd.conf, /var/log/fail2ban.log finally has entries, and [found] and [ban] work normally.

sebres commented 4 months ago

These messages are not authentication issues directly, so they don't belong to the failures in normal mode. They are rather a matter of the ddos (or aggressive) modes.

Add mode = aggressive to the jail if you want to match them together with authentication failures:

  [sshd]
+ mode = aggressive
  enabled = true
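Review bot: the added mode = aggressive line only takes effect if the jail still uses the default filter definition from jail.conf, filter = %(__name__)s[mode=%(mode)s], which forwards the mode parameter to the filter; a jail.local that also sets filter = sshd drops that parameter and the mode is silently ignored. Either leave filter unset or write it as filter = sshd[mode=aggressive].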
watchingfun commented 4 months ago

mode = aggressive

I tried it in /etc/fail2ban/jail.local and restarted the fail2ban server, but it didn't work. Finally, I edited mode = aggressive into /etc/fail2ban/filter.d/sshd.conf and restarted the service, and it worked. Why doesn't jail.local work?

Oh, my bad, I found the reason: filter = sshd can't work with mode = aggressive. I changed it to filter = sshd[mode=aggressive] and it's OK.

sebres commented 4 months ago

Yes, the default filter definition looks like this: https://github.com/fail2ban/fail2ban/blob/65e9c411ef7a78b302e974724bfce782df4eb57e/config/jail.conf#L167

In this case (if you haven't overwritten the default filter parameter), setting mode would work properly.

By the way:

Otherwise exactly such things can happen. Let alone that you wouldn't know later which parameters are really needed.
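The two points this thread turns on, shown as an added example that is not fail2ban's own code: which message shapes a normal-mode filter counts versus the ddos/aggressive modes, and why mode = aggressive in jail.local does nothing once filter = sshd overrides the default filter = %(__name__)s[mode=%(mode)s] line that sebres links to. The regexes below are simplified stand-ins written for the log lines quoted in the issue, not the patterns from fail2ban's filter.d/sshd.conf; effective_mode, count_failures and hosts_to_ban are names of this example; the log lines are those from the report plus one constructed "Failed password" line (198.51.100.7 is a documentation address) so that normal mode has something to match.

```python
"""Simplified model of fail2ban's sshd filter modes and of how a jail's
`filter` line forwards the `mode` parameter. Added example: the regexes are
stand-ins written for the messages quoted in this issue, not the patterns in
fail2ban's filter.d/sshd.conf."""
import re
from collections import Counter

# <HOST> stand-in: IPv4 only, which is enough for the quoted log lines.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# normal mode: only completed authentication failures.
NORMAL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from " + HOST),
]
# ddos mode: sessions dropped before authentication finished ("[preauth]"),
# i.e. the message shapes from the issue that normal mode ignores.
DDOS_PATTERNS = [
    re.compile(r"Disconnected from authenticating user \S+ " + HOST),
    re.compile(r"Connection closed by authenticating user \S+ " + HOST),
    re.compile(r"Connection reset by " + HOST + r" port \d+"),
]


def patterns_for(mode):
    """Pattern set enabled by a filter mode (aggressive combines both)."""
    if mode == "normal":
        return NORMAL_PATTERNS
    if mode == "ddos":
        return DDOS_PATTERNS
    if mode == "aggressive":
        return NORMAL_PATTERNS + DDOS_PATTERNS
    raise ValueError(f"unknown mode {mode!r}")


def effective_mode(jail):
    """Mode the jail actually runs with.

    `mode` is a filter parameter and reaches the filter only through the
    jail's `filter` line. The default jail.conf line is
    `filter = %(__name__)s[mode=%(mode)s]`, which forwards the jail's `mode`;
    a jail.local override like `filter = sshd` drops it, so `mode =
    aggressive` next to it is silently ignored (the trap hit in this issue).
    """
    filt = jail.get("filter", "%(__name__)s[mode=%(mode)s]")
    m = re.search(r"\[mode=([^\]]+)\]", filt)
    if not m:
        return "normal"                  # nothing forwarded: filter default
    value = m.group(1)
    if value == "%(mode)s":              # default line: interpolate jail mode
        return jail.get("mode", "normal")
    return value                         # explicit, e.g. sshd[mode=aggressive]


def count_failures(lines, mode):
    """Return {host: number of log lines counted as failures in `mode`}."""
    hits = Counter()
    for line in lines:
        for pat in patterns_for(mode):
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break                    # first matching regex wins
    return hits


def hosts_to_ban(lines, jail, maxretry=3):
    """Hosts reaching `maxretry` failures under the jail's effective mode."""
    hits = count_failures(lines, effective_mode(jail))
    return sorted(h for h, n in hits.items() if n >= maxretry)


# The lines quoted in the issue, plus one constructed "Failed password" line
# (198.51.100.7 is a documentation address) so normal mode has something
# to match.
SAMPLE_LOG = """\
May 17 15:09:59 instance-20240513-1553 sshd[3891]: Disconnected from authenticating user root 103.151.173.102 port 22620 [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3893]: Received disconnect from 103.151.173.102 port 26126:11:  [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3893]: Disconnected from authenticating user root 103.151.173.102 port 26126 [preauth]
May 17 15:10:06 instance-20240513-1553 sshd[3895]: Received disconnect from 103.151.173.102 port 22295:11:  [preauth]
May 17 15:20:00 instance-20240513-1553 sshd[4001]: Failed password for root from 198.51.100.7 port 40000 ssh2
May 17 15:55:02 instance-20240513-1553 sshd[4396]: Connection closed by authenticating user root 183.81.169.238 port 50142 [preauth]
May 17 15:55:05 instance-20240513-1553 sshd[4524]: Connection closed by authenticating user root 183.81.169.238 port 50196 [preauth]
May 17 15:55:09 instance-20240513-1553 sshd[4553]: Connection closed by authenticating user root 183.81.169.238 port 44906 [preauth]
May 17 15:55:10 instance-20240513-1553 sshd[4557]: error: kex_exchange_identification: read: Connection reset by peer
May 17 15:55:10 instance-20240513-1553 sshd[4557]: Connection reset by 183.81.169.238 port 44910
""".splitlines()

if __name__ == "__main__":
    for jail in ({"filter": "sshd", "mode": "aggressive"},   # mode ignored
                 {"mode": "aggressive"},                      # default filter
                 {"filter": "sshd[mode=aggressive]"}):        # explicit
        print(jail, "->", effective_mode(jail), hosts_to_ban(SAMPLE_LOG, jail))
```

Run as a script it prints, for the three jail definitions, the mode each really ends up with and which host reaches maxretry = 3: only the two definitions that forward the mode ban 183.81.169.238, while the filter = sshd variant stays in normal mode and bans nobody. To check the real filter rather than this model, fail2ban ships fail2ban-regex, which accepts the same bracket syntax, e.g. fail2ban-regex /var/log/auth.log 'sshd[mode=aggressive]', and reports which lines each regex matched.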