Provide PID validation facility about fail2ban HOT 4 CLOSED

At least on CentOS 6, the pid in syslog is of the child (the attempt connection that failed), as opposed to the parent process's pid in /var/run/sshd.pid.

from fail2ban.

Considering fail2ban largely deals with failed login attempts (SSH), the SSH pid is essentially ephemeral and not linked to a parent for very long - I'm not sure how such an association could be reliably be made between the parent pid (SSH) and the failed log in SSH pid's. And if other applications behave differently (thread vs process) fail2ban would also need to understand all of those relationships.

from fail2ban.

I've tried some time ago with a small change on my fail2ban, where #1698 was already implemented, so I could get the PID from the several filters, by adding <F-PID>\S+</F-PID> (and using a simple solution by checking of PID with pid_exists in failmanager).
It works as expected... But not for the services like sshd, because of session- resp. connection-related pid, so fail2ban misses the failure sporadic, if the connection was closed too fast after failure (pid_exists says False).
I can try to cherry-pick it, if someone needed.

from fail2ban.

Playing a bit with this I can judge that this approach is hardly suitable (as for PID validation), at least turns out to be not really practicable, but also too error-prone.
Thus I tend to close it at the moment.
Please reopen if the interest is still existing.

from fail2ban.