
Comments (1)

sebres avatar sebres commented on June 19, 2024

Because of the "$" at the end, this regex will fail if, for whatever reason, there is unexpected text at the end of the line; even something like " (second attempt)" would break it.

The issue is that without an end anchor, a RE containing catch-alls (like the .* in the user name here) is weak, if not to say vulnerable (for example to injections via user input), and so cannot be used safely without the end anchor, because from <HOST> may be found in some user input, e.g. if the user name were artificially constructed by an attacker as something like user from 192.0.2.123 ... in order to cause a failure from IP 192.0.2.123.

Some such injection attempts can be found in our test suite (it is covered), e.g.:

# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1", "desc": "Injecting into rhost for the format of OpenSSH >=6.3" }
Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 port 20000 ssh1: ruser from 1.2.3.4

I find I get best results if I remove the "$" from the ends of the regexes.

You can use whatever you want, but it is not (and will never be) the strategy of fail2ban stock filters,
because fail2ban would always prefer not to match on (unsafe) messages with a changed format over a theoretical match of the wrong legitimate user or IP. Emphasis on the word "always".

The only possibilities to fix that:

  • provide the message with that "unexpected text" here, so we could add it as an optional part to the RE
  • write very complex and slow, multi-storey REs with negative lookaheads that ensure there is only one from host/IP, e.g. exclude from <something looking like host/IP> after from <HOST>, or from <something looking like IP> after from <ADDR>, so that removing the end anchor would not break the "safety" of the RE;
  • go to the openssh repository and thank the devs for the vulnerable message formats, and ask there for proper escaping of foreign user inputs like the user name, for instance if they'd enclose the username in quotes and disallow the quote char in usernames or escape it somehow (e.g. like url-encode with %22 or html-escape with &quot;):
  # so if the message would look like this (and quote-char is impossible inside user-name):
  Authentication failure for "some user name whatever" from 192.0.2.1
  # the RE may be rewritten like:
- ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
+ ^[aA]uthentication (?:failure|error|failed) for <F-USER>"[^"]*"</F-USER> from <ADDR>
  • alternatively the format can be changed (following best practice) so that the IP is moved before ANY foreign input in the log (so from <ADDR> can be placed before the user name)...
  # so if the message would look like this (and quote-char is impossible inside user-name):
  Authentication failure from 192.0.2.1 for user "no matter what we'll see here"
  # the RE may be rewritten like:
- ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
+ ^[aA]uthentication (?:failure|error|failed) from <ADDR> for <F-USER>"[^"]*|.*?"</F-USER>

Thus closing for now (unless you provide the messages that didn't match the stock filter).

from fail2ban.
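To make the trade-off in this thread concrete, here is an added harness (not fail2ban's own code, and none of the REs is a stock filter) that runs three constructed REs over constructed lines, including the body of the failJSON sample quoted above: STRICT keeps the end anchor and models the tail of the line, LOOSE is the same RE with "$" removed, and QUOTED assumes the quoted-username format proposed in the comment. The user group is written lazily, so the end anchor is what forces the engine to reconsider an injected "from <IP>" inside the user name; the REs, line contents and names are all assumptions made for this example.

```python
import re

# STRICT keeps "$" and spells out the tail explicitly, including the
# attacker-controlled "ruser" part seen in the failJSON sample (constructed RE).
STRICT = (r'^Failed \S+ for (?P<user>[^:]*?) from (?P<host>\S+)'
          r'(?: port \d+)?(?: ssh\d*)?(?:: ruser .*)?$')
# LOOSE is the same RE with the "$" removed, as the reporter suggested.
LOOSE = STRICT[:-1]
# QUOTED assumes a log format that quotes the username; the user field then
# cannot contain an unescaped quote, so the host needs no end anchor.
QUOTED = r'^Failed \S+ for "(?P<user>[^"]*)" from (?P<host>\S+)'

# Constructed lines (syslog prefix dropped) paired with the true source IP.
# "ruser" is the body of the test-suite sample above; the rest are made up.
CASES = {
    "normal":   ("Failed password for alice from 203.0.113.5 port 22 ssh2",
                 "203.0.113.5"),
    "ruser":    ("Failed password for user from 127.0.0.1 port 20000 ssh1: ruser from 1.2.3.4",
                 "127.0.0.1"),
    # attacker picked the username 'eve from 192.0.2.123'
    "injected": ("Failed password for eve from 192.0.2.123 from 203.0.113.5 port 22 ssh2",
                 "203.0.113.5"),
    # the reporter's "unexpected text at the end" case
    "trailing": ("Failed password for alice from 203.0.113.5 port 22 ssh2 (second attempt)",
                 "203.0.113.5"),
    # quoted-username format with both the injection and the trailing text
    "quoted":   ('Failed password for "eve from 192.0.2.123" from 203.0.113.5 port 22 ssh2 (second attempt)',
                 "203.0.113.5"),
}

def extract_host(pattern, line):
    """Return the <host> capture of the first match, or None when the RE does not match."""
    m = re.search(pattern, line)
    return m.group("host") if m else None

def evaluate(pattern):
    """Map case name -> 'ok' (true host), 'miss' (no match) or 'WRONG:<host>'."""
    result = {}
    for name, (line, true_host) in CASES.items():
        host = extract_host(pattern, line)
        if host is None:
            result[name] = "miss"
        elif host == true_host:
            result[name] = "ok"
        else:
            result[name] = "WRONG:" + host   # a ban would hit an IP the attacker chose
    return result

if __name__ == "__main__":
    for label, pat in (("STRICT", STRICT), ("LOOSE", LOOSE), ("QUOTED", QUOTED)):
        print(label, evaluate(pat))
```

STRICT reports "miss" rather than a wrong host on the trailing-text line, which is exactly the behaviour the comment says the stock filters prefer, while LOOSE bans the injected IP.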
