Package: fail2ban
Version: 0.8.3-2sid1
Severity: wishlist

Hi there,

I've been using Fail2Ban with an added filter for dropbear, adapted from Francis Russell's Uncharted Backwaters.[0] The linked file requires a patch[1] to dropbear for it to work (hence a CC to the dropbear maintainer), although there is a ruleset for the unpatched version, albeit commented out.

[0] http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear.conf

Attached is the filter rule I'm currently using, against unpatched dropbear. I modified the rule a bit so that it works.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-128.2.1.el5.028stab064.7 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base        3.2-20   Linux Standard Base 3.2 init scrip
ii  python          2.5.2-3  An interactive high-level object-o
ii  python-central  0.6.8    register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables  1.4.2-6  administration tools for packet fi
ii  whois     4.7.30   an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20071201cvs-3  A simple mail user agent
ii  mailx              1:20071201-3           Transitional package for mailx ren
pn  python-gamin       <none>                 (no description available)

-- no debconf information
# Fail2Ban configuration file
#
# Author: Francis Russell

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT

# These match the unmodified dropbear messages. It isn't possible to match the source of the
# 'exit before auth' messages from dropbear.
#
failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
            ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$

# The only line we need to match with the modified dropbear.
# failregex = ^%(__prefix_line)sexit before auth from <HOST>.*\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
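As an added illustration (not part of the bug report or of Francis Russell's filter), the script below expands the %(__prefix_line)s and <HOST> placeholders of the attached failregex lines the way fail2ban does and runs them over constructed dropbear log lines, showing why the unpatched "exit before auth" message yields no host to ban. The __prefix_line value is a simplified stand-in for the one in common.conf, and the sample log lines are constructed.

```python
import re

# Simplified stand-in for common.conf's __prefix_line (an assumption, not the
# real fail2ban definition): optional syslog hostname, then "dropbear[pid]: ".
PREFIX_LINE = r"(?:\S+ )?dropbear\[\d+\]: "
# The <HOST> alias exactly as the filter's comment documents it.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The active failregex lines from the attached filter (unpatched dropbear).
FAILREGEX_UNPATCHED = [
    r"^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$",
    r"^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$",
]
# The commented-out line meant for dropbear with the patch applied.
FAILREGEX_PATCHED = [r"^%(__prefix_line)sexit before auth from <HOST>.*\s*$"]


def compile_failregex(patterns):
    """Expand %(__prefix_line)s and <HOST> as fail2ban does, then compile."""
    compiled = []
    for pattern in patterns:
        pattern = pattern % {"__prefix_line": PREFIX_LINE}
        pattern = pattern.replace("<HOST>", HOST)
        compiled.append(re.compile(pattern))
    return compiled


def offending_hosts(log_lines, patterns):
    """Return the 'host' capture of every log line that matches some failregex."""
    regexes = compile_failregex(patterns)
    hosts = []
    for line in log_lines:
        for regex in regexes:
            match = regex.search(line)
            if match:
                hosts.append(match.group("host"))
                break
    return hosts


# Constructed sample lines, with the timestamp already stripped the way
# fail2ban 0.8 removes the matched date before applying failregex.
SAMPLE_LOG = [
    "myhost dropbear[1234]: login attempt for nonexistent user 'admin' from 192.0.2.10:51234",
    "myhost dropbear[1234]: bad password attempt for 'root' from 192.0.2.11:51235",
    "myhost dropbear[1234]: exit before auth: Disconnect received",
    "myhost dropbear[1234]: password auth succeeded for 'alice' from 192.0.2.12:51236",
]

if __name__ == "__main__":
    print(offending_hosts(SAMPLE_LOG, FAILREGEX_UNPATCHED))  # ['192.0.2.10', '192.0.2.11']
    print(offending_hosts(SAMPLE_LOG, FAILREGEX_PATCHED))    # [] -- no source address to match
```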