logmngr: implement fail2ban for ssh

* handle both openssh and dropbear for fail2ban

fluent-bit/patches/0002-add_hostname_to_log_dump.patch

@@ -0,0 +1,45 @@
+diff --git a/plugins/out_file/file.c b/plugins/out_file/file.c
+index 2e47c9666..95d28e438 100644
+--- a/plugins/out_file/file.c
++++ b/plugins/out_file/file.c
+@@ -27,6 +27,7 @@
+ #include <msgpack.h>
+ 
+ #include <stdio.h>
++#include <unistd.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+@@ -55,6 +56,7 @@ struct flb_file_conf {
+     int csv_column_names;
+     int mkdir;
+     struct flb_output_instance *ins;
++    char hostname[256];
+ };
+ 
+ static char *check_delimiter(const char *str)
+@@ -141,6 +143,9 @@ static int cb_file_init(struct flb_output_instance *ins,
+         }
+     }
+ 
++    if (gethostname(ctx->hostname, sizeof(ctx->hostname)) != 0)
++	    snprintf(ctx->hostname, sizeof(ctx->hostname), "%s", "localhost");
++
+     tmp = flb_output_get_property("delimiter", ins);
+     ret_str = check_delimiter(tmp);
+     if (ret_str != NULL) {
+@@ -233,12 +238,8 @@ static int template_output_write(struct flb_file_conf *ctx,
+     int i;
+     msgpack_object_kv *kv;
+ 
+-    /*
+-     * Right now we treat "{time}" specially and fill the placeholder
+-     * with the metadata timestamp (formatted as float).
+-     */
+-    if (!strncmp(key, "time", size)) {
+-        fprintf(fp, "%f", flb_time_to_double(tm));
++    if (!strncmp(key, "hostname", size)) {
++        fprintf(fp, "%s", ctx->hostname);
+         return 0;
+     }
+ 

logmngr/Makefile

@@ -69,12 +69,6 @@ ifeq ($(CONFIG_LOGMNGR_LOGROTATE),y)
 	$(INSTALL_DATA) ./files/lib/logmngr/logrotate.sh $(1)/lib/logmngr/.
 	$(BBFDM_INSTALL_CORE_PLUGIN) $(PKG_BUILD_DIR)/bbf_plugin/libbbflogrotate.so $(1)
 endif
-ifeq ($(CONFIG_PACKAGE_fail2ban),y)
-	$(INSTALL_DIR) $(1)/etc/fail2ban
-	$(INSTALL_CONF) ./files/fail2ban/jail.local $(1)/etc/fail2ban/
-	$(INSTALL_DIR) $(1)/etc/fail2ban/filter.d/
-	$(INSTALL_DATA) ./files/fail2ban/iop_sshd.conf $(1)/etc/fail2ban/filter.d/
-endif
 endef
 
 $(eval $(call BuildPackage,logmngr))

logmngr/files/lib/logmngr/fluent-bit.sh

@@ -184,7 +184,9 @@ handle_log_file() {
 	echo "[OUTPUT]" >> ${TMP_CONF_FILE}
 	echo "    name         file" >> ${TMP_CONF_FILE}
 	echo "    match        $match" >> ${TMP_CONF_FILE}
-	echo "    file        $file" >> ${TMP_CONF_FILE}
+	echo "    file         $file" >> ${TMP_CONF_FILE}
+	echo "    format       template" >> ${TMP_CONF_FILE}
+	echo "    template     {time} {hostname} {ident}: {message}" >> ${TMP_CONF_FILE}
 }
 
 handle_log_remote() {

sshmngr/Makefile

@@ -63,6 +63,18 @@ else
 	$(INSTALL_DATA) ./files/openssh_backend/lib/sshmngr/backend.sh $(1)/lib/sshmngr/
 endif
 	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libsshmngr.so $(1) $(PKG_NAME)
+
+ifeq ($(CONFIG_PACKAGE_fail2ban),y)
+	$(INSTALL_DIR) $(1)/etc/fail2ban/jail.d
+	$(INSTALL_DIR) $(1)/etc/fail2ban/filter.d/
+ifeq ($(CONFIG_SSHMNGR_BACKEND_DROPBEAR),y)
+	$(INSTALL_CONF) ./files/dropbear_backend/fail2ban/sshmngr.local $(1)/etc/fail2ban/jail.d/
+	$(INSTALL_DATA) ./files/dropbear_backend/fail2ban/sshmngr.conf $(1)/etc/fail2ban/filter.d/
+else
+	$(INSTALL_CONF) ./files/openssh_backend/fail2ban/sshmngr.local $(1)/etc/fail2ban/jail.d/
+	$(INSTALL_DATA) ./files/openssh_backend/fail2ban/sshmngr.conf $(1)/etc/fail2ban/filter.d/
+endif
+endif
 endef
 
 $(eval $(call BuildPackage,sshmngr))

sshmngr/files/dropbear_backend/fail2ban/sshmngr.conf

@@ -0,0 +1,52 @@
+# Fail2Ban filter for dropbear
+#
+# NOTE: The regex below is ONLY intended to work with a patched
+# version of Dropbear as described here:
+# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
+#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
+#
+# The standard Dropbear output doesn't provide enough information to
+# ban all types of attack.  The Dropbear patch adds IP address
+# information to the 'exit before auth' message which is always
+# produced for any form of non-successful login. It is that message
+# which this file matches.
+#
+# More information: http://bugs.debian.org/546913
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+datepattern = ^%%b %%d %%H:%%M:%%S
+
+_daemon = dropbear
+
+prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
+
+failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
+            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
+            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# The first two regexs here match the unmodified dropbear messages. It isn't
+# possible to match the source of the 'exit before auth' messages from dropbear
+# as they don't include the "from <HOST>" bit.
+#
+# The second last failregex line we need to match with the modified dropbear.
+#
+# For the second regex the following apply:
+#
+# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
+# http://svn.dd-wrt.com/changeset/16642#file64
+#
+# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
+#
+# Author: Francis Russell
+#         Zak B. Elep

sshmngr/files/dropbear_backend/fail2ban/sshmngr.local

@@ -0,0 +1,9 @@
+[dropbear]
+enabled = true
+port = ssh
+filter = sshmngr
+logpath = /var/log/messages
+maxretry = 3
+findtime = 10
+bantime = 120
+ignoreip = 127.0.0.1

sshmngr/files/openssh_backend/fail2ban/sshmngr.local

@@ -1,7 +1,7 @@
 [sshd]
 enabled = true
 port = ssh
-filter = iop_sshd
+filter = sshmngr
 logpath = /var/log/messages
 maxretry = 3
 findtime = 10