I just noticed that fail2ban was reporting that there had been no failed attempts to connect to my SSH server for a few days, which can't be right because they are almost constantly happening.
This seems to be because of a change in openssh 9.8:


 * sshd(8): the server has been split into a listener binary, sshd(8),
   and a per-session binary "sshd-session". This allows for a much
   smaller listener binary, as it no longer needs to support the SSH
   protocol. As part of this work, support for disabling privilege
   separation (which previously required code changes to disable) and
   disabling re-execution of sshd(8) has been removed. Further
   separation of sshd-session into additional, minimal binaries is
   planned for the future.

 * sshd(8): several log messages have changed. In particular, some
   log messages will be tagged with as originating from a process
   named "sshd-session" rather than "sshd".

It looks like this has already been fixed for the next release of fail2ban in this commit. But until then a quick fix is to modify filter.d/sshd.conf and change the [DEFAULT] section so that

_daemon = sshd

becomes

_daemon = sshd(?:-session)?

There also seems to be another new issue which results in the warning fail2ban.ipdns WARNING Unable to find a corresponding IP address for connection: [Errno -2] Name or service not known.
This is because of new sshd log messages which look like Timeout before authentication for connection from 12.34.56.78 to 218.92.0.51, pid = 17466.
There didn't seem to be any equivalent log messages in openssh before 9.8 though, so it's not really breaking anything - just producing a warning message in the fail2ban logs.

Previous Post Next Post