Is it safe to apply fail2ban on sshd "Received disconnect/Disconnected ... [preauth]" logs?

There is no corresponding rule in /etc/fail2ban/filter.d/sshd.conf, so these attempts don't cause fail2ban to ban the offending IP address.

What version are you using? Fail2Ban comes with a predefined rule about this, included in the common failregex used by all modes.

Fail2Ban v0.10.2 in one of my systems includes this rule:

^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:

And Fail2Ban v0.11.2 includes this one (which is better):

^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:

Apparently the developers thought that any of the following lines

Received disconnect from <HOST>: 11:
Received disconnect from <HOST> port XXXXX:11:

will suffice. The relevant keywords being Received disconnect from and the : 11: part (instead of the [preauth] suffix).

The <F-NOFAIL> means that this line isn't a failure and will expect another match without <F-NOFAIL> to ban the IP, so you will have to remove the surrounding tags.


Is it safe for me to add a Regexp matching some of those lines, or would I risk matching legitimate (key based) login attempts ? Which parts would make a safe combination ? Would matching the words "Disconnected" and the tag "[preauth]" necessarily indicate a failed password-based brute force ?

A legitimate successful connection and authentication does not trigger such log lines. These entries can come from scanners, which do not cause harm, but can be be blocked as well. preauth means, those clients did not start authentication yet.

Even if you yourself cause a failed login, either by using wrong keys or mistyping the password, using fail2ban is still okay. fail2ban only blocks after a configurable number of matching log lines and only for a certain time frame.

You can use this snippet (e.g. as cmdfailre) in Debian buster:

^Received disconnect from <HOST>%(__on_port_opt)s:11: \s* %(__suff)s$
^Disconnected from authenticating user <F-USER>.*?</F-USER> <HOST>%(__on_port_opt)s %(__suff)s$