Why does aggressive mode result in multiple log messages for invalid sshd user logins?

[misterbayne]

I have been using fail2ban successfully with sshd for invalid user logins. However, I noticed the other day that invalid public key logins are not being caught. I looked around online and discovered that I had to change the mode to be aggressive. In aggressive mode, the invalid public key logins are caught as they should be. But now the invalid user logins create 2 logs in fail2ban. This causes 2 retries to trigger when only 1 should trigger. I have run my logs through the fail2ban-regex utility and each condition (invalid user logins and invalid public key logins) result in 1 matched line. This is not the case when I actually attempt to log in with an invalid user. Am I doing something wrong? What am I missing?

Thanks!

[sebres]

I looked around online and discovered that I had to change the mode to be aggressive.

This is conditionally correct. This "limitation" is initially made to avoid issues like #1263 (prevent against false positives for users connecting to git et al via ssh with multiple public keys). The only exception was that an attempt to login (no matter public key or password) with invalid user causes a failure.
But it is not quite true now, since 9137c7b, newer fail2ban versions (>= 0.11.2 or 0.10.6) have a new parameter publickey, so it is possible to enable publickey failures without aggressive mode too, see #2765 (comment) for details.

So setting it to any in jail like below would count any kind of failed publickey attempts as a failure (no matter which mode and whether user is invalid or not), so one could switch back to normal mode:

[sshd]
# mode = aggressive
filter = %(known/filter)s[publickey=any]

You could also try newest sshd-filter variant (replacing the filter file in /etc/fail2ban/filter.d/) with some previous fail2ban version (0.10/0.11 only), but there is no guarantee that it's completely compatible to your fail2ban and/or distribution and that it'd work properly.

But now the invalid user logins create 2 logs in fail2ban.

Well, aggressive mode is called so because it targets many vectors (inclusive ddos similar circumstances, etc). Maybe some additional message triggers that or it is because of abovementioned exception (however I thought we deactivated that in aggressive mode later, but you may have some older filter). Anyway some not-a-failure messages in normal case can be indeed considered as failures in aggressive mode, especially in cases where user name switches (or simply together with another messages) especially without a success at end, so sometimes it is a combination of messages that matters.
To know what exactly happens in your case, we'd need an log excerpt (better for whole session, so for any messages with sshd[12345]) with messages logged by such an attempt. But my assumption - it's something similar to #2765 and co.

This causes 2 retries to trigger when only 1 should trigger.

BTW, is it really so bad that a session rejecting invalid user considered as 2 failures at once? I mean in aggressive mode...
Not to mention it is anyway advisable to increase maxretry for sshd jail if it running in aggressive mode (to avoid some false positives for legitimate users with unstable connections etc).

I have run my logs through the fail2ban-regex utility and each condition (invalid user logins and invalid public key logins) result in 1 matched line.

This is indeed a sign that some other message affecting double counting, so please provide an excerpt for all messages of some session.