Filter: mysqld-auth not compatible with MySQL 8.0.13 #2314

Closed
3 tasks done
dciwill opened this issue Jan 3, 2019 · 0 comments

Comments

dciwill commented Jan 3, 2019

Environment:

  • Fail2Ban version (including any possible distribution suffixes):
    0.9.7-1
  • OS, including release name/version:
    CentOS 7
  • Fail2Ban installed via OS/distribution mechanisms
    yum
  • You have not applied any additional foreign patches to the codebase
    I have not.
  • Some customizations were done to the configuration (provide details below if so)
    Yes, banaction was changed to "route".

The issue: mysqld-auth conf regex is not compatible with the mysqld 8.0.13 error log

The log output has two additional words in brackets after "[Note]", for instance on the system I am using it is, "[MY-010926] [Server]".

Steps to reproduce

Enable the mysqld-auth filter
Enable appropriate logging level in MySQL 8.0.13
(use "log-error-verbosity = 3" not "log_warnings = 2" in my.conf, [mysqld] section)
Emulate failed logins to MySQL

Expected behavior

Fail2Ban should ban the IP.

Observed behavior

Log entry is made but there isn't any expected behavior from fail2ban.

Any customizations done to /etc/fail2ban/ configuration

banaction = route

Configuration, dump and other helpful excerpts

sh-4.2# fail2ban-client -d | grep mysqld-auth
['add', 'mysqld-auth', 'auto']
['set', 'mysqld-auth', 'usedns', 'warn']
['set', 'mysqld-auth', 'addlogpath', '/var/log/mysqld.log', 'head']
['set', 'mysqld-auth', 'maxretry', 5]
['set', 'mysqld-auth', 'addignoreip', '127.0.0.1/8']
['set', 'mysqld-auth', 'logencoding', 'auto']
['set', 'mysqld-auth', 'bantime', 3600]
['set', 'mysqld-auth', 'ignorecommand', '']
['set', 'mysqld-auth', 'findtime', 600]
['set', 'mysqld-auth', 'addfailregex', "^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?mysqld(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?mysqld(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:\\d+ |\\d{6} \\s?\\d{1,2}:\\d{2}:\\d{2} )?\\[\\w+\\] Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\\(using password: (YES|NO)\\))*\\s*$"]
['set', 'mysqld-auth', 'addaction', 'route']
['set', 'mysqld-auth', 'action', 'route', 'actionban', 'ip route add <blocktype> <ip>']
['set', 'mysqld-auth', 'action', 'route', 'actionstop', '']
['set', 'mysqld-auth', 'action', 'route', 'actionstart', '']
['set', 'mysqld-auth', 'action', 'route', 'actionunban', 'ip route del <blocktype> <ip>']
['set', 'mysqld-auth', 'action', 'route', 'actioncheck', '']
['set', 'mysqld-auth', 'action', 'route', 'protocol', 'tcp']
['set', 'mysqld-auth', 'action', 'route', 'name', 'mysqld-auth']
['set', 'mysqld-auth', 'action', 'route', 'chain', 'INPUT']
['set', 'mysqld-auth', 'action', 'route', 'known/blocktype', 'unreachable']
['set', 'mysqld-auth', 'action', 'route', 'blocktype', 'unreachable']
['set', 'mysqld-auth', 'action', 'route', 'port', '6603']
['set', 'mysqld-auth', 'action', 'route', 'bantime', '3600']
['start', 'mysqld-auth'] 

Relevant parts of /var/log/fail2ban.log file:

2019-01-03 08:28:37,593 fail2ban.server         [2033]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.7
2019-01-03 08:28:37,594 fail2ban.database       [2033]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2019-01-03 08:28:37,628 fail2ban.jail           [2033]: INFO    Initiated 'systemd' backend
2019-01-03 08:28:37,629 fail2ban.filter         [2033]: INFO    Set maxRetry = 5
2019-01-03 08:28:37,630 fail2ban.filter         [2033]: INFO    Set jail log file encoding to UTF-8
2019-01-03 08:28:37,630 fail2ban.actions        [2033]: INFO    Set banTime = 3600
2019-01-03 08:28:37,631 fail2ban.filter         [2033]: INFO    Set findtime = 600
2019-01-03 08:28:37,631 fail2ban.filter         [2033]: INFO    Set maxlines = 10
2019-01-03 08:28:37,699 fail2ban.jail           [2033]: INFO    Creating new jail 'mysqld-auth'
2019-01-03 08:28:37,722 fail2ban.jail           [2033]: INFO    Jail 'mysqld-auth' uses pyinotify {}
2019-01-03 08:28:37,728 fail2ban.jail           [2033]: INFO    Initiated 'pyinotify' backend
2019-01-03 08:28:37,730 fail2ban.filter         [2033]: INFO    Added logfile = /var/log/mysqld.log
2019-01-03 08:28:37,732 fail2ban.filter         [2033]: INFO    Set maxRetry = 5
2019-01-03 08:28:37,733 fail2ban.filter         [2033]: INFO    Set jail log file encoding to UTF-8
2019-01-03 08:28:37,733 fail2ban.actions        [2033]: INFO    Set banTime = 3600
2019-01-03 08:28:37,733 fail2ban.filter         [2033]: INFO    Set findtime = 600
2019-01-03 08:28:37,749 fail2ban.jail           [2033]: INFO    Jail 'mysqld-auth' started

Relevant lines from monitored log files in question:

sh-4.2# tail -f /var/log/mysqld.log
2019-01-03T08:50:04.634875Z 113 [Note] [MY-010926] [Server] Access denied for user 'root'@'c-76-121-8-146.hsd1.wa.comcast.net' (using password: NO)
2019-01-03T08:50:23.850165Z 114 [Note] [MY-010926] [Server] Access denied for user 'root'@'c-76-121-8-146.hsd1.wa.comcast.net' (using password: YES)
2019-01-03T08:50:28.300619Z 115 [Note] [MY-010926] [Server] Access denied for user 'root'@'c-76-121-8-146.hsd1.wa.comcast.net' (using password: NO)
2019-01-03T08:50:29.936365Z 116 [Note] [MY-010926] [Server] Access denied for user 'root'@'c-76-121-8-146.hsd1.wa.comcast.net' (using password: YES)
2019-01-03T08:50:32.921245Z 117 [Note] [MY-010926] [Server] Access denied for user 'root'@'c-76-121-8-146.hsd1.wa.comcast.net' (using password: NO)
2019-01-03T08:50:35.639557Z 118 [Note] [MY-010926] [Server] Access denied for user 'root'@'c-76-121-8-146.hsd1.wa.comcast.net' (using password: YES)
sebres closed this as completed in a13fdcf on Jan 7, 2019
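The mismatch the reporter describes can be reproduced without a running Fail2Ban instance. The following Python is an added example, not code from the issue or from the Fail2Ban project: it takes the failregex exactly as it appears in the `fail2ban-client -d` dump above, expands `<HOST>` with the Fail2Ban 0.9-era host pattern (an assumption, stated in the code), strips the ISO-8601 timestamp as a simplified stand-in for Fail2Ban's date handling, and runs both the stock regex and a generalized one over constructed log lines in the MySQL 5.7 and 8.0.13 formats. The generalized pattern, which tolerates any number of additional bracketed tags such as `[MY-010926] [Server]` after the level tag, is my own illustration and not the upstream fix in a13fdcf.

```python
"""Added example (not Fail2Ban's code): replay the mysqld-auth failregex from
the issue against MySQL 5.7- and 8.0.13-style 'Access denied' lines, and show a
generalized regex that tolerates the extra '[MY-010926] [Server]' tags.
Assumptions (not from the issue): the '<HOST>' expansion below is the Fail2Ban
0.9-era pattern, and timestamp stripping is simplified to ISO-8601 'Z' stamps."""
import re

# Fail2Ban 0.9 substitutes <HOST> with this pattern (assumption, see above).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Common prefix of the filter as dumped by `fail2ban-client -d` in the issue:
# optional syslog/journal/vserver/mysqld prefixes, then the MySQL connection id.
_PREFIX = (
    r"^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?"
    r"(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?mysqld(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?mysqld(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?"
    r"(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?"
)
_SUFFIX = (
    r" Access denied for user '[^']+'@'<HOST>'"
    r" (to database '[^']*'|\(using password: (YES|NO)\))*\s*$"
)

# The stock 0.9.7 regex: exactly one bracketed level tag, e.g. "[Note]",
# immediately followed by the "Access denied" message.
OLD_FAILREGEX = _PREFIX + r"\[\w+\]" + _SUFFIX
# Generalized (my own, not the upstream fix): allow any number of additional
# bracketed tags such as "[MY-010926] [Server]" between the level and message.
NEW_FAILREGEX = _PREFIX + r"\[\w+\](?: \[[\w-]+\])*" + _SUFFIX

# Fail2Ban removes the matched timestamp before applying failregex; this is a
# simplified stand-in for the MySQL 5.7/8.0 ISO-8601 UTC stamps.
_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z\s*")


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> placeholder the way the filter engine would."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def extract_hosts(lines, failregex: str):
    """Return the <host> captured from every line the failregex matches.

    This is what the jail would count towards maxretry; a line that yields
    nothing here is invisible to Fail2Ban no matter how many times it repeats.
    """
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        msg = _TIMESTAMP.sub("", line.rstrip("\n"))
        m = pattern.search(msg)
        if m:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample lines: one MySQL 5.7-style entry, two in the 8.0.13 format
# quoted in the issue (documentation addresses instead of the reporter's host),
# and one unrelated [Server] line that must never count as a failure.
SAMPLE_LOG = [
    "2019-01-03T08:50:01.000000Z 112 [Note] Access denied for user 'root'@'192.0.2.10' (using password: NO)",
    "2019-01-03T08:50:04.634875Z 113 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: NO)",
    "2019-01-03T08:50:23.850165Z 114 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.7' (using password: YES)",
    "2019-01-03T08:50:30.000000Z 115 [Note] [MY-010926] [Server] Got an error reading communication packets",
]

if __name__ == "__main__":
    print("old:", extract_hosts(SAMPLE_LOG, OLD_FAILREGEX))  # only the 5.7 line
    print("new:", extract_hosts(SAMPLE_LOG, NEW_FAILREGEX))  # all three denials
```

With the stock regex only the 5.7-style line produces a host, so the 8.0.13 failures never reach the ban counter; the generalized regex catches all three denials and still ignores the unrelated `[Server]` line. Before shipping any such filter change, run it against the real log with `fail2ban-regex /var/log/mysqld.log /etc/fail2ban/filter.d/mysqld-auth.conf` so that Fail2Ban's own date detection and `<HOST>` expansion, rather than the simplified stand-ins above, are what get exercised.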