Fail2ban double counts failed sshd login attempts? #2462

Closed
n1nj4888 opened this issue Jul 8, 2019 · 1 comment

n1nj4888 commented Jul 8, 2019

Environment:

  • Fail2Ban version (including any possible distribution suffixes): Fail2Ban v0.10.2
  • OS, including release name/version: Raspbian Buster - Linux raspberrypi3 4.19.50-v7+ #896 SMP Thu Jun 20 16:11:44 BST 2019 armv7l GNU/Linux
  • [x] Fail2Ban installed via OS/distribution mechanisms
  • [x] You have not applied any additional foreign patches to the codebase
  • [x] Some customizations were done to the configuration (provide details below if so)

The issue:

After configuring fail2ban for sshd with a retry count of 3, I noticed that failed connections were getting banned after 2 physical login attempts and a 3rd attempt would never be prompted for?

I had originally configured 2FA (Google Auth) on ssh so thought that this may be a factor, but I've since commented this out of the /etc/pam.d/sshd file and I'm still seeing the double counting of failed attempts (and therefore the connection being banned earlier than the configured 3 attempts)?

Steps to reproduce

(1) Attempt connection (1) with deliberate incorrect password and the following is output to the logs:

/var/log/auth.log

Jul  8 13:16:04 [HOSTNAME] sshd[3386]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[IP]  user=[USER]
Jul  8 13:16:06 [HOSTNAME] sshd[3384]: error: PAM: Authentication failure for [USER] from [IP]

/var/log/fail2ban.log

2019-07-08 13:16:04,815 fail2ban.filter         [3288]: INFO    [sshd] Found [IP] - 2019-07-08 13:16:04
2019-07-08 13:16:06,651 fail2ban.filter         [3288]: INFO    [sshd] Found [IP] - 2019-07-08 13:16:06

(2) Attempt connection (2) with deliberate incorrect password and the following is output to the logs:

/var/log/auth.log

Jul  8 13:16:54 [HOSTNAME] sshd[3390]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[IP]  user=[USER]
Jul  8 13:16:55 [HOSTNAME] sshd[3384]: error: PAM: Authentication failure for [USER] from [IP]

/var/log/fail2ban.log

2019-07-08 13:16:54,212 fail2ban.filter         [3288]: INFO    [sshd] Found [IP] - 2019-07-08 13:16:54
2019-07-08 13:16:54,631 fail2ban.actions        [3288]: NOTICE  [sshd] Ban [IP]
2019-07-08 13:16:55,820 fail2ban.filter         [3288]: INFO    [sshd] Found [IP] - 2019-07-08 13:16:55

(3) The 3rd ssh login prompt is not presented and the user is banned after 2 physical login attempts rather than the configured maxretry = 3 in /etc/fail2ban/jail.local

Expected behavior

Expected behaviour is that fail2ban identifies that the two log lines (with IP) per connection attempt are a single connection attempt and therefore respects the maxretry = 3 config value for sshd

Observed behavior

See above info in Issue description

Configuration, dump and another helpful excerpts

/etc/fail2ban/jail.local

[sshd]

enabled = true
filter = sshd
bantime = -1
maxretry = 3

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

n1nj4888 changed the title "Fail2ban double counts sshd login attempts?" to "Fail2ban double counts failed sshd login attempts?" Jul 8, 2019

sebres commented Jul 8, 2019

Expected behaviour is that fail2ban identifies that the two log lines (with IP) per connection attempt are a single connection attempt and therefore respects the maxretry = 3 config value for sshd

The issue is that the intruder can make several attempts during the same session (up to the MaxAuthTries configuration value), so counting it as you suggest, "per connection", could be too slight.

Although this one from the example is indeed counted double, as you can see in the current sshd filter:

^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$

this was already fixed in 25cc421 (and released in fail2ban >= 0.10.3).
In this config version, the regex is just a helper (multi-line filter) to obtain IP in case other failures don't contain the IP (tag <F-NOFAIL> avoids counting of a failure).
If you'd try fail2ban-regex with these 2 lines and this config, you would get:

$ fail2ban-regex /tmp/gh-2462.log sshd
...
Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [1] ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$
|  14) [1] ^<F-NOFAIL>pam_[a-z]+\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2 lines, 1 ignored, 1 matched, 0 missed
[processed in 0.00 sec]

|- Ignored line(s):
|  Jul  8 13:16:04 srv sshd[3386]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1  user=tester

The regex is matched, but "ignored", so it does not count a failure.

So I'd suggest updating the config or, better, your fail2ban version (or increasing maxretry until you get an update to the current version).

@sebres sebres closed this as completed Jul 8, 2019
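Added example, not fail2ban's code and not from either participant: a small Python reimplementation of the matching semantics sebres describes, with fail2ban's `<HOST>`, `<F-USER>`, `<F-ALT_USER>` and `<F-NOFAIL>` tags translated into Python named groups. It replays the two sshd.conf patterns from the fail2ban-regex output above over a constructed copy of the four auth.log lines from the report, once with the `<F-NOFAIL>` tag in place (the >= 0.10.3 filter) and once with the tag stripped (an assumed reconstruction of the pre-fix behaviour; the 0.10.2 regex itself is not quoted in the thread). The syslog prefix regex, the use of a plain non-space run for `<HOST>`, the hostname/IP/user values, and the omission of findtime and multi-line (MLFID) correlation are simplifications of mine.

```python
import re
from collections import defaultdict

# Constructed input: the four auth.log lines from the report, with placeholder
# hostname "srv", documentation address 192.0.2.1 and user "tester".
AUTH_LOG = """\
Jul  8 13:16:04 srv sshd[3386]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1  user=tester
Jul  8 13:16:06 srv sshd[3384]: error: PAM: Authentication failure for tester from 192.0.2.1
Jul  8 13:16:54 srv sshd[3390]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1  user=tester
Jul  8 13:16:55 srv sshd[3384]: error: PAM: Authentication failure for tester from 192.0.2.1
"""

# Simplified stand-in for fail2ban's prefregex/__prefix_line (assumption): strip
# the syslog timestamp, hostname, "sshd[pid]: " and the optional "error: PAM: "
# prefix, leaving the part the failregexes are matched against.
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$"
)

# The two sshd.conf failregexes shown in the fail2ban-regex output above
# (fail2ban tag syntax, %(__pam_auth)s already expanded to pam_[a-z]+).
PAM_FAIL = (r"^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>"
            r"( via \S+)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$")
PAM_UNIX = (r"^<F-NOFAIL>pam_[a-z]+\(sshd:auth\):\s+authentication failure;</F-NOFAIL>"
            r"(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>"
            r"\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$")

FIXED_FILTER = [PAM_FAIL, PAM_UNIX]   # >= 0.10.3 semantics: the pam_unix line is a helper only
# Assumed reconstruction of the pre-fix behaviour: the same pattern without the
# <F-NOFAIL> markers, so the pam_unix line is counted as a failure of its own.
OLD_FILTER = [PAM_FAIL, re.sub(r"</?F-NOFAIL>", "", PAM_UNIX)]

TAG_RE = re.compile(r"<F-(NOFAIL|USER|ALT_USER)>|</F-(?:NOFAIL|USER|ALT_USER)>|<HOST>")


def compile_failregex(pattern):
    """Translate fail2ban tags into Python named groups (<HOST> simplified to a non-space run)."""
    def sub(m):
        if m.group(0) == "<HOST>":
            return r"(?P<host>\S+)"
        if m.group(1):                          # opening <F-...> tag
            return "(?P<%s>" % m.group(1).lower()
        return ")"                              # closing </F-...> tag
    return re.compile(TAG_RE.sub(sub, pattern))


def count_failures(log_text, failregexes, maxretry):
    """Replay the log against a filter; return (failures per host, banned hosts, events).

    A match whose pattern carries a nofail group is recorded as 'ignored' and
    does not count; only the first matching failregex is applied to a line.
    findtime windows and multi-line (MLFID) correlation are deliberately omitted.
    """
    compiled = [compile_failregex(p) for p in failregexes]
    failures = defaultdict(int)
    banned, events = [], []
    for line in log_text.splitlines():
        pm = PREFIX_RE.match(line)
        if not pm:
            continue
        for rx in compiled:
            fm = rx.match(pm.group("content"))
            if not fm:
                continue
            host = fm.group("host")
            if "nofail" in rx.groupindex:
                events.append((host, "ignored"))
            else:
                failures[host] += 1
                events.append((host, "found"))
                if failures[host] >= maxretry and host not in banned:
                    banned.append(host)
            break
    return dict(failures), banned, events


if __name__ == "__main__":
    for name, flt in (("old (no F-NOFAIL)", OLD_FILTER), ("fixed (F-NOFAIL)", FIXED_FILTER)):
        fails, banned, events = count_failures(AUTH_LOG, flt, maxretry=3)
        print(name, fails, "banned:", banned, [e[1] for e in events])
```

With maxretry = 3 the stripped-tag filter reaches three counted failures on the third line (the first pam_unix line of the second connection), which is the point at which the reporter's fail2ban.log shows the ban, while the tagged filter records the pam_unix lines as ignored and ends the two connections at two counted failures. Note that sebres's caveat still holds: each "Authentication failure for ... from ..." line is one password attempt, not one connection, so a client that retries within a session up to MaxAuthTries is counted per attempt.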