SSH alert scraping matches a .fail TLD

Description

Using a .fail TLD for a TrueNAS server means every line in the sshd log is sent out as an alert:

```
Sep 14 17:24:39 myserver 1 2021-09-14T17:24:39.438882+03:00 myserver.mydomain.fail sshd 87608 - - Accepted password for xyz from 192.168.1.236 port 54789 ssh2
Sep 14 17:59:20 myserver 1 2021-09-14T17:59:20.713576+03:00 myserver.mydomain.fail sshd 87610 - - Received disconnect from 192.168.1.236 port 54789:11: disconnected by user
Sep 14 17:59:20 myserver 1 2021-09-14T17:59:20.713630+03:00 myserver.mydomain.fail sshd 87610 - - Disconnected from user xyz 192.168.1.236 port 54789
```

This seems to be caused by the matcher matching any `fail` string.

Problem/Justification

None

Impact

None

Activity

Bug Clerk May 18, 2022 at 9:27 PM

Petteri Torkko September 18, 2021 at 9:23 PM

Not sure what for, the problem seems to be here:

https://github.com/truenas/middleware/blob/6c639bd48a2c080be016e918421b11f41b032dae/src/middlewared/middlewared/alert/source/ssh_login_failures.py#L53

 

`\bfail\b` will match `my.domain.fail` in the current log format in the example
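An added example (not code from the ticket or from the TrueNAS middleware) that reproduces the false positive on the ticket's own log lines and shows one way to avoid it: apply the pattern only to the message field of sshd lines. The fourth log line, the `KEYWORDS` pattern, the `re.I` flag and the line layout in `LINE_RE` are assumptions made for this example.

```python
import re

# Lines 0-2 are copied from the ticket; line 3 is constructed for this example.
SAMPLE_LINES = [
    "Sep 14 17:24:39 myserver 1 2021-09-14T17:24:39.438882+03:00 myserver.mydomain.fail sshd 87608 - - Accepted password for xyz from 192.168.1.236 port 54789 ssh2",
    "Sep 14 17:59:20 myserver 1 2021-09-14T17:59:20.713576+03:00 myserver.mydomain.fail sshd 87610 - - Received disconnect from 192.168.1.236 port 54789:11: disconnected by user",
    "Sep 14 17:59:20 myserver 1 2021-09-14T17:59:20.713630+03:00 myserver.mydomain.fail sshd 87610 - - Disconnected from user xyz 192.168.1.236 port 54789",
    "Sep 14 18:01:02 myserver 1 2021-09-14T18:01:02.000000+03:00 myserver.mydomain.fail sshd 87612 - - Failed password for xyz from 192.168.1.236 port 54790 ssh2",
]

TICKET_PATTERN = re.compile(r"\bfail\b", re.I)  # as quoted in the comment; flag assumed
# Hypothetical keyword pattern for this example, not the middleware's own.
KEYWORDS = re.compile(r"\bfail(ed|ures?)?\b", re.I)

# Layout inferred from the ticket's lines: legacy prefix, then a syslog
# header with version 1, timestamp, FQDN, app, pid, msgid, nil structured data.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ 1 \S+ (?P<host>\S+) "
    r"(?P<app>\S+) (?P<pid>\d+|-) \S+ - (?P<msg>.*)$"
)

def whole_line_hits(lines, pattern):
    """Match anywhere in the line, so a keyword in the hostname also counts."""
    return [line for line in lines if pattern.search(line)]

def message_hits(lines, pattern):
    """Match only the message field of sshd lines.

    Returns (hits, unparsed); unparsed lines are reported rather than
    silently dropped so a log format change stays visible.
    """
    hits, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
        elif m["app"] == "sshd" and pattern.search(m["msg"]):
            hits.append(line)
    return hits, unparsed

if __name__ == "__main__":
    print(len(whole_line_hits(SAMPLE_LINES, TICKET_PATTERN)), "whole-line hits")
    hits, unparsed = message_hits(SAMPLE_LINES, KEYWORDS)
    print(len(hits), "message hits;", len(unparsed), "unparsed")
```

Matching the whole line flags all four sample lines because of the hostname, while matching the message field flags only the constructed failed login.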

Bonnie Follweiler September 16, 2021 at 1:13 PM

Thank you for the report.

Can you please attach a debug file to this ticket? To generate a debug file on TrueNAS CORE, log in to the TrueNAS web interface, go to System > Advanced, then click Save Debug and wait for the file to download to your local system.

Complete

Created September 15, 2021 at 4:58 PM
Updated July 6, 2022 at 9:02 PM
Resolved May 18, 2022 at 9:29 PM