Fix Dropbear filter when logging to STDOUT

Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog.

As usual, timestamps and also the PID are now included by the log message emitted by Dropbear, in addition to the systemd journal log prefix.

The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without `-E` flag.

Signed-off-by: MichaIng <[email protected]>

config/filter.d/dropbear.conf

@@ -23,7 +23,7 @@ before = common.conf
 
 _daemon = dropbear
 
-prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
+prefregex = ^%(__prefix_line)s(\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d )?<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
 
 failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
             ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$

fail2ban/tests/files/logs/dropbear

@@ -13,3 +13,6 @@ Jul 27 01:04:12 fail2ban-test dropbear[1335]: Bad password attempt for 'root' fr
 Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588
 # failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
 Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794
+
+# failJSON: { "time": "2005-07-10T23:53:52", "match": true , "host": "1.2.3.4" }
+Jul 10 23:53:52 fail2ban-test dropbear[825]: [825] Jul 10 23:53:52 Bad password attempt for 'root' from 1.2.3.4:52289