PR 88: [BUG] improve sshd regex, sshd log messages changed with openssh >=9.8 to sshd-session

[wolfgangasdf]

Pull Request

Select which topic best describes your contribution:

• Feature
• Bug
• Documentation / Wiki

---

Description

Hi, after updating to Debian 13 my csf installation doesn't notify me of ssh logins and doesn't block ssh attacks. It seems openssh has split up the sshd process, and now the log messages come from sshd-session.
Solution: Replace all occurrences of sshd\[ by sshd(?:[\-0-9a-zA-Z_]*)?\[ in /usr/local/csf/lib/ConfigServer/RegexMain.pm. This works with old and new sshd versions. This regex is probably immune against future changes in openssh.

From https://www.openssh.org/releasenotes.html :

OpenSSH 9.8/9.8p1 (2024-07-01): ...several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd".
OpenSSH 10.0/10.0p2 (2025-04-09): This change should be largely invisible to users, though some log messages may now come from "sshd-auth" instead of "sshd-session"

I wonder a bit if it's something on my side since Debian 13 seems to be supported by csf, but I have a completely standard server installation.

---

Before You Submit

Please ensure you check the following items to indicate that you've read this section and completed each task

• My code follows the Contributor Guidelines
• I give expressed consent for my work to be used in this repo
• I have tested my work and it functions as intended
• I have included docs, if the change requires such; which will be pushed to https://docs.configserver.dev

[BinaryServ]

Automatic Self-Check - #88

The details of our automated scan for your pull request are listed below. If our scan detected errors, they must be corrected before this pull request will be advanced to the review stage:

---

About

This pull request includes the following information:

Category	Value
Title	[BUG] improve sshd regex, sshd log messages changed with openssh >=9.8 to sshd-session
Created	01.25.2026 12:11 PM UTC
ID	#88
Author	wolfgangasdf
Repo	csf-firewall
Branch	main ⇁ main
Added Files	0
Modified Files	1
Renamed Files	0
Copied Files	0
Deleted Files	0

---

📄 src/ConfigServer/RegexMain.pm

Note

The file src/ConfigServer/RegexMain.pm contains no errors

---

^{This check was done automatically. Do NOT open a new PR for re-validation. Instead, to trigger this check again, make a change to your PR and wait a few minutes, or close and re-open it.}

[Aetherinox]

Thanks for the PR.

Could you possibly throw up another PR with just the changes.

I had to re-organize the repo, and it made things go postal in here. Or I can manually track down the changes and apply them.

[Aetherinox]

I released v15.09 with your changes implemented, and added you to the changelog credits.

[wolfgangasdf]

Hi, my apologies for not answering earlier, great, and it works here! Also very nice that the git repository is smaller now :-)

[Aetherinox]

It's fine. I've been busy with other aspects of CSF, so I've been all over the place.

Yeah, the repository size was ridiculous. I just need to finish setting up how the blocklists work, but now it has a fully-dedicated repo and server via https://blocklist.configserver.dev/help

Appreciate the help.