diff options
author | Steven Hiscocks <steven@hiscocks.me.uk> | 2014-06-17 23:43:42 +0100 |
---|---|---|
committer | Steven Hiscocks <steven@hiscocks.me.uk> | 2014-06-17 23:43:42 +0100 |
commit | 94232d7c31a6e7f253654e766375c26a61ca3d82 (patch) | |
tree | 594514424239182b74bbb3b85d2111922bb1d96e | |
parent | 4190a4030ccda7c3c8f5dee3f22c4da20769b996 (diff) | |
parent | 96918acee4d96a7d83992e6ce993faa9d900a97c (diff) | |
download | fail2ban-94232d7c31a6e7f253654e766375c26a61ca3d82.tar.gz |
Merge pull request #726 from pmarrapese/master
Minor improvement to sshd filter
-rw-r--r-- | THANKS | 1 | ||||
-rw-r--r-- | config/filter.d/sshd.conf | 2 | ||||
-rw-r--r-- | fail2ban/tests/files/logs/sshd | 5 |
3 files changed, 7 insertions, 1 deletions
@@ -77,6 +77,7 @@ Michael Hanselmann Mika (mkl) Nick Munger onorua +Paul Marrapese Noel Butler Patrick Börjesson Raphaël Marichez diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 195744f2..6589e21b 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -32,7 +32,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$ - ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ + ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ ignoreregex = diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd index b9d1b9b4..a6e54196 100644 --- a/fail2ban/tests/files/logs/sshd +++ b/fail2ban/tests/files/logs/sshd @@ -138,6 +138,11 @@ Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353 Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth] # failJSON: { "match": false } +Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353 on 127.0.0.1 port 22 +# failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "Multiline match with interface address" } +Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth] + +# failJSON: { "match": false } Apr 27 13:02:04 host sshd[29116]: User root not allowed because account is locked # failJSON: { "match": false } Apr 27 13:02:04 host sshd[29116]: input_userauth_request: invalid user root [preauth] |