author | sebres <serg.brester@sebres.de> | 2022-01-18 16:17:07 +0100 |
---|---|---|
committer | sebres <serg.brester@sebres.de> | 2022-01-18 16:17:07 +0100 |
commit | 35d73d975856d6a17534db68f4bffbb7d3c7c3a9 (patch) | |
tree | 5298f6282e7c2ecafd1b29fd13f866b61ef3adf4 /config | |
parent | ea7bbb47571ea318baf603e7671a9fa16bfe3c36 (diff) | |
parent | bf689c27b833d4cafc6ce34ada214cd4df2d7d86 (diff) | |
download | fail2ban-35d73d975856d6a17534db68f4bffbb7d3c7c3a9.tar.gz |
Merge branch '0.10' into 0.11
Diffstat (limited to 'config')
-rw-r--r-- | config/filter.d/sshd.conf | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index e7942262..d5d189b0 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -68,15 +68,17 @@ cmnfailed = <cmnfailed-<publickey>>
 mdre-normal =
 # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
-mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
+mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
 mdre-ddos = ^Did not receive identification string from <HOST>
- ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
+ ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
 ^Bad protocol version identification '.*' from <HOST>
 ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
 ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
-# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
+ ^banner exchange: Connection from <HOST><__on_port_opt>: invalid format
+# same as mdre-normal-other, but as failure (without <F-NOFAIL> with [preauth] and with <F-NOFAIL> on no preauth phase as helper to identify address):
 mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
+ ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__on_port_opt)s|\s*)$
 mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
 ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found. |
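Review bot: The added `^banner exchange:` alternative in `mdre-ddos` writes the port suffix as `<__on_port_opt>`, while every other pattern in this hunk that uses it interpolates `%(__on_port_opt)s`; unless the tag form is needed here, `^banner exchange: Connection from <HOST>%(__on_port_opt)s: invalid format` keeps the filter uniform and removes any doubt about how the placeholder resolves. The widened `kex_exchange_identification` line still has no `<HOST>`, so it appears to depend on the new `<F-NOFAIL>` line in `mdre-ddos-other` to tie the message to an address; a comment directly above it such as `# no <HOST> here: address comes from the related "Connection closed/reset" line of the same session` would make that dependency explicit. The diffstat is limited to `config`, so whether sample log lines for `reset by peer` and `banner exchange` were added to the filter tests cannot be seen from this page. The `mdre-extra` list may continue past the end of the hunk.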