authorsebres <serg.brester@sebres.de>2022-01-18 16:17:49 +0100
committersebres <serg.brester@sebres.de>2022-01-18 16:17:49 +0100
commit970573d1cbe16907c2eb352cee44b6825524744a (patch)
tree21f085dfc2bc6c6ca9f46cf324dc9bf088a90ae4 /config
parent095aeda8407b433098df35424cde2764a09566a6 (diff)
parent35d73d975856d6a17534db68f4bffbb7d3c7c3a9 (diff)
Merge branch '0.11'
Diffstat (limited to 'config')
-rw-r--r--config/filter.d/sshd.conf8
1 files changed, 5 insertions, 3 deletions
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index e7942262..d5d189b0 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -68,15 +68,17 @@ cmnfailed = <cmnfailed-<publickey>>
mdre-normal =
# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
-mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
+mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
mdre-ddos = ^Did not receive identification string from <HOST>
- ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
+ ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
^Bad protocol version identification '.*' from <HOST>
^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
-# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
+ ^banner exchange: Connection from <HOST><__on_port_opt>: invalid format
+# same as mdre-normal-other, but as failure (without <F-NOFAIL> with [preauth] and with <F-NOFAIL> on no preauth phase as helper to identify address):
mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
+ ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__on_port_opt)s|\s*)$
mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
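Review bot: The rewritten comment above `mdre-ddos-other` is hard to parse and does not explain why the added second regex ends in `(?:%(__on_port_opt)s|\s*)$` while `mdre-normal-other` ends in `(?:%(__suff)s|\s*)$`. The definition of `__suff` is outside the hunk, so this is inferred, but if the narrower suffix is deliberate so that a `[preauth]` line can only match the failure regex, the comment should say so, for example `# same as mdre-normal-other, but counted as failure (no <F-NOFAIL>) when [preauth] is present; without [preauth] it stays <F-NOFAIL> and only helps to identify the address:`. Separately, the new `banner exchange` line writes `<__on_port_opt>` where the neighbouring lines write `%(__on_port_opt)s`; both forms may resolve to the same value, but a single spelling makes the filter easier to audit. The `mdre-extra` definition may continue past the end of the hunk.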