fail2ban/config/filter.d/sshd.conf

# Fail2Ban filter for openssh
#
# If you want to protect OpenSSH from being bruteforced by password
# authentication then get public key authentication working before disabling
# PasswordAuthentication in sshd_config.
#
#
# "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \d+)?(?: ssh\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$)
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \[preauth\])?$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
            ^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \d*)?(?: ssh\d*)? \[preauth\]$
            ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$

ignoreregex = 

[Init]

# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

# DEV Notes:
#
#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
#   and later catch-all's could contain user-provided input, which need to be greedily
#   matched away first.
#
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter for openssh`
- Added header git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@254 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-07-17 19:26:14 +00:00			`#`
DOC: openssh real protection is pubkey 2014-02-02 04:16:40 +00:00			`# If you want to protect OpenSSH from being bruteforced by password`
			`# authentication then get public key authentication working before disabling`
DOC: document LogLevel requirement for "Connection from" regex" 2014-02-13 05:20:36 +00:00			`# PasswordAuthentication in sshd_config.`
			`#`
			`#`
			`# "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config`
			`#`
- Added header git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@254 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-07-17 19:26:14 +00:00
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 2007-09-12 21:38:51 +00:00			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
- Fixed fail2ban-regex. It support "includes" in configuration files. - Modified "includes" to be more generic. We will probably support URL in the future. - Small refactoring. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@656 a942ae1a-1317-0410-a47c-b1dcaea8d605 2008-03-04 00:17:56 +00:00			`before = common.conf`
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 2007-09-12 21:38:51 +00:00
- 0.7.0 soon git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@251 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-07-16 21:35:08 +00:00			`[Definition]`
- Initial commit of the new development release 0.7 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@249 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-06-26 20:05:00 +00:00
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 2007-09-12 21:38:51 +00:00			`_daemon = sshd`

Placed failure (illumos) at end of regex 2016-03-24 04:43:15 +00:00			`failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure\|error\|failed) for .* from <HOST>( via \S+)?\s*$`
- Merged patches from Debian package. Thanks to Yaroslav Halchenko. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@706 a942ae1a-1317-0410-a47c-b1dcaea8d605 2008-07-22 22:29:57 +00:00			`^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$`
sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also. 2016-08-18 19:34:09 +00:00			`^%(__prefix_line)sFailed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)\|(?(cond_inv)(?:(?! from ).)?\|[^:]+)) from <HOST>(?: port \d+)?(?: ssh\d)?(?(cond_user):\|(?:(?:(?! from ).)*)$)`
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 2007-09-12 21:38:51 +00:00			`^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$`
amend after code review of merge gh-1581 2016-11-11 10:04:10 +00:00			`^%(__prefix_line)s[iI](?:llegal\|nvalid) user .? from <HOST>(?: port \d+)?\s$`
BF: allow trailing whitespace in few missing it regexes for sshd.conf 2012-02-11 02:14:51 +00:00			`^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$`
ENH: catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) 2012-04-17 00:36:53 +00:00			`^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$`
ENH: more openssh fail messages from openssh source code (CVS 20121205) 2013-04-16 14:03:36 +00:00			`^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$`
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko. - Renamed actionend to actionstop. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@658 a942ae1a-1317-0410-a47c-b1dcaea8d605 2008-03-04 22:41:28 +00:00			`^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$`
ssh.conf: Fix disconnect "Auth fail" matching The regex for matching against "Auth fail" disconnect log message does not match against current versions of ssh. OpenSSH 5.9 introduced privilege separation of the pre-auth process, which included [logging through monitor.c](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.113&r2=1.114) which adds " [preauth]" to the end of each message and causes the log level to be prepended to each message. It also fails to match against clients which send a disconnect message with a description that is either empty or includes a space, since this is the content in the log message after the disconnect code, per [packet.c:1785](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c?annotate=1.215), which was matched by \S+. Although I have not observed this yet, I couldn't find anything which would preclude it in [RFC 4253](https://tools.ietf.org/html/rfc4253#section-11.1) and since the message is attacker-controlled it provides a way to avoid getting banned. This commit fixes both issues. Signed-off-by: Kevin Locke <kevin@kevinlocke.name> 2015-10-02 22:19:42 +00:00			`^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \[preauth\])?$`
ENH: more openssh fail messages from openssh source code (CVS 20121205) 2013-04-16 14:03:36 +00:00			`^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$`
ENH: sshd.conf -- allow user names to have spaces and trailing spaces in the line absorbed from patches carried by Debian distribution of f2b 2011-11-18 15:07:13 +00:00			`^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$`
ENH: Match non "Bye Bye" for sshd locked accounts failregex 2014-04-27 12:35:55 +00:00			`^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$`
ENH: added multiline filter for sshd filter 2013-11-25 03:55:41 +00:00			`^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$`
more explicit match for sshd filter & added test 2014-05-20 03:47:16 +00:00			`^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$`
ENH: sshd filter -- match new "maximum auth attempts exceeded" (Closes #1269) 2015-12-14 04:21:04 +00:00			`^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \d)?(?: ssh\d)? \[preauth\]$`
added \s after host 2015-04-17 08:22:01 +00:00			`^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\slogname=\S\suid=\d\seuid=\d\stty=\S\sruser=\S\srhost=<HOST>\s.$`
- Initial commit of the new development release 0.7 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@249 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-06-26 20:05:00 +00:00
- Defined default values in .conf. Should fix Debian bug #398758 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@464 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-15 18:44:28 +00:00			`ignoreregex =`
ENH: Add new regex for locked accounts for sshd 2013-05-27 21:06:49 +00:00
			`[Init]`

			`# "maxlines" is number of log lines to buffer for multi-line regex searches`
			`maxlines = 10`
Merge branch 'systemd-journal' into 0.9 Conflicts: bin/fail2ban-regex config/filter.d/sshd.conf Closes github #224 2013-06-29 12:00:40 +00:00
NF: Add systemd journal backend 2013-05-09 23:15:07 +00:00			`journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd`
MRG: 0.8.11 to 0.9 Epnoc of selinux is now true UTC Merge multiline support and date detection in filter 2013-11-02 04:59:05 +00:00
DOC: adding DEV Notes for for non-greedy matchin within sshd.conf 2013-11-08 22:34:31 +00:00			`# DEV Notes:`
			`#`
			`# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because`
			`# it is coming before use of <HOST> which is not hard-anchored at the end as well,`
			`# and later catch-all's could contain user-provided input, which need to be greedily`
			`# matched away first.`
			`#`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black`
MRG: 0.8.11 to 0.9 Epnoc of selinux is now true UTC Merge multiline support and date detection in filter 2013-11-02 04:59:05 +00:00