fail2ban/config/filter.d/sshd.conf

# Fail2Ban filter for openssh
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

ignoreregex = 

# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 11 years ago			`# Fail2Ban filter for openssh`
- Added header git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@254 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago			`#`

- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
- Fixed fail2ban-regex. It support "includes" in configuration files. - Modified "includes" to be more generic. We will probably support URL in the future. - Small refactoring. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@656 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`before = common.conf`
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago

- 0.7.0 soon git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@251 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago			`[Definition]`
- Initial commit of the new development release 0.7 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@249 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`_daemon = sshd`

ENH: filter.d/sshd.conf -- allow for trailing "via IP" in logs 12 years ago			`failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure\|error) for .* from <HOST>( via \S+)?\s*$`
- Merged patches from Debian package. Thanks to Yaroslav Halchenko. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@706 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$`
BF: fixing injection for OpenSSH 6.3 -- making .* before <HOST> non-greedy 11 years ago			`^%(__prefix_line)sFailed \S+ for .? from <HOST>(?: port \d)?(?: ssh\d)?(: (ruser .{0,100}\|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s$`
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$`
			`^%(__prefix_line)s[iI](?:llegal\|nvalid) user .* from <HOST>\s*$`
BF: allow trailing whitespace in few missing it regexes for sshd.conf 13 years ago			`^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$`
ENH: catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) 13 years ago			`^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$`
ENH: more openssh fail messages from openssh source code (CVS 20121205) 12 years ago			`^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$`
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko. - Renamed actionend to actionstop. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@658 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$`
ENH: more openssh fail messages from openssh source code (CVS 20121205) 12 years ago			`^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$`
ENH: sshd.conf -- allow user names to have spaces and trailing spaces in the line absorbed from patches carried by Debian distribution of f2b 13 years ago			`^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$`
- Initial commit of the new development release 0.7 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@249 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago
- Defined default values in .conf. Should fix Debian bug #398758 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@464 a942ae1a-1317-0410-a47c-b1dcaea8d605 18 years ago			`ignoreregex =`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 11 years ago
			`# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black`