fail2ban/config/filter.d/sshd-ddos.conf

# Fail2Ban ssh filter for at attempted exploit
#
# The regex here also relates to a exploit:
#
#  http://www.securityfocus.com/bid/17958/exploit
#  The example code here shows the pushing of the exploit straight after
#  reading the server version. This is where the client version string normally
#  pushed. As such the server will read this unparsible information as
#  "Did not receive identification string".

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$

ignoreregex = 

[Init]

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

# Author: Yaroslav Halchenko
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban ssh filter for at attempted exploit`
- Added missing svn:keywords - Split failregex in sshd.conf - Added sshd-ddos.conf. Thanks to Yaroslav Halchenko git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@510 a942ae1a-1317-0410-a47c-b1dcaea8d605 2007-01-04 12:21:44 +00:00			`#`
BF: filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf 2013-04-17 18:38:03 +00:00			`# The regex here also relates to a exploit:`
			`#`
			`# http://www.securityfocus.com/bid/17958/exploit`
			`# The example code here shows the pushing of the exploit straight after`
			`# reading the server version. This is where the client version string normally`
			`# pushed. As such the server will read this unparsible information as`
			`# "Did not receive identification string".`
ENH: tune up sshd-ddos to use common.conf and allow training spaces 2012-12-07 20:17:08 +00:00
			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`
- Added missing svn:keywords - Split failregex in sshd.conf - Added sshd-ddos.conf. Thanks to Yaroslav Halchenko git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@510 a942ae1a-1317-0410-a47c-b1dcaea8d605 2007-01-04 12:21:44 +00:00
			`[Definition]`

ENH: tune up sshd-ddos to use common.conf and allow training spaces 2012-12-07 20:17:08 +00:00			`_daemon = sshd`

			`failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$`
- Added missing svn:keywords - Split failregex in sshd.conf - Added sshd-ddos.conf. Thanks to Yaroslav Halchenko git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@510 a942ae1a-1317-0410-a47c-b1dcaea8d605 2007-01-04 12:21:44 +00:00
			`ignoreregex =`
NF: Add systemd journal backend 2013-05-09 23:15:07 +00:00
			`[Init]`

			`journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd`
MRG: 0.8.11 to 0.9 Epnoc of selinux is now true UTC Merge multiline support and date detection in filter 2013-11-02 04:59:05 +00:00
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Author: Yaroslav Halchenko`