`filter.d/sshd.conf`: `extra` or `aggressive` modes consider `Received disconnect ... 11: Bye Bye` with `[preauth]` as a failure and without `[preauth]` it'd be still used as nofail-helper e. g. to obtain IP by multi-line processing;
closes gh-2115
parent
9dde3d019e
commit
05ec675305
|
@ -33,6 +33,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
|
|||
- adapted to conform possible new daemon name sshd-session, since OpenSSH 9.8
|
||||
several log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd" (gh-3782)
|
||||
- `ddos` and `aggressive` modes: regex extended for timeout before authentication (optional connection from part, gh-3907)
|
||||
- `extra` and `aggressive` modes: consider `Received disconnect ... 11: Bye Bye` with `[preauth]` as a failure
|
||||
and without `[preauth]` it'd be still used as nofail-helper e. g. to obtain IP by multi-line processing (amend to gh-2115)
|
||||
|
||||
### New Features and Enhancements
|
||||
* new jail option `skip_if_nologs` to ignore jail if no `logpath` matches found, fail2ban continue to start with warnings/errors,
|
||||
|
|
|
@ -56,7 +56,6 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*?</F-USER>
|
|||
^User <F-USER>\S+|.*?</F-USER> not allowed because account is locked%(__suff)s
|
||||
^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
|
||||
^Disconnecting: Too many authentication failures(?: for <F-USER>\S+|.*?</F-USER>)?%(__suff)s$
|
||||
^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
|
||||
<mdre-<mode>-other>
|
||||
^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
|
||||
|
||||
|
@ -69,6 +68,7 @@ cmnfailed = <cmnfailed-<publickey>>
|
|||
mdre-normal =
|
||||
# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
|
||||
mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET></F-NOFAIL>%(__authng_user)s <ADDR>%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?(?: \[preauth\])?\s*$
|
||||
^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
|
||||
|
||||
mdre-ddos = ^(?:Did not receive identification string from|Timeout before authentication for(?: connection from)?) <HOST>
|
||||
^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
|
||||
|
@ -81,17 +81,20 @@ mdre-ddos = ^(?:Did not receive identification string from|Timeout before authen
|
|||
mdre-ddos-other = ^<F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET>%(__authng_user)s <ADDR>%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?\s+\[preauth\]\s*$
|
||||
^<F-NOFAIL><F-MLFFORGET>(?:Connection (?:closed|reset)|Disconnect(?:ed|ing))</F-MLFFORGET></F-NOFAIL>%(__authng_user)s <ADDR>(?:%(__on_port_opt)s(?:: (?!Too many authentication failures)[^\[]+)?|\s*)$
|
||||
|
||||
mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
|
||||
mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*(?:14: No(?: supported)? authentication methods available|11:.*\[preauth\]$)
|
||||
^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
|
||||
^Unable to negotiate a <__alg_match>
|
||||
^no matching <__alg_match> found:
|
||||
# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only:
|
||||
mdre-extra-other = ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER> (?:from )?<HOST>%(__on_port_opt)s \[preauth\]\s*$
|
||||
%(mdre-extra-add)s
|
||||
mdre-extra-add = ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:.*(?<!\[preauth\])$
|
||||
|
||||
mdre-aggressive = %(mdre-ddos)s
|
||||
%(mdre-extra)s
|
||||
# mdre-extra-other is fully included within mdre-ddos-other:
|
||||
# mdre-extra-other is fully included within mdre-ddos-other, so use mdre-extra-add instead:
|
||||
mdre-aggressive-other = %(mdre-ddos-other)s
|
||||
%(mdre-extra-add)s
|
||||
|
||||
# Parameter "publickey": nofail (default), invalid, any, ignore
|
||||
publickey = nofail
|
||||
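Review bot: In hunk @ -81 the new `mdre-extra` alternative `11:.*\[preauth\]$` pins `[preauth]` to the very end of the line, whereas the sibling patterns in this file (`\[preauth\]\s*$` in `cmnfailre`'s `Change of username` line and in `mdre-extra-other`) tolerate trailing whitespace; a `Bye Bye [preauth]` line carrying a trailing space would miss the failure branch and instead satisfy `mdre-extra-add`'s `(?<!\[preauth\])$`, so it would be downgraded to a nofail helper. If such lines can occur, use `11:.*\[preauth\]\s*$` in `mdre-extra` and `11:(?!.*\[preauth\]\s*$).*$` in `mdre-extra-add` (a lookahead, because Python's lookbehind cannot be variable-length), which keeps the two branches exact complements; `mdre-aggressive` and `mdre-aggressive-other` inherit whichever form is chosen via `%(mdre-extra)s` and `%(mdre-extra-add)s`. `mdre-extra-add` also deserves a comment stating its role next to the existing one on `mdre-extra-other`, e.g. `# "Received disconnect ... 11:" without [preauth] is no failure, only a nofail helper (to obtain IP by multi-line processing); the [preauth] case is a failure in mdre-extra`.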
|
|
|
@ -375,6 +375,13 @@ Nov 25 01:35:14 srv sshd[3625]: error: Received disconnect from 192.168.2.92 por
|
|||
# failJSON: { "time": "2004-11-25T01:35:15", "match": true , "host": "192.168.2.93", "desc": "No authentication methods available (supported is optional, gh-2682)" }
|
||||
Nov 25 01:35:15 srv sshd[3626]: error: Received disconnect from 192.168.2.93 port 1883:14: No authentication methods available [preauth]
|
||||
|
||||
# failJSON: { "constraint": "name == 'sshd'", "time": "2004-11-25T01:35:20", "match": true , "host": "192.0.2.182", "desc": "Received disconnect ... Bye Bye [preauth] in extra/aggressive mode, gh-2115" }
|
||||
Nov 25 01:35:20 srv sshd[3627]: error: Received disconnect from 192.0.2.182 port 19709:11: Bye Bye [preauth]
|
||||
# failJSON: { "constraint": "name == 'sshd'", "match": false, "desc": "failure but no IP, matched in next line on no-fail helper" }
|
||||
Nov 25 01:35:25 srv sshd[3628]: fatal: Unable to negotiate a key exchange method [preauth]
|
||||
# failJSON: { "constraint": "name == 'sshd'", "time": "2004-11-25T01:35:25", "match": true , "host": "192.0.2.183", "desc": "Received disconnect ... Bye Bye without [preauth] in extra/aggressive mode, gh-2115" }
|
||||
Nov 25 01:35:25 srv sshd[3628]: error: Received disconnect from 192.0.2.183 port 19709:11: Bye Bye
|
||||
|
||||
# gh-1545:
|
||||
# failJSON: { "time": "2004-11-26T13:03:29", "match": true , "host": "192.0.2.1", "desc": "No matching cipher" }
|
||||
Nov 26 13:03:29 srv sshd[45]: Unable to negotiate with 192.0.2.1 port 55419: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
|
||||
|
|
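Review bot: The new cases at `Nov 25 01:35:20` … `01:35:25` cover `Bye Bye [preauth]` as a failure and `Bye Bye` without `[preauth]` supplying the host for the pending `Unable to negotiate` failure of the same pid 3628, but no case pins that a standalone `Received disconnect ... 11: Bye Bye` line, with nothing pending for its pid, is not itself counted as a failure — that is the behaviour the nofail helper exists for, and a regression there (a dropped `<F-NOFAIL>`, say) would pass this file unnoticed. A line for a fresh pid with the failJSON the harness expects for a nofail-only match (presumably `"match": false`, or the nofail form used elsewhere in this file) would close that gap. All four new entries carry `"constraint": "name == 'sshd'"` although their descriptions say "extra/aggressive mode"; the filterOptions header that defines which names and modes this file runs under is outside the hunk, so please confirm that this constraint actually selects a configuration in which `mdre-extra` is active.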