ENH: added multiline filter for sshd filter

2013-11-25 14:55:41 +11:00 · 2013-11-25 14:55:41 +11:00 · 227f27ce6b
parent 84f915c1f7
commit 227f27ce6b
4 changed files with 12 additions and 0 deletions
--- a/3
+++ b/3
@ -36,6 +36,9 @@ code-review and minor additions from Yaroslav Halchenko.
     into logging messages in case of error or at DEBUG loglevel.
   Daniel Black and TESTOVIK
   * Multiline filter for sendmail-spam. Close gh-418
+   Daniel Black and John Thoe
+   * Multiline regex for Disconnecting: Too many authentication failures for
+     root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]

 - Enhancements
  Steven Hiscocks
--- a/1
+++ b/1
@ -33,6 +33,7 @@ Georgiy Mernov
 Guillaume Delvit
 Hanno 'Rince' Wagner
 Iain Lea
+John Thoe
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -23,6 +23,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \[preauth\]$
+            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$

 ignoreregex = 

--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@ -117,3 +117,10 @@ Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 po

 # failJSON: { "time": "2004-11-11T08:04:51", "match": true , "host": "127.0.0.1", "desc": "Injecting on username ssh 'from 10.10.1.1'@localhost" }
 Nov 11 08:04:51 redbamboo sshd[2737]: Failed password for invalid user from 10.10.1.1 from 127.0.0.1 port 58946 ssh2
+
+
+
+# failJSON: { "match": false }
+Nov 23 21:50:19 sshd[8148]: Disconnecting: Too many authentication failures for root [preauth]
+# failJSON: { "time": "2004-11-23T21:50:37", "match": true , "host": "61.0.0.1", "desc": "Multiline match for preauth failures" }
+Nov 23 21:50:37 sshd[8148]: Connection closed by 61.0.0.1 [preauth]