From 3367dbd987dada35438e0583bf0836133368bbf9 Mon Sep 17 00:00:00 2001
From: jamesstout
Date: Tue, 30 Apr 2013 04:23:13 +0800
Subject: [PATCH] ENH: fail message matching for OpenSolaris and OS X - OpenSolaris keyboard message matched by new regex 3 - Removed Bye Bye regex per https://github.com/fail2ban/fail2ban/issues/175#issuecomment-16538036 - PAM auth failure or error and first char case-insensitive, can also have chars after the hostname. e.g. Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201
---
config/filter.d/sshd.conf | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 2c104073..8d98c675 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -23,17 +23,15 @@ _daemon = sshd
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA](?:uthentication) (?:failure|error) for .* from .*$
  ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
- ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?\s*$
+ ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?\s*$
  ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
- ^%(__prefix_line)s\[.*\] Failed keyboard-interactive for .* from (?: port \d*)?(?: ssh\d*)?$
  ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
  ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$
  ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$
  ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
  ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
- ^%(__prefix_line)s\[.*\] Received disconnect from .* Bye\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
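Review bot: The rewritten first `failregex` alternative ends in `.*$` after the host, so unlike every other pattern left in the list it no longer pins what may follow the address and relies solely on the greedy `for .* from` to select the right `from` in a line whose user-name field is supplied by the connecting client. The example in the commit message only needs a trailing ` via <address>` to be tolerated, so the tail could be limited to that while keeping the anchor: `... for .* from <HOST>(?: via \S+)?\s*$` (the `<HOST>` tag seems to have been stripped from this rendering of the hunk). In the same line `[aA](?:uthentication)` wraps a literal in a non-capturing group to no effect; `[aA]uthentication` is equivalent and easier to read. `Failed \S+ for` now matches any method name, which is worth a short comment above `failregex` naming the methods it is meant to cover.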