From 40077511913a1c346b32cfbf0cfdd5143810971d Mon Sep 17 00:00:00 2001 From: Petr Voralek Date: Mon, 16 Apr 2012 20:36:53 -0400 Subject: [PATCH] ENH: catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) --- config/filter.d/sshd.conf | 1 + testcases/files/logs/sshd | 3 +++ 2 files changed, 4 insertions(+) diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 02058ca1a..e838cecc7 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -29,6 +29,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$ + ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ^%(__prefix_line)sAddress .* POSSIBLE BREAK-IN ATTEMPT!*\s*$ diff --git a/testcases/files/logs/sshd b/testcases/files/logs/sshd index 02d33bacc..216a595e0 100644 --- a/testcases/files/logs/sshd +++ b/testcases/files/logs/sshd @@ -24,3 +24,6 @@ Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjL #7 added exclamation mark to BREAK-IN Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! + +#8 DenyUsers https://github.com/fail2ban/fail2ban/issues/47 +Apr 16 22:01:15 al-ribat sshd[5154]: User root from 46.45.128.3 not allowed because listed in DenyUsers
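Review bot: in the config/filter.d/sshd.conf hunk, the added DenyUsers line duplicates the AllowUsers line directly above it except for the word "not"; one combined pattern such as `^%(__prefix_line)sUser .+ from <HOST> not allowed because (?:not )?listed in (?:AllowUsers|DenyUsers)\s*$` keeps the two cases in step and saves one regex per log line. Separately, `User .+ from` is greedy and the user name at that position is supplied by the unauthenticated client, so `\S+` is the tighter choice if the filter is ever revisited (the existing AllowUsers line has the same shape, so this is a consistency note rather than a blocker for this patch).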
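Review bot: the testcases/files/logs/sshd hunk adds one line that the new failregex must match, but nothing in this diff updates whichever test consumes that file with an expected match count; please confirm the count is adjusted (or that the harness derives it automatically) so the new sample is actually exercised rather than silently ignored. Also, the sample uses a real-looking host name (al-ribat) and address (46.45.128.3) taken from a live log; a documentation address from 192.0.2.0/24 and a neutral host name would avoid shipping a third party's details in the test corpus.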