github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

BF: filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf

pull/175/head
Daniel Black 2013-04-18 04:38:03 +10:00
parent 32d10e904a
commit 41b9f7b6ac
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
config/filter.d/sshd-ddos.conf
View File

@ -2,6 +2,13 @@
# #
# Author: Yaroslav Halchenko # Author: Yaroslav Halchenko
# #
# The regex here also relates to a exploit:
#
# http://www.securityfocus.com/bid/17958/exploit
# The example code here shows the pushing of the exploit straight after
# reading the server version. This is where the client version string normally
# pushed. As such the server will read this unparsible information as
# "Did not receive identification string".
[INCLUDES] [INCLUDES]

1
config/filter.d/sshd.conf
View File

@ -24,7 +24,6 @@ _daemon = sshd
# Values: TEXT # Values: TEXT
# #
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)sDid not receive identification string from <HOST>$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$ ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$