From 1f4571ac886a3b93b31542cbce49a2a7a2687a65 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Fri, 23 Nov 2007 08:57:33 -0500
Subject: [PATCH 1/2] NF: ban tcpwrappers 'refused connect' reported IPs
---
 config/filter.d/sshd.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 96a3ae6a..63e5ce2d 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -20,6 +20,7 @@
 failregex = (?:error: PAM: )?Authentication failure for .* from \s*$
 [iI](?:llegal|nvalid) user .* from \s*$
 User .+ from not allowed because not listed in AllowUsers\s*$
 User .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
+ sshd(?:\[\d+\])?: refused connect from \S+ \(\)\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
From 46cfc2bbd6abed8dd35380a0e2a7b1d759a4bb06 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Fri, 23 Nov 2007 09:00:08 -0500
Subject: [PATCH 2/2] added example for "refused connect"
---
 debian/patches/00_ssh_strong_re.dpatch | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/debian/patches/00_ssh_strong_re.dpatch b/debian/patches/00_ssh_strong_re.dpatch
index 82e8d305..288c11ad 100755
--- a/debian/patches/00_ssh_strong_re.dpatch
+++ b/debian/patches/00_ssh_strong_re.dpatch
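Review bot: As rendered here the added failregex ends in `\(\)\s*$`, a literal empty parenthesis pair that cannot match the tcpwrappers line it targets, which carries the client address inside the parentheses (the companion example ends in `(::ffff:218.249.210.161)`); the other entries show the same gap after `from `, so the `<HOST>` tag was most likely stripped in rendering — confirm the committed line reads `refused connect from \S+ \(<HOST>\)\s*$` and that the host template accepts the `::ffff:` IPv4-mapped prefix, otherwise the extracted address is not something the ban action can use. Anchoring the ban on the parenthesised address rather than on the preceding `\S+` token is the right choice, since that token holds the ident/user string and the reverse-DNS name, both supplied by the remote side. The `sshd(?:\[\d+\])?: ` prefix is unique among the entries; because any libwrap-linked daemon logs `refused connect from`, the prefix is a deliberate narrowing that deserves a comment, e.g. `# tcpwrappers (hosts.deny) rejection; keep the sshd prefix so other wrapped daemons' lines are not matched`.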
@@ -5,10 +5,10 @@
 ## DP: No description.
 @DPATCH@
-diff -urNad trunk~/config/filter.d/sshd.examples trunk/config/filter.d/sshd.examples
---- trunk~/config/filter.d/sshd.examples 1969-12-31 19:00:00.000000000 -0500
-+++ trunk/config/filter.d/sshd.examples 2007-08-14 19:40:23.000000000 -0400
-@@ -0,0 +1,19 @@
+diff -urNad fail2ban~/config/filter.d/sshd.examples fail2ban/config/filter.d/sshd.examples
+--- fail2ban~/config/filter.d/sshd.examples 1969-12-31 19:00:00.000000000 -0500
++++ fail2ban/config/filter.d/sshd.examples 2007-11-23 08:59:47.000000000 -0500
+@@ -0,0 +1,22 @@
 +#1
 +Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
 +May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
@@ -28,3 +28,6 @@ diff -urNad trunk~/config/filter.d/sshd.examples trunk/config/filter.d/sshd.exam
 +#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
 +Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
 +Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
++
++#6 ew filter introduced thanks to report Guido Bozzetto
++Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)
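Review bot: The comment heading the new `#6` block reads `#6 ew filter introduced thanks to report Guido Bozzetto`, which looks like a dropped letter for `new filter`, the wording the `#5` block above it uses. These comments are the only link between an example line and the failregex it exercises, so naming the pattern in the comment, e.g. `#6 new filter for tcpwrappers "refused connect from" lines`, would make the examples file easier to audit than a reporter name alone. The first hunk only renames the `trunk` path prefix, refreshes the timestamps and raises the inner hunk count from 19 to 22, which is consistent with the three lines added in the second hunk.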