From 5b2b680bfea74f5083c893677860e0d427faf475 Mon Sep 17 00:00:00 2001
From: benrubson
Date: Thu, 2 May 2019 11:42:45 +0200
Subject: [PATCH] SSHd add Bad protocol version message
---
 config/filter.d/sshd.conf | 1 +
 fail2ban/tests/files/logs/sshd | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 60efead7..418badbf 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -64,6 +64,7 @@ mdre-normal =
 mdrp-normal-suff-onclosed = (?:%(__suff)s|\s*)$
 mdre-ddos = ^Did not receive identification string from
+ ^Bad protocol version identification '.*' from
 ^Connection reset by
 ^Connection closed by%(__authng_user)s %(__on_port_opt)s\s+\[preauth\]\s*$
 ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index e2b3d456..68e65901 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -260,6 +260,8 @@ Mar 7 18:53:38 bar sshd[1559]: Connection closed by 192.0.2.116
 Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114
 # failJSON: { "time": "2005-06-07T01:11:57", "match": true , "host": "192.0.2.5", "desc": "refactored message (with port now, gh-2062)" }
 Jun 7 01:11:57 host sshd[8782]: Did not receive identification string from 192.0.2.5 port 35836
+# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115" }
+Jun 7 01:11:58 host sshd[8783]: Bad protocol version identification 'dummy string' from 69.61.56.115 port 31778
 # gh-864(1):
 # failJSON: { "match": false }
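Review bot: The added `^Bad protocol version identification '.*' from` entry in `mdre-ddos` (config/filter.d/sshd.conf) has no end anchor, while the text between the quotes is whatever the remote client sent, so the address that gets banned is chosen correctly only because `.*` is greedy and backtracks to the last `' from`. I would pin the tail the way the `Connection closed by` entry below it does, for example `^Bad protocol version identification '.*' from <HOST>%(__on_port_opt)s\s*$`, so the host can only come from the suffix sshd writes itself; if a common suffix is already appended where `mdre-ddos` is expanded (outside this hunk), a comment saying so is enough. A comment such as `# quoted string is client-controlled; keep '.*' greedy` would also stop a later edit from making it lazy. The host tag after `from` is not visible in this rendering of the patch, and the `mdre-ddos` definition continues beyond the hunk.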
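Review bot: The new fixture in fail2ban/tests/files/logs/sshd exercises only a benign quoted string (`'dummy string'`), so nothing pins which host the filter reports when the client-supplied text itself contains a quote or the word `from`. I would add a second failJSON pair whose quoted string embeds `' from` followed by an RFC 5737 address, with the expected `"host"` set to the trailing address that sshd appended. The sample also uses `69.61.56.115`, a routable address, where the neighbouring entry uses `192.0.2.5` from the documentation range; `192.0.2.x` would be the safer choice for test data.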