diff --git a/ChangeLog b/ChangeLog index ac775a44..ed2add0f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -69,6 +69,9 @@ configuration before relying on it. * Multiline filter for sendmail-spam. Close gh-418 * Multiline regex for Disconnecting: Too many authentication failures for root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth] + * Multiline regex for Disconnecting: Connection from 61.XX.XX.XX port + 51353\nToo many authentication failures for root [preauth]. Thanks + Helmut Grohne. Close gh-457 * Replacing use of deprecated API (.warning, .assertEqual, etc) * [..a648cc2] Filters can have options now too which are substituted into failregex / ignoreregex diff --git a/THANKS b/THANKS index a0132f55..f252edbf 100644 --- a/THANKS +++ b/THANKS @@ -40,6 +40,7 @@ Georgiy Mernov Guilhem Lettron Guillaume Delvit Hanno 'Rince' Wagner +Helmut Grohne Iain Lea Ivo Truxa John Thoe diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 92b6ed19..93a43ea2 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -28,6 +28,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: Bye Bye \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$ + ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ ignoreregex = diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd index 53f0cc67..b1559d47 100644 --- a/fail2ban/tests/files/logs/sshd +++ b/fail2ban/tests/files/logs/sshd 
@@ -132,3 +132,7 @@ Nov 23 21:50:37 sshd[7148]: Connection closed by 61.0.0.1 [preauth] # failJSON: { "time": "2005-07-13T18:44:28", "match": true , "host": "89.24.13.192", "desc": "from gh-289" } Jul 13 18:44:28 mdop sshd[4931]: Received disconnect from 89.24.13.192: 3: com.jcraft.jsch.JSchException: Auth fail +# failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "from gh-457" } +Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353 +# failJSON: { "match": false } +Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth]
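Review bot: In the ChangeLog hunk, the new entry puts "Disconnecting:" ahead of "Connection from 61.XX.XX.XX port 51353", but the new failregex and the sample added to fail2ban/tests/files/logs/sshd both have the "Connection from" line first and "Disconnecting: Too many authentication failures" second. The wording looks carried over from the entry above it, where "Disconnecting:" really is the first log line. Suggest "Multiline regex for Connection from 61.XX.XX.XX port 51353\nDisconnecting: Too many authentication failures for root [preauth]" so the entry shows the lines in the order the filter expects.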
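Review bot: In the config/filter.d/sshd.conf hunk, the added failregex and the context line directly above it both consume the same "Disconnecting: Too many authentication failures for .+? \[preauth\]" line, one as its closing line and the other as its opening line. For a session that logs "Connection from", then "Disconnecting", then "Connection closed by" under one prefix, the patch does not show which pattern claims the shared line or whether the host ends up counted twice. Please add a three-line sample to the test log that pins down the intended result. A comment above the new pattern would also help, since sshd writes the "Connection from ... port" line only at LogLevel VERBOSE and the rule is inert on a default configuration.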
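Review bot: In the fail2ban/tests/files/logs/sshd hunk, the first failJSON expects "time": "2005-02-12T04:09:21" but annotates the line stamped Feb 12 04:09:18, and 04:09:21 is the stamp of the following "Disconnecting" line, which is marked "match": false. If the failure is meant to carry the time of the closing line while being attributed to the opening one, a short comment here would stop the next reader from treating it as a typo. Otherwise the time or the placement of the two annotations needs correcting. The sample also covers only the case where both lines share sshd[26713] and are adjacent. A negative case with a different PID on the second line would exercise the (?P=__prefix) backreference that keeps unrelated sessions from being paired.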