From 569c24fe5a361fbd8575295dd77c9b41a5446891 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Mon, 21 Jul 2008 10:31:40 -0400
Subject: [PATCH 1/2] Added failregex for "User not known" in sshd.conf. thanks Alexander Gerasiov (closes: #479966)
---
 config/filter.d/sshd.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 691fb240..25bcba21 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -24,6 +24,7 @@ _daemon = sshd
 # Values: TEXT
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$
+ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
 ^%(__prefix_line)sFailed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?$
 ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
 ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
From 53581eed665eaf39f9580b2ffeb262092828ee97 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Mon, 21 Jul 2008 10:37:01 -0400
Subject: [PATCH 2/2] BF: Specify explicitely facilities in "Failed .. for". Thanks Dean Gaudet. (closes: #481760)
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 25bcba21..6e416d5f 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -25,7 +25,7 @@ _daemon = sshd
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$
 ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
- ^%(__prefix_line)sFailed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?$
+ ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?$
 ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
 ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
 ^%(__prefix_line)sUser \S+ from not allowed because not listed in AllowUsers$
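Review bot: In patch 1/2, the added `User not known to the underlying authentication module` pattern may count one login attempt twice, because an attempt against a non-existent account is typically also logged as an "Invalid user … from" line, which the `[iI](?:llegal|nvalid) user` pattern three lines below already matches. If both lines are written for the same attempt, a host reaches the jail's `maxretry` in half as many tries, which makes it easier to lock out a legitimate user who mistypes a login name. This is inferred from how the patterns overlap, not from a log sample on the page, so it should be confirmed against a real auth log. If it holds, record it in a comment above `failregex`, e.g. `# NOTE: PAM "User not known" and sshd "Invalid user" can both be logged for one attempt; each counts as a failure.` The `failregex` list continues past the end of this hunk.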
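Review bot: In patch 2/2, narrowing `Failed [-/\w]+ for` to `Failed (?:password|publickey) for` drops every other authentication method sshd can report in this message. The old character class allowed `-` and `/`, which suggests it was written to accept names such as `keyboard-interactive/pam`. On hosts where password logins go through keyboard-interactive, repeated failures would no longer be counted by this line, leaving only the two PAM patterns above it to catch them. The commit message does not say which method had to be excluded; if the aim was to drop one specific value, listing the wanted ones keeps the coverage: `(?:password|publickey|keyboard-interactive/pam)`. A `#` comment above the list naming the excluded method and the reason would let the next maintainer judge whether the gap is intended.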