diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 6b75f9dd4..100d918c2 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -21,8 +21,9 @@ _daemon = sshd
# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
__pref = (?:(?:error|fatal): (?:PAM: )?)?
# optional suffix (logged from several ssh versions) like " [preauth]"
-__suff = (?: port \d+)?(?: \[preauth\])?\s*
-__on_port_opt = (?: port \d+)?(?: on \S+(?: port \d+)?)?
+#__suff = (?: port \d+)?(?: \[preauth\])?\s*
+__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
+__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
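Review bot: The old `__suff` definition is left behind as a commented-out line (`#__suff = ...`) directly above the new one, and the comment above it still describes the suffix only as `" [preauth]"`. The new alternation `(?: (?:port \d+|on \S+|\[preauth\])){0,3}` accepts the three tokens in any order and also repeated, so it matches more than the old fixed-order form; the same holds for `__on_port_opt` with `{0,2}`. I would drop the dead line and state that intent in the comment, e.g. `# optional suffix parts in any order, like " port 22", " on 192.0.2.1" or " [preauth]"` (sample values constructed). If repeats are not meant to be accepted, that is worth a test log line that pins the behaviour.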
@@ -32,19 +33,19 @@ __alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
prefregex = ^%(__prefix_line)s%(__pref)s.+$
-cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .* from ( via \S+)?\s*%(__suff)s$
- ^User not known to the underlying authentication module for .* from \s*%(__suff)s$
+cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .* from ( via \S+)?%(__suff)s$
+ ^User not known to the underlying authentication module for .* from %(__suff)s$
^Failed \S+ for invalid user (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
^Failed \b(?!publickey)\S+ for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
- ^ROOT LOGIN REFUSED FROM \s*%(__suff)s$
- ^[iI](?:llegal|nvalid) user .*? from %(__on_port_opt)s\s*$
- ^User .+ from not allowed because not listed in AllowUsers\s*%(__suff)s$
- ^User .+ from not allowed because listed in DenyUsers\s*%(__suff)s$
- ^User .+ from not allowed because not in any group\s*%(__suff)s$
- ^refused connect from \S+ \(\)\s*%(__suff)s$
+ ^ROOT LOGIN REFUSED FROM %(__suff)s$
+ ^[iI](?:llegal|nvalid) user .*? from %(__suff)s$
+ ^User .+ from not allowed because not listed in AllowUsers%(__suff)s$
+ ^User .+ from not allowed because listed in DenyUsers%(__suff)s$
+ ^User .+ from not allowed because not in any group%(__suff)s$
+ ^refused connect from \S+ \(\)
^Received disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
- ^User .+ from not allowed because a group is listed in DenyGroups\s*%(__suff)s$
- ^User .+ from not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
+ ^User .+ from not allowed because a group is listed in DenyGroups%(__suff)s$
+ ^User .+ from not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*%(__suff)s$
^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
^User .+ not allowed because account is locked%(__suff)s
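Review bot: The `refused connect from \S+ \(\)` rule loses both `%(__suff)s` and the closing `$`, while every other rule rewritten in this list still ends in `%(__suff)s$`. An unanchored failregex accepts arbitrary trailing text, so the rule now matches more than the log format it was written for; either keep the anchor, `^refused connect from \S+ \(<HOST>\)%(__suff)s$`, or add a comment saying why this rule is deliberately left open. The `<HOST>` tag appears to have been stripped from the page, so its position here is inferred. The same anchor removal applies to `mdre-ddos` and `mdre-extra` in the next hunk and to the matching rules in the test copy of the filter. The `cmnfailre` list starts and continues outside this hunk.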
@@ -55,14 +56,14 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*
mdre-normal =
-mdre-ddos = ^Did not receive identification string from %(__on_port_opt)s%(__suff)s
- ^Connection reset by %(__on_port_opt)s%(__suff)s
+mdre-ddos = ^Did not receive identification string from
+ ^Connection reset by
^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
- ^Read from socket failed: Connection reset by peer%(__suff)s
+ ^Read from socket failed: Connection reset by peer
-mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$
+mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No supported authentication methods available
^Unable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found.
- ^Unable to negotiate a <__alg_match>%(__suff)s$
+ ^Unable to negotiate a <__alg_match>
^no matching <__alg_match> found:
mdre-aggressive = %(mdre-ddos)s
diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
index 0379a6267..283e725cb 100644
--- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
+++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
@@ -14,8 +14,8 @@ _daemon = sshd
# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
__pref = (?:(?:error|fatal): (?:PAM: )?)?
# optional suffix (logged from several ssh versions) like " [preauth]"
-__suff = (?: port \d+)?(?: \[preauth\])?\s*
-__on_port_opt = (?: port \d+)?(?: on \S+(?: port \d+)?)?
+__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
+__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
# single line prefix:
__prefix_line_sl = %(__prefix_line)s%(__pref)s
@@ -33,12 +33,12 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for
^%(__prefix_line_sl)sUser not known to the underlying authentication module for .* from \s*%(__suff)s$
^%(__prefix_line_sl)sFailed \S+ for invalid user (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
^%(__prefix_line_sl)sFailed \b(?!publickey)\S+ for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
- ^%(__prefix_line_sl)sROOT LOGIN REFUSED.* FROM %(__suff)s$
+ ^%(__prefix_line_sl)sROOT LOGIN REFUSED FROM
^%(__prefix_line_sl)s[iI](?:llegal|nvalid) user .*? from %(__suff)s$
^%(__prefix_line_sl)sUser .+ from not allowed because not listed in AllowUsers\s*%(__suff)s$
^%(__prefix_line_sl)sUser .+ from not allowed because listed in DenyUsers\s*%(__suff)s$
^%(__prefix_line_sl)sUser .+ from not allowed because not in any group\s*%(__suff)s$
- ^%(__prefix_line_sl)srefused connect from \S+ \(\)\s*%(__suff)s$
+ ^%(__prefix_line_sl)srefused connect from \S+ \(\)
^%(__prefix_line_sl)sReceived disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
^%(__prefix_line_sl)sUser .+ from not allowed because a group is listed in DenyGroups\s*%(__suff)s$
^%(__prefix_line_sl)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
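Review bot: The `ROOT LOGIN REFUSED` rule in this copy drops `.*`, `%(__suff)s` and `$`, while the main sshd.conf in the same commit keeps `ROOT LOGIN REFUSED FROM %(__suff)s$`, so the two files now disagree on the same rule. Removing `.*` also means a log line with any text between `REFUSED` and `FROM` stops matching here, which is a missed detection if that form is still logged. I would keep the rule aligned with the main filter, `^%(__prefix_line_sl)sROOT LOGIN REFUSED FROM <HOST>%(__suff)s$` (the host tag seems to have been stripped from the page, so its position is inferred). The unchanged neighbours in this copy still carry `\s*%(__suff)s$`, which the main filter drops in this commit; if the copy is meant to track the main filter, that divergence deserves a comment. The `cmnfailre` list starts outside this hunk.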
@@ -50,13 +50,13 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for
mdre-normal =
-mdre-ddos = ^%(__prefix_line_sl)sDid not receive identification string from %(__suff)s
- ^%(__prefix_line_sl)sConnection reset by %(__suff)s
+mdre-ddos = ^%(__prefix_line_sl)sDid not receive identification string from
+ ^%(__prefix_line_sl)sConnection reset by
^%(__prefix_line_ml1)sSSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:.*%(__prefix_line_ml2)sRead from socket failed: Connection reset by peer%(__suff)s$
-mdre-extra = ^%(__prefix_line_sl)sReceived disconnect from %(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$
+mdre-extra = ^%(__prefix_line_sl)sReceived disconnect from %(__on_port_opt)s:\s*14: No supported authentication methods available
^%(__prefix_line_sl)sUnable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found.
- ^%(__prefix_line_ml1)sConnection from %(__on_port_opt)s%(__prefix_line_ml2)sUnable to negotiate a <__alg_match>%(__suff)s$
+ ^%(__prefix_line_ml1)sConnection from %(__on_port_opt)s%(__prefix_line_ml2)sUnable to negotiate a <__alg_match>
^%(__prefix_line_ml1)sConnection from %(__on_port_opt)s%(__prefix_line_ml2)sno matching <__alg_match> found:
mdre-aggressive = %(mdre-ddos)s