From 46d6e93800ddeb5ad34d2fb62e0aa1f7e3e7d9b0 Mon Sep 17 00:00:00 2001
From: pmarrapese
Date: Sun, 18 May 2014 22:12:54 -0700
Subject: [PATCH 1/2] adjusted sshd filter regex to catch more verbose lines

---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 195744f2..f634d27e 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -32,7 +32,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
 ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$
 ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$
- ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+.*(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
 ignoreregex =

From 96918acee4d96a7d83992e6ce993faa9d900a97c Mon Sep 17 00:00:00 2001
From: pmarrapese
Date: Mon, 19 May 2014 20:47:16 -0700
Subject: [PATCH 2/2] more explicit match for sshd filter & added test

---
 THANKS | 1 +
 config/filter.d/sshd.conf | 2 +-
 fail2ban/tests/files/logs/sshd | 5 +++++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/THANKS b/THANKS
index 27165492..1741df0f 100644
--- a/THANKS
+++ b/THANKS
@@ -76,6 +76,7 @@ Michael Hanselmann
 Mika (mkl)
 Nick Munger
 onorua
+Paul Marrapese
 Noel Butler
 Patrick Börjesson
 Raphaël Marichez
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index f634d27e..6589e21b 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -32,7 +32,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
 ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$
 ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$
- ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+.*(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index b9d1b9b4..a6e54196 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -137,6 +137,11 @@ Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353
 # failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "from gh-457" }
 Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth]
+# failJSON: { "match": false }
+Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353 on 127.0.0.1 port 22
+# failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "Multiline match with interface address" }
+Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth]
+
 # failJSON: { "match": false }
 Apr 27 13:02:04 host sshd[29116]: User root not allowed because account is locked
 # failJSON: { "match": false }
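Review bot: The new optional group `(?: on \S+ port \d+)?` on the added failregex line encodes one specific OpenSSH log form, but nothing in the filter records which form it is or why it is optional, and the `.*` it replaces from PATCH 1/2 shows how quickly that intent gets lost. A continuation line of a multi-line `failregex` value cannot carry an inline comment, so the explanation belongs on a comment line above the `failregex =` assignment, which starts before this hunk: `# sshd may log "Connection from <addr> port N on <addr> port N" (local address appended); the "on ... port ..." part is optional in the regex below`. `\S+` for the local address is acceptable here because it is not the `<HOST>` capture, so the listen address cannot become the banned host, although it admits any non-space token rather than only an address. This rendering appears to have dropped the `<HOST>` tag from `Connection from port \d+` on both sides of the hunk; I am assuming the file itself still carries it, since the filter would not load without a host group.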
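Review bot: The added test pair only exercises an IPv4 interface address (`on 127.0.0.1 port 22`), while the filter's new `\S+` group also admits an IPv6 listen address, so that shape of the pattern ships untested. A second pair mirroring the added one, with the first log line as `Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353 on ::1 port 22` (a constructed sample) and a distinct `desc`, would pin it down. The `"match": false` entry on the lone `Connection from ... on ...` line is the right check, since the regex only completes on the following `Disconnecting:` line that shares the same prefix.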