- Modified failregex to support new prefix remover.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@695 a942ae1a-1317-0410-a47c-b1dcaea8d605
2008-05-18 20:08:34 +00:00 · 2008-05-18 20:08:34 +00:00 · 9aa7c96b69
parent f9a9d249ef
commit 9aa7c96b69
2 changed files with 9 additions and 18 deletions
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@ -14,7 +14,7 @@
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
-failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
+failregex = <TIME> <PREFIX> Did not receive identification string from <HOST>$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -5,17 +5,8 @@
 # $Revision$
 #

-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-
 [Definition]

-_daemon = sshd
-
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
@ -23,14 +14,14 @@ _daemon = sshd
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
-failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
-            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
-            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
-            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
-            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
-            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
-            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
-            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
+failregex = <TIME> <PREFIX> (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
+            <TIME> <PREFIX> Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
+            <TIME> <PREFIX> ROOT LOGIN REFUSED.* FROM <HOST>\s*$
+            <TIME> <PREFIX> [iI](?:llegal|nvalid) user .* from <HOST>\s*$
+            <TIME> <PREFIX> User \S+ from <HOST> not allowed because not listed in AllowUsers$
+            <TIME> <PREFIX> authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+            <TIME> <PREFIX> refused connect from \S+ \(<HOST>\)\s*$
+            <TIME> <PREFIX> Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.