From 9f5c87352651ed5278d4c27801dc9e70b1166260 Mon Sep 17 00:00:00 2001
From: MatthieuBarbu <30758776+MatthieuBarbu@users.noreply.github.com>
Date: Fri, 2 Mar 2018 14:47:16 +0100
Subject: [PATCH] fix sshd rule

just remove the space before ":11" line 52 because don't match on my Debian 9 stretch...
I don't know if this is wrong on all OS
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index ab5fd3852..71dbee8b7 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -49,7 +49,7 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER>
             ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
             ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
             ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
-            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
+            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>:11:
             ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
             ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)