@ -1,8 +1,15 @@
# Fail2Ban configuration file
# Fail2Ban filter for dropbear
#
#
# Author: Francis Russell
# NOTE: The regex below is ONLY intended to work with a patched
# Zak B. Elep
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
# ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack. The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
#
# More information: http://bugs.debian.org/546913
# More information: http://bugs.debian.org/546913
@ -12,41 +19,23 @@
# common.local
# common.local
before = common.conf
before = common.conf
[Definition]
[Definition]
_daemon = dropbear
_daemon = dropbear
# Option: failregex
failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:.*$
# Notes.: regex to match the password failures messages in the logfile. The
^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>.*$
# host must be matched by a group named "host". The tag "<HOST>" can
^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
# These match the unmodified dropbear messages. It isn't possible to
ignoreregex =
# match the source of the 'exit before auth' messages from dropbear.
#
failregex = ^%(__prefix_line)s(L|l)ogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
^%(__prefix_line)s(B|b)ad password attempt for .+ from <HOST>:.*\s*$
^%(__prefix_line)sExit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
# The only line we need to match with the modified dropbear.
# NOTE: The failregex below is ONLY intended to work with a patched
# DEV Notes:
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
#
#
# The standard Dropbear output doesn't provide enough information to
# The first two regexs here match the unmodified dropbear messages. It isn't
# ban all types of attack. The Dropbear patch adds IP address
# possible to match the source of the 'exit before auth' messages from dropbear
# information to the 'exit before auth' message which is always
# as they don't include the "from <HOST>" bit.
# produced for any form of non-successful login. It is that message
# which this file matches.
# failregex = ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
#
ignoreregex =
# The second last failregex line we need to match with the modified dropbear.
#
# Author: Francis Russell
# Zak B. Elep