Merge branch 'sshd-locked' of https://github.com/kwirk/fail2ban into 0.9

* 'sshd-locked' of https://github.com/kwirk/fail2ban:
  DOC: Update man page for <SKIPLINES> usage
  ENH: Add new regex for locked accounts for sshd
  BF: fail2ban-regex adding duplicate lines with each regex

bin/fail2ban-regex

@@ -277,7 +277,12 @@ class Fail2banRegex:
 					return False
 			finally:
 				self.__filter.delFailRegex(0)
+				try:
+					del self.__filter._Filter__lineBuffer[-1]
+				except IndexError:
+					pass
 				logging.getLogger("fail2ban").setLevel(logging.CRITICAL)
+		self.__filter.processLine(line)
 		for regex in self.__ignoreregex:
 					self.__filter.delIgnoreRegex(0)
 

config/filter.d/sshd.conf

@@ -20,6 +20,9 @@ _daemon = sshd
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+#          Multiline regexs should use tag "<SKIPLINES>" to separate lines.
+#          This allows lines between the matching lines to continue to be
+#          searched for other failures. This tag can be used multiple times.
 # Values:  TEXT
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
@@ -33,9 +36,15 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \[preauth\]$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex = 
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10

fail2ban/tests/files/logs/sshd

@@ -46,3 +46,11 @@ Apr 29 15:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication error
 Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201
 Apr 29 17:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.102
 Apr 29 18:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.103
+
+#11
+Apr 24 01:39:19 host sshd[3719]: User root not allowed because account is locked
+Apr 24 01:39:19 host sshd[3719]: input_userauth_request: invalid user root [preauth]
+Apr 24 01:39:19 host sshd[3719]: error: Received disconnect from 198.51.100.34: 11: Bye Bye [preauth]
+May 27 00:16:33 host sshd[2364]: User root not allowed because account is locked
+May 27 00:16:33 host sshd[2364]: input_userauth_request: invalid user root [preauth]
+May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76: 11: Bye Bye [preauth]

man/jail.conf.5

@@ -135,8 +135,9 @@ There are two filter definitions used in the [Definition] section:
 
 .TP
 \fBfailregex\fR
-is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The tag <HOST> is used as part of the regex and is itself a regex
+is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The tag \fI<HOST>\fR is used as part of the regex and is itself a regex
 for IPv4 addresses and hostnames. fail2ban will work out which one of these it actually is.
+For multiline regexs the tag \fI<SKIPLINES>\fR should be used to separate lines. This allows lines between the matched lines to continue to be searched for other failures. The tag can be used multiple times.
 
 .TP
 \fBignoreregex\fR