diff --git a/bin/fail2ban-regex b/bin/fail2ban-regex
index 2b563cae..9302fd6a 100755
--- a/bin/fail2ban-regex
+++ b/bin/fail2ban-regex
@@ -277,7 +277,12 @@ class Fail2banRegex:
 return False
 finally:
 self.__filter.delFailRegex(0)
+ try:
+ del self.__filter._Filter__lineBuffer[-1]
+ except IndexError:
+ pass
 logging.getLogger("fail2ban").setLevel(logging.CRITICAL)
+ self.__filter.processLine(line)
 for regex in self.__ignoreregex:
 self.__filter.delIgnoreRegex(0)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 18ac6668..0d865afc 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -20,6 +20,9 @@ _daemon = sshd
 # host must be matched by a group named "host". The tag "" can
 # be used for standard IP/hostname matching and is only an alias for
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Multiline regexs should use tag "" to separate lines.
+# This allows lines between the matching lines to continue to be
+# searched for other failures. This tag can be used multiple times.
 # Values: TEXT
 #
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
@@ -33,9 +36,15 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
 ^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$
 ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
+ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: Bye Bye \[preauth\]$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 5dab1606..960dd38a 100644
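Review bot: The added cleanup reaches into Filter's name-mangled private state with `del self.__filter._Filter__lineBuffer[-1]`, which ties fail2ban-regex to an implementation detail of Filter and will break, or silently stop doing anything, the moment that buffer is renamed or reshaped; a small public Filter method that drops the most recently buffered line would keep the coupling on the interface. The `except IndexError: pass` reads as a deliberate no-op for an empty buffer, but that deserves a one-line comment so the next reader does not mistake it for a swallowed bug, e.g. `# empty buffer: nothing to drop`. The later `self.__filter.processLine(line)` re-feeds the line after the test regex was removed and the logger raised to CRITICAL, presumably so the line lands in the multi-line buffer for the next regex; that intent is worth a comment as well. The enclosing method starts before this hunk.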
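Review bot: The new multi-line failregex in the second sshd.conf hunk ties the two lines together with `(?P=__prefix)`, so the disconnect line must carry a byte-identical `%(__prefix_line)s` prefix to the locked-account line. If that prefix captures anything that can differ between the two lines (the fixture pairs in fail2ban/tests/files/logs/sshd share the same second and pid, but a real pair can straddle a second boundary), the rule silently misses the attempt, so it is worth confirming what `__prefix_line` expands to here and recording the assumption next to the rule, e.g. `# both lines must share the same sshd pid (and whatever else __prefix_line captures)`. The new `[Init]` comment should also say what `maxlines = 10` trades off: a larger value tolerates the pair being further apart on a busy host, at the cost of re-scanning more buffered lines for every incoming line. The failregex list this rule is appended to begins before the hunk.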
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -46,3 +46,11 @@ Apr 29 15:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication error
 Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201
 Apr 29 17:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.102
 Apr 29 18:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.103
+
+#11
+Apr 24 01:39:19 host sshd[3719]: User root not allowed because account is locked
+Apr 24 01:39:19 host sshd[3719]: input_userauth_request: invalid user root [preauth]
+Apr 24 01:39:19 host sshd[3719]: error: Received disconnect from 198.51.100.34: 11: Bye Bye [preauth]
+May 27 00:16:33 host sshd[2364]: User root not allowed because account is locked
+May 27 00:16:33 host sshd[2364]: input_userauth_request: invalid user root [preauth]
+May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76: 11: Bye Bye [preauth]
diff --git a/man/jail.conf.5 b/man/jail.conf.5
index 14dc5663..466172f5 100644
--- a/man/jail.conf.5
+++ b/man/jail.conf.5
@@ -135,8 +135,9 @@ There are two filter definitions used in the [Definition] section:
 .TP
 \fBfailregex\fR
-is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The tag is used as part of the regex and is itself a regex
+is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The tag \fI\fR is used as part of the regex and is itself a regex
 for IPv4 addresses and hostnames. fail2ban will work out which one of these it actually is.
+For multiline regexs the tag \fI\fR should be used to separate lines. This allows lines between the matched lines to continue to be searched for other failures. The tag can be used multiple times.
 .TP
 \fBignoreregex\fR