diff --git a/config/filter.d/sshd-ddos.conf b/config/filter.d/sshd-ddos.conf
index 4f4b6fa2..266594ba 100644
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@@ -2,11 +2,17 @@
 #
 # Author: Yaroslav Halchenko
 #
-# $Revision$
-#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
 
 [Definition]
 
+_daemon = sshd
+
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 # host must be matched by a group named "host". The tag "" can
@@ -14,7 +20,7 @@
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = sshd(?:\[\d+\])?: Did not receive identification string from $
+failregex = ^%(__prefix_line)sDid not receive identification string from \s*$
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/testcases/files/logs/sshd-ddos b/testcases/files/logs/sshd-ddos
new file mode 100644
index 00000000..d71c6bb2
--- /dev/null
+++ b/testcases/files/logs/sshd-ddos
@@ -0,0 +1,2 @@
+# http://forums.powervps.com/showthread.php?t=1667
+Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114
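Review bot: `_daemon = sshd` in `[Definition]` carries no comment saying that it only has an effect through the `__prefix_line` macro pulled in by `before = common.conf`, and nothing in this hunk shows that macro or how it is built, so a reader copying this filter has no way to see the dependency. A one-line comment above it, `# daemon name substituted into common.conf's __prefix_line (syslog prefix match); presumably read by that macro -- confirm in common.conf`, would make it explicit. The `[INCLUDES]` comment also reads awkwardly; `Read common prefixes; local overrides, if any, come from common.local` says the same thing more plainly, though that is cosmetic. The `[Definition]` section continues past the end of the hunk.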
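Review bot: The new failregex ends in `\s*$` directly after the host capture (the HOST tag appears to have been stripped in this rendering; it follows `from`), so any sshd build that appends text after the address — I recall newer OpenSSH releases logging ` port N` on this message, worth verifying — stops matching and the filter silently bans nothing; `from <HOST>(?: port \d+)?\s*$` would tolerate that suffix without loosening the anchor. Separately, "Did not receive identification string" is also logged for benign TCP-only connections that close without sending an SSH banner (load-balancer health checks, uptime monitors, scanners), so the filter header deserves a caveat such as `# NOTE: this message is also produced by TCP health checks and probes that never send an SSH banner; add monitoring hosts to ignoreip before enabling this jail`. The move from the old unanchored `sshd(?:\[\d+\])?:` to `^%(__prefix_line)s` is a real improvement, since it keeps attacker-influenced text elsewhere in a log line from being mistaken for the daemon prefix; the `\s*$` anchor likewise keeps trailing injected text out of the host capture.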