# Fail2Ban configuration file # # Author: Xavier Devlamynck # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Wrong password$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - No matching peer found$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Username/auth name mismatch$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Device does not match ACL$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Peer is not supposed to register$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - ACL error \(permit/deny\)$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Not a local domain$ NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$ NOTICE%(__pid_re)s [^:]+: Host failed to authenticate as '[^']*'$ NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from \)$ NOTICE%(__pid_re)s [^:]+: Host failed MD5 authentication for '[^']*' \([^)]+\)$ NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@\S*$ SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P//[0-9]+"$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =