# Fail2Ban configuration file # # Author: Francis Russell # Zak B. Elep # # # More information: http://bugs.debian.org/546913 [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = dropbear # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # These match the unmodified dropbear messages. It isn't possible to # match the source of the 'exit before auth' messages from dropbear. # failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from :.*\s*$ ^%(__prefix_line)sbad password attempt for .+ from :.*\s*$ # The only line we need to match with the modified dropbear. # NOTE: The failregex below is ONLY intended to work with a patched # version of Dropbear as described here: # http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches # # The standard Dropbear output doesn't provide enough information to # ban all types of attack. The Dropbear patch adds IP address # information to the 'exit before auth' message which is always # produced for any form of non-successful login. It is that message # which this file matches. # failregex = ^%(__prefix_line)sexit before auth from .*\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =