--- /dev/null 2010-01-12 16:33:00.000000000 -0500
+++ ./config/filter.d/bsd-sshd.conf 2010-01-12 16:26:22.000000000 -0500
@@ -0,0 +1,40 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 663 $
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = sshd
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P\S+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from \s*$
+ ^%(__prefix_line)sDid not receive identification string from $
+ ^%(__prefix_line)sFailed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?$
+ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
+ ^%(__prefix_line)sUser \S+ from not allowed because not listed in AllowUsers$
+ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
+ ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[\] .* POSSIBLE BREAK-IN ATTEMPT!$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
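Review bot: In the first failregex alternative the character class `[A|a]uthentication` also accepts a literal `|`, because `|` is not alternation inside brackets; `[Aa]uthentication` is what is meant. Three alternatives (`... for .* from` after `[A|a]uthentication`, `Failed [-/\w]+ for .* from`, and `[iI](?:llegal|nvalid) user .* from`) match the remotely supplied user name with `.*`, so capturing the real source address rather than text inside the name depends on the greedy match together with the trailing `$`. A comment above failregex such as `# user name is remote-controlled; keep every pattern anchored at the end of the line` would keep a later edit from loosening that. As shown here the patterns carry no host tag (for example `from \s*$`, and the empty `""` in the Notes comment), which looks like the angle-bracket tag was lost when the page was rendered; confirm the file itself has it in every alternative, since a pattern without it gives the ban action no address.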