Created
October 4, 2018 07:54
-
-
Save kaworu/c433fec363b18d879c38e8d1930879eb to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Fail2Ban filter for openssh | |
| # | |
| # If you want to protect OpenSSH from being bruteforced by password | |
| # authentication then get public key authentication working before disabling | |
| # PasswordAuthentication in sshd_config. | |
| # | |
| # | |
| # "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config | |
| # | |
| [INCLUDES] | |
| # Read common prefixes. If any customizations available -- read them from | |
| # common.local | |
| before = common.conf | |
| [DEFAULT] | |
| _daemon = sshd | |
| # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " | |
| __pref = (?:(?:error|fatal): (?:PAM: )?)? | |
| # optional suffix (logged from several ssh versions) like " [preauth]" | |
| __suff = (?: \[preauth\])?\s* | |
| __on_port_opt = (?: port \d+)?(?: on \S+(?: port \d+)?)? | |
| # single line prefix: | |
| __prefix_line_sl = %(__prefix_line)s%(__pref)s | |
| # multi line prefixes (for first and second lines): | |
| __prefix_line_ml1 = (?P<__prefix>%(__prefix_line)s)%(__pref)s | |
| __prefix_line_ml2 = %(__suff)s$<SKIPLINES>^(?P=__prefix)%(__pref)s | |
| mode = %(normal)s | |
| normal = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)sUser not known to the underlying authentication module for .* from <HOST>\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)sFailed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) | |
| ^%(__prefix_line_sl)sROOT LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)s[iI](?:llegal|nvalid) user .*? from <HOST>%(__on_port_opt)s\s*$ | |
| ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because not in any group\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)srefused connect from \S+ \(<HOST>\)\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)sReceived disconnect from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$ | |
| ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$ | |
| ^%(__prefix_line_sl)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*%(__suff)s$ | |
| ^%(__prefix_line_sl)s(error: )?maximum authentication attempts exceeded for .* from <HOST>%(__on_port_opt)s(?: ssh\d*)? \[preauth\]$ | |
| ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from <HOST>: 11: .+%(__suff)s$ | |
| ^%(__prefix_line_ml1)sDisconnecting: Too many authentication failures for .+?%(__prefix_line_ml2)sConnection closed by <HOST>%(__suff)s$ | |
| ^%(__prefix_line_ml1)sConnection from <HOST>%(__on_port_opt)s%(__prefix_line_ml2)sDisconnecting: Too many authentication failures for .+%(__suff)s$ | |
| ddos = ^%(__prefix_line_sl)sDid not receive identification string from <HOST>%(__suff)s$ | |
| ^%(__prefix_line_sl)sReceived disconnect from <HOST>%(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$ | |
| ^%(__prefix_line_sl)sUnable to negotiate with <HOST>%(__on_port_opt)s: no matching (?:cipher|key exchange method) found. | |
| ^%(__prefix_line_ml1)sConnection from <HOST>%(__on_port_opt)s%(__prefix_line_ml2)sUnable to negotiate a (?:cipher|key exchange method)%(__suff)s$ | |
| ^%(__prefix_line_ml1)sSSH: Server;Ltype: (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:.*%(__prefix_line_ml2)sRead from socket failed: Connection reset by peer%(__suff)s$ | |
| aggressive = %(normal)s | |
| %(ddos)s | |
| [Definition] | |
| failregex = %(mode)s | |
| ignoreregex = | |
| [Init] | |
| # "maxlines" is number of log lines to buffer for multi-line regex searches | |
| maxlines = 10 | |
| journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd | |
| # DEV Notes: | |
| # | |
| # "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because | |
| # it is coming before use of <HOST> which is not hard-anchored at the end as well, | |
| # and later catch-all's could contain user-provided input, which need to be greedily | |
| # matched away first. | |
| # | |
| # Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment