[OpenIndiana-discuss] fail2ban for sshd
Oscar del Rio
delrio at mie.utoronto.ca
Thu Apr 24 15:43:01 UTC 2014
On 04/24/14 06:43 AM, Gary Gendel wrote:
> Fail2ban seems to randomly miss ssh matches. I've been hacking at the
> filter but nothing I seem to do works. What regex are others using
> that works? The line that should catch the ones missed is:
>
> ^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from <HOST>\s*$
Did you test the rules with the "fail2ban-regex" command?
The following works fine for us:
failregex = (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            (?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            Failed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ROOT LOGIN REFUSED.* FROM <HOST>\s*$
            [iI](?:llegal|nvalid) user .* from <HOST>\s*$
            Did not receive identification string from <HOST>\s*$
            User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            User .+ from <HOST> not allowed because listed in DenyUsers\s*$
            User .+ from <HOST> not allowed because not in any group\s*$
            refused connect from \S+ \(<HOST>\)\s*$
            User .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$