ENH: added multiline filter for sshd filter

fail2ban · Nov 25, 2013 · 227f27c · 227f27c
1 parent 84f915c
commit 227f27c
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -36,6 +36,9 @@ code-review and minor additions from Yaroslav Halchenko.
      into logging messages in case of error or at DEBUG loglevel.
    Daniel Black and TESTOVIK
    * Multiline filter for sendmail-spam. Close gh-418
+   Daniel Black and John Thoe
+   * Multiline regex for Disconnecting: Too many authentication failures for
+     root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
 
 - Enhancements
   Steven Hiscocks

diff --git a/THANKS b/THANKS
@@ -33,6 +33,7 @@ Georgiy Mernov
 Guillaume Delvit
 Hanno 'Rince' Wagner
 Iain Lea
+John Thoe
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood

diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
@@ -23,6 +23,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
             ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \[preauth\]$
+            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
 
 ignoreregex = 
 

diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
@@ -117,3 +117,10 @@ Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 po
 
 # failJSON: { "time": "2004-11-11T08:04:51", "match": true , "host": "127.0.0.1", "desc": "Injecting on username ssh 'from 10.10.1.1'@localhost" }
 Nov 11 08:04:51 redbamboo sshd[2737]: Failed password for invalid user from 10.10.1.1 from 127.0.0.1 port 58946 ssh2
+
+
+
+# failJSON: { "match": false }
+Nov 23 21:50:19 sshd[8148]: Disconnecting: Too many authentication failures for root [preauth]
+# failJSON: { "time": "2004-11-23T21:50:37", "match": true , "host": "61.0.0.1", "desc": "Multiline match for preauth failures" }
+Nov 23 21:50:37 sshd[8148]: Connection closed by 61.0.0.1 [preauth]