Current Path : /compat/linux/proc/68247/root/etc/fail2ban/filter.d/ |
FreeBSD hs32.drive.ne.jp 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Wed Jan 14 12:18:08 JST 2015 root@hs32.drive.ne.jp:/sys/amd64/compile/hs32 amd64 |
Current File : //compat/linux/proc/68247/root/etc/fail2ban/filter.d/dropbear.conf |
# Fail2Ban filter for dropbear # # NOTE: The regex below is ONLY intended to work with a patched # version of Dropbear as described here: # http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches # ^%(__prefix_line)sexit before auth from <HOST>.*\s*$ # # The standard Dropbear output doesn't provide enough information to # ban all types of attack. The Dropbear patch adds IP address # information to the 'exit before auth' message which is always # produced for any form of non-successful login. It is that message # which this file matches. # # More information: http://bugs.debian.org/546913 [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = dropbear failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$ ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$ ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$ ignoreregex = # DEV Notes: # # The first two regexs here match the unmodified dropbear messages. It isn't # possible to match the source of the 'exit before auth' messages from dropbear # as they don't include the "from <HOST>" bit. # # The second last failregex line we need to match with the modified dropbear. # # For the second regex the following apply: # # http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c # http://svn.dd-wrt.com/changeset/16642#file64 # # http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c # # Author: Francis Russell # Zak B. Elep