| 3 |
- |
1 |
# Fail2Ban ssh filter for at attempted exploit
|
|
|
2 |
#
|
|
|
3 |
# The regex here also relates to a exploit:
|
|
|
4 |
#
|
|
|
5 |
# http://www.securityfocus.com/bid/17958/exploit
|
|
|
6 |
# The example code here shows the pushing of the exploit straight after
|
|
|
7 |
# reading the server version. This is where the client version string normally
|
|
|
8 |
# pushed. As such the server will read this unparsible information as
|
|
|
9 |
# "Did not receive identification string".
|
|
|
10 |
|
|
|
11 |
[INCLUDES]
|
|
|
12 |
|
|
|
13 |
# Read common prefixes. If any customizations available -- read them from
|
|
|
14 |
# common.local
|
|
|
15 |
before = common.conf
|
|
|
16 |
|
|
|
17 |
[Definition]
|
|
|
18 |
|
|
|
19 |
_daemon = sshd
|
|
|
20 |
|
|
|
21 |
failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
|
|
|
22 |
|
|
|
23 |
ignoreregex =
|
|
|
24 |
|
| 33 |
- |
25 |
[Init]
|
|
|
26 |
|
|
|
27 |
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
|
|
|
28 |
|
| 3 |
- |
29 |
# Author: Yaroslav Halchenko
|