Subversion Repositories configs

Rev

Details | Last modification | View Log | RSS feed

Rev Author Line No. Line
4 - 1 
# Fail2Ban filter for dropbear
2 
#
3 
# NOTE: The regex below is ONLY intended to work with a patched
4 
# version of Dropbear as described here:
5 
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
6 
#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
7 
#
8 
# The standard Dropbear output doesn't provide enough information to
9 
# ban all types of attack.  The Dropbear patch adds IP address
10 
# information to the 'exit before auth' message which is always
11 
# produced for any form of non-successful login. It is that message
12 
# which this file matches.
13 
#
14 
# More information: http://bugs.debian.org/546913
15 
 
16 
[INCLUDES]
17 
 
18 
# Read common prefixes. If any customizations available -- read them from
19 
# common.local
20 
before = common.conf
21 
 
22 
[Definition]
23 
 
24 
_daemon = dropbear
25 
 
26 
failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
27 
            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
28 
            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
29 
 
30 
ignoreregex =
31 
 
32 
# DEV Notes:
33 
#
34 
# The first two regexs here match the unmodified dropbear messages. It isn't
35 
# possible to match the source of the 'exit before auth' messages from dropbear
36 
# as they don't include the "from <HOST>" bit.
37 
#
38 
# The second last failregex line we need to match with the modified dropbear.
39 
#
40 
# For the second regex the following apply:
41 
#
42 
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
43 
# http://svn.dd-wrt.com/changeset/16642#file64
44 
#
45 
# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
46 
#
47 
# Author: Francis Russell
48 
#         Zak B. Elep