Subversion Repositories configs

# Fail2Ban filter for dropbear

#

# NOTE: The regex below is ONLY intended to work with a patched

# version of Dropbear as described here:

# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches

#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$

#

# The standard Dropbear output doesn't provide enough information to

# ban all types of attack.  The Dropbear patch adds IP address

# information to the 'exit before auth' message which is always

# produced for any form of non-successful login. It is that message

# which this file matches.

#

# More information: http://bugs.debian.org/546913

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from

# common.local

before = common.conf

[Definition]

_daemon = dropbear

prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$

failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$

            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$

            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# DEV Notes:

#

# The first two regexs here match the unmodified dropbear messages. It isn't

# possible to match the source of the 'exit before auth' messages from dropbear

# as they don't include the "from <HOST>" bit.

#

# The second last failregex line we need to match with the modified dropbear.

#

# For the second regex the following apply:

#

# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c

# http://svn.dd-wrt.com/changeset/16642#file64

#

# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c

#

# Author: Francis Russell

#         Zak B. Elep