# Fail2Ban filter for dropbear
#
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack. The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
# More information: http://bugs.debian.org/546913

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# DEV Notes:
#
# The first two regexs here match the unmodified dropbear messages. It isn't
# possible to match the source of the 'exit before auth' messages from dropbear
# as they don't include the "from <HOST>" bit.
#
# The second last failregex line we need to match with the modified dropbear.
#
# For the second regex the following apply:
#
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
# http://svn.dd-wrt.com/changeset/16642#file64
#
# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
#
# Author: Francis Russell
#         Zak B. Elep
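
Added example, not part of the Fail2Ban distribution: a small Python check that runs the three failregex lines from the filter above over constructed Dropbear log lines and shows which rule fires and which address would be counted. The `HOST` and `PREFIX` patterns are simplified stand-ins for Fail2Ban's own `<HOST>` and `__prefix_line` expansions, and the function names and sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# Assumptions: simplified stand-ins for fail2ban's own, broader expansions.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"                  # IPv4 only
PREFIX = r"\S+\s+\d+\s+[\d:]+\s+\S+\s+dropbear\[\d+\]:\s+"   # syslog header

# The three failregex lines, copied verbatim from the filter.
FAILREGEX = [
    r"^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$",
    r"^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$",
    r"^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$",
]

def compile_rule(rule):
    """Expand the two fail2ban placeholders with the stand-ins above."""
    return re.compile(rule.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))

COMPILED = [compile_rule(r) for r in FAILREGEX]

def match_line(line):
    """Return (rule_index, host) for the first failregex that matches, else None."""
    for i, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return i, m.group("host")
    return None

def failures_by_host(lines):
    """Count matching lines per source address, the figure a ban threshold is applied to."""
    hits = (match_line(line) for line in lines)
    return Counter(h[1] for h in hits if h)

# Constructed sample log lines (documentation-range addresses, hypothetical host "gw").
SAMPLE = [
    "Mar 24 15:25:51 gw dropbear[4092]: Login attempt for nonexistent user 'admin' from 198.51.100.87:5543",
    "Mar 24 15:25:58 gw dropbear[4095]: Bad PAM password attempt for 'root' from 198.51.100.87:5560",
    "Mar 24 15:26:10 gw dropbear[4101]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 203.0.113.9:60495",
    "Mar 24 15:26:30 gw dropbear[4110]: exit before auth (user 'root', 2 fails): Exited normally",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(match_line(line), "<-", line)
    print(dict(failures_by_host(SAMPLE)))
```

The last sample line carries no source address, so no rule matches it and it never contributes to a ban count, which is the gap the DEV notes describe.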