# Fail2Ban configuration file for generic PAM authentication errors # [INCLUDES] before = common.conf [Definition] # if you want to catch only login errors from specific daemons, use something like #_ttys_re=(?:ssh|pure-ftpd|ftp) # # Default: catch all failed logins _ttys_re=\S* __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? _daemon = \S+ prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s .+$ failregex = ^ruser=\S* rhost=\s*$ ^ruser= rhost=\s+user=\S*\s*$ ^ruser= rhost=\s+user=.*?\s*$ ^ruser=.*? rhost=\s*$ ignoreregex = # DEV Notes: # # for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release) # _daemon = \S*\(?pam_unix\)? # failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ # # Author: Yaroslav Halchenko