51 lines
1.7 KiB
Plaintext
51 lines
1.7 KiB
Plaintext
# Fail2Ban filter for dropbear
|
|
#
|
|
# NOTE: The regex below is ONLY intended to work with a patched
|
|
# version of Dropbear as described here:
|
|
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
|
|
# ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
|
|
#
|
|
# The standard Dropbear output doesn't provide enough information to
|
|
# ban all types of attack. The Dropbear patch adds IP address
|
|
# information to the 'exit before auth' message which is always
|
|
# produced for any form of non-successful login. It is that message
|
|
# which this file matches.
|
|
#
|
|
# More information: http://bugs.debian.org/546913
|
|
|
|
[INCLUDES]
|
|
|
|
# Read common prefixes. If any customizations available -- read them from
|
|
# common.local
|
|
before = common.conf
|
|
|
|
[Definition]
|
|
|
|
_daemon = dropbear
|
|
|
|
prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
|
|
|
|
failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
|
|
^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
|
|
^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
|
|
|
|
ignoreregex =
|
|
|
|
# DEV Notes:
|
|
#
|
|
# The first two regexs here match the unmodified dropbear messages. It isn't
|
|
# possible to match the source of the 'exit before auth' messages from dropbear
|
|
# as they don't include the "from <HOST>" bit.
|
|
#
|
|
# The second last failregex line we need to match with the modified dropbear.
|
|
#
|
|
# For the second regex the following apply:
|
|
#
|
|
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
|
|
# http://svn.dd-wrt.com/changeset/16642#file64
|
|
#
|
|
# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
|
|
#
|
|
# Author: Francis Russell
|
|
# Zak B. Elep
|