From: Jamal A. <jam...@ec...> - 2009-10-04 13:24:54

hi,

Is it possible to have multiple "failregex" defined in
/etc/fail2ban/filter.d/sshd.conf? I'm seeing hits on root from diverse
addresses at the same time and fail2ban picked up maybe 10/100. I would
like to filter based on this string:

"Failed keyboard-interactive/pam for root from <ip_address> port <port_id> ssh2"

Cheers

--
Jamal Ayach
(+1) 514-421-5010

From: Yaroslav H. <li...@on...> - 2009-10-07 02:29:58

you can simply add an additional line to failregex... but what
distribution/OS, version of fail2ban are you using, since we do have

config/filter.d/sshd.conf:
    ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$

which should ... d'oh -- so it should be extended to

config/filter.d/sshd.conf:
    ^%(__prefix_line)sFailed (?:password|publickey|keyboard-interactive/pam) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$

? ;-)

On Sun, 04 Oct 2009, Jamal Ayach wrote:

> hi,
> Is it possible to have multiple "failregex" defined in
> /etc/fail2ban/filter.d/sshd.conf ? I'm seeing hits on root from diverse
> addresses at the same time and fail2ban picked up maybe 10/100. I would
> like to filter based on this string:
> "Failed keyboard-interactive/pam for root from <ip_address> port
> <port_id> ssh2"
> Cheers

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
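
The two options discussed in the reply above (extending the alternation, or adding a second failregex line), checked against constructed log lines. This is an added example, not part of the original thread or fail2ban's own code; PREFIX and HOST are simplified stand-ins assumed here for fail2ban's `%(__prefix_line)s` and `<HOST>` substitutions.

```python
import re

# Assumption: simplified stand-ins for fail2ban's substitutions, not its real definitions.
PREFIX = r"\S+\s+\d+ [\d:]+ \S+ sshd(?:\[\d+\])?:\s+"  # syslog date, hostname, daemon tag
HOST = r"(?P<host>[\w\-.:]+)"

def compile_failregex(option_value):
    """Compile a failregex option value: one pattern per non-empty line."""
    patterns = []
    for line in option_value.splitlines():
        line = line.strip()
        if line:
            line = line.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)
            patterns.append(re.compile(line))
    return patterns

def failed_hosts(patterns, log_lines):
    """Return the host captured from every log line matched by any pattern."""
    hosts = []
    for log_line in log_lines:
        for pattern in patterns:
            match = pattern.search(log_line)
            if match:
                hosts.append(match.group("host"))
                break  # count each log line once, even if several patterns match
    return hosts

# Patterns as quoted in the thread.
ORIGINAL = r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$"
EXTENDED = r"^%(__prefix_line)sFailed (?:password|publickey|keyboard-interactive/pam) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$"
# Alternative: keep the shipped pattern and add a second failregex line.
TWO_LINES = ORIGINAL + "\n" + r"^%(__prefix_line)sFailed keyboard-interactive/pam for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$"

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Oct  4 13:20:01 server sshd[4242]: Failed password for root from 192.0.2.10 port 51234 ssh2",
    "Oct  4 13:20:02 server sshd[4243]: Failed keyboard-interactive/pam for root from 198.51.100.7 port 40022 ssh2",
    "Oct  4 13:20:03 server sshd[4244]: Failed keyboard-interactive/pam for invalid user admin from 203.0.113.5 port 40023 ssh2",
    "Oct  4 13:20:04 server sshd[4245]: Accepted publickey for alice from 192.0.2.99 port 50000 ssh2",
]

if __name__ == "__main__":
    for name, value in [("original", ORIGINAL), ("extended", EXTENDED), ("two lines", TWO_LINES)]:
        print(name, failed_hosts(compile_failregex(value), SAMPLE_LOG))
```

On a live system, fail2ban-regex performs the same check with the real substitutions by running a filter file against an actual log file.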