# don't consider failed publickey as failures (don't need RE, see cmnfailed): # same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed): # consider failed publickey for valid users too (don't need RE, see cmnfailed): # consider failed publickey for invalid users only:cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user (?P\S+)|(?:(?! from ).)*? from %(_on_port_opt)s(?: ssh\d*)?(?(cond_> # Parameter "publickey": nofail (default), invalid, any, ignore Mdre-aggressive-other = %(mdre-ddos-other)s # mdre-extra-other is fully included within mdre-ddos-other: Mdre-extra-other = ^Disconnected(?: from)?(?: (?:invalid|authenticating)) user \S+|.*? %(_on_port_opt)s \\s> # part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on phase only: ^Unable to negotiate with %(_on_port_opt)s: no matching found. Mdre-extra = ^Received disconnect from %(_on_port_opt)s:\s*14: No(?: supported)? authentication methods available Mdre-ddos-other = ^(Connection (?:closed|reset)|Disconnected) (?:by|from)%(_authng_user)s %(_on_port_opt)s\s+\\s*$ # same as mdre-normal-other, but as failure (without ) and only: ^Read from socket failed: Connection reset by peer ^SSH: Server Ltype: (?:Authname|Version|Kex) Remote: -\d+ \w+: ^Bad protocol version identification '.*' from ^kex_exchange_identification: (?:lient sent invalid protocol identifier|onnection closed by remote host) Mdre-ddos = ^Did not receive identification string from Mdre-normal-other = ^(Connection closed|Disconnected) (?:by|from)%(_authng_user)s (?:%(_suff)s|\s*)$ # used to differentiate "connection closed" with and without `` (fail/nofail cases in ddos mode) ^Received disconnect from %(_on_port_opt)s:\s*11: ^Disconnecting: Too many authentication failures(?: for \S+|.*?)?%(_suff)s$ ^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user \S+ %(_on_port_opt)s:\s*Change of username o> ^User \S+|.*? not allowed because account is locked%(_suff)s
^maximum authentication attempts exceeded for. # optional suffix (logged from several ssh versions) like " " # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " If any customizations available - read them from # "Connection from port \d+" requires LogLevel VERBOSE in sshd_config # authentication then get public key authentication working before disabling # If you want to protect OpenSSH from being bruteforced by password
0 kommentar(er)
