API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jul 29th, 2016
58
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.38 KB | None | 0 0
raw download clone embed print report
  1. 2016-07-29 15:12:27,856 fail2ban.filter [17476]: INFO [sshd] Found 1.2.3.4
  2. 2016-07-29 15:12:29,860 fail2ban.filter [17476]: INFO [sshd] Found 1.2.3.4
  3.  
  4. Jul 29 15:12:27 fsp1 sshd[17655]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhostname user=test
  5. Jul 29 15:12:29 fsp1 sshd[17655]: Failed password for test from 1.2.3.4 port 62969 ssh2
  6.  
  7. #%PAM-1.0
  8. #auth required pam_securetty.so #disable remote root
  9. auth include system-remote-login
  10. account include system-remote-login
  11. password include system-remote-login
  12. session include system-remote-login
  13.  
  14. #%PAM-1.0
  15.  
  16. auth include system-login
  17. account include system-login
  18. password include system-login
  19. session include system-login
  20.  
  21. #%PAM-1.0
  22.  
  23. auth required pam_tally.so onerr=succeed file=/var/log/faillog
  24. auth required pam_shells.so
  25. auth requisite pam_nologin.so
  26. auth include system-auth
  27.  
  28. account required pam_access.so
  29. account required pam_nologin.so
  30. account include system-auth
  31.  
  32. password include system-auth
  33.  
  34. session optional pam_loginuid.so
  35. session include system-auth
  36. session optional pam_motd.so motd=/etc/motd
  37. session optional pam_mail.so dir=/var/spool/mail standard quiet
  38. -session optional pam_systemd.so
  39. session required pam_env.so
  40.  
  41. # Fail2Ban filter for openssh
  42. #
  43. # If you want to protect OpenSSH from being bruteforced by password
  44. # authentication then get public key authentication working before disabling
  45. # PasswordAuthentication in sshd_config.
  46. #
  47. #
  48. # "Connection from <HOST> port d+" requires LogLevel VERBOSE in sshd_config
  49. #
  50.  
  51. [INCLUDES]
  52.  
  53. # Read common prefixes. If any customizations available -- read them from
  54. # common.local
  55. before = common.conf
  56.  
  57. [Definition]
  58.  
  59. _daemon = sshd
  60.  
  61. failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via S+)?s*$
  62. ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>s*$
  63. ^%(__prefix_line)sFailed S+ for .*? from <HOST>(?: port d*)?(?: sshd*)?(: (ruser .*|(S+ ID S+ (serial d+) CA )?S+ %(__md5hex)s(, client user ".*", client host ".*")?))?s*$
  64. ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>s*$
  65. ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>s*$
  66. ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUserss*$
  67. ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUserss*$
  68. ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any groups*$
  69. ^%(__prefix_line)srefused connect from S+ (<HOST>)s*$
  70. ^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: [preauth])?$
  71. ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroupss*$
  72. ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroupss*$
  73. ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ [preauth]$
  74. ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? [preauth]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> [preauth]$
  75. ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port d+(?: on S+ port d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? [preauth]$
  76. ^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port d*)?(?: sshd*)? [preauth]$
  77. ^%(__prefix_line)spam_unix(sshd:auth):s+authentication failure;s*logname=S*s*uid=d*s*euid=d*s*tty=S*s*ruser=S*s*rhost=<HOST>s.*$
  78.  
  79. ignoreregex =
  80.  
  81. [Init]
  82.  
  83. # "maxlines" is number of log lines to buffer for multi-line regex searches
  84. maxlines = 10
  85.  
  86. journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
  87.  
  88. # DEV Notes:
  89. #
  90. # "Failed S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
  91. # it is coming before use of <HOST> which is not hard-anchored at the end as well,
  92. # and later catch-all's could contain user-provided input, which need to be greedily
  93. # matched away first.
  94. #
  95. # Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!