more ssh regexes

2024-06-11 13:02:13 +02:00 · 2023-11-05 12:00:00 +01:00 · 2023-11-05 12:00:00 +01:00 · 52dc67ed34
parent 50ce32d256
commit 52dc67ed34
3 changed files with 7 additions and 2 deletions
--- a/app/example.yml
+++ b/app/example.yml
@ -47,7 +47,9 @@ streams:
        regex:
          # <ip> is predefined in the patterns section
          # ip's regex is inserted in the following regex
-          - authentication failure;.*rhost=<ip>
+          - 'authentication failure;.*rhost=<ip>'
+          - 'Failed password for .* from <ip>'
+          - 'Connection reset by authenticating user .* <ip>'
        # if retry and retryperiod are defined,
        # the actions will only take place if a same pattern is
        # found `retry` times in a `retryperiod` interval
--- a/config/example.jsonnet
+++ b/config/example.jsonnet
@ -56,7 +56,9 @@ local iptables(args) = ['ip46tables', '-w'] + args;
          regex: [
            // <ip> is predefined in the patterns section
            // ip's regex is inserted in the following regex
-            'authentication failure;.*rhost=<ip>',
+            @'authentication failure;.*rhost=<ip>',
+            @'Failed password for .* from <ip>',
+            @'Connection reset by authenticating user .* <ip>',
          ],
          // if retry and retryperiod are defined,
          // the actions will only take place if a same pattern is
--- a/config/server.jsonnet
+++ b/config/server.jsonnet
@ -38,6 +38,7 @@ local banFor(time) = {
          regex: [
            @'authentication failure;.*rhost=<ip>',
            @'Connection reset by authenticating user .* <ip>',
+            @'Failed password for .* from <ip>',
          ],
          retry: 3,
          retryperiod: '6h',