{ "concurrency": 0, "patterns": { "ip": { "ignore": [ "127.0.0.1", "::1" ], "regex": "(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))" } }, "start": [ [ "ip46tables", "-w", "-N", "reaction" ], [ "ip46tables", "-w", "-I", "INPUT", "-p", "all", "-j", "reaction" ], [ "ip46tables", "-w", "-I", "FORWARD", "-p", "all", "-j", "reaction" ] ], "stop": [ [ "ip46tables", "-w", "-D", "INPUT", "-p", "all", "-j", "reaction" ], [ "ip46tables", "-w", "-D", "FORWARD", "-p", "all", "-j", "reaction" ], [ "ip46tables", "-w", "-F", "reaction" ], [ "ip46tables", "-w", "-X", "reaction" ] ], "streams": { "ssh": { "cmd": [ "journalctl", "-n0", "-fu", "sshd.service" ], "filters": { "failedlogin": { "actions": { "ban": { "cmd": [ "ip46tables", "-w", "-A", "reaction", "-s", "<ip>", "-j", "DROP" ] }, "unban": { "after": "48h", "cmd": [ "ip46tables", "-w", "-D", "reaction", "-s", "<ip>", "-j", "DROP" ] } }, "regex": [ "authentication failure;.*rhost=<ip>", "Failed password for .* from <ip>", "Connection (reset|closed) by (authenticating|invalid) user .* <ip>" ], "retry": 3, "retryperiod": "6h" } } } } }