fail2ban regex bug fixed

d519315c · Alexander Withers · 91c5733a · d519315c · d519315c · 91c5733a
Commit d519315c authored Oct 11, 2017 by Alexander Withers
--- a/fail2ban/extern_sshsub.conf
+++ b/fail2ban/extern_sshsub.conf
@@ -2,7 +2,7 @@

 [Definition]

-failregex = vt.*: request with password <HOST> -> \S+ \S+ using \S+\s*$
+failregex = vt.*: request with password <HOST> -> \S+ \S+ using .+$

 ignoreregex = 

--- a/fail2ban/local_sshsub.conf
+++ b/fail2ban/local_sshsub.conf
@@ -2,7 +2,7 @@

 [Definition]

-failregex = local: request with password <HOST> -> \S+ \S+ using \S+\s*$
+failregex = local: request with password <HOST> -> \S+ \S+ using .+$

 ignoreregex = 

--- a/fail2ban/ssh.txt
+++ b/fail2ban/ssh.txt
-2017-10-09 10:13:06 local: connection 141.142.148.13 -> 141.142.236.43:22
-2017-10-09 14:28:42 local: connection 141.142.22.47 -> 141.142.236.43:22
-2017-10-09 16:44:16 local: connection 141.142.148.13 -> 141.142.236.43:22
-2017-10-09 23:15:23 local: connection 141.142.148.13 -> 141.142.236.43:22
-2017-10-10 05:47:10 local: connection 141.142.148.13 -> 141.142.236.43:22
-2017-10-10 05:50:28 local: connection 141.142.148.13 -> 141.142.236.43:22
-2017-10-10 09:16:11 local: connection 10.193.229.151 -> 141.142.236.43:22
-2017-10-10 09:16:12 local: request with password 10.193.229.151 -> 141.142.236.43:22 awithers:sdfsadf using SSH-2.0-OpenSSH_6.9
-2017-10-10 09:16:13 local: request with password 10.193.229.151 -> 141.142.236.43:22 awithers:sadfasd using SSH-2.0-OpenSSH_6.9
-2017-10-10 09:16:57 local: connection 10.193.229.151 -> 141.142.236.43:22
-2017-10-10 09:17:07 local: request with password 10.193.229.151 -> 141.142.236.43:22 awithers:aaasssddd using SSH-2.0-OpenSSH_6.9
-2017-10-10 09:17:11 local: request with password 10.193.229.151 -> 141.142.236.43:22 awithers:fffggghhh using SSH-2.0-OpenSSH_6.9
-2017-10-10 09:17:15 local: request with password 10.193.229.151 -> 141.142.236.43:22 awithers:wwwqqqeee using SSH-2.0-OpenSSH_6.9
-2017-10-10 09:19:17 local: connection 143.219.0.223 -> 141.142.236.43:22
-2017-10-10 09:19:18 local: request with password 143.219.0.223 -> 141.142.236.43:22 oracle:12345678 using SSH-2.0-libssh-0.7.1
-2017-10-10 09:19:19 local: request with password 143.219.0.223 -> 141.142.236.43:22 user:qwerty using SSH-2.0-libssh-0.7.1
-2017-10-10 09:20:17 local: connection 143.219.0.223 -> 141.142.236.43:22
-2017-10-10 09:20:18 local: connection 143.219.0.223 -> 141.142.236.43:22
-2017-10-10 09:20:19 local: request with password 143.219.0.223 -> 141.142.236.43:22 guest:1234 using SSH-2.0-libssh-0.7.1
-2017-10-10 09:20:20 local: request with password 143.219.0.223 -> 141.142.236.43:22 user:qwerty using SSH-2.0-libssh-0.7.1
-2017-10-10 09:21:04 local: connection 143.219.0.223 -> 141.142.236.43:22
-2017-10-10 09:21:05 local: connection 143.219.0.223 -> 141.142.236.43:22
-2017-10-10 09:21:06 local: request with password 143.219.0.223 -> 141.142.236.43:22 root:dragon using SSH-2.0-libssh-0.7.1
-2017-10-10 09:21:07 local: request with password 143.219.0.223 -> 141.142.236.43:22 adm:letmein using SSH-2.0-libssh-0.7.1
-2017-10-10 09:22:57 vt01.security.ncsa.illinois.edu: connection 143.219.0.223 -> 141.142.236.41:22
-2017-10-10 09:22:58 vt01.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.41:22 administrator:12345678 using SSH-2.0-libssh-0.7.1
-2017-10-10 09:22:59 vt01.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.41:22 test:qwerty using SSH-2.0-libssh-0.7.1
-2017-10-10 09:23:00 vt02.security.ncsa.illinois.edu: connection 143.219.0.223 -> 141.142.236.42:22
-2017-10-10 09:23:01 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 root:1234 using SSH-2.0-libssh-0.7.1
-2017-10-10 09:23:02 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 adm:qwerty using SSH-2.0-libssh-0.7.1
-2017-10-10 09:23:03 local: connection 143.219.0.223 -> 141.142.236.43:22
-2017-10-10 09:23:04 local: request with password 143.219.0.223 -> 141.142.236.43:22 administrator:12345678 using SSH-2.0-libssh-0.7.1
-2017-10-10 09:23:05 local: request with password 143.219.0.223 -> 141.142.236.43:22 test:qwerty using SSH-2.0-libssh-0.7.1
-2017-10-10 09:34:55 vt01.security.ncsa.illinois.edu: connection 141.142.22.47 -> 141.142.236.41:22
-2017-10-10 09:35:00 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:test2 using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:09 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:password using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:15 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:password using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:18 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:password using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:20 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:password using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:22 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:sa using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:26 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:passwr using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:28 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:passw using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:29 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:pass using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 09:35:30 vt01.security.ncsa.illinois.edu: request with password 141.142.22.47 -> 141.142.236.41:22 test-user:pass using SSH-2.0-PuTTY_Release_0.68
-2017-10-10 12:10:44 vt02.security.ncsa.illinois.edu: connection 141.142.148.13 -> 141.142.236.42:22
-2017-10-10 12:10:44 local: connection 141.142.148.13 -> 141.142.236.43:22
-2017-10-10 12:10:44 vt01.security.ncsa.illinois.edu: connection 141.142.148.13 -> 141.142.236.41:22
-2017-10-10 13:13:00 vt02.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.42:22
-2017-10-10 13:17:45 vt02.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.42:22
-2017-10-10 13:18:02 vt02.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.42:22
-2017-10-10 13:18:16 vt02.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.42:22
-2017-10-10 13:18:24 vt02.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.42:22
-2017-10-10 13:21:51 vt02.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.42:22
-2017-10-10 13:33:59 vt01.security.ncsa.illinois.edu: connection 10.193.229.151 -> 141.142.236.41:22
-2017-10-10 13:34:04 vt01.security.ncsa.illinois.edu: request with password 10.193.229.151 -> 141.142.236.41:22 awithers:aaabbbccc using SSH-2.0-OpenSSH_6.9
-2017-10-10 13:34:08 vt01.security.ncsa.illinois.edu: request with password 10.193.229.151 -> 141.142.236.41:22 awithers:xxxyyyzzz using SSH-2.0-OpenSSH_6.9
-2017-10-10 13:34:12 vt01.security.ncsa.illinois.edu: request with password 10.193.229.151 -> 141.142.236.41:22 awithers:mmmnnnooo using SSH-2.0-OpenSSH_6.9
-2017-10-10 13:42:13 local: connection 64.39.99.50 -> 141.142.236.43:22
-2017-10-10 13:48:20 local: connection 64.39.99.50 -> 141.142.236.43:22
-2017-10-10 13:48:37 local: connection 64.39.99.50 -> 141.142.236.43:22
-2017-10-10 13:48:51 local: connection 64.39.99.50 -> 141.142.236.43:22
-2017-10-10 13:48:59 local: connection 64.39.99.50 -> 141.142.236.43:22
-2017-10-10 13:51:39 local: connection 64.39.99.50 -> 141.142.236.43:22
-2017-10-10 13:55:26 vt01.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.41:22
-2017-10-10 13:57:09 vt02.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.42:22
-2017-10-10 13:57:18 vt02.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.42:22
-2017-10-10 13:57:37 vt02.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.42:22
-2017-10-10 13:57:54 vt02.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.42:22
-2017-10-10 13:58:08 vt02.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.42:22
-2017-10-10 13:58:16 vt02.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.42:22
-2017-10-10 14:00:10 vt01.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.41:22
-2017-10-10 14:00:27 vt01.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.41:22
-2017-10-10 14:00:41 vt01.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.41:22
-2017-10-10 14:00:49 vt01.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.41:22
-2017-10-10 14:04:00 vt01.security.ncsa.illinois.edu: connection 64.39.99.50 -> 141.142.236.41:22
-2017-10-10 15:19:03 vt02.security.ncsa.illinois.edu: connection 143.219.0.223 -> 141.142.236.42:22
-2017-10-10 15:19:04 vt02.security.ncsa.illinois.edu: connection 143.219.0.223 -> 141.142.236.42:22
-2017-10-10 15:19:05 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 oracle:123456 using SSH-2.0-libssh-0.7.1
-2017-10-10 15:19:06 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 root:12345678 using SSH-2.0-libssh-0.7.1
-2017-10-10 15:19:07 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 test:1234 using SSH-2.0-libssh-0.7.1
-2017-10-10 15:19:08 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 guest:testabc using SSH-2.0-libssh-0.7.1
-2017-10-10 15:19:09 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 info:12345 using SSH-2.0-libssh-0.7.1
-2017-10-10 15:19:10 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 mysql:dragon using SSH-2.0-libssh-0.7.1
-2017-10-10 15:19:11 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 user:qwerty using SSH-2.0-libssh-0.7.1
-2017-10-10 15:19:12 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 oracle:696969 using SSH-2.0-libssh-0.7.1
-2017-10-10 15:19:13 vt02.security.ncsa.illinois.edu: request with password 143.219.0.223 -> 141.142.236.42:22 root:letmein using SSH-2.0-libssh-0.7.1
-2017-10-10 15:40:04 vt01.security.ncsa.illinois.edu: connection 143.219.0.223 -> 141.142.236.41:22
-2017-10-10 16:03:00 vt01.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.41:22
-2017-10-10 16:03:08 vt01.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.41:22
-2017-10-10 16:03:09 vt01.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.41:22
-2017-10-10 16:03:27 vt01.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.41:22
-2017-10-10 16:03:44 vt01.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.41:22
-2017-10-10 16:03:58 vt01.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.41:22
-2017-10-10 16:04:06 vt01.security.ncsa.illinois.edu: connection 141.142.148.51 -> 141.142.236.41:22
-2017-10-10 18:11:42 local: connection 141.142.148.51 -> 141.142.236.43:22
-2017-10-10 18:11:51 local: connection 141.142.148.51 -> 141.142.236.43:22
-2017-10-10 18:12:09 local: connection 141.142.148.51 -> 141.142.236.43:22
-2017-10-10 18:12:26 local: connection 141.142.148.51 -> 141.142.236.43:22
-2017-10-10 18:12:40 local: connection 141.142.148.51 -> 141.142.236.43:22
-2017-10-10 18:12:48 local: connection 141.142.148.51 -> 141.142.236.43:22
-2017-10-10 18:32:59 vt02.security.ncsa.illinois.edu: connection 141.142.148.13 -> 141.142.236.42:22
-2017-10-10 18:32:59 vt01.security.ncsa.illinois.edu: connection 141.142.148.13 -> 141.142.236.41:22
-2017-10-10 18:32:59 local: connection 141.142.148.13 -> 141.142.236.43:22
-2017-10-11 01:04:58 vt01.security.ncsa.illinois.edu: connection 141.142.148.13 -> 141.142.236.41:22
-2017-10-11 01:04:58 vt02.security.ncsa.illinois.edu: connection 141.142.148.13 -> 141.142.236.42:22
-2017-10-11 01:04:58 local: connection 141.142.148.13 -> 141.142.236.43:22
-2017-10-11 07:31:32 vt02.security.ncsa.illinois.edu: connection 141.142.148.13 -> 141.142.236.42:22
-2017-10-11 07:31:32 vt01.security.ncsa.illinois.edu: connection 141.142.148.13 -> 141.142.236.41:22
-2017-10-11 07:31:32 local: connection 141.142.148.13 -> 141.142.236.43:22
--- a/fail2ban/sshsub.conf
+++ b/fail2ban/sshsub.conf
@@ -2,7 +2,7 @@

 [Definition]

-failregex = \S+: request with password <HOST> -> \S+ \S+ using \S+\s*$
+failregex = \S+: request with password <HOST> -> \S+ \S+ using .+$

 ignoreregex =