SSH
Configuration for the OpenSSH service.
As an action, we'll use iptables. See here.
As a pattern, we'll use ip. See here.
```jsonnet
{
  streams: {
    // Ban hosts failing to connect via ssh
    ssh: {
      // Use systemd's `journalctl` to tail logs
      cmd: ['journalctl', '-fn0', '-u', 'sshd.service'],
      // may also be ↑ ssh.service, depends on the distribution
      filters: {
        failedlogin: {
          regex: [
            // Auth fail
            @'authentication failure;.*rhost=<ip>',
            // Client disconnects during authentication
            @'Connection (reset|closed) by (authenticating|invalid) user .* <ip>',
            // More specific auth fail
            @'Failed password for .* from <ip>',
          ],
          retry: 3,
          retryperiod: '6h',
          actions: banFor('48h'),
        },
      },
    },
  },
}
```
OpenBSD
```jsonnet
{
  streams: {
    // Ban hosts failing to connect via ssh
    ssh: {
      // Use `/var/log/authlog` to tail logs
      cmd: ['tail', '-fn0', '/var/log/authlog'],
      filters: {
        failedlogin: {
          regex: [
            // Auth fail
            @'Failed password for invalid user .* from <ip>',
            // Client disconnects during authentication
            @'Disconnected from invalid user .* <ip>',
          ],
          retry: 3,
          retryperiod: '6h',
          actions: banFor('48h'),
        },
      },
    },
  },
}
```
Depending on your Linux distribution (or other UNIX system), the lines OpenSSH logs may differ from the ones matched above.
Check yourself what logs your SSH server actually prints and adjust the regexes accordingly!
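To check that the `failedlogin` regexes really match what your server logs, and to see how `retry` and `retryperiod` turn matches into a ban, here is an added Python re-implementation of the filter semantics. It is example code written for this page, not part of reaction or its documentation. It assumes that reaction substitutes `<ip>` with an IP regex and runs the action once `retry` matches fall inside one `retryperiod`; `IP_PATTERN` (IPv4-only, a simplification of the real `ip` pattern), `BanTracker` and the sample journal lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for reaction's `ip` pattern. It is IPv4-only here;
# the real pattern also matches IPv6. Every `<ip>` in a filter regex is
# replaced by this named capture group.
IP_PATTERN = r'(?P<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})'

# The failedlogin regexes from the Linux block above, unchanged.
FAILEDLOGIN_REGEX = [
    r'authentication failure;.*rhost=<ip>',
    r'Connection (reset|closed) by (authenticating|invalid) user .* <ip>',
    r'Failed password for .* from <ip>',
]

RETRY = 3                          # retry: 3
RETRY_PERIOD = timedelta(hours=6)  # retryperiod: '6h'
BAN_FOR = timedelta(hours=48)      # banFor('48h')


def compile_filters(regexes, ip_pattern=IP_PATTERN):
    """Turn the config's regex list into compiled patterns with <ip> expanded."""
    return [re.compile(r.replace('<ip>', ip_pattern)) for r in regexes]


def match_ip(compiled, line):
    """Return the IP captured by the first matching regex, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group('ip')
    return None


class BanTracker:
    """Approximation (assumption) of reaction's retry/retryperiod bookkeeping:
    the action fires on the `retry`-th match inside a sliding `retryperiod`."""

    def __init__(self, retry=RETRY, retry_period=RETRY_PERIOD, ban_for=BAN_FOR):
        self.retry = retry
        self.retry_period = retry_period
        self.ban_for = ban_for
        self.hits = {}   # ip -> timestamps of matches still inside the window
        self.bans = {}   # ip -> timestamp at which the ban expires

    def feed(self, ts, line, compiled):
        """Process one log line; return the IP if this line triggers a ban."""
        ip = match_ip(compiled, line)
        if ip is None:
            return None
        if ip in self.bans and ts < self.bans[ip]:
            return None                       # already banned, nothing to do
        window = [t for t in self.hits.get(ip, []) if ts - t <= self.retry_period]
        window.append(ts)
        self.hits[ip] = window
        if len(window) >= self.retry:
            self.bans[ip] = ts + self.ban_for
            self.hits[ip] = []
            return ip
        return None


# Constructed sample journal lines (addresses from the documentation ranges).
SAMPLE_LOG = [
    ("2024-01-10 10:00:01", "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"),
    ("2024-01-10 10:00:05", "sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root"),
    ("2024-01-10 10:00:09", "sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2: ED25519 SHA256:constructed"),
    ("2024-01-10 10:00:12", "sshd[1235]: Connection closed by invalid user guest 203.0.113.7 port 51240 [preauth]"),
    ("2024-01-10 10:30:00", "sshd[1300]: Failed password for root from 198.51.100.9 port 60001 ssh2"),
    ("2024-01-10 11:00:00", "sshd[1301]: Failed password for root from 198.51.100.9 port 60002 ssh2"),
    ("2024-01-10 18:00:00", "sshd[1400]: Failed password for root from 198.51.100.9 port 60003 ssh2"),
]


def run_sample():
    """Replay SAMPLE_LOG through the filter; return IPs that got banned, in order."""
    compiled = compile_filters(FAILEDLOGIN_REGEX)
    tracker = BanTracker()
    banned = []
    for stamp, line in SAMPLE_LOG:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        ip = tracker.feed(ts, line, compiled)
        if ip:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print("banned:", run_sample())   # banned: ['203.0.113.7']
```

Only `203.0.113.7` is banned: its three matches (a failed password, a PAM authentication failure and a pre-auth disconnect) all land within a few seconds, whereas `198.51.100.9` never accumulates three matches inside a six-hour window and the successful publickey login matches nothing. To test your own server, replace `SAMPLE_LOG` with lines pasted from `journalctl -u sshd.service` or `/var/log/authlog` and see which of them `match_ip` picks up.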