Hello,

The regex ^%(__prefix_line)sDid not receive identification string from <HOST>$ will not match the entry in /var/log/auth.log, as the log entry contains the TCP port number. Ex: Did not receive identification string from 51.159.67.165 port 59677

We should add this regex in the filter: ^%(__prefix_line)sDid not receive identification string from <HOST>\s.*$

In the same spirit, ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] .* POSSIBLE BREAK-IN ATTEMPT!$ -- in my log I only see ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed\.$ We should add a regex accordingly.

And at last, in my opinion, hitting the preauth timeout is suspicious; I think we should add a regex to match it: ^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$

Regards
1) "Did not receive identification": perhaps just add " port \d" just as in other failregex. 2) OK 3) I think in upstream sshd.conf (which does not work with bsd's sshd) this failure would only be tracked with mode=ddos. So we should do it accordingly. I'll do it over the holidays.
(In reply to theis from comment #1) 1: yes, that seems much better. Thanks a lot!
^Triage: Leave maintainer-feedback open pending patch
Created attachment 231276: Patch. I hope the patch has the correct format, first time I created the diff with git.
I didn't have the time to follow the bug this month ... Fixed the wrong regex (Point 1 and 2). Added a regex for the "Connection closed by ..." failure. As upstream does in the similar case, you have to enable it by setting "mode = ddos" in the [bsd-sshd] section in your jail.local file, like the examples for the plain [sshd] filter.
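The failregex patterns discussed in this thread, run against constructed auth.log lines to show which ones fire (added example, not code from the bug thread or from the fail2ban bsd-sshd filter; the __prefix_line and <HOST> expansions are simplified stand-ins for fail2ban's real ones, and the " port \d+" suffix follows the suggestion in comment #1):

```python
import re

# Simplified stand-ins for fail2ban's substitutions (assumptions, not fail2ban's definitions):
# __prefix_line normally covers the syslog timestamp, hostname and "sshd[pid]: ";
# <HOST> normally expands to fail2ban's host-capturing group.
PREFIX_LINE = r"(?:\S+\s+){3}\S+\s+sshd\[\d+\]:\s+"
HOST = r"(?P<host>[0-9a-fA-F:.]+)"


def expand(failregex: str) -> re.Pattern:
    """Expand %(__prefix_line)s and <HOST> roughly the way fail2ban does."""
    return re.compile(failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))


# The filter lines as they were before the report, and the amended ones from the thread.
ORIGINAL = {
    "ident": r"^%(__prefix_line)sDid not receive identification string from <HOST>$",
    "revmap": r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] .* POSSIBLE BREAK-IN ATTEMPT!$",
}
AMENDED = {
    "ident": r"^%(__prefix_line)sDid not receive identification string from <HOST> port \d+$",  # comment #1
    "revmap": r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed\.$",
    "preauth": r"^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$",  # mode = ddos only
}

# Constructed auth.log lines in the shape quoted in the report (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "Dec 24 10:00:01 gw sshd[1234]: Did not receive identification string from 192.0.2.10 port 59677",
    "Dec 24 10:00:02 gw sshd[1235]: reverse mapping checking getaddrinfo for host.example [192.0.2.11] failed.",
    "Dec 24 10:00:03 gw sshd[1236]: Connection closed by 192.0.2.12 port 40000 [preauth]",
    "Dec 24 10:00:04 gw sshd[1237]: Accepted publickey for alice from 192.0.2.13 port 40001 ssh2",
]


def matched_hosts(regexes: dict, lines) -> dict:
    """Return {regex name: [captured hosts]} for every failregex that fires on the lines."""
    compiled = {name: expand(rx) for name, rx in regexes.items()}
    hits = {name: [] for name in regexes}
    for line in lines:
        for name, rx in compiled.items():
            m = rx.search(line)
            if m:
                hits[name].append(m.group("host"))
    return hits
```

With the original patterns none of the sample lines is matched, so no host would ever be banned; the amended set catches the three failure lines and leaves the successful login alone.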
I submitted a patch, but still get a reminder. Did I miss something?
I submitted a patch but still receive warnings that my attention is required. Did I forget to fill out / check a field?
I submitted a patch some time ago. But how and whom to tell about it?