Regex for multiple sshd Received disconnect from ... [preauth]

regex fail2ban

Solution 1:

You can use this rule:

^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$

To test it with fail2ban-regex or egrep, you can just strip off the ^%(__prefix_line)s from the beginning. Add this line to the failregex variable in your /etc/fail2ban/filter.d/sshd.conf.

A run with fail2ban-regex gave me these results, confirming that the rule matches:

Running tests
=============

Use regex file : sshd.conf
Use log file   : /var/log/auth.log


Results
=======

Failregex
|- Regular expressions:
[...]
|  [11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
|
`- Number of matches:
[...]
   [11] 545 match(es)
[...]

Related

SQL Server 2014 SP1 installation failure - bug in SSIS_hotfix_install.sql
SSH: su root or sudo? [duplicate]
How to install lynx on an AWS redhat machine that can't find the package?
Can AWS Certificate Manager (ACM) Certificates be used on Elastic Load Balancer Instances in Regions other than us-east-1?
Making a phone call in an iOS application
How to cd to a folder with two dots in the path
How can I chose a max load threshold depending on the number of available cores?
Why does 'ansible -a "env"' return a different environment PATH than my user?
How does Route53 give priority to wildcard subdomains?
Will my site be stopped during an iptables restart?
Change default mapping of string to "not analyzed" in Elasticsearch
Docker run bash script, then remove container