# sshdfilter config, V1.5
# Config parser is simple, so don't try anything fancy.

SECTION OPTIONS
# These options set the general behaviour of sshdfilter, more specific
# options are set in the named sections below this OPTIONS section.

# Any character matching this expression is removed from the username
# before matching, to ensure odd characters aren't processed.
# If sanitisation changes a username, the username is called DIRTY and 
# matches the DIRTY pattern below.
sanitise='[^-a-zA-Z0-9_]'

# Options to pass to iptables, such as interface and/or port number.
# Note some options must be in the right order to be accepted by the 
# iptables parser.
# This replaces the 'interface' option found in sshdfilter <=1.4.2
iptablesoptions='--dport 22 -j DROP'
#iptablesoptions='--dport 22 -i eth1 -j DROP'
#iptablesoptions='-j DROP'

# Name of iptables chain where sshdfilter will store its rules. If you 
# want to run multiple isolated instances of sshdfilter then you will
# need to change this, your iptables setup and use the SSHFILTERRC 
# environment variable (see INSTALL).
chain='SSHD'

# Email any block events. Runs this line with some more details on stdin.
# Note perl executes this line, so be careful with escaping. Using the
# debug option might be a good idea to get this working, as would 
# logging debug level syslog events (thats /etc/syslog.conf).
#mail='mail -s \"sshdfilter event for $ip, $event\" greg\@abatis.flint'

# convert any IPv6 addresses to IPv4, necessary for iptables, as only
# ip6tables knows about IPv6. Setting this option to 0 also enables
# calling ip6tables instead of iptables, so you should generally leave it
# set to 1.
ip6toip4=1

# Where the sshd log messages come from, either from STDIN (sshd -e -D | sshdfilter),
# or via syslog, in which case the messages are read from a named pipe and you need to
# look at the sshdname and logpid options below.
logsource='STDIN'

# where sshd lives
sshdpath='/usr/sbin/sshd'

# The name of the sshd process, only needed to identify the sshd process 
# from a none STDIN logsource. See also logpid below, which isn't required
# if you have only one sshd daemon process.
sshdname='sshd'

# Assuming standard sshd behaviour, children of sshd (one sshd per
# connection) log to syslog directly, so the pid reported by syslog will
# change every time. The parent of the reported pid will be constant, and
# that is what this value should be. Or, set to <=0, and all sshdname
# processes will be interpretted as the same sshd. Can be given on the
# command line, sshdfilter logpid=`cat /var/run/sshd.pid`
logpid=0

# debug? !0 turns on debugging, setting to 1 should help diagnose unexpected 
# behaviour. 
debug=1

SECTION USERPOLICY
# Action policy says what happens when different users try to log in. The
# right hand side of the = is a regular expression that matches either 
# usernames or is a special word DEFAULT, INVALID, NOID or DIRTY.
# The format is:
# [number of failures],[block time] = <regular expression>
# [number of failures] is the maximum number of failures (password or 
# invalid usernames) before an iptables block rule is created. Here twice 
# what it should be, 'sshd -e -D', likes to output failures and successes 
# twice. [block time] is how long that block will last. After this time, 
# the iptables rule will be removed. This is specified as <number>d, 
# <number>h, <number>m or <number>s, for days, hours, minutes or seconds
# respectively.
# This list is read from top to bottom, the first match wins. But,
# DEFAULT sets the current default values and can be used multiple times
# to set the ongoing default values for following lines. INVALID works in
# the same way, any options provide defaults for future matches against
# users that match the given regular expression but are also invalid
# user names.

# On my RedHat 7.3 system, sshd message doublings (when using the sshd 
# options -eD, which is sshdfilter install route 1) follow this pattern
#(actual attempts at password=>log messages):
# FAILVAL: 1=>2, 2=>4, 3=>6
# INVALID: 0=>5, 1=>7, 2=>9, 3=>11, and repeat
# INVALID: 0=>4, 1=>6, 2=>8, 3=>10, and repeat

5,3d = DEFAULT   # catch all
0,10d = DIRTY         # username sanitising was necessary? instant long term block
0,10d = '^(nobody|test|guest|mythtv|admin|adm)$'   # common brute force names, instant block for 10 days
#6 = '^greg$'        # My username, so give me more chances, block for the default 3 days.
#3 = '^g[reg]{3}$'   # allow 3 guesses of greg, grge, ggre, gger, gerg, gegr,
                    # even if they are invalid usernames.
2,5d = '^root$'     # allow two guesses of root, block for 5 days.
#,1h = '^ian$'      # default of 3 guesses, only block for 1 hour.
3,5d = DEFAULT   # change defaults from this point on, 3 guesses, block for 5 days.
3,6d = INVALID    # Sets the dafault for Invalid user names, three chances, and a 6 day block time.
                  # If any of the below are Invalid and missing a value, this value, not the DEFAULT
                  # value is used.
#4 =  '^(peter|ian)$' # peter would get 4 chances and would be blocked for 7 days. ian would have matched
		   # the line above and so is redundant here.
#, = '^bob$'        # If bob exists, gets 3 chances and is blocked for 5 days, all values based on last DEFAULT.
                   # If bob is Illegal, gets 3 chances and is blocked for 7 days, values based on last INVALID.
3,7d = INVALID    # Catch all for Invalid usernames, if none of the above matched, these numbers will apply.
0,10d = NOID      # Catch all No ssh id events, instant block for 10 days.


SECTION IPPOLICY
# Good nets(+) and bad nets(-), by regular expression matching IP addresses.
# This matches the same addresses as reported in sshdfilter logs, ie, the
# same IP version as used by your iptables command, which will most likely
# be version 4. No hostname lookup is done, or proper subnet matching.
# If you want any of that you need to be using iptables.
#-'^192\.168\.7\.9$'  # drop a test #
#+'^192\.168\.7\.[0-9]+$'       # always accept, never block LAN connections
#+'^192\.168\.8\.[0-9]+$'       # always accept, never block LAN connections
#+'^192\.168\.0\.[0-9]+$'       # always accept, never block LAN connections
-'^207\.46\.[0-9]+.[0-9]+$'    # Block known evil domain


SECTION EMAILPOLICY
# When to send emails about block events. + means send email, - means don't.
# Read from top to bottom, the first match is the action. Except DEFAULT, 
# which only matches after none of the others have matched. But for DEFAULT,
# INVALID and NOID, the surrounding '' are required.

-'^peter$'   # If peter ever fails to login, don't email.
+DEFAULT     # Email in most circumstances.
+'^greg$'    # Email if the user is greg, redundant as this is the default.
+INVALID     # Email all invalid users
-NOID        # Don't email if there was no ssh id given.



SECTION SSHDLOG
# The SSHDLOG section maps sshd messages into one of several types, No Id string, Invalid User, Bad password for valid user, and Good password for valid user. Each version and distribution uses different message formats, so the exact format needs to be user configurable. These are already supplied for quite a few distributions.


