From 5a3546436c1d1e6e70a98196306061a78c42fd08 Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@stanford.edu>
Date: Wed, 2 Apr 2014 19:09:09 -0700
Subject: [PATCH] Add more ssh filter rules

---
 files/ssh/etc/filter-syslog/ssh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/files/ssh/etc/filter-syslog/ssh b/files/ssh/etc/filter-syslog/ssh
index be19463..8ef72f8 100644
--- a/files/ssh/etc/filter-syslog/ssh
+++ b/files/ssh/etc/filter-syslog/ssh
@@ -65,11 +65,11 @@ sshd: /^Disconnecting: Too many authentication failures for \S+$/
 
 # Ignore failed logins by IDG, Systems, and other ITS staff. We all mistype
 # passwords occasionally.
-sshd: /^sshd\(pam_unix\): authentication failure; .* user=(adamhl|atayts|bxk|chekh|darrenp1|digant|frobozz|hallk|jmcdermo|ktai|laltman|jonrober|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|whm|vdc|xinlei|yuelu)$/
-sshd: /^pam_(unix|krb5)\(sshd:auth\): authentication failure;.* (logname|user)=(adamhl|atayts|bxk|chekh|darrenp1|digant|frobozz|hallk|jmcdermo|jonrober|ktai|laltman|martinp|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|whm|vdc|xinlei|yuelu)( |\Z)/
-sshd: /^PAM \d+ more authentication failures?; .* user=(adamhl|atayts|bxk|chehk|darrenp1|digant|frobozz|hallk|jmcdermo|jonrober|ktai|laltman|martinp|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|whm|vdc|xinlei|yuelu)$/
-sshd: /^Failed (password|gssapi-with-mic|keyboard-interactive/pam) for (adamhl|atayts|bxk|chehk|darrenp1|digant|frobozz|hallk|jmcdermo|jonrober|ktai|laltman|martinp|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|whm|vdc|xinlei|yuelu) from [a-f:\d.]+ port \d+ ssh2$/
-sshd: /^error: PAM: Authentication failure for (adamhl|atayts|bxk|chekh|darrenp1|digant|frobozz|hallk|jonrober|jmcdermo|ktai|laltman|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|whm|vdc|xinlei|yuelu) from [a-z:\d.-]+$/
+sshd: /^sshd\(pam_unix\): authentication failure; .* user=(adamhl|atayts|bxk|chekh|darrenp1|digant|frobozz|hallk|jmcdermo|jcowart|jonrober|ktai|laltman|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|tzakrajs|whm|vdc|xinlei|yuelu)$/
+sshd: /^pam_(unix|krb5)\(sshd:auth\): authentication failure;.* (logname|user)=(adamhl|atayts|bxk|chekh|darrenp1|digant|frobozz|hallk|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|tzakrajs|whm|vdc|xinlei|yuelu)( |\Z)/
+sshd: /^PAM \d+ more authentication failures?; .* user=(adamhl|atayts|bxk|chehk|darrenp1|digant|frobozz|hallk|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|tzakrajs|whm|vdc|xinlei|yuelu)$/
+sshd: /^Failed (password|gssapi-with-mic|keyboard-interactive/pam) for (adamhl|atayts|bxk|chehk|darrenp1|digant|frobozz|hallk|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|tzakrajs|whm|vdc|xinlei|yuelu) from [a-f:\d.]+ port \d+ ssh2$/
+sshd: /^error: PAM: Authentication failure for (adamhl|atayts|bxk|chekh|darrenp1|digant|frobozz|hallk|jcowart|jonrober|jmcdermo|ktai|laltman|meeilee|mgoll|nbfa|pradtke|rra|saracook|sfeng|tzakrajs|whm|vdc|xinlei|yuelu) from [a-z:\d.-]+$/
 
 # Ignore GSS-API failures as root. This is normally because people try to
 # use their normal credentials for root access.
-- 
GitLab
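Review bot: The rewritten rules keep the account list inconsistent across the five patterns: the `PAM \d+ more authentication failures` and `Failed (password|…)` rules spell the account `chehk` while the other three spell it `chekh`, and `martinp` appears in only three of the five; presumably one spelling is a typo, so whichever rules carry it never match that account and its failure lines keep reaching the log unfiltered. Since this commit already edits all five lines to add `jcowart` and `tzakrajs`, it is the right moment to make the alternation identical in every rule (same names, same order) so that a future addition is a mechanical one-line change per rule with no drift. Note also that these patterns suppress every failed-authentication line for the listed accounts regardless of source address or repetition count, so a password-guessing run against a staff account from an unfamiliar host is hidden by the same rule as a mistyped password; if filter-syslog cannot express a per-source or count threshold, that trade-off deserves a sentence in the `# Ignore failed logins by IDG, Systems, and other ITS staff` comment above the rules.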