Update comments and pattern for another ssh failure

Don't single out the specific accounts that Nessus checks, but instead skip all the errors about disconnecting due to too many authentication failures.

Update comments and pattern for another ssh failure
ad7f2414 · Russ Allbery · 8e48f578 · ad7f2414
Commit ad7f2414 authored 11 years ago by Russ Allbery
--- a/files/ssh/etc/filter-syslog/ssh
+++ b/files/ssh/etc/filter-syslog/ssh
@@ -56,8 +56,10 @@ sshd: /^refused connect from (::ffff:)?171\.67\.22\.12 /
 sshd: / authentication failure; .* rhost=(scan1|inspect(2-scan)?)\.stanford/
 sshd: /^Postponed \S+ for invalid user \S+ from (::ffff:)?171\.67\.22\.12 /
 sshd: /^Postponed \S+ for \S+ from (::ffff:)?171\.67\.22\.12 /
-# Ignore noise on ubuntu from nessus scan
-sshd: /^Disconnecting: Too many authentication failures for (n3ssus|root|admin|manage|cisco|monitor|Cisco|ftp)$/
+
+# Ignore the logged disconnect message.  (We'll still get individual
+# authentication failures from compromised systems.)
+sshd: /^Disconnecting: Too many authentication failures for \S+$/

 # Ignore failed logins by IDG, Systems, and other ITS staff.  We all mistype
 # passwords occasionally.