From e1ff702cd1d49989b27778611eaf65ad58fadfed Mon Sep 17 00:00:00 2001
From: ppom
Date: Sat, 6 Jan 2024 12:00:00 +0100
Subject: [PATCH] Generalisation of new SSH regex
---
 app/example.yml | 2 +-
 config/example.jsonnet | 2 +-
 config/server.jsonnet | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/example.yml b/app/example.yml
index e275e5a..f3e34c5 100644
--- a/app/example.yml
+++ b/app/example.yml
@@ -55,7 +55,7 @@ streams:
 # ip's regex is inserted in the following regex
 - 'authentication failure;.*rhost='
 - 'Failed password for .* from '
- - 'Connection reset by authenticating user .* '
+ - 'Connection (reset|closed) by (authenticating|invalid) user .* '
 # if retry and retryperiod are defined,
 # the actions will only take place if a same pattern is
 # found `retry` times in a `retryperiod` interval
diff --git a/config/example.jsonnet b/config/example.jsonnet
index add9588..516feb4 100644
--- a/config/example.jsonnet
+++ b/config/example.jsonnet
@@ -64,7 +64,7 @@ local iptables(args) = ['ip46tables', '-w'] + args;
 // ip's regex is inserted in the following regex
 @'authentication failure;.*rhost=',
 @'Failed password for .* from ',
- @'Connection reset by authenticating user .* ',
+ @'Connection (reset|closed) by (authenticating|invalid) user .* ',
 ],
 // if retry and retryperiod are defined,
 // the actions will only take place if a same pattern is
diff --git a/config/server.jsonnet b/config/server.jsonnet
index de3c578..2886c28 100644
--- a/config/server.jsonnet
+++ b/config/server.jsonnet
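Review bot: In the app/example.yml hunk, and identically in the config/example.jsonnet hunk, the widened pattern `Connection (reset|closed) by (authenticating|invalid) user .* ` now also counts connections that a client closes before finishing authentication. As far as I know sshd logs that line for ordinary users who abort a login as well as for scanners, so the example should say so next to the list, e.g. `# 'closed by authenticating user' also matches aborted legitimate logins; keep retry above 1` (with `//` in the jsonnet file). The two alternations are written as capturing groups, while the ip regex in config/server.jsonnet uses `(?:...)` throughout; `(?:reset|closed)` and `(?:authenticating|invalid)` would be consistent with it and avoid stray captures if the matcher inspects groups, which this page does not show.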
@@ -16,7 +16,8 @@ local banFor(time) = {
 // ip46tables (C program also in this repo) handles running the good commands
 ip: {
 regex: @'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))',
- ignore: std.makeArray(255, function(i) "192.168.1."+i),
+ // Ignore all from 192.168.1.1 to 192.168.1.255
+ ignore: std.makeArray(255, function(i) '192.168.1.' + (i + 1)),
 },
 },
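Review bot: The new comment on `ignore` says which addresses are exempt but not why, and this list decides which hosts this server config never bans. I would extend it to something like `// LAN 192.168.1.1-192.168.1.255 is trusted and never banned; a compromised LAN host is not throttled by this filter`. The list is 255 literal strings, so if entries are compared as exact text (not visible here), a LAN client logged in IPv4-mapped form, which the `regex` above accepts through its `::ffff:` branch, would not be ignored. The enclosing pattern block opens before the hunk, so how `ignore` is consumed cannot be checked from here.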