[sslh] fail2ban filter

Evert Mouw post at evert.net
Fri Mar 28 08:22:33 CET 2014


Yesterday I tried to get transparency working. I have one VM that acts 
as a proxy and also has sslh installed. Another VM should be accessible 
over ssh. No luck. But then I found an old mail in the sslh mailinglist 
archives:

 > Yves Rutschle yves at naryves.com
 > Fri Oct 4 08:23:03 CEST 2013
 > An alternative would be to write the appropriate regexp for
 > fail2ban, extracting the data from sslh logs:
 > sslh[17582]: connection from <...> to <...> forwarded from localhost:52890 to localhost:ssh
 > -> if I see 5 connections to ssh from the same IP address,
 > there's something suspicious going on, ban that IP.

Since my proxy has fail2ban installed, I could block brute force attacks 
already on the proxy. I just wrote a small fail2ban filter that I have 
not extensively tested but that I will use on my own system. Maybe 
others can test it as well or improve it. After that, we can maybe 
submit the filter to the fail2ban devs or include it with sslh.

--- start of sslh-ssh.conf ---

# Fail2Ban filter for sslh demultiplexed ssh
#
# Doesn't (and cannot) detect auth errors,
# but many connection attempts from the same
# origin is reason enough to block.
#
# Version: 2014-03-28

[INCLUDES]

# no includes

[Definition]

failregex = ^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ forwarded from .+ to .+:ssh\s*$

ignoreregex =

# Author: Evert Mouw <post at evert.net>

--- end of sslh-ssh.conf ---

Thanks,
Evert
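The following Python script is an added example for checking the filter above against sample log lines; it is not part of the original post and not fail2ban's own code. It expands the `<HOST>` placeholder with an approximation of the group fail2ban substitutes (an assumption, labelled in the code), runs the posted failregex over constructed sslh log lines, and counts ssh-forwarded connections per source address the way a fail2ban jail with `maxretry = 5` would, ignoring the time window.

```python
import re
from collections import Counter

# failregex exactly as posted in sslh-ssh.conf, joined onto one line.
FAILREGEX = (r"^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ "
             r"forwarded from .+ to .+:ssh\s*$")

# Assumption: fail2ban expands <HOST> roughly like this (optional IPv4-mapped
# IPv6 prefix, then a host/IP token). This is a stand-in, not fail2ban's code.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))


def extract_host(line: str):
    """Return the connecting address if the line matches the filter, else None."""
    m = PATTERN.match(line)
    return m.group("host") if m else None


def hosts_to_ban(lines, maxretry: int = 5):
    """Addresses whose count of ssh-forwarded connections reaches maxretry."""
    hits = Counter(h for h in map(extract_host, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed sample log lines in the format quoted in the post; the
# addresses and ports are made up, not taken from any real system.
def _line(host, port, proto):
    return (f"Mar 28 08:10:01 proxy sslh[17582]: connection from {host}:{port} "
            f"to 198.51.100.10:443 forwarded from localhost:{port} to localhost:{proto}")


SAMPLE_LOG = (
    [_line("203.0.113.7", 52890 + i, "ssh") for i in range(5)]      # five ssh hits
    + [_line("198.51.100.23", 41000 + i, "ssh") for i in range(2)]  # two ssh hits
    + [_line("203.0.113.7", 52899, "https")]                        # not ssh: ignored
)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(extract_host(line), "<-", line)
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Only the lines ending in `:ssh` count, so the https connection from the same address is not attributed to it. The real jail additionally applies `findtime`, so five connections spread over a long period would not trigger a ban there; with `fail2ban-regex` you can run the same filter file against an actual sslh log to confirm the match counts before enabling the jail.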



