sshdfilter

Support was added for sshd patterns that span multiple lines. The behavior defaults to using all known sshd patterns. The installer now supports Ubuntu.

The configuration parser and the pattern matching engine were rewritten to provide all the flexibility you could ever want. sshdfilter can now read sshd messages from either sshd -eD (as with previous versions of sshdfilter) or via a named pipe maintained by syslog. Hostname lookup for messages was added for PAM-based systems that show hostnames and never a source IP. ipfw support was added.

Support for CentOS 4.3, Slackware, and Debian Sid was added. A config loading bug where SSHDFILTERRC was ignored was fixed. Man page installation was fixed in install.pl. Typos in the documentation were corrected.

Custom ports and options such as -j REJECT are a
configuration option. A hanging email command no
longer delays sshdfilter. The result code from
system() calls is checked when adding block rules.
The SSHD chain name is now a config option, so
multiple instances of sshdfilter can have their
own chains. Support for multiple configuration
files was added. Support for Gentoo and Debian sid
was added. The LogWatch installer for Fedora Core
4 was improved. The LogWatch script's
compatibility with other versions of LogWatch was
improved. Man pages were added for sshdfilter and
sshdfilterrc.

Support was added for Suse 10.0 RC 1, CentOS, and
Red Hat Enterprise Linux ES release 4. The program
now daemonizes like sshd, so it makes a better
replacement for sshd in the startup scripts.
select() is now used to read sshd output, making
repurgetime much more responsive when a small
value is given. Email can be sent to someone
optionally on block events. More support was added
for IPv6 and conversion to IPv4. A typographical
bug in IPv6 to IPv4 conversion of 1.4.0 was fixed.