From aac82d53f776786c2ce70a49f92b073ed90ce1c3 Mon Sep 17 00:00:00 2001
From: Alex 'AdUser' Z <ad_user@runbox.com>
Date: Wed, 26 May 2021 12:53:50 +1000
Subject: [PATCH] * tune filters

---
 filters/ssh.preg | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/filters/ssh.preg b/filters/ssh.preg
index 7a90a18..e675875 100644
--- a/filters/ssh.preg
+++ b/filters/ssh.preg
@@ -1,19 +1,17 @@
 # set: defscore=15
-Invalid user [[:print:]]+ from <HOST>
-Postponed keyboard-interactive for invalid user [[:print:]]+ from <HOST> port [0-9]+
-Failed password for invalid user .* from <HOST>
+User [[:print:]]+ from <HOST> not allowed because listed in DenyUsers
+User [[:print:]]+ from <HOST> not allowed because a group is listed in DenyGroups
 # set: defscore=10
-[Aa]uthentication failure for .* from <HOST>( via [[:print:]]*)?
-[Aa]uthentication error for .* from <HOST>( via [[:print:]]*)?
-User not known to the underlying authentication module for .* from <HOST>
-Failed password for .* from <HOST>
-refused connect from [[:print:]]+ \(<HOST>\)
-Received disconnect from <HOST>: [0-9]*: [[:print:]]+: Auth fail
 User [[:print:]]+ from <HOST> not allowed because not listed in AllowUsers
-User [[:print:]]+ from <HOST> not allowed because listed in DenyUsers
 User [[:print:]]+ from <HOST> not allowed because not in any group
-User [[:print:]]+ from <HOST> not allowed because a group is listed in DenyGroups
 User [[:print:]]+ from <HOST> not allowed because none of user's groups are listed in AllowGroups
+[Aa]uthentication failure for .* from <HOST>( via [[:print:]]*)?
+[Aa]uthentication error for .* from <HOST>( via [[:print:]]*)?
+Failed password for .* from <HOST>
 # set: defscore=5
+User not known to the underlying authentication module for .* from <HOST>
+Invalid user [[:print:]]+ from <HOST>
+# set: defscore=3
+refused connect from [[:print:]]+ \(<HOST>\)
 Did not receive identification string from <HOST>
 Connection closed by <HOST>( port [0-9]+)? \[preauth\]