added fail2ban configuration examples

ChangeLog

@@ -3,6 +3,9 @@ vNEXT:
 	privilege escalation).
 	(Lars Vogdt)
 
+	Example configuration for fail2ban.
+	(Every Mouw)
+
 v1.16:	11FEB2014
 	Probes made more resilient, to incoming data
 	containing NULLs. Also made them behave properly

README.md

@@ -250,6 +250,18 @@ This will not work:
 
 	sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443
 
+Fail2ban
+--------
+
+If using transparent proxying, just use the standard ssh
+rules. If you can't or don't want to use transparent
+proxying, you can set `fail2ban` rules to block repeated ssh
+connections from a same IP address (obviously this depends
+on the site, there might be legimite reasons you would get
+many connections to ssh from the same IP address...)
+
+See example files in scripts/fail2ban.
+
 Comments? Questions?
 ====================
 

scripts/fail2ban/jail.conf

@@ -0,0 +1,9 @@
+# Add the following to your fail2ban jail.conf
+# In Debian you'd append it to /etc/fail2ban/jail.local
+
+[sslh-ssh]
+enabled = true
+filter = sslh-ssh
+action = iptables-multiport[name=sslh,port="443"]
+logpath = /var/log/messages
+maxretry = 5

scripts/fail2ban/sslh-ssh.conf

@@ -0,0 +1,25 @@
+# Add the following to you fail2ban configuration file
+# In Debian it'd go in /etc/fail2ban/filter.d/sslh-ssh.conf
+
+
+# Fail2Ban filter for sslh demultiplexed ssh
+#
+# Doesn't (and cannot) detect auth errors,
+# but many connection attempts from the same
+# origin is reason enough to block.
+#
+# Verion: 2014-03-28
+
+[INCLUDES]
+
+# no includes
+
+[Definition]
+
+failregex = ^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ forwarded
+from .+ to .+:ssh\s*$
+
+ignoreregex =
+
+# Author: Evert Mouw <post@evert.net>
+