# Add the following to you fail2ban configuration file
# In Debian it'd go in /etc/fail2ban/filter.d/sslh-ssh.conf


# Fail2Ban filter for sslh demultiplexed ssh
#
# Doesn't (and cannot) detect auth errors,
# but many connection attempts from the same
# origin is reason enough to block.
#
# Verion: 2014-03-28

[INCLUDES]

# no includes

[Definition]

failregex = ^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ forwarded
from .+ to .+:ssh\s*$

ignoreregex =

# Author: Evert Mouw <post@evert.net>