Stephen Gran on 23 Mar 2009 16:03:16 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Fail2ban (was: Re: 'logcheck')

On Mon, Mar 23, 2009 at 11:10:49PM +0100, sean finney said:
> just FYI, the last time i checked (around the DSA ssh key debacle),
> fail2ban was unable to automatically detect and block failed key-based
> logins.  i don't recall whether this was a fault in fail2ban or the
> logging facility of sshd...

It's sort of more feature than bug, but it's sshd.  If left at the
default log level (INFO), sshd won't log key transactions until the
final failed login.  If upped to DEBUG (IIRC), it will.  fail2ban
doesn't have an explicit regex for key based auth, but it will pick up
the regular failed login line.  In order to block brute force key based
attacks, you'd have to write your own (rather trivial) regex to catch
them after turning up verbosity in sshd.

|  Stephen Gran                  | An intellectual is someone whose mind   |
|             | watches itself.   -- Albert Camus       |
| |                                         |

Attachment: signature.asc
Description: Digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --