
SSH Deny for RSA Auth?

Posted: 25 Sep 2007, 02:07
by JRKy
Chirpy,

I'm not sure this has been discussed but here goes:

I've noticed that since we don't use SSH password auth we don't get Bruteforce IPs blocked for SSH. I suppose it makes sense if an RSA auth failure isn't classified as a login failure (I'm thinking out loud there as I'm not sure on the technical side myself yet).

Personally, I would rather see these IPs banned permanently than to get a free opportunity to hit the servers all day long. For the interim, we've lowered the login trigger for SSH and enabled SSH password auth.

So my question is can LFD track failed logins for RSA auth? Should this already be happening? Is it a bug?

I await your response.

Posted: 27 Sep 2007, 15:21
by chirpy
There are no regexes for RSA authentication. If you can post the login failures seen in the log files for that authentication mechanism and which log files they're in I'll see if a regex can be included.

Posted: 27 Sep 2007, 17:46
by JRKy
Chirpy,

The following three lines show up in the "secure" log when an RSA login fails:
Sep 27 12:42:49 hostname sshd[4446]: Invalid user test from ::ffff:123.123.123.123
Sep 27 12:42:49 hostname sshd[4448]: input_userauth_request: invalid user test
Sep 27 12:42:49 hostname sshd[4448]: Received disconnect from ::ffff:123.123.123.123: 14: No supported authentication methods available
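An added example, not part of the thread and not LFD's own regex: a Python sketch of how the log lines posted above could be matched and counted per source IP. All function and pattern names are hypothetical, and the sample log is the three posted lines plus three constructed ones.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the three posted lines, a second made-up attempt,
# and an unrelated successful login that must not be counted.
SAMPLE_LOG = """\
Sep 27 12:42:49 hostname sshd[4446]: Invalid user test from ::ffff:123.123.123.123
Sep 27 12:42:49 hostname sshd[4448]: input_userauth_request: invalid user test
Sep 27 12:42:49 hostname sshd[4448]: Received disconnect from ::ffff:123.123.123.123: 14: No supported authentication methods available
Sep 27 12:42:51 hostname sshd[4450]: Invalid user admin from ::ffff:123.123.123.123
Sep 27 12:42:51 hostname sshd[4452]: Received disconnect from ::ffff:123.123.123.123: 14: No supported authentication methods available
Sep 27 12:43:10 hostname sshd[4460]: Accepted publickey for jr from 198.51.100.7 port 40122 ssh2
"""

PREFIX = r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+sshd\[\d+\]:\s+"
PATTERNS = {
    # Greedy ".*" plus the "$" anchor takes the LAST " from <ip>", so a
    # username containing " from 10.0.0.1" cannot redirect the block.
    "invalid_user": re.compile(PREFIX + r"Invalid user .* from (\S+)\s*$"),
    "no_auth_method": re.compile(
        PREFIX + r"Received disconnect from (\S+): 14: "
        r"No supported authentication methods available\s*$"),
}

def normalize_ip(token):
    """Return a canonical IP string (::ffff:a.b.c.d -> a.b.c.d) or None."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return None
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def count_failures(log_text):
    """Estimate failed attempts per IP. The two lines of one attempt carry
    different sshd PIDs, so they are correlated by IP: count each line kind
    separately and take the larger count to avoid double counting."""
    per_kind = {kind: Counter() for kind in PATTERNS}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            ip = normalize_ip(m.group(1)) if m else None
            if ip:
                per_kind[kind][ip] += 1
                break
    ips = set().union(*per_kind.values())
    return {ip: max(c[ip] for c in per_kind.values()) for ip in ips}

def offenders(log_text, threshold=2):
    """IPs whose failure count reaches the (assumed) trigger threshold."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)
```

The "No supported authentication methods available" line is also counted on its own because an existing user without a valid key would not produce the "Invalid user" line.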