ssh login failures when plain text passwords are off

mistlethrush
Junior Member
Posts: 1
Joined: 27 Feb 2008, 11:05

Post by mistlethrush »

I recently configured my server so that ssh logins will only work using public key encryption, and not plain old passwords. I noticed that lfd stopped detecting and banning IPs for people that attack ssh. Not a problem, you might think, since they will never get in anyway since they don't have a valid key. However, looking at the very long logfile of attempts, I thought it was probably best to lock them out anyway in case they might try other attacks, and just for neatness' sake. I added the following to /etc/csf/regex.pm inside the processline sub, below the equivalent line looking for "Illegal user":

Code:

        # sshd "Invalid user" lines: report the source IPv4 address (captured in $2)
        if (($config{LF_SSHD}) and ($lgfile eq $config{SSHD_LOG}) and ($bits[4] =~ /^sshd/) and ($line =~ /sshd.*: Invalid user.*(\s|:)(\d+\.\d+\.\d+\.\d+)/)) {
                return ("Failed SSH login from",$2,"sshd");
        }

Hope this helps someone.

Paul.
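
The rule above run against sample sshd log lines, as an added example that is not part of the original post or of lfd. The %config values, the log path, the way @bits is built and every log line are assumptions constructed for the test; the condition and regex are the posted ones.

```perl
#!/usr/bin/perl
# Added example: stand-alone harness for the "Invalid user" rule in the post.
# Not lfd code. %config values, the log path and all log lines are constructed.
use strict;
use warnings;

my %config = (LF_SSHD => 5, SSHD_LOG => '/var/log/secure');   # assumed values

# Same condition and return list as the posted rule. Assumption: @bits is the
# log line split on whitespace, so $bits[4] is the "sshd[pid]:" field.
sub match_invalid_user {
    my ($line, $lgfile) = @_;
    my @bits = split ' ', $line;
    return unless defined $bits[4];
    if (($config{LF_SSHD}) and ($lgfile eq $config{SSHD_LOG}) and ($bits[4] =~ /^sshd/)
        and ($line =~ /sshd.*: Invalid user.*(\s|:)(\d+\.\d+\.\d+\.\d+)/)) {
        return ("Failed SSH login from", $2, "sshd");
    }
    return;
}

# Each entry: [constructed log line, address the rule should report]
my @cases = (
    # Older sshd format, plain IPv4 peer
    ['Feb 27 11:05:01 host sshd[4101]: Invalid user admin from 203.0.113.7', '203.0.113.7'],
    # IPv4-mapped IPv6 peer: the (\s|:) alternative allows the ':' before the address
    ['Feb 27 11:05:09 host sshd[4102]: Invalid user test from ::ffff:198.51.100.23', '198.51.100.23'],
    # Newer sshd format with a trailing port: the regex has no end anchor, so it still matches
    ['Feb 27 11:06:15 host sshd[4110]: Invalid user oracle from 192.0.2.44 port 50122', '192.0.2.44'],
    # The user name is client-supplied text. Greedy .* means the last address on
    # the line, the peer that sshd appends, is the one captured.
    ['Feb 27 11:07:40 host sshd[4120]: Invalid user 192.0.2.99 from 203.0.113.8 port 40022', '203.0.113.8'],
    # Successful key login must not be reported
    ['Feb 27 11:08:02 host sshd[4125]: Accepted publickey for paul from 192.0.2.10 port 51000 ssh2', 'no match'],
);

my $fail = 0;
for my $c (@cases) {
    my ($line, $want) = @$c;
    my (undef, $ip) = match_invalid_user($line, $config{SSHD_LOG});
    my $got = defined $ip ? $ip : 'no match';
    my $ok  = $got eq $want;
    $fail++ unless $ok;
    printf "%-4s %-15s %s\n", ($ok ? 'ok' : 'FAIL'), $got, $line;
}
exit($fail ? 1 : 0);
```

The script exits non-zero if any line yields an address other than the expected one, so it can be rerun after editing regex.pm or after an sshd upgrade changes the log format.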
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Thank you Paul. I'll include the regex in the next release of regex.pm to keep that in place.