ssh login failures when plain text passwords are off
Posted: 27 Feb 2008, 11:28
I recently configured my server so that ssh logins will only work using public key encryption, and not plain old passwords. I noticed that lfd stopped detecting and banning IPs for people that attack ssh. Not a problem, you might think, since they will never get in anyway since they don't have a valid key. However, looking at the very long logfile of attempts, I thought it was probably best to lock them out anyway in case they might try other attacks, and just for neatness' sake. I added the following to /etc/csf/regex.pm inside the processline sub, below the equivalent line looking for "Illegal user":
Code:
# sshd "Invalid user" lines in the ssh log: report the source IP captured in $2
if (($config{LF_SSHD}) and ($lgfile eq $config{SSHD_LOG}) and ($bits[4] =~ /^sshd/) and ($line =~ /sshd.*: Invalid user.*(\s|:)(\d+\.\d+\.\d+\.\d+)/)) {
    return ("Failed SSH login from",$2,"sshd");
}

Hope this helps someone.
Paul.
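A stand-alone harness for checking the pattern in the post above against sshd log lines before it goes into regex.pm. This is an added example, not part of the original post or of csf: match_invalid_user is a hypothetical wrapper, the whitespace split that fills @bits is an assumption, the $config and $lgfile checks are left out, and the log lines are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the check inside processline(). Assumption: @bits
# is the log line split on whitespace, so $bits[4] is the syslog program tag.
sub match_invalid_user {
    my ($line) = @_;
    my @bits = split /\s+/, $line;
    if (defined $bits[4] and $bits[4] =~ /^sshd/
        and $line =~ /sshd.*: Invalid user.*(\s|:)(\d+\.\d+\.\d+\.\d+)/) {
        return ("Failed SSH login from", $2, "sshd");
    }
    return;
}

# Constructed log lines (documentation address ranges), paired with the
# address the rule should report, or undef when it should stay silent.
my @cases = (
    # Plain IPv4 source.
    ['Feb 27 11:20:01 host sshd[2101]: Invalid user admin from 192.0.2.10', '192.0.2.10'],
    # IPv4-mapped form: the (\s|:) alternative lets the match start after "::ffff:".
    ['Feb 27 11:20:05 host sshd[2102]: Invalid user test from ::ffff:198.51.100.7', '198.51.100.7'],
    # Trailing port field, as newer sshd versions log it.
    ['Feb 27 11:20:09 host sshd[2103]: Invalid user oracle from 203.0.113.5 port 40022', '203.0.113.5'],
    # Single-digit day, which syslog pads with two spaces.
    ['Feb  7 03:14:15 host sshd[2104]: Invalid user guest from 192.0.2.44', '192.0.2.44'],
    # User name made of dotted digits: the greedy .* reports the last address.
    ['Feb 27 11:20:13 host sshd[2105]: Invalid user 10.0.0.1 from 192.0.2.99', '192.0.2.99'],
    # Successful key login must not be reported.
    ['Feb 27 11:21:00 host sshd[2106]: Accepted publickey for paul from 192.0.2.200 port 51515 ssh2', undef],
    # Same text written by another program: rejected by the $bits[4] test.
    ['Feb 27 11:22:00 host logger: sshd[1]: Invalid user x from 192.0.2.77', undef],
);

my $failed = 0;
for my $case (@cases) {
    my ($line, $want) = @$case;
    my (undef, $ip) = match_invalid_user($line);
    my $ok = (defined $ip ? $ip : '') eq (defined $want ? $want : '');
    $failed++ unless $ok;
    printf "%-4s %-15s %s\n", ($ok ? 'ok' : 'FAIL'), (defined $ip ? $ip : '-'), $line;
}
exit($failed ? 1 : 0);
```

The script exits non-zero if any line produces a different result from the one listed beside it, so lines copied from the server's own ssh log can be added to @cases to confirm the rule fires on that sshd version's message format.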