SSH Deny for RSA Auth?

Post Reply
JRKy
Junior Member
Posts: 26
Joined: 05 Jan 2007, 05:08

SSH Deny for RSA Auth?

Post by JRKy »

Chirpy,

I'm not sure this has been discussed but here goes:

I've noticed that since we don't use SSH password auth we don't get Bruteforce IPs blocked for SSH. I suppose it makes sense if an RSA auth failure isn't classified as a loggin failure (I'm thinking out loud there as I'm not sure on the technical side myself yet).

Personally, I would rather see these IPs banned permanently than to get a free opportunity to hit the servers all day long. For the interim, we've lowered the login trigger for SSH and enabled SSH password auth.

So my question is can LFD track failed logins for RSA auth? Should this already be happening? Is it a bug?

I await your response.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

There are no regex's for RSA authentication. If you can post the login failures seen in the logs files for that authentication mechanism and which log files they're in I'll see if a regex can be included.
JRKy
Junior Member
Posts: 26
Joined: 05 Jan 2007, 05:08

Post by JRKy »

Chirpy,

The following three lines show up in the "secure" log when an RSA login fails:
Sep 27 12:42:49 hostname sshd[4446]: Invalid user test from ::ffff:123.123.123.123
Sep 27 12:42:49 hostname sshd[4448]: input_userauth_request: invalid user test
Sep 27 12:42:49 hostname sshd[4448]: Received disconnect from ::ffff:123.123.123.123: 14: No supported authentication methods available
Post Reply