Re: [gentoo-user] ssh authkeys log invalid

2014-04-28 Thread thegeezer
On 04/21/2014 08:02 PM, thegeezer wrote:
 Hi all,
 i was looking up the gentoo wiki on fail2ban [1] to have it look at its
 own log file fail2ban.log in order to block repeat offenders for longer
 as abuse@offender doesn't really seem to help these days.

 then i saw a warning saying fail2ban not blocking all requests which i
 followed to github [2] which has a paste of his logfiles [3]

 now this i commented at github saying it looks similar to something i
 discovered when trying to setup authkeys on ssh - namely invalid keys
 give you no log file entry saying invalid keys

 can anyone tell me if they know how to make the log file entry show that
 it was an invalid key?
 i only know that it is this from my experience -- when i was using the wrong
 key or auth keys file had wrong permission i had only similar entries in my 
 logs.
 i did try to find the answer myself at that time but was unable to.

 thanks in advance!



 [1] http://wiki.gentoo.org/wiki/Fail2ban
 [2] https://github.com/fail2ban/fail2ban/issues/643
 [3] http://bpaste.net/show/188261/

  


hey so i've been doing some digging and for openssh to log public key
failures you have to set loglevel to minimum of VERBOSE
please see my email to openssh mailing list. [4]
is this something that could be implemented as a gentoo specific patch ?
if so how would i go about requesting it ?
i don't know about you all but i'm a little concerned that ssh is not
logging bruteforce public keys, they might be harder to crack but if
they are invisible in the logs then this could go on silently for a long
time.

[4] http://marc.info/?l=openssh-unix-dev&m=139871423503774&w=3
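
An added example (not part of the original post, and not code from OpenSSH, fail2ban or Gentoo): shell functions that check whether an sshd_config sets LogLevel to VERBOSE or higher, the minimum the message above reports is needed before public-key failures show up in the log. It assumes a single config file with no Include directives and reads only the global section before any Match block; the sample configs are constructed.

```shell
#!/bin/sh
# Print the effective global LogLevel of the sshd_config file given as $1.
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and the default is INFO when LogLevel is not set.
# Assumption: Include files and Match blocks are not evaluated.
effective_loglevel() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, allow key=value
        tolower($1) == "match"    { exit }      # global section ends here
        tolower($1) == "loglevel" { print toupper($2); found = 1; exit }
        END { if (!found) print "INFO" }
    ' "$1"
}

# Succeed (exit 0) when the level is VERBOSE or one of the DEBUG levels.
logs_pubkey_failures() {
    case "$(effective_loglevel "$1")" in
        VERBOSE|DEBUG|DEBUG1|DEBUG2|DEBUG3) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#LogLevel VERBOSE' 'PermitRootLogin no' > "$demo_dir/default.conf"
printf '%s\n' 'loglevel verbose' 'LogLevel INFO' > "$demo_dir/verbose.conf"

for f in "$demo_dir"/*.conf; do
    level=$(effective_loglevel "$f")
    if logs_pubkey_failures "$f"; then
        echo "$(basename "$f"): LogLevel $level - public-key failures are logged"
    else
        echo "$(basename "$f"): LogLevel $level - public-key failures are NOT logged"
    fi
done
rm -rf "$demo_dir"
```

On a running host, `sshd -T` prints the effective configuration and is the authoritative check.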




Re: [gentoo-user] ssh authkeys log invalid

2014-04-28 Thread Mick
On Monday 28 Apr 2014 20:54:18 thegeezer wrote:
 On 04/21/2014 08:02 PM, thegeezer wrote:
  Hi all,
  i was looking up the gentoo wiki on fail2ban [1] to have it look at its
  own log file fail2ban.log in order to block repeat offenders for longer
  as abuse@offender doesn't really seem to help these days.
  
  then i saw a warning saying fail2ban not blocking all requests which i
  followed to github [2] which has a paste of his logfiles [3]
  
  now this i commented at github saying it looks similar to something i
  discovered when trying to setup authkeys on ssh - namely invalid keys
  give you no log file entry saying invalid keys
  
  can anyone tell me if they know how to make the log file entry show that
  it was an invalid key?
  i only know that it is this from my experience -- when i was using the
  wrong key or auth keys file had wrong permission i had only similar
  entries in my logs. i did try to find the answer myself at that time but
  was unable to.
  
  thanks in advance!
  
  
  
  [1] http://wiki.gentoo.org/wiki/Fail2ban
  [2] https://github.com/fail2ban/fail2ban/issues/643
  [3] http://bpaste.net/show/188261/
 
 hey so i've been doing some digging and for openssh to log public key
 failures you have to set loglevel to minimum of VERBOSE
 please see my email to openssh mailing list. [4]
 is this something that could be implemented as a gentoo specific patch ?
 if so how would i go about requesting it ?
 i don't know about you all but i'm a little concerned that ssh is not
 logging bruteforce public keys, they might be harder to crack but if
 they are invisible in the logs then this could go on silently for a long
 time.
 
 [4] http://marc.info/?l=openssh-unix-dev&m=139871423503774&w=3

At the very least when one emerges fail2ban there should be an elog message 
informing/warning of the required modifications to the associated 
applications' config files, like ssh, to enable fail2ban to do its filtering.

You can raise a bug for it at:  https://bugs.gentoo.org/

-- 
Regards,
Mick

