Talk:OpenSSH
From Fail2ban
ssh and pam
OpenSSH on recent Linux distributions uses PAM to authenticate users. If the user doesn't exist, this line is printed to auth.log:
Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29
Adding this regex rule is really helpful:
sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
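Added example, not part of the original post and not Fail2ban's own code: a quick offline check of the rule above against sample auth.log lines before putting it into a filter. HOST_GROUP is an assumed, simplified stand-in for Fail2ban's <HOST> tag (the real expansion depends on the Fail2ban version), and every log line except the first is constructed.

```python
import re
from collections import Counter

# Assumption: simplified stand-in for fail2ban's <HOST> tag; the real expansion
# varies by fail2ban version. Accepts an IPv4 address or a hostname.
HOST_GROUP = r"(?P<host>[\w.\-]+)"

# The rule from the post, unchanged.
FAILREGEX = r"sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>"

SAMPLE_LOG = [
    # Line quoted in the post.
    "Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29",
    # Constructed: same source, with a trailing user= field after rhost=.
    "Jul 20 01:35:46 foo sshd[7141]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29  user=root",
    # Constructed: a second source (documentation address range).
    "Jul 20 01:35:50 foo sshd[7142]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7",
    # Constructed: successful login, must not match.
    "Jul 20 01:36:02 foo sshd[7150]: Accepted password for alice "
    "from 203.0.113.7 port 40022 ssh2",
    # Constructed: pam_unix failure from su, not sshd, must not match.
    "Jul 20 01:36:10 foo su[7160]: (pam_unix) authentication failure; "
    "logname=alice uid=1000 euid=0 tty=pts/0 ruser=alice rhost=",
]

def compile_failregex(rule=FAILREGEX):
    """Expand the <HOST> tag and compile the rule."""
    return re.compile(rule.replace("<HOST>", HOST_GROUP))

def count_failures(lines, rule=FAILREGEX):
    """Return a Counter of matched hosts, one count per matching line."""
    pattern = compile_failregex(rule)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def hosts_over_threshold(lines, maxretry=2):
    """Hosts that a maxretry setting of this value would flag for banning."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_over_threshold(SAMPLE_LOG))
```
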