Why does aggressive mode result in multiple log messages for invalid sshd user logins? #3176
I have been using fail2ban successfully with sshd for invalid user logins. However, I noticed the other day that invalid public key logins are not being caught. I looked around online and discovered that I had to change the mode to be aggressive. In aggressive mode, the invalid public key logins are caught as they should be. But now the invalid user logins create 2 logs in fail2ban. This causes 2 retries to trigger when only 1 should trigger. I have run my logs through the fail2ban-regex utility and each condition (invalid user logins and invalid public key logins) results in 1 matched line. This is not the case when I actually attempt to log in with an invalid user. Am I doing something wrong? What am I missing? Thanks!
This is conditionally correct. This "limitation" is initially made to avoid issues like #1263 (prevent against false positives for users connecting to git et al via ssh with multiple public keys). The only exception was that an attempt to login (no matter public key or password) with invalid user causes a failure. So setting it to any in jail like below:

    [sshd]
    # mode = aggressive
    filter = %(known/filter)s[publickey=any]

You could also try newest sshd-filter variant (replacing the filter file in
Well, aggressive mode is called so because it targets many vectors (inclusive ddos, similar circumstances, etc). Maybe some additional message triggers that, or it is because of the above-mentioned exception (however I thought we deactivated that in aggressive mode later, but you may have some older filter). Anyway, some not-a-failure messages in the normal case can indeed be considered as failures in aggressive mode, especially in cases where the user name switches (or simply together with other messages), especially without a success at the end, so sometimes it is a combination of messages that matters.
BTW, is it really so bad that a session rejecting an invalid user is considered as 2 failures at once? I mean in aggressive mode...
This is indeed a sign that some other message is affecting double counting, so please provide an excerpt of all messages of some session.
This is conditionally correct. This "limitation" is initially made to avoid issues like #1263 (prevent against false positives for users connecting to git et al via ssh with multiple public keys). The only exception was that an attempt to login (no matter public key or password) with invalid user causes a failure.
But it is not quite true now, since 9137c7b, newer fail2ban versions (>= 0.11.2 or 0.10.6) have a new parameter publickey, so it is possible to enable publickey failures without aggressive mode too, see #2765 (comment) for details. So setting it to any in jail like below would count any kind …
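To produce the per-session excerpt the maintainer asks for and compare how the two filter variants discussed above count it, here is an added helper script (not part of the discussion or of fail2ban). It works on a constructed auth.log excerpt; the `compare_filters` function assumes fail2ban is installed and that fail2ban-regex accepts the `filter[option=value]` form shown in its usage text.

```shell
#!/bin/sh
# Constructed auth.log excerpt (not taken from the discussion): one sshd
# session (pid 12345) rejected for an invalid user, plus an unrelated session.
AUTH_LOG="$(mktemp)"
cat > "$AUTH_LOG" <<'EOF'
Jan 10 10:00:01 host sshd[12345]: Invalid user admin from 203.0.113.7 port 51234
Jan 10 10:00:01 host sshd[12345]: Connection closed by invalid user admin 203.0.113.7 port 51234 [preauth]
Jan 10 10:00:05 host sshd[12399]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:constructed
EOF

# All messages of one sshd session: sshd tags every line of a connection with
# the same process id, so that id is the session key. Prints the lines.
session_lines() {
    grep -E "sshd\[$2\]:" "$1"
}

# Number of messages in that session (the excerpt to post when a session is
# counted twice is exactly these lines).
session_line_count() {
    session_lines "$1" "$2" | wc -l | tr -d ' '
}

# Feed only that session to fail2ban-regex under both variants discussed
# above (aggressive mode vs. the publickey=any parameter on the normal
# filter), so the number of counted failures can be compared directly.
compare_filters() {
    excerpt="$(mktemp)"
    session_lines "$1" "$2" > "$excerpt"
    for f in 'sshd[mode=aggressive]' 'sshd[publickey=any]'; do
        echo "== $f =="
        fail2ban-regex --print-all-matched "$excerpt" "$f"
    done
    rm -f "$excerpt"
}

# Show the session that the question is about.
session_lines "$AUTH_LOG" 12345
```

Run `compare_filters "$AUTH_LOG" 12345` on a host with fail2ban to see which lines each variant counts as failures for that single session.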