New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Included filter.d/sshd.conf does not identify failed public keys #1477
Comments
I seem to have it working with the following line:
However, when I run the test script, I get failures but I do not understand why.
|
…+ improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
…+ improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>" ChangeLog entry added
Fixed within #1479 |
@sebres in which fail2ban version was the fix added? I am using fail2ban 0.10.2-2.1 from Debian 10. After adding
|
I assume your user name is valid, so the messages, that you mean, are not
Shortly, I don't know, because the sshd filter changes continuously. The case is simple - we have to find a balance between:
I can only say, in the the last version (0.10.5 / 0.11.1) it is fixed "ultimately" (at least unless the logging changes or we get again some new findings).
Also note that even with old (not "fixed") variants of sshd-filter you are "safe", because the key authentication method is extremely stable against brute-force - even 1024-bit RSA key would expect approximately 2.7 * 10151 primes tries what is equal a number with 150 zeros attempts to hit your key with 100% guaranty or approximately 1075 to hit it with even chance (50%). |
@sebres thanks for your reply. Yes, I meant |
Did you read at all what I wrote above about a chance to success using brute force?
This is normally configurable (and I don't know how many attempts is possible on your system before you get that).
So I guess you did not read what I wrote... |
@sebres yes I read that it is nearly impossible to bruteforce but I talked about improving since it is always possible to improve security. For my other question, I asked that because my IP address was not banned even if I have a |
This fix is probably outdated.
And the logic I described above is valid for latest version only (e. g. last month fix - 9137c7b). To cut a long story short, it is always possible to provide your own RE's if needed, so: [sshd]
enabled = true
failregex = ...your-own-RE...
%(known/failregex)s For other things install latest version. |
I also ran into the problem that an attempt to connect with the wrong certificate or without it, but with the correct user is not banned. I configured ssh in such a way that there was a login by certificate and login by password. |
Environment:
Fill out and check (
[x]
) the boxes which apply. If your Fail2Ban version is outdated,and you can't verify that the issue persists in the recent release, better seek support
from the distribution you obtained Fail2Ban from
The issue:
Fail2Ban does not trigger a ban when connection attempts are made using an invalid public key. On this box, sshd setup running on port 15001 and only allows keyfiles on Arch Linux using Fail2Ban v0.9.4.
Steps to reproduce
/etc/fail2ban/jail.local
Expected behavior
After 3 attempts, F2B should lock out the offending IP.
Observed behavior
No ban is triggered.
Any customizations done to /etc/fail2ban/ configuration
The only modification I have made is to create /etc/fail2ban/jail.local
Relevant parts of /var/log/fail2ban.log file:
preferably obtained while running fail2ban with
loglevel = 4
Below is the output from
journalctl -u sshd
while I am pounding the box with an unauthorized key:The text was updated successfully, but these errors were encountered: