
fail2ban and SSH public key authentication


Using fail2ban is a great way to prevent dictionary attacks on SSH, but I ran into an unusual problem with it: I sometimes got banned after frequent successful logins. The reason was that I had public key authentication set up for another user on the same host, and ssh was offering that key for all the other accounts before prompting me for a password. The default fail2ban filter treats the "Failed publickey" message in the sshd log the same as a failed password login, hence the ban.

To change this behavior I had to edit /etc/fail2ban/filter.d/sshd.conf and change

    ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$

to

    ^%(__prefix_line)sFailed password for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$

and, of course, restart the daemon. From a security point of view, I find it highly unlikely that an attacker would brute-force public keys, so the setup is still safe.
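Before restarting the daemon it is worth checking what the old and new failregex actually match. The script below is an added example (not from this post or from the fail2ban project) that mimics what the fail2ban-regex tool does: it runs both patterns over a few constructed sshd log lines and counts failures per remote host. The expansions of %(__prefix_line)s and <HOST> are simplified assumptions, not fail2ban's exact definitions.

```python
import re

# Simplified stand-ins (assumptions, not fail2ban's exact definitions) for the
# two substitutions fail2ban performs before compiling a failregex:
#   %(__prefix_line)s -> syslog timestamp, hostname and "sshd[pid]: "
#   <HOST>            -> a named group capturing the remote address
PREFIX_LINE = r"\S+\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
HOST = r"(?P<host>[\w\-.]+)"
TAIL = r" for .* from " + HOST + r"(?: port \d*)?(?: ssh\d*)?$"

# The stock filter line from the post, and the modified one.
ORIGINAL_FAILREGEX = re.compile(r"^" + PREFIX_LINE + r"Failed (?:password|publickey)" + TAIL)
MODIFIED_FAILREGEX = re.compile(r"^" + PREFIX_LINE + r"Failed password" + TAIL)

# Constructed sample sshd log lines (addresses are from documentation ranges).
# Line 1 is the benign case from the post: a key offered for the wrong account,
# followed by a successful login from the same client.
SAMPLE_LOG = [
    "Apr 25 16:46:01 odeon sshd[1234]: Failed publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Apr 25 16:46:02 odeon sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "Apr 25 16:46:02 odeon sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Apr 25 16:46:03 odeon sshd[1236]: Accepted password for alice from 192.0.2.10 port 51235 ssh2",
]


def failures_per_host(regex, lines):
    """Count lines matched by the failregex per remote host, as fail2ban does
    before comparing the count against maxretry."""
    counts = {}
    for line in lines:
        m = regex.match(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


if __name__ == "__main__":
    # With the stock pattern the legitimate client 192.0.2.10 accumulates a
    # failure; with the modified pattern only the password guesser is counted.
    print("original:", failures_per_host(ORIGINAL_FAILREGEX, SAMPLE_LOG))
    print("modified:", failures_per_host(MODIFIED_FAILREGEX, SAMPLE_LOG))
```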


Category: Linux

Discussion

  1. james on Apr 25, 2010 - 16:46 said:

    Sweet. Have you proposed this patch upstream to the maintainers of fail2ban? I'm confident that this is a viable patch that can only improve the product. Thanks!


  2. Good idea. I just emailed the fail2ban dev about it.



