Date: Wed, 5 Aug 2020 10:59:56 -0600
From: "@lbutlr" <kremels@kreme.com>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: SSH log lines
Message-ID: <A75BF381-8BBB-407F-862A-8A3E1AC1A516@kreme.com>
In-Reply-To: <745dc612-d5a4-1e06-89bb-8df5dfbd7e1f@fechner.net>
References: <09256F5E-469C-402B-94DC-3C07F8AC29ED@kreme.com> <745dc612-d5a4-1e06-89bb-8df5dfbd7e1f@fechner.net>

On 03 Aug 2020, at 23:22, Matthias Fechner <idefix@fechner.net> wrote:
> On 03.08.2020 at 21:37, @lbutlr wrote:
>> When some moon tries to login to an account like root, ssh doesn’t log the IP address in the failure line as it does with non-existent users.
>>
>> sshd[99328] error: PAM: Authentication error for root from vps-94314d13.vps.ovh.ca
>> sshd[99328] Connection closed by authenticating user root 139.99.236.165 port 46226 [preauth]
>>
>> sshd[7202] Invalid user pi from 2.232.248.6 port 46438
>>
>> Is there any way that I can change this so that the IP address appears on the same line as the Authentication error, it would make my blacklisting these people much easier.
>
> try fail2ban, it can handle all of this correctly.

What I am trying to do is instantly ban any criminals attempting to login to root (and a few other accounts). Fail2ban will ban repeated attempts (just like sshguard which I am already using).

But it doesn't matter, the sshguard author is looking at adding a feature for this.

--
Space Directive 723: Terraformers are expressly forbidden from recreating Swindon.
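
Added example, not part of the original message and not code from sshd, sshguard or fail2ban: the address for a failed root login can be recovered by pairing the PAM error with the "Connection closed" line logged by the same sshd PID. The names offenders and PROTECTED are assumptions made for this example; the sample input is the three log lines quoted in the message.

```python
import ipaddress
import re

# Accounts where one failed attempt is enough to report (assumed policy).
PROTECTED = {"root"}

# Patterns are anchored at end of line and the user field is greedy, so text
# embedded in a client-supplied user name cannot pose as the address field.
_PID = r"sshd\[(?P<pid>\d+)\]:?\s+"
PAM_FAIL = re.compile(_PID + r"error: PAM: Authentication error for (?P<user>.+) from \S+$")
CLOSED = re.compile(_PID + r"Connection closed by authenticating user (?P<user>.+) "
                           r"(?P<ip>\S+) port \d+ \[preauth\]$")
INVALID = re.compile(_PID + r"Invalid user (?P<user>.+) from (?P<ip>\S+) port \d+$")


def _valid_ip(text):
    """True only for a literal IPv4/IPv6 address, never a hostname."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def offenders(lines, protected=PROTECTED):
    """Return (user, ip) pairs for failed logins to protected accounts."""
    pending = {}   # sshd PID -> user named in a PAM failure, IP not yet seen
    found = []
    for line in map(str.strip, lines):
        if m := PAM_FAIL.search(line):
            if m["user"] in protected:
                pending[m["pid"]] = m["user"]
        elif m := CLOSED.search(line):
            # Same PID means same connection: this line carries the address.
            if pending.pop(m["pid"], None) == m["user"] and _valid_ip(m["ip"]):
                found.append((m["user"], m["ip"]))
        elif m := INVALID.search(line):
            if m["user"] in protected and _valid_ip(m["ip"]):
                found.append((m["user"], m["ip"]))
    return found


# The three log lines quoted in the message above.
SAMPLE = [
    "sshd[99328] error: PAM: Authentication error for root from vps-94314d13.vps.ovh.ca",
    "sshd[99328] Connection closed by authenticating user root 139.99.236.165 port 46226 [preauth]",
    "sshd[7202] Invalid user pi from 2.232.248.6 port 46438",
]

if __name__ == "__main__":
    for user, ip in offenders(SAMPLE):
        print(f"{ip}\t{user}")
```

The optional colon in the PID pattern also accepts the usual syslog form "sshd[99328]: ..." with a timestamp and host in front.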
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A75BF381-8BBB-407F-862A-8A3E1AC1A516>
