Using fail2ban is a great way to stop dictionary attacks on SSH, but I ran into an unusual problem with it: I sometimes got banned after a series of perfectly successful logins. The reason was that I had public key authentication set up for another user on the same host, and my ssh client was offering that key for all the other accounts before falling back to a password prompt. Every rejected key leaves a "Failed publickey" line in the sshd log, and the default fail2ban sshd filter counts that line exactly like a failed password attempt, hence the ban.
To change this behavior I had to edit /etc/fail2ban/filter.d/sshd.conf and change the failregex line

^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$

to

^%(__prefix_line)sFailed password for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
and, of course, restart the daemon. Before restarting, fail2ban-regex can confirm the edit against the real log (fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, with /var/log/secure in place of auth.log on Red Hat style systems): the "Failed publickey" lines should no longer count as matches while the "Failed password" lines still do. From a security point of view, I find it highly unlikely that an attacker would brute-force public keys, so the setup is still safe. The alternative that leaves the filter untouched is to fix the client instead, for example by setting PubkeyAuthentication no in ~/.ssh/config for the accounts that are meant to log in with a password, so the key is never offered for them in the first place.
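To see the difference the edit makes, here is an added example (not code from the post or from fail2ban itself) that runs the stock and the modified failregex over a few constructed sshd log lines and counts matches per host the way fail2ban's filter does. The <HOST> expansion is fail2ban's own; the %(__prefix_line)s stand-in, the sample addresses, user names and timestamps are assumptions made for the example.

```python
import re
from collections import Counter

# Stand-in for fail2ban's %(__prefix_line)s (syslog timestamp, hostname, "sshd[pid]: ").
# The real definition in common.conf is more permissive; this simplified one is an
# assumption made for the example.
PREFIX_LINE = r"(?:\S+ +\d+ \d+:\d+:\d+ )?\S+ sshd\[\d+\]: "

# fail2ban's own expansion of the <HOST> placeholder (0.8.x), reproduced here
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Stock failregex line from filter.d/sshd.conf: counts failed passwords and failed public keys
ORIGINAL_FAILREGEX = (r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>"
                      r"(?: port \d*)?(?: ssh\d*)?$")

# The modified line from the post: only failed passwords count
MODIFIED_FAILREGEX = (r"^%(__prefix_line)sFailed password for .* from <HOST>"
                      r"(?: port \d*)?(?: ssh\d*)?$")


def compile_failregex(failregex):
    """Expand the fail2ban placeholders and compile the result."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def count_failures(failregex, lines):
    """Return {host: number of log lines the failregex matched}, as fail2ban's filter counts them."""
    regex = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = regex.match(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def banned_hosts(failregex, lines, maxretry=3):
    """Hosts that reach maxretry matches; fail2ban's findtime window is ignored here."""
    return sorted(h for h, n in count_failures(failregex, lines).items() if n >= maxretry)


# Constructed sample sshd log lines, not taken from a real host.
# 192.0.2.10 is an admin whose ssh client offers a key for another account first and then
# logs in fine with a password; 198.51.100.7 is guessing passwords.
SAMPLE_LOG = [
    "Mar  5 10:00:01 myhost sshd[2001]: Failed publickey for bob from 192.0.2.10 port 51234 ssh2",
    "Mar  5 10:00:02 myhost sshd[2001]: Accepted password for bob from 192.0.2.10 port 51234 ssh2",
    "Mar  5 10:05:11 myhost sshd[2002]: Failed publickey for bob from 192.0.2.10 port 51240 ssh2",
    "Mar  5 10:05:12 myhost sshd[2002]: Accepted password for bob from 192.0.2.10 port 51240 ssh2",
    "Mar  5 10:09:30 myhost sshd[2003]: Failed publickey for bob from 192.0.2.10 port 51250 ssh2",
    "Mar  5 10:09:31 myhost sshd[2003]: Accepted password for bob from 192.0.2.10 port 51250 ssh2",
    "Mar  5 10:10:01 myhost sshd[2010]: Failed password for root from 198.51.100.7 port 40000 ssh2",
    "Mar  5 10:10:03 myhost sshd[2010]: Failed password for root from 198.51.100.7 port 40000 ssh2",
    "Mar  5 10:10:05 myhost sshd[2010]: Failed password for root from 198.51.100.7 port 40000 ssh2",
    "Mar  5 10:10:09 myhost sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
]

if __name__ == "__main__":
    for name, failregex in (("stock", ORIGINAL_FAILREGEX), ("modified", MODIFIED_FAILREGEX)):
        print(name, count_failures(failregex, SAMPLE_LOG),
              "-> would ban", banned_hosts(failregex, SAMPLE_LOG))
```

With the stock line the admin's three rejected key offers alone reach the default maxretry of 3 and 192.0.2.10 is banned alongside the password guesser; with the modified line only 198.51.100.7 is, which is the behavior the edit above is after.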