| Saturday April 19th 2014

Feedburner

Subscribe by email:

We promise not to spam/sell you.


Search Amazon deals:

fail2ban and SSH public key authentication


Using fail2ban is a great way to prevent dictionary attacks on SSH but I encountered an unusual problem with it: I sometimes got banned after frequent successful logins. fail2ban screenshotThe reason was that I had public key authentication set up for another user on the same host and ssh was trying to use it for all the other accounts before prompting me for a password. The default fail2ban filters consider the “Failed publickey” error in the sshd log file at the same level with a failed password login hence the ban.

To change this behavior I had to edit /etc/fail2ban/filter.d/sshd.conf and change
1 ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?$
to
1 ^%(__prefix_line)sFailed password for .* from (?: port \d*)?(?: ssh\d*)?$
and, of course, restart the daemon. From a security point of view, I find it highly unlikely that an attacker might use brute force with public keys so the setup is still safe.

Related Posts: On this day...

Leave a Reply

You must be logged in to post a comment.