From Fail2ban
Jump to: navigation, search

ssh and pam

OpenSSH on recent linux distributions uses pam to authenticate user. If the user doesn't exist this line is printed on auth.log

Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=

Adding this regex rule is really helpful:

sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>