Talk:OpenSSH
From Fail2ban
Revision as of 03:24, 15 March 2014 by Daniel.subs (Talk | contribs) (removed stuff that has been implemented for ages)
ssh and pam
OpenSSH on recent Linux distributions uses PAM to authenticate users. If the user doesn't exist, this line is printed to auth.log:
Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29
Adding this regex rule is really helpful:
sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
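A quick way to check the rule above against log lines before deploying it, as an added example that is not part of the original talk-page post or of Fail2ban's code. The `HOST_GROUP` pattern is an assumed, simplified stand-in for Fail2ban's `<HOST>` tag, the `maxretry` threshold is illustrative, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# The rule from the page, unchanged.
FAILREGEX = r"sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>"

# Assumption: simplified replacement for Fail2ban's <HOST> tag
# (dotted IPv4 address or a hostname), not Fail2ban's own expansion.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+)"


def compile_failregex(rule):
    """Expand the <HOST> tag and compile the rule for an unanchored search."""
    return re.compile(rule.replace("<HOST>", HOST_GROUP))


def failed_hosts(lines, rule=FAILREGEX):
    """Count matching lines per captured remote host."""
    pattern = compile_failregex(rule)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=3):
    """Hosts with at least `maxretry` matching failures (illustrative threshold)."""
    return sorted(h for h, n in failed_hosts(lines).items() if n >= maxretry)


SAMPLE_LOG = [
    # Line quoted on the page.
    "Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29",
    # Constructed lines: repeated failures from one documentation-range address.
    "Jul 20 01:35:50 foo sshd[7142]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10",
    "Jul 20 01:35:53 foo sshd[7144]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "Jul 20 01:35:57 foo sshd[7146]: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10",
    # Constructed lines that must NOT match: a successful login and a non-sshd service.
    "Jul 20 01:36:10 foo sshd[7152]: Accepted password for alice from 198.51.100.7 port 51122 ssh2",
    "Jul 20 01:36:30 foo su[7160]: (pam_unix) authentication failure; "
    "logname=alice uid=1000 euid=0 tty=pts/1 ruser=alice rhost=  user=root",
]
```

On a host with Fail2ban installed, the bundled `fail2ban-regex` tool performs the same kind of check against the real log file with the real `<HOST>` expansion.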