From Fail2ban
Revision as of 03:24, 15 March 2014 by Daniel.subs (Talk | contribs) (removed stuff that has been implemented for ages)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

ssh and pam

OpenSSH on recent linux distributions uses pam to authenticate user. If the user doesn't exist this line is printed on auth.log

Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=

Adding this regex rule is really helpful:

sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>