richieeee
Posts: 14
Joined: Sat Dec 21, 2013 1:26 pm

fail2ban setup for SSH using keys

Fri Dec 30, 2016 7:40 pm

Hi

I've enabled a Pi with SSH on Jessie Lite so I can log in remotely. I have changed the port from 22 and enabled logging in with SSH keys and then installed fail2ban with it set to ban on 1 failed login attempt.

However, fail2ban seems to ignore failed login attempts without keys; auth.log shows

sshd[739]: Connection closed by IP [preauth]

I understand nobody can log in without the keys, but thought fail2ban would block the port if a failed attempt was made?

I have seen a post elsewhere adding this line to fail2ban ssh filter,

^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$

But I'm not sure if it is wise to add this line or not, as I'd have thought it would have been a default line in the filter anyway. Does anyone have a view on this?

I also noticed that my Jessie Lite installation is using a deb from 2014, fail2ban_0.8.13-1_all.deb. I can see Raspbian has a newer version, fail2ban_0.9.6-1_all.deb http://mirrordirector.raspbian.org/rasp ... /fail2ban/ and wondered if the newer fail2ban version might block failed ssh key attempts, but I'm confused as to why it is not available via apt-get. Any ideas?

Thanks in advance
Rich

DougieLawson
Posts: 39121
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: fail2ban setup for SSH using keys

Fri Dec 30, 2016 11:08 pm

I've added that preauth line with no adverse effects.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.
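
An added example, not from either poster and not fail2ban's own code: it runs the filter line quoted in the thread over constructed auth.log lines to show which addresses a ban-on-1 setting would pick up. The expansions of %(__prefix_line)s and <HOST>, the exact-match ignoreip, and the sample addresses are simplified assumptions.

```python
import re
from collections import Counter

# The filter line quoted in the thread, verbatim.
FAILREGEX = r"^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$"

# Simplified stand-ins (assumptions) for what fail2ban substitutes itself:
# an optional syslog timestamp and hostname, then "sshd[pid]: ", and an IPv4 host.
PREFIX = r"(?:\w{3}\s+\d+ [\d:]{8} \S+ )?sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(template=FAILREGEX):
    """Expand the two placeholders and compile the resulting pattern."""
    expanded = template.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)
    return re.compile(expanded)

# Constructed auth.log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "Dec 30 19:31:02 raspberrypi sshd[739]: Connection closed by 203.0.113.7 [preauth]",
    "Dec 30 19:31:40 raspberrypi sshd[741]: Connection closed by 203.0.113.7 [preauth]",
    "Dec 30 19:33:15 raspberrypi sshd[745]: Accepted publickey for pi from 192.0.2.10 port 50122 ssh2",
    # The same client that logged in above, closing a later connection before auth.
    "Dec 30 19:35:09 raspberrypi sshd[750]: Connection closed by 192.0.2.10 [preauth]",
    "Dec 30 19:36:00 raspberrypi sshd[752]: Received disconnect from 198.51.100.4: 11: Bye Bye [preauth]",
]

def hosts_to_ban(lines, maxretry=1, ignoreip=()):
    """Return hosts whose matching lines reach maxretry, skipping ignoreip entries.

    ignoreip is an exact-address match here; the real option is more flexible.
    """
    rx = compile_failregex()
    hits = Counter()
    for line in lines:
        m = rx.match(line)
        if m and m.group("host") not in ignoreip:
            hits[m.group("host")] += 1
    return sorted(host for host, count in hits.items() if count >= maxretry)

if __name__ == "__main__":
    print("ban on 1 match:      ", hosts_to_ban(SAMPLE_LOG))
    print("with own IP ignored: ", hosts_to_ban(SAMPLE_LOG, ignoreip=("192.0.2.10",)))
    print("maxretry raised to 3:", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

The line matches on the message text alone, so with a ban on 1 match any address that closes a connection before authenticating is counted, including the key holder's own; listing trusted addresses in the jail's ignoreip setting avoids banning them.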
