* [gentoo-user] ssh authkeys log invalid
From: thegeezer @ 2014-04-21 19:02 UTC
To: gentoo-user
Hi all,
i was looking up the gentoo wiki on fail2ban [1] to have it look at its
own log file fail2ban.log in order to block repeat offenders for longer
as abuse@offender doesn't really seem to help these days.
then i saw a warning saying fail2ban not blocking all requests which i
followed to github [2] which has a paste of his logfiles [3]
now this i commented at github saying it looks similar to something i
discovered when trying to setup authkeys on ssh - namely invalid keys
give you no log file entry saying "invalid keys"
can anyone tell me if they know how to make the log file entry show that
it was an invalid key?
i only know that it is this from my experience -- when i was using the wrong
key or auth keys file had wrong permission i had only similar entries in my logs.
i did try to find the answer myself at that time but was unable to.
thanks in advance!
[1] http://wiki.gentoo.org/wiki/Fail2ban
[2] https://github.com/fail2ban/fail2ban/issues/643
[3] http://bpaste.net/show/188261/
* Re: [gentoo-user] ssh authkeys log invalid
From: thegeezer @ 2014-04-28 19:54 UTC
To: gentoo-user
On 04/21/2014 08:02 PM, thegeezer wrote:
> Hi all,
> i was looking up the gentoo wiki on fail2ban [1] to have it look at its
> own log file fail2ban.log in order to block repeat offenders for longer
> as abuse@offender doesn't really seem to help these days.
>
> then i saw a warning saying fail2ban not blocking all requests which i
> followed to github [2] which has a paste of his logfiles [3]
>
> now this i commented at github saying it looks similar to something i
> discovered when trying to setup authkeys on ssh - namely invalid keys
> give you no log file entry saying "invalid keys"
>
> can anyone tell me if they know how to make the log file entry show that
> it was an invalid key?
> i only know that it is this from my experience -- when i was using the wrong
> key or auth keys file had wrong permission i had only similar entries in my logs.
> i did try to find the answer myself at that time but was unable to.
>
> thanks in advance!
>
>
>
> [1] http://wiki.gentoo.org/wiki/Fail2ban
> [2] https://github.com/fail2ban/fail2ban/issues/643
> [3] http://bpaste.net/show/188261/
>
>
>
>
hey so i've been doing some digging and for openssh to log public key
failures you have to set loglevel to minimum of VERBOSE
please see my email to openssh mailing list. [4]
is this something that could be implemented as a gentoo specific patch ?
if so how would i go about requesting it ?
i don't know about you all but i'm a little concerned that ssh is not
logging bruteforce public keys, they might be harder to crack but if
they are invisible in the logs then this could go on silently for a long
time.
[4] http://marc.info/?l=openssh-unix-dev&m=139871423503774&w=3
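
An added example, not part of the thread and not code from OpenSSH, fail2ban or Gentoo: a shell check that reads an sshd_config and reports whether the global LogLevel is VERBOSE or higher, the minimum the message above gives for failed public-key attempts to be logged. It assumes only the global section matters (it stops at the first Match block and does not follow Include); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this sshd_config make sshd log failed public-key
# attempts, i.e. is the global LogLevel VERBOSE or above?

# Print the effective global LogLevel of the sshd_config file "$1".
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and the built-in default is INFO.
sshd_global_loglevel() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, tolerate Key=Value
        tolower($1) == "match" { exit }       # assumption: global section only
        tolower($1) == "loglevel" && $2 != "" { print toupper($2); found = 1; exit }
        END { if (!found) print "INFO" }      # no LogLevel line: default applies
    ' "$1"
}

# Return 0 if that level is high enough to record failed publickey attempts.
logs_pubkey_failures() {
    case "$(sshd_global_loglevel "$1")" in
        VERBOSE|DEBUG|DEBUG1|DEBUG2|DEBUG3) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config (not from the thread) to exercise the check.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#LogLevel INFO' 'loglevel verbose' 'LogLevel INFO' > "$sample"
if logs_pubkey_failures "$sample"; then
    echo "LogLevel $(sshd_global_loglevel "$sample"): failed publickey attempts are logged"
else
    echo "LogLevel $(sshd_global_loglevel "$sample"): failed publickey attempts are not logged"
fi
rm -f "$sample"
```

On a live host the same functions can be pointed at /etc/ssh/sshd_config before relying on a fail2ban sshd jail to see key-based attempts.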
* Re: [gentoo-user] ssh authkeys log invalid
From: Mick @ 2014-04-28 20:28 UTC
To: gentoo-user
On Monday 28 Apr 2014 20:54:18 thegeezer wrote:
> On 04/21/2014 08:02 PM, thegeezer wrote:
> > Hi all,
> > i was looking up the gentoo wiki on fail2ban [1] to have it look at its
> > own log file fail2ban.log in order to block repeat offenders for longer
> > as abuse@offender doesn't really seem to help these days.
> >
> > then i saw a warning saying fail2ban not blocking all requests which i
> > followed to github [2] which has a paste of his logfiles [3]
> >
> > now this i commented at github saying it looks similar to something i
> > discovered when trying to setup authkeys on ssh - namely invalid keys
> > give you no log file entry saying "invalid keys"
> >
> > can anyone tell me if they know how to make the log file entry show that
> > it was an invalid key?
> > i only know that it is this from my experience -- when i was using the
> > wrong key or auth keys file had wrong permission i had only similar
> > entries in my logs. i did try to find the answer myself at that time but
> > was unable to.
> >
> > thanks in advance!
> >
> >
> >
> > [1] http://wiki.gentoo.org/wiki/Fail2ban
> > [2] https://github.com/fail2ban/fail2ban/issues/643
> > [3] http://bpaste.net/show/188261/
>
> hey so i've been doing some digging and for openssh to log public key
> failures you have to set loglevel to minimum of VERBOSE
> please see my email to openssh mailing list. [4]
> is this something that could be implemented as a gentoo specific patch ?
> if so how would i go about requesting it ?
> i don't know about you all but i'm a little concerned that ssh is not
> logging bruteforce public keys, they might be harder to crack but if
> they are invisible in the logs then this could go on silently for a long
> time.
>
> [4] http://marc.info/?l=openssh-unix-dev&m=139871423503774&w=3
At the very least when one emerges fail2ban there should be an elog message
informing/warning of the required modifications to the associated
applications' config files, like ssh, to enable fail2ban to do its filtering.
You can raise a bug for it at: https://bugs.gentoo.org/
--
Regards,
Mick