
How to customize the ssh log?

Goal of my question:

Implement a fail2ban which bans a user. (For this I have a solution.)

Work environment:

  • I connect to my machines with an ssh key protected with a password
  • When a user types a wrong password for his ssh key thrice, I want to ban him to prevent attacks

Fail2ban parses logs in /var/log/messages.

Currently I have enabled LogLevel DEBUG2 in /etc/ssh/sshd_config to obtain this log:
Feb 25 09:31:12 ip-10-8-11-126 sshd[12033]: Postponed publickey for USER from IP_ADDRESS port 51134 ssh2 [preauth]
Feb 25 09:31:27 ip-10-8-11-126 sshd[12033]: Connection closed by IP_ADDRESS port 51134 [preauth]

Does anyone know a tip to modify the log format sent by ssh so that it has the following format, with or without enabling LogLevel DEBUG2 in /etc/ssh/sshd_config?
Feb 25 09:31:27 ip-10-8-11-126 sshd[12033]: Connection closed by IP_ADDRESS port 51134 for USER[preauth]

Thank you for your help !


Answer

You can’t change the log format. Even if you did, you’d be matching on the same failure twice.

You cannot match on the user getting their ssh key password incorrect. This purely occurs on the client side.

Even if you managed to do this, a user might remove the passphrase on their key to prevent getting locked out this way. Security mechanisms have consequences.

User contributions licensed under: CC BY-SA
7 People found this is helpful
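
An added example, not part of the original question or answer: since sshd's format cannot be changed, a log consumer can recover the user for a "Connection closed ... [preauth]" line by joining it to the earlier "Postponed publickey" line on the sshd PID. Such a pair shows only that a client offered a key and then disconnected, not that a passphrase was wrong, which happens client-side as the answer says. The function names, the sample log and the assumption that a successful login logs "Accepted publickey" under the same PID are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format shown in the question (documentation IP ranges).
SAMPLE_LOG = """\
Feb 25 09:31:12 ip-10-8-11-126 sshd[12033]: Postponed publickey for alice from 203.0.113.7 port 51134 ssh2 [preauth]
Feb 25 09:31:27 ip-10-8-11-126 sshd[12033]: Connection closed by 203.0.113.7 port 51134 [preauth]
Feb 25 09:32:01 ip-10-8-11-126 sshd[12040]: Postponed publickey for alice from 203.0.113.7 port 51140 ssh2 [preauth]
Feb 25 09:32:09 ip-10-8-11-126 sshd[12040]: Connection closed by 203.0.113.7 port 51140 [preauth]
Feb 25 09:32:30 ip-10-8-11-126 sshd[12051]: Postponed publickey for alice from 203.0.113.7 port 51152 ssh2 [preauth]
Feb 25 09:32:41 ip-10-8-11-126 sshd[12051]: Connection closed by 203.0.113.7 port 51152 [preauth]
Feb 25 09:33:02 ip-10-8-11-126 sshd[12060]: Postponed publickey for bob from 198.51.100.9 port 40022 ssh2 [preauth]
Feb 25 09:33:03 ip-10-8-11-126 sshd[12060]: Accepted publickey for bob from 198.51.100.9 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
Feb 25 09:33:40 ip-10-8-11-126 sshd[12070]: Connection closed by 192.0.2.5 port 40000 [preauth]
"""

POSTPONED = re.compile(r"sshd\[(?P<pid>\d+)\]: Postponed publickey for (?P<user>\S+) "
                       r"from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted publickey for ")
CLOSED = re.compile(r"sshd\[(?P<pid>\d+)\]: Connection closed by (?P<ip>\S+) "
                    r"port (?P<port>\d+) \[preauth\]")

def abandoned_pubkey_attempts(lines):
    """Count (user, ip) pairs whose key was offered and the session then closed pre-auth."""
    pending = {}        # sshd pid -> (user, ip, port) from the "Postponed" line
    counts = Counter()
    for line in lines:
        if m := POSTPONED.search(line):
            pending[m["pid"]] = (m["user"], m["ip"], m["port"])
        elif m := ACCEPTED.search(line):
            pending.pop(m["pid"], None)      # login completed: not a failure
        elif m := CLOSED.search(line):
            seen = pending.pop(m["pid"], None)
            # PIDs are reused over time, so also require the same peer address and port.
            if seen and seen[1:] == (m["ip"], m["port"]):
                counts[(seen[0], seen[1])] += 1
    return counts

def over_threshold(counts, limit=3):
    """Return the (user, ip) pairs seen at least `limit` times (thrice, as in the question)."""
    return sorted(pair for pair, n in counts.items() if n >= limit)

if __name__ == "__main__":
    for user, ip in over_threshold(abandoned_pubkey_attempts(SAMPLE_LOG.splitlines())):
        print(f"ban candidate: user={user} ip={ip}")
```

The "Postponed publickey" line only appears at the debug log levels the question enables, so this correlation depends on that setting.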