Update SSHD Configuration to Capture publickey Authentication

In order for App Infrastructure Protection (AIP) to capture publickey authentication failures, the server's SSHD logging must be set to VERBOSE in the SSHD configuration.

Edit /etc/ssh/sshd_config and change

LogLevel INFO

to

LogLevel VERBOSE

then restart the service with

service sshd restart

or, on Ubuntu/Debian,

service ssh restart
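The edit above can be scripted so that it is safe to re-run. The following is an added example, not part of the original article: a POSIX sh helper that sets the global LogLevel in a given sshd_config path (replacing a commented or active directive, and placing a new one ahead of any Match block so it is not made conditional), plus a reader that reports the effective level. The function names, the use of a temporary file, and the sshd -t validation step are assumptions.

```shell
#!/bin/sh
# Added example: idempotently set "LogLevel VERBOSE" in an sshd_config file.
# Usage: set_sshd_loglevel /etc/ssh/sshd_config && sshd -t && service sshd restart

# Print the effective global LogLevel: sshd honours the first uncommented
# directive before any Match block, and defaults to INFO when none is set.
sshd_loglevel() {
    level=$(awk '
        tolower($1) == "match"    { exit }
        tolower($1) == "loglevel" { print toupper($2); exit }
    ' "$1")
    echo "${level:-INFO}"
}

# Rewrite FILE so its global LogLevel is LEVEL (default VERBOSE).
# - the first "LogLevel" or "#LogLevel" line before a Match block is replaced
# - if none exists, the directive is inserted before the first Match block
#   (or appended when there is no Match block at all)
set_sshd_loglevel() {
    cfg=$1
    level=${2:-VERBOSE}
    tmp="$cfg.tmp.$$"
    awk -v level="$level" '
        !in_match && tolower($1) == "match" {
            if (!done) { print "LogLevel " level; done = 1 }
            in_match = 1
        }
        !in_match && !done && tolower($1) ~ /^#?loglevel$/ {
            print "LogLevel " level; done = 1; next
        }
        { print }
        END { if (!done) print "LogLevel " level }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Validate the rewritten config before restarting sshd (skipped if sshd is absent).
sshd_config_ok() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}
```

Writing through `cat` rather than `mv` keeps the original file's mode and ownership, which matters for a file sshd reads at startup.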


Rule Modification

You also need to alter the rule "User Activity: Login Failures" in the Base Ruleset.

Add a filter of group = "authentication_failed" to catch the publickey failures, in addition to the existing filter for "authentication-failed". Combine the two with OR so the filter value becomes:

group = "authentication_failed" OR group = "authentication-failed"

