Update SSHD config to capture publickey authentication.

For Threat Stack to capture publickey authentication failures, the server's SSHD logging must be set to VERBOSE in the SSHD config. At the default LogLevel of INFO, sshd does not log most failed publickey attempts, so there is nothing for the agent to pick up.

You will need to edit /etc/ssh/sshd_config and change

LogLevel INFO

to

LogLevel VERBOSE

(On many distributions the default line is commented out as #LogLevel INFO; uncomment it when you change the value.)

then restart the service with

service sshd restart

or, on Ubuntu/Debian,

service ssh restart
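The edit-and-restart procedure above as a script, added here as an example and not part of the Threat Stack article. It is a little more general than the steps: it rewrites the first global LogLevel line (including a commented-out #LogLevel INFO default) rather than assuming the exact text "LogLevel INFO", keeps the setting out of any Match block, parse-checks the config with sshd -t before restarting, and tries both service names. The function names, the SSHD_BIN variable, the --apply flag and the sample config lines in the test are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Threat Stack article): set the global sshd
# LogLevel to VERBOSE, check that the config parses, and restart the daemon.
# Function names, SSHD_BIN and the --apply flag are this example's own.

# Rewrite the first global LogLevel line (even a commented-out "#LogLevel INFO"
# default) to "LogLevel VERBOSE". sshd uses the first value it reads for a
# keyword, and a LogLevel that appears after a "Match" line applies only to
# that block, so when no global line exists the setting is inserted before
# the first Match block (or appended when there is none). Safe to run twice.
set_sshd_loglevel_verbose() {
    _cfg="${1:-/etc/ssh/sshd_config}"
    _tmp="${_cfg}.tmp.$$"
    awk '
        /^[[:space:]]*Match[[:space:]]/ {
            if (!done) { print "LogLevel VERBOSE"; done = 1 }
            in_match = 1
        }
        !in_match && !done && /^[[:space:]]*#?[[:space:]]*LogLevel[[:space:]]+[A-Za-z0-9]+[[:space:]]*$/ {
            print "LogLevel VERBOSE"; done = 1; next
        }
        { print }
        END { if (!done) print "LogLevel VERBOSE" }
    ' "$_cfg" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    # Copy back over the original so its owner and mode are preserved.
    cat "$_tmp" > "$_cfg" && rm -f "$_tmp"
}

# Print the LogLevel sshd will use outside Match blocks: the first global
# LogLevel line, or sshd's built-in default of INFO when there is none.
sshd_global_loglevel() {
    awk '
        /^[[:space:]]*Match[[:space:]]/ { exit }
        /^[[:space:]]*LogLevel[[:space:]]/ { found = 1; print $2; exit }
        END { if (!found) print "INFO" }
    ' "${1:-/etc/ssh/sshd_config}"
}

# Parse-check the config before restarting so a typo cannot leave the host
# without an SSH daemon, then restart under whichever service name applies
# (sshd on Red Hat-style systems, ssh on Ubuntu/Debian).
validate_and_restart_sshd() {
    _sshd_bin="${SSHD_BIN:-/usr/sbin/sshd}"
    "$_sshd_bin" -t || return 1
    service sshd restart 2>/dev/null || service ssh restart
}

# Only touch the live system when run as:  sh set_verbose.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set_sshd_loglevel_verbose /etc/ssh/sshd_config && validate_and_restart_sshd
fi
```

After the restart, sshd -T (capital T, which dumps the effective configuration) should show a line reading loglevel VERBOSE; if it still reads loglevel INFO, an earlier LogLevel line in the file or an included file is taking precedence, since sshd keeps the first value it reads for a keyword.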


Rule Modification

You will also need to alter the rule "User Activity: Login Failures" in the Base Ruleset.

Add a filter of group = "authentication_failed" (underscore) to catch the publickey failures. This is in addition to the existing filter for "authentication-failed" (hyphen); both spellings are needed, as the two event groups are distinct. Combine them with OR so the filter value reads:

group = "authentication_failed" OR group = "authentication-failed"
