In order for Threat Stack to capture publickey authentication fails the server needs to have SSHD logging set to VERBOSE within the SSHD config.
You will need to edit /etc/ssh/sshd_config and change
LogLevel INFO
to
LogLevel VERBOSE
then restart the service by either doing
service sshd restart
or
service ssh restart (ubuntu/debian)
Rule Modification
You will also need to alter the rule "User Activity: Login Failures" in the Base Ruleset.
Add a filter of group = "authentication_failed" in order to catch the publickey failures. This is in addition to the current filter for "authentication-failed". Use an OR function and make the value:
group = "authentication_failed" OR group = "authentication-failed"
0 Comments