Update SSHD Configuration to Capture publickey Authentication

In order for Threat Stack to capture publickey authentication fails, the server needs to have SSHD logging set to VERBOSE within the SSHD config. 

You need to edit /etc/ssh/sshd_config and change

LogLevel INFO

to

LogLevel VERBOSE

then restart the service by either doing

service sshd restart

or

service ssh restart (ubuntu/debian)

Rule Modification

You also need to alter the rule "User Activity: Login Failures" in the Base Ruleset.

Add a filter of group = "authentication_failed" in order to catch the publickey failures. This is in addition to the current filter for "authentication-failed". Use an OR function and make the value:

group = "authentication_failed" OR group = "authentication-failed"