Update SSHD Configuration to Capture publickey Authentication
In order for Threat Stack to capture publickey authentication failures, the server needs to have SSHD logging set to VERBOSE within the SSHD config.
You need to edit /etc/ssh/sshd_config and change
LogLevel INFO
to
LogLevel VERBOSE
then restart the service by either doing
service sshd restart
or
service ssh restart (Ubuntu/Debian)
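The steps above as one script, added here as an example and not part of the Threat Stack article. It assumes POSIX grep/sed (GNU or BSD) and a writable sshd_config path; it also handles the stock sshd_config, where the directive ships commented out as #LogLevel INFO, and refuses to restart sshd when the edited file fails the syntax check.

```bash
#!/usr/bin/env bash
# Added example, not part of the Threat Stack article: set "LogLevel VERBOSE"
# in an sshd_config idempotently, then syntax-check and restart sshd.
# Assumes POSIX grep/sed (GNU or BSD) and that $1 is a writable sshd_config path.
set -eu

# set_sshd_loglevel_verbose FILE
# The stock sshd_config ships the directive commented out ("#LogLevel INFO"), so a
# plain "change INFO to VERBOSE" edit may find nothing to change. Three cases:
#   1) an active "LogLevel <level>" line       -> rewrite it to VERBOSE
#   2) only the commented-out "#LogLevel ..."   -> replace it with an active line
#   3) no LogLevel line at all                  -> append one
set_sshd_loglevel_verbose() {
  local cfg="$1" tmp
  tmp="$(mktemp)"
  if grep -Eq '^[[:space:]]*LogLevel[[:space:]]' "$cfg"; then
    sed -E 's/^[[:space:]]*LogLevel[[:space:]].*/LogLevel VERBOSE/' "$cfg" > "$tmp"
  elif grep -Eq '^[[:space:]]*#[[:space:]]*LogLevel[[:space:]]' "$cfg"; then
    sed -E 's/^[[:space:]]*#[[:space:]]*LogLevel[[:space:]].*/LogLevel VERBOSE/' "$cfg" > "$tmp"
  else
    { cat "$cfg"; printf '\nLogLevel VERBOSE\n'; } > "$tmp"
  fi
  cat "$tmp" > "$cfg"   # write back through the original inode to keep owner/mode
  rm -f "$tmp"
}

# effective_sshd_loglevel: the value the running binary will actually use
# (needs root; "sshd -T" prints the effective configuration).
effective_sshd_loglevel() {
  sshd -T 2>/dev/null | awk '$1 == "loglevel" { print $2 }'
}

# apply_sshd_config FILE: never restart on a config that fails the syntax check,
# or the next reconnect attempt may lock you out of the host.
apply_sshd_config() {
  sshd -t -f "$1" || { echo "sshd -t rejected $1; not restarting" >&2; return 1; }
  if command -v systemctl >/dev/null 2>&1; then
    # Ubuntu/Debian call the unit "ssh"; most other distributions use "sshd".
    systemctl restart sshd 2>/dev/null || systemctl restart ssh
  else
    service sshd restart 2>/dev/null || service ssh restart
  fi
}

# Usage (as root):
#   set_sshd_loglevel_verbose /etc/ssh/sshd_config && apply_sshd_config /etc/ssh/sshd_config
# then confirm with:  effective_sshd_loglevel   (expect VERBOSE)
```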
Rule Modification
You also need to alter the rule "User Activity: Login Failures" in the Base Ruleset.
Add a filter of group = "authentication_failed" so the rule also catches the publickey failures. This is in addition to the existing filter for "authentication-failed": combine the two with an OR and set the value to:
group = "authentication_failed" OR group = "authentication-failed"