SSH log successful login by publickey too #196
chrisandchris
started this conversation in
Ideas
Replies: 3 comments 2 replies
-
Can you post the actual log file line? You can mask out the user and IP. I'll add this to the regex.
-
Sure, I'll take an example from https://www.elastic.co/de/blog/grokking-the-linux-authorization-logs which looks like mine (with different usernames / IPs obviously):
-
Ok, I believe this is fixed in 1.7.2, which I refreshed today with commit 69a1415. Let me know if you see the same
-
Hi there,
I have a question/input about the defaults for SSH log file parsing. The default only matches "Accepted password [...]", however this does not match any authentication with publickey (or other authentication method). See: https://github.com/DigitalRuby/IPBan/blob/master/IPBanCore/ipban.config#L58
E.g. the message when authenticating with a publickey looks like this:
I suggest either extending the regex in ipban.config to also match publickey auth or using a wildcard (\w) to match any authentication method. Or is there any disadvantage I'm not seeing? Maybe the same applies to failed logins (using an invalid/wrong key pair).
Best regards,
Christian
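
The difference between the matching options discussed in this post, as an added example that is not part of the original thread and not IPBan's own regex. It is written in Python `re` syntax; the patterns, function names and log lines are constructed for illustration. It shows that a `\w` wildcard still misses sshd methods whose names contain `-` or `/`, such as `keyboard-interactive/pam`.

```python
import re

# Hypothetical pattern (assumption, not copied from ipban.config).
# Anchored at line start so the match can only begin at the syslog prefix.
# \S+ is used for the method because \w+ stops at '-' and '/'.
ACCEPTED = re.compile(
    r"^(?:\S+\s+){2,4}sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)"
    r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>[0-9A-Fa-f:.]+)"
    r"\s+port\s+(?P<port>\d+)"
)
# The "password only" behaviour the post describes, and the \w suggestion.
PASSWORD_ONLY = re.compile(r"Accepted\s+password\s+for")
WORD_WILDCARD = re.compile(r"Accepted\s+\w+\s+for")

# Constructed sample lines in the usual sshd auth.log shape.
SAMPLE_LINES = [
    "Mar  3 10:15:01 host1 sshd[1201]: Accepted password for alice "
    "from 192.0.2.10 port 50112 ssh2",
    "Mar  3 10:16:22 host1 sshd[1207]: Accepted publickey for bob "
    "from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED",
    "Mar  3 10:17:40 host1 sshd[1213]: Accepted keyboard-interactive/pam "
    "for carol from 2001:db8::5 port 51000 ssh2",
    "Mar  3 10:18:05 host1 sshd[1219]: Failed password for invalid user "
    "admin from 203.0.113.9 port 33333 ssh2",
]


def parse_accepted(line):
    """Return method/user/ip/port for a successful login line, else None."""
    m = ACCEPTED.search(line)
    return m.groupdict() if m else None


def coverage(lines):
    """Count how many lines each pattern variant recognises."""
    return {
        "password_only": sum(bool(PASSWORD_ONLY.search(l)) for l in lines),
        "word_wildcard": sum(bool(WORD_WILDCARD.search(l)) for l in lines),
        "nonspace_wildcard": sum(parse_accepted(l) is not None for l in lines),
    }


if __name__ == "__main__":
    print(coverage(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        print(parse_accepted(line))
```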