I think you could end up with a lot of false positives doing this. I know I have quite a few keys that my client will try before falling back to password authentication. You would need to have enough logic in your script to see if the authentication succeeds at some point or have a very high limit. It might be more interesting to make a database of bad public keys or fingerprints and block any addresses that attempt one of them (assuming you can get openssh to log the failed keys somehow). -- Eldon Koyle On Apr 25 13:52+0100, TheGezer wrote: > Hi guys, > i was wondering if someone could point me in the right direction please. > if someone connects using public keys, but uses the wrong keys to > connect, openssh logs this kind of thing: > > Apr 21 23:50:04 [sshd] SSH: Server;Ltype: Version;Remote: > 122.169.248.92-49232;Protocol: 2.0;Client: libssh-0.2 > Apr 21 23:50:05 [sshd] SSH: Server;Ltype: Kex;Remote: > 122.169.248.92-49232;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth] > Apr 21 23:50:05 [sshd] SSH: Server;Ltype: Version;Remote: > 122.169.248.92-51680;Protocol: 2.0;Client: libssh-0.2 > Apr 21 23:50:05 [sshd] SSH: Server;Ltype: Kex;Remote: > 122.169.248.92-51680;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth] > > while i appreciate that bruteforcing a public key is significantly more > difficult than a short password, this does make me a little uneasy and > i'd like to be able to feed these bad IP addresses to my firewall. > > however, when I correctly ssh to my machines, i get similar entries > Apr 20 09:16:24 [sshd] SSH: Server;Ltype: Version;Remote: > 192.168.x.100-55939;Protocol: 2.0;Client: OpenSSH_5.9p1 Debian-5ubuntu3 > Apr 20 09:16:24 [sshd] SSH: Server;Ltype: Kex;Remote: > 192.168.x.100-55939;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth] > Apr 20 09:16:24 [sshd] SSH: Server;Ltype: Authname;Remote: > 192.168.x.100-55939;Name: root [preauth] > Apr 20 09:16:28 [sshd] Accepted keyboard-interactive/pam for root from > 192.168.x.100 port 55939 ssh2 > > i've tried changing LogLevel VERBOSE but it doesn't seem to make any > difference > what i was hoping for is something similar to this: > > Apr 24 11:53:47 [sshd] input_userauth_request: invalid user ubuntu [preauth] > > but saying "invalid keys" or similar. > > any pointers gratefully received, > thanks in advance and especially thanks for openssh ! > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev