Continuing on from #13953 continue to improve and standardise
logging from internal SSH.
Also updates the fail2ban setup
Signed-off-by: Andrew Thornton <art27@cantab.net>
@ -25,9 +25,27 @@ on a bad authentication from the web or CLI using SSH or HTTP respectively:
```log
```log
2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
```
```
```log
2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```
```log
2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```
```log
```log
2020/10/15 16:05:09 modules/ssh/ssh.go:188:publicKeyHandler() [E] SearchPublicKeyByContent: public key does not exist [id: 0] Failed authentication attempt from xxx.xxx.xxx.xxx
2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```
```
```log
2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```
```log
2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
```
```log
```log
2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
// User is presenting an invalid cerficate - STOP any further processing
// User is presenting an invalid certificate - STOP any further processing
log.Error("Permission Denied: Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s",cert.KeyId,gossh.FingerprintSHA256(cert.SignatureKey),principal)
iflog.IsError(){
log.Error("Invalid Certificate KeyID %s with Signature Fingerprint %s presented for Principal: %s from %s",cert.KeyId,gossh.FingerprintSHA256(cert.SignatureKey),principal,ctx.RemoteAddr())
}
log.Warn("Failed authentication attempt from %s",ctx.RemoteAddr())
returnfalse
returnfalse
}
}
iflog.IsDebug(){// <- FingerprintSHA256 is kinda expensive so only calculate it if necessary