sshd service: Default to INFO logLevel (upstream default) #100255
I got the bit about
On the motivation of the change, I believe that following the OpenSSH upstream default should take precedence over making OpenSSH play well with fail2ban out-of-the-box. If we instead concluded that we should keep a higher default SSH log level to benefit fail2ban, then we should document that in the sshd options.
force-pushed from d111fb6 to 34deb2a
Also try adding to
SGTM as openssh maintainer though I didn't test
force-pushed from 2d84df0 to afb7b56
force-pushed from afb7b56 to c6840c8
@Izorkin Nice idea, I implemented that. I'll wait another half-a-month in case more feedback arrives, after that I'll probably merge it.
The previous justification for using "VERBOSE" is incorrect, because OpenSSH does use level INFO to log "which key was used to log in" for successful logins, see: https://github.com/openssh/openssh-portable/blob/6247812c76f70b2245f3c23f5074665b3d436cae/auth.c#L323-L328 Also update description to the wording of the sshd_config man page. `fail2ban` needs sshd to be "VERBOSE" to work well, thus the `fail2ban` module sets it to "VERBOSE" if enabled. The docs are updated accordingly.
force-pushed from c6840c8 to a48fea4
I fixed the merge conflicts and squashed the commits, as they better fit into one.
Thanks @nh2!
Motivation for this change
This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
The previous justification (added in #40692) for using VERBOSE is incorrect, because OpenSSH does use level INFO to log "which key was used to log in" for successful logins, see: https://github.com/openssh/openssh-portable/blob/6247812c76f70b2245f3c23f5074665b3d436cae/auth.c#L323-L328
I've verified it; sshd logs with VERBOSE look like:

and with INFO look like:

As shown, the fingerprint for the successful login is still printed with INFO.
Things done
- Tested using sandboxing (`sandbox` in `nix.conf` on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)

CC @bjornfor @volth @Izorkin from #40692.
CC recent `sshd` committers @aanderse @infinisil @jeaye.
CC @eelco @lovek323 @fpletz as `fail2ban` maintainers, and @c0bw3b @Baughn as recent `fail2ban` service committers.
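The description above states that at LogLevel INFO sshd still prints the key fingerprint of a successful public-key login, which is what a defender needs to audit which key was used. The following added example (not code from this PR, from nixpkgs, or from OpenSSH) parses constructed sshd journal lines in that "Accepted ... ssh2: KEYTYPE SHA256:..." format and reports, per user, the fingerprints they authenticated with; hostnames, addresses, PIDs and fingerprints in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the PR). The "Accepted"
# lines follow the format sshd emits at LogLevel INFO: method, user, source,
# and for public-key logins the key type and SHA256 fingerprint.
SAMPLE_LOG = """\
Oct 11 10:00:01 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:c0nstructedFingerprint0000000000000000000000
Oct 11 10:00:05 host sshd[1240]: Accepted password for bob from 198.51.100.7 port 40000 ssh2
Oct 11 10:00:09 host sshd[1250]: Accepted publickey for alice from 192.0.2.11 port 51300 ssh2: RSA SHA256:c0nstructedFingerprint1111111111111111111111
Oct 11 10:00:12 host sshd[1234]: Disconnected from user alice 192.0.2.10 port 51234
"""

# The trailing key-type/fingerprint group is optional because password
# logins carry no key material.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>SHA256:\S+))?"
)


def parse_accepted(log_text):
    """Return one dict per successful login found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m is None:
            continue  # not a successful-login line
        ev = m.groupdict()  # unmatched optional groups come back as None
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def fingerprints_by_user(events):
    """Map each user to the sorted list of key fingerprints they logged in with.
    Logins without a key (e.g. password) contribute nothing here."""
    keys = defaultdict(set)
    for ev in events:
        if ev["fingerprint"]:
            keys[ev["user"]].add(ev["fingerprint"])
    return {user: sorted(fps) for user, fps in keys.items()}


def logins_without_key(events):
    """Successful logins that carry no fingerprint, i.e. non-public-key methods."""
    return [ev for ev in events if not ev["fingerprint"]]


if __name__ == "__main__":
    evs = parse_accepted(SAMPLE_LOG)
    for user, fps in fingerprints_by_user(evs).items():
        print(user, fps)
    for ev in logins_without_key(evs):
        print("no key:", ev["user"], ev["method"], ev["ip"])
```

Run it against `journalctl -u sshd` output instead of `SAMPLE_LOG` to list the keys actually used on a host; since the "Accepted" line is emitted at INFO, this works with the default log level this PR introduces and does not need VERBOSE.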