mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-23 15:33:13 +00:00
sshd service: Default to INFO logLevel (upstream default).
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for sccessful logins, see:
6247812c76/auth.c (L323-L328)
Also update description to the wording of the sshd_config man page.
`fail2ban` needs, sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.
The docs are updated accordingly.
This commit is contained in:
parent
bb8c2116dd
commit
a48fea4c5e
@ -321,7 +321,26 @@
|
||||
</section>
|
||||
<section xml:id="sec-release-21.11-notable-changes">
|
||||
<title>Other Notable Changes</title>
|
||||
<para>
|
||||
</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
The setting
|
||||
<link xlink:href="options.html#opt-services.openssh.logLevel"><literal>services.openssh.logLevel</literal></link>
|
||||
<literal>"VERBOSE"</literal>
|
||||
<literal>"INFO"</literal>. This brings NixOS in line
|
||||
with upstream and other Linux distributions, and reduces log
|
||||
spam on servers due to bruteforcing botnets.
|
||||
</para>
|
||||
<para>
|
||||
However, if
|
||||
<link xlink:href="options.html#opt-services.fail2ban.enable"><literal>services.fail2ban.enable</literal></link>
|
||||
is <literal>true</literal>, the <literal>fail2ban</literal>
|
||||
will override the verbosity to
|
||||
<literal>"VERBOSE"</literal>, so that
|
||||
<literal>fail2ban</literal> can observe the failed login
|
||||
attempts from the SSH logs.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
@ -79,3 +79,7 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
old 2.7.7 version.
|
||||
|
||||
## Other Notable Changes {#sec-release-21.11-notable-changes}
|
||||
|
||||
- The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
|
||||
|
||||
However, if [`services.fail2ban.enable`](options.html#opt-services.fail2ban.enable) is `true`, the `fail2ban` will override the verbosity to `"VERBOSE"`, so that `fail2ban` can observe the failed login attempts from the SSH logs.
|
||||
|
@ -351,15 +351,12 @@ in
|
||||
|
||||
logLevel = mkOption {
|
||||
type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];
|
||||
default = "VERBOSE";
|
||||
default = "INFO"; # upstream default
|
||||
description = ''
|
||||
Gives the verbosity level that is used when logging messages from sshd(8). The possible values are:
|
||||
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is VERBOSE. DEBUG and DEBUG1
|
||||
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1
|
||||
are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level
|
||||
violates the privacy of users and is not recommended.
|
||||
|
||||
LogLevel VERBOSE logs user's key fingerprint on login.
|
||||
Needed to have a clear audit track of which key was used to log in.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -45,7 +45,12 @@ in
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = "Whether to enable the fail2ban service.";
|
||||
description = ''
|
||||
Whether to enable the fail2ban service.
|
||||
|
||||
See the documentation of <option>services.fail2ban.jails</option>
|
||||
for what jails are enabled by default.
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
@ -221,6 +226,15 @@ in
|
||||
defined in <filename>/etc/fail2ban/action.d</filename>,
|
||||
while filters are defined in
|
||||
<filename>/etc/fail2ban/filter.d</filename>.
|
||||
|
||||
NixOS comes with a default <literal>sshd</literal> jail;
|
||||
for it to work well,
|
||||
<option>services.openssh.logLevel</option> should be set to
|
||||
<literal>"VERBOSE"</literal> or higher so that fail2ban
|
||||
can observe failed login attempts.
|
||||
This module sets it to <literal>"VERBOSE"</literal> if
|
||||
not set otherwise, so enabling fail2ban can make SSH logs
|
||||
more verbose.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -313,6 +327,9 @@ in
|
||||
banaction_allports = ${cfg.banaction-allports}
|
||||
'';
|
||||
# Block SSH if there are too many failing connection attempts.
|
||||
# Benefits from verbose sshd logging to observe failed login attempts,
|
||||
# so we set that here unless the user overrode it.
|
||||
services.openssh.logLevel = lib.mkDefault "VERBOSE";
|
||||
services.fail2ban.jails.sshd = mkDefault ''
|
||||
enabled = true
|
||||
port = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}
|
||||
|
Loading…
Reference in New Issue
Block a user