Bug 2633

Summary: Provide hook invoked for login failures
Product: Portable OpenSSH
Reporter: Josh Triplett <josh>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: djm
Priority: P5
Version: 7.3p1
Hardware: Other
OS: Linux

Description Josh Triplett 2016-10-27 05:03:41 AEDT
Many different scripts exist to parse the log output of sshd and attempt to block sources of excessive failed login attempts.  Most such scripts involve fragile, easily-misled text parsing.

Please consider adding a standard hook, configurable in sshd_config, invoked by sshd when a login fails.  That hook should receive the source IP address for the connection, and the login type(s) attempted and failed (not those not attempted), so that it can decide (for instance) to have different thresholds for password attempts/failures and key-based failures.

Comment 1 Damien Miller 2019-07-19 15:17:46 AEST
I suggest that you investigate the Linux audit API. OpenSSH has supported this for a while and it does notify failed authentication attempts via linux_audit_record_event().

Comment 2 Damien Miller 2021-04-23 15:08:42 AEST
closing resolved bugs as of 8.6p1 release
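
The following is an added example, not part of the bug thread and not OpenSSH code: a consumer of audit records that does the per-source failure counting the report asks for, without scraping sshd's free-text log lines. It assumes the failures appear in the auditd log as `USER_LOGIN` records with `exe=`, `addr=`, `acct=` and `res=` fields, that sshd lives at `/usr/sbin/sshd`, and that audit hex-encodes account names containing spaces or quotes; the sample records and function names are constructed for illustration.

```python
import re
from collections import defaultdict

SSHD_EXE = '"/usr/sbin/sshd"'  # assumed install path; adjust for your system
RECORD = re.compile(r"^type=USER_LOGIN msg=audit\((\d+)\.\d+:\d+\): .*?msg='([^']*)'$")

# Constructed sample records (documentation addresses). The third acct value is
# hex-encoded: it decodes to a name that tries to smuggle in "res=success".
SAMPLE = """\
type=USER_LOGIN msg=audit(1476900001.101:501): pid=811 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1476900010.220:502): pid=812 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1476900020.330:503): pid=813 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=726F6F74207265733D73756363657373 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1476900025.440:504): pid=814 uid=0 auid=1000 ses=7 msg='op=login acct="josh" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1476900030.550:505): pid=815 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="josh" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
"""

def decode_acct(value):
    """Return the account name: quoted values are literal, bare ones are hex."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def failed_logins(lines):
    """Yield (epoch, addr, acct) for each failed sshd login record."""
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        # Field values contain no spaces (such names are hex-encoded), so a
        # whitespace split cannot be confused by an attacker-chosen username.
        f = dict(t.split("=", 1) for t in m.group(2).split() if "=" in t)
        if f.get("exe") == SSHD_EXE and f.get("res") == "failed":
            yield int(m.group(1)), f.get("addr", "?"), decode_acct(f.get("acct", ""))

def over_threshold(lines, limit=3, window=60):
    """Return sorted addresses with `limit` failures inside `window` seconds."""
    seen = defaultdict(list)
    for ts, addr, _ in failed_logins(lines):
        seen[addr].append(ts)
    return sorted(a for a, s in seen.items()
                  if any(y - x <= window for x, y in zip(sorted(s), sorted(s)[limit - 1:])))
```

The source address and result come from fields the audit subsystem writes, so a username crafted to look like log fields stays confined to the `acct` value.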