I'm using joshuamkite's terraform-aws-ssh-bastion-service, which sets up an SSH socket with systemd that directs SSH connections to a docker container.
I have been attempting to set up fail2ban along with this service to assist with the insane amount of SSH requests these public boxes get daily. Unfortunately, with this setup it seems that auth.log doesn't know about the IP address:
sshd[32094]: Failed password for root from UNKNOWN port 65535 ssh2
sshd[41614]: Accepted publickey for cbell from UNKNOWN port 65535 ssh2: RSA SHA256:xxxx
The socket name itself is correctly named with the IP, so I'm not sure why it's being stripped in auth.log.
[email protected]:22-88.xxx.xxx.66:12437.service: Main process exited, code=exited, status=255/EXCEPTION
Screenshots from the repository show that auth.log did show IP addresses in late 2018, so something has changed since then.
Why is auth.log not correctly reporting IP addresses of connections?
Some potentially relevant versions:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04.2 LTS
systemd 245 (245.4-4ubuntu3.6)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
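
Added example, not part of the original post or the project's code: the per-connection unit name quoted in the question still carries the peer address, so it can be parsed out of the systemd exit line and counted per source. The template name `bastion-sshd`, the sample lines and the threshold are constructed, and treating a non-zero exit status as a failed session is an assumption.

```python
import ipaddress
import re
from collections import Counter

# systemd names each Accept=yes connection instance (IPv4 form) as
#   <template>@<counter>-<local ip>:<port>-<remote ip>:<port>.service
UNIT_RE = re.compile(
    r"(?P<template>[\w.-]+)@(?P<counter>\d+)-"
    r"(?P<local>[\d.]+):(?P<lport>\d+)-"
    r"(?P<remote>[\d.]+):(?P<rport>\d+)\.service: "
    r"Main process exited, code=exited, status=(?P<status>\d+)"
)

# Constructed sample lines; "bastion-sshd" is a placeholder template name.
SAMPLE = [
    "systemd[1]: bastion-sshd@12-10.0.0.5:22-203.0.113.7:40112.service: Main process exited, code=exited, status=255/EXCEPTION",
    "systemd[1]: bastion-sshd@13-10.0.0.5:22-203.0.113.7:40120.service: Main process exited, code=exited, status=255/EXCEPTION",
    "systemd[1]: bastion-sshd@14-10.0.0.5:22-198.51.100.9:51000.service: Main process exited, code=exited, status=255/EXCEPTION",
    "systemd[1]: bastion-sshd@15-10.0.0.5:22-203.0.113.7:40133.service: Main process exited, code=exited, status=255/EXCEPTION",
    "sshd[32094]: Failed password for root from UNKNOWN port 65535 ssh2",
]


def parse_line(line):
    """Return peer details from a unit exit line, or None if it does not match."""
    m = UNIT_RE.search(line)
    if not m:
        return None
    try:
        remote = ipaddress.IPv4Address(m["remote"])
    except ValueError:
        return None  # digits and dots that do not form a valid address
    return {"remote": str(remote), "rport": int(m["rport"]),
            "status": int(m["status"])}


def failed_exits_by_peer(lines, threshold=3):
    """Count non-zero exits per peer (assumed to mean a failed session)
    and keep only peers at or above the threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] != 0:
            counts[rec["remote"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_exits_by_peer(SAMPLE))
```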