Record Failed Passwords

Bob Proulx bob at proulx.com
Wed Jul 21 06:02:00 EST 2010


Alan Neville wrote:
> I am emailing you to ask is it possible to record failed passwords
> attempts and log them to syslog? Are there patches available for this?
> Has anyone managed to do this before? Are there alternitive methods?

My logs are always filled with cracking attempts to log in but failing
the password.  The past couple of months the distributed attacks have
increased significantly.  I currently have around 2,000 IP addresses
attacking from a distributed attack engine.  (No chance of succeeding
however.)

  Jul 18 07:01:26 joseki sshd[21461]: error: PAM: User not known to the underlying authentication module for illegal user kate from 200.63.163.27
  Jul 18 07:01:26 joseki sshd[21461]: Failed keyboard-interactive/pam for invalid user kate from 200.63.163.27 port 16602 ssh2

I don't know what system you are using and you did not say.  On a
Debian Stable system the above is normal output on a standard
installation without additional user patches.  What you are asking for
seems to already be available.

Bob


More information about the openssh-unix-dev mailing list