Record Failed Passwords

Keisial keisial at gmail.com
Wed Jul 21 07:03:34 EST 2010


 Bob Proulx wrote:
> Alan Neville wrote:
>> I am emailing you to ask is it possible to record failed passwords
>> attempts and log them to syslog? Are there patches available for this?
>> Has anyone managed to do this before? Are there alternitive methods?
> My logs are always filled with cracking attempts to log in but failing
> the password.  The past couple of months the distributed attacks have
> increased significantly.  I currently have around 2,000 IP addresses
> attacking from a distributed attack engine.  (No chance of succeeding
> however.)
>
>   Jul 18 07:01:26 joseki sshd[21461]: error: PAM: User not known to the underlying authentication module for illegal user kate from 200.63.163.27
>   Jul 18 07:01:26 joseki sshd[21461]: Failed keyboard-interactive/pam for invalid user kate from 200.63.163.27 port 16602 ssh2
>
> I don't know what system you are using and you did not say.  On a
> Debian Stable system the above is normal output on a standard
> installation without additional user patches.  What you are asking for
> seems to already be available.
>
> Bob
I think he wants the actual passwords, Bob.

There are some patches for that, Alan, but AFAIK they work only with the
traditional passwd, not with PAM.
It could be logged with a PAM module I think, but don't know of an existing
one.



More information about the openssh-unix-dev mailing list