Logging Login Attempts
wagle at mac.com
Fri Oct 8 09:47:50 EST 2010
I have PasswordAuthentication turned off, and all I get is:
Oct 7 10:44:02 brainz sshd: Connection from 18.104.22.168 port 50912
>From a(n anonymized) host that doesn't have the key to login with.
I do get hundreds or thousands of invalid users though:
Oct 6 04:13:19 brainz sshd: Invalid user spam from 22.214.171.124
Maybe your path doesn't get used when you have passwords turned off?
On Oct 7, 2010, at 3:37 PM, Iain Morgan wrote:
> On Thu, Oct 07, 2010 at 14:39:13 -0500, Perry Wagle wrote:
>> LogLevel VERBOSE logs the ipaddress of the attempt on a "signon that
>> exists", but not which signon name.
>> -- Perry
>> On Oct 7, 2010, at 9:51 AM, Iain Morgan wrote:
>> On Wed, Oct 06, 2010 at 18:07:29 -0500, Perry Wagle wrote:
>> I have passwords turned off, and require keys to match. The zombie
>> armies swarming outside are trying brute force attacks that in part
>> involve guessing login NAMES. If they guess the wrong NAME, this is
>> logged in syslog. If they guess a working user name, then the
>> attack has PARTIALLY SUCCEEDED, but this information is IGNORED.
>> That is, it is not logged. If the zombie army has tell when it has
>> found a working user name, then it might concentrate on finding its
>> key, and I will be none the wiser. I will not see that happening.
>> I can get this info by turning logging to DEBUG, but then it is very
>> noisy. I do not understand why failed attempts to login to my
>> account are not logged.
>> Why is this, and how do I get it fixed?
>> Try verbose rather than debug.
> Actually, the attempted username, source IP address, and source port are
> logged. This is done in auth.c. At least that is the case in cvs HEAD
> and looks like it goes back at least as far as 5.1p1.
> 274 authlog("%s %s for %s%.100s from %.200s port %d%s",
> 275 authmsg,
> 276 method,
> 277 authctxt->valid ? "" : "invalid user ",
> 278 authctxt->user,
> 279 get_remote_ipaddr(),
> 280 get_remote_port(),
> 281 info);
> Note that in the case of password authentication, authlog is a pointer
> to logit(), whereas for all other authentication methods it is a pointer
> to verbose().
More information about the openssh-unix-dev