Logging Login Attempts

Iain Morgan imorgan at nas.nasa.gov
Fri Oct 8 11:27:44 EST 2010


On Thu, Oct 07, 2010 at 17:47:50 -0500, Perry Wagle wrote:
> I have PasswordAuthentication turned off, and all I get is:
> 
> Oct  7 10:44:02 brainz sshd[5043]: Connection from 111.222.247.191 port 50912
> 
> From a(n anonymized) host that doesn't have the key to login with.
> 
> I do get hundreds or thousands of invalid users though:
> 
> Oct  6 04:13:19 brainz sshd[7727]: Invalid user spam from 115.89.210.36
> 
> Maybe your path doesn't get used when you have passwords turned off?
> 
> -- Perry
> 

I have only glanced at the relevant code, but the intent is that it is
called for all authentication methods. That is why one of the arguments
to authlog() is the authentication method.

You should see messages of the form "Failed publickey for invalid user
spam from 115.89.210.36 port ..." Alternatively, you should see
something like "Accepted publickey for blah from ..." for successful
logins. 

The code is there, and I can verify that it works for both 5.1p1 and
5.6p1. To eliminate any Debian-specific patches that might be
inadvertently interfering, you could build a stock version of 5.3p1 and
test it.

-- 
Iain Morgan
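
Added example, not part of the original thread and not OpenSSH code: a small Python sketch that groups sshd log lines by PID and reports connections that never produced a "Failed ..." or "Accepted ..." line, which is the situation described in the quoted message. The log lines are constructed in the formats quoted above (addresses, PIDs, ports and the trailing "ssh2" are sample values), and grouping by PID assumes all lines for one connection carry the same sshd PID.

```python
import re
from collections import defaultdict

# Constructed sample lines in the message formats quoted in the thread.
SAMPLE_LOG = """\
Oct  7 10:44:02 brainz sshd[5043]: Connection from 192.0.2.10 port 50912
Oct  7 10:44:05 brainz sshd[5050]: Connection from 198.51.100.7 port 40100
Oct  7 10:44:06 brainz sshd[5050]: Invalid user spam from 198.51.100.7
Oct  7 10:44:06 brainz sshd[5050]: Failed publickey for invalid user spam from 198.51.100.7 port 40100 ssh2
Oct  7 10:45:00 brainz sshd[5061]: Connection from 203.0.113.5 port 51000
Oct  7 10:45:01 brainz sshd[5061]: Accepted publickey for blah from 203.0.113.5 port 51000 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^Connection from (?P<ip>\S+) port \d+")
INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
RESULT = re.compile(r"^(?P<verdict>Failed|Accepted) (?P<method>\S+) for "
                    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def summarize(log_text):
    """Group sshd messages by PID (assumption: one PID per connection;
    PIDs are reused over time, so feed this a bounded time window)."""
    sessions = defaultdict(lambda: {"ip": None, "invalid_user": False, "results": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        s, msg = sessions[m["pid"]], m["msg"]
        if (c := CONNECT.match(msg)):
            s["ip"] = c["ip"]
        elif (i := INVALID.match(msg)):
            s["ip"] = s["ip"] or i["ip"]
            s["invalid_user"] = True
        elif (r := RESULT.match(msg)):
            s["ip"] = s["ip"] or r["ip"]
            s["invalid_user"] |= bool(r["invalid"])
            s["results"].append((r["verdict"], r["method"], r["user"]))
    return dict(sessions)

def connections_without_result(sessions):
    """Source addresses that connected but logged no Failed/Accepted line."""
    return sorted(s["ip"] for s in sessions.values() if s["ip"] and not s["results"])

if __name__ == "__main__":
    print(connections_without_result(summarize(SAMPLE_LOG)))
```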


More information about the openssh-unix-dev mailing list