[SOLVED] How to check log files for ssh connection attempts
How to check log files for ssh connection attempts
I've set up an ssh server at home to do ssh tunneling so I can use my tablet on public wifi.
How can I check the log file(s) for attempts by others to connect to my ssh server? BTW, I am using a 5-digit number as the ssh port.
I hardly ever look at any log files because they are so cryptic to understand. I need help on what to look for to tell whether an attempt to connect was successful or not.
I have a script that runs every minute looking at the last 150 lines in auth.log.
If it finds 20 of two different messages in a sample it blocks the IP.
It used to block a few a week, but after moving off of port 22 it hasn't blocked an IP in over two and a half years; this is on three machines.
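For anyone who, like the original poster, finds auth.log cryptic: the script below is an added example (not the poster's cron script, and not from this thread) showing what the sshd lines look like and how to tell a successful login from a failed one. It mirrors the idea described above, looking at the last N lines and counting two kinds of failure message per source IP, but it only reports; it does not touch the firewall. The log lines are constructed for the example; the regexes follow OpenSSH's standard auth.log wording.

```python
"""Summarise sshd events in an auth.log excerpt: who got in, who kept failing.

Added example for the LQ thread; SAMPLE_LOG below is constructed, not real data.
"""
import re
import sys
from collections import Counter

# OpenSSH writes one of these lines per authentication attempt.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")

# Constructed sample: one scanner (203.0.113.7) hammering guessed names,
# one legitimate user (alice) who logs in twice and fat-fingers once.
SAMPLE_LOG = """\
Oct  5 13:40:01 home sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  5 13:40:03 home sshd[2231]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct  5 13:40:05 home sshd[2240]: Invalid user oracle from 203.0.113.7
Oct  5 13:41:10 home sshd[2250]: Accepted password for alice from 198.51.100.22 port 40022 ssh2
Oct  5 13:42:00 home sshd[2255]: Accepted publickey for alice from 198.51.100.22 port 40030 ssh2: RSA SHA256:constructedfingerprint
Oct  5 13:42:30 home sshd[2260]: Failed password for alice from 198.51.100.22 port 40031 ssh2
Oct  5 13:43:00 home CRON[2270]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_line(line):
    """Return a dict describing the sshd event on this line, or None if it is
    not an authentication line (cron, sudo, etc. also land in auth.log)."""
    m = ACCEPTED_RE.search(line)
    if m:
        return {"event": "accepted", **m.groupdict()}
    m = FAILED_RE.search(line)
    if m:
        return {"event": "failed", **m.groupdict()}
    m = INVALID_RE.search(line)
    if m:
        # "Invalid user" has no method/port; it means the username doesn't exist.
        return {"event": "failed", "method": "invalid-user", **m.groupdict()}
    return None


def summarize(lines, threshold=20, window=150):
    """Look at the last `window` lines and return successful logins plus the
    per-IP failure counts and the IPs at or above `threshold` failures."""
    accepted = []
    failures = Counter()
    for line in lines[-window:]:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "accepted":
            accepted.append((ev["user"], ev["ip"], ev["method"]))
        else:
            failures[ev["ip"]] += 1
    blocklist = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"accepted": accepted, "failures": failures, "blocklist": blocklist}


def report(lines, threshold=20, window=150):
    """Human-readable version of summarize(), for reading at a terminal."""
    s = summarize(lines, threshold, window)
    out = ["Successful logins:"]
    out += [f"  {u} from {ip} via {m}" for u, ip, m in s["accepted"]] or ["  (none)"]
    out.append("Failed attempts per IP:")
    out += [f"  {ip}: {n}" for ip, n in s["failures"].most_common()] or ["  (none)"]
    out.append(f"IPs with >= {threshold} failures: {', '.join(s['blocklist']) or '(none)'}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 sshlog.py /var/log/auth.log   (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    print(report(log_lines, threshold=3))
```

On a real box, `grep sshd /var/log/auth.log` gives the same raw lines; the two things worth scanning for are `Accepted` (someone got in, and with which method and from where) and `Failed`/`Invalid user` (someone didn't). On systemd distros the same lines come from `journalctl -u ssh`.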
I ran the grep commands above and no output was given. I guess my new ssh server is OK for now.
I read as much as possible about ssh tunneling before implementing it. For example, I used a port other than the standard 22. I've used AllowUsers and added my name only.
There is something I read about using private key authentication as opposed to password authentication. They say it is more secure. But I don't know if I could trust something I've never done before.
I already know this; what I meant in my last post was I didn't want to take a chance on trying something I haven't tried before. I've always done password authentication.
If you don't set a password on the key, then if you lose your tablet or someone gets hold of it, they will be able to access the server until you remove or change the key on the server.
It is more secure using the key and you should password protect it if you feel the need.
You have to decide that when you create the key.
If someone steals my notebook, I have to make a phone call before they figure out they have root access to several machines.
If I create this key pair, what do I do with the keys? Do both keys need to be in the .ssh directory, or just one of them, or could I move both off to a USB stick?
I don't quite follow the original question, which was how to monitor for others trying to access the ssh server. Then it turned into a how-to-authenticate question.
What exactly are you tunneling? A client-server app, and the server is at your house?
run iptables and configure the rules and logging accordingly.
My question was solved. I have no issues with ssh tunneling whatsoever. My question about ssh private key authentication was an afterthought, just asking people if it was safer than password authentication.
Sometimes threads go off topic. Anyway, I'll mark it as solved. Thanks to all who replied.
Denyhosts monitors ssh login failures and adds the offending IP to hosts.deny.
I believe you can configure it for other port numbers, the number of login attempts, and services. It also automatically removes offending IPs from hosts.deny after a month.
I use ssh on the standard port number with denyhosts.
He uses public wifi (DHCP), so how could he know what to deny?
I thought he said his ssh server was at home. That is where the denyhosts runs.
I guess I don't understand what the set up is here.
Yes, sshd runs at his house, but his tablet is a DHCP client that connects to various wifi APs. His tablet runs the ssh client and he uses it to tunnel to/through his sshd at home. So if his IP changes often then hosts.deny is not robust enough. Certainly he can use hosts.deny to block a majority of Internet IPs, but that's not a secure solution.
Last edited by Linux_Kidd; 10-05-2011 at 01:42 PM.