OpenSSH - how to force logging of failed attempts?
Does anybody know how I can force sshd to log failed attempts? See the middle logging example below - the failed attempt was rejected, but there is no specific log message telling of this. The rejection can be inferred from the absence of an "accepted" message in the file, but I would prefer a positive "login attempt rejected" indication in the file (for grepping and analysis after-the-fact).
--- The following are my test logs from /var/log/auth.log. SSHD version 4.2p1-5 (from Debian sid repository). /etc/ssh/sshd_config is set for "LogLevel VERBOSE", and the ONLY allowed authentication method is pubkey (no password, no PAM, nothing else).

Log for a user disallowed in sshd_config (A record of the failed attempt was created):
Code:
Jun 6 13:28:58 familyroom sshd[23352]: Connection from xxx.xxx.xxx.xxx port 37071

Code:
Jun 6 13:29:27 familyroom sshd[23364]: Connection from xxx.xxx.xxx.xxx port 37078

Code:
Jun 6 13:30:01 familyroom sshd[23380]: Connection from xxx.xxx.xxx.xxx port 37086

Here's my /etc/ssh/sshd_config file, stripped down to only the stuff I think is relevant:
Code:
SyslogFacility AUTH
Have you checked the debug logging levels (DEBUG1, DEBUG2 and DEBUG3) instead of VERBOSE?
Quote:
Maybe I'll have to go to the DEBUG levels, or maybe just abandon my little project here. I'm really surprised that sshd does not log these failed attempts. If it were to log anything by default, I would certainly expect THIS! Guess not.
Inside your sshd_config file, set UsePAM to Yes and put the following in your sshd file under /etc/pam.d:
Code:
# pam_stack.so chains to the system-wide "system-auth" stack (Red Hat-style PAM layout)
auth       required   pam_stack.so service=system-auth
auth       required   pam_nologin.so
account    required   pam_stack.so service=system-auth
password   required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth
password   required   pam_cracklib.so retry=3 minlen=6 difok=3

This will keep it logged well for you ;-)
Quote:
The reason I had PAM turned off, is because I want to allow pubkey authentication, and ONLY pubkey authentication. No password, challenge-response, keyboard-interactive, etc. Thus crackers would get no chance to start guessing passwords.

And the reason I wanted logging of pubkey failures, is so I can have a program that scans auth.log looking for repeated pubkey failures, and the program would then add an iptables rule to block the offending IP address permanently ... from all ports, even though port 22 is the only one I plan to have open. This is the "layers of protection" I like to maintain.

I think what I will need to do is turn PAM back on, but configure its sshd script to not allow any authentication to succeed. Just log the fact that something got through and tried to authenticate. The fact that PAM is asked to authenticate means that sshd pubkey authentication had already failed, so PAM could just log the event and then fail authentication a second time.

It appears from my testing, that if PAM is told to require password authentication, but sshd pubkey authentication ALREADY passed, then PAM is somehow aware of this and DOES NOT try to reauthenticate. But other PAM modules are still called - MOTD, etc. This would be much simpler if PAM supported pubkey. Then I'd just use PAM for everything.
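The "scan auth.log for repeated pubkey failures and add an iptables rule" program described in the post above, written out as an added example (it is not code from the thread or from OpenSSH). It assumes the "Failed publickey for USER from IP port N ssh2" line that current OpenSSH writes at LogLevel VERBOSE, optionally followed by ": KEYTYPE FINGERPRINT" on newer builds; the 4.2p1 logs quoted earlier in the thread evidently did not emit it. The sample log lines, the thresholds and the hostile username in the last sample line are constructed for the example. Two details matter for a tool that feeds a firewall: the address is always taken from the last "from ... port ... ssh2" on the line, because the name in an "invalid user" entry is attacker-chosen and can contain a forged "from 10.0.0.1 port 1 ssh2"; and the rule is built as an argv list and the address validated with the ipaddress module, so nothing from the log is ever interpreted by a shell.

```python
"""Added example: scan sshd log lines for repeated failed publickey attempts
and turn the offending addresses into iptables DROP rules.  Not from the
original thread; the sample log lines below are constructed."""
import ipaddress
import re
from collections import Counter

# Failure line as current OpenSSH writes it at LogLevel VERBOSE, e.g.
#   sshd[23364]: Failed publickey for root from 203.0.113.5 port 37078 ssh2
# Newer builds append the offered key, ": RSA SHA256:...", which the trailing
# optional group allows.  The user part is greedy, so the address is always
# taken from the LAST "from ... port ... ssh2" on the line: for "invalid user"
# entries the name is attacker-chosen and may itself contain a forged
# "from 10.0.0.1 port 1 ssh2", which must not become the address we block.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed publickey for (?:invalid user )?(?P<user>.+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?::.*)?$"
)


def parse_failures(lines):
    """Yield (ip, user) for every failed-publickey line; ignore everything else."""
    for line in lines:
        m = FAILED_RE.search(line.rstrip("\n"))
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a real address: never let it reach a firewall rule
        yield str(ip), m.group("user")


def offenders(lines, threshold=3):
    """Addresses with at least `threshold` failed publickey attempts, sorted."""
    counts = Counter(ip for ip, _ in parse_failures(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_rules(ips):
    """Build the block rules as argv lists (for subprocess.run), never as a
    shell string, so a log line can't smuggle shell syntax into the command."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]


# Constructed sample of /var/log/auth.log.  The 10.0.0.1 in the last line is
# part of a hostile username; the real peer there is 192.0.2.9.
SAMPLE_AUTH_LOG = """\
Jun  6 13:29:27 familyroom sshd[23364]: Connection from 203.0.113.5 port 37078
Jun  6 13:29:27 familyroom sshd[23364]: Failed publickey for root from 203.0.113.5 port 37078 ssh2
Jun  6 13:29:31 familyroom sshd[23366]: Failed publickey for root from 203.0.113.5 port 37080 ssh2: RSA SHA256:constructedFingerprint
Jun  6 13:29:35 familyroom sshd[23368]: Failed publickey for invalid user admin from 203.0.113.5 port 37082 ssh2
Jun  6 13:30:01 familyroom sshd[23380]: Accepted publickey for alice from 198.51.100.7 port 37086 ssh2
Jun  6 13:30:40 familyroom sshd[23390]: Failed publickey for invalid user x from 10.0.0.1 port 1 ssh2 from 192.0.2.9 port 40100 ssh2
""".splitlines()

if __name__ == "__main__":
    # On a real host: open("/var/log/auth.log") instead of the sample,
    # then subprocess.run(rule, check=True) for each rule.
    for rule in iptables_rules(offenders(SAMPLE_AUTH_LOG)):
        print(" ".join(rule))
```

Run against the sample, only 203.0.113.5 crosses the three-failure threshold and gets a rule; 192.0.2.9 is recorded once (with the forged address left inside the username where it belongs), and the "Accepted publickey" and "Connection from" lines are ignored. A permanent DROP of everything from the address, as the post wants, is what `-I INPUT -s IP -j DROP` does; a timed unban would need state this example deliberately does not keep.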