LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   OpenSSH - how to force logging of failed attempts? (https://www.linuxquestions.org/questions/linux-security-4/openssh-how-to-force-logging-of-failed-attempts-452184/)

haertig 06-06-2006 03:07 PM
OpenSSH - how to force logging of failed attempts?
 
Does anybody know how I can force sshd to log failed attempts? See the middle logging example below - the failed attempt was rejected, but there is no specific log message telling of this. The rejection can be inferred from the absense of an "accepted" message in the file, but I would prefer a positive "login attempt rejected" indication in the file (for grepping and analysis after-the-fact).

---

The following are my test logs from /var/log/auth.log. SSHD version 4.2p1-5 (from Debian sid repository)

/etc/ssh/sshd_config is set for "LogLevel VERBOSE", and the ONLY allowed authenticate method is pubkey (no password, no PAM, nothing else).

Log for a user disallowed in sshd_config (A record of the failed attempt was created):
Code:
Jun  6 13:28:58 familyroom sshd[23352]: Connection from xxx.xxx.xxx.xxx port 37071
Jun  6 13:29:01 familyroom sshd[23352]: Invalid user bogus_user from xxx.xxx.xxx.xxx
Log for an allowed user, but without a valid pubkey (Connection was logged, but NO specific record of the failed attempt!. Only the absense of an "accepted" message after the "connection" message indicates a failed attempt):
Code:
Jun  6 13:29:27 familyroom sshd[23364]: Connection from xxx.xxx.xxx.xxx port 37078
Log for an allowed user, with a good pubkey (A record of the successful login was created):
Code:
Jun  6 13:30:01 familyroom sshd[23380]: Connection from xxx.xxx.xxx.xxx port 37086
Jun  6 13:30:03 familyroom sshd[23380]: Found matching DSA key: 90:95:xx:49:yy:26:5a:zz:62:56:ac:41:a6:43:6d:5b
Jun  6 13:30:05 familyroom sshd[23380]: Found matching DSA key: 90:95:xx:49:yy:26:5a:zz:62:56:ac:41:a6:43:6d:5b
Jun  6 13:30:05 familyroom sshd[23380]: Accepted publickey for good_user from xxx.xxx.xxx.xxx port 37086 ssh2
Jun  6 13:30:12 familyroom sshd[23380]: syslogin_perform_logout: logout() returned an error
Jun  6 13:30:12 familyroom sshd[23384]: Connection closed by xxx.xxx.xxx.xxx
Jun  6 13:30:12 familyroom sshd[23384]: Closing connection to xxx.xxx.xxx.xxx
I don't know the reason behind that "logout() returned an error" message ... I'll have to investigate that later.

Here's my /etc/ssh/sshd_config file, stripped down to only the stuff I think is relevent:
Code:
SyslogFacility AUTH
LogLevel VERBOSE

UsePrivilegeSeparation yes
StrictModes yes
IgnoreRhosts yes

Protocol 2
PermitRootLogin no
AllowUsers good_user

PubkeyAuthentication yes

RSAAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no

macemoneta 06-07-2006 09:49 AM
Have you checked the debug logging levels (DEBUG1, DEBUG2 and DEBUG3) instead of VERBOSE?

haertig 06-07-2006 11:02 AM
Quote:
Originally Posted by macemoneta
Have you checked the debug logging levels (DEBUG1, DEBUG2 and DEBUG3) instead of VERBOSE?
I have not. Only INFO, VERBOSE, and ERROR. I wanted to stay away from the DEBUG's because they reveal user's private info (per the manpage). Not that just anybody can go viewing auth.log, so privacy is not much of a concern, but I imagined DEBUG logging would fill the logfile with tons of unwanted blabber.

Maybe I'll have to go to the DEBUG levels, or maybe just abandon my little project here. I'm really surprized that sshd does not log these failed attempts. If it were to log anything by default, I would certainly expect THIS! Guess not.

Harlin 06-07-2006 02:05 PM
Inside your sshd_config file, set UsePAM to Yes and put the following in your sshd file under /etc/pam.d:

auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_cracklib.so retry=3 minlen=6 difok=3

This will keep it logged well for you ;-)

haertig 06-07-2006 05:49 PM
Quote:
Originally Posted by Harlin
Inside your sshd_config file, set UsePAM to Yes
Thanks for the tip on PAM. I know PAM can do nice logging. But unfortunately PAM does not support pubkey authentication. Not that I've been able to find, anyway.

The reason I had PAM turned off, is because I want to allow pubkey authentication, and ONLY pubkey authentication. No password, challenge-response, keyboard-interactive, etc. Thus crackers would get no chance to start guessing passwords. And the reason I wanted logging of pubkey failures, is so I can have a program that scans auth.log looking for repeated pubkey failures, and the program would then add an iptables rule to block the offending IP address permanently ... from all ports, even though port 22 is the only one I plan to have open. This is the "layers of protection" I like to maintain.

I think what I will need to do is turn PAM back on, but configure its sshd script to not allow any authentication to succeed. Just log the fact that something got through and tried to authenticate. The fact that PAM is asked to authenticate means that sshd pubkey authentication had already failed, so PAM could just log the event and then fail authentication a second time. It appears from my testing, that if PAM is told to require password authentication, but sshd pubkey authentication ALREADY passed, then PAM is somehow aware of this and DOES NOT try to reauthenticate. But other PAM modules are still called - MOTD, etc.

This would be much simpler if PAM supported pubkey. Then I'd just use PAM for everything.


All times are GMT -5. The time now is 06:51 PM.