OpenSSH - how to force logging of failed attempts?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
OpenSSH - how to force logging of failed attempts?
Does anybody know how I can force sshd to log failed attempts? See the middle logging example below - the failed attempt was rejected, but there is no specific log message telling of this. The rejection can be inferred from the absense of an "accepted" message in the file, but I would prefer a positive "login attempt rejected" indication in the file (for grepping and analysis after-the-fact).
---
The following are my test logs from /var/log/auth.log. SSHD version 4.2p1-5 (from Debian sid repository)
/etc/ssh/sshd_config is set for "LogLevel VERBOSE", and the ONLY allowed authenticate method is pubkey (no password, no PAM, nothing else).
Log for a user disallowed in sshd_config (A record of the failed attempt was created):
Code:
Jun 6 13:28:58 familyroom sshd[23352]: Connection from xxx.xxx.xxx.xxx port 37071
Jun 6 13:29:01 familyroom sshd[23352]: Invalid user bogus_user from xxx.xxx.xxx.xxx
Log for an allowed user, but without a valid pubkey (Connection was logged, but NO specific record of the failed attempt!. Only the absense of an "accepted" message after the "connection" message indicates a failed attempt):
Code:
Jun 6 13:29:27 familyroom sshd[23364]: Connection from xxx.xxx.xxx.xxx port 37078
Log for an allowed user, with a good pubkey (A record of the successful login was created):
Code:
Jun 6 13:30:01 familyroom sshd[23380]: Connection from xxx.xxx.xxx.xxx port 37086
Jun 6 13:30:03 familyroom sshd[23380]: Found matching DSA key: 90:95:xx:49:yy:26:5a:zz:62:56:ac:41:a6:43:6d:5b
Jun 6 13:30:05 familyroom sshd[23380]: Found matching DSA key: 90:95:xx:49:yy:26:5a:zz:62:56:ac:41:a6:43:6d:5b
Jun 6 13:30:05 familyroom sshd[23380]: Accepted publickey for good_user from xxx.xxx.xxx.xxx port 37086 ssh2
Jun 6 13:30:12 familyroom sshd[23380]: syslogin_perform_logout: logout() returned an error
Jun 6 13:30:12 familyroom sshd[23384]: Connection closed by xxx.xxx.xxx.xxx
Jun 6 13:30:12 familyroom sshd[23384]: Closing connection to xxx.xxx.xxx.xxx
I don't know the reason behind that "logout() returned an error" message ... I'll have to investigate that later.
Here's my /etc/ssh/sshd_config file, stripped down to only the stuff I think is relevent:
Code:
SyslogFacility AUTH
LogLevel VERBOSE
UsePrivilegeSeparation yes
StrictModes yes
IgnoreRhosts yes
Protocol 2
PermitRootLogin no
AllowUsers good_user
PubkeyAuthentication yes
RSAAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM no
Have you checked the debug logging levels (DEBUG1, DEBUG2 and DEBUG3) instead of VERBOSE?
I have not. Only INFO, VERBOSE, and ERROR. I wanted to stay away from the DEBUG's because they reveal user's private info (per the manpage). Not that just anybody can go viewing auth.log, so privacy is not much of a concern, but I imagined DEBUG logging would fill the logfile with tons of unwanted blabber.
Maybe I'll have to go to the DEBUG levels, or maybe just abandon my little project here. I'm really surprized that sshd does not log these failed attempts. If it were to log anything by default, I would certainly expect THIS! Guess not.
Thanks for the tip on PAM. I know PAM can do nice logging. But unfortunately PAM does not support pubkey authentication. Not that I've been able to find, anyway.
The reason I had PAM turned off, is because I want to allow pubkey authentication, and ONLY pubkey authentication. No password, challenge-response, keyboard-interactive, etc. Thus crackers would get no chance to start guessing passwords. And the reason I wanted logging of pubkey failures, is so I can have a program that scans auth.log looking for repeated pubkey failures, and the program would then add an iptables rule to block the offending IP address permanently ... from all ports, even though port 22 is the only one I plan to have open. This is the "layers of protection" I like to maintain.
I think what I will need to do is turn PAM back on, but configure its sshd script to not allow any authentication to succeed. Just log the fact that something got through and tried to authenticate. The fact that PAM is asked to authenticate means that sshd pubkey authentication had already failed, so PAM could just log the event and then fail authentication a second time. It appears from my testing, that if PAM is told to require password authentication, but sshd pubkey authentication ALREADY passed, then PAM is somehow aware of this and DOES NOT try to reauthenticate. But other PAM modules are still called - MOTD, etc.
This would be much simpler if PAM supported pubkey. Then I'd just use PAM for everything.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.