I'm running OpenSSH on Ubuntu Hardy and I have it set to only allow me, only via my private key, etc, so I'm feeling fairly comfortable. But I'm curious about all these apparently ubiquitous automatic attacks on SSH servers -- is there a way to make SSH log them? I can tell it's not logging every attempt to log in, because when I tried experimentally logging in without a private key (as though I was a bot waiting for a chance to try a password), my SSH session unceremoniously ended but nothing appeared in auth.log. In fact, the only attempt I've seen in auth.log was one attempt to log in as root (which is of course not allowed) and it didn't even record the damn IP address!

So what I'd like is logs of attempts that fail because I use private key authentication, and I'd also like to see the dang IP addresses. I don't really know what I'm doing here so any help is appreciated.

There are two values in 'sshd_conf' that can me modified to produce more log output:
The default's are in bold. I would leave 'SyslogFacility' alone, but you can increase LogLevel to Verbose to get more output. Also, sshd will log through syslog. So try looking for info in '/var/log/messages' or '/var/log/syslog' (whichever one you have). Here's a little one-liner that will show you all sshd logs:
I've been getting a lot of brute-force ssh attacks lately too. After one ip tried 3000 times, I decided to do something. You can setup /etc/hosts.allow and /etc/hosts.deny to block a single ip or allow ssh access from only listed ips:
/etc/hosts.denyThere are various ways to use those two files (there are ways to do everything through hosts.allows without having to touch hosts.deny).

Okay, thanks! Done.


Checked both, neither of them have anything SSH related.

I forgot to mention, that you need to restart the sshd service through one of these ways (I don't know how ubuntu does it):one of those should restart it.

Also, after some reading, it looks like ssh in ubuntu logs to /var/log/auth.log, so after you restart ssh, check there.

Right, already done, and it did in fact log an attempt (by me) to log in without a password afterwards. Unless I'm not looking in the right place, though, I'm not getting the once-a-minute bot attempts that a lot of people were talking about.

The attempts are pretty random (as far is I'm concerned). yesterday i would get hit by random ip's for hours straight, then they would stop. I would be 'unattacked' for another few hours, then another slew of random ip's would attack. When a bunch of random ip's all attack around the same time, it's most likely a botnet. As long as an attacker's ssh request isn't 'refused' they will keep trying. If you block all ip's, they attack for a few attempts and give up since they get a 'connection refused' message.

Sometimes, people will change the ssh port to something random. This stops 99% of attacks from happening since they all target 22.

Right -- I deliberately left sshd listening to 22 today just to see. Normally I use 443 since our firewall at work blocks outgoing traffic to any port but 80 or 443.

Only LogLevel affects what is logged, SyslogFacility logs WHERE it is logged. Info should show failed attempts, but Verbose will give even more. Do not use Debug+ on production, as this actually logs some sensitive information.