LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Logs of TCP Wrappers (https://www.linuxquestions.org/questions/linux-security-4/logs-of-tcp-wrappers-858785/)

vikas027 01-26-2011 09:48 AM

Logs of TCP Wrappers
 
Hi All,

I have a CentOS 5.5 box.
I want to block all ssh services to domain test.com.

For this, I have made the below entry in /etc/host.deny
Code:

sshd : .test.com  \ : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log
This works properly and logs as below in /var/log/sshd.log:
Code:

Wed Jan 26 21:06:10 IST 2011 access denied
Can I also log the IP and username of the system from which the ssh request came?

Is there any other log file for TCP Wrappers? There were no logs in /var/log/messages.

Code:

# tail -f  /var/log/messages -f /var/log/sshd.log
==> /var/log/messages <==
Jan 26 20:27:46 gateway yum: Installed: dansguardian-2.8.0.6-1.2.el5.rf.i386
Jan 26 20:28:15 gateway clamd[3915]: SelfCheck: Database status OK.
Jan 26 20:30:43 gateway kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jan 26 20:30:43 gateway kernel: Netfilter messages via NETLINK v0.30.
Jan 26 20:30:43 gateway kernel: ip_conntrack version 2.4 (4096 buckets, 32768 max) - 228 bytes per conntrack
Jan 26 20:38:14 gateway init: Trying to re-exec init
Jan 26 20:41:22 gateway clamd[3915]: SelfCheck: Database status OK.
Jan 26 20:53:08 gateway yum: Installed: zsh-html-4.2.6-3.el5.i386

==> /var/log/sshd.log <==
Wed Jan 26 21:06:10 IST 2011 access denied
Wed Jan 26 21:13:05 IST 2011 access denied


anomie 01-26-2011 10:25 AM

RHEL-based system?

On systems where sshd(8) is compiled with libwrap.so (tcp wrappers), the logging goes to the same place as sshd logging. On RHEL systems, that would be /var/log/secure.

vikas027 01-26-2011 11:02 AM

Quote:

Originally Posted by anomie (Post 4238348)
RHEL-based system?

On systems where sshd(8) is compiled with libwrap.so (tcp wrappers), the logging goes to the same place as sshd logging. On RHEL systems, that would be /var/log/secure.

Hi Anomie,

I forgot to write my OS name; I have edited it now.

I know I can find out this info in /var/log/secure, but other logs would also be logged in it. I was just curious to know if we have any such option in TCP wrappers to just log for one rule.

Thanks for your time.

frndrfoe 01-26-2011 12:20 PM

Try:

Code:

sshd : .test.com  \ : spawn /bin/echo `/bin/date` access denied for %u on host %a>>/var/log/sshd.log

vikas027 01-28-2011 08:31 AM

Quote:

Originally Posted by frndrfoe (Post 4238466)
Try:

Code:

sshd : .test.com  \ : spawn /bin/echo `/bin/date` access denied for %u on host %a>>/var/log/sshd.log


Hi frndrfoe,

Many thanks !

It helped me to find the IP which is trying to ssh but not the username.

Now, I am getting the below logs

Code:

[root@gateway ~]# tail -5f /var/log/sshd.log
Wed Jan 26 21:32:18 IST 2011 access denied
Fri Jan 28 19:53:57 IST 2011 access denied
Fri Jan 28 19:55:13 IST 2011 access denied
Fri Jan 28 19:55:53 IST 2011 access denied for unknown on host ::ffff:192.168.0.10
Fri Jan 28 19:56:09 IST 2011 access denied for unknown on host ::ffff:192.168.0.10

Any other ideas?
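As an added example that is not part of the thread, the following POSIX shell script summarises the per-rule log that a spawn rule of this kind writes. It assumes a rule of the form shown in its header comment (a slight expansion of frndrfoe's rule, adding %d for the daemon name) and uses constructed log lines in the same format as the ones above; the "unknown" user comes from tcpd's %u, which is filled from an RFC 1413 ident query to the client and stays "unknown" whenever the client runs no identd, which is the usual case. The summary normalises the IPv4-mapped IPv6 form ::ffff:a.b.c.d seen in the log so one client is not counted twice.

```shell
#!/bin/sh
# Added example, not code from the thread. Rule assumed to produce the
# log lines summarised below (hosts.deny syntax; %d = daemon, %u = ident
# user name or "unknown", %a = client address):
#
#   sshd : .test.com : spawn /bin/echo "`/bin/date` %d denied for %u on host %a" >>/var/log/sshd.log

# Constructed sample of /var/log/sshd.log in the thread's format; the last
# line is from the older rule that logged neither user nor address.
SAMPLE_LOG='Fri Jan 28 19:55:53 IST 2011 access denied for unknown on host ::ffff:192.168.0.10
Fri Jan 28 19:56:09 IST 2011 access denied for unknown on host ::ffff:192.168.0.10
Fri Jan 28 20:01:40 IST 2011 access denied for bob on host 10.0.0.7
Wed Jan 26 21:32:18 IST 2011 access denied'

# summarize_denials: read log lines on stdin and print "count address user",
# highest count first. Lines without "for USER on host ADDR" are counted
# under address "-" and user "-". IPv4-mapped IPv6 addresses are reduced
# to plain IPv4 so that the same client is aggregated under one key.
summarize_denials() {
    awk '
        NF >= 5 && $(NF-1) == "host" && $(NF-2) == "on" && $(NF-4) == "for" {
            user = $(NF-3); addr = $NF
            sub(/^::ffff:/, "", addr)
            count[addr " " user]++
            next
        }
        /denied/ { count["- -"]++ }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run: print the summary for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
```

In day-to-day use, replace the sample with `summarize_denials < /var/log/sshd.log`; a source address that dominates the list with user "unknown" is simply a client without identd, not a sign of anything unusual in itself.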

frndrfoe 01-28-2011 10:56 AM

Does /var/log/secure have a corresponding failure entry with a username?

from man hosts.allow
%u The client user name (or "unknown").

vikas027 01-29-2011 04:02 PM

Yes it has an entry but not of username. :(
