LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-26-2011, 09:48 AM   #1
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Rep: Reputation: 107
Question Logs of TCP Wrappers


Hi All,

I have a CentOS 5.5 box.
I want to block all ssh services to domain test.com.

For this, I have made the below entry in /etc/hosts.deny
Code:
sshd : .test.com \
    : spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log
This works properly and logs as below in /var/log/sshd.log:
Code:
Wed Jan 26 21:06:10 IST 2011 access denied
Can I also log the IP and username of the system from which the ssh request came?

Is there any other log file for TCP Wrappers? There were no logs in /var/log/messages.

Code:
# tail -f  /var/log/messages -f /var/log/sshd.log
==> /var/log/messages <==
Jan 26 20:27:46 gateway yum: Installed: dansguardian-2.8.0.6-1.2.el5.rf.i386
Jan 26 20:28:15 gateway clamd[3915]: SelfCheck: Database status OK.
Jan 26 20:30:43 gateway kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jan 26 20:30:43 gateway kernel: Netfilter messages via NETLINK v0.30.
Jan 26 20:30:43 gateway kernel: ip_conntrack version 2.4 (4096 buckets, 32768 max) - 228 bytes per conntrack
Jan 26 20:38:14 gateway init: Trying to re-exec init
Jan 26 20:41:22 gateway clamd[3915]: SelfCheck: Database status OK.
Jan 26 20:53:08 gateway yum: Installed: zsh-html-4.2.6-3.el5.i386

==> /var/log/sshd.log <==
Wed Jan 26 21:06:10 IST 2011 access denied
Wed Jan 26 21:13:05 IST 2011 access denied

Last edited by vikas027; 01-26-2011 at 11:00 AM. Reason: Added my OS
 
Old 01-26-2011, 10:25 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
RHEL-based system?

On systems where sshd(8) is compiled with libwrap.so (tcp wrappers), the logging goes to the same place as sshd logging. On RHEL systems, that would be /var/log/secure.
 
Old 01-26-2011, 11:02 AM   #3
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107
Quote:
Originally Posted by anomie
RHEL-based system?

On systems where sshd(8) is compiled with libwrap.so (tcp wrappers), the logging goes to the same place as sshd logging. On RHEL systems, that would be /var/log/secure.
Hi Anomie,

I forgot to write my OS name; I have edited it now.

I know I can find out this info in /var/log/secure, but other logs would also be logged in it. I was just curious to know if we have any such option in TCP wrappers to just log for one rule.

Thanks for your time.
 
Old 01-26-2011, 12:20 PM   #4
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
Try:

Code:
sshd : .test.com \
    : spawn /bin/echo `/bin/date` access denied for %u on host %a >> /var/log/sshd.log

Last edited by frndrfoe; 01-26-2011 at 12:22 PM.
 
Old 01-28-2011, 08:31 AM   #5
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107

Quote:
Originally Posted by frndrfoe
Try:

Code:
sshd : .test.com \
    : spawn /bin/echo `/bin/date` access denied for %u on host %a >> /var/log/sshd.log

Hi frndrfoe,

Many thanks!

It helped me to find the IP which is trying to ssh but not the username.

Now, I am getting the below logs

Code:
[root@gateway ~]# tail -5f /var/log/sshd.log
Wed Jan 26 21:32:18 IST 2011 access denied
Fri Jan 28 19:53:57 IST 2011 access denied
Fri Jan 28 19:55:13 IST 2011 access denied
Fri Jan 28 19:55:53 IST 2011 access denied for unknown on host ::ffff:192.168.0.10
Fri Jan 28 19:56:09 IST 2011 access denied for unknown on host ::ffff:192.168.0.10
Any other ideas?
 
Old 01-28-2011, 10:56 AM   #6
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
Does /var/log/secure have a corresponding failure entry with a username?

From man hosts.allow:
Code:
%u The client user name (or "unknown").

Last edited by frndrfoe; 01-28-2011 at 01:34 PM.
 
Old 01-29-2011, 04:02 PM   #7
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107
Yes, it has an entry, but not the username.
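A helper for the spawn rule discussed in posts #4 and #6, as an added example that is not code from the thread. Instead of putting the whole echo into the hosts.deny rule, the rule hands the %d, %a, %u and %h expansions from hosts_access(5) to a script. The script strips the ::ffff: prefix seen in the log above so the address matches what /var/log/secure and the firewall report, records the ident result explicitly (the %u value is whatever the client's ident service answers, not the SSH login name, so "unknown" is the expected result when no identd responds), and mirrors the event to syslog so it lands beside sshd's own entries. The script path /usr/local/sbin/log-denied and the LOGFILE default are assumptions; the file name /var/log/sshd.log is reused from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a logging helper for a TCP Wrappers
# spawn rule. hosts_access(5) expands %d (daemon name), %a (client address),
# %u (client user name from an ident lookup, or "unknown") and %h (client
# host name, or the address if it does not resolve) before the command runs,
# and replaces shell-sensitive characters in the expansions with underscores.
#
# Hypothetical hosts.deny rule that would call this script (the script path
# is an assumption):
#   sshd : .test.com : spawn /usr/local/sbin/log-denied %d %a %u %h
#
# Log destination is an assumption (the thread's file name is reused).
LOGFILE="${LOGFILE:-/var/log/sshd.log}"

# strip_ipv4_mapped ADDR
# libwrap may pass IPv4-mapped IPv6 addresses (::ffff:192.168.0.10 in the
# thread's log). Reduce them to plain IPv4 so the lines are easy to
# correlate with /var/log/secure and firewall logs.
strip_ipv4_mapped() {
    case "$1" in
        ::ffff:*) printf '%s\n' "${1#::ffff:}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# format_denial_line DAEMON ADDR USER HOST
# Builds one log line with labelled fields. USER is the RFC 1413 ident answer
# from the client, not the SSH login; "unknown" is the normal result and is
# recorded as such rather than dropped.
format_denial_line() {
    daemon=$1
    addr=$(strip_ipv4_mapped "$2")
    user=$3
    host=$(strip_ipv4_mapped "$4")
    printf '%s access denied daemon=%s client=%s host=%s ident=%s\n' \
        "$(date '+%b %e %H:%M:%S')" "$daemon" "$addr" "$host" "$user"
}

# Spawn target: append to the file and also send the event to syslog so it
# lands beside sshd's own entries (/var/log/secure on RHEL-family systems).
log_denial() {
    line=$(format_denial_line "$@")
    printf '%s\n' "$line" >> "$LOGFILE"
    logger -p authpriv.warning -t tcpwrappers "$line"
}

# Only act when invoked with the four arguments the rule passes.
if [ "$#" -eq 4 ]; then
    log_denial "$@"
fi
```

Because the command runs with the daemon's privileges and a client-influenced argument list, the script does not build any further command line from its arguments; it only formats and writes them.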
 
  

