Hi,

How do I monitor who is ssh'ing into a box (SLES) as well as failed attempts? How can I log their IP addresses, even if they're not in DNS? In /var/log/messages I see their hostname but no IP address.

Thanks,

Riley

Hi,
I have no SLES available right now but AFAIK you find that information in "/var/log/auth.log".

Thanks for the reply but I looked and there is no /var/log/auth

I wasn't sure if that was logged anywhere. I did try the following:

watch 'netstat -anp | grep :22' >> iplog.txt

But that doesn't actually append to the file, it just overwrites. I was hoping to 'catch' the IP as it connected on port 22.

Just to be sure. There is no "/var/log/auth.log"? I have made a typo in my post but I corrected it.

I checked and there is no auth.log file.

OpenSUSE uses PAM so IIRC that should be /var/log/secure or whatever syslog sends PAM messages (authpriv facility) to: see /etc/.*syslog.*.conf. Wrt logging failed logins I suggest overcoming the idea there's a need to reinvent the wheel and use fail2ban. See http://www.linuxquestions.org/questi...tempts-340366/ for more.

Hmm
There should be a logfile "/var/log/secure".
If not look in "/etc/syslog.conf" there is a line starting with "auth.*" the name of the file carrying that log follows.

I don't see the /var/log/secure file either.

There also isn't any /etc/syslog.conf.

There is a /etc/sysctl.conf however.

cat sysctl.conf
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding
#net.ipv6.conf.all.forwarding = 1
# everything after this comment added by jm 12-15-2009
# increase TCP max buffer size setable using netsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# increase Linux autotuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# don't cache sshthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# recommended to increase this for 1000 BT or higher
net.core.netdev_max_backlog = 2500

You should get to know your system. AFAIK SLES10 seems to use syslog-ng so that'll be /etc/syslog-ng.conf or /etc/syslog-ng/syslog-ng.conf.

I was able find what needed to be updated.

In the /etc/ssh/sshd_config file change the setting

UseDNS yes

to

UseDNS no

The failed ssh logins will then show up in /var/log/messages with the IP Addresses instead of the DNS/host names.

Congrats!

Now, can you mark this thread as 'solved'?

Just curious, isn't this a waste of time?

My boxes get thousands of failed SSH logins each day.
All you get is a long list of proxies from some weird countries

It pays to at least look at who knocked on the door.

It tends to be more difficult doing this after you've been compromised.

Tools such as logwatch help, though.