dan_aka_jack Apprentice
Joined: 04 Dec 2004 Posts: 169
|
Posted: Tue Nov 08, 2005 10:50 am Post subject: sshd isn't logging |
|
|
Hi,
sshd isn't logging anything and I'm not sure why.
Code: |
cat /var/log/messages | grep ssh
|
shows nothing at all.
I've tried running slocate sshd and this shows that there is a directory called /var/log/sshd... however, nothing in this directory has been changed for over a year!
My sshd_config file instructs:
Code: |
SyslogFacility AUTH
LogLevel INFO
|
Any ideas as to why sshd isn't logging would be very gratefully received. I'd like to keep an eye on sshd to make sure no one is trying to hack me!
Thanks,
Jack |
chrbecke Guru
Joined: 12 Jul 2004 Posts: 598 Location: Berlin - Germany
|
Posted: Tue Nov 08, 2005 11:16 am Post subject: |
|
|
Increase the LogLevel from INFO to VERBOSE. It looks like sshd doesn't log logins in INFO. |
dan_aka_jack Apprentice
Joined: 04 Dec 2004 Posts: 169
|
Posted: Tue Nov 08, 2005 11:24 am Post subject: |
|
|
Some more info:
I'm using sysklogd. rc-update -s shows that it's installed as a default service and that it's running fine.
Here are my configuration files:
/etc/conf.d/sysklogd
Code: |
# Config file for /etc/init.d/sysklogd
SYSLOGD="-m 0"
# send warnings and above to the console
KLOGD="-c 3 -2"
|
/etc/syslog.conf
Code: |
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
# This is from Debian, we are using it for now
# Daniel Robbins, 5/15/99
#
# First some standard logfiles. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* /var/log/mail.log
user.* -/var/log/user.log
uucp.* -/var/log/uucp.log
local6.debug /var/log/imapd.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
#daemon.*,mail.*;\
# news.crit;news.err;news.notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole
local2.* -/var/log/ppp.log
|
Any thoughts as to why sshd isn't logging?
Thanks,
Jack |
chrbecke Guru
Joined: 12 Jul 2004 Posts: 598 Location: Berlin - Germany
|
Posted: Tue Nov 08, 2005 11:32 am Post subject: Re: sshd isn't logging |
|
|
dan_aka_jack wrote: |
My sshd_config file instructs:
Code: |
SyslogFacility AUTH
LogLevel INFO
|
|
As said before: Just change the LogLevel line to and sshd will log login attempts.
I did not get any logs from sshd until I changed the LogLevel. |
dan_aka_jack Apprentice
Joined: 04 Dec 2004 Posts: 169
|
Posted: Tue Nov 08, 2005 11:36 am Post subject: |
|
|
Hi ChrBecke,
Thanks loads for both your replies. Sorry... I think we must have posted at exactly the same time! I didn't see your first reply when I posted my config files.
I ran a
Code: |
cd /var/log
cat * | grep sshd
|
... the good news is that sshd has always been logging to /var/log/auth.log. The bad news is that I've had about a million failed ssh login attempts! I'm glad I've got difficult passwords! I've now given my computer some IPTABLES love and made sure that only my work computer can login to my home computer.
Frightening!
Thanks,
Jack |
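Why `grep ssh` on /var/log/messages came up empty while /var/log/auth.log had everything: the following is an added example (not part of the thread) that evaluates an excerpt of the syslog.conf posted above for a given facility and priority. It models only the `*`, `=`, `none` and plain-priority selector forms described in syslog.conf(5); `!` negation is not handled, and the function names are hypothetical.

```python
import re

# Most severe first, so "info" means info and everything to its left.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Excerpt of the /etc/syslog.conf posted above (same rules, comments dropped).
SYSLOG_CONF = r"""
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
"""

def parse_rules(text):
    """Return [(selector_field, target_file)], joining backslash continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selectors, action = line.split(None, 1)
            rules.append((selectors, action.lstrip("-")))  # "-" only disables sync
    return rules

def matches(selector_field, facility, priority):
    """Apply the selectors left to right; later ones can override earlier ones."""
    allowed = set()  # priorities currently accepted for this facility
    for selector in selector_field.split(";"):
        facs, _, pri = selector.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if pri == "none":
            allowed.clear()
        elif pri == "*":
            allowed.update(PRIORITIES)
        elif pri.startswith("="):  # exactly this priority
            allowed.add(ALIASES.get(pri[1:], pri[1:]))
        else:  # plain priority: that level and everything more severe
            level = PRIORITIES.index(ALIASES.get(pri, pri))
            allowed.update(PRIORITIES[: level + 1])
    return priority in allowed

def destinations(facility, priority, conf=SYSLOG_CONF):
    return [path for sel, path in parse_rules(conf) if matches(sel, facility, priority)]
```

With `SyslogFacility AUTH` and `LogLevel INFO`, sshd's messages resolve to /var/log/auth.log only, because both catch-all rules carry `auth,authpriv.none`.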
Bigun Advocate
Joined: 21 Sep 2003 Posts: 2198
|
Posted: Tue Nov 08, 2005 1:34 pm Post subject: |
|
|
dan_aka_jack wrote: | Hi ChrBecke,
Thanks loads for both your replies. Sorry... I think we must have posted at exactly the same time! I didn't see your first reply when I posted my config files.
I ran a
Code: |
cd /var/log
cat * | grep sshd
|
... the good news is that sshd has always been logging to /var/log/auth.log. The bad news is that I've had about a million failed ssh login attempts! I'm glad I've got difficult passwords! I've now given my computer some IPTABLES love and made sure that only my work computer can login to my home computer.
Frightening!
Thanks,
Jack |
That's normal, see this thread --> https://forums.gentoo.org/viewtopic-t-210585.html
I have about a 4 Mb file of nothing but failed attempts..... _________________ "It's ok, they might have guns but we have flowers." - Perpetual Victim |
dan_aka_jack Apprentice
Joined: 04 Dec 2004 Posts: 169
|
Posted: Tue Nov 08, 2005 1:39 pm Post subject: |
|
|
Hi,
Thanks for that link... yeah... it was that "I got hacked" thread that prompted me to look at my own logs.
It's an interesting world out there in the wild!
Thanks,
Jack |
Bigun Advocate
Joined: 21 Sep 2003 Posts: 2198
|
Posted: Tue Nov 08, 2005 1:41 pm Post subject: |
|
|
Most secure thing I could find was to add the UserAllow variable to your sshd config. _________________ "It's ok, they might have guns but we have flowers." - Perpetual Victim |