Improve company productivity with a Business Account.Sign Up

x
?
Solved

Failed SSH login log - CentOS

Posted on 2010-11-19
15
Medium Priority
?
1,548 Views
Last Modified: 2012-05-10
I am running CentOS - where do failed SSH login attempts get logged to?
0
Comment
Question by:tonygoodchild
  • 4
  • 4
  • 3
  • +2
15 Comments
 
LVL 12

Expert Comment

by:Nathan Riley
ID: 34177692
/var/log/message
0
 
LVL 12

Expert Comment

by:Nathan Riley
ID: 34177715
or

/var/log/btmp
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34178400
The best place to check where is your failed login getting logged is your /etc/syslog.conf. In my syslog.conf has the following entry

# The authpriv file has restricted access.
authpriv.*                      /var/log/secure

which means all my failed login are logged in /var/log/secure.
regards
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
LVL 19

Accepted Solution

by:
jools earned 500 total points
ID: 34178804
on my system which has not been modified they are logged in /var/log/secure.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34191515
/var/log  files named: auth.log
0
 
LVL 19

Expert Comment

by:jools
ID: 34192948
@maxalarie: there is no auth.log in /var/log in the general centos install.

if you want to check all file locations you can check the /etc/syslog.conf file this can be modified to log to any file you want.
0
 

Author Comment

by:tonygoodchild
ID: 34193170
Thanks, but none of these files have anything in them or they don't exist:

/var/log/auth.log -> does not exist
/etc/syslog.conf -> does not exist
/var/log/messages -> empty
/var/log/btmp -> filld with random characters
/var/log/secure -> empty

Does this mean that logging is just not enabled at all?
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34193738
Try the command
# service syslog status

it should display you like this
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

if it displays "unrecognized service" then check
#rpm -qa | grep log
can you find any package like syslogd or sysklogd or syslog-ng if not you will have to install the package.

regards
0
 
LVL 19

Expert Comment

by:jools
ID: 34194457
If the files arent there then they have either not been installed or deleted,

use; yum install sysklogd
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196793
can you post your sshd_config file? You should find it  in /etc/sshd

make sure the logging is  activated:


# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196874
Some say its a bug, but apparently its definitevely an attack:

http://kerneltrap.org/node/7182
0
 
LVL 19

Expert Comment

by:jools
ID: 34198322
I'm not sure you could go as far a saying it's an attack at this stage, there has been no information posted to make us think that at the present time.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34198340
I posted in the wrong thread.. Please disregards  my post above.
0
 

Author Comment

by:tonygoodchild
ID: 34219057
Sorry for delay,
 here is the config

Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem      sftp      /usr/libexec/openssh/sftp-server
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34219680
You din't tell me anything about my previous post. Do you find any other logging like messages, mail.log etc in your /var/log....
Try the command
# service syslog status

it should display you like this
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

if it displays "unrecognized service" then check
#rpm -qa | grep log
can you find any package like syslogd or sysklogd or syslog-ng if not you will have to install the package.

cheers
0

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
This installment of Make It Better gives Media Temple customers the latest news, plugins, and tutorials to make their Grid shared hosting experience that much smoother.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question