Failed SSH login log - CentOS

Posted on 2010-11-19
Last Modified: 2012-05-10
I am running CentOS - where do failed SSH login attempts get logged to?
0
Question by:tonygoodchild
15 Comments
 
LVL 12

Expert Comment

by:Nathan Riley
ID: 34177692
/var/log/message
0
 
LVL 12

Expert Comment

by:Nathan Riley
ID: 34177715
or

/var/log/btmp
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34178400
The best place to check where your failed logins are getting logged is your /etc/syslog.conf. My syslog.conf has the following entry:

# The authpriv file has restricted access.
authpriv.*                      /var/log/secure

which means all my failed logins are logged in /var/log/secure.
Regards
0
 
LVL 19

Accepted Solution

by:
jools earned 500 total points
ID: 34178804
On my system, which has not been modified, they are logged in /var/log/secure.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34191515
/var/log files named: auth.log
0
 
LVL 19

Expert Comment

by:jools
ID: 34192948
@maxalarie: There is no auth.log in /var/log in the general CentOS install.

If you want to check all file locations, you can check the /etc/syslog.conf file; this can be modified to log to any file you want.
0
 

Author Comment

by:tonygoodchild
ID: 34193170
Thanks, but none of these files have anything in them or they don't exist:

/var/log/auth.log -> does not exist
/etc/syslog.conf -> does not exist
/var/log/messages -> empty
/var/log/btmp -> filled with random characters
/var/log/secure -> empty

Does this mean that logging is just not enabled at all?
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34193738
Try the command
# service syslog status

It should display something like this:
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

If it displays "unrecognized service" then check
# rpm -qa | grep log
Can you find any package like syslogd, sysklogd or syslog-ng? If not, you will have to install the package.

Regards
0
 
LVL 19

Expert Comment

by:jools
ID: 34194457
If the files aren't there then they have either not been installed or deleted.

Use: yum install sysklogd
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196793
Can you post your sshd_config file? You should find it in /etc/sshd

Make sure the logging is activated:


# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196874
Some say it's a bug, but apparently it's definitively an attack:

http://kerneltrap.org/node/7182
0
 
LVL 19

Expert Comment

by:jools
ID: 34198322
I'm not sure you could go as far as saying it's an attack at this stage; there has been no information posted to make us think that at the present time.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34198340
I posted in the wrong thread. Please disregard my post above.
0
 

Author Comment

by:tonygoodchild
ID: 34219057
Sorry for the delay,
here is the config:

Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem      sftp      /usr/libexec/openssh/sftp-server
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34219680
You didn't tell me anything about my previous post. Do you find any other logging like messages, mail.log etc. in your /var/log?
Try the command
# service syslog status

It should display something like this:
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

If it displays "unrecognized service" then check
# rpm -qa | grep log
Can you find any package like syslogd, sysklogd or syslog-ng? If not, you will have to install the package.

Cheers
0
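
The lookup described in the answers above (read SyslogFacility from sshd_config, then find the syslog.conf rule that covers that facility) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical, the default paths and the info priority for failed-password messages are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: trace where sshd's auth messages are written.
# Effective SyslogFacility: sshd uses the first occurrence of a keyword
# and defaults to AUTH when the keyword is absent or commented out.
sshd_facility() {
    awk 'tolower($1) == "syslogfacility" { f = tolower($2); exit }
         END { print (f == "" ? "auth" : f) }' "$1"
}

# Actions in a sysklogd-style config ($3) that receive facility $1 at
# priority $2. Handles "*", comma lists, "none", "=" and "!" selectors.
syslog_targets() {
    awk -v fac="$1" -v pri="$2" '
    BEGIN { n = split("emerg alert crit err warning notice info debug", p, " ")
            for (i = 1; i <= n; i++) lvl[p[i]] = i
            lvl["panic"] = 1; lvl["error"] = 4; lvl["warn"] = 5 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        hit = 0
        m = split($1, item, ";")        # later items override earlier ones
        for (i = 1; i <= m; i++) {
            d = index(item[i], "."); if (d == 0) continue
            f = "," substr(item[i], 1, d - 1) ","
            want = substr(item[i], d + 1)
            if (f != ",*," && index(f, "," fac ",") == 0) continue
            if (want == "none") { hit = 0; continue }
            neg = sub(/^!/, "", want); eq = sub(/^=/, "", want)
            ok = (want == "*") || (eq ? (lvl[want] == lvl[pri]) : (lvl[want] >= lvl[pri]))
            if (neg) { if (ok) hit = 0 } else if (ok) hit = 1
        }
        act = $2; sub(/^-/, "", act)    # leading "-" only disables sync
        if (hit) print act
    }' "$3"
}

# Failed-password messages assumed at priority info; default paths are assumptions.
ssh_log_targets() {
    syslog_targets "$(sshd_facility "${1:-/etc/ssh/sshd_config}")" info \
        "${2:-/etc/syslog.conf}"
}

# Constructed sample files: the SyslogFacility line posted in the thread
# and two typical syslog.conf rules.
d=$(mktemp -d)
printf '%s\n' 'Protocol 2' 'SyslogFacility AUTHPRIV' > "$d/sshd_config"
printf '%s\n' '*.info;mail.none;authpriv.none;cron.none  /var/log/messages' \
    'authpriv.*  /var/log/secure' > "$d/syslog.conf"
ssh_log_targets "$d/sshd_config" "$d/syslog.conf"
```

An empty result from `ssh_log_targets` means no rule in the config covers the facility, which is a separate condition from the syslog daemon not running at all.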
