Solved

Failed SSH login log - CentOS

Posted on 2010-11-19
Last Modified: 2012-05-10
I am running CentOS - where do failed SSH login attempts get logged to?
Question by:tonygoodchild
15 Comments
 
LVL 11

Expert Comment

by:N R
ID: 34177692
/var/log/message
0
 
LVL 11

Expert Comment

by:N R
ID: 34177715
or

/var/log/btmp
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34178400
The best place to check where your failed logins are getting logged is your /etc/syslog.conf. My syslog.conf has the following entry:

# The authpriv file has restricted access.
authpriv.*                      /var/log/secure

which means all my failed logins are logged in /var/log/secure.
regards
0
 
LVL 19

Accepted Solution

by:
jools earned 125 total points
ID: 34178804
On my system, which has not been modified, they are logged in /var/log/secure.
0
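Once failed attempts are reaching /var/log/secure as in the accepted answer, they can be summarised per source address. This is an added example, not part of the original thread; the function name `failed_by_source` and the log lines are constructed, and the lines assume OpenSSH's usual "Failed password for USER from ADDR port N ssh2" message format.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# The function name and the log lines below are constructed for illustration.

# The user name is chosen by the remote client and may itself contain
# " from <ip> port ...", so the address is taken by position from the END
# of the line instead of trusting the first "from".
failed_by_source() {
    awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" &&
         $(NF-4) == "from" && $(NF-2) == "port" { count[$(NF-3)]++ }
         END { for (ip in count) print count[ip], ip }' "$1" |
        sort -k1,1nr -k2,2
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
log="$tmp/secure"

# Constructed sample in the style of /var/log/secure (documentation addresses).
cat > "$log" <<'EOF'
Nov 19 10:01:12 host sshd[2210]: Failed password for root from 203.0.113.7 port 40022 ssh2
Nov 19 10:01:15 host sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Nov 19 10:02:40 host sshd[2231]: Accepted password for tony from 198.51.100.4 port 51515 ssh2
Nov 19 10:03:01 host sshd[2240]: Failed password for tony from 198.51.100.4 port 51600 ssh2
Nov 19 10:04:09 host sshd[2255]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 203.0.113.7 port 40100 ssh2
EOF

# Prints "<count> <address>", highest count first.
failed_by_source "$log"
```

The last sample line carries a user name crafted to look like a log suffix; counting from the end of the line attributes it to the real peer address, not to the address embedded in the name.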
 
LVL 2

Expert Comment

by:maxalarie
ID: 34191515
/var/log  files named: auth.log
0
 
LVL 19

Expert Comment

by:jools
ID: 34192948
@maxalarie: There is no auth.log in /var/log in the general CentOS install.

If you want to check all file locations you can check the /etc/syslog.conf file; this can be modified to log to any file you want.
0
 

Author Comment

by:tonygoodchild
ID: 34193170
Thanks, but none of these files have anything in them or they don't exist:

/var/log/auth.log -> does not exist
/etc/syslog.conf -> does not exist
/var/log/messages -> empty
/var/log/btmp -> filled with random characters
/var/log/secure -> empty

Does this mean that logging is just not enabled at all?
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34193738
Try the command
# service syslog status

It should display something like this:
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

If it displays "unrecognized service" then check
# rpm -qa | grep log
Can you find any package like syslogd, sysklogd or syslog-ng? If not, you will have to install the package.

regards
0
 
LVL 19

Expert Comment

by:jools
ID: 34194457
If the files aren't there then they have either not been installed or deleted.

Use: yum install sysklogd
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196793
Can you post your sshd_config file? You should find it in /etc/sshd

Make sure the logging is activated:


# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
0
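The two settings discussed in this thread, the `authpriv.*` selector in syslog.conf and `SyslogFacility` in sshd_config, together decide which file receives sshd's messages. The following added example (not from the thread) resolves that file; the function names and both sample files are constructed, and selector matching is simplified to "any priority except none".

```shell
#!/bin/sh
# Added example: resolve which file receives sshd's messages.
# Function names and sample files are constructed for illustration.

# Effective SyslogFacility: the first uncommented keyword wins,
# and sshd falls back to AUTH when the keyword is absent.
sshd_facility() {
    awk 'tolower($1) == "syslogfacility" && !seen { print toupper($2); seen = 1 }
         END { if (!seen) print "AUTH" }' "$1"
}

# Log files whose selector includes the facility. Simplification: any priority
# other than "none" counts, and a later ";fac.none" cancels an earlier match.
syslog_targets() {
    awk -v fac="$1" '
        BEGIN { fac = tolower(fac) }
        /^[ \t]*(#|$)/ { next }
        {
            hit = 0
            n = split($1, parts, ";")
            for (i = 1; i <= n; i++) {
                split(parts[i], fp, "[.]")
                m = split(fp[1], facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*")
                        hit = (fp[2] != "none")
            }
            action = $2
            sub(/^-/, "", action)      # leading "-" only disables sync
            if (hit && action ~ /^\//) print action
        }' "$2"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/syslog.conf" <<'EOF'
# constructed sample in the style of a stock sysklogd configuration
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
EOF

cat > "$tmp/sshd_config" <<'EOF'
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
EOF

fac=$(sshd_facility "$tmp/sshd_config")
echo "sshd facility $fac -> $(syslog_targets "$fac" "$tmp/syslog.conf")"
```

With the sample files this resolves AUTHPRIV to /var/log/secure; if sshd_config left the facility at AUTH, the same syslog.conf would send the messages to /var/log/messages through the `*.info` selector.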
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196874
Some say it's a bug, but apparently it's definitely an attack:

http://kerneltrap.org/node/7182
0
 
LVL 19

Expert Comment

by:jools
ID: 34198322
I'm not sure you could go as far as saying it's an attack at this stage; there has been no information posted to make us think that at the present time.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34198340
I posted in the wrong thread. Please disregard my post above.
0
 

Author Comment

by:tonygoodchild
ID: 34219057
Sorry for delay,
 here is the config

Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem      sftp      /usr/libexec/openssh/sftp-server
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34219680
You didn't tell me anything about my previous post. Do you find any other logging like messages, mail.log etc. in your /var/log?
Try the command
# service syslog status

It should display something like this:
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

If it displays "unrecognized service" then check
# rpm -qa | grep log
Can you find any package like syslogd, sysklogd or syslog-ng? If not, you will have to install the package.

cheers
0
