Solved

Failed SSH login log - CentOS

Posted on 2010-11-19
Last Modified: 2012-05-10
I am running CentOS - where do failed SSH login attempts get logged to?
Question by:tonygoodchild
15 Comments
 
LVL 11

Expert Comment

by:N R
ID: 34177692
/var/log/message
0
 
LVL 11

Expert Comment

by:N R
ID: 34177715
or

/var/log/btmp
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34178400
The best place to check where your failed logins are getting logged is your /etc/syslog.conf. My syslog.conf has the following entry:

# The authpriv file has restricted access.
authpriv.*                      /var/log/secure

which means all my failed logins are logged in /var/log/secure.
Regards
0
 
LVL 19

Accepted Solution

by:
jools earned 125 total points
ID: 34178804
On my system, which has not been modified, they are logged in /var/log/secure.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34191515
/var/log  files named: auth.log
0
 
LVL 19

Expert Comment

by:jools
ID: 34192948
@maxalarie: There is no auth.log in /var/log in the general CentOS install.

If you want to check all file locations, you can check the /etc/syslog.conf file; this can be modified to log to any file you want.
0
 

Author Comment

by:tonygoodchild
ID: 34193170
Thanks, but none of these files have anything in them or they don't exist:

/var/log/auth.log -> does not exist
/etc/syslog.conf -> does not exist
/var/log/messages -> empty
/var/log/btmp -> filled with random characters
/var/log/secure -> empty

Does this mean that logging is just not enabled at all?
0
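The "random characters" in /var/log/btmp are binary login records rather than text; on Linux the `lastb` command prints them. As an added example (not part of the original thread), this sketch decodes such records, assuming the 384-byte glibc `struct utmp` layout used on x86/x86_64 Linux; the sample records are constructed, not real log data.

```python
import socket
import struct
from datetime import datetime, timezone

# One glibc "struct utmp" record as written on x86/x86_64 Linux (assumed layout):
# type, pid, line[32], id[4], user[32], host[256], exit (2 shorts), session,
# tv_sec, tv_usec, addr_v6 (16 bytes), 20 unused bytes = 384 bytes.
UTMP = struct.Struct("<h2xi32s4s32s256s2hi2i16s20x")

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_btmp(data):
    """Yield one dict per failed-login record in a btmp byte string."""
    usable = len(data) - len(data) % UTMP.size  # skip a truncated tail
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        addr = f[11]
        if any(addr[4:]):  # bytes beyond the first four are set: IPv6
            ip = socket.inet_ntop(socket.AF_INET6, addr)
        else:              # IPv4 lives in the first four bytes
            ip = socket.inet_ntoa(addr[:4])
        yield {
            "user": _text(f[4]),
            "line": _text(f[2]),
            "host": _text(f[5]),
            "addr": ip,
            "pid": f[1],
            "time": datetime.fromtimestamp(f[9], timezone.utc).isoformat(),
        }

def sample_btmp():
    """Two constructed records (not real log data), packed like btmp entries."""
    def rec(user, ip, ts):
        # ut_type 6 is LOGIN_PROCESS; pid 4242 is an arbitrary sample value
        return UTMP.pack(6, 4242, b"ssh:notty", b"", user, ip.encode(),
                         0, 0, 0, ts, 0, socket.inet_aton(ip) + bytes(12))
    return rec(b"root", "203.0.113.5", 1290124800) + \
           rec(b"admin", "198.51.100.7", 1290124860)

if __name__ == "__main__":
    for r in parse_btmp(sample_btmp()):
        print(r["time"], r["user"], r["line"], r["addr"])
```

To run it against a real file, pass `open("/var/log/btmp", "rb").read()` to `parse_btmp` as root.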
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34193738
Try the command
# service syslog status

It should display something like this:
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

If it displays "unrecognized service", then check
# rpm -qa | grep log
Can you find any package like syslogd, sysklogd or syslog-ng? If not, you will have to install the package.

regards
0
 
LVL 19

Expert Comment

by:jools
ID: 34194457
If the files aren't there, then they have either not been installed or been deleted.

Use: yum install sysklogd
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196793
Can you post your sshd_config file? You should find it in /etc/sshd

Make sure the logging is activated:


# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196874
Some say it's a bug, but apparently it's definitively an attack:

http://kerneltrap.org/node/7182
0
 
LVL 19

Expert Comment

by:jools
ID: 34198322
I'm not sure you could go as far as saying it's an attack at this stage; there has been no information posted to make us think that at the present time.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34198340
I posted in the wrong thread. Please disregard my post above.
0
 

Author Comment

by:tonygoodchild
ID: 34219057
Sorry for the delay, here is the config:

Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem      sftp      /usr/libexec/openssh/sftp-server
0
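Where sshd's failure messages end up depends on two files together: the SyslogFacility in sshd_config and the selector rules in syslog.conf. The following added example (not from the thread's participants) resolves that mapping for sysklogd-style rules; it handles only the `*`, `none` and plain-priority selector forms, assumes sshd logs failed passwords at `info`, and uses constructed sample configs (the `/var/log/messages` rule is an illustrative addition).

```python
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def sshd_facility(sshd_config):
    """Return the SyslogFacility sshd will use (OpenSSH defaults to AUTH)."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "syslogfacility":
            return parts[1].lower()  # first uncommented occurrence wins
    return "auth"

def selector_matches(selector, facility, level):
    """sysklogd-style match; later ';' entries override earlier ones."""
    hit = False
    for entry in selector.split(";"):
        facs, _, prio = entry.strip().rpartition(".")
        names = facs.split(",")
        if facility not in names and "*" not in names:
            continue
        if prio == "none":
            hit = False
        elif prio == "*":
            hit = True
        elif prio in LEVELS:  # plain priority: that level and above
            hit = LEVELS.index(level) >= LEVELS.index(prio)
    return hit

def destinations(syslog_conf, facility, level="info"):
    """Return every action (file, host, ...) that receives facility.level."""
    out = []
    for line in syslog_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) == 2 and selector_matches(fields[0], facility, level):
            out.append(fields[1].lstrip("-"))  # '-' only disables sync
    return out

# Constructed samples: the facility line from the config posted above and
# the authpriv rule quoted earlier in the thread, plus one illustrative rule.
SSHD = "Protocol 2\nSyslogFacility AUTHPRIV\nPermitRootLogin yes\n"
SYSLOG = ("*.info;mail.none;authpriv.none;cron.none  /var/log/messages\n"
          "# The authpriv file has restricted access.\n"
          "authpriv.*                      /var/log/secure\n")

if __name__ == "__main__":
    print(destinations(SYSLOG, sshd_facility(SSHD)))
```

An empty result means no rule receives the facility, which is also what an absent syslog.conf amounts to.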
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34219680
You didn't tell me anything about my previous post. Do you find any other logging like messages, mail.log etc. in your /var/log?
Try the command
# service syslog status

It should display something like this:
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

If it displays "unrecognized service", then check
# rpm -qa | grep log
Can you find any package like syslogd, sysklogd or syslog-ng? If not, you will have to install the package.

cheers
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question