Solved

Failed SSH login log - CentOS

Posted on 2010-11-19
15
1,458 Views
Last Modified: 2012-05-10
I am running CentOS - where do failed SSH login attempts get logged to?
0
Comment
Question by:tonygoodchild
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
  • +2
15 Comments
 
LVL 11

Expert Comment

by:N R
ID: 34177692
/var/log/message
0
 
LVL 11

Expert Comment

by:N R
ID: 34177715
or

/var/log/btmp
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34178400
The best place to check where is your failed login getting logged is your /etc/syslog.conf. In my syslog.conf has the following entry

# The authpriv file has restricted access.
authpriv.*                      /var/log/secure

which means all my failed login are logged in /var/log/secure.
regards
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 19

Accepted Solution

by:
jools earned 125 total points
ID: 34178804
on my system which has not been modified they are logged in /var/log/secure.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34191515
/var/log  files named: auth.log
0
 
LVL 19

Expert Comment

by:jools
ID: 34192948
@maxalarie: there is no auth.log in /var/log in the general centos install.

if you want to check all file locations you can check the /etc/syslog.conf file this can be modified to log to any file you want.
0
 

Author Comment

by:tonygoodchild
ID: 34193170
Thanks, but none of these files have anything in them or they don't exist:

/var/log/auth.log -> does not exist
/etc/syslog.conf -> does not exist
/var/log/messages -> empty
/var/log/btmp -> filld with random characters
/var/log/secure -> empty

Does this mean that logging is just not enabled at all?
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34193738
Try the command
# service syslog status

it should display you like this
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

if it displays "unrecognized service" then check
#rpm -qa | grep log
can you find any package like syslogd or sysklogd or syslog-ng if not you will have to install the package.

regards
0
 
LVL 19

Expert Comment

by:jools
ID: 34194457
If the files arent there then they have either not been installed or deleted,

use; yum install sysklogd
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196793
can you post your sshd_config file? You should find it  in /etc/sshd

make sure the logging is  activated:


# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34196874
Some say its a bug, but apparently its definitevely an attack:

http://kerneltrap.org/node/7182
0
 
LVL 19

Expert Comment

by:jools
ID: 34198322
I'm not sure you could go as far a saying it's an attack at this stage, there has been no information posted to make us think that at the present time.
0
 
LVL 2

Expert Comment

by:maxalarie
ID: 34198340
I posted in the wrong thread.. Please disregards  my post above.
0
 

Author Comment

by:tonygoodchild
ID: 34219057
Sorry for delay,
 here is the config

Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem      sftp      /usr/libexec/openssh/sftp-server
0
 
LVL 9

Expert Comment

by:expert_tanmay
ID: 34219680
You din't tell me anything about my previous post. Do you find any other logging like messages, mail.log etc in your /var/log....
Try the command
# service syslog status

it should display you like this
syslogd (pid 5114) is running...
klogd (pid 5118) is running...

if it displays "unrecognized service" then check
#rpm -qa | grep log
can you find any package like syslogd or sysklogd or syslog-ng if not you will have to install the package.

cheers
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question