Originally Posted by sforget
I have noticed that the system log only records failed log-in attempts through SSH.
While still providing useful information, I would rather log ALL attempts at logging in through SSH, successful or otherwise. This way I can determine how secure my server is by also paying attention to who does successfully log in.
Any ideas how I might go about doing this?
You can also use the 'last' command--that will show you all logins--example:
root pts/4 188.8.131.52 Thu Jun 23 15:28 still logged in
root pts/3 192.168.100.11 Thu Jun 23 12:47 still logged in
root pts/3 192.168.100.11 Wed Jun 22 23:17 - 02:23 (03:05)
root pts/3 192.168.100.11 Wed Jun 22 22:21 - 22:52 (00:30)
root pts/5 184.108.40.206 Wed Jun 22 13:59 - 22:22 (08:23)
root pts/5 220.127.116.11 Wed Jun 22 13:38 - 13:58 (00:19)
root pts/3 192.168.100.11 Wed Jun 22 01:34 - 14:06 (12:31)
Also, the /var/log/messages file shows you all attempts, failed or successful:
Jun 23 14:03:12 apollo sshd(pam_unix): check pass; user unknown
Jun 23 14:03:12 apollo sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=18.104.22.168
Jun 23 14:03:17 apollo sshd(pam_unix): check pass; user unknown
Jun 23 14:03:17 apollo sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22.214.171.124
Jun 23 15:28:40 apollo sshd(pam_unix): session opened for user root by root(uid=0)
(looks like I already have someone trying to crack my new install of fc4--sheesh)
Finally, if you are running logwatch, which runs by default in fc4, you should have these messages in root's mailbox daily:
U 4 firstname.lastname@example.org
l Sun Jun 19 04:02 176/6410 "LogWatch for apollo"
root (192.168.100.11): 2 Time(s)
root by root: 4 Time(s)
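
Added example, not part of the original post: a small Python parser that summarizes failed and successful SSH logins from sshd(pam_unix) lines in the format quoted from /var/log/messages above. The sample log is constructed (documentation-range addresses), and the function name and the trailing `user=` field on a failure line for a known account are assumptions not shown in the post.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/messages format quoted above
# (addresses are documentation ranges, not values from the post).
SAMPLE_LOG = """\
Jun 23 14:03:12 apollo sshd(pam_unix): check pass; user unknown
Jun 23 14:03:12 apollo sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jun 23 14:03:17 apollo sshd(pam_unix): check pass; user unknown
Jun 23 14:03:17 apollo sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jun 23 14:05:01 apollo sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Jun 23 14:06:30 apollo crond(pam_unix): session opened for user root by (uid=0)
Jun 23 15:28:40 apollo sshd(pam_unix): session opened for user root by root(uid=0)
"""

PREFIX = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\(pam_unix\): (.*)$")
FAILURE = re.compile(r"authentication failure;.*\brhost=(\S*)(?:\s+user=(\S+))?")
OPENED = re.compile(r"session opened for user (\S+)")

def summarize(log_text):
    """Return (failures, opened): failures counts (rhost, user) pairs,
    opened lists (timestamp, user) for each sshd session that was opened."""
    failures = Counter()
    opened = []
    unknown_pending = False  # set by a preceding "check pass; user unknown"
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # other services (cron, su, ...) are ignored
        stamp, msg = m.groups()
        if msg.startswith("check pass; user unknown"):
            unknown_pending = True
            continue
        f = FAILURE.search(msg)
        o = OPENED.search(msg)
        if f:
            user = f.group(2) or ("<unknown>" if unknown_pending else "<not logged>")
            failures[(f.group(1), user)] += 1
        elif o:
            opened.append((stamp, o.group(1)))
        unknown_pending = False
    return failures, opened

if __name__ == "__main__":
    failures, opened = summarize(SAMPLE_LOG)
    for (rhost, user), count in failures.most_common():
        print(f"FAILED  {count:3d}  {user:<12} from {rhost}")
    for stamp, user in opened:
        print(f"OPENED  {stamp}  {user}")
```

The "session opened" lines in this format carry no remote address, so the source of a successful login still has to be taken from the `last` output shown earlier.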