Quote:
|
Originally Posted by sforget
I have noticed that the system log only records failed log-in attempts through SSH.
While still providing useful information, I would rather log ALL attempts at logging in through SSH, successful or otherwise. This way I can determine how secure my server is by also paying attention to who does successfully log in.
Any ideas how I might go about doing this?
|
You can also use the 'last' command--that will show you all logins--example:
apollo[root]:/root-> last
root pts/4 209.57.192.100 Thu Jun 23 15:28 still logged in
root pts/3 192.168.100.11 Thu Jun 23 12:47 still logged in
root pts/3 192.168.100.11 Wed Jun 22 23:17 - 02:23 (03:05)
root pts/3 192.168.100.11 Wed Jun 22 22:21 - 22:52 (00:30)
root pts/5 209.57.192.100 Wed Jun 22 13:59 - 22:22 (08:23)
root pts/5 209.57.192.100 Wed Jun 22 13:38 - 13:58 (00:19)
root pts/3 192.168.100.11 Wed Jun 22 01:34 - 14:06 (12:31)
Also, the /var/log/messages file shows you all attempts, failed or successful:
Jun 23 14:03:12 apollo sshd(pam_unix)[5487]: check pass; user unknown
Jun 23 14:03:12 apollo sshd(pam_unix)[5487]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.51.253.38
Jun 23 14:03:17 apollo sshd(pam_unix)[5489]: check pass; user unknown
Jun 23 14:03:17 apollo sshd(pam_unix)[5489]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.51.253.38
Jun 23 15:28:40 apollo sshd(pam_unix)[6183]: session opened for user root by root(uid=0)
(looks like I already have someone trying to crack my new install of fc4--sheesh)
Finally, if you are running logwatch, which runs by default in fc4, you should have these messages in root's mailbox daily:
U 4
root@localhost.local Sun Jun 19 04:02 176/6410 "LogWatch for apollo"
contents:
sshd:
Authentication Failures:
root (192.168.100.11): 2 Time(s)
Sessions Opened:
root by root: 4 Time(s)
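The tally below is an added example, not part of the original post or of logwatch: it parses the sshd(pam_unix) lines quoted above and counts failed attempts per remote host alongside opened sessions per user, so successful and failed logins show up in one summary. The function name `summarize` and the handling of an optional trailing `user=` field are assumptions.

```python
import re
from collections import Counter

# Lines copied from the /var/log/messages excerpt in the post above.
SAMPLE = """\
Jun 23 14:03:12 apollo sshd(pam_unix)[5487]: check pass; user unknown
Jun 23 14:03:12 apollo sshd(pam_unix)[5487]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.51.253.38
Jun 23 14:03:17 apollo sshd(pam_unix)[5489]: check pass; user unknown
Jun 23 14:03:17 apollo sshd(pam_unix)[5489]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.51.253.38
Jun 23 15:28:40 apollo sshd(pam_unix)[6183]: session opened for user root by root(uid=0)
"""

# syslog prefix: timestamp, host, sshd(pam_unix)[pid]: message
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\(pam_unix\)\[\d+\]: (.*)$")
# Assumption: pam_unix appends "user=<name>" only when the account exists.
FAIL = re.compile(r"^authentication failure;.*\brhost=(\S*)(?:\s+user=(\S+))?")
OPEN = re.compile(r"^session opened for user (\S+)")


def summarize(lines):
    """Return (failures, sessions): failures keyed by (rhost, user), sessions by user."""
    failures, sessions = Counter(), Counter()
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not an sshd(pam_unix) record
        msg = m.group(1)
        f = FAIL.match(msg)
        if f:
            # No user= field means the account name did not exist on this host.
            failures[(f.group(1) or "local", f.group(2) or "unknown user")] += 1
            continue
        o = OPEN.match(msg)
        if o:
            sessions[o.group(1)] += 1
    return failures, sessions


if __name__ == "__main__":
    failures, sessions = summarize(SAMPLE.splitlines())
    print("Authentication Failures:")
    for (rhost, user), n in failures.most_common():
        print(f"  {user} ({rhost}): {n} Time(s)")
    print("Sessions Opened:")
    for user, n in sessions.most_common():
        print(f"  {user}: {n} Time(s)")
```

To run it against a live log, pass an open file object for /var/log/messages to `summarize` instead of the embedded sample.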