Debian: logging of SSH failed login attempts?


Solution 1

You can (by default) check for these failures in /var/log/auth.log

Solution 2

The first line means that a connection attempt was received from an IP address. The ssh server attempted to reverse-resolve the address and got a hostname (dinamic-tigo186-180-143-166.tigo.com.co), but when it attempted to forward-resolve that hostname to get back to the original IP address, it failed. This isn't fatal, it usually means someone else has screwed up their DNS, but ssh lets you know that that log entry has failed a basic can-I-be-relied-on test.

The second line means someone from the same IP address tried to ssh in as root, and failed.

If you get too many of the second kind of entry and want to make things harder for people, I wrote a piece on techniques for dealing with automated ssh password guessing that may interest you, though it doesn't cover fail2ban and similar technologies (because I don't like them).
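The two log lines discussed in this answer are the PAM record of a failed password and the reverse-DNS sanity warning; on Debian, sshd also writes a "Failed password for ... from ... port ..." line for the same attempt (and "invalid user" when the account does not exist). The script below is an added example, not code from either answer: it parses a handful of constructed auth.log lines modelled on the ones in the question, keeps the PAM failure and the "Failed password" line as separate counters so that one attempt is not counted twice, records the reverse-mapping warning alongside the failures for the same address, and lists the sources that cross a threshold. The sample lines, the threshold and the function names are assumptions for the example; the regexes match only on the message text, so they also cope with the truncated first line in the question, which is missing its timestamp prefix.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines (not real server logs), modelled on the
# format shown in the question.
SAMPLE_AUTH_LOG = """\
Feb 21 03:44:21 ns3xxxx9 sshd[7497]: reverse mapping checking getaddrinfo for dinamic-tigo186-180-143-166.tigo.com.co [186.180.143.166] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 21 03:44:22 ns3xxxx9 sshd[7497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.180.143.166  user=root
Feb 21 03:44:24 ns3xxxx9 sshd[7497]: Failed password for root from 186.180.143.166 port 51234 ssh2
Feb 21 03:44:26 ns3xxxx9 sshd[7497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.180.143.166  user=root
Feb 21 03:44:27 ns3xxxx9 sshd[7497]: Failed password for root from 186.180.143.166 port 51234 ssh2
Feb 21 03:44:30 ns3xxxx9 sshd[7502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.180.143.166
Feb 21 03:44:31 ns3xxxx9 sshd[7502]: Failed password for invalid user admin from 186.180.143.166 port 51240 ssh2
Feb 21 03:45:01 ns3xxxx9 sshd[7510]: Accepted publickey for alice from 203.0.113.7 port 40022 ssh2
Feb 21 03:45:10 ns3xxxx9 sshd[7511]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=alice
Feb 21 03:45:11 ns3xxxx9 sshd[7511]: Failed password for alice from 198.51.100.9 port 40100 ssh2
"""

# Match on the message text only, so a line that lost its timestamp/host
# prefix (as the first line in the question did) is still recognised.
PAM_FAIL = re.compile(
    r"pam_unix\(sshd:auth\): authentication failure;.*?"
    r"rhost=(?P<ip>\S+)(?:\s+user=(?P<user>\S+))?"
)
FAILED_PW = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
REVERSE_MAP = re.compile(
    r"reverse mapping checking getaddrinfo for (?P<host>\S+) "
    r"\[(?P<ip>[^\]]+)\] failed"
)


def _new_entry():
    return {"failures": 0, "failed_password": 0, "reverse_dns_warnings": 0,
            "users": set(), "invalid_users": set(), "hosts": set()}


def summarise_auth_log(lines):
    """Return {source_ip: counters} for the sshd events in `lines`.

    The pam_unix line and the "Failed password" line are two records of
    the same attempt, so they are kept in separate counters rather than
    summed; 'failures' (the PAM count) is the one used for thresholds.
    """
    stats = defaultdict(_new_entry)
    for line in lines:
        if m := PAM_FAIL.search(line):
            entry = stats[m["ip"]]
            entry["failures"] += 1
            if m["user"]:                 # absent when the user is unknown
                entry["users"].add(m["user"])
        elif m := FAILED_PW.search(line):
            entry = stats[m["ip"]]
            entry["failed_password"] += 1
            bucket = entry["invalid_users"] if m["invalid"] else entry["users"]
            bucket.add(m["user"])
        elif m := REVERSE_MAP.search(line):
            # Not a failure by itself; noted so it can be read next to
            # the failures from the same address.
            entry = stats[m["ip"]]
            entry["reverse_dns_warnings"] += 1
            entry["hosts"].add(m["host"])
    return dict(stats)


def noisy_sources(stats, threshold=3):
    """Addresses with at least `threshold` PAM authentication failures."""
    return sorted(ip for ip, s in stats.items() if s["failures"] >= threshold)


if __name__ == "__main__":
    # Pass a path (e.g. /var/log/auth.log) to analyse a real file;
    # without one the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            summary = summarise_auth_log(fh)
    else:
        summary = summarise_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for ip, s in sorted(summary.items()):
        print(f"{ip}: {s['failures']} failures, users={sorted(s['users'])}, "
              f"invalid={sorted(s['invalid_users'])}, "
              f"reverse-dns warnings={s['reverse_dns_warnings']}")
    print("over threshold:", noisy_sources(summary))
```

Run against the sample, the tigo.com.co address shows three PAM failures (two for root, one for a non-existent "admin") plus one reverse-DNS warning, the single failure for alice stays under the threshold, and the successful publickey login is ignored entirely. Counting the PAM line rather than the "Failed password" line is deliberate: the PAM line is the one the question's auth.log excerpt actually shows, and the "Failed password" line only cross-checks it.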

Author: dynamic

Updated on September 17, 2022

Comments

  • dynamic
    dynamic 3 months

    I just typed a wrong password for an ssh login as root.

    I went to

    /var/log/faillog
    

    But the file is empty (though its file size is 32 bytes).

    OK, auth.log is spammed with this:

    reverse mapping checking getaddrinfo for dinamic-tigo186-180-143-166.tigo.com.co [186.180.143.166] failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb 21 03:44:22 ns3xxxx9 sshd[7497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=186.180.143.166  user=root
    

    What's that?

  • dynamic
    dynamic almost 12 years
    Thanks, +1. Do you know what those log lines mean? (See the additions to the first post.)
  • MadHatter
    MadHatter almost 12 years
    OpenSSH (not "Linux", the kernel isn't responsible for this) will not automatically block logins from a given address after a certain number of failures. There do exist rate-limiting configuration variables you can use inside sshd's config file (man sshd_config), or you can use fail2ban, or you can use one of the ideas in my tech note. The joy of free software is that the power and the responsibility are both yours: go for it.
  • signine almost 12 years
    The getaddrinfo error just means that something was strange with the DNS records for that IP/hostname. Not a serious error, really. The second line is where they fail to login as root.