[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] sshd logins without a source
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] sshd logins without a source
- From: Laurelai <laurelai@xxxxxxxxxxxx>
- Date: Fri, 23 Sep 2011 04:51:23 -0500
On 9/23/2011 4:42 AM, paul.szabo@xxxxxxxxxxxxx wrote:
>> ... I can see in each servers sshd logs an entry like the following:
>> Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened
>> for user root by (uid=0)
>> Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed
>> for user root
>> ... seems odd that there is no IP address corresponding with the
>> login, I can't seem to reproduce that on my test servers.
> I do not think that sshd normally logs its source. What do you mean that
> you cannot reproduce? - To produce the desired log, I added to
> /etc/hosts.allow the line
> sshd : all : spawn /usr/bin/logger -t"%d[%p]" "Connection source %h port %r"
>
> Cheers, Paul
>
> Paul Szabo psz@xxxxxxxxxxxxxxxxx http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Don't most modern Linux distros log sshd by default? If for whatever
reason yours doesn't you can set the log level in the sshd config.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/