Q&A: Log Failed SSH Log-In Attempts

Q) I have a brand new Ubuntu Server installation with port 22 (SSH) facing the Internet. While looking at the logs I noticed that no information such as failed log-in attempts is being logged. What file and parameter do I need to change in order to start logging failed attempts?

A) By default OpenSSH on Ubuntu is not set to log failed log-in attempts. I guess the logic behind this decision is to reduce the amount of logs being generated. The risk associated with not logging failed attempts is that you will never know if your server is being targeted by the bad guys; pretty much anything exposed to the Internet is bound to be a target of some sort.

Solution

In order to start logging failed attempts you need root, a text editor, and access to the sshd_config file.

Open the file /etc/ssh/sshd_config with your favorite editor.

nano /etc/ssh/sshd_config

Look for the "# Logging" comment line and, in the block below it, change the parameter from LogLevel INFO to LogLevel VERBOSE.

# Logging
SyslogFacility AUTH 
LogLevel INFO

The new configuration should look like this:

# Logging
SyslogFacility AUTH 
LogLevel VERBOSE

From now on the system will log all failed attempts to /var/log/auth.log. Just don’t be surprised about your popularity with the bad guys!
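
To check the setting and see who is knocking, the script below reads the LogLevel from a config file and counts failed password log-ins per source address. It is an added example, not part of the original post: the function names, temporary files and log lines are constructed for illustration, with the log lines following the usual OpenSSH "Failed password" message format.

```shell
#!/bin/sh
# Added example; names and sample data are constructed for illustration.

# Print the first uncommented LogLevel in an sshd_config-style file
# (sshd keeps the first value it reads; keywords are case-insensitive).
# Prints INFO when the keyword is absent. Match blocks are not handled.
effective_loglevel() {
    awk 'tolower($1) == "loglevel" { print toupper($2); found = 1; exit }
         END { if (!found) print "INFO" }' "$1"
}

# Print "<count> <source address>" for failed password log-ins, busiest first.
# The user name is chosen by the client and may itself contain
# " from ... port ...", so the greedy match keeps only the last such pair,
# which is the one sshd wrote.
failed_by_source() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' "$1" |
        sed -E 's/.* from ([^ ]+) port [0-9]+.*/\1/' |
        sort | uniq -c | sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample of the edited configuration.
cat > "$tmp/sshd_config" <<'EOF'
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
EOF

# Constructed sample of /var/log/auth.log (documentation addresses only).
cat > "$tmp/auth.log" <<'EOF'
Jan 10 12:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:09 web1 sshd[1207]: Failed password for invalid user x from 192.0.2.99 port 1 from 198.51.100.7 port 40022 ssh2
Jan 10 12:01:00 web1 sshd[1210]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Jan 10 12:01:30 web1 sshd[1215]: Failed password for root from 203.0.113.5 port 51240 ssh2
EOF

echo "LogLevel: $(effective_loglevel "$tmp/sshd_config")"
failed_by_source "$tmp/auth.log"
```

On a live host, point the two functions at /etc/ssh/sshd_config and /var/log/auth.log as root. sshd reads its configuration at start-up, so an edited file applies after the service is restarted or reloaded, and sshd -T prints the settings the daemon would use.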

Author Information
This is bot1, I come in peace.