[Logwatch] No IP Address Reported For Unauthorized ssh Logins

MrC lists-logwatch at cappella.us
Tue Mar 11 09:37:36 MST 2008


Benjamin Avdicevic wrote:
> Hi Bob,
> 
> Thanks for your suggestions.
> 
> I just installed the latest version (7.3.6) binary RPM of logwatch, but I'm
> getting the same issue.  I first tried it without specifying --service sshd,
> and then I tried with it.  As you can see, *when I specify --service sshd I
> get no output on stdout*.
> 

Look in /var/log for the log file that contains sshd log entries.  It 
could be auth.log, security.log, messages, or any number of places for 
your distro/system.

Then, you need to configure logwatch to know where to look for those 
entries.  If you are not sure how to do this, first find the correct log 
file, and report back what you find.

MrC

> Thanks,
> 
> Ben
> 
> 
> =================================================================================
>  [root at benvmocs451 ~]# logwatch --print --range Today --detail High
> 
>  ################### Logwatch 7.3.6 (05/19/07) ####################
>         Processing Initiated: Tue Mar 11 12:23:58 2008
>         Date Range Processed: today
>                               ( 2008-Mar-11 )
>                               Period is day.
>       Detail Level of Output: 10
>               Type of Output: unformatted
>            Logfiles for Host: benvmocs451.bensvmsrv.platform.com
>   ##################################################################
> 
>  --------------------- pam_unix Begin ------------------------
> 
>  sshd:
>     Invalid Users:
>        Unknown Account: 3 Time(s)
> 
> 
>  ---------------------- pam_unix End -------------------------
> 
> 
>  --------------------- Disk Space Begin ------------------------
> 
>  Filesystem            Size  Used Avail Use% Mounted on
>  /dev/sda1             5.8G  2.9G  2.7G  53% /
>  /dev/sda5              12G  3.1G  8.4G  27% /state/partition1
>  /dev/sda3             981M  181M  750M  20% /var
>  /state/partition1/home/ben
>                         12G  3.1G  8.4G  27% /home/ben
>  /state/partition1/apps
>                         12G  3.1G  8.4G  27% /share/apps
>  /state/partition1/home/install
>                         12G  3.1G  8.4G  27% /home/install
> 
> 
>  ---------------------- Disk Space End -------------------------
> 
> 
>  ###################### Logwatch End #########################
> 
>  [root at benvmocs451 ~]# logwatch --print --range Today --service sshd
>  [root at benvmocs451 ~]#
> 
> =================================================================================
> 
> On Mon, Mar 10, 2008 at 7:20 PM, Bob McClure Jr <bob at bobcatos.com> wrote:
> 
>> On Mon, Mar 10, 2008 at 07:05:06PM -0400, Benjamin Avdicevic wrote:
>>> Hello,
>>>
>>> I would like to know why logwatch does not report IP addresses of
>>> Failed/Unauthorized ssh login attempts.  In case that someone was
>> attacking
>>> my machine I would not be able to see which IP they are coming from.
>>>
>>> Following is the output of pam_unix section of:  # logwatch --print
>> --range
>>> Today --detail 10
>>>
>>>  --------------------- pam_unix Begin ------------------------
>>>
>>> sshd:
>>>    Invalid Users:
>>>       Unknown Account: 3 Time(s)
>>>
>>>
>>>  ---------------------- pam_unix End -------------------------
>>>
>>> It is showing that there were 3 Invalid Users, which is correct, because
>> I
>>> tried 3 times to log in with ssh as an unauthorized user.  But it is not
>>> showing me an IP address of the machine I was connecting from.
>>>
>>> I searched through the archives but couldn't find anything on this
>> issue.
>>> Thanks,
>>>
>>> Ben
>> Look further down the report in the section:
>>
>>  --------------------- SSHD Begin ------------------------
>>
>>  Failed logins from:
>>    123.45.67.89 (some.domain.tld): 1 time
>>
>>  Illegal users from:
>>    123.45.67.89 (some.domain.tld): 5 times
>>
>>  Users logging in through sshd:
>>    root:
>>       98.76.54.231 (my.domain.tld): 1 time
>>
>>  ---------------------- SSHD End -------------------------
>>
>> Cheers,
>> --
>> Bob McClure, Jr.             Bobcat Open Systems, Inc.
>> bob at bobcatos.com             http://www.bobcatos.com
>> Though the fig tree does not bud and there are no grapes on the vines,
>> though the olive crop fails and the fields produce no food, though
>> there are no sheep in the pen and no cattle in the stalls, yet I will
>> rejoice in the LORD, I will be joyful in God my Savior.
>> Habakkuk 3:17-18 (NIV)
>> _______________________________________________
>> Logwatch mailing list
>> Logwatch at logwatch.org
>> http://www2.list.logwatch.org:81/mailman/listinfo/logwatch
>>
> 
> 
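
The first step suggested in this message, finding which file under /var/log holds the sshd entries, can be scripted. The following is an added example, not part of the original thread; it also tallies the source addresses of rejected logins from the file it finds. The function names and sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Sample log lines are constructed.

# List "count path" for each readable file in DIR that holds sshd entries.
find_sshd_logs() (
    dir="${1:-/var/log}"
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        case "$f" in *.gz|*.bz2|*.xz) continue ;; esac  # rotated archives
        n=$(grep -c -E ' sshd(\[[0-9]+\])?: ' "$f" 2>/dev/null) || continue
        printf '%s %s\n' "$n" "$f"
    done | sort -rn
)

# Tally "count source" of rejected logins in FILE. An invalid-user attempt can
# log both "Invalid user X from IP" and "Failed password for invalid user X
# from IP"; only the first form is counted so each attempt appears once.
failed_ssh_sources() {
    awk '/ sshd(\[[0-9]+\])?: / {
        hit = ($0 ~ /: (Invalid|Illegal) user /) ||
              ($0 ~ /: Failed password for / && $0 !~ / for (invalid|illegal) user /)
        if (!hit) next
        src = ""
        for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
        if (src != "") n[src]++
    }
    END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Write constructed sample logs (documentation-range addresses) into DIR.
write_sample_logs() {
    cat > "$1/messages" <<'EOF'
Mar 11 12:00:01 host crond[411]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    cat > "$1/secure" <<'EOF'
Mar 11 12:20:10 host sshd[901]: Invalid user test from 192.0.2.10
Mar 11 12:20:12 host sshd[901]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2
Mar 11 12:21:03 host sshd[907]: Invalid user admin from 192.0.2.10
Mar 11 12:22:40 host sshd[912]: Failed password for root from 198.51.100.7 port 5120 ssh2
Mar 11 12:23:58 host sshd[915]: Accepted password for ben from 203.0.113.5 port 5301 ssh2
EOF
}

demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
find_sshd_logs "$demo_dir"              # only "secure" holds sshd entries
failed_ssh_sources "$demo_dir/secure"   # rejected logins per source address
rm -rf "$demo_dir"
```

On a real system, run `find_sshd_logs` with no argument to scan /var/log; the file it reports is the one Logwatch needs to be told about.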

