Re: sshd: Logging illegal users
On Fri, 20 Aug 2004 02:26:17 -0600, Will Aoki wrote:

> > > Set LogLevel VERBOSE in /etc/ssh/sshd_config
> >
> > LogLevel is already set to VERBOSE. But even with LogLevel DEBUG the
> > invalid usernames are not logged. :-(
> > I tested that on three different machines running Debian/woody.
>
> It works for me on all of my machines running woody, including a fresh
> installation I did last week.

I just figured out that when setting UsePrivilegeSeparation to no in
sshd_config, also sshd on Debian/woody logs

  sshd[xxx]: Failed auth-method for illegal user user from xxx.xxx.xxx.xxx port x ssh2

But with PrivilegeSeparation turned on, the username is not logged.

However, sshd from Debian/sarge also logs the illegal usernames with
PrivilegeSeparation turned on.

So I wonder if you do not use PrivilegeSeparation on your woody
installations?

  - Thomas

-- 
PGP: 2047Bit RSA, ID 0x668E601D - Encrypted mail welcome!

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: sshd: Logging illegal users
On Thu, 19 Aug 2004 11:52:51 +0300 (EEST), Martin Fluch wrote:

> Do you really want to log those illegal user names? If you do so, you
> would run into danger to log passwords in plain text as well, when you
> accidentally enter the password when ssh asks you for the user name...

I'm aware of that, but there are situations when logging the usernames
is quite interesting. For example, if there is an increase in ssh
scanning like over the last weeks, it is nice to put a machine on the
net which offers no other services (kind of a honeypot) and see what
usernames the attackers are trying.

  - Thomas

-- 
PGP: 2047Bit RSA, ID 0x668E601D - Encrypted mail welcome!
Re: sshd: Logging illegal users
On Thu, Aug 19, 2004 at 10:44:40AM +0200, Thomas Hungenberg wrote:
> On Sun, 15 Aug 2004 12:34:59 -0600, Will Aoki wrote:
>
> > > Is there a way to make the sshd included with Debian/woody to also
> > > log the usernames an attacker tried to connect with?
> >
> > Set LogLevel VERBOSE in /etc/ssh/sshd_config
>
> LogLevel is already set to VERBOSE. But even with LogLevel DEBUG the
> invalid usernames are not logged. :-(
> I tested that on three different machines running Debian/woody.

It works for me on all of my machines running woody, including a fresh
installation I did last week.

> Could this be a PAM issue? Is there perhaps a configuration variable to
> turn on logging of invalid usernames in PAM like LOG_UNKFAIL_ENAB in
> /etc/login.defs?

My PAM configuration is only nonstandard in that the SSH PAM config says

  auth sufficient pam_ldap.so

before

  auth required pam_unix.so

but I've also seen it work on machines using pam_krb5 or a completely
standard PAM configuration.

This may sound a stupid question, but did you restart sshd after making
the change?

-- 
William Aoki KD7YAF [EMAIL PROTECTED]
 /\  ASCII Ribbon Campaign
 \ / No HTML in mail or news!
  X
 / \
Re: sshd: Logging illegal users
On Sun, 15 Aug 2004 12:34:59 -0600, Will Aoki wrote:

> > Is there a way to make the sshd included with Debian/woody to also
> > log the usernames an attacker tried to connect with?
>
> Set LogLevel VERBOSE in /etc/ssh/sshd_config

LogLevel is already set to VERBOSE. But even with LogLevel DEBUG the
invalid usernames are not logged. :-(
I tested that on three different machines running Debian/woody.

Could this be a PAM issue? Is there perhaps a configuration variable to
turn on logging of invalid usernames in PAM like LOG_UNKFAIL_ENAB in
/etc/login.defs?

  - Thomas

-- 
PGP: 2047Bit RSA, ID 0x668E601D - Encrypted mail welcome!
Re: sshd: Logging illegal users
TH> From: Thomas Hungenberg [EMAIL PROTECTED]
TH> Date: Thu, 19 Aug 2004 10:44:40 +0200
TH>
TH> LogLevel is already set to VERBOSE. But even with LogLevel DEBUG the
TH> invalid usernames are not logged. :-(

It was explained to me some time ago by somebody that this is a
security feature rather than a bug. Some users type in their passwords
instead of login names (imagine that you are used to Unix ssh, which
does not ask for a username, and then occasionally have to log in from a
Windows machine with PuTTY, which does. I mistyped my password in such
a situation at least twice :( ). You do not want their clear text
passwords to be in your log file, do you?

-- 
Good luck
-Boris

Genius is ten percent inspiration and fifty percent capital gains.
Re: sshd: Logging illegal users
On Sun, 2004-08-15 at 19:46 -0600, s. keeling wrote:
> Incoming from Greg Folkert:
> > Hey, I have found some thing. Rather than repost. I'll share where I
> > posted it.
> >
> > http://z.iwethey.org/forums/render/content/show?contentid=169321
>
> Zope Error

Hmmm... try it again. I get it. I'd be surprised if you get it again.
If you do, please send me the backtrace from the page source of the
error page.

-- 
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: sshd: Logging illegal users
On Sun, Aug 15, 2004 at 07:15:18PM +0200, Thomas Hungenberg wrote:
> Hello,
[snip]
> Is there a way to make the sshd included with Debian/woody to also log
> the usernames an attacker tried to connect with?

Set LogLevel VERBOSE in /etc/ssh/sshd_config

-- 
William Aoki KD7YAF [EMAIL PROTECTED]
 /\  ASCII Ribbon Campaign
 \ / No HTML in mail or news!
  X
 / \
Re: sshd: Logging illegal users
On Sun, 2004-08-15 at 19:15 +0200, Thomas Hungenberg wrote:
> Hello,
>
> sshd included with Debian/sarge logs connection attempts with illegal
> usernames this way:
>
>   sshd[xxx]: Illegal user username from xxx.xxx.xxx.xxx
>   sshd[xxx]: Failed unknown for illegal user username from xxx.xxx.xxx.xxx port x ssh2
>
> However, the older sshd version from Debian/woody by default only logs
> the following when trying to connect with an illegal username:
>
>   sshd[xxx]: Connection from xxx.xxx.xxx.xxx port x
>   sshd[xxx]: Enabling compatibility mode for protocol 2.0
>
> Is there a way to make the sshd included with Debian/woody to also log
> the usernames an attacker tried to connect with?

Hey, I have found some thing. Rather than repost. I'll share where I
posted it.

http://z.iwethey.org/forums/render/content/show?contentid=169321

Check it out.

-- 
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
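The honeypot use the thread describes (which usernames are scanners trying, and from where) needs exactly the two sarge-style log lines quoted above, plus the knowledge that a woody sshd with privilege separation writes no username at all. The following is an added example, not code from anyone in the thread: it parses both sarge line shapes, collapses the pair sshd writes per attempt, and tallies usernames per source. The syslog prefix and the sample log are constructed.

```python
import re
from collections import Counter, defaultdict

# The two message shapes quoted in the thread for Debian/sarge sshd. The
# syslog prefix ("Aug 15 19:10:02 honey ") is an assumption for the sample.
ILLEGAL_USER = re.compile(
    r"sshd\[(?P<pid>\d+)\]: "
    r"(?:Illegal user (?P<u1>\S+) from (?P<ip1>[\d.]+)"
    r"|Failed (?P<method>\S+) for illegal user (?P<u2>\S+) from (?P<ip2>[\d.]+) port \d+ ssh2)$"
)

def parse_line(line):
    """Return (pid, user, ip) for an illegal-user line, None for anything else."""
    m = ILLEGAL_USER.search(line.rstrip())
    if not m:
        return None
    return m.group("pid"), m.group("u1") or m.group("u2"), m.group("ip1") or m.group("ip2")

def summarize(lines):
    """Map source IP -> Counter of usernames tried. sshd writes an 'Illegal user'
    line and a 'Failed ...' line for one attempt, so the pair is collapsed."""
    seen = set()
    by_source = defaultdict(Counter)
    for line in lines:
        hit = parse_line(line)
        if hit and hit not in seen:
            seen.add(hit)
            by_source[hit[2]][hit[1]] += 1
    return by_source

def top_usernames(lines, n=5):
    """Most-tried usernames across all sources, as (user, count) pairs."""
    total = Counter()
    for users in summarize(lines).values():
        total.update(users)
    return total.most_common(n)

# Constructed sample: three attempts logged the sarge way, plus the line a
# woody sshd with privilege separation writes (no username to harvest).
SAMPLE_LOG = """\
Aug 15 19:10:02 honey sshd[4121]: Illegal user test from 192.0.2.10
Aug 15 19:10:02 honey sshd[4121]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Aug 15 19:10:05 honey sshd[4123]: Illegal user guest from 192.0.2.10
Aug 15 19:10:05 honey sshd[4123]: Failed password for illegal user guest from 192.0.2.10 port 40115 ssh2
Aug 15 19:11:40 honey sshd[4130]: Illegal user test from 198.51.100.7
Aug 15 19:11:40 honey sshd[4130]: Failed unknown for illegal user test from 198.51.100.7 port 51002 ssh2
Aug 15 19:12:01 honey sshd[4131]: Connection from 198.51.100.9 port 51010
"""
```

Run it on a real auth.log with `summarize(open("/var/log/auth.log").readlines())`; as Martin and Boris point out, the tallied "usernames" can include mistyped passwords, so treat the output as sensitive.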