Date:      Thu, 01 Jul 2010 10:49:00 -0400
From:      Glen Barber <glen.j.barber@gmail.com>
To:        FreeBSD Mailing List <freebsd-questions@FreeBSD.ORG>
Subject:   sshd logging with private key authentication
Message-ID:  <4C2CAADC.4080704@gmail.com>

Hi,

I've been seeing quite a bit of ssh bruteforce attacks which appear to 
be dictionary-based.  That's fine; I have proper measures in place, such 
as key-only access, bruteforce tables for pf(4), and so on.

What caught my interest is if I attempt to log in from a machine where I 
do not have my key, I see nothing logged about a failed publickey 
attempt.  If I attempt with an invalid username, as expected, I see 
'Invalid user foo from ${IP}.'

Is this to be expected?  If so, I am curious why.  Though I realize an 
attacker may not be able to see that a user is valid or invalid, might 
we want to know that a valid username is being used in an attack? 
(Unless, of course, the valid username is 'john'...)

Regards,

-- 
Glen Barber


