From owner-freebsd-questions@FreeBSD.ORG Thu Jul 1 14:49:09 2010
From: Glen Barber
To: FreeBSD Mailing List
Date: Thu, 01 Jul 2010 10:49:00 -0400
Subject: sshd logging with private key authentication
Message-ID: <4C2CAADC.4080704@gmail.com>
List-Id: User questions

Hi,

I've been seeing quite a few ssh brute-force attacks which appear to be dictionary-based. That's fine; I have proper measures in place, such as key-only access, brute-force tables for pf(4), and so on.

What caught my interest is that if I attempt to log in from a machine where I do not have my key, I see nothing logged about a failed publickey attempt. If I attempt with an invalid username, as expected, I see 'Invalid user foo from ${IP}.'

Is this to be expected? If so, I am curious why. Though I realize an attacker may not be able to see that a user is valid or invalid, might we want to know that a valid username is being used in an attack? (Unless, of course, the valid username is 'john'...)

Regards,

-- 
Glen Barber
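A defender who wants to know which existing accounts are being targeted can aggregate sshd's syslog messages per source address. The script below is an added example, not part of the original post: it runs over constructed log lines in OpenSSH's 'Invalid user foo from IP' format (logged at the default LogLevel INFO) and its 'Failed publickey/password for user from IP port N ssh2' format (a failed publickey attempt for a valid user is only emitted at LogLevel VERBOSE), and reports failures against valid usernames separately from guesses at non-existent ones.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines (not taken from the original post).
# 'Invalid user' lines appear at LogLevel INFO; the 'Failed publickey' lines
# for an existing user only appear once sshd runs with LogLevel VERBOSE.
SAMPLE_LOG = """\
Jul  1 10:40:01 schism sshd[1201]: Invalid user oracle from 203.0.113.5
Jul  1 10:40:03 schism sshd[1203]: Invalid user test from 203.0.113.5
Jul  1 10:40:05 schism sshd[1205]: Failed publickey for glen from 203.0.113.5 port 50312 ssh2
Jul  1 10:40:07 schism sshd[1207]: Failed publickey for glen from 203.0.113.5 port 50314 ssh2
Jul  1 10:40:09 schism sshd[1209]: Failed password for john from 198.51.100.7 port 41022 ssh2
Jul  1 10:41:00 schism sshd[1211]: Accepted publickey for glen from 192.0.2.10 port 60000 ssh2
"""

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def summarize(log_text):
    """Return {ip: {'invalid': set(usernames), 'valid_failed': {user: count}}}."""
    report = defaultdict(lambda: {"invalid": set(), "valid_failed": defaultdict(int)})
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            user, ip = m.groups()
            report[ip]["invalid"].add(user)
            continue
        m = FAILED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if "invalid user" in line:
                report[ip]["invalid"].add(user)
            else:
                # A failure against an account that really exists: the signal
                # the question asks about, invisible at LogLevel INFO for publickey.
                report[ip]["valid_failed"][user] += 1
    return report


def targeted_valid_users(log_text):
    """Set of (ip, user) pairs where an existing account saw failed attempts."""
    return {(ip, u) for ip, d in summarize(log_text).items() for u in d["valid_failed"]}


if __name__ == "__main__":
    for ip, d in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, "invalid:", sorted(d["invalid"]), "valid failed:", dict(d["valid_failed"]))
```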