From owner-freebsd-questions@freebsd.org Mon Jul 17 23:35:23 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0C3FADA42A1 for ; Mon, 17 Jul 2017 23:35:23 +0000 (UTC) (envelope-from pschmehl_lists@tx.rr.com) Received: from dnvrco-oedge-vip.email.rr.com (dnvrco-outbound-snat.email.rr.com [107.14.73.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "dnvrco-oedge-vip.email.rr.com", Issuer "dnvrco-oedge-vip.email.rr.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id D53D4772FA for ; Mon, 17 Jul 2017 23:35:22 +0000 (UTC) (envelope-from pschmehl_lists@tx.rr.com) Received: from [76.183.153.52] ([76.183.153.52:51014] helo=[192.168.0.8]) by dnvrco-omsmta03 (envelope-from ) (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTP id DE/E2-25786-3B94D695; Mon, 17 Jul 2017 23:35:15 +0000 Date: Mon, 17 Jul 2017 18:35:14 -0500 From: Paul Schmehl Reply-To: Paul Schmehl To: FreeBSD Questions Subject: Re: sshd logging Message-ID: In-Reply-To: References: <20170717051638.GB2368@c720-r314251> X-Mailer: Mulberry/4.0.8 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-RR-Connecting-IP: 107.14.64.88:25 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2017 23:35:23 -0000 --On July 17, 2017 at 6:38:00 AM -0400 Daniel Feenberg =20 wrote: > > > On Mon, 17 Jul 2017, Matthias Apitz wrote: > >> El d=C3=ADa domingo, julio 16, 2017 a las 10:34:42p. m. -0500, Paul = Schmehl >> escribi=C3=B3: >> >>> Is there a way to get sshd to only log successful logins? >> >> What about using ipf(8)? > > denyhosts or fail2ban would be easier. You'd still get a few lines in the > logs, but only a few. > Thanks, Dan. I'll take a look. I've never understood why logging routinely records every failed=20 interaction. I suppose it's because summarizing it would take more=20 processing plus some sort of database. Seriously though, why should I care=20 about failed logins? It's the successful ones that I need to know about. Paul Schmehl, Retired As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson "There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell