Date: Tue, 1 Jul 1997 17:19:07 -0400 (EDT)
From: Bryan Swann <swann@nosc.mil>
To: mika ruohotie <bsdsec@shadows.aeon.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: SSHD logging
Message-ID: <Pine.GSO.3.96.970701165348.21412A-100000@mailbox>
In-Reply-To: <199706281358.QAA24251@shadows.aeon.net>

I've been looking into ssh and its logging capabilities. It appears that a
typical connection using the ssh daemon is logged by default at the "info"
level. The "debug" level shows additional information, but nothing of great
concern, IMHO. Most of my other servers such as telnet and ftp log the same
type of information at the "notice" level.

The default configuration of my Sun Solaris box would not display the logging
information from the ssh daemon; you will need to edit the syslog
configuration files. But, my HP box logs data at the "info" level by default.
I'm no expert in this area, but it appears that HP and Sun do not agree to the
information that should be logged and the level it should be logged.

If you want to see every connection to the ssh daemon, be sure to configure
syslog to log at the "info" level. I would assume that failed connections are
logged at a higher priority, but I haven't tested yet.

Hope this helps.

__________________________________________________________________________
| Bryan Swann (swann@nosc.mil) 803/974-4267 803/974-5080 (Fax)           |
| Eagan McAllister Associates, Inc.                                      |
|                                                                        |
| "Everything must be working perfectly, cause I don't smell any smoke"  |
--------------------------------------------------------------------------

On Sat, 28 Jun 1997, mika ruohotie wrote:

> > > > Denied connections were logged, allowed ones weren't, IIRC.
> > > > Not good enough for me, so I'm running sshd out of inetd.
> > Well, as a matter of taste I prefer to keep all the access control stuff
> > in one file, and I've always used the extended language option for
> > tcpwrappers.
>
> hmm...
>
> pardon me if i'm not really understanding what you want to do...
>
> my out from the box sshd logs the incoming connections well, all i
> did was add line to /etc/syslog.conf
>
> auth.* goes to its own file auth.all (and is rotated once a month)
>
> sample output from sshd:
>
> Jun 28 16:49:07 shadows sshd[24172]: log: Connection from 194.111.220.20 port 1019
> Jun 28 16:49:18 shadows sshd[24172]: debug: Client protocol version 1.5; client software version 1.2.20
> Jun 28 16:49:18 shadows sshd[24172]: debug: Sent 768 bit public key and 1024 bit host key.
> Jun 28 16:49:18 shadows sshd[24172]: debug: Encryption type: idea
> Jun 28 16:49:18 shadows sshd[24172]: debug: Received session key; encryption turned on.
> Jun 28 16:49:18 shadows sshd[24172]: debug: Attempting authentication for soap.
> Jun 28 16:49:18 shadows sshd[24172]: debug: Trying rhosts with RSA host authentication for soap
> Jun 28 16:49:18 shadows sshd[24172]: debug: RhostsRSA authentication failed for 'soap', remote 'soap', host 'beasty-boys.supsys.fi'.
> Jun 28 16:49:23 shadows sshd[24172]: debug: Password authentication for soap failed.
> Jun 28 16:49:23 shadows sshd[24172]: fatal: Connection closed by remote host.
> Jun 28 16:49:23 shadows sshd[24172]: debug: Calling cleanup 0x104c0(0x0)
> Jun 28 16:49:25 shadows sshd[24174]: log: Connection from 194.111.220.20 port 1018
> Jun 28 16:49:25 shadows sshd[24171]: debug: Forked child 24174.
> Jun 28 16:49:25 shadows sshd[24174]: debug: Client protocol version 1.5; client software version 1.2.19
> Jun 28 16:49:25 shadows sshd[24174]: debug: Sent 768 bit public key and 1024 bit host key.
> Jun 28 16:49:25 shadows sshd[24174]: debug: Encryption type: idea
> Jun 28 16:49:26 shadows sshd[24174]: debug: Received session key; encryption turned on.
> Jun 28 16:49:26 shadows sshd[24174]: debug: Attempting authentication for soap.
> Jun 28 16:49:26 shadows sshd[24174]: debug: Trying rhosts with RSA host authentication for soap
> Jun 28 16:49:26 shadows sshd[24174]: debug: RhostsRSA authentication failed for 'soap', remote 'soap', host 'beasty-boys.supsys.fi'.
> Jun 28 16:49:49 shadows sshd[24174]: log: Password authentication for soap accepted.
> Jun 28 16:49:49 shadows sshd[24174]: debug: Allocating pty.
> Jun 28 16:49:49 shadows sshd[24174]: debug: Forking shell.
> Jun 28 16:49:49 shadows sshd[24174]: debug: Entering interactive session.
> Jun 28 16:49:50 shadows sshd[24176]: login_getclass: unknown class '00^B'
> Jun 28 16:49:53 shadows sshd[24174]: debug: Received SIGCHLD.
> Jun 28 16:49:53 shadows sshd[24174]: debug: End of interactive session; stdin 5, stdout (read 824, sent 824), stderr 0 bytes.
> Jun 28 16:49:53 shadows sshd[24174]: debug: pty_cleanup_proc called
> Jun 28 16:49:53 shadows sshd[24174]: debug: Command exited with status 0.
> Jun 28 16:49:53 shadows sshd[24174]: debug: Received exit confirmation.
> Jun 28 16:49:53 shadows sshd[24174]: log: Closing connection to 194.111.220.20
>
> i run sshd as standalone, as suggested. fascistlogging turned on.
>
> if that's not enough, i don't know what you want. sure, it's bit "vocal".
>
> i also have still that unknown class thing, even though both my /etc
> files and ssh are upgraded multiple times to match the rest of the system,
> since i run -current i have to do that often.
>
>
> mickey
>
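
Added example (not part of the original message and not code from ssh): a Python parser that groups sshd lines of the format quoted above by PID and reports peer address, user and authentication outcome. The sample is a constructed subset of the quoted lines, and the `prefixes` argument stands in for a syslog level filter on the assumption that `log:` lines are the ones an "info" rule keeps and `debug:` lines need "debug", as the message describes.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the sshd lines quoted in the message above.
SAMPLE = """\
Jun 28 16:49:07 shadows sshd[24172]: log: Connection from 194.111.220.20 port 1019
Jun 28 16:49:18 shadows sshd[24172]: debug: Attempting authentication for soap.
Jun 28 16:49:23 shadows sshd[24172]: debug: Password authentication for soap failed.
Jun 28 16:49:23 shadows sshd[24172]: fatal: Connection closed by remote host.
Jun 28 16:49:25 shadows sshd[24174]: log: Connection from 194.111.220.20 port 1018
Jun 28 16:49:26 shadows sshd[24174]: debug: Attempting authentication for soap.
Jun 28 16:49:26 shadows sshd[24174]: debug: RhostsRSA authentication failed for 'soap', remote 'soap', host 'beasty-boys.supsys.fi'.
Jun 28 16:49:49 shadows sshd[24174]: log: Password authentication for soap accepted.
Jun 28 16:49:50 shadows sshd[24176]: login_getclass: unknown class '00^B'
Jun 28 16:49:53 shadows sshd[24174]: log: Closing connection to 194.111.220.20
"""

# Only the three message prefixes that appear in the quoted output are recognised.
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[(\d+)\]: (log|debug|fatal): (.*)$")
CONNECT = re.compile(r"Connection from (\S+) port \d+")
ATTEMPT = re.compile(r"Attempting authentication for (\S+?)\.$")
ACCEPTED = re.compile(r"(\w+) authentication for (\S+) accepted")
FAILED = re.compile(r"(\w+) authentication (?:for \S+ failed|failed for )")

def summarize(text, prefixes=("log", "debug", "fatal")):
    """Group sshd lines by PID; `prefixes` simulates which lines syslog kept."""
    sessions = defaultdict(
        lambda: {"peer": None, "user": None, "failed": [], "accepted": None})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) not in prefixes:
            continue  # other formats (e.g. login_getclass) or a filtered-out level
        s, msg = sessions[m.group(1)], m.group(3)
        if c := CONNECT.search(msg):
            s["peer"] = c.group(1)
        elif a := ATTEMPT.search(msg):
            s["user"] = a.group(1)
        elif ok := ACCEPTED.search(msg):
            s["accepted"], s["user"] = ok.group(1), ok.group(2)
        elif f := FAILED.search(msg):
            s["failed"].append(f.group(1))
    return dict(sessions)

def never_authenticated(sessions):
    """PIDs that logged a connection but no accepted authentication."""
    return sorted(p for p, s in sessions.items() if s["peer"] and not s["accepted"])

if __name__ == "__main__":
    for pid, info in summarize(SAMPLE).items():
        print(pid, info)
```

Calling `summarize(SAMPLE, prefixes=("log",))` shows what survives when only the `log:` lines are kept: in this sample the failed password attempt on PID 24172 is reduced to a connection with no recorded user or outcome.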