sshd logging

sshd logging

Paul Schmehl-2
Is there a way to get sshd to only log successful logins? The Russians and
Chinese are filling up the logs, which turns them over every two hours.

Paul Schmehl, Retired
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[hidden email]"

Re: sshd logging

Matthias Apitz-4
On Sunday, July 16, 2017 at 10:34:42 p.m. -0500, Paul Schmehl wrote:

> Is there a way to get sshd to only log successful logins?

What about using ipf(8)?

> The Russians and
> Chinese are filling up the logs, which turns them over every two hours.

Hmm. Do you mean that the SSH login from NSA and CIA are logged only once
because they are always successful?

        matthias


--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.


Re: sshd logging

Daniel Feenberg


On Mon, 17 Jul 2017, Matthias Apitz wrote:

> On Sunday, July 16, 2017 at 10:34:42 p.m. -0500, Paul Schmehl wrote:
>
>> Is there a way to get sshd to only log successful logins?
>
> What about using ipf(8)?

denyhosts or fail2ban would be easier. You'd still get a few lines in the
logs, but only a few.

dan feenberg

>
>> The Russians and
>> Chinese are filling up the logs, which turns them over every two hours.
>
> Hmm. Do you mean that the SSH login from NSA and CIA are logged only once
> because they are always successful?
>
> matthias
>
>
> --
> Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
> Public GnuPG key: http://www.unixarea.de/key.pub
> 8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
> 8 de mayo de 1945: Quien no festeja perdió la Guerra.
> May 8, 1945: Who does not celebrate lost the War.
>

Re: sshd logging

Paul Schmehl-2
In reply to this post by Matthias Apitz-4
--On July 17, 2017 at 7:16:38 AM +0200 Matthias Apitz <[hidden email]>
wrote:

> On Sunday, July 16, 2017 at 10:34:42 p.m. -0500, Paul Schmehl
> wrote:
>
>> Is there a way to get sshd to only log successful logins?
>
> What about using ipf(8)?
>
>> The Russians and
>> Chinese are filling up the logs, which turns them over every two hours.
>
> Hmm. Do you mean that the SSH login from NSA and CIA are logged only once
> because they are always successful?
>

Yes, that's exactly what I meant. :-)

Paul Schmehl, Retired
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell


Re: sshd logging

Paul Schmehl-2
In reply to this post by Daniel Feenberg
--On July 17, 2017 at 6:38:00 AM -0400 Daniel Feenberg <[hidden email]>
wrote:

>
>
> On Mon, 17 Jul 2017, Matthias Apitz wrote:
>
>> On Sunday, July 16, 2017 at 10:34:42 p.m. -0500, Paul Schmehl
>> wrote:
>>
>>> Is there a way to get sshd to only log successful logins?
>>
>> What about using ipf(8)?
>
> denyhosts or fail2ban would be easier. You'd still get a few lines in the
> logs, but only a few.
>

Thanks, Dan. I'll take a look.

I've never understood why logging routinely records every failed
interaction. I suppose it's because summarizing it would take more
processing plus some sort of database. Seriously though, why should I care
about failed logins? It's the successful ones that I need to know about.

Paul Schmehl, Retired
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell


Re: sshd logging

Wayne Sierke
On Mon, 2017-07-17 at 18:35 -0500, Paul Schmehl wrote:

> --On July 17, 2017 at 6:38:00 AM -0400 Daniel Feenberg <feenberg@nber.org>
> wrote:
>
> >
> >
> > On Mon, 17 Jul 2017, Matthias Apitz wrote:
> >
> > > On Sunday, July 16, 2017 at 10:34:42 p.m. -0500, Paul
> > > Schmehl
> > > wrote:
> > >
> > > > Is there a way to get sshd to only log successful logins?
> > >
> > > What about using ipf(8)?
> >
> > denyhosts or fail2ban would be easier. You'd still get a few lines
> > in the
> > logs, but only a few.
> >
>
> Thanks, Dan. I'll take a look.
>
> I've never understood why logging routinely records every failed
> interaction. I suppose it's because summarizing it would take more
> processing plus some sort of database. Seriously though, why should I
> care
> about failed logins? It's the successful ones that I need to know
> about.

I imagine that historically the intensity of unauthorised login
attempts carried more significance (or was thought to) than it does
now.

sshd_config(5) - LogLevel

I haven't seen a description of which events are logged at each level,
but I have seen a comment that setting it to "ERROR" eliminates the
logging of failed attempts.

This page suggests an approach that may be of interest:

https://blog.stalkr.net/2010/11/login-notifications-pamexec-scripting.html


Wayne
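
An added example, not code from any poster in this thread: one way to keep every successful login visible while collapsing failed attempts into per-source counts, without changing what sshd logs. The log lines are constructed and assume sshd's default LogLevel INFO and the usual auth.log syslog format; the function name summarize is hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Jul 17 03:12:01 host sshd[1201]: Invalid user admin from 203.0.113.5 port 40112
Jul 17 03:12:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jul 17 03:12:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 40120 ssh2
Jul 17 03:12:09 host sshd[1207]: Failed password for root from 198.51.100.7 port 51515 ssh2
Jul 17 03:14:40 host sshd[1210]: Failed password for paul from 198.51.100.7 port 51530 ssh2
Jul 17 03:14:44 host sshd[1210]: Accepted password for paul from 198.51.100.7 port 51530 ssh2
Jul 17 08:01:13 host sshd[1302]: Accepted publickey for paul from 192.0.2.10 port 50022 ssh2
"""

# Matches only authentication result lines; "Invalid user ..." notices are skipped.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(lines):
    """Return (accepted, failed_by_ip, users_by_ip, suspicious)."""
    accepted, failed_by_ip, users_by_ip = [], Counter(), defaultdict(set)
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue  # not an authentication result line
        if m["result"] == "Accepted":
            accepted.append((m["ts"], m["user"], m["ip"], m["method"]))
        else:
            failed_by_ip[m["ip"]] += 1
            users_by_ip[m["ip"]].add(m["user"])
    # An accepted login from a source that also failed is worth a closer look.
    suspicious = [a for a in accepted if failed_by_ip[a[2]] > 0]
    return accepted, failed_by_ip, users_by_ip, suspicious

if __name__ == "__main__":
    ok, failed, users, odd = summarize(SAMPLE_LOG.splitlines())
    for entry in ok:
        ts, user, ip, method = entry
        flag = "  <-- source also had failures" if entry in odd else ""
        print(f"{ts} accepted {method} for {user} from {ip}{flag}")
    for ip, n in failed.most_common():
        print(f"{n} failed from {ip} (users: {', '.join(sorted(users[ip]))})")
```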


Re: sshd logging

Valeri Galtsev
In reply to this post by Paul Schmehl-2

On Mon, July 17, 2017 6:32 pm, Paul Schmehl wrote:

> --On July 17, 2017 at 7:16:38 AM +0200 Matthias Apitz <[hidden email]>
> wrote:
>
>> On Sunday, July 16, 2017 at 10:34:42 p.m. -0500, Paul Schmehl
>> wrote:
>>
>>> Is there a way to get sshd to only log successful logins?
>>
>> What about using ipf(8)?
>>
>>> The Russians and
>>> Chinese are filling up the logs, which turns them over every two hours.
>>
>> Hmm. Do you mean that the SSH login from NSA and CIA are logged only
>> once
>> because they are always successful?

And KGB is not mentioned at all because they are not only always
successful, but also always either through NSA or CIA ;-)

Valeri

>>
>
> Yes, that's exactly what I meant. :-)
>
> Paul Schmehl, Retired
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[hidden email]"


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Re: sshd logging

Valeri Galtsev
In reply to this post by Paul Schmehl-2

On Mon, July 17, 2017 6:35 pm, Paul Schmehl wrote:

> --On July 17, 2017 at 6:38:00 AM -0400 Daniel Feenberg <[hidden email]>
> wrote:
>
>>
>>
>> On Mon, 17 Jul 2017, Matthias Apitz wrote:
>>
>>> On Sunday, July 16, 2017 at 10:34:42 p.m. -0500, Paul Schmehl
>>> wrote:
>>>
>>>> Is there a way to get sshd to only log successful logins?
>>>
>>> What about using ipf(8)?
>>
>> denyhosts or fail2ban would be easier. You'd still get a few lines in
>> the
>> logs, but only a few.
>>

I use sshguard (you may want to look also at sshguard-ipfw, sshguard-pf).
ssh is not the only service sshguard can protect. Just one more option.

Valeri

>
> Thanks, Dan. I'll take a look.
>
> I've never understood why logging routinely records every failed
> interaction. I suppose it's because summarizing it would take more
> processing plus some sort of database. Seriously though, why should I care
> about failed logins? It's the successful ones that I need to know about.
>
> Paul Schmehl, Retired
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[hidden email]"


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Re: sshd logging

freebsd-questions mailing list
In reply to this post by Paul Schmehl-2

On Tue, July 18, 2017 10:32, Valeri Galtsev wrote:

>
> And KGB is not mentioned at all because they are not only always
> successful, but also always either through NSA or CIA ;-)
>

Perhaps the FSB would be a better choice of initialism?  I think that
the KGB as such has gone the way of NKVD and SMERSH; not to mention
the OSS.

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
