Re: CentOS 5 sshd does not log IP address of reverse mapping failure [solved, I guess]




On 08.03.2013 20:51, Gordon Messmer wrote:
> # tail -f /var/log/secure
> Mar  8 11:46:54 firewall sshd[27455]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=173-xx-xx-xx-washington.hfc.comcastbusiness.net  user=root
> Mar  8 11:46:56 firewall sshd[27455]: Failed password for root from 173.xx.xx.xx port 51437 ssh2

I think I see what's happening now.

The machines in question all have password authentication disabled, so
they obviously never log "Failed password". If someone tries to log in
to an existing user account with password authentication, she gets the
message "no supported authentication methods available" or something
like that. In that case /var/log/secure does not log a failure message.
The only trace of that attempt is a "Received disconnect", like here
after the message I cited in my original posting:

Mar  3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:44:49 gimli sshd[12871]: Received disconnect from 61.163.113.72: 11: Bye Bye

If I set "UseDNS no" the first message disappears and only the second
one remains.

So it seems there is no way to identify password bruteforcing attempts
on servers which don't accept password authentication in the first
place.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
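
An added example, not part of the original message: a Python sketch that counts "Received disconnect" lines with no successful login per source address and attaches the name from a preceding reverse mapping warning. The pid / pid+1 pairing is an assumption taken from the two log lines quoted above; the function names, the threshold and all sample lines after the first two are constructed.

```python
import re
from collections import defaultdict

# syslog prefix: "Mar  3 04:44:48 gimli sshd[12870]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) sshd\[(\d+)\]: (.*)$")
REVMAP = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")
DISCONNECT = re.compile(r"Received disconnect from (\S+): 11:")
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from ")

def preauth_disconnects(lines):
    """Return {ip: {"count": n, "names": set of unverified PTR names}}."""
    revmap = {}     # (host, pid) -> name from the reverse mapping warning
    authed = set()  # (host, pid) that logged a successful login
    result = defaultdict(lambda: {"count": 0, "names": set()})
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue
        host, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        if (r := REVMAP.search(msg)):
            revmap[(host, pid)] = r.group(1)
        elif ACCEPTED.search(msg):
            authed.add((host, pid))
        elif (d := DISCONNECT.search(msg)):
            # Assumption: the disconnect is logged under the same pid as the
            # warning or under pid+1, as in the sample quoted in the message.
            keys = [(host, pid), (host, pid - 1)]
            if any(k in authed for k in keys):
                continue  # session had authenticated; normal logout
            entry = result[d.group(1)]
            entry["count"] += 1
            for k in keys:
                if k in revmap:
                    entry["names"].add(revmap.pop(k))
    return dict(result)

def suspects(lines, threshold=3):
    """Addresses with at least `threshold` disconnects without a login."""
    found = preauth_disconnects(lines)
    return sorted(ip for ip, e in found.items() if e["count"] >= threshold)

# First two lines are from the message above; the rest are constructed.
SAMPLE = """\
Mar  3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:44:49 gimli sshd[12871]: Received disconnect from 61.163.113.72: 11: Bye Bye
Mar  3 04:44:51 gimli sshd[12872]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:44:52 gimli sshd[12873]: Received disconnect from 61.163.113.72: 11: Bye Bye
Mar  3 04:44:55 gimli sshd[12875]: Received disconnect from 61.163.113.72: 11: Bye Bye
Mar  3 05:10:02 gimli sshd[12901]: Accepted publickey for admin from 192.0.2.10 port 40022 ssh2
Mar  3 05:12:40 gimli sshd[12901]: Received disconnect from 192.0.2.10: 11: disconnected by user
""".splitlines()
```

Because the pairing is by pid rather than by an address in the warning itself, it also works with "UseDNS no", where only the disconnect line remains.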
