Difference between revisions of "Talk:OpenSSH"

Latest revision as of 03:24, 15 March 2014

OpenSSH on recent linux distributions uses pam to authenticate user. If the user doesn't exist this line is printed on auth.log

Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29

Adding this regex rule is really helpful:

sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>

@@ Line 1: / Line 1: @@
-please make it detect this earlyer:
- Jan 17 06:32:37 myhost sshd[17731]: Did not receive identification string from 59.125.118.241
+=== ssh and pam ===
- Jan 17 06:32:37 myhost sshd[17732]: User root from 59.125.118.241 not allowed because not listed in AllowUsers
- Jan 17 06:32:37 myhost sshd[17734]: Invalid user fluffy from 59.125.118.241
+OpenSSH on recent linux distributions uses pam to authenticate user. If the user doesn't exist this line is printed on auth.log
- Jan 17 06:32:37 myhost sshd[17736]: Invalid user admin from 59.125.118.241
+<pre>
- Jan 17 06:32:37 myhost sshd[17738]: Invalid user test from 59.125.118.241
+Jul 20 01:35:44 foo sshd[7140]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=194.187.212.29
- Jan 17 06:32:37 myhost sshd[17740]: Invalid user guest from 59.125.118.241
+</pre>
- Jan 17 06:32:37 myhost sshd[17742]: Invalid user webmaster from 59.125.118.241
- Jan 17 06:32:37 myhost sshd[17744]: User mysql not allowed because shell /usr/sbin/nologin does not exist
+Adding this regex rule is really helpful:
- Jan 17 06:32:37 myhost sshd[17746]: Invalid user oracle from 59.125.118.241
- Jan 17 06:32:37 myhost sshd[17748]: Invalid user library from 59.125.118.241
+<pre>
- Jan 17 06:32:37 myhost sshd[17750]: Invalid user info from 59.125.118.241
+sshd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
- Jan 17 06:32:37 myhost sshd[17752]: Invalid user shell from 59.125.118.241
+</pre>