Re: Getting IP's added to log entry

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 11/29/05

    Date: 29 Nov 2005 03:25:19 GMT
    
    

    On 2005-11-28, Matt Pearce <matt@00pearceits.com.au> wrote:
    > As you are all aware there are bots scanning servers for sshd service
    > and trying combinations of username/password to gain entry. To counter
    > this I have added AllowUsers to my sshd_config with only one entry in it
    > (not root). My log output for sshd to auth.log only logs this:-
    >
    > sshd[321]: User root not allowed because not listed in AllowUsers
    >
    > when anyone else but the allowed user's name is used to try and gain
    > entry. I would like this log message to reflect the ip the failed
    > attempt came from as my bruteforceblocker will then take the ip and send
    > it to a table for my firewall that will block it from connection to me
    > again on my ssh port.
    >
    > So is it easy to modify sshd to do this or is someone with no
    > programming knowledge way out of their depth??

    Assuming you're using OpenSSH (and the log message looks like it) then
    you can just upgrade to 4.1 or newer, the change you want is already in
    those versions. The log message has been changed to be of the form:

    User foo from hostname not allowed because not listed in AllowUsers

    where "hostname" will be either a fully qualified domain name (if you
    have UseDNS=yes) or an IP address (if you have UseDNS=no).

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
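
Added example, not part of the original message and not OpenSSH or bruteforceblocker code: a Python log filter that accepts both message forms mentioned in the reply, keeps only literal IP addresses for a firewall table, and sets aside hostnames (logged when UseDNS=yes) and pre-4.1 lines that carry no source. The function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Both forms from the thread: OpenSSH before 4.1 logs no source,
# 4.1 and newer add "from <host>". User and host are single tokens;
# lines that do not fit exactly are skipped rather than guessed at.
DENIED = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+)(?: from (?P<host>\S+))? "
    r"not allowed because not listed in AllowUsers\s*$"
)

def classify(line):
    """Return (kind, user, host) or None if the line is not an AllowUsers denial."""
    m = DENIED.search(line)
    if not m:
        return None
    user, host = m.group("user"), m.group("host")
    if host is None:
        return ("no-source", user, None)      # old format: nothing to block on
    try:
        return ("ip", user, str(ipaddress.ip_address(host)))
    except ValueError:
        return ("hostname", user, host)       # UseDNS=yes: a name, not an address

def summarize(lines):
    """Collect blockable IPs, hostnames needing review, and a count of old-format lines."""
    ips, names, no_source = set(), set(), 0
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, _user, host = hit
        if kind == "ip":
            ips.add(host)
        elif kind == "hostname":
            names.add(host)
        else:
            no_source += 1
    return sorted(ips), sorted(names), no_source

# Constructed sample lines (documentation address ranges, made-up host name).
SAMPLE = [
    "Nov 29 03:20:01 gw sshd[321]: User root not allowed because not listed in AllowUsers",
    "Nov 29 03:20:05 gw sshd[322]: User root from 192.0.2.10 not allowed because not listed in AllowUsers",
    "Nov 29 03:20:09 gw sshd[323]: User admin from 192.0.2.10 not allowed because not listed in AllowUsers",
    "Nov 29 03:20:12 gw sshd[324]: User test from host.example.net not allowed because not listed in AllowUsers",
    "Nov 29 03:20:15 gw sshd[325]: User guest from 2001:db8::5 not allowed because not listed in AllowUsers",
    "Nov 29 03:21:00 gw sshd[326]: Accepted publickey for matt from 192.0.2.77 port 4022 ssh2",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

With UseDNS=no every denial lands in the first list; a non-empty second list means names are being logged and would need resolving before they could go into an address-based firewall table.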
    
