Getting IP's added to log entry - SSH



  1. Getting IP's added to log entry

    Hi All,

    As you are all aware there are bots scanning servers for sshd service
    and trying combinations of username/password to gain entry. To counter
    this I have added AllowUsers to my sshd_config with only one entry in it
    (not root). My log output for sshd to auth.log only logs this:

    sshd[321]: User root not allowed because not listed in AllowUsers

    when anyone else but the allowed user's name is used to try and gain
    entry. I would like this log message to reflect the IP the failed
    attempt came from, as my bruteforceblocker will then take the IP and send
    it to a table for my firewall that will block it from connecting to me
    again on my ssh port.

    So is it easy to modify sshd to do this, or is someone with no
    programming knowledge way out of their depth ??

    Matt.

  2. Re: Getting IP's added to log entry

    Matt Pearce wrote:
    > Hi All,
    >
    > As you are all aware there are bots scanning servers for sshd service
    > and trying combinations of username/password to gain entry. To counter
    > this I have added AllowUsers to my sshd_config with only one entry in it
    > (not root). My log output for sshd to auth.log only logs this:
    >
    > sshd[321]: User root not allowed because not listed in AllowUsers
    >
    > when anyone else but the allowed user's name is used to try and gain
    > entry. I would like this log message to reflect the IP the failed
    > attempt came from, as my bruteforceblocker will then take the IP and send
    > it to a table for my firewall that will block it from connecting to me
    > again on my ssh port.
    >
    > So is it easy to modify sshd to do this, or is someone with no
    > programming knowledge way out of their depth ??
    >
    > Matt.


    This should not be impossible - though I have not looked at the code -
    but why don't you just take note of the 'sshd[321]: connect from
    1.1.1.1' message?

    Joachim

  3. Re: Getting IP's added to log entry

    On 2005-11-28, Matt Pearce wrote:
    > As you are all aware there are bots scanning servers for sshd service
    > and trying combinations of username/password to gain entry. To counter
    > this I have added AllowUsers to my sshd_config with only one entry in it
    > (not root). My log output for sshd to auth.log only logs this:
    >
    > sshd[321]: User root not allowed because not listed in AllowUsers
    >
    > when anyone else but the allowed user's name is used to try and gain
    > entry. I would like this log message to reflect the IP the failed
    > attempt came from, as my bruteforceblocker will then take the IP and send
    > it to a table for my firewall that will block it from connecting to me
    > again on my ssh port.
    >
    > So is it easy to modify sshd to do this, or is someone with no
    > programming knowledge way out of their depth ??


    Assuming you're using OpenSSH (and the log message looks like it), then
    you can just upgrade to 4.1 or newer; the change you want is already in
    those versions. The log message has been changed to be of the form:

    User foo from hostname not allowed because not listed in AllowUsers

    where "hostname" will be either a fully qualified domain name (if you
    have UseDNS=yes) or an IP address (if you have UseDNS=no).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
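    Both approaches in this thread (Joachim's "take note of the connect from message", and the 4.1+ "User foo from hostname" format Darren describes) can be handled by one parser. The following is an added example, not code from any poster or from OpenSSH; it assumes the "connect from" line and the rejection are logged by the same sshd child pid, and the sample auth.log lines are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample auth.log lines: pids, hosts and addresses are made up.
# Lines 1-4 use the pre-4.1 format (no source in the rejection message),
# lines 5-6 use the 4.1+ format, with UseDNS=no and UseDNS=yes respectively.
SAMPLE_LOG = """\
Nov 28 10:01:02 host sshd[321]: connect from 192.0.2.10
Nov 28 10:01:03 host sshd[321]: User root not allowed because not listed in AllowUsers
Nov 28 10:02:07 host sshd[333]: connect from 198.51.100.7
Nov 28 10:02:08 host sshd[333]: User admin not allowed because not listed in AllowUsers
Nov 28 10:03:11 host sshd[340]: User test from 203.0.113.5 not allowed because not listed in AllowUsers
Nov 28 10:04:00 host sshd[345]: User bob from mail.example.net not allowed because not listed in AllowUsers
"""

SYSLOG_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<src>\S+)$")
# Optional "from <host>" group covers both the old and the 4.1+ message format.
DENIED_RE = re.compile(
    r"^User (?P<user>\S+)(?: from (?P<src>\S+))? not allowed because not listed in AllowUsers$"
)

def denied_sources(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, source) for every AllowUsers rejection.

    New-format lines carry the source themselves; for old-format lines the
    source is recovered from the last 'connect from' logged by the same pid
    (assumption: same sshd child logs both), or 'unknown' if there was none."""
    last_connect: Dict[str, str] = {}
    results: List[Tuple[str, str]] = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            last_connect[pid] = c.group("src")
            continue
        d = DENIED_RE.match(msg)
        if d:
            results.append((d.group("user"), d.group("src") or last_connect.get(pid, "unknown")))
    return results

def blockable_ips(lines: List[str]) -> List[str]:
    """Sources that are IP literals and so can go straight into a firewall table.
    With UseDNS=yes the log carries an FQDN instead, which is skipped here."""
    out = []
    for _user, src in denied_sources(lines):
        try:
            out.append(str(ipaddress.ip_address(src)))
        except ValueError:
            pass  # hostname (UseDNS=yes) or 'unknown': not usable as a firewall entry
    return out
```

The FQDN case is deliberately dropped rather than resolved, since a reverse-then-forward lookup at block time can point at a different address than the one that connected.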

  4. Re: Getting IP's added to log entry

    Darren Tucker wrote:

    > Assuming you're using OpenSSH (and the log message looks like it), then
    > you can just upgrade to 4.1 or newer; the change you want is already in
    > those versions. The log message has been changed to be of the form:
    >
    > User foo from hostname not allowed because not listed in AllowUsers
    >
    > where "hostname" will be either a fully qualified domain name (if you
    > have UseDNS=yes) or an IP address (if you have UseDNS=no).


    Hi Darren,

    Thanks for the reply :-). I am running OpenSSH, version 4.2p1 to be
    precise, and my log files don't reflect this change, and I can't find
    anywhere in the man pages or examples that allows me to do this with my
    sshd_config. Am I missing something ??

    Matt.

  5. Re: Getting IP's added to log entry

    Darren Tucker wrote:
    > Assuming you're using OpenSSH (and the log message looks like it), then
    > you can just upgrade to 4.1 or newer; the change you want is already in
    > those versions. The log message has been changed to be of the form:
    >
    > User foo from hostname not allowed because not listed in AllowUsers
    >
    > where "hostname" will be either a fully qualified domain name (if you
    > have UseDNS=yes) or an IP address (if you have UseDNS=no).


    Hi Darren,

    Thanks for the reply. I have checked my version of OpenSSH and found it
    to be 4.2p1. Interestingly, my log files don't have the mentioned change
    to them. Am I doing something wrong here ?? I have disabled the base
    version of sshd and am running the latest port version, which is 4.2p1.

    Thanks,

    Matt.

  6. Re: Getting IP's added to log entry


    > Thanks for the reply. I have checked my version of OpenSSH and found it
    > to be 4.2p1. Interestingly, my log files don't have the mentioned change
    > to them. Am I doing something wrong here ?? I have disabled the base
    > version of sshd and am running the latest port version, which is 4.2p1.


    OK, just found something most odd. I had /usr/ports/openssh installed on
    FreeBSD 6.0; the start script was /usr/local/etc/rc.d/sshd.sh, which
    pointed to /usr/local/sbin/sshd. This sshd reported as being 4.2p1 but
    was actually 3.6, hmmmmmmm, something rather odd. I have since removed
    that port and installed openssh-portable and it's fixed everything. I
    believe that /openssh needs to be deprecated or at least flagged as
    being an old version.

    Matt.
