Re: log viewer for remote logon attempts: the accounts and passwords tried?

* xubunt6:
[ ... ]
> Actually what I meant was not the password, but the login attempts.
> faillog and lastb both show an "empty" file, by the way. It needs some
> configuring I guess?

Configuration should already be set up to use faillog and lastb. Just
tried them here. lastb showed an empty file, and faillog reported no
login failures. Guessing that I haven't had any login failures, at
least since the last couple of rotations of the btmp file. ;-)

Just tried logging in on a virtual console, intentionally entering a bad
password. lastb now reports my failed login as well as faillog.

However... Just tried it with an SSH login, and no login failure was
logged. :-/ The SSH login failure was logged in '/var/log/auth.log'.

The following command will quickly extract SSH login failures from

    awk '$5~/^sshd/&&/Failed password/' /var/log/auth.log

I think SSH login failures aren't logged like local login failures since
sshd is configured by default not to use login.

Quoting from sshd_config(5):

    Specifies whether login(1) is used for interactive login sessions.
    The default is “no”. Note that login(1) is never used for remote
    command execution. Note also, that if this is enabled,
    X11Forwarding will be disabled because login(1) does not know how
    to handle xauth(1) cookies. If UsePrivilegeSeparation is
    specified, it will be disabled after authentication.

James Michael Fultz
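
Building on the awk one-liner in the post above, this added example (not part of the original post) tallies failed SSH password attempts per account and source address, which is what the thread title asks for. The function names `ssh_failures` and `sample_log` are hypothetical, the sample log lines are constructed, and the traditional syslog layout used by the one-liner is assumed.

```sh
#!/bin/sh
# Summarise failed SSH password attempts per (account, source address).
# Assumes the syslog layout "Mon DD HH:MM:SS host sshd[pid]: message",
# the same layout the $5~/^sshd/ test in the post relies on.

# Constructed sample lines (documentation addresses), not real log data.
sample_log() {
cat <<'EOF'
Mar  3 10:01:12 box sshd[2201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar  3 10:01:15 box sshd[2201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar  3 10:02:40 box sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:03:02 box sshd[2215]: Accepted password for james from 192.0.2.50 port 40100 ssh2
Mar  3 10:04:19 box sshd[2230]: Failed password for invalid user x from 10.0.0.1 from 198.51.100.7 port 51300 ssh2
Mar  3 10:05:00 box login[2300]: FAILED LOGIN (1) on '/dev/tty1' FOR 'james', Authentication failure
EOF
}

# Reads a log on stdin and prints one line per pair:
# count<TAB>known|invalid<TAB>account<TAB>source, highest count first.
ssh_failures() {
    awk '
    $5 ~ /^sshd/ && $6 == "Failed" && $7 == "password" && $8 == "for" {
        # The account name is supplied by the client and may contain
        # spaces or the word "from", so locate the address by counting
        # back from the end of the line: ... from ADDR port N ssh2
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        first = 9; kind = "known"
        if ($9 == "invalid" && $10 == "user") { first = 11; kind = "invalid" }
        user = ""
        for (i = first; i <= NF - 5; i++)
            user = user (i > first ? " " : "") $i
        count[kind "\t" user "\t" $(NF-3)]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# Stand-alone run on the constructed sample.
sample_log | ssh_failures
```

On a live system, feed the real file instead: `ssh_failures < /var/log/auth.log` (reading it normally requires root or membership in the group that owns the log).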