
sshd logs and possible security violation



I think this belongs on d.-user not the security or ssh lists.  

Thanks to people who helped point me to logcheck, I saw my first 
attempted login from outside today.  At least, I'm pretty sure that's 
what I saw but I am seeking some information about what gets logged 
by sshd.

What I see in auth.log is (consecutive lines):
Feb 14 23:19:29 www sshd[438]: Did not receive ident string from
   xxx.yy.zzz.uu (actual number removed in case!)
       I think that's an unsuccessful attempt to log in, am I right?

Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.
Feb 14 23:49:33 www sshd[242]: RSA key generation complete.
      don't understand why sshd did that then, 30 minutes later

      then the next lines are me testing what happens if I try to do 
an illegal login:
Feb 15 07:36:08 www su[1154]: + ??? root-www-data
Feb 15 07:36:08 www PAM_unix[1154]: (su) session opened for user www-data by (uid=0)
      which looks alarming but I was slung out by shell being
      /usr/bin/false or by fact I didn't give right password
Feb 15 07:36:08 www su[1174]: + ??? root-nobody
Feb 15 07:36:08 www PAM_unix[1174]: (su) session opened for user nobody by (uid=0)
      ditto
Feb 15 07:55:52 www sshd[1375]: Accepted password for xxxxxxx from
   zzz.zzz.zzz.zzz port yyyy

That last line seems to be the logging of a successful login and it's 
very reassuringly different from the one from someone else, from an 
outside IP address.

I had a look in the ssh documentation (which points to various dead 
URLs) but couldn't find anything detailed on logging messages.  I 
don't think my programming is up to reading the source package to see 
if that would tell me.  

I'm also under the impression that sshd generates new keys when 
restarted and at intervals; does anyone know if that is right?

TIA,

Chris



-- 
Chris Evans <chris@psyctc.org>
Consultant Psychiatrist in Psychotherapy,
Rampton Hospital; Associate R&D Director,
Tavistock & Portman NHS Trust;
Hon. SL Institute of Psychiatry
*** My views are my own and not representative 
of those institutions ***
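
Added example, not part of the original message: a small Python triage script that sorts the three kinds of sshd line quoted above by message type and source address. The sample log is constructed in the same format; its addresses and the user name "alice" are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the message; the
# addresses are documentation ranges and the user name is made up.
SAMPLE = """\
Feb 14 23:19:29 www sshd[438]: Did not receive ident string from 192.0.2.44
Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.
Feb 14 23:49:33 www sshd[242]: RSA key generation complete.
Feb 15 07:36:08 www su[1154]: + ??? root-www-data
Feb 15 07:55:52 www sshd[1375]: Accepted password for alice from 198.51.100.7 port 1022
"""

# timestamp, host, program[pid]: message
SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")

RULES = [
    # Logged when a client connects but never sends its SSH version banner.
    # Newer OpenSSH spells it "identification string" and appends a port.
    ("no_ident", re.compile(r"^Did not receive ident(?:ification)? string from (?P<ip>\S+)")),
    # A completed authentication: method, account, source address and port.
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) "
                            r"from (?P<ip>\S+) port (?P<port>\d+)")),
    # Server key generation, logged by the daemon itself, not a connection.
    ("keygen", re.compile(r"^Generating new (?P<bits>\d+) bit RSA key")),
]

def classify(line):
    """Return a dict describing one sshd line, or None for other programs."""
    m = SYSLOG.match(line)
    if not m or m.group(3) != "sshd":
        return None
    when, _host, _prog, pid, msg = m.groups()
    for kind, rx in RULES:
        hit = rx.match(msg)
        if hit:
            return {"when": when, "pid": int(pid), "kind": kind, **hit.groupdict()}
    return {"when": when, "pid": int(pid), "kind": "other"}

def summarize(text):
    """Count banner-less connections and accepted logins per source address."""
    per_ip = defaultdict(lambda: {"no_ident": 0, "accepted": 0})
    keygens = []
    for ev in filter(None, map(classify, text.splitlines())):
        if ev["kind"] in ("no_ident", "accepted"):
            per_ip[ev["ip"]][ev["kind"]] += 1
        elif ev["kind"] == "keygen":
            keygens.append((ev["when"], ev["pid"]))
    return dict(per_ip), keygens

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
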


