sshd logs and possible security violation
I think this belongs on d.-user not the security or ssh lists.
Thanks to people who helped point me to logcheck, I saw my first
attempted login from outside today. At least, I'm pretty sure that's
what I saw but I am seeking some information about what gets logged
by sshd.
What I see in auth.log is (consecutive lines):
Feb 14 23:19:29 www sshd[438]: Did not receive ident string from xxx.yy.zzz.uu (actual number removed in case!)
I think that's an unsuccessful attempt to log in, am I right?
Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.
Feb 14 23:49:33 www sshd[242]: RSA key generation complete.
I don't understand why sshd did that then, 30 minutes later.
Then the next lines are me testing what happens if I try to do
an illegal login:
Feb 15 07:36:08 www su[1154]: + ??? root-www-data
Feb 15 07:36:08 www PAM_unix[1154]: (su) session opened for user www-data by (uid=0)
which looks alarming but I was slung out by the shell being
/usr/bin/false or by the fact I didn't give the right password
Feb 15 07:36:08 www su[1174]: + ??? root-nobody
Feb 15 07:36:08 www PAM_unix[1174]: (su) session opened for user nobody by (uid=0)
ditto
Feb 15 07:55:52 www sshd[1375]: Accepted password for xxxxxxx from zzz.zzz.zzz.zzz port yyyy
That last line seems to be the logging of a successful login and it's
very reassuringly different from the one from someone else, from an
outside IP address.
I had a look in the ssh documentation (which points to various dead
URLs) but couldn't find anything detailed on logging messages. I
don't think my programming is up to reading the source package to see
if that would tell me.
I'm also under the impression that sshd generates new keys when
restarted and at intervals, does anyone know if that is right?
TIA,
Chris
--
Chris Evans <chris@psyctc.org>
Consultant Psychiatrist in Psychotherapy,
Rampton Hospital; Associate R&D Director,
Tavistock & Portman NHS Trust;
Hon. SL Institute of Psychiatry
*** My views are my own and not representative
of those institutions ***
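
Added example, not part of the original post: a small Python triage of the sshd message types quoted in the message above, separating connections that never sent an SSH version banner from daemon housekeeping and from accepted logins. The addresses and user name in SAMPLE are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Syslog prefix as seen in the post: "Feb 14 23:19:29 www sshd[438]: <message>"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[(\d+)\]: (.*)$")

# Message texts taken from the lines quoted in the post.
RULES = [
    # TCP connection closed before the client sent an SSH version banner:
    # no user name or password was ever offered.
    ("no_ident", re.compile(r"Did not receive ident string from (\S+)")),
    # Protocol 1 ephemeral server key being regenerated by the daemon itself.
    ("key_regen", re.compile(r"Generating new (\d+) bit RSA key")),
    ("key_regen_done", re.compile(r"RSA key generation complete")),
    ("accepted", re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")),
]

def classify(line):
    """Return (kind, fields) for an sshd line, None for any other daemon."""
    m = LINE.match(line.strip())
    if not m:
        return None
    for kind, rx in RULES:
        hit = rx.match(m.group(2))
        if hit:
            return kind, hit.groups()
    return "unclassified", (m.group(2),)

def summarize(lines):
    """Count events per kind, probes per source, and list accepted logins."""
    kinds, probes, logins = Counter(), Counter(), []
    for kind, f in filter(None, map(classify, lines)):
        kinds[kind] += 1
        if kind == "no_ident":
            probes[f[0]] += 1
        elif kind == "accepted":
            logins.append({"user": f[1], "source": f[2], "method": f[0]})
    return kinds, probes, logins

# Constructed sample: documentation-range addresses and a made-up user name.
SAMPLE = [
    "Feb 14 23:19:29 www sshd[438]: Did not receive ident string from 192.0.2.10",
    "Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.",
    "Feb 14 23:49:33 www sshd[242]: RSA key generation complete.",
    "Feb 15 07:36:08 www su[1154]: + ??? root-www-data",
    "Feb 15 07:55:52 www sshd[1375]: Accepted password for alice from 198.51.100.7 port 40222",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Wrapped log lines have to be rejoined into single lines before they are passed to `classify`, as in SAMPLE.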