conf/70973: script 800.loginfail dose not report 'Illegal user'
ogino at verama.net
Wed Aug 25 21:10:26 PDT 2004
>Synopsis: script 800.loginfail dose not report 'Illegal user' login failures
>Arrival-Date: Thu Aug 26 04:10:25 GMT 2004
>Originator: Mitsuru Ogino
FreeBSD vic.verama.net 5.2.1-RELEASE-p8 FreeBSD 5.2.1-RELEASE-p8 #6: Tue Jun 1 18:43:31 JST 2004
root at vic.verama.net:/usr/src/sys/i386/compile/VIC i386
Sshd(8) reports login failures. But the style of report is different between the failure caused by wrong user and that by wrong password. /etc/periodic/security/800.loginfail only report failure by wrong password.
It is important to know that someone attempt to login the system. So the system should report 'Illegal user' login failures to root.
Aug 26 01:47:25 vic sshd: Illegal user test from xxx.xxx.xxx.xxx
Use code to find pattern 'illegal user':
< n=$(catmsgs | grep -ia "^$yesterday.*fail" |
> n=$(catmsgs | egrep -ia "^$yesterday.*(fail|illegal user)" |
More information about the freebsd-bugs