getting pam to put the ip address in the log

DA Forsyth iwrtech at
Wed Aug 20 07:58:34 UTC 2008

Date: Tue, 19 Aug 2008 14:02:59 +0200

> Recently I have been seeing lots of connections to my sshd trying to
> guess passwords.  One thing I noticed was the hostname reported in the
> auth.log without reverse dns.  sshd never puts in the ip address, this
> is all I see:  

> sshd[14450]: error: PAM: authentication error for illegal user access
> from  

> Is it possible to get pam or sshd or whatever is ultimately logging
> this to put the ip address in the log so I can see where this is
> really coming from?  

I don't know about the log format (I'd run it through an AWK script 
that does the translation), but maybe you want to consider using PF 
to block those repeated attempts.  I've been contemplating this after 
reading the PF tutorial
which indicates an automated way to catch those IPs and stick them 
into a block list so after a few attempts your machine stops 

       DA Forsyth            Network Supervisor
Principal Technical Officer -- Institute for Water Research
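
Added example, not part of the original messages: an AWK filter over log lines in the format quoted above. It tallies PAM authentication errors per source (it does not translate names to addresses), so repeat offenders can be reviewed as candidates for a PF block list. The sample log lines, host names, the function names and the threshold of 3 are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample auth.log lines; the last one has no source logged,
# like the line quoted in the thread.
sample_log() {
cat <<'EOF'
Aug 19 13:58:01 myhost sshd[14450]: error: PAM: authentication error for illegal user access from host1.example.net
Aug 19 13:58:04 myhost sshd[14452]: error: PAM: authentication error for illegal user admin from host1.example.net
Aug 19 13:58:09 myhost sshd[14455]: error: PAM: authentication error for root from 192.0.2.77
Aug 19 13:58:12 myhost sshd[14457]: error: PAM: authentication error for illegal user test from host1.example.net
Aug 19 13:59:30 myhost sshd[14460]: Accepted publickey for alice from 198.51.100.5 port 50522 ssh2
Aug 19 14:00:02 myhost sshd[14470]: error: PAM: authentication error for illegal user guest from
EOF
}

# Read auth.log lines on stdin and print "count source" for every source
# with at least $1 failures (default 3), busiest first.
failed_sources() {
    awk -v min="${1:-3}" '
        /sshd\[[0-9]+\]: error: PAM: authentication error for / {
            # The source is the field after the final "from"; if the line
            # ends at "from", nothing was logged for it.
            if ($(NF-1) != "from") { unknown++; next }
            count[$NF]++
        }
        END {
            for (src in count)
                if (count[src] >= min) print count[src], src
            if (unknown)
                print unknown, "line(s) with no source logged" > "/dev/stderr"
        }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample.
sample_log | failed_sources 3
```

On a real system the input would be the auth log itself, for example `failed_sources 5 < /var/log/auth.log`.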

More information about the freebsd-questions mailing list