sshd logging with private key authentication
Glen Barber
glen.j.barber at gmail.com
Thu Jul 1 14:49:09 UTC 2010
Hi,

I've been seeing quite a bit of ssh bruteforce attacks which appear to
be dictionary-based. That's fine; I have proper measures in place, such
as key-only access, bruteforce tables for pf(4), and so on.

What caught my interest is if I attempt to log in from a machine where I
do not have my key, I see nothing logged about a failed publickey
attempt. If I attempt with an invalid username, as expected, I see
'Invalid user foo from ${IP}.'

Is this to be expected? If so, I am curious why. Though I realize an
attacker may not be able to see that a user is valid or invalid, might
we want to know that a valid username is being used in an attack?
(Unless, of course, the valid username is 'john'...)

Regards,
--
Glen Barber