sshd logging with private key authentication

Glen Barber glen.j.barber at
Thu Jul 1 14:49:09 UTC 2010


I've been seeing quite a bit of ssh bruteforce attacks which appear to 
be dictionary-based.  That's fine; I have proper measures in place, such 
as key-only access, bruteforce tables for pf(4), and so on.

What caught my interest is if I attempt to log in from a machine where I 
do not have my key, I see nothing logged about a failed publickey 
attempt.  If I attempt with an invalid username, as expected, I see 
'Invalid user foo from ${IP}.'

Is this to be expected?  If so, I am curious why.  Though I realize an 
attacker may not be able to see that a user is valid or invalid, might 
we want to know that a valid username is being used in an attack? 
(Unless, of course, the valid username is 'john'...)


Glen Barber

More information about the freebsd-questions mailing list