sshd logging

Wayne Sierke ws at au.dyndns.ws
Tue Jul 18 07:49:17 UTC 2017


On Mon, 2017-07-17 at 18:35 -0500, Paul Schmehl wrote:
> --On July 17, 2017 at 6:38:00 AM -0400 Daniel Feenberg <feenberg at nber
> .org> 
> wrote:
> 
> > 
> > 
> > On Mon, 17 Jul 2017, Matthias Apitz wrote:
> > 
> > > El día domingo, julio 16, 2017 a las 10:34:42p. m. -0500, Paul
> > > Schmehl
> > > escribió:
> > > 
> > > > Is there a way to get sshd to only log successful logins?
> > > 
> > > What about using ipf(8)?
> > 
> > denyhosts or fail2ban would be easier. You'd still get a few lines
> > in the
> > logs, but only a few.
> > 
> 
> Thanks, Dan. I'll take a look.
> 
> I've never understood why logging routinely records every failed 
> interaction. I suppose it's because summarizing it would take more 
> processing plus some sort of database. Seriously though, why should I
> care 
> about failed logins? It's the successful ones that I need to know
> about.

I imagine that historically the intensity of unauthorised login
attempts carried more significance (or was thought to) than it does
now.

sshd_config(5) - LogLevel

I haven't seen a description of which events are logged at each level,
but I have seen a comment that setting it to "ERROR" eliminates the
logging of failed attempts.

This page suggests an approach that may be of interest:

https://blog.stalkr.net/2010/11/login-notifications-pamexec-scripting.html


Wayne



More information about the freebsd-questions mailing list