sshd logging
Wayne Sierke
ws at au.dyndns.ws
Tue Jul 18 07:49:17 UTC 2017
On Mon, 2017-07-17 at 18:35 -0500, Paul Schmehl wrote:
> --On July 17, 2017 at 6:38:00 AM -0400 Daniel Feenberg <feenberg at nber
> .org>
> wrote:
>
> >
> >
> > On Mon, 17 Jul 2017, Matthias Apitz wrote:
> >
> > > El día domingo, julio 16, 2017 a las 10:34:42p. m. -0500, Paul
> > > Schmehl
> > > escribió:
> > >
> > > > Is there a way to get sshd to only log successful logins?
> > >
> > > What about using ipf(8)?
> >
> > denyhosts or fail2ban would be easier. You'd still get a few lines
> > in the
> > logs, but only a few.
> >
>
> Thanks, Dan. I'll take a look.
>
> I've never understood why logging routinely records every failed
> interaction. I suppose it's because summarizing it would take more
> processing plus some sort of database. Seriously though, why should I
> care
> about failed logins? It's the successful ones that I need to know
> about.
I imagine that historically the intensity of unauthorised login
attempts carried more significance (or was thought to) than it does
now.
sshd_config(5) - LogLevel
I haven't seen a description of which events are logged at each level,
but I have seen a comment that setting it to "ERROR" eliminates the
logging of failed attempts.
This page suggests an approach that may be of interest:
https://blog.stalkr.net/2010/11/login-notifications-pamexec-scripting.html
Wayne
More information about the freebsd-questions
mailing list