[SOLVED] How to check log files for ssh connection attempts

Dave_P · 10-05-2011, 04:09 PM

Quote:

Originally Posted by Linux_Kidd

yes, sshd runs at his house, but his tablet is a dhcp client that connects to various wifi ap's. his tablet runs the ssh client and he uses it to tunnel to/through his sshd at home.

Yep, that's my setup.

Anyway, rustek answered my original question which was how to check log files for ssh attempts.

@ everyone
I apologize for going off topic (i.e ssh keys) after my solution was solved which has cause some confusion.

pwalden · 10-06-2011, 03:38 PM

Then the service denyhosts should be a good solution. It does not care whether the client's IP changes. It only cares when a client fails to provide a login/password after 4 or so attempts. It then adds the offending client's IP to the hosts.deny for a month. If the client correctly logs in, using less than 4 tries, then there is no issue.

I use it with my ssh server at home. I can access the server from any wifi access point using my laptop, which is a dhcp client.

All the brute force password cracker attempts on my ssh server have their IP locked out for a month after 4 tries. Typically I see about 2 crackers a day get added to deny.hosts.

Denyhosts is readily available through many distro package managers.

Linux_Kidd · 10-06-2011, 04:01 PM

Quote:

Originally Posted by pwalden

Then the service denyhosts should be a good solution. It does not care whether the client's IP changes. It only cares when a client fails to provide a login/password after 4 or so attempts. It then adds the offending client's IP to the hosts.deny for a month. If the client correctly logs in, using less than 4 tries, then there is no issue.

I use it with my ssh server at home. I can access the server from any wifi access point using my laptop, which is a dhcp client.

All the brute force password cracker attempts on my ssh server have their IP locked out for a month after 4 tries. Typically I see about 2 crackers a day get added to deny.hosts.

Denyhosts is readily available through many distro package managers.

it doesnt stop unauthorized authenticated access! using a key pair with password is a better solution imho. is denyhosts susceptiple to any IP spoofing attacks?

rustek · 10-06-2011, 04:09 PM

@pwalden
Move off of port 22 and you won't get those attacks, I still scan for them but they just don't happen.

@Linux_Kidd

Quote:

it doesn't stop unauthorized authenticated access! using a key pair with password is a better solution imho.

In this case I agree.