On Tue, Oct 28, 2008 at 06:06:16PM +0800, Ming-Ching Tiew wrote:
> I am wondering if it makes sense to put failed
> attempts to login into the syslog, including
> information like user and password?
> Right now it only logs information that there
> is a failed attempt when there is an invalid user.
> The motivation for writing this information into
> syslog is to figure out if there is an auditable trail
> of brute force attempts (for example, a dictionary attack)
> or just the user forgetting the password.
> I suppose the downside of this scheme is that
> whoever gets hold of read access to the log
> will know what is considered invalid attempts?

The problem with logging invalid usernames is that the
invalid username may actually be the valid password. As you
noted, while the logs are secure for that machine, it's
nicer not to be storing sensitive information there. I
personally have found myself typing my password instead of
username a few times when using PuTTY, just because the
order of prompts is different to Unix clients. Avoiding
logging usernames was shamelessly taken from OpenSSH; I
think it makes sense. If the username is valid, it will get
logged.
Also, it takes a fair amount of time to perform an online brute
force attack against an SSH server. Attackers tend to use
simple passwords (chicken and alex were two examples I've seen
guessed that way). It would seem much better to concentrate
your defensive efforts on just running John or similar on
/etc/passwd every now and then.
Matt
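As an added illustration, not Dropbear's own code: a Python sketch of the rule Matt describes (write a username to the log only when it actually exists) together with a per-source tally over the resulting lines, which is the auditable trail the original question asks about. The user list, log wording, addresses and sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed for this example; Dropbear's real log wording may differ.
VALID_USERS = {"alice", "root"}

def auth_failure_line(username, valid_users, peer):
    """Syslog line for a failed login. A name that does not exist is never
    written out (it may be a password typed at the wrong prompt); a name
    that does exist is not secret and is safe to record."""
    if username in valid_users:
        return f"Bad password attempt for '{username}' from {peer}"
    return f"Login attempt for nonexistent user from {peer}"

LINE_RE = re.compile(
    r"^(?:Bad password attempt for '(?P<user>[^']*)'"
    r"|Login attempt for nonexistent user) from (?P<peer>\S+)$"
)

def classify_failures(lines, threshold=5):
    """Tally failures per source. Many from one source look like a dictionary
    attack; a few against one valid account look like a forgotten password."""
    stats = defaultdict(lambda: {"total": 0, "users": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not one of our auth-failure lines
        s = stats[m["peer"]]
        s["total"] += 1
        if m["user"] is not None:
            s["users"].add(m["user"])
    verdict = {}
    for peer, s in stats.items():
        if s["total"] >= threshold:
            verdict[peer] = "likely brute force"
        elif len(s["users"]) <= 1:
            verdict[peer] = "probably forgotten password"
        else:
            verdict[peer] = "review"
    return verdict

# Constructed sample: alice types her password into the username prompt once;
# a second source works through a short dictionary, mostly against root.
SAMPLE_LOG = [auth_failure_line(u, VALID_USERS, p) for u, p in [
    ("alice", "192.0.2.10"), ("s3cret!", "192.0.2.10"), ("alice", "192.0.2.10"),
    ("root", "198.51.100.7"), ("admin", "198.51.100.7"), ("chicken", "198.51.100.7"),
    ("alex", "198.51.100.7"), ("test", "198.51.100.7"), ("root", "198.51.100.7"),
]]
```

The mistyped password never reaches the log, yet the tally still separates the dictionary run from alice's failed memory.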