I've been looking for something in OpenSolaris 2008.11 or Solaris 10 that is similar to the "lastb" command in Red Hat Enterprise Linux where one can just type in: "lastb -i" while logged in as root and get a detailed list of all the IP addresses that are launching brute force login attacks against my SSH port and then I can work on that list with awk, "sort -rnk" and "uniq -c" to get a nice formatted list of the top 10 IP addresses in Romania or China that are launching the largest number of attacks (tens of thousands of bad login attempts) against one of my servers (actually it's a honeypot, not a real server, but that shouldn't matter for the purpose of this discussion).
I tried the whole "touch /var/adm/loginlog" thing, but it seems that it only tracks bad login attempts from the console and from telnet but not from SSH? Every time I get a brute force SSH attack, I get messages on the console that look something like:

May 6 01:41:43 zone1 sshd[8833]: Failed keyboard-interactive for root from 64.27.1.36 port 37553 ssh2

But what log file are these console messages written to in OpenSolaris 2008.11? Does anybody know?

I know, everyone who is hanging out here on this mailing list probably uses pre-shared SSH keys and VPNs and things of that nature, so this issue doesn't really affect them, but one of my long term goals is to build better, more secure (and more tempting) honeypots using Solaris Zones / Containers technology, which is why I'm wondering what the secret is for keeping track of bad SSH login attempts. There just HAS to be a way to do this since Solaris seems to be one of the most popular UNIX operating systems in security focused organizations (up there with the likes of OpenBSD and FreeBSD). I just can't find the "how to" anywhere on Google.

-- 
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
[email protected]
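The awk / sort / uniq pipeline the poster runs over "lastb -i" output on RHEL can be pointed at sshd's own syslog messages instead, which is what Solaris has to offer: sshd logs through syslog, and the failed-login lines end up in whichever file /etc/syslog.conf routes the auth facility to. The script below is an added example, not something from the original post or from the opensolaris-discuss list. It parses lines in the exact format quoted above ("Failed ... for USER from IP port N ssh2") and prints the N busiest source addresses. The log path is an assumption that depends on the local syslog.conf (commonly /var/log/authlog or /var/adm/messages); the sample log embedded in the script is constructed for demonstration and uses documentation-range addresses plus the one IP from the quoted message. On Solaris 10, nawk is the safer choice over /usr/bin/awk for the awk stages.

```shell
#!/bin/sh
# Added example (not from the original post): count failed sshd logins per
# source IP from syslog-style lines, the Solaris-side equivalent of the
# "lastb -i | awk | sort -rn | uniq -c" pipeline used on RHEL.
#
# ASSUMPTION: the file to read is wherever /etc/syslog.conf sends sshd's
# auth facility (e.g. /var/log/authlog or /var/adm/messages); pass it as $1.

# Constructed sample data in the same format as the message quoted in the post.
# Only the 64.27.1.36 line is taken from the post; the rest are made up and use
# documentation / private address ranges.
SAMPLE_LOG='May  6 01:41:43 zone1 sshd[8833]: Failed keyboard-interactive for root from 64.27.1.36 port 37553 ssh2
May  6 01:41:45 zone1 sshd[8834]: Failed keyboard-interactive for root from 64.27.1.36 port 37560 ssh2
May  6 01:42:01 zone1 sshd[8840]: Failed password for invalid user oracle from 10.0.0.9 port 41222 ssh2
May  6 01:42:02 zone1 sshd[8841]: Accepted publickey for admin from 192.0.2.7 port 5022 ssh2
May  6 01:42:09 zone1 sshd[8842]: Failed keyboard-interactive for root from 64.27.1.36 port 37570 ssh2
May  6 01:43:30 zone1 sshd[8850]: Failed password for root from 203.0.113.5 port 60001 ssh2
May  6 01:43:31 zone1 sshd[8851]: Failed password for root from 203.0.113.5 port 60002 ssh2'

# top_failed_ips FILE [N]
# Prints "COUNT IP" for the N source addresses with the most failed sshd
# logins (default N=10), most active first.
top_failed_ips() {
    file=$1
    n=${2:-10}
    # Stage 1: keep only sshd "Failed ..." lines (successful "Accepted" logins
    # are ignored) and emit the token that follows the word "from".
    # Stage 2: sort | uniq -c counts each address, sort -rn ranks by count,
    # head keeps the top N; the last awk normalises uniq's padded output.
    awk '/sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$file" \
    | sort | uniq -c | sort -rn | head -n "$n" \
    | awk '{ print $1, $2 }'
}

# Usage: sh top_failed_ips.sh /var/log/authlog [N]
# With no arguments the script runs against the constructed sample above.
if [ $# -gt 0 ]; then
    top_failed_ips "$@"
else
    tmp=${TMPDIR:-/tmp}/sshd_sample.$$
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    top_failed_ips "$tmp"
    rm -f "$tmp"
fi
```

Against the sample the output is the three offending addresses with counts 3, 2 and 1. To match the "top 10 in a given country" view from the post, the IP column can be fed to whatever whois or geolocation lookup is available locally; that step is not part of the example.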
