how to log sshd access in a single file
Hello,

just a few days ago I set up my first FreeBSD server, so I am new to this OS. I already tried to find the information I was looking for, but to no luck. I try to add a line in /etc/hosts.allow which would allow and log all attempts using SSH (sshd). I found http://www.freebsd.org/doc/handbook/tcpwrappers.html, which mentions twist as the only way to accomplish this. So I created a line in allow.hosts which reads as follows:

    sshd : ALL : twist /bin/echo a% from h% attempted to acces d% \ \var\log\ssh-connections.log : allow

sshd for the service
ALL for all ip-addresses
allow to allow access
and the text in between should make sure that the file ssh-connections is being updated.

The file already exists, I used root access to create it. But it does not work as expected. Could you please point me where I did it wrong.

Thanks in advance for your help.

Best regards,
aurikus

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: how to log sshd access in a single file
Hello Rick,

sorry that I did not reply to all, from now on I will use reply to all. Thanks for pointing it out.

I will also open port 80 for web access, but I do not want to log those, because I expect a huge amount of traffic on my server. So I only want to log successful and unsuccessful sshd access.

twist is part of the FreeBSD 9.1 base installation, I did not yet install any other package. The idea behind using hosts.allow was because I could specify the rule by the service (and not by the level of the message). And yes, in my case sshd is configured to run via inetd.

You are correct, my main goal is to log all failed sshd attempts. If it is easier to log successful and failed attempts (to the same file), this would also be fine for me.

Thanks in advance for your continued effort.

Best regards,
aurikus.

2013/9/16 Rick Miller vmil...@hostileadmin.com

> Hi Aurikus,
>
> Selecting Reply all when replying to messages on the list allows the entire list to benefit from the discussion.
>
> On Mon, Sep 16, 2013 at 11:05 AM, aurikus grande auri...@gmail.com wrote:
>
>> Hello Rick. Thanks a lot for your quick reply. Does your recommendation - to use syslog.conf instead - mean that I can't accomplish what I want with hosts.allow and twist?
>
> I am unfamiliar with twist and cannot authoritatively answer this question. Not to mention, it does not appear to be in base
>
>> I'm still reading through the man pages and trying to understand how to configure syslog.conf.
>
> I recommended syslog, because it is the stock logging mechanism for FreeBSD. On my 9.1 system, /etc/syslog.conf contains:
>
>     auth.info;authpriv.info /var/log/auth.log
>
> These facilities are both logging to /var/log/auth.log. Your stated goal was logging of failed ssh attempts to your host. The above line in syslog.conf accomplishes this by sending the message to /var/log/auth.log.
>
> TCPWrappers will have no effect on logging of failed ssh attempts unless sshd is configured to run via inetd. I recommend pf or ipfw for filtering access to ssh.
>
> --
> Take care
> Rick Miller

Re: how to log sshd access in a single file
> Most web servers handle their own logging.

I do _not_ want the web server access to be logged (at least as of now).

> Have you looked at /var/log/auth.log?

Yes, and as you mentioned in your previous update, it logs the successful login (only). Unsuccessful attempts are being sent to /var/log/messages. So there are 2 separate files. I would like to have all sshd access attempts in one single file - regardless of whether they are successful or unsuccessful.

Quotation:
> I believe FreeBSD defaults to failed ssh authentication is logged to /var/log/messages while successful authentication is written to /var/log/auth.log.

> Can you elaborate on your reasons for running sshd via inetd? I'm curious as I've never even heard of anyone attempting this.

When I searched how to set up / configure sshd on the internet, I found many hints to start it using inetd. Since it worked for me there was no reason to change it.

Best regards,
aurikus

2013/9/16 Rick Miller vmil...@hostileadmin.com

> On Mon, Sep 16, 2013 at 1:57 PM, aurikus grande auri...@gmail.com wrote:
>
>> Hello Rick, sorry that I did not reply to all, from now on I will use reply to all. Thanks for pointing it out. I will also open port 80 for web access, but I do not want to log those, because I expect a huge amount of traffic on my server.
>
> Most web servers handle their own logging.
>
>> So I only want to log successful and unsuccessful sshd access.
>
> Have you looked at /var/log/auth.log?
>
>> twist is part of the FreeBSD 9.1 base installation, I did not yet install any other package.
>
> That was my mistake, I sent the email before editing that out as I had intended.
>
>> The idea behind using hosts.allow was because I could specify the rule by the service (and not by the level of the message). And yes, in my case sshd is configured to run via inetd. You are correct, my main goal is to log all failed sshd attempts. If it is easier to log successful and failed attempts (to the same file), this would also be fine for me.
>
> Can you elaborate on your reasons for running sshd via inetd? I'm curious as I've never even heard of anyone attempting this.
>
> --
> Take care
> Rick Miller
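
An added example, not part of the original thread: one way to collect every sshd message in a single file on FreeBSD is a program-specific block in /etc/syslog.conf, shown here together with the hosts.allow rule written with spawn in the form the linked handbook page uses. The file name /var/log/sshd.log is an assumption; /var/log/ssh-connections.log is the name from the question.

```conf
# File: /etc/syslog.conf (append at the end of the file)
# A "!program" line restricts the rules that follow to messages logged
# by that program, whatever facility or level it uses, so failed and
# successful logins end up in the same file.
!sshd
*.*                                     /var/log/sshd.log
# "!*" ends the program-specific block.
!*

# syslogd does not create missing log files by default, so create the
# file and reload syslogd (run as root):
#   touch /var/log/sshd.log && chmod 600 /var/log/sshd.log
#   service syslogd reload

# File: /etc/hosts.allow
# The first matching rule wins, so place this above any other rule
# that matches sshd.
# spawn runs the command in a child process and lets the connection
# continue; twist replaces the service with the command instead.
# The expansions are written %a (client address), %h (client host
# name) and %d (daemon name), and the output needs a >> redirect.
# This records connection attempts only, not authentication results.
sshd : ALL \
    : spawn (/bin/echo %a from %h attempted to access %d >> \
      /var/log/ssh-connections.log) \
    : allow
```

The syslog.conf block adds a copy of the sshd messages to the new file; the existing rules for /var/log/auth.log and /var/log/messages keep working as before.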