Re: ftpd and sshd logging of domain names

2008-08-24 Thread Polytropon
On Sun, 24 Aug 2008 16:32:56 -0500, Len Conrad [EMAIL PROTECTED] wrote:
> Are there any flags or tricks to get these two daemons to log IP
> addresses of failed login attempts, rather than PTR hostnames?
>
> man ftpd
> man sshd
>
> ... show nothing, afaics.

At least for ftpd I think there is a solution:

1. Edit /etc/inetd.conf

ftp  stream  tcp   nowait  root  /usr/libexec/ftpd  ftpd -ll
ftp  stream  tcp6  nowait  root  /usr/libexec/ftpd  ftpd -ll

   The flags -ll enable extended logging.

2. Edit /etc/syslog.conf:

!ftpd
*.* /var/log/ftpd.log

3. Create the log file

# touch /var/log/ftpd.log

4. Optionally: Edit /etc/newsyslog.conf for preferred log
   rotation.

The IPs are logged in the log file. I'm sure SSH
allows something similar. If I remember correctly, this
was recently discussed on this list; maybe the archive
brings up some helpful information for you.



-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ftpd and sshd logging of domain names

2008-08-24 Thread Len Conrad



> At least for ftpd I think there is a solution:
>
> 1. Edit /etc/inetd.conf
>
> ftp  stream  tcp   nowait  root  /usr/libexec/ftpd  ftpd -ll
> ftp  stream  tcp6  nowait  root  /usr/libexec/ftpd  ftpd -ll

with -ll, ftpd still logs failures as auth.log as

Aug 24 17:05:30 mx1 ftpd[1625]: FTP LOGIN FAILED FROM domain.tld, user


>    The flags -ll enable extended logging.
>
> 2. Edit /etc/syslog.conf:
>
> !ftpd
> *.* /var/log/ftpd.log
>
> 3. Create the log file
>
> # touch /var/log/ftpd.log


same in ftpd.log



> The IPs are being logged in the log file.


they are not logged.


> I'm sure SSH
> allows something similar. If I remember correctly, this
> has recently been discussed at this list, maybe the archive
> brings up some helping informations for you.


thanks, I'll look.

like everybody else, we are getting hammered by brute force attacks.

thanks
Len



Re: ftpd and sshd logging of domain names

2008-08-24 Thread Polytropon
On Sun, 24 Aug 2008 17:18:55 -0500, Len Conrad [EMAIL PROTECTED] wrote:
> with -ll, ftpd still logs failures as auth.log as
> same in ftpd.log
> [The IPs] they are not logged.

I did the three steps I mentioned and have failures with IPs
logged in /var/log/ftpd.log, for example:

connection from 79.165.190.70 (79.165.190.70)
FTP LOGIN FAILED FROM 79.165.190.70
FTP LOGIN FAILED FROM 79.165.190.70, Administrateur
repeated login failures from 79.165.190.70

connection from projectvibe.net (205.234.98.200)
FTP LOGIN FAILED FROM projectvibe.net
FTP LOGIN FAILED FROM projectvibe.net, Administrator

But you're right, in the second example, the host name is logged,
not the IP, but the IP is always logged in the connection from
lines.

Did you have any luck parsing the mailing list's archive?

-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
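Correlating the two line types the way Polytropon describes (the IP is in the "connection from" line, the failure line may only carry the PTR name), as an added example that is not from the thread or from FreeBSD. The sample log is constructed: the syslog prefix, host name mx1 and PIDs are assumed; only the message texts mirror the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ftpd.log (syslog prefix, host name and PIDs
# are assumed); only the message texts mirror the lines quoted in the thread.
SAMPLE_LOG = """\
Aug 24 17:05:30 mx1 ftpd[1625]: connection from 79.165.190.70 (79.165.190.70)
Aug 24 17:05:31 mx1 ftpd[1625]: FTP LOGIN FAILED FROM 79.165.190.70
Aug 24 17:05:34 mx1 ftpd[1625]: FTP LOGIN FAILED FROM 79.165.190.70, Administrateur
Aug 24 17:05:36 mx1 ftpd[1625]: repeated login failures from 79.165.190.70
Aug 24 17:06:02 mx1 ftpd[1640]: connection from projectvibe.net (205.234.98.200)
Aug 24 17:06:03 mx1 ftpd[1640]: FTP LOGIN FAILED FROM projectvibe.net
Aug 24 17:06:05 mx1 ftpd[1640]: FTP LOGIN FAILED FROM projectvibe.net, Administrator
Aug 24 17:06:09 mx1 ftpd[1651]: FTP LOGIN FAILED FROM domain.tld, user
"""

# inetd forks one ftpd per connection, so the PID in the syslog tag ties the
# "connection from host (ip)" line to the later failures of the same session.
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ftpd\[(?P<pid>\d+)\]: "
CONN_RE = re.compile(PREFIX + r"connection from (?P<host>\S+) \((?P<ip>[^)]+)\)")
FAIL_RE = re.compile(PREFIX + r"FTP LOGIN FAILED FROM (?P<host>[^,\s]+)(?:, (?P<user>\S+))?")


def failures_by_ip(log_text):
    """Attribute each failed login to the IP of its session.

    Returns (Counter of failures per IP, list of (ip, logged_host, user)).
    If no connection line exists for a PID (e.g. rotated away), the host
    name as logged is kept so the failure is still counted.
    """
    ip_for_pid = {}
    failures = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ip_for_pid[m["pid"]] = m["ip"]
            continue
        m = FAIL_RE.match(line)
        if m:
            ip = ip_for_pid.get(m["pid"], m["host"])
            failures.append((ip, m["host"], m["user"]))
    return Counter(ip for ip, _, _ in failures), failures


def offenders(counts, threshold=2):
    """IPs with at least `threshold` failures, most frequent first, for review or blocking."""
    return [ip for ip, n in counts.most_common() if n >= threshold]
```

Run it over the real file with `failures_by_ip(open("/var/log/ftpd.log").read())`; PIDs are reused over time, so apply it per log rotation rather than to years of concatenated logs.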


Re: ftpd and sshd logging of domain names

2008-08-24 Thread Len Conrad



> with -ll, ftpd still logs failures as auth.log as
> same in ftpd.log
> [The IPs] they are not logged.
>
> I did the three steps I mentioned and have failures with IPs
> logged in /var/log/ftpd.log, for example:
>
> connection from 79.165.190.70 (79.165.190.70)
> FTP LOGIN FAILED FROM 79.165.190.70
> FTP LOGIN FAILED FROM 79.165.190.70, Administrateur
> repeated login failures from 79.165.190.70


... because the IP has no PTR


> connection from projectvibe.net (205.234.98.200)
> FTP LOGIN FAILED FROM projectvibe.net
> FTP LOGIN FAILED FROM projectvibe.net, Administrator


IP has PTR, whose domain name is logged.


> But you're right, in the second example, the host name is logged,
> not the IP, but the IP is always logged in the connection from
> lines.


connection from not the fault we are trying to block reactively.


> Did you have any luck parsing the mailing list's archive?


no, neither in my personal archives, nor through google.

thanks
Len
