Hi Scott, a way you can monitor SSH brute force attacks on valid user accounts is to do something like this:

Step 1: become root / super user

    $ su - root

Step 2: edit the /etc/default/login file with your favorite editor and make sure that SYSLOG=YES is uncommented.

    # vi /etc/default/login

Now when you type in this command:

    # grep -i syslog /etc/default/login

you should get output like this:

    root at solarisunix:~# grep -i syslog /etc/default/login
    # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
    SYSLOG=YES
    # The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
    # message is logged, using the syslog(3) LOG_NOTICE facility. For example,
    SYSLOG_FAILED_LOGINS=0
    root at solarisunix:~#

Step 3: Create a /var/adm/authlog file

    # touch /var/adm/authlog
    # chmod 600 /var/adm/authlog
    # chgrp sys /var/adm/authlog

Step 4: edit the /etc/syslog.conf file and add an "auth.notice /var/adm/authlog" line to the file to log failed password attempts and send them to the /var/adm/authlog file:

    # vi /etc/syslog.conf

Fields that are on the same line in syslog.conf are separated by tabs. So you want the first three lines after the comments to look something like this:

    *.err;kern.notice;					/dev/sysmsg
    *.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
    auth.notice						/var/adm/authlog

Step 5: Refresh the syslog daemon

    # svcadm refresh system/system-log

Step 6: Verify that the log works by trying to log in with a valid username and an incorrect password a few times.

I think it only logs brute-force attacks against valid user accounts but I'm not 100% sure.

--
This message posted from opensolaris.org
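As an added example (this is not code from the post above or from OpenSolaris), here is a small POSIX sh script that does the two things a practitioner would want once the steps above are in place: check that a /etc/default/login style file really has SYSLOG=YES uncommented, and summarise the failed SSH logins in an authlog per user and source address so a brute-force run stands out. The log lines it reads are constructed samples; the message layout ("Failed password for USER from ADDR ...", "Failed ... for invalid user USER from ADDR ...") is assumed from OpenSSH-style sshd syslog output, and the script assumes a POSIX awk (nawk on Solaris), so adjust the patterns to match what your own /var/adm/authlog contains.

```shell
#!/bin/sh
# Added example: verify the SYSLOG setting and summarise failed SSH logins
# from an authlog. Sample data below is constructed for illustration.

# --- constructed sample inputs ------------------------------------------
SAMPLE_AUTHLOG=$(mktemp)
SAMPLE_LOGIN_ON=$(mktemp)
SAMPLE_LOGIN_OFF=$(mktemp)
trap 'rm -f "$SAMPLE_AUTHLOG" "$SAMPLE_LOGIN_ON" "$SAMPLE_LOGIN_OFF"' EXIT

# Constructed authlog lines in an assumed OpenSSH/Solaris syslog layout.
cat > "$SAMPLE_AUTHLOG" <<'EOF'
Mar  3 10:15:01 solarisunix sshd[2041]: [ID 800047 auth.notice] Failed password for root from 192.0.2.10 port 51234 ssh2
Mar  3 10:15:04 solarisunix sshd[2041]: [ID 800047 auth.notice] Failed password for root from 192.0.2.10 port 51236 ssh2
Mar  3 10:15:07 solarisunix sshd[2041]: [ID 800047 auth.notice] Failed keyboard-interactive/pam for root from 192.0.2.10 port 51238 ssh2
Mar  3 10:16:12 solarisunix sshd[2077]: [ID 800047 auth.notice] Failed password for scott from 198.51.100.7 port 40022 ssh2
Mar  3 10:16:15 solarisunix sshd[2077]: [ID 800047 auth.notice] Failed password for scott from 198.51.100.7 port 40024 ssh2
Mar  3 10:17:30 solarisunix sshd[2099]: [ID 800047 auth.notice] Failed password for invalid user admin from 192.0.2.10 port 51300 ssh2
Mar  3 10:18:00 solarisunix sshd[2101]: [ID 800047 auth.notice] Accepted publickey for scott from 203.0.113.5 port 33000 ssh2
EOF

# Constructed /etc/default/login fragments: one with SYSLOG active, one commented out.
printf '# SYSLOG determines whether syslog is used\nSYSLOG=YES\n' > "$SAMPLE_LOGIN_ON"
printf '# SYSLOG determines whether syslog is used\n# SYSLOG=YES\n' > "$SAMPLE_LOGIN_OFF"

# --- functions ------------------------------------------------------------

# syslog_enabled FILE
# Returns 0 when FILE contains an active (uncommented) SYSLOG=YES line.
syslog_enabled() {
    grep -q '^[[:space:]]*SYSLOG=YES' "$1"
}

# count_failures AUTHLOG [MIN]
# Prints "<count> <user> <source> <valid|invalid>" for every user/source
# pair with at least MIN failed logins (default 1), highest count first.
count_failures() {
    log=$1
    min=${2:-1}
    min="$min" awk '
        /Failed (password|keyboard-interactive|none)/ && / for / && / from / {
            user = ""; src = ""; status = "valid"
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    if ($(i+1) == "invalid" && $(i+2) == "user") {
                        user = $(i+3); status = "invalid"
                    } else {
                        user = $(i+1)
                    }
                }
                if ($i == "from") src = $(i+1)
            }
            if (user != "" && src != "") n[user " " src " " status]++
        }
        END {
            for (k in n) if (n[k] + 0 >= ENVIRON["min"] + 0) print n[k], k
        }
    ' "$log" | sort -rn
}

# --- stand-alone usage ----------------------------------------------------
echo "All failed logins per user/source:"
count_failures "$SAMPLE_AUTHLOG"
echo
echo "Pairs with 2 or more failures (brute-force candidates):"
count_failures "$SAMPLE_AUTHLOG" 2
echo
if syslog_enabled "$SAMPLE_LOGIN_ON"; then
    echo "sample login file: SYSLOG=YES is active"
fi
```

On a real system you would run `syslog_enabled /etc/default/login` and `count_failures /var/adm/authlog 5` (or whatever threshold suits you) from cron, and the "invalid" column tells you whether the attempts were against accounts that actually exist, which is the distinction the post is unsure about.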