Hi Scott, a way you can monitor SSH brute force attacks on valid user accounts 
is to do something like this:

Step 1: become root / super user

$ su - root

Step 2: edit the /etc/default/login file with your favorite editor and make 
sure that SYSLOG=YES is uncommented.

# vi /etc/default/login

Now when you type in this command:

# grep -i syslog /etc/default/login

you should get output like this:

root at solarisunix:~# grep -i syslog /etc/default/login
# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
SYSLOG=YES
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# message is logged, using the syslog(3) LOG_NOTICE facility. For example,
SYSLOG_FAILED_LOGINS=0
root at solarisunix:~#

Step 3: Create a /var/adm/authlog file

# touch /var/adm/authlog

# chmod 600 /var/adm/authlog

# chgrp sys /var/adm/authlog

Step 4: edit the /etc/syslog.conf file and add an "auth.notice 
/var/adm/authlog" line to the file to log failed password attempts and send 
them to the /var/adm/authlog file:

# vi /etc/syslog.conf

Fields that are on the same line in syslog.conf are separated by tabs. So you 
want the first three lines after the comments to look something like this:

*.err;kern.notice; /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
auth.notice /var/adm/authlog

Step 5: Refresh the syslog daemon

# svcadm refresh system/system-log

Step 6: Verify that the log works by trying to log in with a valid username and 
an incorrect password a few times. I think it only logs brute-force attacks 
against valid user accounts, but I'm not 100% sure.
-- 
This message posted from opensolaris.org

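As an added example (not from the post above, and not an OpenSolaris tool), here is a small POSIX shell script that reads the authlog produced by the auth.notice rule in Step 4 and summarizes failed logins per source address and per target account, flagging any source that reaches a threshold. The log lines embedded in it are constructed for illustration; the exact wording your sshd writes may differ, so compare a real line from /var/adm/authlog before relying on the "for"/"from" fields it keys on.

```shell
#!/bin/sh
# Added example, not part of the original post: summarize "Failed ..." records
# in an authlog written by an "auth.notice /var/adm/authlog" syslog rule.
# Assumed file name: authlog_summary.sh. Usage:
#   sh authlog_summary.sh /var/adm/authlog [threshold]
# With no arguments it runs against the constructed sample below.

# Constructed sample of what auth.notice records can look like (Solaris-style
# "[ID nnn auth.notice]" tag included). Not captured from a real host.
sample_authlog() {
    cat <<'EOF'
Jan 10 12:34:56 solarisunix sshd[1234]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 10.0.0.5 port 41234 ssh2
Jan 10 12:34:58 solarisunix sshd[1234]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 10.0.0.5 port 41235 ssh2
Jan 10 12:35:01 solarisunix sshd[1240]: [ID 800047 auth.notice] Failed keyboard-interactive for alice from 10.0.0.5 port 41236 ssh2
Jan 10 12:35:07 solarisunix sshd[1251]: [ID 800047 auth.notice] Accepted keyboard-interactive for alice from 192.0.2.10 port 50000 ssh2
Jan 10 12:36:15 solarisunix sshd[1260]: [ID 800047 auth.notice] Failed keyboard-interactive for bob from 192.0.2.10 port 50001 ssh2
EOF
}

# failed_by_source LOGFILE
# Emits "count source" lines, most frequent first, for records containing
# "failed" (case-insensitive). The source is the word following "from".
failed_by_source() {
    awk 'tolower($0) ~ /failed/ {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# failed_by_user LOGFILE
# Same summary keyed by the target account (the word following "for").
failed_by_user() {
    awk 'tolower($0) ~ /failed/ {
            for (i = 1; i < NF; i++) if ($i == "for") { n[$(i+1)]++; break }
         }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# flag_sources LOGFILE THRESHOLD
# Prints "source count" for every source with at least THRESHOLD failures.
# Exit status 0 if at least one source was flagged, 1 otherwise.
flag_sources() {
    failed_by_source "$1" | awk -v t="$2" '
        $1 + 0 >= t + 0 { print $2, $1; f = 1 }
        END { exit f ? 0 : 1 }'
}

# Stand-alone run: real log if given, otherwise the constructed sample.
if [ $# -gt 0 ]; then
    log=$1; thr=${2:-5}; cleanup=
else
    log=$(mktemp); thr=3; cleanup=$log
    sample_authlog > "$log"
fi
echo "Failed logins by source:";  failed_by_source "$log"
echo "Failed logins by account:"; failed_by_user "$log"
echo "Sources at or above $thr failures:"
flag_sources "$log" "$thr" || echo "(none)"
[ -n "$cleanup" ] && rm -f "$cleanup"
```

Run it against the real file with the threshold that suits the host, for example `sh authlog_summary.sh /var/adm/authlog 10`; "Accepted" lines are deliberately not counted, so a successful login from the same address does not inflate its score.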