Date:      Wed, 20 Aug 2008 09:58:17 +0200
From:      "DA Forsyth" <iwrtech@iwr.ru.ac.za>
To:        freebsd-questions@freebsd.org
Cc:        mgrant@grant.org
Subject:   re: getting pam to put the ip address in the log
Message-ID:  <48ABEAB9.1674.182478DD@iwrtech.iwr.ru.ac.za>

Date: Tue, 19 Aug 2008 14:02:59 +0200

> Recently I have been seeing lots of connections to my sshd trying to
> guess passwords.  One thing I noticed was the hostname reported in the
> auth.log without reverse dns.  sshd never puts in the ip address, this
> is all I see:  

> sshd[14450]: error: PAM: authentication error for illegal user access
> from host1.xxx.br  

> Is it possible to get pam or sshd or whatever is ultimately logging
> this to put the ip address in the log so I can see where this is
> really coming from?  

I don't know about the log format (I'd run it through an AWK script 
that does the translation), but maybe you want to consider using PF 
to block those repeated attempts.  I've been contemplating this after 
reading the PF tutorial
   http://www.bsdly.net/~peter/pf.html
which indicates an automated way to catch those IPs and stick them 
into a block list so after a few attempts your machine stops 
responding.


--
       DA Forsyth             Network Supervisor
Principal Technical Officer -- Institute for Water Research
http://www.ru.ac.za/institutes/iwr/




