From owner-freebsd-questions@FreeBSD.ORG Wed Aug 20 07:58:34 2008
From: "DA Forsyth"
Organization: IWR
To: freebsd-questions@freebsd.org
Cc: mgrant@grant.org
Date: Wed, 20 Aug 2008 09:58:17 +0200
Message-ID: <48ABEAB9.1674.182478DD@iwrtech.iwr.ru.ac.za>
Subject: re: getting pam to put the ip address in the log
Reply-To: iwrTech@iwr.ru.ac.za

Date: Tue, 19 Aug 2008 14:02:59 +0200
> Recently I have been seeing lots of connections to my sshd trying to
> guess passwords. One thing I noticed was the hostname reported in the
> auth.log without reverse dns.
> sshd never puts in the ip address, this is all I see:
>
> sshd[14450]: error: PAM: authentication error for illegal user access
> from host1.xxx.br
>
> Is it possible to get pam or sshd or whatever is ultimately logging
> this to put the ip address in the log so I can see where this is
> really coming from?

I don't know about the log format (I'd run it through an AWK script that
does the translation), but maybe you want to consider using PF to block
those repeated attempts. I've been contemplating this after reading the
PF tutorial http://www.bsdly.net/~peter/pf.html which indicates an
automated way to catch those IPs and stick them into a block list so
after a few attempts your machine stops responding.

--
DA Forsyth            Network Supervisor
Principal Technical Officer -- Institute for Water Research
http://www.ru.ac.za/institutes/iwr/
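The two things the reply points at, the AWK-style translation of the logged host names and the PF overload table from the bsdly.net tutorial, in one script. This is an added example by the editor, not code from the thread or from the tutorial; the interface name em0, the management address 192.0.2.10, the table names and the 10 / 5-per-30-seconds thresholds are placeholders you would adjust, and the sample auth.log lines are constructed in the format quoted above.

```shell
#!/bin/sh
# Added example for this thread (editor's code, not from the original poster
# or the PF tutorial). Two things the reply suggests, in one script:
#   1. summarise the PAM "authentication error ... from HOST" lines per host
#      (and optionally resolve HOST to an address), and
#   2. emit a pf.conf fragment that rate-limits SSH per source and drops
#      repeat offenders into a table, as bsdly.net's tutorial describes.

# Constructed sample auth.log lines in the format quoted in the thread.
SAMPLE_LOG='Aug 19 13:55:01 gw sshd[14450]: error: PAM: authentication error for illegal user access from host1.xxx.br
Aug 19 13:55:03 gw sshd[14452]: error: PAM: authentication error for illegal user admin from host1.xxx.br
Aug 19 13:55:09 gw sshd[14460]: error: PAM: authentication error for illegal user test from scanner.example.net
Aug 19 13:56:00 gw sshd[14470]: Accepted publickey for dave from 203.0.113.5 port 50122 ssh2'

# failed_by_host: read auth.log lines on stdin and print "COUNT HOST" for every
# remote host that produced a PAM authentication error, busiest host first.
# The host is the word after "from"; it is a name only when sshd's reverse
# lookup succeeded, so it may already be an address.
failed_by_host() {
    awk '/sshd\[[0-9]+\]: error: PAM: authentication error/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") n[$(i + 1)]++
        }
        END { for (h in n) printf "%d %s\n", n[h], h }' |
    sort -rn
}

# resolve_host NAME: print the A record(s) for NAME (the translation step the
# reply would do in AWK). Needs DNS, so it is not exercised by the offline demo.
resolve_host() {
    if command -v host >/dev/null 2>&1; then
        host -t A "$1" | awk '/has address/ { print $NF }'
    else
        getent hosts "$1" | awk '{ print $1 }'
    fi
}

# pf_bruteforce_rules: pf.conf fragment. Assumptions (placeholders): the
# external interface is em0 and 192.0.2.10 is your own management host, which
# is passed before the block rule so you cannot lock yourself out.
pf_bruteforce_rules() {
    cat <<'EOF'
ext_if = "em0"
table <admin_hosts> persist { 192.0.2.10 }
table <bruteforce> persist

# Management hosts never hit the rate limit or the block table.
pass in quick on $ext_if proto tcp from <admin_hosts> to ($ext_if) port ssh \
    flags S/SA keep state

# Anything already in the table is dropped before the SSH pass rule.
block in quick on $ext_if from <bruteforce>

# At most 10 concurrent connections and 5 new connections per 30 seconds
# per source; exceeding that adds the source to <bruteforce> and flushes
# all of its existing states.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
EOF
}

# Offline demo: sh this_script.sh --demo
# Real use: failed_by_host < /var/log/auth.log, then feed hosts to resolve_host.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_by_host
    pf_bruteforce_rules
fi
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it, inspect the table with `pfctl -t bruteforce -T show`, and age entries out from cron with `pfctl -t bruteforce -T expire 86400` so a dynamic address that once scanned you is not blocked forever. Two caveats: the overload rule counts TCP connections, not failed logins, so a client that retries several passwords inside one session (up to sshd's MaxAuthTries) never trips it, and `flush global` tears down every state the offending source holds, including any legitimate ones.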