From owner-freebsd-questions@FreeBSD.ORG Mon Nov 28 01:09:37 2005
Date: Sun, 27 Nov 2005 17:09:25 -0800
From: James Long
To: freebsd-questions@freebsd.org
Cc: Lowell Gilbert
Subject: Re: How to have sshd log IP numbers instead of reverse lookups
Message-ID: <20051128010925.GA95412@ns.museum.rain.com>
In-Reply-To: <44y83bphn1.fsf@be-well.ilk.org>
References: <20051125035711.GA58357@ns.museum.rain.com> <44y83bphn1.fsf@be-well.ilk.org>

On Sat, Nov 26, 2005 at 10:12:50AM -0500, Lowell Gilbert wrote:
> James Long writes:
>
> > I was looking at /var/log/auth.log and saw an entry of the form:
> >
> > Nov 24 18:41:37 ns sshd[58083]: error: PAM: authentication error for username from example.com
> >
> > I wish to have an IP number logged where sshd has instead logged
> > 'example.com'
> >
> > Reading sshd's man page and sshd_config's man page, I don't find any
> > way to control this.
> >
> > Since 'example.com' could have multiple IP numbers, how can I change
> > sshd's configuration to log the IP number from whence the
> > authentication error originated?
>
> If I recall correctly, those messages should be associated with other
> messages about the host connecting, which would include the IP
> address.

My logs don't seem to support that. Here are consecutive lines from auth.log:

Nov 24 17:13:05 ns sshd[72333]: error: PAM: authentication error for user from localhost
Nov 24 17:13:06 ns last message repeated 2 times
Nov 24 17:13:41 ns sshd[72340]: error: PAM: authentication error for user from 10.75.200.249
Nov 24 17:13:45 ns last message repeated 2 times
Nov 24 18:41:37 ns sshd[58083]: error: PAM: authentication error for user from example.com
Nov 24 18:41:39 ns last message repeated 2 times
Nov 24 18:57:20 ns sshd[58148]: Accepted publickey for user from 10.75.200.249 port 52111 ssh2
Nov 24 18:58:12 ns sshd[58174]: Accepted publickey for user from 10.75.200.249 port 52612 ssh2
Nov 24 18:58:45 ns su: user to root on /dev/ttyp3

Here, "localhost" appears to come from my hosts file, as dig -x 127.0.0.1
returns a different result. example.com appears to come from reverse DNS,
as there is no reference to example.com in my hosts file. 10.75.200.249
is an IP which does not have a PTR record and is not in my hosts file.

Telnetting to the ssh port reveals this version string:

SSH-2.0-OpenSSH_4.2p1 FreeBSD-20050903
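The log excerpt above shows the practical problem for anyone reviewing auth.log: the "from" field of a PAM failure line is whatever the resolver handed sshd (an /etc/hosts alias, a PTR name, or the bare address when no PTR exists), and syslog's "last message repeated N times" lines hide the true attempt count. The parser below is an added example, not code from the thread or from FreeBSD/OpenSSH; it reads a constructed copy of the quoted lines, folds the repeat counts back onto the preceding event, and flags which sources are literal addresses versus names that would need a separate lookup before they can be matched against firewall or netflow data.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample, modelled on the auth.log excerpt quoted in the thread.
SAMPLE_LOG = """\
Nov 24 17:13:05 ns sshd[72333]: error: PAM: authentication error for user from localhost
Nov 24 17:13:06 ns last message repeated 2 times
Nov 24 17:13:41 ns sshd[72340]: error: PAM: authentication error for user from 10.75.200.249
Nov 24 17:13:45 ns last message repeated 2 times
Nov 24 18:41:37 ns sshd[58083]: error: PAM: authentication error for user from example.com
Nov 24 18:41:39 ns last message repeated 2 times
Nov 24 18:57:20 ns sshd[58148]: Accepted publickey for user from 10.75.200.249 port 52111 ssh2
"""

# Generic syslog prefix: timestamp, host, then the program-specific remainder.
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$')
# sshd PAM failure line as it appears in the thread (OpenSSH 4.2p1 on FreeBSD).
PAM_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: error: PAM: authentication error '
                    r'for (?P<user>\S+) from (?P<src>\S+)')
# Successful login line; this one always carries the address and port.
ACCEPT_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) '
                       r'for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)')
# syslog duplicate suppression: the count belongs to the previous message.
REPEAT_RE = re.compile(r'last message repeated (?P<n>\d+) times')


@dataclass
class Event:
    ts: str
    pid: int
    user: str
    src: str          # exactly what sshd logged: name or address
    kind: str         # 'fail' or 'accept'
    count: int = 1    # 1 plus any "repeated N times" that followed

    @property
    def src_is_ip(self) -> bool:
        """True when the 'from' field is an IPv4/IPv6 literal, not a resolved name."""
        try:
            ip_address(self.src)
            return True
        except ValueError:
            return False


def parse_auth_log(text: str) -> list:
    """Turn auth.log text into Event records, folding repeat lines into counts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        r = REPEAT_RE.search(rest)
        if r:
            if events:
                events[-1].count += int(r.group('n'))
            continue
        p = PAM_RE.search(rest)
        if p:
            events.append(Event(m.group('ts'), int(p.group('pid')),
                                p.group('user'), p.group('src'), 'fail'))
            continue
        a = ACCEPT_RE.search(rest)
        if a:
            events.append(Event(m.group('ts'), int(a.group('pid')),
                                a.group('user'), a.group('src'), 'accept'))
    return events


def summarize_failures(events: list) -> dict:
    """Per-source failure totals, noting which sources still need name resolution."""
    summary = {}
    for e in events:
        if e.kind != 'fail':
            continue
        s = summary.setdefault(e.src, {'attempts': 0, 'is_ip': e.src_is_ip, 'pids': []})
        s['attempts'] += e.count
        s['pids'].append(e.pid)
    return summary


def names_needing_lookup(summary: dict) -> list:
    """Sources logged as names; these cannot be correlated with address-based data as-is."""
    return sorted(src for src, s in summary.items() if not s['is_ip'])


if __name__ == '__main__':
    for src, s in summarize_failures(parse_auth_log(SAMPLE_LOG)).items():
        tag = 'address' if s['is_ip'] else 'NAME (resolver output, not an address)'
        print(f'{src:16} attempts={s["attempts"]} pids={s["pids"]} {tag}')
```

On the quoted excerpt this reports three attempts each from localhost, 10.75.200.249 and example.com, and lists localhost and example.com as names that a reviewer must still map back to addresses (via /etc/hosts or a forward lookup) before comparing them with anything else on the network.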