Date:      Sun, 27 Nov 2005 17:09:25 -0800
From:      James Long <list@museum.rain.com>
To:        freebsd-questions@freebsd.org
Cc:        Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
Subject:   Re: How to have sshd log IP numbers instead of reverse lookups
Message-ID:  <20051128010925.GA95412@ns.museum.rain.com>
In-Reply-To: <44y83bphn1.fsf@be-well.ilk.org>
References:  <20051125035711.GA58357@ns.museum.rain.com> <44y83bphn1.fsf@be-well.ilk.org>

On Sat, Nov 26, 2005 at 10:12:50AM -0500, Lowell Gilbert wrote:
> James Long <list@museum.rain.com> writes:
> 
> > I was looking at /var/log/auth.log and saw an entry of the form:
> > 
> > Nov 24 18:41:37 ns sshd[58083]: error: PAM: authentication error for username from example.com
> > 
> > I wish to have an IP number logged where sshd has instead logged
> > 'example.com'
> > 
> > Reading sshd's man page and sshd_config's man page, I don't find any
> > way to control this.
> > 
> > Since 'example.com' could have multiple IP numbers, how can I change 
> > sshd's configuration to log the IP number from whence the 
> > authentication error originated?
> 
> If I recall correctly, those messages should be associated with other
> messages about the host connecting, which would include the IP
> address. 

My logs don't seem to support that.  Here are consecutive lines from auth.log:

Nov 24 17:13:05 ns sshd[72333]: error: PAM: authentication error for user from localhost
Nov 24 17:13:06 ns last message repeated 2 times
Nov 24 17:13:41 ns sshd[72340]: error: PAM: authentication error for user from 10.75.200.249
Nov 24 17:13:45 ns last message repeated 2 times
Nov 24 18:41:37 ns sshd[58083]: error: PAM: authentication error for user from example.com
Nov 24 18:41:39 ns last message repeated 2 times
Nov 24 18:57:20 ns sshd[58148]: Accepted publickey for user from 10.75.200.249 port 52111 ssh2
Nov 24 18:58:12 ns sshd[58174]: Accepted publickey for user from 10.75.200.249 port 52612 ssh2
Nov 24 18:58:45 ns su: user to root on /dev/ttyp3

Here, "localhost" appears to come from my hosts file, as dig -x 127.0.0.1 
returns a different result.

example.com appears to come from reverse DNS, as there is no reference to
example.com in my hosts file.

10.75.200.249 is an IP which does not have a PTR record and is not in my
hosts file.

Telnetting to the ssh port reveals this version string:

SSH-2.0-OpenSSH_4.2p1 FreeBSD-20050903
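The log excerpt above shows the correlation problem the thread is about: the `from` field of an sshd failure is sometimes an IP literal and sometimes a name taken from the hosts file or from reverse DNS, and syslog's `last message repeated N times` lines hide the real failure count. The following is an added example, not part of the original message and not OpenSSH code: a small Python parser that folds the `repeated` lines into the preceding sshd event, classifies each `from` field as an address or a name, and lists the failures that cannot be tied to an address without a further lookup. The sample log embedded in it is constructed after the lines quoted in the message; the function, class and field names are my own.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on the auth.log lines quoted in the message.
SAMPLE_LOG = """\
Nov 24 17:13:05 ns sshd[72333]: error: PAM: authentication error for user from localhost
Nov 24 17:13:06 ns last message repeated 2 times
Nov 24 17:13:41 ns sshd[72340]: error: PAM: authentication error for user from 10.75.200.249
Nov 24 17:13:45 ns last message repeated 2 times
Nov 24 18:41:37 ns sshd[58083]: error: PAM: authentication error for user from example.com
Nov 24 18:41:39 ns last message repeated 2 times
Nov 24 18:57:20 ns sshd[58148]: Accepted publickey for user from 10.75.200.249 port 52111 ssh2
Nov 24 18:58:12 ns sshd[58174]: Accepted publickey for user from 10.75.200.249 port 52612 ssh2
Nov 24 18:58:45 ns su: user to root on /dev/ttyp3
"""

# BSD syslog prefix: "Mon DD HH:MM:SS host message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
PAM_FAIL_RE = re.compile(
    r"^sshd\[(?P<pid>\d+)\]: error: PAM: authentication error for (?P<user>\S+) from (?P<src>\S+)$"
)
ACCEPT_RE = re.compile(
    r"^sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


@dataclass
class Event:
    """One sshd authentication event, with the syslog repeat count folded in."""
    pid: int
    user: str
    source: str          # the literal 'from' field as sshd logged it
    outcome: str         # "fail" or "accepted"
    count: int = 1       # 1 + N from any directly following "repeated N times" line


def classify_source(src: str) -> str:
    """'ip' if the from-field is an IPv4/IPv6 literal, otherwise 'hostname'."""
    try:
        ipaddress.ip_address(src)
        return "ip"
    except ValueError:
        return "hostname"


def parse_auth_log(text: str) -> list[Event]:
    """Parse sshd lines from BSD-style auth.log text into Event records.

    A 'last message repeated N times' line is attributed to the event parsed
    from the immediately preceding line; any other intervening line (e.g. su)
    breaks that association, because syslog's repeat refers to the last
    message from any process, not specifically from sshd.
    """
    events: list[Event] = []
    last: Event | None = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            last = None
            continue
        msg = m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep:
            if last is not None:
                last.count += int(rep.group("n"))
            continue
        fail = PAM_FAIL_RE.match(msg)
        if fail:
            last = Event(int(fail["pid"]), fail["user"], fail["src"], "fail")
            events.append(last)
            continue
        acc = ACCEPT_RE.match(msg)
        if acc:
            last = Event(int(acc["pid"]), acc["user"], acc["src"], "accepted")
            events.append(last)
            continue
        last = None  # some other line; do not attach a later repeat to it
    return events


def failures_needing_resolution(events: list[Event]) -> list[Event]:
    """Failures whose source is a name, so the originating address is ambiguous."""
    return [e for e in events if e.outcome == "fail" and classify_source(e.source) == "hostname"]


def summarize(events: list[Event]) -> dict[tuple[str, str], int]:
    """Total attempts per (source, outcome), repeats included."""
    totals: dict[tuple[str, str], int] = {}
    for e in events:
        key = (e.source, e.outcome)
        totals[key] = totals.get(key, 0) + e.count
    return totals


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for (src, outcome), n in summarize(evs).items():
        print(f"{src:16} {classify_source(src):8} {outcome:9} {n}")
    print("unresolvable failures:", [e.source for e in failures_needing_resolution(evs)])
```

Run against the sample, the summary shows three failures each from `localhost`, `10.75.200.249` and `example.com`, and two accepted logins from `10.75.200.249`; only the first and third failure sources are flagged, since a name can map to several addresses. The cleaner fix on the server side is to stop sshd resolving the peer before it logs: in OpenSSH's `sshd_config`, `UseDNS no` makes sshd log the connecting address rather than a looked-up name, which removes the ambiguity the parser is flagging.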
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051128010925.GA95412>