Unknown users trying to log in? Where is it logged?

Chris Mohler cr33dog at gmail.com
Wed Dec 3 19:03:23 UTC 2008

On Thu, Dec 4, 2008 at 12:53 PM, Dotan Cohen <dotancohen at gmail.com> wrote:
> I found this in logwatch:
>  login:
>    Authentication Failures:
>       unknown (): 3 Time(s)
>    Invalid Users:
>       Unknown Account: 3 Time(s)
>    Sessions Opened:
>       hardy2 by LOGIN: 1 Time(s)
> Since I am behind a NAT firewall I find this interesting. I do have
> wireless enabled, could that have been an attack vector? Which log can
> I check to see which usernames/passwords the attackers used?

Redhat-based distros use /var/log/secure - Ubuntu seems to use

If I have a SSH server exposed to the net, I usually tell sshd to
listen on a different port (higher than 1024) - that will get rid of
99% of people "banging on the door".  Of course there are other things
you can do to harden sshd, but I've found that moving the port is a
good start.


More information about the ubuntu-users mailing list