Unknown users trying to log in? Where is it logged?
Chris Mohler
cr33dog at gmail.com
Wed Dec 3 19:03:23 UTC 2008
On Thu, Dec 4, 2008 at 12:53 PM, Dotan Cohen <dotancohen at gmail.com> wrote:
> I found this in logwatch:
>
> login:
> Authentication Failures:
> unknown (): 3 Time(s)
> Invalid Users:
> Unknown Account: 3 Time(s)
> Sessions Opened:
> hardy2 by LOGIN: 1 Time(s)
>
> Since I am behind a NAT firewall I find this interesting. I do have
> wireless enabled, could that have been an attack vector? Which log can
> I check to see which usernames/passwords the attackers used?
Redhat-based distros use /var/log/secure - Ubuntu seems to use
/var/log/auth.log.
If I have a SSH server exposed to the net, I usually tell sshd to
listen on a different port (higher than 1024) - that will get rid of
99% of people "banging on the door". Of course there are other things
you can do to harden sshd, but I've found that moving the port is a
good start.
Chris
More information about the ubuntu-users
mailing list