Unknown users trying to log in? Where is it logged?

Dotan Cohen dotancohen at gmail.com
Wed Dec 3 19:26:49 UTC 2008

2008/12/3 Chris Mohler <cr33dog at gmail.com>:
> On Thu, Dec 4, 2008 at 12:53 PM, Dotan Cohen <dotancohen at gmail.com> wrote:
>> I found this in logwatch:
>>  login:
>>    Authentication Failures:
>>       unknown (): 3 Time(s)
>>    Invalid Users:
>>       Unknown Account: 3 Time(s)
>>    Sessions Opened:
>>       hardy2 by LOGIN: 1 Time(s)
>> Since I am behind a NAT firewall I find this interesting. I do have
>> wireless enabled, could that have been an attack vector? Which log can
>> I check to see which usernames/passwords the attackers used?
> Redhat-based distros use /var/log/secure - Ubuntu seems to use
> /var/log/auth.log.
> If I have a SSH server exposed to the net, I usually tell sshd to
> listen on a different port (higher than 1024) - that will get rid of
> 99% of people "banging on the door".  Of course there are other things
> you can do to harden sshd, but I've found that moving the port is a
> good start.
> Chris

Thanks. I see it was just me, getting lost in TTY4 playing with zgv
and not being able to get myself back out :)

Dotan Cohen



More information about the ubuntu-users mailing list