Unknown users trying to log in? Where is it logged?

Dotan Cohen dotancohen at gmail.com
Wed Dec 3 19:26:49 UTC 2008


2008/12/3 Chris Mohler <cr33dog at gmail.com>:
> On Thu, Dec 4, 2008 at 12:53 PM, Dotan Cohen <dotancohen at gmail.com> wrote:
>> I found this in logwatch:
>>
>>  login:
>>    Authentication Failures:
>>       unknown (): 3 Time(s)
>>    Invalid Users:
>>       Unknown Account: 3 Time(s)
>>    Sessions Opened:
>>       hardy2 by LOGIN: 1 Time(s)
>>
>> Since I am behind a NAT firewall I find this interesting. I do have
>> wireless enabled, could that have been an attack vector? Which log can
>> I check to see which usernames/passwords the attackers used?
>
> Red Hat-based distros use /var/log/secure - Ubuntu seems to use
> /var/log/auth.log.
>
> If I have an SSH server exposed to the net, I usually tell sshd to
> listen on a different port (higher than 1024) - that will get rid of
> 99% of people "banging on the door".  Of course there are other things
> you can do to harden sshd, but I've found that moving the port is a
> good start.
>
> Chris
>

Thanks. I see it was just me, getting lost in TTY4 playing with zgv
and not being able to get myself back out :)

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
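
An added example, not part of the original thread: a small Python parser that separates console (`login`) failures from network (`sshd`) failures in /var/log/auth.log, using the `tty=` and `rhost=` fields that pam_unix records. The sample lines are constructed for illustration (host name taken from the logwatch report above; times, PIDs and the 203.0.113.7 address are invented), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog/pam_unix style found in
# /var/log/auth.log (assumption: stock pam_unix message format).
SAMPLE = """\
Dec  3 19:10:01 hardy2 login[4321]: pam_unix(login:auth): check pass; user unknown
Dec  3 19:10:01 hardy2 login[4321]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty4 ruser= rhost=
Dec  3 19:10:09 hardy2 login[4321]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty4 ruser= rhost=
Dec  3 19:10:15 hardy2 login[4321]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty4 ruser= rhost=
Dec  3 19:11:30 hardy2 sshd[5012]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Dec  3 19:12:00 hardy2 login[4321]: pam_unix(login:session): session opened for user hardy2 by LOGIN(uid=0)
""".splitlines()

# Matches only the auth-stage failure record, capturing the PAM service name
# and the trailing key=value fields.
PAM_FAIL = re.compile(
    r"pam_unix\((?P<service>[\w-]+):auth\): authentication failure;(?P<fields>.*)"
)


def classify_failures(lines):
    """Count pam_unix authentication failures by (service, origin)."""
    counts = Counter()
    for line in lines:
        m = PAM_FAIL.search(line)
        if not m:
            continue
        # Fields are space-separated key=value pairs; a value may be empty.
        fields = dict(
            f.split("=", 1) for f in m.group("fields").split() if "=" in f
        )
        rhost = fields.get("rhost", "")
        if rhost:
            origin = "remote:" + rhost  # attempt arrived over the network
        else:
            origin = "local:" + fields.get("tty", "?")  # console / virtual terminal
        counts[(m.group("service"), origin)] += 1
    return counts


def local_only(counts):
    """True when every recorded failure came from a local terminal."""
    return all(origin.startswith("local:") for _, origin in counts)


if __name__ == "__main__":
    for (service, origin), n in sorted(classify_failures(SAMPLE).items()):
        print(f"{service:6} {origin:22} {n} failure(s)")
```

A report whose failures all carry the `login` service and an empty `rhost=` points at someone typing at a local virtual terminal rather than at the wireless or NAT path.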


More information about the ubuntu-users mailing list