Friday, August 11, 2006

Fixing SSH Login Failure Security Reports on FreeBSD 6.1

I recently noticed on my FreeBSD 6.1 server that login failures from ssh weren't being reported in the daily security email like on my older box. Since my old box gets a few hundred ssh login crack attempts every night (good old zombie PC brute force hack attempts...) it's kind of something I like to keep track of. I discovered it was because "fail" no longer appears in the auth.log line on my FreeBSD 6.1 installation, and /etc/periodic/security/800.loginfail was only grepping for "fail" and nothing else. The lines look like this now:

    Aug 11 08:39:20 hostname sshd[48839]: error: PAM: authentication error for someuser from somewhere.some.net

So I simply modified the grep in 800.loginfail to read:

    n=$(catmsgs | grep -ia "^$yesterday.*\(fail\|authentication error\)" |
        tee /dev/stderr | wc -l)

I also submitted the patch to the FreeBSD bugs database under PR conf/91732 which is closely related.
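
The effect of the changed pattern, shown as an added example that is not part of the original post or of the FreeBSD script: the `catmsgs` function here is a stand-in that emits constructed log lines, `yesterday` is a fixed constructed date prefix, and `count_matches`, `stock_count` and `patched_count` are hypothetical helper names.

```sh
#!/bin/sh
# Compares the stock "fail" pattern with the patched pattern from the post,
# using constructed auth.log lines (hosts, users, PIDs and addresses are made up).

# Fixed stand-in for the date prefix the periodic script matches on.
yesterday="Aug 10 "

# Stand-in for the script's catmsgs helper: prints the log lines to scan.
catmsgs() {
    cat <<'EOF'
Aug 10 03:12:01 hostname sshd[48101]: Failed password for root from 192.0.2.10 port 4242 ssh2
Aug 10 08:39:20 hostname sshd[48839]: error: PAM: authentication error for someuser from somewhere.example.net
Aug 10 08:39:25 hostname sshd[48839]: error: PAM: authentication error for illegal user admin from somewhere.example.net
Aug 10 09:00:00 hostname sshd[48900]: Accepted publickey for someuser from 192.0.2.20 port 5151 ssh2
Aug 11 01:00:00 hostname sshd[49001]: error: PAM: authentication error for someuser from somewhere.example.net
EOF
}

# Count yesterday's lines whose remainder matches the pattern given in $1.
# Same grep flags as the post: -i ignores case, -a treats the log as text.
count_matches() {
    catmsgs | grep -ia "^$yesterday.*$1" | wc -l | tr -d ' '
}

# Stock pattern: only the constructed line containing "fail" is counted.
stock_count() { count_matches 'fail'; }

# Patched pattern: the PAM "authentication error" lines are counted too,
# while the successful login and the line dated today are still excluded.
patched_count() { count_matches '\(fail\|authentication error\)'; }

echo "stock pattern:   $(stock_count) line(s)"
echo "patched pattern: $(patched_count) line(s)"
```
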
