This is a discussion on logging invalid user within the Linux Security forums, part of the System Security and Security Related category.

herc sez:
> Hi,
>
> Does anyone know if it is possible to log invalid users access with
> ssh to syslog ?

Yes.

...I want in my syslog an AUTH.WARNING with the message
> [sshd]Invalid user from host = xxxxxx or something like that.

You mean your ssh doesn't?

Dima
--
I have not been able to think of any way of describing Perl to [person]
"Hello, blind man? This is color." -- DPM

Dimitri Maziuk <dima@127.0.0.1> wrote in message news:<slrnckjea2.8rd.dima@localhost.localdomain>...
> herc sez:
> > Hi,
> >
> > Does anyone know if it is possible to log invalid users access with
> > ssh to syslog ?
>
> Yes.
>
> ..I want in my syslog an AUTH.WARNING with the message
> > [sshd]Invalid user from host = xxxxxx or something like that.
>
> You mean your ssh doesn't?
>
> Dima

If I log in to my computer with ssh and I use an invalid passwd I get the following message to my syslog server

09-17-2004 12:32:30 Auth.Notice 172.16.13.12 PAM_unix[18715]: 1 more authentication failure; (uid=0) -> root for ssh service
09-17-2004 12:32:30 Auth.Notice 172.16.13.12 PAM_unix[18715]: 1 more authentication failure; (uid=0) -> root for ssh service
09-17-2004 12:32:25 Auth.Notice 172.16.13.12 PAM_unix[18715]: authentication failure; (uid=0) -> root for ssh service
09-17-2004 12:32:25 Auth.Notice 172.16.13.12 PAM_unix[18715]: authentication failure; (uid=0) -> root for ssh service

If I log in with an invalid user, nothing appears on the syslog server

herc sez:
> Dimitri Maziuk <dima@127.0.0.1> wrote in message news:<slrnckjea2.8rd.dima@localhost.localdomain>...
>> herc sez:
>> > Hi,
>> >
>> > Does anyone know if it is possible to log invalid users access with
>> > ssh to syslog ?
>>
>> Yes.
>>
>> ..I want in my syslog an AUTH.WARNING with the message
>> > [sshd]Invalid user from host = xxxxxx or something like that.
>>
>> You mean your ssh doesn't?
>>
>> Dima
>
> If I log in to my computer with ssh and I use an invalid passwd I get
> the following message to my syslog server
>
> 09-17-2004 12:32:30 Auth.Notice 172.16.13.12 PAM_unix[18715]: 1 more
> authentication failure; (uid=0) -> root for ssh service
> 09-17-2004 12:32:30 Auth.Notice 172.16.13.12 PAM_unix[18715]: 1 more
> authentication failure; (uid=0) -> root for ssh service
> 09-17-2004 12:32:25 Auth.Notice 172.16.13.12 PAM_unix[18715]:
> authentication failure; (uid=0) -> root for ssh service
> 09-17-2004 12:32:25 Auth.Notice 172.16.13.12 PAM_unix[18715]:
> authentication failure; (uid=0) -> root for ssh service
>
>
> If I log in with an invalid user, nothing appears on the syslog
> server

(syslog-ng format)

Sep 12 09:08:29 x.x.x.x/x.x.x.x sshd[16228]: input_userauth_request: illegal user yvonne
Sep 12 09:08:29 x.x.x.x/x.x.x.x sshd[16228]: Failed password for illegal user yvonne from 143.107.45.186 port 55656 ssh2
Sep 12 09:08:29 x.x.x.x/x.x.x.x sshd[16228]: Received disconnect from 143.107.45.186: 11: Bye Bye
-- from RH

Aug 31 14:20:48 x.x.x.x/x.x.x.x sshd[22309]: [ID 800047 auth.info] input_userauth_request: illegal user test
Aug 31 14:20:48 x.x.x.x/x.x.x.x sshd[22309]: [ID 800047 auth.info] Failed password for NOUSER from 140.130.177.203 port 4422 ssh2
Aug 31 14:20:48 x.x.x.x/x.x.x.x sshd[22309]: [ID 800047 auth.info] Received disconnect: 11: Bye Bye
-- from Solaris 9

Check your sshd_conf for log level & facility, check what your loghost does with messages of that facility/level.

Dima
--
I like the US government, makes the Aussie one look less dumb and THAT is a pretty big effort. -- Craig Small
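
The check suggested in the last reply, written out as an added example that is not part of the original thread: it reads sshd's SyslogFacility and LogLevel, then tests each syslog.conf selector against the auth.info priority seen in the Solaris sample above. It assumes classic syslog.conf selector syntax (no syslog-ng or rsyslog extensions) and that sshd logs the illegal/invalid-user line at info; the function names and the sample configs are constructed for illustration.

```python
# Added example: does sshd's "illegal/invalid user" line reach a syslog.conf action?
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

def sshd_logging(config_text):
    """Return (facility, LogLevel); OpenSSH defaults are AUTH and INFO."""
    found = {}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            # sshd uses the first value it sees for each keyword
            found.setdefault(parts[0].lower(), parts[1].strip())
    return (found.get("syslogfacility", "AUTH").lower(),
            found.get("loglevel", "INFO").upper())

def selector_matches(selector, facility, level):
    """Classic syslog.conf: 'fac.lvl' selects lvl and anything more severe;
    for the same facility a later ';' part overrides an earlier one."""
    matched = False
    for part in selector.split(";"):
        facs, _, lvl = part.strip().partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        lvl = ALIASES.get(lvl, lvl)
        matched = lvl == "*" or (lvl in LEVELS and
                                 LEVELS.index(level) <= LEVELS.index(lvl))
    return matched

def invalid_user_destinations(sshd_config, syslog_conf):
    """Actions in syslog_conf that receive sshd's info-level invalid-user line."""
    facility, loglevel = sshd_logging(sshd_config)
    if loglevel in ("QUIET", "FATAL", "ERROR"):
        return []  # below INFO, sshd never emits the message at all
    actions = []
    for line in syslog_conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            if selector_matches(parts[0], facility, "info"):
                actions.append(parts[1])
    return actions

# Constructed sample configs (not taken from the thread)
SSHD_CONFIG = "SyslogFacility AUTH\nLogLevel INFO\n"
NOTICE_ONLY = "auth.notice\t@loghost\n"
INFO_AND_UP = "auth.info\t@loghost\n*.err;auth.none\t/var/log/errors\n"

if __name__ == "__main__":
    print(invalid_user_destinations(SSHD_CONFIG, NOTICE_ONLY))  # nothing forwarded
    print(invalid_user_destinations(SSHD_CONFIG, INFO_AND_UP))
```

A forwarding rule at auth.notice passes notice-level lines such as the PAM_unix ones while dropping anything sshd logs at auth.info, so both the sshd side and the syslog side have to be checked.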