Mailinglist Archive: opensuse (3996 mails)
Re: [SLE] Where are logins recorded?
- From: Anders Johansson <andjoh@xxxxxxxxxx>
- Date: Sun, 5 Sep 2004 11:19:44 +0200
- Message-id: <200409051119.44740.andjoh@xxxxxxxxxx>
On Sunday 05 September 2004 11:10, Andrew Brown wrote:
> I had an unexpected (and unexplained) crash in the early hours of this
> morning, and when I restarted the machine, began to look through
> /var/log/messages to see if there were any clues. There weren't: it
> just went from routine messages to rebooting ones without anything in
> between. But, scrolling back, I discovered connections to sshd (the
> only service on the machine that's open to the internet) from South
> Korea, Russia, China, Germany ... So far as I know, none of these
> people succeeded in logging on. But I thought there ought to be some
> file which recorded attempts to log on, and I can't find it. What
> should it be, and do I need to turn it on?
Unsuccessful login attempts through sshd are recorded in /var/log/messages;
try it and see. Successful logins are also recorded there, as well as in utmp
and wtmp.
Note that most cracks rely on crashing the daemon somehow, or overwriting
parts of it with code that opens shells, or some other such trick, and that
usually won't be logged anywhere.
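
An added example, not part of the original post: a small parser that pulls the sshd authentication records described above out of /var/log/messages, counts failures per source address, and flags any successful login from an address that failed earlier. It assumes OpenSSH's usual "Failed/Accepted <method> for <user> from <ip> port <n>" wording; the sample lines, hostname, users and addresses are constructed.

```python
import re
import sys
from collections import Counter

# Constructed sample in the syslog layout sshd uses; addresses are from the
# RFC 5737 documentation ranges, hostname and users are made up.
SAMPLE_LOG = """\
Sep  5 02:11:03 linux sshd[4121]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  5 02:11:06 linux sshd[4123]: Failed password for illegal user test from 203.0.113.7 port 40130 ssh2
Sep  5 02:11:09 linux sshd[4125]: Failed password for invalid user guest from 198.51.100.23 port 51822 ssh2
Sep  5 02:14:40 linux kernel: eth0: link up
Sep  5 09:02:17 linux sshd[5310]: Accepted password for andrew from 192.0.2.10 port 33011 ssh2
Sep  5 09:30:00 linux sshd[5402]: Failed password for andrew from 198.51.100.23 port 51900 ssh2
Sep  5 09:30:05 linux sshd[5402]: Accepted publickey for andrew from 198.51.100.23 port 51900 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user";
# both prefixes are skipped so the captured user is the name that was tried.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(lines):
    """Return (failures per IP, accepted logins, accepted logins after failures)."""
    failed = Counter()
    accepted = []
    after_failures = []
    for line in lines:
        m = SSHD_AUTH.search(line)
        if not m:
            continue  # not an sshd authentication record
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
            continue
        accepted.append((m["user"], m["ip"], m["method"]))
        if failed[m["ip"]]:
            # A success from an address that failed earlier deserves a look.
            after_failures.append((m["user"], m["ip"]))
    return failed, accepted, after_failures

if __name__ == "__main__":
    # Pass a log path as the first argument, or run on the constructed sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    failed, accepted, after_failures = summarize(source)
    for ip, count in failed.most_common():
        print(f"{count:5d} failed  {ip}")
    for user, ip, method in accepted:
        print(f"accepted {user} from {ip} via {method}")
    for user, ip in after_failures:
        print(f"CHECK: {user} logged in from {ip} after failed attempts")
```

Successful logins can be cross-checked against wtmp with `last`. As the reply notes, this covers authentication records only; a compromise that never goes through a login will not show up here.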