On Sunday 05 September 2004 11:10, Andrew Brown wrote:
I had an unexpected (and unexplained) crash in the early hours of this morning, and when I restarted the machine, began to look through /var/log/messages to see if there were any clues. There weren't: it just went from routine messages to rebooting ones without anything in between. But, scrolling back, I discovered connections to sshd (the only service on the machine that's open to the internet) from South Korea, Russia, China, Germany ... So far as I know, none of these people succeeded in logging on. But I thought there ought to be some file which recorded attempts to log on, and I can't find it. What should it be, and do I need to turn it on?
Unsuccessful login attempts through sshd are recorded in /var/log/messages; try it and see. Successful logins are also recorded there, as well as in utmp and wtmp. Note that most cracks rely on crashing the daemon somehow, or overwriting parts of it with code that open shells, or some other such trick, and that usually won't be logged anywhere.
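An added example, not part of the original thread: a small Python script that pulls the sshd authentication entries the reply mentions out of a syslog file and counts failed attempts per source address. The message wording in the regex is the usual OpenSSH "Failed/Accepted ... for USER from ADDR port N" form and is an assumption, as are the constructed sample lines and the helper names.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in syslog + OpenSSH style (not taken from the thread).
SAMPLE_LOG = """\
Sep  5 03:12:01 host sshd[2301]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  5 03:12:04 host sshd[2303]: Failed password for illegal user test from 203.0.113.7 port 40115 ssh2
Sep  5 03:12:09 host sshd[2305]: Failed password for invalid user guest from 198.51.100.23 port 51822 ssh2
Sep  5 03:15:40 host kernel: eth0: link up
Sep  5 09:02:17 host sshd[2410]: Accepted password for andrew from 192.0.2.10 port 33001 ssh2
Sep  5 09:30:00 host sshd[2451]: Failed password for andrew from 192.0.2.10 port 33050 ssh2
"""

# Assumed wording; older releases say "illegal user", newer ones "invalid user".
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def summarize(lines):
    """Return (failures per source address, list of (user, source) successes)."""
    failed, accepted = Counter(), []
    for line in lines:
        m = SSHD_AUTH.search(line)
        if not m:
            continue  # not an sshd authentication result line
        if m["result"] == "Failed":
            failed[m["src"]] += 1
        else:
            accepted.append((m["user"], m["src"]))
    return failed, accepted

def noisy_sources(failed, threshold=2):
    """Sources with at least `threshold` failed attempts, busiest first."""
    return [(src, n) for src, n in failed.most_common() if n >= threshold]

if __name__ == "__main__":
    # Pass a log path such as /var/log/messages, or no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    failed, accepted = summarize(lines)
    for src, n in noisy_sources(failed):
        print(f"{n:5d} failed attempts from {src}")
    for user, src in accepted:
        print(f"accepted login: {user} from {src}")
```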