How can I record all login attempts?

Support for security such as Firewalls and securing linux
BlackMage
Posts: 7
Joined: 2019/10/29 18:49:35

How can I record all login attempts?

Post by BlackMage » 2019/10/29 18:54:57

How can I record all login attempts from sshd with pamd with password? logsshp and logsshpwd will only record the passwords if an existing username has been entered.

Code:

# cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)
Last edited by BlackMage on 2019/10/30 11:04:24, edited 1 time in total.
my server OS: CentOS 7.9.2009 (Core)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How can I record all attempted login attempts?

Post by TrevorH » 2019/10/29 19:05:11

No idea about the answer to your question but you are 3 whole years behind in updates on that box. Many of those are security related and need patching ASAP. The current CentOS 7 version is 7.7.1908 and you are on 7.3.1611 - i.e. from November 2016. You need to yum update to get current. There are numerous high severity vulnerabilities in your version that have subsequently been patched. Some of those vulnerabilities are even remotely exploitable.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

BlackMage
Posts: 7
Joined: 2019/10/29 18:49:35

Re: How can I record all attempted login attempts?

Post by BlackMage » 2019/10/29 19:21:17

OK, now I am on

Code:

 # cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)

drk
Posts: 405
Joined: 2014/01/30 20:38:28

Re: How can I record all attempted login attempts?

Post by drk » 2019/10/30 05:08:42

How about

Code:

# last -f /var/log/btmp
That shows all bad logins via ssh on CentOS 6, 7, 8 on systems I've looked at.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How can I record all attempted login attempts?

Post by TrevorH » 2019/10/30 09:33:36

And I am not sure I understand your original post but if you are trying to actually capture the passwords as they are entered, well, just don't. It's a stupid idea and one that will come back to bite you in the rear end.

BlackMage
Posts: 7
Joined: 2019/10/29 18:49:35

Re: How can I record all attempted login attempts?

Post by BlackMage » 2019/10/30 09:58:12

I want to record all the wrong passwords that were tried, to create a list of them for myself. And from which IP the login came, to ban them. But the password logging only works when an existing user name is entered. And /var/log/btmp shows only the IP and the username.

And why is it a stupid idea and one that will come back to bite me in the rear end?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How can I record all login attempts?

Post by TrevorH » 2019/10/30 11:18:29

So you're going to record all wrong password attempts. When you get your password wrong by one character due to a typo, now that password is available to anyone who can read your logs. And it's wrong by one character so whoever gets that now has a really good starting place in order to get the right one...

Errosion
Posts: 43
Joined: 2014/12/03 19:58:02

Re: How can I record all login attempts?

Post by Errosion » 2019/10/30 19:39:15

As a general point of security, recording clear passwords is not a good idea, as others have stated.

I would need to double check but I do believe that via syslog, logging auth.* and authpriv.* (or maybe just one of those) to /var/log/secure (if it's not getting done already) will show failed login attempts, the username and the source IP they are coming from.

If you are trying to block bad people from attempting to log in, that should be all you need since you'd be blocking either the source IP address of where they are logging in from or the specific user accounts they are attempting to use.

Perhaps the question that has yet to be answered... What does having their passwords do for you?

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: How can I record all login attempts?

Post by lightman47 » 2019/11/03 13:00:31

... and to see the failed logins (without passwords), see /var/log/secure.
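
Added example (not part of any post in this thread): the two replies above point to /var/log/secure for failed logins with username and source IP, which is enough for banning without ever logging a password. The sketch below tallies sshd "Failed password" lines per source IP; the sample lines are constructed, and the function names and the threshold of 3 are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_LOG = """\
Oct 30 09:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 30 09:12:04 web1 sshd[2213]: Invalid user admin from 203.0.113.5 port 51240
Oct 30 09:12:05 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 30 09:12:09 web1 sshd[2217]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.5 port 51302 ssh2
Oct 30 09:13:40 web1 sshd[2290]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Oct 30 09:14:02 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 40031 ssh2
Oct 30 09:14:10 web1 su: pam_unix(su:auth): authentication failure; logname=bob uid=1000
"""

# The user name is client-supplied text, so it may itself contain " from ...".
# The greedy (.*) plus the end-of-line anchor binds the IP to the trailing
# "from <ip> port <n> ssh2" that sshd appends, not to anything in the name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$"
)

def failed_logins(log_text):
    """Map source IP -> {"count": failures, "users": set of names tried}."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        # Only "Failed password" lines are counted; the separate
        # "Invalid user" line belongs to the same attempt.
        m = FAILED.search(line.rstrip())
        if m:
            entry = stats[m.group("ip")]
            entry["count"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)

def offenders(log_text, threshold=3):
    """Sorted IPs with at least `threshold` failed password attempts."""
    return sorted(ip for ip, e in failed_logins(log_text).items()
                  if e["count"] >= threshold)

if __name__ == "__main__":
    for ip, e in sorted(failed_logins(SAMPLE_LOG).items()):
        print(ip, e["count"], sorted(e["users"]))
    print("ban candidates:", offenders(SAMPLE_LOG))
```

To run it against a real log, pass the contents of /var/log/secure (read as root) to `failed_logins` instead of `SAMPLE_LOG`.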

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

Re: How can I record all login attempts?

Post by jscarville » 2019/11/03 13:42:12

I did know it was even possible to record the passwords entered in an ssh session. I suppose I could add code to the server and to openssl to do that but I am not even sure of that. Frankly, I've never even considered it. Seems to me adding such a thing seriously undermines the integrity of openssh and openssl. Or am I misunderstanding what is actually being requested?

Anyways, I log my ssh transactions to a separate log file. Insert these rules in /etc/rsyslogd.conf

Code:

if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~
Be sure to add /var/log/sshd.log to the list of files to be rotated by logrotate -- I put it in /etc/logrotate.d/syslog.
