How can I see a list of failed SSH logins?

Question

taalvoel Author

Level 1

9 points

How can I see a list of failed SSH logins?

Is there a bash script I can write to be updated when a failed SSH login takes place and alert me via GeekTook?

I'm using Mountain Lion.

Thank you.

Posted on Dec 8, 2012 4:56 PM

Reply

Answer 1

Best reply

BobHarris

Level 9

53,063 points

Dec 28, 2012 8:09 AM in response to taalvoel

Look at /var/log/secure.log

The sshd entries will tell you about ssh connection attempts, both successful as well as failures.

Reply

Answer 2

taalvoel Author

Level 1

9 points

Dec 28, 2012 1:10 PM in response to BobHarris

Thanks!

Reply

Answer 3

taalvoel Author

Level 1

9 points

Jan 3, 2013 5:03 PM in response to BobHarris

Actually, I looked for that log and cannot find it.

Where would it be?

Reply

Answer 4

BobHarris

Level 9

53,063 points

Jan 3, 2013 5:18 PM in response to taalvoel

From an Applications -> Utilities -> Terminal session

cd /var/log

cat secure.log

If you are not Unix command line aware, then Applications -> Utilities -> Console -> /var/log -> secure.log

Reply

Answer 5

taalvoel Author

Level 1

9 points

Jan 3, 2013 8:22 PM in response to BobHarris

"cat: secure.log: No such file or directory"

Reply

Answer 6

taalvoel Author

Level 1

9 points

Jan 3, 2013 9:03 PM in response to BobHarris

Why would the file not be there?

Any ideas?

Reply

Answer 7

BobHarris

Level 9

53,063 points

Jan 4, 2013 3:58 AM in response to taalvoel

ls -laeO@ /private

ls -laeO@ /private/var

ls -laeO@ /private/var/log

ls -laeO@ /private/var/log/secure.log

Either the secure.log file is there, or something is missing along the way.

Also did you try the console app?

Reply

Answer 8

softwater

Level 5

5,556 points

Jan 4, 2013 4:13 AM in response to taalvoel

There would be no such file if there had been no valid ssh attempts.

Reply

Answer 9

taalvoel Author

Level 1

9 points

Jan 4, 2013 10:52 AM in response to softwater

The log isn't in the Console.

Would the log be in the Terminal if there were invalid ssh attempts?

Reply

Answer 10

BobHarris

Level 9

53,063 points

Jan 4, 2013 11:01 AM in response to taalvoel

OK. In Mountain Lion, they moved the secure.log entries into system.log

My mistake.

/var/log/system.log

contains the sshd messages in Mountain Lion. Lion, Snow Leopard, Leopard, Tiger, ... use /var/log/secure.log

Reply

Answer 11

taalvoel Author

Level 1

9 points

Jan 4, 2013 11:12 AM in response to taalvoel

Okay,

I found the log.

Can someone help me decipher what this means in the log:

Received disconnect from 124.224.178.154: 11: Bye Bye [preauth]

Jan 4 06:00:03 Quad-Core-Sandy-Bridge-iMac.local sshd[4902]: Received disconnect from 124.224.178.154: 11: Bye Bye [preauth]

Jan 4 06:00:07 Quad-Core-Sandy-Bridge-iMac.local sshd[4905]: Invalid user oracle from 124.224.178.154

Jan 4 06:00:07 Quad-Core-Sandy-Bridge-iMac.local sshd[4905]: input_userauth_request: invalid user oracle [preauth]

Jan 4 06:00:07 Quad-Core-Sandy-Bridge-iMac.local sshd[4905]: Received disconnect from 124.224.178.154: 11: Bye Bye [preauth]

Jan 4 06:00:11 Quad-Core-Sandy-Bridge-iMac.local sshd[4907]: Invalid user test from 124.224.178.154

Jan 4 06:00:11 Quad-Core-Sandy-Bridge-iMac.local sshd[4907]: input_userauth_request: invalid user test [preauth]

What's user oracle and Bye Bye mean?

Within hours of turning this on, I am getting attempts?

Also, how do I open the Drop Box in OS X and allow anyone to post things in it?

Thanks!

Reply

Answer 12

BobHarris

Level 9

53,063 points

Jan 4, 2013 11:25 AM in response to taalvoel

I'm just putting 2+2 together to give guesses

'oracle' is the username the connection request was trying. The same with user 'test'

I do not have 'Bye Bye' entries, so maybe that is another username as it is followed by [preauth] which follows the 'oracle' and 'test' usernames. Or maybe it is something sshd is issuing. But again, I do not have any 'Bye Bye' entries in my logs.

Within hours of turning this on, I am getting attempts?

Is your Mac on a public network? Then you are getting random phishing attempts to connect to any IP address that can be found. I'm surprised you do not have any 'root' probes. 'oracle' I can undestand, as that it the user name to an Oracle Database, so getting access to a corporate Oracle Database could provide lots of information.

Drop Box is a new question. Please post a new thread about that, so you do not muddy up this discussion.

Reply

Answer 13

taalvoel Author

Level 1

9 points

Jan 4, 2013 2:37 PM in response to BobHarris

What do you mean is my Mac on a public network?

It's connected to my cable modem and the entire internet can see it.

Is this bad though, if they don't know my password?

Also, what would happen if I went into Sharing, and under Remote login, clicked Allow all users, or create a guest account with a guest password?

Would that let someone have access to a guest account remotely?

Reply

Answer 14

BobHarris

Level 9

53,063 points

Jan 4, 2013 2:49 PM in response to taalvoel

If you are directly connected to the internet (no home router between you and the ISP's broandband modem), then yes the world can see you.

Any no-password required access is open to the world. Now the world needs to guess your IP address has accessible accounts, but there are systems out there constantly probing IP addresses trying Well Known ports and Accounts attempting to find a "Live One". Not just ssh. File sharing, Screen Sharing, Web servers, FTP servers, etc...

If they think they have found a "Live One", they may come back and keep trying different passwords hoping to guess the password for an account. <https://www.grc.com/haystack.htm>

Reply

Answer 15

taalvoel Author

Level 1

9 points

Jan 4, 2013 2:52 PM in response to BobHarris

I thought it was safe to enable virtually all of OS X's sharing boxes without any repercussions of being hacked, as long as you had strong passwords?

Reply