How can I see a list of failed SSH logins?
How can I see a list of failed SSH logins?
Is there a bash script I can write to be updated when a failed SSH login takes place and alert me via GeekTool?
I'm using Mountain Lion.
Thank you.
Look at /var/log/secure.log
The sshd entries will tell you about ssh connection attempts, both successful as well as failures.
Thanks!
Actually, I looked for that log and cannot find it.
Where would it be?
From an Applications -> Utilities -> Terminal session
cd /var/log
cat secure.log
If you are not Unix command line aware, then Applications -> Utilities -> Console -> /var/log -> secure.log
"cat: secure.log: No such file or directory"
Why would the file not be there?
Any ideas?
ls -laeO@ /private
ls -laeO@ /private/var
ls -laeO@ /private/var/log
ls -laeO@ /private/var/log/secure.log
Either the secure.log file is there, or something is missing along the way.
Also did you try the console app?
There would be no such file if there had been no valid ssh attempts.
The log isn't in the Console.
Would the log be in the Terminal if there were invalid ssh attempts?
OK. In Mountain Lion, they moved the secure.log entries into system.log
My mistake.
/var/log/system.log
contains the sshd messages in Mountain Lion. Lion, Snow Leopard, Leopard, Tiger, ... use /var/log/secure.log
Okay,
I found the log.
Can someone help me decipher what this means in the log:
Received disconnect from 124.224.178.154: 11: Bye Bye [preauth]
Jan 4 06:00:03 Quad-Core-Sandy-Bridge-iMac.local sshd[4902]: Received disconnect from 124.224.178.154: 11: Bye Bye [preauth]
Jan 4 06:00:07 Quad-Core-Sandy-Bridge-iMac.local sshd[4905]: Invalid user oracle from 124.224.178.154
Jan 4 06:00:07 Quad-Core-Sandy-Bridge-iMac.local sshd[4905]: input_userauth_request: invalid user oracle [preauth]
Jan 4 06:00:07 Quad-Core-Sandy-Bridge-iMac.local sshd[4905]: Received disconnect from 124.224.178.154: 11: Bye Bye [preauth]
Jan 4 06:00:11 Quad-Core-Sandy-Bridge-iMac.local sshd[4907]: Invalid user test from 124.224.178.154
Jan 4 06:00:11 Quad-Core-Sandy-Bridge-iMac.local sshd[4907]: input_userauth_request: invalid user test [preauth]
What's user oracle and Bye Bye mean?
Within hours of turning this on, I am getting attempts?
Also, how do I open the Drop Box in OS X and allow anyone to post things in it?
Thanks!
I'm just putting 2+2 together to give guesses
'oracle' is the username the connection request was trying. The same with user 'test'
I do not have 'Bye Bye' entries, so maybe that is another username as it is followed by [preauth] which follows the 'oracle' and 'test' usernames. Or maybe it is something sshd is issuing. But again, I do not have any 'Bye Bye' entries in my logs.
Within hours of turning this on, I am getting attempts?
Is your Mac on a public network? Then you are getting random phishing attempts to connect to any IP address that can be found. I'm surprised you do not have any 'root' probes. 'oracle' I can understand, as that is the user name to an Oracle Database, so getting access to a corporate Oracle Database could provide lots of information.
Drop Box is a new question. Please post a new thread about that, so you do not muddy up this discussion.
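An added example, not part of any post in this thread: a shell script that counts failed SSH login attempts per source address from sshd lines in the format quoted above. The sample log, host name and addresses are constructed. It goes slightly beyond the quoted lines by also counting "Failed password for" entries, which is stock OpenSSH wording and an assumption about what this Mac logs.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises failed SSH logins from sshd
# syslog lines like the ones quoted above.

# Constructed sample log (documentation IP ranges, made-up host and PIDs).
sample_log() {
cat <<'EOF'
Jan  4 06:00:03 host.local sshd[4902]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Jan  4 06:00:07 host.local sshd[4905]: Invalid user oracle from 203.0.113.7
Jan  4 06:00:07 host.local sshd[4905]: input_userauth_request: invalid user oracle [preauth]
Jan  4 06:00:11 host.local sshd[4907]: Invalid user test from 203.0.113.7
Jan  4 06:00:15 host.local sshd[4909]: Failed password for invalid user test from 203.0.113.7 port 40112 ssh2
Jan  4 06:01:02 host.local sshd[4911]: Failed password for admin from 198.51.100.23 port 51514 ssh2
Jan  4 06:01:09 host.local sshd[4913]: Invalid user a from b from 203.0.113.7
Jan  4 06:02:00 host.local sshd[4915]: Accepted password for admin from 192.0.2.10 port 50222 ssh2
EOF
}

# failed_ssh_attempts FILE|- : print "ip<TAB>user" for each failed attempt.
failed_ssh_attempts() {
    awk '
    match($0, / sshd\[[0-9]+\]: /) {
        msg = substr($0, RSTART + RLENGTH)      # text after the first sshd tag
        if (msg ~ /^Invalid user /)
            msg = substr(msg, 14)               # unknown account name
        else if (msg ~ /^Failed password for / && msg !~ /^Failed password for invalid user /)
            msg = substr(msg, 21)               # valid account, wrong password
        else
            next                                # not a failed login
        # The user name is chosen by the remote side and may itself contain
        # " from ", so split on the LAST occurrence.
        pos = 0
        while ((i = index(substr(msg, pos + 1), " from ")) > 0) pos += i
        if (pos == 0) next
        split(substr(msg, pos + 6), tail, " ")
        print tail[1] "\t" substr(msg, 1, pos - 1)
    }' "$1"
}

# failed_ssh_by_ip FILE|- : "count ip" lines, busiest source first.
failed_ssh_by_ip() {
    failed_ssh_attempts "$1" | cut -f1 | sort | uniq -c |
        sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# With a log file argument (e.g. /var/log/system.log) report on it; with no
# argument, run on the constructed sample.
if [ $# -gt 0 ]; then failed_ssh_by_ip "$1"; else sample_log | failed_ssh_by_ip -; fi
```

"Failed password for invalid user" lines are skipped on purpose, because the same attempt is already counted by its "Invalid user" line. The output is plain text, so a tool that displays command output, such as GeekTool, can show it.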
What do you mean is my Mac on a public network?
It's connected to my cable modem and the entire internet can see it.
Is this bad though, if they don't know my password?
Also, what would happen if I went into Sharing, and under Remote login, clicked Allow all users, or create a guest account with a guest password?
Would that let someone have access to a guest account remotely?
If you are directly connected to the internet (no home router between you and the ISP's broadband modem), then yes the world can see you.
Any no-password required access is open to the world. Now the world needs to guess your IP address has accessible accounts, but there are systems out there constantly probing IP addresses trying Well Known ports and Accounts attempting to find a "Live One". Not just ssh. File sharing, Screen Sharing, Web servers, FTP servers, etc...
If they think they have found a "Live One", they may come back and keep trying different passwords hoping to guess the password for an account. <https://www.grc.com/haystack.htm>
I thought it was safe to enable virtually all of OS X's sharing boxes without any repercussions of being hacked, as long as you had strong passwords?