lixuewei / rt-n56u

Automatically exported from code.google.com/p/rt-n56u

Log ssh login attempts? #1134

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,
  I am just wondering if there is a log somewhere that logs my ssh logins? If not, how can I implement one? I have searched all over the place, but I cannot find anything.

Thanks!
-Troy

Original issue reported on code.google.com by tmbou...@mtu.edu on 23 Jan 2014 at 4:31

GoogleCodeExporter commented 9 years ago
After doing more looking, I see that in my system logs it does show ssh logins:

Jan 23 00:25:24 dropbear[3964]: Password auth succeeded for 'username' from IP
Jan 23 00:25:46 dropbear[3964]: Exit (username): Exited normally

Basically, I have my SFTP exposed because I don't want to use FTP. So in my 
firewall I have just my SSH Server exposed to WAN (not web access). I have been 
reading how a lot of people try to hack SSH and I just want to be monitoring 
mine. So I have two questions:

1) Is there a way to email me when an ssh login happens?
2) Is it just my admin login/password that works for ssh? Where can I see 
which logins work with the SSH Server?

I have Optware installed

Thank you!
-Troy

Original comment by tmbou...@mtu.edu on 23 Jan 2014 at 5:32

GoogleCodeExporter commented 9 years ago
You can use only admin login/password for ssh. It's configured at page 
http://my.router/Advanced_System_Content.asp
You can't send notifications with basic functions. But you can parse the system 
log and use your scripts for this.

Original comment by Dr.Sydorenko.O on 24 Jan 2014 at 3:09

GoogleCodeExporter commented 9 years ago
Hi Dr. Sydorenko,
  I do have an Ubuntu server running in my LAN. What's the best way to set that up as a remote system log and then send email notifications from there? Also, where in the router file directory is the system log located?

Thank you!
-Troy

Original comment by tmbou...@mtu.edu on 24 Jan 2014 at 4:44

GoogleCodeExporter commented 9 years ago
I found the syslog.log file. It is in /tmp/syslog.log, but I can't get it to 
send to my Ubuntu server. I installed syslog-ng like this post said:
https://code.google.com/p/rt-n56u/issues/detail?id=7

I kept getting errors so I did not do this:
echo 'include "remote.conf";' >>/etc/syslog-ng/syslog-ng.conf

I just copied the below in syslog-ng.conf:
source s_rem { tcp(ip("0.0.0.0") port(514)); };
destination d_rem {file(
  "/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log"  perm(0600)  template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $HOST $PRIORITY: $MESSAGE\n") );};
destination d_raw {file(
  "/var/log/remote/.raw/$YEAR-$MONTH-$DAY.log" perm(0600) template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $HOST $PRIORITY: $MESSAGE\n"));};

log {source(s_rem);  destination(d_rem);};
log {source(s_rem);  destination(d_raw);};

syslog-ng rules (I can view my syslog file and it works), but nothing in 
/var/log/remote/... I allowed UDP and TCP ports 514 in my UFW

Any idea why the syslog file is not going to my server? Thank you
-Troy

p.s. I hope to use logwatch (follow this guide) to email notifications once I 
can see the logfiles:
http://askubuntu.com/questions/235868/how-can-i-monitor-syslog-and-send-notification-based-on-events

Original comment by tmbou...@mtu.edu on 25 Jan 2014 at 4:45

GoogleCodeExporter commented 9 years ago
Would I be able to add something to the iptables to stop brute force attacks? 
Like this:
http://www.rackaid.com/blog/how-to-block-ssh-brute-force-attacks/

Original comment by tmbou...@mtu.edu on 25 Jan 2014 at 5:39
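Dr. Sydorenko's suggestion above (parse the system log and use your own scripts for notifications) and the question about using iptables against brute-force attempts can be served by one small script. The following is an added example, not code from this thread or from the rt-n56u firmware: it reads dropbear lines in the format quoted earlier, reports successful logins (the lines an e-mail alert would carry), counts failures per source address and prints the iptables rules that would block the worst offenders. The sample log lines are constructed, the two dropbear failure messages are assumed from dropbear's own log strings rather than taken from this page, and port 22 in the generated rule is an assumption.

```shell
#!/bin/sh
# Added example (not part of rt-n56u): pull dropbear authentication events out
# of the router's /tmp/syslog.log, count failures per source address and emit
# iptables rules for the worst offenders. Needs only sh, awk and sort, so it
# runs on the router itself or on a server that receives the forwarded log.

# Constructed sample in the format quoted in the thread. The two failure
# messages ("Bad password attempt ...", "Login attempt for nonexistent user ...")
# are assumed from dropbear's log strings; check them against your own log.
sample_log() {
cat <<'EOF'
Jan 23 00:25:24 dropbear[3964]: Password auth succeeded for 'admin' from 192.0.2.10:51234
Jan 23 00:25:46 dropbear[3964]: Exit (admin): Exited normally
Jan 23 01:02:01 dropbear[4010]: Bad password attempt for 'root' from 198.51.100.7:40001
Jan 23 01:02:03 dropbear[4011]: Bad password attempt for 'root' from 198.51.100.7:40002
Jan 23 01:02:05 dropbear[4012]: Login attempt for nonexistent user from 198.51.100.7:40003
Jan 23 01:02:07 dropbear[4013]: Bad password attempt for 'admin' from 198.51.100.7:40004
Jan 23 01:02:09 dropbear[4014]: Bad password attempt for 'admin' from 198.51.100.7:40005
Jan 23 01:02:11 dropbear[4015]: Bad password attempt for 'admin' from 198.51.100.7:40006
Jan 23 01:10:00 dropbear[4020]: Bad password attempt for 'admin' from 203.0.113.5:50000
EOF
}

# awk helper shared by the functions below: the source address of a dropbear
# line is the word after "from", with any ":port" suffix removed.
AWK_SRC='function src(   i, ip) {
    for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); sub(/:[0-9]+$/, "", ip); return ip }
    return ""
}'

# Print "user ip" for each successful password login (alert material).
successful_logins() {
    awk "$AWK_SRC"'
    /dropbear\[[0-9]+\]: Password auth succeeded for/ {
        for (i = 1; i <= NF; i++) if ($i == "for") user = $(i + 1)
        gsub(/[^A-Za-z0-9_.-]/, "", user)      # strip the quotes around the name
        print user, src()
    }'
}

# Count failed attempts per source address, busiest first: "<count> <ip>".
failed_by_ip() {
    awk "$AWK_SRC"'
    /dropbear\[[0-9]+\]: (Bad password attempt for|Login attempt for nonexistent user)/ { n[src()]++ }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses with at least THRESHOLD failures (default 5).
offenders() {
    failed_by_ip | awk -v limit="${1:-5}" '$1 >= limit { print $2 }'
}

# Print, rather than run, the iptables rules that would drop further SSH
# connections from each offender. Port 22 is an assumption: use the port
# dropbear actually listens on. Rules inserted at runtime are gone after a
# reboot, so keep them in whatever startup script your build provides.
block_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Demo on the constructed sample: sh ssh_watch.sh demo
# Real use: . ./ssh_watch.sh; block_rules 5 < /tmp/syslog.log
if [ "${1:-}" = "demo" ]; then
    sample_log | successful_logins
    sample_log | failed_by_ip
    sample_log | block_rules 5
fi
```

On the router the functions take the log on stdin, so `successful_logins < /tmp/syslog.log` is the list you would feed to a mail client from Optware, and `block_rules 5 < /tmp/syslog.log | sh` would apply the rules once you have checked the addresses. Lower the threshold only after confirming that your own address never appears in the failure list.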

GoogleCodeExporter commented 9 years ago
https://code.google.com/p/rt-n56u/source/detail?r=adaa13f122de370bb87e335738732cf618a09b26

Original comment by Dr.Sydorenko.O on 10 Feb 2014 at 10:44

GoogleCodeExporter commented 9 years ago
Hi Dr Sydorenko!
  Thank you for sharing this. Does this mean the next version will contain this change? Or can I just modify the files shown and reboot the router to get the changes now?

Thanks again!
-Troy

Original comment by tmbou...@mtu.edu on 11 Feb 2014 at 2:53

GoogleCodeExporter commented 9 years ago
You can use openssh instead of dropbear. There are some methods to control 
connections if you read its manual (MaxStartups, MaxSessions, MaxAuthTries etc.)

Original comment by d...@soulblader.com on 23 Feb 2014 at 7:17
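As an added example of the OpenSSH directives named in the comment above (this is not code from the thread or from the rt-n56u project), the following POSIX shell script sets them in an sshd_config file idempotently, so running it twice does not leave duplicate lines. The directive names and syntax are OpenSSH's; the values are this example's assumptions for a WAN-exposed SFTP host, and `PasswordAuthentication no` is only safe once a public key is installed for the account.

```shell
#!/bin/sh
# Added example (not from the thread or rt-n56u): set OpenSSH's connection
# limits in an sshd_config file. Directive names are OpenSSH's; the values
# are this example's assumptions for a WAN-exposed SFTP host.

# set_directive FILE KEY VALUE: replace every existing setting of KEY,
# including commented-out ones, with a single "KEY VALUE" line, or append
# it if KEY is absent. Keys match case-insensitively, as sshd reads them.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        tolower($0) ~ re {
            if (!seen) { print key, value; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print key, value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY: print the active (uncommented) value of KEY, if any.
get_directive() {
    awk -v key="$2" '
        BEGIN { re = "^[ \t]*" tolower(key) "[ \t]+" }
        tolower($0) ~ re { print $2; exit }
    ' "$1"
}

# harden_sshd FILE: apply the limits. See sshd_config(5) for each directive.
harden_sshd() {
    f=$1
    set_directive "$f" MaxAuthTries 3           # disconnect after 3 failed attempts
    set_directive "$f" MaxSessions 2            # shell/sftp sessions per connection
    set_directive "$f" MaxStartups 10:30:60     # start:rate:full unauthenticated conns
    set_directive "$f" LoginGraceTime 30        # seconds to finish authenticating
    set_directive "$f" PubkeyAuthentication yes
    # Assumption: a key is already installed; otherwise this locks you out.
    set_directive "$f" PasswordAuthentication no
}
```

`MaxStartups 10:30:60` means that once 10 connections are waiting to authenticate, sshd drops new ones with 30% probability, rising linearly to 100% at 60, which is what blunts a password-guessing flood without touching iptables. Run `sshd -t -f /path/to/sshd_config` before restarting the daemon so a typo does not leave you locked out of the router.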

GoogleCodeExporter commented 9 years ago
Thanks for the tip! I'll try openssh out when I get some time.

Original comment by tmbou...@mtu.edu on 23 Feb 2014 at 9:06