Closed GoogleCodeExporter closed 9 years ago
After doing more looking, I see that in my system logs it does show ssh logins:
Jan 23 00:25:24 dropbear[3964]: Password auth succeeded for 'username' from IP
Jan 23 00:25:46 dropbear[3964]: Exit (username): Exited normally
Basically, I have my SFTP exposed because I don't want to use FTP. So in my
firewall I have just my SSH Server exposed to WAN (not web access). I have been
reading how a lot of people try to hack SSH and I just want to be monitoring
mine. So I have two questions:
1) Is there a way to email me when an ssh login happens?
2) Is it just my admin login/password that works for ssh? Where can I see
which logins work with the SSH Server?
I have Optware installed
Thank you!
-Troy
Original comment by tmbou...@mtu.edu
on 23 Jan 2014 at 5:32
You can use only admin login/password for ssh. It's configured at page
http://my.router/Advanced_System_Content.asp
You can't send notifications with basic functions. But you can parse the system
log and use your scripts for this.
Original comment by Dr.Sydorenko.O
on 24 Jan 2014 at 3:09
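An added example, not part of the original thread or the firmware project's code: one way to parse the system log for dropbear logins and prepare e-mail notifications, as suggested in the reply above. The function names, recipient address, failure threshold, and the "Bad password attempt" message wording are assumptions; the sample log is constructed in the format quoted in the thread.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample in the thread's log format; IPs are documentation ranges.
# The "Bad password attempt" wording is an assumption, not a line from this thread.
SAMPLE_LOG = """\
Jan 23 00:25:01 dropbear[3960]: Bad password attempt for 'admin' from 203.0.113.7:50122
Jan 23 00:25:03 dropbear[3961]: Bad password attempt for 'admin' from 203.0.113.7:50130
Jan 23 00:25:05 dropbear[3962]: Bad password attempt for 'admin' from 203.0.113.7:50141
Jan 23 00:25:24 dropbear[3964]: Password auth succeeded for 'admin' from 198.51.100.20:41822
Jan 23 00:25:46 dropbear[3964]: Exit (admin): Exited normally
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) dropbear\[(?P<pid>\d+)\]: "
    r"(?P<kind>Password auth succeeded|Bad password attempt) "
    r"for '(?P<user>[^']*)' from (?P<src>\S+)$"
)

def parse_events(text):
    """Yield one dict per dropbear auth line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ok"] = ev.pop("kind") == "Password auth succeeded"
            ev["ip"] = ev["src"].rsplit(":", 1)[0]  # drop the source port
            yield ev

def build_alerts(text, fail_threshold=3, to_addr="admin@example.org"):
    """Return EmailMessage objects: one per login, one per noisy source IP."""
    events = list(parse_events(text))
    fails = Counter(e["ip"] for e in events if not e["ok"])
    subjects = [f"SSH login: {e['user']} from {e['ip']} at {e['ts']}"
                for e in events if e["ok"]]
    subjects += [f"SSH failures: {n} bad passwords from {ip}"
                 for ip, n in fails.items() if n >= fail_threshold]
    alerts = []
    for subject in subjects:
        msg = EmailMessage()
        msg["To"], msg["From"], msg["Subject"] = to_addr, to_addr, subject
        msg.set_content(subject)
        alerts.append(msg)
    return alerts

if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert["Subject"])  # pass to smtplib.SMTP(...).send_message() to deliver
```

Run from cron against only the lines added since the previous run, otherwise the same login is reported again each time.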
Hi Dr. Sydorenko,
I do have an Ubuntu server running in my LAN. What's the best way to set that up as a remote system log and then send email notifications from there? Also, where in the router file directory is the system log located?
Thank you!
-Troy
Original comment by tmbou...@mtu.edu
on 24 Jan 2014 at 4:44
I found the syslog.log file. It is in /tmp/syslog.log, but I can't get it to
send to my Ubuntu server. I installed syslog-ng like this post said:
https://code.google.com/p/rt-n56u/issues/detail?id=7
I kept getting errors so I did not do this:
echo 'include "remote.conf";' >>/etc/syslog-ng/syslog-ng.conf
I just copied the below in syslog-ng.conf:
source s_rem { tcp(ip("0.0.0.0") port(514)); };
destination d_rem { file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log" perm(0600) template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $HOST $PRIORITY: $MESSAGE\n")); };
destination d_raw { file("/var/log/remote/.raw/$YEAR-$MONTH-$DAY.log" perm(0600) template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $HOST $PRIORITY: $MESSAGE\n")); };
log { source(s_rem); destination(d_rem); };
log { source(s_rem); destination(d_raw); };
syslog-ng rules (I can view my syslog file and it works), but nothing in
var/log/remote/... I allowed UDP and TCP ports 514 in my UFW.
Any idea why the syslog file is not going to my server? Thank you
-Troy
p.s. I hope to use logwatch (follow this guide) to email notifications once I
can see the logfiles:
http://askubuntu.com/questions/235868/how-can-i-monitor-syslog-and-send-notification-based-on-events
Original comment by tmbou...@mtu.edu
on 25 Jan 2014 at 4:45
Would I be able to add something to the iptables to stop brute force attacks?
Like this:
http://www.rackaid.com/blog/how-to-block-ssh-brute-force-attacks/
Original comment by tmbou...@mtu.edu
on 25 Jan 2014 at 5:39
https://code.google.com/p/rt-n56u/source/detail?r=adaa13f122de370bb87e335738732cf618a09b26
Original comment by Dr.Sydorenko.O
on 10 Feb 2014 at 10:44
Hi Dr Sydorenko!
Thank you for sharing this. Does this mean the next version will contain this change? Or can I just modify the files shown and reboot the router to get the changes now?
Thanks again!
-Troy
Original comment by tmbou...@mtu.edu
on 11 Feb 2014 at 2:53
You can use openssh instead of dropbear. There are some methods to control
connections if you read its manual (MaxStartups, MaxSessions, MaxAuthTries etc.)
Original comment by d...@soulblader.com
on 23 Feb 2014 at 7:17
Thanks for the tip! I'll try openssh out when I get some time.
Original comment by tmbou...@mtu.edu
on 23 Feb 2014 at 9:06
Original issue reported on code.google.com by
tmbou...@mtu.edu
on 23 Jan 2014 at 4:31