Difference between revisions of "Sshd logs"
↑ https://man.cx/sshd(1)
↑ https://serverfault.com/a/608976
Latest revision as of 11:15, 21 September 2023
Logs: journalctl -u ssh or journalctl -u sshd
Dec 01 07:01:05 SERVER sshd[15647]: PAM service(sshd) ignoring max retries; 5 > 3
See: MaxAuthTries in sshd_config
Dec 11 09:29:36 SERVER sshd[5506]: Received disconnect from 103.217.11.10 port 43200:11: Bye Bye [preauth]
ssh.service: Found left-over process 30050 (sshd) in control group while starting unit. Ignoring.
Unable to negotiate with 55.xxx.455.45 port 30367: no matching cipher found. Their offer: aes256-cbc,[email protected],aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
Unsuccessful authentication attempts
journalctl -r | egrep "Failed password for|Unable to negotiate with|maximum authentication attempts|Failed publickey for"
Invalid user USERNAME from 54.xxX.138.126 port 39980
error: maximum authentication attempts exceeded for root from 10.10.10.110 port 40314 ssh2 [preauth]
Jan 08 11:18:03 SERVER sshd[7429]: Failed password for invalid user USERNAME from 212.XXX.98.46 port 63474 ssh2
Jan 11 11:15:34 SERVER sshd[7024]: Failed password for USERNAME from 19x.118.XXX.62 port 41430 ssh2
Unable to negotiate with 55.xxx.455.45 port 30367: no matching cipher found. Their offer: aes256-cbc,[email protected],aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
Example of a failed login with verbose mode (see sshd logs):
May 07 15:55:01 SERVER sshd[1870524]: Failed none for USERNAME from 23.33.xx.xx port 12616 ssh2
May 07 15:55:01 SERVER sshd[1870524]: Failed publickey for USERNAME from 23.33.xx.xx port 12616 ssh2: RSA SHA256:tAkCKfvCmOTpVeceSyAOy9Sjyp213hQ7RLTyKUaNw12
May 07 15:55:00 SERVER sshd[1870524]: Connection from 23.33.xx.xx port 12616 on 10.10.10.xx port 22 rdomain ""
Successful authentication attempts
journalctl -r | egrep "Accepted publickey for|Accepted password for"
sshd[17161]: Accepted publickey for USERNAME from
Accepted password for USERNAME from 95.14.XXX.214 port 52731 ssh2
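The two egrep filters above only select lines; to turn them into something countable, here is an added example (not part of the wiki page) that classifies the sshd message families listed in the two sections above and tallies failures per source address. The sample log lines are constructed from the page's examples with masked addresses.

```python
import re
from collections import Counter

# One regex per sshd message family shown on this page; named groups pull out
# the fields an analyst pivots on (user, source address, port).
PATTERNS = [
    ("accepted", re.compile(
        r"Accepted (?P<method>publickey|password) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("failed", re.compile(
        r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("max_auth_tries", re.compile(
        r"maximum authentication attempts exceeded for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("no_match", re.compile(r"Unable to negotiate with (?P<ip>\S+) port (?P<port>\d+): no matching (?P<what>\w+) found")),
    ("not_allowed", re.compile(r"User (?P<user>\S+) not allowed because (?P<reason>.+)")),
]
FAILURE_EVENTS = {"failed", "invalid_user", "max_auth_tries", "no_match", "not_allowed"}

def parse_sshd_line(line):
    """Classify one journal/auth.log line; None for message types not tracked here."""
    for event, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return {"event": event, **m.groupdict()}
    return None

def failures_by_source(lines):
    """Count failure events per source address, the view fail2ban-style blocking is built on."""
    counts = Counter()
    for line in lines:
        rec = parse_sshd_line(line)
        if rec and rec["event"] in FAILURE_EVENTS and "ip" in rec:
            counts[rec["ip"]] += 1
    return counts

# Constructed sample built from the message shapes on this page (addresses are masked placeholders).
SAMPLE_LOG = """\
Jan 08 11:18:03 SERVER sshd[7429]: Failed password for invalid user USERNAME from 212.XXX.98.46 port 63474 ssh2
Jan 11 11:15:34 SERVER sshd[7024]: Failed password for USERNAME from 19x.118.XXX.62 port 41430 ssh2
Jan 11 11:15:40 SERVER sshd[7031]: Invalid user admin from 19x.118.XXX.62 port 41502
error: maximum authentication attempts exceeded for root from 10.10.10.110 port 40314 ssh2 [preauth]
Unable to negotiate with 55.xxx.455.45 port 30367: no matching cipher found. Their offer: aes256-cbc,3des-cbc,none [preauth]
Oct 12 09:03:39 SERVER_NAME sshd[2963]: User XXXX not allowed because account is locked
Accepted password for USERNAME from 95.14.XXX.214 port 52731 ssh2
Dec 11 09:29:36 SERVER sshd[5506]: Received disconnect from 103.217.11.10 port 43200:11: Bye Bye [preauth]
""".splitlines()

if __name__ == "__main__":
    for ip, n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{n:3d} failure(s) from {ip}")
```

Feed it real input with `journalctl -u ssh -o cat` piped to stdin; the "User ... not allowed" message carries no address, so it is classified but not counted per source.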
ChrootDirectory related
May 05 14:01:41 SERVER_NAME sshd[1825292]: fatal: bad ownership or modes for chroot directory "/home/USERNAME
All components of the pathname must be root-owned directories that are not writable by any other user or group (Sftp configuration)
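The ownership rule behind the "bad ownership or modes" error, as an added example (not from the wiki page): every component of the chroot path is checked for being a root-owned directory with no group or other write bit. The stat function is injectable so the check can run against a constructed directory tree (FakeStat and FAKE_TREE are assumptions for the demonstration).

```python
import os
import stat

def path_components(path):
    """Every directory from '/' down to path itself, e.g. '/', '/home', '/home/USERNAME'."""
    current = os.sep
    yield current
    for part in os.path.normpath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
            yield current

def check_chroot_path(path, stat_fn=os.stat):
    """Apply the ChrootDirectory rule to each component: a directory, owned by root,
    not writable by group or others. Returns [(component, reason), ...]; empty means OK."""
    problems = []
    for comp in path_components(path):
        st = stat_fn(comp)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "not owned by root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "writable by group or others"))
    return problems

class FakeStat:
    """Minimal stand-in for os.stat_result so the check can run on a constructed tree."""
    def __init__(self, uid, mode):
        self.st_uid, self.st_mode = uid, mode

# Constructed tree reproducing the log line above: the user's home directory is
# owned by uid 1000, so sshd refuses it as a chroot target; /srv/sftp fails on
# a group-writable parent instead.
FAKE_TREE = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home/USERNAME": FakeStat(1000, stat.S_IFDIR | 0o755),
    "/srv": FakeStat(0, stat.S_IFDIR | 0o775),
    "/srv/sftp": FakeStat(0, stat.S_IFDIR | 0o755),
}

if __name__ == "__main__":
    for p in ("/home/USERNAME", "/srv/sftp"):
        print(p, check_chroot_path(p, FAKE_TREE.__getitem__) or "OK")
```

Run `check_chroot_path("/path/from/sshd_config")` with the default `os.stat` to audit a live host before restarting sshd.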
Connection closing, user not allowed
May 18 11:05:30 SERVER_NAME sshd[2427302]: error: kex_exchange_identification: Connection closed by remote host
Oct 12 09:03:39 SERVER_NAME sshd[2963]: User XXXX not allowed because account is locked
Mar 31 13:26:52 SERVER_NAME sshd[441]: User XXXX not allowed because shell /sbin/nologin does not exist
Related terms
* /var/log/auth.log
* LogLevel
* ssh -vvv
See also
* sshd
* OpenSSH
* /var/log/auth.log
* journalctl
* PAM
* fail2ban
* logging