Difference between revisions of "Sshd logs"

From wikieduonline
Jump to navigation Jump to search
 
(61 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
<code>[[sshd]]</code><ref>https://man.cx/sshd(1)</ref> secure shell daemon.
 +
 +
 +
= Logs: [[journalctl]] -u ssh or [[journalctl]] -u [[sshd]]  =
 +
 +
Dec 01 07:01:05 SERVER sshd[15647]: PAM service(sshd) ignoring max retries; 5 > 3 sshd[15647]: PAM service(sshd) ignoring max retries; 5 > 3
 +
See: <code>[[MaxAuthTries]]</code> in <code>[[sshd_config]]</code>
 +
 +
Dec 11 09:29:36 SERVER sshd[5506]: Received disconnect from 103.217.11.10 port 43200:11: Bye Bye [preauth]
 +
 +
ssh.service: Found left-over process 30050 (sshd) in control group while starting unit. Ignoring.
 +
 +
[[Unable to negotiate with]] 55.xxx.455.45 port 30367: no matching [[cipher]] found. Their offer: aes256-cbc,[email protected],aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
 +
 +
== Unsuccessful [[authentication]] attempts ==
 +
 +
<code>[[journalctl]] -r | egrep "[[Failed password for]]|[[Unable to negotiate with]]|[[maximum authentication attempts]]|[[Failed publickey for]]"</code>
 +
 +
Invalid user USERNAME from 54.xxX.138.126 port 39980
 +
 
  error: maximum authentication attempts exceeded for root from 10.10.10.110 port 40314 ssh2 [preauth]
 
  error: maximum authentication attempts exceeded for root from 10.10.10.110 port 40314 ssh2 [preauth]
  
See: <code>MaxAuthTries</code> in <code>[[sshd]]</code>
+
Jan 08 11:18:03 SERVER sshd[7429]: Failed password for invalid user USERNAME from 212.XXX.98.46 port 63474 ssh2
 +
 
 +
Jan 11 11:15:34 SERVER sshd[7024]: Failed password for USERNAME from 19x.118.XXX.62 port 41430 ssh2
 +
 
 +
[[Unable to negotiate with]] 55.xxx.455.45 port 30367: no matching cipher found. Their offer: aes256-cbc,[email protected],aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
 +
 
 +
 
 +
Example of failed login with [[verbose]] mode, see ([[sshd logs]]):
 +
May 07 15:55:01 SERVER sshd[1870524]: Failed none for  USERNAME  from 23.33.xx.xx port 12616 ssh2
 +
May 07 15:55:01 SERVER sshd[1870524]: [[Failed publickey for]]  USERNAME  from 23.33.xx.xx port 12616 ssh2: [[RSA]] [[SHA256]]:tAkCKfvCmOTpVeceSyAOy9Sjyp213hQ7RLTyKUaNw12
 +
May 07 15:55:00 SERVER sshd[1870524]: Connection from 23.33.xx.xx port 12616 on 10.10.10.xx port 22 [[rdomain]] ""
 +
 
 +
== Successful [[authentication]] attempts ==
 +
<code>[[journalctl]] -r | egrep "[[Accepted publickey for]]|[[Accepted password for]]"</code>
 +
 
 +
sshd[17161]: Accepted [[publickey]] for USERNAME from
 +
 
 +
Accepted password for USERNAME from 95.14.XXX.214 port 52731 ssh2
 +
 
 +
== [[ChrootDirectory]] related ==
 +
May 05 14:01:41 SERVER_NAME sshd[1825292]: [[fatal: bad ownership or modes for]] [[chroot]] directory "/home/USERNAME
 +
All components of the pathname must be root-owned directories that are not writable by any other user or group ([[Sftp configuration]])
 +
 
 +
== Connection closing, user not allowed ==
 +
May 18 11:05:30 SERVER_NAME sshd[2427302]: error: [[kex_exchange_identification]]: Connection closed by remote host
 +
 
 +
Oct 12 09:03:39 SERVER_NAME sshd[2963]: User XXXX not allowed because [[account is locked]]
  
 +
Mar 31 13:26:52 SERVER_NAME sshd[441]: User XXXX not allowed because ''shell /sbin/[[nologin]] does not exist'''
  
 +
== Related terms ==
 +
* <code>[[/var/log/auth.log]]</code>
 +
* <code>[[LogLevel]]</code>
 +
* <code>[[ssh -vvv]]</code>
  
 
== See also ==
 
== See also ==
 +
* {{sshd}}
 
* {{OpenSSH}}
 
* {{OpenSSH}}
* <code>/var/log/[[auth.log]]</code>
+
* <code>/var/[[log]]/[[auth.log]]</code>
 
* {{journalctl}}
 
* {{journalctl}}
 +
* {{PAM}}
 +
* {{fail2ban}}
 +
* {{logging}}
  
 
[[Category:ssh]]
 
[[Category:ssh]]
 +
[[Category:IT Security]]
 +
[[Category:logging]]

Latest revision as of 11:15, 21 September 2023

sshd[1] secure shell daemon.


Logs: journalctl -u ssh or journalctl -u sshd[edit]

Dec 01 07:01:05 SERVER sshd[15647]: PAM service(sshd) ignoring max retries; 5 > 3 sshd[15647]: PAM service(sshd) ignoring max retries; 5 > 3
See: MaxAuthTries in sshd_config
Dec 11 09:29:36 SERVER sshd[5506]: Received disconnect from 103.217.11.10 port 43200:11: Bye Bye [preauth]
ssh.service: Found left-over process 30050 (sshd) in control group while starting unit. Ignoring.
Unable to negotiate with 55.xxx.455.45 port 30367: no matching cipher found. Their offer: aes256-cbc,[email protected],aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]

Unsuccessful authentication attempts[edit]

journalctl -r | egrep "Failed password for|Unable to negotiate with|maximum authentication attempts|Failed publickey for"

Invalid user USERNAME from 54.xxX.138.126 port 39980
error: maximum authentication attempts exceeded for root from 10.10.10.110 port 40314 ssh2 [preauth]
Jan 08 11:18:03 SERVER sshd[7429]: Failed password for invalid user USERNAME from 212.XXX.98.46 port 63474 ssh2
Jan 11 11:15:34 SERVER sshd[7024]: Failed password for USERNAME from 19x.118.XXX.62 port 41430 ssh2
Unable to negotiate with 55.xxx.455.45 port 30367: no matching cipher found. Their offer: aes256-cbc,[email protected],aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]


Example of failed login with verbose mode, see (sshd logs):
May 07 15:55:01 SERVER sshd[1870524]: Failed none for  USERNAME  from 23.33.xx.xx port 12616 ssh2
May 07 15:55:01 SERVER sshd[1870524]: Failed publickey for  USERNAME  from 23.33.xx.xx port 12616 ssh2: RSA SHA256:tAkCKfvCmOTpVeceSyAOy9Sjyp213hQ7RLTyKUaNw12
May 07 15:55:00 SERVER sshd[1870524]: Connection from 23.33.xx.xx port 12616 on 10.10.10.xx port 22 rdomain ""

Successful authentication attempts[edit]

journalctl -r | egrep "Accepted publickey for|Accepted password for"

sshd[17161]: Accepted publickey for USERNAME from
Accepted password for USERNAME from 95.14.XXX.214 port 52731 ssh2

ChrootDirectory related[edit]

May 05 14:01:41 SERVER_NAME sshd[1825292]: fatal: bad ownership or modes for chroot directory "/home/USERNAME

All components of the pathname must be root-owned directories that are not writable by any other user or group (Sftp configuration)

Connection closing, user not allowed[edit]

May 18 11:05:30 SERVER_NAME sshd[2427302]: error: kex_exchange_identification: Connection closed by remote host
Oct 12 09:03:39 SERVER_NAME sshd[2963]: User XXXX not allowed because account is locked
Mar 31 13:26:52 SERVER_NAME sshd[441]: User XXXX not allowed because shell /sbin/nologin does not exist'

Related terms[edit]

See also[edit]

  • https://man.cx/sshd(1)
  • https://serverfault.com/a/608976
  • Advertising: