How to view, set up and analyze sshd (Secure Shell daemon) logs on Red Hat or CentOS Linux
In this article we will look at how to view, analyze and set up SSHD logging on a Red Hat or CentOS Linux system.
1. Viewing the SSHD log file.
## For Ubuntu
[root@nglinux ~]# ls -l /var/log/auth.log
ls: cannot access /var/log/auth.log: No such file or directory
## For Redhat or Centos
[root@nglinux ~]# ls -l /var/log/secure
-rw-------. 1 root root 0 May 30 20:36 /var/log/secure
2. Check the entries in the log file.
[root@nglinux ~]# cat /var/log/secure
[root@nglinux ~]#
We can see there are no entries in the file, so it seems SSH logging is disabled on this server. Let's check the sshd configuration.
[root@nglinux ~]# cat /etc/ssh/sshd_config | grep -iA 4 logging
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
In the above output we can see that the "LogLevel INFO" line is commented out, which is why no logging is being captured.
3. Set up SSH logging: enable logging and reload the service.
## Uncomment the LogLevel line in sshd_config
[root@nglinux ~]# vim /etc/ssh/sshd_config
[root@nglinux ~]# cat /etc/ssh/sshd_config | grep -iA 4 logging
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
[root@nglinux ~]#
## And then reload the service.
[root@nglinux ~]# service sshd reload
Reloading sshd:                                            [  OK  ]
4. Verify that entries have started to appear in the log file.
[root@nglinux ~]# cat /var/log/secure
May 31 01:54:09 localhost sshd[1796]: Received SIGHUP; restarting.
May 31 01:54:09 localhost sshd[28471]: Server listening on 0.0.0.0 port 22.
May 31 01:54:09 localhost sshd[28471]: Server listening on :: port 22.
[root@nglinux ~]#
5. Understanding the SSH login attempt history
[root@nglinux ~]# cat /var/log/secure
May 31 01:54:09 localhost sshd[1796]: Received SIGHUP; restarting.
May 31 01:54:09 localhost sshd[28471]: Server listening on 0.0.0.0 port 22.
May 31 01:54:09 localhost sshd[28471]: Server listening on :: port 22.
May 31 01:56:48 localhost sshd[4267]: Received disconnect from 172.21.49.223: 11: disconnected by user      --> The user logged out of the session.
May 31 01:56:48 localhost sshd[4267]: pam_unix(sshd:session): session closed for user root
May 31 01:56:52 localhost sshd[28476]: Accepted password for root from 172.21.49.223 port 57163 ssh2      --> Successful login from IP 172.21.49.223 (client source port 57163).
May 31 01:56:53 localhost sshd[28476]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 31 01:56:53 localhost sshd[28480]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
May 31 01:56:53 localhost sshd[28480]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
May 31 01:56:54 localhost sshd[28476]: Received disconnect from 172.21.49.223: 11: disconnected by user
May 31 01:56:54 localhost sshd[28476]: pam_unix(sshd:session): session closed for user root
May 31 01:56:56 localhost unix_chkpwd[28504]: password check failed for user (root)      --> The user entered a wrong password.
May 31 01:56:56 localhost sshd[28502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.49.223 user=root
May 31 01:56:58 localhost sshd[28502]: Failed password for root from 172.21.49.223 port 57164 ssh2
May 31 01:57:00 localhost sshd[28502]: Accepted password for root from 172.21.49.223 port 57164 ssh2      --> The same connection (sshd[28502]) then succeeded on a retry.
May 31 01:57:00 localhost sshd[28502]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 31 01:57:00 localhost sshd[28507]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
May 31 01:57:00 localhost sshd[28507]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
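Reading "Accepted" and "Failed" lines by hand works for a short excerpt; on a busy server you want them summarized per user and source address. The following script is an added example (not part of the original article): it parses /var/log/secure style lines, counts successes and failures per (user, IP), and flags connections where a failed password was followed by an accepted one under the same sshd PID, exactly the pattern visible above for sshd[28502]. The log lines embedded in it are a constructed sample modelled on the excerpt, not a real capture.

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/secure excerpt above (not a real capture).
SAMPLE_LOG = """\
May 31 01:56:52 localhost sshd[28476]: Accepted password for root from 172.21.49.223 port 57163 ssh2
May 31 01:56:54 localhost sshd[28476]: Received disconnect from 172.21.49.223: 11: disconnected by user
May 31 01:56:56 localhost sshd[28502]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.49.223 user=root
May 31 01:56:58 localhost sshd[28502]: Failed password for root from 172.21.49.223 port 57164 ssh2
May 31 01:57:00 localhost sshd[28502]: Accepted password for root from 172.21.49.223 port 57164 ssh2
May 31 01:57:05 localhost sshd[28510]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
May 31 01:57:07 localhost sshd[28510]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
"""

# Matches the "Accepted <method> for <user> from <ip> port <port>" and "Failed ..." forms;
# "invalid user" marks an account name that does not exist on the host.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_auth_events(text):
    """Return a list of dicts for Accepted/Failed lines; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid_user"] = "invalid user" in line
            events.append(ev)
    return events

def summarize(events):
    """Count failures/successes per (user, ip) and flag fail-then-accept on one sshd PID."""
    failed = Counter((e["user"], e["ip"]) for e in events if e["result"] == "Failed")
    accepted = Counter((e["user"], e["ip"]) for e in events if e["result"] == "Accepted")
    pids_with_failure, fail_then_accept = set(), []
    for e in events:  # events are in log order, so a later Accepted on a seen PID is a retry
        if e["result"] == "Failed":
            pids_with_failure.add(e["pid"])
        elif e["pid"] in pids_with_failure:
            fail_then_accept.append((e["user"], e["ip"], e["pid"]))
    return {"failed": failed, "accepted": accepted, "fail_then_accept": fail_then_accept}

def noisy_sources(summary, threshold=2):
    """Source IPs with at least `threshold` failed attempts, across all user names."""
    per_ip = Counter()
    for (_user, ip), n in summary["failed"].items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    s = summarize(parse_auth_events(SAMPLE_LOG))
    print("accepted:", dict(s["accepted"]))
    print("failed:", dict(s["failed"]))
    print("fail then accept:", s["fail_then_accept"])
    print("noisy sources:", noisy_sources(s))
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/log/secure (read as root, since the file is mode 0600).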