Posted by Joe Strout on August 18, 2006, 5:04 pm
I'm getting a lot of login attempts on my Mac OS X (10.4.x) machine, as
judged by /var/log/secure.log entries like this:
Aug 15 21:36:41 macname com.apple.SecurityServer: authinternal failed to
authenticate user ftp.
Aug 15 21:36:41 macname com.apple.SecurityServer: Failed to authorize
right system.login.tty by process /usr/sbin/sshd for authorization
created by /usr/sbin/sshd.
However, these log messages don't show an IP address. Moreover, after
adding an AllowUsers line to my sshd_config, I don't seem to be getting
any log lines here at all for a failed login attempt (except for the
allowed user, but so far none of the attackers have guessed that user
name).
I also looked in system.log; this initially wasn't getting any log
entries for these login attempts. After changing the log level in
sshd_config to DEBUG, I now get messages for invalid user names like:
Aug 18 14:37:26 VerEx-1 sshd[13258]: fatal: Timeout before
authentication for 67.174.105.26
(They're always timeouts because with AllowUsers, sshd seems to delay
indefinitely after the password entry.) But this doesn't show the user
name that was attempted.
Perhaps that doesn't matter -- but I feel like I'm groping around in the
dark here. Does anyone have a good, up-to-date description of how
logging with sshd works in OS X?
Also, /var/log contains an ipfw.log file -- but it is always empty. I
do have a firewall turned on, and ipfw list can show me how many times
each rule has been applied (these numbers go up as I attempt
connections). Yet the log is empty. Any idea how to get ipfw to log
these connection attempts?
Ideally, I'd like to make a script to automatically block connections
from a given host after too many failed attempts, as described here:
<http://elibrary.fultus.com/technical/index.jsp?topic=/com.fultus.freebsd.nonfdp/books/FBSDinstall_guide60/06.13-Defending_Against_%20Attacks.htm>
Given the hoops I've had to jump through to get useful logging at all,
I'm not confident this will work on my OS X machine. Any Mac-specific
advice?
Thanks,
- Joe
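
The detection half of the script asked about above, as an added example that is not part of the original post: it counts the `Timeout before authentication for <address>` lines quoted there per source address inside a sliding window and validates each address before it is used anywhere else. The threshold, window, year, function names and sample log lines are assumptions; the ipfw rule text is only formatted, never executed.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the DEBUG-level sshd line quoted in the post (a single line in the real log).
TIMEOUT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"fatal: Timeout before authentication for (\S+)$"
)

def offenders(lines, threshold=3, window=timedelta(minutes=10), year=2006):
    """Return sorted IPv4 sources with >= threshold timeouts inside the window."""
    recent = defaultdict(deque)   # address -> timestamps still inside the window
    flagged = set()
    for line in lines:            # lines are assumed to be in chronological order
        m = TIMEOUT_RE.match(line.strip())
        if not m:
            continue
        try:
            # The address is attacker-influenced log text: parse it, never pass it on raw.
            ip = str(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue
        # Syslog timestamps carry no year; the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)

def deny_rules(ips):
    """Format one ipfw deny rule per validated address; nothing is run here."""
    return [f"ipfw add deny tcp from {ip} to any 22" for ip in ips]

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE = """\
Aug 15 21:36:41 macname com.apple.SecurityServer: authinternal failed to authenticate user ftp.
Aug 18 14:00:00 VerEx-1 sshd[13101]: fatal: Timeout before authentication for 198.51.100.7
Aug 18 14:20:00 VerEx-1 sshd[13180]: fatal: Timeout before authentication for 198.51.100.7
Aug 18 14:37:26 VerEx-1 sshd[13258]: fatal: Timeout before authentication for 192.0.2.10
Aug 18 14:38:01 VerEx-1 sshd[13260]: fatal: Timeout before authentication for 192.0.2.10
Aug 18 14:39:40 VerEx-1 sshd[13271]: fatal: Timeout before authentication for 192.0.2.10
Aug 18 14:40:00 VerEx-1 sshd[13275]: fatal: Timeout before authentication for 198.51.100.7
Aug 18 14:41:00 VerEx-1 sshd[13280]: fatal: Timeout before authentication for not-an-address
"""
```

Because the counts come from timeout lines only, a source that fails quickly enough to produce a different message is not seen by this check.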