30

Trying to find out why fail2ban is not working.

Where does Ubuntu 14.04 log SSH access attempts?

Maythux
  • 84,289
timbram
  • 1,995
  • You could ask rsyslogd which files it logs to: cat /etc/rsyslog.d/* | egrep -v '^#|^$' | egrep -o '/[^ ]+' on your system. – waltinator Jun 25 '15 at 19:04

2 Answers2

39

All login attempts are logged to /var/log/auth.log

Search for brute-force SSH logins

Run this command:

grep sshd.\*Failed /var/log/auth.log | less

Search for failed connections

Run this command:

grep sshd.*Did /var/log/auth.log | less

UPDATE:

You should try restarting the syslog daemon to see if it starts to log to the correct file.

sudo service rsyslog restart

Once you have messages going to the auth.log it should start working.

Maythux
  • 84,289
  • 1
    I looked in /var/log/auth.log and the file is empty and nothing is being logged to it... – timbram Jun 25 '15 at 16:00
  • check the update – Maythux Jun 25 '15 at 16:03
  • Ok, just restarted rsyslog. Then logged out, tried to log in with a few wrong passwords. Then went ahead and logged in properly. Still nothing logged to auth.log. – timbram Jun 25 '15 at 16:09
  • What do you think I should look at next? – timbram Jun 25 '15 at 16:10
  • I noticed that in /var/log the username that I use (my non-root user) is the owner of a lot of these files. Could that be the problem do you think? – timbram Jun 25 '15 at 16:12
  • Yeah, it was definitely the permissions. Correcting them, based on the proper settings from another server I have corrected the logging to auth.log. fail2ban still not banning but I will ask another questions If I cant get that to work. – timbram Jun 25 '15 at 16:47
3

The default log settings for ssh are "INFO".

If you want to have it include login attempts in the log file, you'll need to edit the /etc/ssh/sshd_config file and change the "LogLevel" from INFO to VERBOSE.

After that, restart the sshd daemon with

sudo service rsyslog restart

After that, the ssh login attempts will be logged into the /var/log/auth.log file.

Videonauth
  • 33,355
  • 17
  • 105
  • 120
Shay Walters
  • 151