• 4

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191


File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

This is on Solaris 10 sparc platform.

I'm trying to make our denyhosts script block the dictionary ssh attacks. Unfortunately, the logging does not show an IP when the user name is invalid.

We are using winbind module in pam.conf

If I intentionally enter a bad password for a good user name, it logs like this:

Mar 30 14:49:21 t2000 sshd[29870]: [ID 800047 auth.notice] Failed keyboard-interactive for fpicabia from 111.222.333.444 port 52567 ssh2

This shows the IP which I want to keep for denyhosts to scan later. No problems here.

If I login with a bogus user name, the log shows no IP info:

Mar 30 14:55:57 t2000 sshd[1816]: [ID 186046 auth.error] pam_winbind(sshd-kbdint): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (13), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user

In /etc/ssh/sshd_config I already use verbose for logging:

SyslogFacility auth

In pam.conf I have these settings for winbind:

login   auth sufficient         pam_winbind.so.1 debug
other   auth sufficient         pam_winbind.so.1 try_first_pass debug

On Linux, the winbind module reports on the IP in the auth log with only the Loglevel of INFO and no debug turned on at the pam module. The limitation is specific to Solaris and its winbind module.

How can I get the IP address showing in the authentication log when the user is unknown?

Somehow this was not logging sufficient detail before, despite restarting winbind and ssh.

The server was rebooted for other reasons and now the logging does include IP for invalid user, with same settings as in question.

  • 0
Reply Report

Warm tip !!!

This article is reproduced from Stack Exchange / Stack Overflow, please click

Trending Tags