SSHD - LogLevel?

martinsa
I'm New!
Posts: 9
Joined: Fri Nov 30, 2007 1:54 pm

Unread post by martinsa » Fri Nov 30, 2007 3:04 pm

It’s great the latest firmware has OpenSSH available for use.

I’m having an issue setting LogLevel in /etc/ssh/sshd_config

The Default is INFO
The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.

Setting any of these doesn’t seem to change the amount of logging sshd does to /var/log/messages

The only log it seems to log is: “sshd[22632]: error: Could not get shadow information for NOUSER”

NetBoot
Ace
Posts: 725
Joined: Tue Oct 24, 2006 8:20 pm
Location: Northeastern U.S.

Unread post by NetBoot » Fri Nov 30, 2007 8:28 pm

Would you by chance be using the Network Backup feature on your DiskStation?

Net....
Product Model: DS-106
Firmware Version: 2.0.3 - 0640

I have my reasons for my insanity....

martinsa
I'm New!
Posts: 9
Joined: Fri Nov 30, 2007 1:54 pm

Unread post by martinsa » Tue Dec 04, 2007 10:37 am

Hi,

Actually I'm not using the network backup feature.
I'm just using SSH to remotely administer the NAS.

I'm finding a lot of the 'failed logon due to an unknown username' type messages. So it looks like my IP range is being scanned... and there are attempts to log on via SSH.

I've seen some scripts that check for the failed logons in the messages log, and block the client IP using 'iptable' for a while to stop the scripted attack. But for this to work I need the client IP logged for all failed logon attempts.....

...anyone know how to get this detail logged?

Cheers,
Martin.

martinsa
I'm New!
Posts: 9
Joined: Fri Nov 30, 2007 1:54 pm

Unread post by martinsa » Tue Dec 11, 2007 7:46 pm

OK found out how to do it….

Syslog (syslogd) is used to log SSH authentication failures to /var/log/messages
You need to edit /etc/syslog.deny as this is blocking the logging of INFO type messages. So commenting out INFO means the INFO messages from sshd can be logged.

(remember to always back up files before you edit them!)

# These priorities in this config file are not logged
# refer to syslog.h

#alert
#crit
debug
#emerg
#err
#info
notice

# Always keep these setting , as these are obselete
# refer to syslog.h
error
none
warn
panic



Now in /var/log/messages I get entries like this:-

Dec 11 18:32:24 sshd[6457]: Failed password for invalid user bob from 15x.x.x.x port 1691 ssh2
Dec 11 18:32:24 sshd[6457]: Failed password for invalid user bob from 15x.x.x.x port 1691 ssh2
Dec 11 18:32:30 sshd[6459]: Failed password for root from 15x.x.x.x port 1946 ssh2
Dec 11 18:32:30 sshd[6459]: Failed password for root from 15x.x.x.x port 1946 ssh2


So I can search for these client IPs and block the IPs from accessing my Diskstation, stopping further attacks :-)

Franklin, this shouldn’t cause excessive logging of other components should it?... I’ll keep an eye on it and let you know.
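
An added example, not part of the original posts: a small Python parser for the "Failed password" lines shown above that counts failures per client address and lists the addresses over a threshold, skipping an allow-list so the administrator's own network is never listed. The sample log, the threshold of 3, the allow-list and the function names are assumptions made for illustration; treating a line repeated verbatim as one event is also an assumption based on the duplicated entries in the log excerpt.

```python
import ipaddress
import re
from collections import Counter

# The address is read from the END of the line: the user name is supplied by
# the client and may itself contain " from <ip> port <n> ssh2".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*)"
                    r" from (?P<ip>\S+) port \d+ ssh2\s*$")

# Constructed sample in the format shown above (documentation/private addresses).
SAMPLE = """\
Dec 11 18:32:24 sshd[6457]: Failed password for invalid user bob from 203.0.113.7 port 1691 ssh2
Dec 11 18:32:24 sshd[6457]: Failed password for invalid user bob from 203.0.113.7 port 1691 ssh2
Dec 11 18:32:30 sshd[6459]: Failed password for root from 203.0.113.7 port 1946 ssh2
Dec 11 18:32:36 sshd[6461]: Failed password for invalid user admin from 203.0.113.7 port 2011 ssh2
Dec 11 18:33:02 sshd[6466]: Failed password for martin from 192.168.1.20 port 50112 ssh2
Dec 11 18:33:09 sshd[6466]: Failed password for martin from 192.168.1.20 port 50112 ssh2
Dec 11 18:33:15 sshd[6466]: Failed password for martin from 192.168.1.20 port 50112 ssh2
Dec 11 18:34:00 sshd[6470]: Failed password for invalid user a from 192.0.2.99 port 1 ssh2 from 198.51.100.23 port 2200 ssh2
Dec 11 18:35:00 sshd[6480]: Accepted password for martin from 192.168.1.20 port 50120 ssh2
""".splitlines()

def failed_logins(lines):
    """Yield (ip, user) per failed password; a line repeated verbatim counts once."""
    previous = None
    for line in lines:
        line = line.rstrip("\n")
        if line == previous:  # assumption: back-to-back identical lines are one event
            continue
        previous = line
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # masked or malformed address, e.g. 15x.x.x.x
            continue
        yield str(ip), m.group("user")

def offenders(lines, threshold=3, allow=()):
    """Return sorted addresses with >= threshold failures, skipping allow-listed networks."""
    counts = Counter(ip for ip, _ in failed_logins(lines))
    nets = [ipaddress.ip_network(n) for n in allow]
    return sorted(ip for ip, n in counts.items() if n >= threshold
                  and not any(ipaddress.ip_address(ip) in net for net in nets))

if __name__ == "__main__":
    for ip in offenders(SAMPLE, allow=["192.168.1.0/24"]):
        print(ip)
```

To run it against the real log, pass an open file such as open("/var/log/messages") instead of SAMPLE; the returned addresses are the candidates for a firewall block.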

mischaq
Versed
Posts: 279
Joined: Mon Jul 16, 2007 7:37 pm

Re: SSHD - LogLevel?

Unread post by mischaq » Thu Feb 07, 2008 6:30 pm

Hi all

I also changed my syslog.deny as described above. I'm getting many "-- MARK --" logs now in var/log/messages, but I'm not sure if it's this mod of syslog.deny that's responsible for this.

more here: http://www.synology.com/enu/forum/viewt ... =21&t=6660

cheers, mischaq
