|
The only thing I find is a Syslog server config for IBM i. Thing is
there doesn't appear to be any way to get SSHD to log to anything but a
local syslog so it's probably using localhost. Even looking at the
generic config for openssh on linux etc there is no option to log
anywhere else.
I am suspicious that SSHD doesn't do ANYTHING with the audit journal and
the only reason anything shows up there is that they call some API to
validate UID and PWD and when that fails the entries are generated.
Thing is if that's the case you'd also expect it to log the entries when
the UID is invalid because actual code in the Journal is UID *OR* PWD
not valid.
- Larry "DrFranken" Bolhuis
www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.
On 8/18/2015 3:52 PM, Bryan Dietz wrote:
this has come up before try searching the archives for "syslog"
I found some sample code.
Bryan
DrFranken wrote on 8/18/2015 3:39 PM:
Yep saw that. It raises two questions though. 1) Can I redirect that
syslog output to another system, that is have all my partitions syslog
to ONE partition?
If so, How?
The sshd_config file seems only to allow a few tweaks but no
configuration of where to send the syslog messages.
- Larry "DrFranken" Bolhuis
www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.
On 8/18/2015 3:12 PM, Steinmetz, Paul wrote:
Larry,
Check if you have SSHD setup for logging.
http://www-01.ibm.com/support/docview.wss?uid=nas8N1014301
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Vernon Hamberg
Sent: Tuesday, August 18, 2015 2:59 PM
To: Midrange Systems Technical Discussion
Subject: Re: QAUDJRN entry for failed password attempts with SSH
Larry - is SSH running in PASE? If so, I would not expect much in the
audit journal, as PASE knows nothing about that. It's like those who
want exit points for sftp and all.
But PASE (AIX) might have some logging of this kind of thing - that a
WAG for sure on my part.
Vern
On 8/18/2015 1:39 PM, DrFranken wrote:
I get these for TELNET (Code T Type PW) I get these for FTP I get
these for the http: *ADMIN server I get them with System i Navigator
I get them with SSH *IF* they are attempting a VALID user profile.
I get NOTHING with SSH if they try root or admin etc. Anyone know
where I can turn that on or where to look for this type of failed
attempt to authenticate with SSH on i?
In this case I'm testing on i 7.1
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.