SSHD config in Suse

Hi there

I was wondering, is there any way I can change the appearance of the sshd log output in /var/log/sshderr.log and /var/log/sshd.log? Right now, it's showing as such:

 sshd[4857]: error: PAM: Authentication failure for it.sysadm from cijXXX.jp.mitsubishi-motors.com
 sshd[4249]: Accepted keyboard-interactive/pam for root from 191.255.XXX.XXX port XXXXX ssh2

I am fine with the results above, but the customer had a weird request to ensure that IP addresses don't show up; instead they want "host names" to appear in the IP address column. Is this even possible? :confused:

My hosts file has a bunch of servers' DNS entries added in it, so it makes sense that if I SSH from box A to box B, the ssh logs print out the host name instead of the IP address. But I don't understand how to make this possible with the rest of the world! I already said no, but they're not taking no for an answer.

In the Suse box, most parameters in /etc/sshd/sshd_config are already commented out. I am using SUSE Linux Enterprise Server 10 (x86_64)

I'd appreciate it if someone could help me out on this. Thank you.

---------- Post updated at 01:13 PM ---------- Previous update was at 12:22 PM ----------

There's been an update for the request above.

So now would it be possible to identify the machine from where user ssh'd into the servers for both successful and failed logins?

e.g.

sshd[5655]: Accepted keyboard-interactive/pam for root from 191.255.128.119 priti-pc port 55462 ssh2

It is not a very bright idea to me. You can try with syslog-ng, but I'm not sure. Even if you are able to do the DNS resolution, it requires extra time and may create a tail in the log. You must tell him.

I agree with you, because the IP addresses are already captured and I hate to mess up something I don't know how to fix later. But if I were to do it, how do I go about it? My sshd setting in syslog-ng.conf.in is as such:

# SSH Filters
filter f_sshderr    { match('^sshd\[[0-9]+\]: error:'); };
filter f_sshd       { match('^sshd\[[0-9]+\]:'); };

# SSH Logging
destination sshderr { file("/var/log/sshd/sshderr.log"); };
log { source(src); filter(f_sshderr); destination(sshderr); flags(final); };

destination sshd { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };

I'm not sure, but maybe you can try this in your conf:

options {
        # Check client hostnames for valid DNS characters
        check_hostname (yes);

        # Specify whether to trust hostname in the log message.
        # If "yes", then it is left unchanged, if "no" the server replaces
        # it with client's DNS lookup value.
        keep_hostname (yes);

        # Use DNS fully qualified domain names (FQDN)
        # for the names of log file folders
        use_fqdn (yes);
        use_dns (yes);

        # Cache DNS entries for up to 1000 hosts for 12 hours
        dns_cache (yes);
        dns_cache_size (1000);
        dns_cache_expire (43200);
};

hi ygemici

Which config file do I add that to... my nsswitch.conf file?

---------- Post updated at 11:05 AM ---------- Previous update was at 10:39 AM ----------

hi again ygemici

I edited my options in /etc/syslog-ng/syslog-ng.conf.in and ran the SuSEconfig command after adding the options you provided, but at best I am still getting IPs instead of DNS names, so I am guessing these IP addresses are not mapped to the DNS of this server.

Apr  5 11:18:08 src@testlinux.site sshd[21867]: error: PAM: User not known to the underlying authentication module for illegal user test from testlinux.site
Apr  5 11:18:08 src@testlinux.site sshd[21867]: Failed keyboard-interactive/pam for invalid user test from 10.160.11.10 port 60394 ssh2
# Global options.
#
options { check_hostname (yes); keep_hostname (yes); use_fqdn (yes); use_dns (yes); long_hostnames(on); sync(0); perm(0640); stats(3600); };

Did you restart syslog?

# cd /etc/init.d/
# ./syslog stop
# ./syslog start

How about DNS servers?

# cat /etc/resolv.conf

Yup, I had restarted the sshd and syslog daemons.

testlinux:~ # service syslog restart
Shutting down syslog services                                         done
Starting syslog services                                              done
testlinux:~ # cat /etc/resolv.conf
nameserver 203.115.1XX.XX
nameserver 203.115.1XX.XX
search site

Somehow I think it is impossible to achieve both outputs; I can either have the hostname or the IP showing. Can you show me how you manage to get IP and hostname?

Apr  6 10:24:26 ciXXX sshd[10485]: error: PAM: Authentication failure for root from XXXXX.jp.mitsubishi-motors.com-----------when I ssh from another server to this server
Apr  6 10:26:06 ciXXX sshd[10485]: Accepted keyboard-interactive/pam for root from 10.17.XXX.1XX port 47898 ssh2--------------when I ssh from another server to this server
Apr  6 10:27:16 ciXXX sshd[10626]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 63374 ssh2-------------------when I ssh from SecureCRT from my desktop

What is the entire conf (syslog-ng.conf)?
What is your version of SUSE?
What is your version of syslog-ng?

Hi there

syslog-ng.conf.in file

testlinux:/etc/syslog-ng # more syslog-ng.conf.in
#@SuSEconfig@
#@SuSEconfig@ This is a template file used by SuSEconfig
#@SuSEconfig@ to generate the final syslog-ng.conf.
#@SuSEconfig@
#@SuSEconfig@ SuSEconfig adds additional log sockets from
#@SuSEconfig@ /etc/sysconfig/syslog to the source below.
#@SuSEconfig@
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#

#
# Global options.
#
options { check_hostname (yes); keep_hostname (yes); use_fqdn (yes); use_dns (yes); dns_cache (yes); dns_cache_size (1000); dns_cache_expire (43200); long_hostnames(on); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        internal();

        #
        # the following line will be replaced by the
        # socket list generated by SuSEconfig using
        # variables from /etc/sysconfig/syslog:
        #
        @SuSEconfig_SOCKETS@

        #
        # uncomment to process log messages from network:
        #
        #udp(ip("0.0.0.0") port(514));
};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid      { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { pipe("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

#
# News-messages in separate files:
#
destination newscrit   { file("/var/log/news/news.crit"
                              owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"
                              owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
                              owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr);  destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };


#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# SSH Filters
filter f_sshderr    { match('^sshd\[[0-9]+\]: error:'); };
filter f_sshd       { match('^sshd\[[0-9]+\]:'); };

# SSH Logging
destination sshderr { file("/var/log/sshd/sshderr.log"); };
log { source(src); filter(f_sshderr); destination(sshderr); flags(final); };

destination sshd { file("/var/log/sshd/sshd.log"); };
log { source(src); filter(f_sshd); destination(sshd); flags(final); };

SUSE version

testlinux:/etc/syslog-ng # cat /etc/*release
SUSE Linux Enterprise Server 10 (x86_64)
VERSION = 10
PATCHLEVEL = 4
LSB_VERSION="core-2.0-noarch:core-3.0-noarch:core-2.0-x86_64:core-3.0-x86_64"
testlinux:/etc/syslog-ng #

syslog-ng version

testlinux:/etc/syslog-ng # /sbin/syslog-ng -V
syslog-ng 1.6.8

I suppose syslog-ng with "use_dns" does not resolve all IPs to names in the logs.
I think "use_dns(yes)" resolves only the "$HOST_FROM" variable (that is, the one from a remote ssh client [if the remote ssh client sends to it]:
syslog-ng receives it and resolves the source IP to a NAME if it is possible; the other remaining logs are generated by the local sshd).
In the sshd error.log it seems resolved to names, but that is done by sshd itself (useDNS yes).
Maybe you can use a little script:

#!/bin/bash
# Work on a copy; collect the distinct source IPs of "Accepted" lines
# (field NF-3 is the IP in "... from <ip> port <n> ssh2").
cp sshd.log sshdn.log
awk '/Accepted/{a[$(NF-3)]++}END{for(i in a)print i}' sshdn.log |
while read -r IP ; do
    IPn=$(dig +short -x "$IP" | head -n1)   # first PTR answer, if any
    [ -z "$IPn" ] && continue               # no PTR record: keep the IP as is
    sed "/Accepted/s/$IP/$IPn/" sshdn.log >sshdnn.log && mv sshdnn.log sshdn.log
done
more sshdn.log

regards
ygemici
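An added example (not from this thread or from ygemici's script) that does the same annotation in Python, but keeps the IP and appends the name in parentheses, as the customer's updated request asked for, and only accepts a PTR name that resolves back to the same IP (forward-confirmed reverse DNS), since a PTR record is set by whoever controls the client's address space. The sample log lines, the 192.0.2.0/24 addresses and the `fcrdns_resolver` name are constructed for the example; the resolver is injectable so the lookup can be replaced offline.

```python
import re
import socket

# Constructed sample lines in the same shape as the thread's sshd.log.
SAMPLE_LOG = """\
Apr  6 10:55:40 src@testlinux.site sshd[29674]: Server listening on 0.0.0.0 port 22.
Apr  6 10:57:41 src@testlinux.site sshd[29696]: Accepted keyboard-interactive/pam for root from 192.0.2.10 port 63470 ssh2
Apr  6 11:18:08 src@testlinux.site sshd[21867]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.77 port 60394 ssh2
"""

# "from <IPv4>" followed by whitespace or end of line, in any sshd auth message
# (Accepted, Failed, and "error: PAM:" lines all use this form).
FROM_IP = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})(?=\s|$)")


def fcrdns_resolver(ip):
    """PTR lookup (like `dig -x`), accepted only if the returned name resolves
    forward to the same IP. Returns None when there is no confirmed name."""
    try:
        name = socket.gethostbyaddr(ip)[0]
        if ip in socket.gethostbyname_ex(name)[2]:
            return name
    except (socket.herror, socket.gaierror):
        pass
    return None


def annotate_line(line, resolver=fcrdns_resolver, cache=None):
    """Rewrite 'from <ip>' as 'from <ip> (<name>)'; the IP itself is kept so the
    log still records what the network actually saw."""
    cache = {} if cache is None else cache

    def repl(m):
        ip = m.group(1)
        if ip not in cache:            # one lookup per distinct IP
            cache[ip] = resolver(ip)
        name = cache[ip]
        return m.group(0) if name is None else f"from {ip} ({name})"

    return FROM_IP.sub(repl, line)


def annotate_log(text, resolver=fcrdns_resolver):
    """Annotate every line of a log, sharing the lookup cache across lines."""
    cache = {}
    return "\n".join(annotate_line(l, resolver, cache) for l in text.splitlines())


if __name__ == "__main__":
    print(annotate_log(SAMPLE_LOG))
```

Unlike the sed-based replacement, an unresolvable or unconfirmed IP is left exactly as it was rather than being replaced with an empty string.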


Thank you ygemici, for taking your time in helping me sort out this issue. I am so very grateful! BTW, useDNS works fine with the WTMP logs; I can get both the IP and the hostname (I think this has to do with something the network guy changed at his end, but I can't say what we're doing is in any way secure).

Your script worked like a charm; here are my before and after results.

BEFORE

testlinux:/var/log/sshd # more sshd.log
Apr  6 10:55:40 src@testlinux.site sshd[29089]: Received signal 15; terminating.
Apr  6 10:55:40 src@testlinux.site sshd[29674]: Server listening on 0.0.0.0 port 22.
Apr  6 10:57:41 src@testlinux.site sshd[29696]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 63470 ssh2
Apr 10 10:14:36 src@testlinux.site sshd[16795]: Accepted keyboard-interactive/pam for root from 191.255.1XX.XXX port 51735 ssh2

AFTER

testlinux:/var/log/sshd # ./test 
Apr  6 10:55:40 src@testlinux.site sshd[29089]: Received signal 15; terminating.
Apr  6 10:55:40 src@testlinux.site sshd[29674]: Server listening on 0.0.0.0 port 22.
Apr  6 10:57:41 src@testlinux.site sshd[29696]: Accepted keyboard-interactive/pam for root from my-cXXXX.myhq.XXXX.com.my. port 63470 ssh2
Apr 10 10:14:36 src@testlinux.site sshd[16795]: Accepted keyboard-interactive/pam for root from my-cXXXX.myhq.XXXX.com.my. port 51735 ssh2