Thread: sshd logs to get sftp clients external IP's making sftp connections

  1. #1
    Join Date
    Jun 2021
    Beans
    1

    sshd logs to get sftp clients external IP's making sftp connections

    Hi folks,

    I'm not able to gather logs from the auth.log files for the last 1 year. The question is: does sshd save logs for this period? If yes, how should I gather them? I can only see last month's logs.

    Thanks


    A

  2. #2
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,904
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: sshd logs to get sftp clients external IP's making sftp connections

    Quote: Originally Posted by atulrajput0786
    I only can see last month logs.

    Did you check the contents of "/var/log"? Chances are log rotation is active and the old logs have been compressed and are now stored as *.gz (GNU zip) files.

  3. #3
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: sshd logs to get sftp clients external IP's making sftp connections

    Support, not chat.

    Thread moved to General Help.

  4. #4
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: sshd logs to get sftp clients external IP's making sftp connections

    You can configure logs to be retained for as long as you like. When it comes to ssh and related sensitive network connections, those should be locked down by firewall rules to a whitelist. If users will only come from your country, no need to allow the other 190+ country IPs to have any access at all. Block them.

    You can also use DenyHosts or Fail2Ban to dynamically block failed attempts, but I've seen where 3 attempts will come from each IP of about 1,000 and stop. Then they come back 62 minutes later and try again. Over and over and over. Why 62 minutes? Because the default firewall blocking is 1 hr. Change it to 1 week or 1 month to drastically reduce it. Also, ssh in the sshd_config file can force connections to only use key-based authentication or to allow passwords only from a few trusted subnets.

    Don't allow anyone without a legitimate need access to ssh, scp, rsync, sftp, or the 50 other connection stuff that is based on ssh.
    And one last thing. For a WAN connection, never use the default ssh port 22/tcp. Always shift that somewhere else.
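
Added example (not part of any post in this thread): one way to pull the source IPs of successful sshd logins, which includes sftp sessions since they authenticate through sshd, out of the current and rotated logs under /var/log mentioned in reply #2. The function names, the `--demo` switch and the sample log lines are constructed for illustration; the standard OpenSSH "Accepted ... for USER from IP" line format is assumed.

```shell
#!/bin/sh
# Added example: count successful sshd logins per source IP and user,
# reading auth.log, auth.log.1 and rotated auth.log.N.gz files alike.

# sshd_accepted_ips [LOGDIR]  ->  lines of "count ip user", busiest first
sshd_accepted_ips() {
    for f in "${1:-/var/log}"/auth.log*; do
        [ -f "$f" ] || continue
        # gzip -cdf decompresses .gz files and passes plain files through
        gzip -cdf -- "$f"
    done |
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            # Locate "Accepted <method> for <user> from <ip>" by position,
            # so the syslog timestamp format does not matter.
            for (i = 1; i + 5 <= NF; i++)
                if ($i == "Accepted" && $(i + 2) == "for" && $(i + 4) == "from") {
                    seen[$(i + 5) " " $(i + 3)]++
                    break
                }
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2
}

# Build a throwaway log directory from constructed sample lines
# (documentation-range IPs, hypothetical users). Prints the directory path.
make_sample_logs() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'Jun 10 12:00:01 host sshd[1201]: Accepted publickey for alice from 203.0.113.7 port 50412 ssh2' \
        'Jun 10 12:05:44 host sshd[1207]: Failed password for root from 198.51.100.9 port 40022 ssh2' \
        > "$d/auth.log"
    printf '%s\n' \
        'Jun  2 08:14:30 host sshd[911]: Accepted password for bob from 192.0.2.45 port 61000 ssh2' \
        > "$d/auth.log.1"
    printf '%s\n' \
        'May 20 23:10:02 host sshd[402]: Accepted publickey for alice from 203.0.113.7 port 49152 ssh2' \
        | gzip -c > "$d/auth.log.2.gz"
    echo "$d"
}

# "sh script.sh --demo" runs the function against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_logs) && sshd_accepted_ips "$dir" && rm -rf "$dir"
fi
```

Only files still on disk are covered: anything logrotate has already deleted is gone, so a year of history requires raising the retention settings first.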
