#1 2007-06-11 01:17:04

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

TCP wrappers not logging?

I recently opened up my SSH server to the world (so I can log in from outside my home network to my server). Did some reading up, found out TCP wrappers acts as an intermediary to decide whether or not a request for a given application gets acknowledged.

SSH logs authentication attempts to /var/log/auth.log. So far, so good. I tried logging in from work, got bounced. Found the entries in that file.

Today, I tried to log in again, got bounced (again), however, no sign of it in auth.log. I wanted to check what TCP wrappers had to tell me about this, only to find out it (tcpd) does not seem to log anywhere? /etc/syslog-ng.conf has no tcpd entries.

Since the contents of syslog-ng.conf look a bit complicated, can someone enlighten me on how to add tcpd logging facilities to it, and also tell me why it is not enabled by default?

The tcpd manual refers to the system logging utility for further info on its logs, and since it has no own config file, there doesn't seem to be a way to set up tcpd independently to log its activities somewhere.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy


#2 2007-06-11 09:28:37

briest
Member
From: Katowice, PL
Registered: 2006-05-04
Posts: 468

Re: TCP wrappers not logging?

Tcpd is rarely used by itself; most programs (including openssh) use libwrap (the same package, the same functionality, but a library instead of a separate process). Look at the bounce entry in auth.log, you'd see it comes from sshd, not tcpd. Therefore you can't distinguish log entries coming from tcpwrappers and the 'wrapped' program. If you really want to, you can use sshd via tcpd via (x)inetd, but it seems unnecessarily complicated, to me at least.


#3 2007-06-11 16:53:00

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: TCP wrappers not logging?

The thing is: I see the sshd entry in auth.log, which means tcp_wrappers allowed the connection to pass through (if not it should have never reached sshd, right?).

Last night there weren't even any entries in auth.log, so that's why I'd like to have tcp_wrappers logging the attempts it bounces (if possible).

Anyway, maybe it's just PuTTY acting up about that RSA key.



#4 2007-06-13 19:55:38

briest
Member
From: Katowice, PL
Registered: 2006-05-04
Posts: 468

Re: TCP wrappers not logging?

B wrote:

The thing is: I see the sshd entry in auth.log, which means tcp_wrappers allowed the connection to pass through (if not it should have never reached sshd, right?).

No. Sshd checks hosts.* rules by itself (via libwrap functions), and tcpd is never run. So, it is sshd which logs the connection, successful or not. See, there's an excerpt from auth.log; the connection was refused because of hosts.* settings:

Jun 13 21:42:06 kreml sshd[19994]: refused connect from 87.207.23.75

B wrote:

Last night there weren't even any entries in auth.log, so that's why I'd like to have tcp_wrappers logging the attempts it bounces (if possible).

Maybe the connection wasn't refused by the wrapper (leaving aside how it is called), but by some other means? Anyway, you won't find tcpd entries in the logs or in the syslogd configuration; it is rarely used nowadays, in favor of direct linking with libwrap.

Of course, I'm talking about Arch defaults here, you can arrange your config to make use of tcpd.
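
Because the refusal is logged under the wrapped daemon's own tag, libwrap denials can be found in auth.log by matching the message text shown in the excerpt above rather than looking for a tcpd tag. The following is an added example, not part of the original thread; the function names, the `exampled` daemon and all sample lines except the first are constructed.

```shell
#!/bin/sh
# Added example: summarise libwrap ("TCP wrappers") refusals found in
# auth.log lines. A libwrap-linked daemon logs the denial under its own
# syslog tag, e.g. "sshd[19994]: refused connect from 87.207.23.75".
# Assumes the traditional "Mon DD HH:MM:SS host tag: message" line layout.

# libwrap_refusals (hypothetical name): reads log lines on stdin and prints
# "count daemon source", highest count first.
libwrap_refusals() {
    awk '
    # Field 5 is the syslog tag "daemon[pid]:"; the message starts at field 6.
    $6 == "refused" && $7 == "connect" && $8 == "from" {
        tag = $5
        sub(/\[[0-9]+\]:$/, "", tag)   # strip "[pid]:"
        sub(/:$/, "", tag)             # tag logged without a pid
        n[tag " " $9]++                # $9 is the client as logged
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input in the same format as the excerpt in the thread.
sample_log() {
cat <<'EOF'
Jun 13 21:42:06 kreml sshd[19994]: refused connect from 87.207.23.75
Jun 13 21:42:09 kreml sshd[19997]: refused connect from 87.207.23.75
Jun 13 21:43:11 kreml sshd[20011]: Failed password for root from 192.0.2.10 port 4022 ssh2
Jun 13 21:44:30 kreml exampled[20030]: refused connect from 198.51.100.7
Jun 13 21:45:02 kreml sshd[20041]: Accepted publickey for b from 192.0.2.44 port 51122 ssh2
EOF
}

sample_log | libwrap_refusals
```

If a connection attempt leaves no line at all here, it was dropped before the daemon's libwrap check ran (for example by a firewall or router), which matches the "some other means" case mentioned in the reply above.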
