#1 2014-02-05 17:33:47

rin
Member
Registered: 2013-12-24
Posts: 31

auth.log empty / missing

I have ssh open to the world and I want to check the ssh logs, to see if anyone is trying to break in. On my Raspberry Pi, auth.log and other files are empty:

pi@tiny:~$ ls -l /var/log
total 640
-rw-r--r--  1 root root                 0 Feb  5 09:53 access-log
-rw-r--r--  1 root root                 0 Feb  5 09:53 aculog
-rw-r--r--  1 root root                 0 Feb  5 09:53 alternatives.log
-rw-r--r--  1 root root                 0 Feb  5 09:53 anaconda.log
-rw-r--r--  1 root root                 0 Feb  5 09:53 auth.log
-rw-r--r--  1 root root                 0 Feb  5 09:53 boot.log
-rw-------  1 root utmp            553344 Feb  5 17:26 btmp
-rw-------  1 root utmp             28800 Feb  1 01:14 btmp.1
-rw-r--r--  1 root root                 0 Feb  5 09:53 cron
-rw-r--r--  1 root root                 0 Feb  5 09:53 cups
-rw-r--r--  1 root root                 0 Feb  5 09:53 daemon.log
-rw-r--r--  1 root root                 0 Feb  5 09:53 dpkg.log
-rw-------  1 root root                24 Feb  5 17:26 faillog
drwxr-sr-x+ 3 root systemd-journal   4096 Jan  1  1970 journal
-rw-r--r--  1 root root                 0 Feb  5 09:53 kern.log
-rw-r--r--  1 root root            292292 Feb  5 17:14 lastlog
-rw-r--r--  1 root root                 0 Feb  5 09:53 maillog
-rw-r--r--  1 root root                 0 Feb  5 09:53 messages
drwxr-xr-x  2 root root              4096 Jun  4  2013 old
-rw-r--r--  1 root root             22526 Feb  2 23:10 pacman.log
-rw-r--r--  1 root root                 0 Feb  5 09:53 secure
-rw-r--r--  1 root root                 0 Feb  5 09:53 spooler
-rw-r--r--  1 root root                 0 Feb  5 09:53 sudolog
-rw-r--r--  1 root root                 0 Feb  5 09:53 user.log
-rw-r--r--  1 root root                 0 Feb  5 09:53 utmp
-rw-rw-r--  1 root utmp              4224 Feb  5 17:14 wtmp
-rw-r--r--  1 root root                 0 Feb  5 09:53 Xorg.x.log
-rw-r--r--  1 root root                 0 Feb  5 09:53 yum.log

And on my laptop, it's not there!

tom@nyx:~$ ls -l /var/log
total 1744
-rw-------  1 root    utmp               4608 Feb  1 11:25 btmp
-rw-------  1 root    root              32032 Feb  5 17:28 faillog
drwx--x--x  2 root    gdm                4096 Dec 28 14:56 gdm
drwxr-sr-x+ 3 root    systemd-journal    4096 Dec  5 17:27 journal
-rw-r--r--  1 root    root               4621 Dec 28 15:11 kdm.log
-rw-r--r--  1 root    root             292292 Feb  5 17:28 lastlog
drwx--x--x  2 lightdm lightdm            4096 Feb  1 07:32 lightdm
drwxr-xr-x  2 root    root               4096 May 31  2013 old
-rw-r--r--  1 root    root             187025 Feb  5 14:21 pacman.log
drwxr-xr-x  2 root    root               4096 Oct 27 00:00 speech-dispatcher
-rw-rw-r--  1 root    utmp            1437312 Feb  5 17:28 wtmp
-rw-r--r--  1 root    root               2603 Dec  5 19:47 xdm.log
-rw-r--r--  1 root    root              20308 Feb  3 21:41 Xorg.0.log
-rw-r--r--  1 root    root              19508 Feb  1 00:23 Xorg.0.log.old
-rw-r--r--  1 root    users              6977 Jan 30 20:52 Xorg.1.log

Where can I find the ssh logs?
Thanks

#2 2014-02-05 18:36:08

mychris
Member
From: Munich
Registered: 2012-09-15
Posts: 68

Re: auth.log empty / missing

Try the systemd journal

# journalctl --unit sshd

#3 2014-02-05 18:54:47

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,804

Re: auth.log empty / missing

rin wrote:

I have ssh open to the world and I want to check the ssh logs, to see if anyone is trying to break in.
Thanks

They are.  Oh, they are.

You may need to run journalctl as root (kind of implicit in the command given above; I thought I would make it explicit). I recommend sshguard.

ewaller$@$odin ~ 1017 %journalctl -u sshguard --no-pager | grep Blocking
Jan 30 02:47:08 odin sshguard[1436]: Blocking 216.82.193.144:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Jan 30 05:01:15 odin sshguard[1436]: Blocking 85.114.133.83:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Jan 30 08:35:55 odin sshguard[1436]: Blocking 162.220.166.192:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Jan 30 08:37:41 odin sshguard[1436]: Blocking 61.139.5.22:4 for >630secs: 40 danger in 4 attacks over 15 seconds (all: 40d in 1 abuses over 15s).
Jan 30 09:41:08 odin sshguard[1436]: Blocking 61.56.92.7:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
Jan 30 13:37:53 odin sshguard[1436]: Blocking 198.15.89.170:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Jan 30 19:23:09 odin sshguard[1436]: Blocking 123.129.216.39:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Jan 30 21:00:33 odin sshguard[1436]: Blocking 61.255.92.34:4 for >630secs: 40 danger in 4 attacks over 136 seconds (all: 40d in 1 abuses over 136s).
Jan 31 00:22:44 odin sshguard[1436]: Blocking 60.248.165.106:4 for >630secs: 40 danger in 4 attacks over 10 seconds (all: 40d in 1 abuses over 10s).
Jan 31 12:44:48 odin sshguard[1436]: Blocking 218.26.89.179:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Jan 31 14:02:30 odin sshguard[1436]: Blocking 62.218.141.202:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Jan 31 18:49:29 odin sshguard[1436]: Blocking 60.199.196.140:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Jan 31 19:49:08 odin sshguard[1436]: Blocking 211.143.33.81:4 for >630secs: 40 danger in 4 attacks over 13 seconds (all: 40d in 1 abuses over 13s).
Jan 31 21:48:38 odin sshguard[1436]: Blocking 123.108.111.191:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Jan 31 21:55:17 odin sshguard[1436]: Blocking 60.199.196.140:4 for >945secs: 40 danger in 4 attacks over 10 seconds (all: 80d in 2 abuses over 11159s).
Feb 01 04:34:54 odin sshguard[1436]: Blocking 218.94.68.8:4 for >630secs: 40 danger in 4 attacks over 15 seconds (all: 40d in 1 abuses over 15s).
Feb 01 06:14:07 odin sshguard[1436]: Blocking 218.26.89.179:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 62968s).
Feb 02 03:20:22 odin sshguard[1436]: Blocking 208.43.250.123:4 for >630secs: 40 danger in 4 attacks over 136 seconds (all: 40d in 1 abuses over 136s).
Feb 02 03:42:45 odin sshguard[1436]: Blocking 222.85.90.245:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Feb 02 03:44:00 odin sshguard[1436]: Blocking 61.182.170.38:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
Feb 02 05:51:28 odin sshguard[1436]: Blocking 211.143.33.82:4 for >630secs: 40 danger in 4 attacks over 14 seconds (all: 40d in 1 abuses over 14s).
Feb 02 07:53:36 odin sshguard[1436]: Blocking 124.162.54.171:4 for >630secs: 40 danger in 4 attacks over 104 seconds (all: 40d in 1 abuses over 104s).
Feb 02 09:16:09 odin sshguard[1436]: Blocking 77.40.50.146:4 for >630secs: 40 danger in 4 attacks over 3 seconds (all: 40d in 1 abuses over 3s).
Feb 02 13:08:35 odin sshguard[1436]: Blocking 61.136.171.198:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Feb 02 14:04:23 odin sshguard[1436]: Blocking 202.162.221.220:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Feb 02 15:51:14 odin sshguard[1436]: Blocking 95.43.105.132:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Feb 02 22:03:13 odin sshguard[1436]: Blocking 61.153.55.219:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Feb 02 23:19:25 odin sshguard[1436]: Blocking 50.57.108.188:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Feb 03 07:36:17 odin sshguard[1436]: Blocking 212.85.158.124:4 for >630secs: 40 danger in 4 attacks over 15 seconds (all: 40d in 1 abuses over 15s).
Feb 03 11:20:03 odin sshguard[1436]: Blocking 212.85.158.124:4 for >945secs: 40 danger in 4 attacks over 12 seconds (all: 80d in 2 abuses over 13441s).
Feb 03 11:26:16 odin sshguard[1436]: Blocking 222.85.90.245:4 for >945secs: 40 danger in 4 attacks over 4 seconds (all: 80d in 2 abuses over 114217s).
Feb 03 17:58:52 odin sshguard[1436]: Blocking 94.84.218.16:4 for >630secs: 40 danger in 4 attacks over 193 seconds (all: 40d in 1 abuses over 193s).
Feb 03 20:52:15 odin sshguard[1438]: Blocking 88.208.222.32:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Feb 03 22:16:04 odin sshguard[1438]: Blocking 211.143.33.81:4 for >630secs: 40 danger in 4 attacks over 14 seconds (all: 40d in 1 abuses over 14s).
Feb 04 04:16:19 odin sshguard[1438]: Blocking 82.200.168.218:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Feb 04 07:32:03 odin sshguard[1438]: Blocking 212.85.158.124:4 for >630secs: 40 danger in 4 attacks over 10 seconds (all: 40d in 1 abuses over 10s).
Feb 04 08:40:04 odin sshguard[1438]: Blocking 212.85.158.124:4 for >945secs: 40 danger in 4 attacks over 15 seconds (all: 80d in 2 abuses over 4091s).
Feb 04 10:44:13 odin sshguard[1438]: Blocking 111.205.154.253:4 for >630secs: 40 danger in 4 attacks over 10 seconds (all: 40d in 1 abuses over 10s).
Feb 04 11:24:57 odin sshguard[1438]: Blocking 95.154.196.170:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Feb 04 15:23:32 odin sshguard[1438]: Blocking 95.154.196.170:4 for >945secs: 40 danger in 4 attacks over 11 seconds (all: 80d in 2 abuses over 14326s).
Feb 04 16:18:08 odin sshguard[1438]: Blocking 88.150.186.179:4 for >630secs: 40 danger in 4 attacks over 10 seconds (all: 40d in 1 abuses over 10s).
Feb 04 19:06:56 odin sshguard[1438]: Blocking 95.154.196.170:4 for >0secs: 40 danger in 4 attacks over 10 seconds (all: 120d in 3 abuses over 27730s).
Feb 05 03:00:30 odin sshguard[1420]: Blocking 211.141.34.111:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Feb 05 03:12:58 odin sshguard[1420]: Blocking 211.141.34.111:4 for >945secs: 40 danger in 4 attacks over 12 seconds (all: 80d in 2 abuses over 759s).
Feb 05 04:58:48 odin sshguard[1420]: Blocking 173.161.194.189:4 for >630secs: 40 danger in 4 attacks over 90 seconds (all: 40d in 1 abuses over 90s).
Feb 05 05:57:39 odin sshguard[1420]: Blocking 213.209.108.4:4 for >630secs: 40 danger in 4 attacks over 136 seconds (all: 40d in 1 abuses over 136s).
Feb 05 07:32:17 odin sshguard[1420]: Blocking 193.107.16.206:4 for >630secs: 40 danger in 4 attacks over 55 seconds (all: 40d in 1 abuses over 55s).
ewaller$@$odin ~ 1018 %

Last edited by ewaller (2014-02-05 18:55:55)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
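
Added example, not part of ewaller's post and not sshguard's own code: a small Python parser for the "Blocking" lines in the format shown above, which counts blocks per address across the whole journal so repeat offenders stay visible even after sshguard restarts (the PID changes in the output above). The sample lines are constructed, using RFC 5737 documentation addresses, and the reading of ">0secs" as a block with no timed release is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format shown in the post above; the
# addresses are RFC 5737 documentation ranges, not taken from a real log.
SAMPLE = """\
Jan 30 02:47:08 odin sshguard[1436]: Blocking 192.0.2.10:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Jan 30 05:01:15 odin sshguard[1436]: Blocking 198.51.100.7:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Jan 30 09:12:40 odin sshguard[1436]: Blocking 192.0.2.10:4 for >945secs: 40 danger in 4 attacks over 10 seconds (all: 80d in 2 abuses over 23140s).
Jan 30 11:00:02 odin sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jan 30 14:29:51 odin sshguard[1436]: Blocking 192.0.2.10:4 for >0secs: 40 danger in 4 attacks over 9 seconds (all: 120d in 3 abuses over 42171s).
"""

# "<addr>:<4|6>" is the address followed by its IP version, as in the log above.
BLOCK_RE = re.compile(
    r"sshguard\[\d+\]: Blocking (?P<addr>\S+):(?P<kind>[46]) "
    r"for >(?P<secs>\d+)secs: (?P<danger>\d+) danger in (?P<attacks>\d+) attacks "
    r"over \d+ seconds \(all: (?P<total>\d+)d in (?P<abuses>\d+) abuses over \d+s\)"
)

def summarize(lines):
    """Return {address: {"blocks", "max_secs", "total_danger", "permanent"}}."""
    stats = defaultdict(lambda: {"blocks": 0, "max_secs": 0,
                                 "total_danger": 0, "permanent": False})
    for line in lines:
        m = BLOCK_RE.search(line)
        if not m:
            continue  # not an sshguard block decision (e.g. raw sshd lines)
        s = stats[m["addr"]]
        s["blocks"] += 1
        s["max_secs"] = max(s["max_secs"], int(m["secs"]))
        s["total_danger"] = max(s["total_danger"], int(m["total"]))
        # Assumption: a release time of 0 marks a block with no timed
        # release, as in the ">0secs ... 3 abuses" line in the post.
        if int(m["secs"]) == 0:
            s["permanent"] = True
    return dict(stats)

def repeat_offenders(stats):
    """Addresses that were blocked more than once in the parsed lines."""
    return sorted(addr for addr, s in stats.items() if s["blocks"] > 1)

if __name__ == "__main__":
    for addr, s in sorted(summarize(SAMPLE.splitlines()).items()):
        print(addr, s)
```

To run it on a live system, feed it the lines from `journalctl -u sshguard --no-pager` instead of `SAMPLE`.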

#4 2014-02-05 20:41:33

rin
Member
Registered: 2013-12-24
Posts: 31

Re: auth.log empty / missing

pi@tiny:~$ sudo journalctl --unit sshd
[sudo] password for pi: 
pi@tiny:~$ sudo journalctl
pi@tiny:~$ 

I have no journal? sad

#5 2014-02-06 10:03:27

rin
Member
Registered: 2013-12-24
Posts: 31

Re: auth.log empty / missing

tom@tom-pc:~$ ssh tiny
-bash: u~set: command not found
-bash: unseu: command not found
-bash: 5oset: command not found
-bash: $'unsetMAIlC\310ECK': command not found
-bash: unset: `MYLCHECK': not a valid identifier
-bash: unset!MAILCHECK: command not found
-bash: $'unsmt\240MAILCHGCK': command not found
-bash: unsed: command not found
-bash: unset: `MAILCHCK': not a valid identifier
-bash: unset: `MAICHECK
                        unset': not a valid identifier
-bash: unset: `MAiLCHCK': not a valid identifier
-bash: unsat: command not found
-bash: /etc/profile: line 2069: syntax error near unexpected token `MAILCHECK*qnset'
-bash: /etc/profile: line 2069: `unset(MAILCHECK*qnset MAKLCHECK'
pi@tiny:~$
pi@tiny:~$ sudo pacman -Syu
[sudo] password for pi: 
error: failed to initialise alpm library (could not find or read directory)
pi@tiny:~$ ls -l /var/lib/pacman
ls: cannot access /var/lib/pacman: Input/output error
pi@tiny:~$ ls -l /var/
ls: cannot access /var/tmp: Input/output error
ls: cannot access /var/local: Input/output error
total 32
drwxr-xr-x  6 root root  4096 Dec 25  2013 cache
drwxr-xr-x  3 root root  4096 Jan  1 01:53 db
drwxr-xr-x  2 root root  4096 Jun  4  2013 empty
drwxrwxr-x  2 root games 4096 Jun  4  2013 games
drwxr-xr-x 16 root root  4096 Feb  5  2014 lib
d?????????  ? ?    ?        ?            ? local
lrwxrwxrwx  1 root root    11 Jan  1 01:10 lock -> ../run/lock
drwxr-xr-x  4 root root  4096 Feb  3  2014 log
lrwxrwxrwx  1 root root    10 Jan  1 01:10 mail -> spool/mail
drwxr-xr-x  2 root root  4096 Jun  4  2013 opt
lrwxrwxrwx  1 root root     6 Jan  1 01:10 run -> ../run
drwxr-xr-x  5 root root  4096 Jan  1 01:10 spool
d?????????  ? ?    ?        ?            ? tmp

I have no idea what I've done to this Raspberry Pi, nothing seems to be working! It did overheat one night; maybe that screwed some stuff up.

Maybe I should just reinstall the OS?
