topic monitoring incorrect login ssh - sftp in Operating System - HP-UX https://community.hpe.com/t5/operating-system-hp-ux/monitoring-incorrect-login-ssh-sftp/m-p/3773627#M261787 Dear expert,<BR /><BR />I have read and try script to capture inforect login/ftp and su attempt from therad <BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=962197" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=962197</A> (Thanks to Mel Burslan for script - however there is error in line 10 and need some modification on line 20).<BR /><BR />Now I want to modify it to capture correct/incorrect ssh and sftp login. What should I grep the messages from syslog, for example :<BR />Apr 19 10:44:30 genrep sshd[16511]: subsystem request for sftp<BR />Apr 19 10:45:05 genrep sshd[16517]: error: PAM: Authentication failed for sysadm from mypc.com<BR />Apr 19 10:45:07 genrep sshd[16517]: Failed keyboard-interactive/pam for sysadm from xxx.xxx.xxx.xxx port 1617 ssh2<BR />Apr 19 10:45:11 genrep sshd[16517]: Accepted password for sysadm from xxx.xxx.xxx.xxx port 1617 ssh2<BR />Apr 19 10:45:07 genrep sshd[16517]: error: PAM: Authentication failed for sysadm from mypc.com<BR />Apr 19 10:45:13 genrep above message repeats 2 times<BR />Apr 19 11:04:34 genrep sshd[17740]: error: PAM: Authentication failed for sysadm from mypc.com<BR />Apr 19 11:04:36 genrep sshd[17740]: Failed keyboard-interactive/pam for sysadm from xxx.xxx.xxx.xxx port 1719 ssh2<BR />Apr 19 11:04:37 genrep sshd[17740]: Failed password for sysadm from xxx.xxx.xxx.xxx port 1719 ssh2<BR />Apr 19 11:04:36 genrep sshd[17740]: error: PAM: Authentication failed for sysadm from mypc.com<BR />Apr 19 11:04:49 genrep above message repeats 2 times<BR />Apr 19 11:04:49 genrep su: + 0 sysadm-root<BR />Apr 19 11:04:39 genrep sshd[17740]: Failed password for sysadm from xxx.xxx.xxx.xxx port 1719 ssh2<BR />Apr 19 11:05:01 genrep above message repeats 2 time.Apr 19 11:08:33 genrep sshd[18621]: Accepted keyboard-interactive/pam for sysadm from xxx.xxx.xxx.xxx port 1750 ssh2<BR />Apr 19 11:09:32 genrep sshd[18830]: Accepted keyboard-interactive/pam for sysadm from xxx.xxx.xxx.xxx port 1797 ssh2<BR />Apr 19 11:09:32 genrep sshd[18844]: subsystem request for sftp<BR /><BR />What is the different for incorrect login for sftp and ssh.<BR /><BR />Any idea ?<BR /><BR />Thanks a lot before,<BR /><BR />EKO Tue, 18 Apr 2006 23:12:52 GMT yunardi 2006-04-18T23:12:52Z monitoring incorrect login ssh - sftp https://community.hpe.com/t5/operating-system-hp-ux/monitoring-incorrect-login-ssh-sftp/m-p/3773627#M261787 Dear expert,<BR /><BR />I have read and try script to capture inforect login/ftp and su attempt from therad <BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=962197" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=962197</A> (Thanks to Mel Burslan for script - however there is error in line 10 and need some modification on line 20).<BR /><BR />Now I want to modify it to capture correct/incorrect ssh and sftp login. What should I grep the messages from syslog, for example :<BR />Apr 19 10:44:30 genrep sshd[16511]: subsystem request for sftp<BR />Apr 19 10:45:05 genrep sshd[16517]: error: PAM: Authentication failed for sysadm from mypc.com<BR />Apr 19 10:45:07 genrep sshd[16517]: Failed keyboard-interactive/pam for sysadm from xxx.xxx.xxx.xxx port 1617 ssh2<BR />Apr 19 10:45:11 genrep sshd[16517]: Accepted password for sysadm from xxx.xxx.xxx.xxx port 1617 ssh2<BR />Apr 19 10:45:07 genrep sshd[16517]: error: PAM: Authentication failed for sysadm from mypc.com<BR />Apr 19 10:45:13 genrep above message repeats 2 times<BR />Apr 19 11:04:34 genrep sshd[17740]: error: PAM: Authentication failed for sysadm from mypc.com<BR />Apr 19 11:04:36 genrep sshd[17740]: Failed keyboard-interactive/pam for sysadm from xxx.xxx.xxx.xxx port 1719 ssh2<BR />Apr 19 11:04:37 genrep sshd[17740]: Failed password for sysadm from xxx.xxx.xxx.xxx port 1719 ssh2<BR />Apr 19 11:04:36 genrep sshd[17740]: error: PAM: Authentication failed for sysadm from mypc.com<BR />Apr 19 11:04:49 genrep above message repeats 2 times<BR />Apr 19 11:04:49 genrep su: + 0 sysadm-root<BR />Apr 19 11:04:39 genrep sshd[17740]: Failed password for sysadm from xxx.xxx.xxx.xxx port 1719 ssh2<BR />Apr 19 11:05:01 genrep above message repeats 2 time.Apr 19 11:08:33 genrep sshd[18621]: Accepted keyboard-interactive/pam for sysadm from xxx.xxx.xxx.xxx port 1750 ssh2<BR />Apr 19 11:09:32 genrep sshd[18830]: Accepted keyboard-interactive/pam for sysadm from xxx.xxx.xxx.xxx port 1797 ssh2<BR />Apr 19 11:09:32 genrep sshd[18844]: subsystem request for sftp<BR /><BR />What is the different for incorrect login for sftp and ssh.<BR /><BR />Any idea ?<BR /><BR />Thanks a lot before,<BR /><BR />EKO Tue, 18 Apr 2006 23:12:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/monitoring-incorrect-login-ssh-sftp/m-p/3773627#M261787 yunardi 2006-04-18T23:12:52Z