On Debian Squeeze I have sshd set up to not permit password logins and require key-based authentication.
I notice that when I attempt to log in from the WAN into my box with a bad SSH key, I do not get the "Failed publickey…." message in auth.log. I only get "Connection from…." logged and that's it.
When I log in from within my LAN to my box with a bad key, I do get "Failed publickey…." logged. I want to be able to log all failed publickey attempts to SSH.
Does anyone have any advice as to why it's not logging failed keys from the WAN?
Best Answer
I generally recommend increasing the default logging for sshd. The default loglevel is INFO, which gives you some minimal levels of information, but certainly not all. I recommend cranking that up to VERBOSE which will give you such events as the fingerprint of the key used for authentication, a log message when the user logs off, and should contain the failures that you're interested in.
Edit your /etc/ssh/sshd_config and find the setting for LogLevel. Change that such that it is VERBOSE. Then restart the sshd service.
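Added example, not part of the original question or answer: a small Python check that groups auth.log lines by sshd PID and flags connections that logged only "Connection from" with no publickey result, which is the symptom described in the question. The sample log lines, host name, PIDs and addresses are constructed, and the script assumes each connection's messages share one sshd PID.

```python
import re

# Constructed auth.log-style sample (documentation IP ranges, made-up PIDs).
SAMPLE_LOG = """\
Mar  3 10:01:12 box sshd[2101]: Connection from 192.0.2.10 port 40112
Mar  3 10:01:13 box sshd[2101]: Failed publickey for alice from 192.0.2.10 port 40112 ssh2
Mar  3 10:02:40 box sshd[2107]: Connection from 203.0.113.7 port 51544
Mar  3 10:03:05 box sshd[2110]: Connection from 192.0.2.10 port 40120
Mar  3 10:03:06 box sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 40120 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN = re.compile(r"^Connection from (?P<ip>\S+) port \d+")
AUTH = re.compile(
    r"^(?P<result>Failed|Accepted) publickey for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)

def classify(log_text):
    """Return {pid: (source_ip, state)} for every sshd connection seen.

    Assumption: all messages for one connection carry the same sshd PID.
    PIDs can be reused over time, so run this over one log window at a time.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        pid, msg = m["pid"], m["msg"]
        conn = CONN.match(msg)
        if conn:
            # A new "Connection from" starts (or restarts) the record for this PID.
            sessions[pid] = {"ip": conn["ip"], "failed": 0, "accepted": False}
            continue
        auth = AUTH.match(msg)
        if auth:
            s = sessions.setdefault(
                pid, {"ip": auth["ip"], "failed": 0, "accepted": False})
            if auth["result"] == "Failed":
                s["failed"] += 1
            else:
                s["accepted"] = True
    result = {}
    for pid, s in sessions.items():
        state = ("accepted" if s["accepted"]
                 else "failed_publickey" if s["failed"] else "connection_only")
        result[pid] = (s["ip"], state)
    return result

if __name__ == "__main__":
    for pid, (ip, state) in classify(SAMPLE_LOG).items():
        print(pid, ip, state)
```

Entries reported as connection_only are the ones worth re-checking after raising LogLevel, since they show a connection with no recorded authentication outcome.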