One day my Ubuntu (22.04) machine started writing auth.log entries that were too short.
The following auth.log lines are not recognized by fail2ban (sshd):
Mar 6 17:52:03 laphs sshd[13792]: pam_unix(sshd:auth): check pass; user unknown
Mar 6 17:52:03 laphs sshd[13792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.225.107.69
Mar 6 17:54:52 laphs sshd[13958]: pam_unix(sshd:auth): check pass; user unknown
Mar 6 17:54:52 laphs sshd[13958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.179.157.95
Mar 6 18:05:29 laphs sshd[15051]: pam_unix(sshd:auth): check pass; user unknown
Mar 6 18:05:29 laphs sshd[15051]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.179.157.95
Mar 6 18:12:41 laphs sshd[15643]: pam_unix(sshd:auth): check pass; user unknown
Mar 6 18:12:41 laphs sshd[15643]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.190.49.157
Mar 6 18:16:23 laphs sshd[15976]: pam_unix(sshd:auth): check pass; user unknown
Mar 6 18:16:23 laphs sshd[15976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.190.49.157
Mar 6 18:16:41 laphs sshd[16001]: pam_unix(sshd:auth): check pass; user unknown
Mar 6 18:16:41 laphs sshd[16001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.179.157.95
Mar 6 18:17:17 laphs sshd[16030]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.141.34.151 user=root
Mar 6 18:20:11 laphs sshd[16343]: pam_unix(sshd:auth): check pass; user unknown
Mar 6 18:20:11 laphs sshd[16343]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.225.107.69
Mar 6 18:28:06 laphs sshd[16711]: pam_unix(sshd:auth): check pass; user unknown
Last month's auth.log:
Jan 15 21:54:58 laphs sshd[1555]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 21:54:58 laphs sshd[1555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=170.83.79.29
Jan 15 21:55:00 laphs sshd[1555]: Failed password for invalid user wangkun from 170.83.79.29 port 44724 ssh2
Jan 15 21:55:00 laphs sshd[1555]: Received disconnect from 170.83.79.29 port 44724:11: Bye Bye [preauth]
Jan 15 21:55:00 laphs sshd[1555]: Disconnected from invalid user wangkun 170.83.79.29 port 44724 [preauth]
Jan 15 21:55:03 laphs sshd[1557]: Invalid user huachen from 159.89.132.160 port 32798
Jan 15 21:55:03 laphs sshd[1557]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 21:55:03 laphs sshd[1557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.89.132.160
Jan 15 21:55:05 laphs sshd[1557]: Failed password for invalid user huachen from 159.89.132.160 port 32798 ssh2
Jan 15 21:55:07 laphs sshd[1557]: Received disconnect from 159.89.132.160 port 32798:11: Bye Bye [preauth]
Jan 15 21:55:07 laphs sshd[1557]: Disconnected from invalid user huachen 159.89.132.160 port 32798 [preauth]
Jan 15 21:55:12 laphs sshd[1651]: Connection closed by authenticating user root 192.168.0.34 port 49550 [preauth]
I changed sshd's LogLevel, but it did not work. /etc/ssh/sshd_config:
...
# Logging
#SyslogFacility AUTH
# LogLevel VERBOSE
LogLevel DEBUG3
...
I can't find any solution... Can anyone help?
/etc/rsyslog.d/50-default.conf:
...
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
...
Answer 1
Solved it myself.
A month ago I changed the systemd log level in /etc/systemd/journald.conf:
MaxLevelStore=notice
MaxLevelSyslog=notice
because there were too many systemd logs in /var/log/syslog:
Mar 7 15:26:47 laphs systemd[1]: run-docker-runtime\x2drunc-moby-01de1a288d671d1b55cd95662c3c26341aa029b403e923a7b94a535ffa3daaa1-runc.hLmUbB.mount: Deactivated successfully.
Mar 7 15:27:17 laphs systemd[1]: run-docker-runtime\x2drunc-moby-01de1a288d671d1b55cd95662c3c26341aa029b403e923a7b94a535ffa3daaa1-runc.1okAs8.mount: Deactivated successfully.
Mar 7 15:27:47 laphs systemd[1]: run-docker-runtime\x2drunc-moby-01de1a288d671d1b55cd95662c3c26341aa029b403e923a7b94a535ffa3daaa1-runc.5o2GHy.mount: Deactivated successfully.
Comment out the two lines and restart systemd:
systemctl restart systemd-journald
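Why the fix above works, and how to check for the same condition on another host: sshd emits its "Failed password for ..." and "Invalid user ..." lines at syslog priority info (6), while pam_unix emits "authentication failure; ... rhost=..." at notice (5). A journald cap of MaxLevelSyslog=notice therefore still forwards the pam lines to rsyslog and /var/log/auth.log but silently drops the sshd lines that fail2ban's sshd filter keys on, and raising sshd's LogLevel to DEBUG3 cannot help because debug output is priority 7 and is dropped as well. The script below is an added diagnostic, not code from the question or the answer: it reads the effective MaxLevel* caps from a journald.conf-style file, flags a cap below info, and checks an auth.log excerpt for the symptom (pam failures present, no sshd failure lines). The journald.conf and log samples it writes to a temporary directory are constructed, with RFC 5737 documentation addresses in place of real hosts.

```shell
#!/bin/sh
# Added diagnostic script (not part of the original question or answer).
#   1. Does a journald.conf cap MaxLevelSyslog/MaxLevelStore below "info"?
#      sshd logs "Failed password"/"Invalid user" at syslog priority info (6),
#      pam_unix logs "authentication failure" at notice (5), so a cap of
#      "notice" keeps the pam lines and silently drops the sshd lines.
#   2. Does an auth.log show that symptom (pam failures but no sshd failures)?
# The journald.conf and auth.log samples written below are constructed.

# Map a journald level name (or digit) to its syslog priority number.
# Lower numbers are more severe; prints -1 for an unknown name.
level_num() {
    case "$1" in
        emerg|0)   printf '%s\n' 0 ;;
        alert|1)   printf '%s\n' 1 ;;
        crit|2)    printf '%s\n' 2 ;;
        err|3)     printf '%s\n' 3 ;;
        warning|4) printf '%s\n' 4 ;;
        notice|5)  printf '%s\n' 5 ;;
        info|6)    printf '%s\n' 6 ;;
        debug|7)   printf '%s\n' 7 ;;
        *)         printf '%s\n' -1 ;;
    esac
}

# Effective value of a MaxLevel* key in one journald.conf file: the last
# uncommented assignment wins; journald's compiled-in default is "debug".
journald_cap() {   # $1 = conf file, $2 = MaxLevelSyslog or MaxLevelStore
    cap=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p" "$1" | tail -n 1)
    [ -n "$cap" ] || cap=debug
    level_num "$cap"
}

# Exit 0 if journald would drop priority-info messages before they reach
# rsyslog and /var/log/auth.log, i.e. the condition behind the question.
drops_sshd_failures() {   # $1 = conf file
    [ "$(journald_cap "$1" MaxLevelSyslog)" -lt 6 ]
}

# Count sshd "Failed password" lines and pam_unix failure lines in a log.
# grep -c exits 1 when the count is 0; the count is still printed.
count_sshd_failed() { grep -c 'sshd\[[0-9]*\]: Failed password for' "$1" || true; }
count_pam_failed()  { grep -c 'pam_unix(sshd:auth): authentication failure' "$1" || true; }

# Exit 0 if the log shows pam failures but not a single sshd failure line.
log_looks_truncated() {   # $1 = auth.log
    [ "$(count_pam_failed "$1")" -gt 0 ] && [ "$(count_sshd_failed "$1")" -eq 0 ]
}

# --- constructed samples -------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# journald.conf as the asker had it: both caps set to notice.
cat > "$tmp/journald-capped.conf" <<'EOF'
[Journal]
#MaxLevelStore=debug
MaxLevelStore=notice
MaxLevelSyslog=notice
EOF

# journald.conf after the fix: the two lines commented out again.
cat > "$tmp/journald-fixed.conf" <<'EOF'
[Journal]
#MaxLevelStore=notice
#MaxLevelSyslog=notice
EOF

# auth.log excerpt in the truncated state (pam lines only).
cat > "$tmp/auth-short.log" <<'EOF'
Mar  6 17:52:03 laphs sshd[13792]: pam_unix(sshd:auth): check pass; user unknown
Mar  6 17:52:03 laphs sshd[13792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
EOF

# auth.log excerpt in the healthy state (sshd info-level lines present).
cat > "$tmp/auth-full.log" <<'EOF'
Jan 15 21:55:03 laphs sshd[1557]: Invalid user huachen from 192.0.2.20 port 32798
Jan 15 21:55:03 laphs sshd[1557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.20
Jan 15 21:55:05 laphs sshd[1557]: Failed password for invalid user huachen from 192.0.2.20 port 32798 ssh2
EOF

for conf in journald-capped.conf journald-fixed.conf; do
    if drops_sshd_failures "$tmp/$conf"; then
        echo "$conf: MaxLevelSyslog below info, sshd failure lines will be dropped"
    else
        echo "$conf: ok"
    fi
done

for log in auth-short.log auth-full.log; do
    if log_looks_truncated "$tmp/$log"; then
        echo "$log: pam failures but no sshd 'Failed password' lines (check journald MaxLevelSyslog)"
    else
        echo "$log: no truncation symptom"
    fi
done
```

On a live host, run `journald_cap /etc/systemd/journald.conf MaxLevelSyslog` and `log_looks_truncated /var/log/auth.log`. The script reads a single file, so drop-ins under /etc/systemd/journald.conf.d/ are not consulted; check those by hand. Once the cap is lifted, put sshd's LogLevel back to its default (INFO) rather than leaving DEBUG3 in place: the debug output did not help here and it writes credentials-adjacent detail into the log.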