SSH logs

Borygo77 · June 1, 2019 at 9:23 PM

Guys anyone know where I can find logs related to ssh logins ? Just wondering if it's available in libreelec?

**kurai** · June 1, 2019 at 10:30 PM

LibreELEC uses systemd which has a centralised journal for logging, rather than the traditional older /var/log/syslog method.

Query the journal with journalctl .

e.g.

Code

journalctl |grep ssh

Borygo77 · June 1, 2019 at 10:34 PM

Thank you! I can only see last three hours. Is that ok ?

**kurai** · June 1, 2019 at 11:37 PM

Umm ... that depends. Did you reboot 3 hours ago ?

Borygo77 · June 2, 2019 at 10:01 AM

yep I did 😉

Well jurnalctl is very usefull! Thanks for that! But I do need log file still to configure fail2ban which is included in letsencrypt docker addon.

Anyone can point me where accepted and failed logins to ssh are stored ?

**vpeter** · June 2, 2019 at 10:10 AM

Quote from Borygo77

Anyone can point me where accepted and failed logins to ssh are stored ?

Maybe

Code

systemctl status sshd -l --no-pager

Borygo77 · June 2, 2019 at 10:19 AM

Can't see any location for acces log file here Thanks vpeter!

You're always trying to help! 😊

sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2019-05-31 19:10:06 IST; 1 day 15h ago
Main PID: 293 (sshd)
Memory: 10.6M
CGroup: /system.slice/sshd.service
├─ 293 /usr/sbin/sshd -D
├─22426 sshd: root@notty
├─22432 /usr/lib/openssh/sftp-server
├─24282 sshd: root@pts/1
├─24284 -sh
└─24301 systemctl status sshd -l --no-pager

**vpeter** · June 2, 2019 at 10:26 AM

I don't know if there is any such log file. BUt i see with command above

Code

Jun 02 11:25:22 LibreELEC sshd[1340]: Failed password for root from 192.168.2.3 port 47442 ssh2
Jun 02 11:25:22 LibreELEC sshd[1340]: Connection closed by authenticating user root 192.168.2.3 port 47442 [preauth]

Maybe some cron job could create log file with grepping systemctl status.

Borygo77 · June 2, 2019 at 10:32 AM

yep it works for me as well I can see login attempts but need them in log file 😉 Just wondering if changing /etc/systemd/system.conf would help ?

We have logtarget here

Code

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See systemd-system.conf(5) for details.

[Manager]
#LogLevel=info
#LogTarget=journal-or-kmsg
#LogColor=yes
#LogLocation=no
#DumpCore=yes
#ShowStatus=yes
#CrashChangeVT=no
#CrashShell=no
#CrashReboot=no
#CtrlAltDelBurstAction=reboot-force
#CPUAffinity=1 2
#JoinControllers=cpu,cpuacct net_cls,net_prio
#RuntimeWatchdogSec=0
#ShutdownWatchdogSec=10min
#CapabilityBoundingSet=
#NoNewPrivileges=no
#SystemCallArchitectures=
#TimerSlackNSec=
#DefaultTimerAccuracySec=1min
#DefaultStandardOutput=journal
#DefaultStandardError=inherit
#DefaultTimeoutStartSec=90s
#DefaultTimeoutStopSec=90s
#DefaultRestartSec=100ms
#DefaultStartLimitIntervalSec=10s
#DefaultStartLimitBurst=5
#DefaultEnvironment=
#DefaultCPUAccounting=no
#DefaultIOAccounting=no
#DefaultIPAccounting=no
#DefaultBlockIOAccounting=no
#DefaultMemoryAccounting=yes
#DefaultTasksAccounting=yes
#DefaultTasksMax=15%
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=
#DefaultLimitSTACK=
#DefaultLimitCORE=
#DefaultLimitRSS=
#DefaultLimitNOFILE=
#DefaultLimitAS=
#DefaultLimitNPROC=
#DefaultLimitMEMLOCK=
#DefaultLimitLOCKS=
#DefaultLimitSIGPENDING=
#DefaultLimitMSGQUEUE=
#DefaultLimitNICE=
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
#IPAddressAllow=
#IPAddressDeny=

Display More

**vpeter** · June 2, 2019 at 10:39 AM

Check if you can add StandardOutput to file in sshd.service file.

Borygo77 · June 2, 2019 at 10:46 AM

will do it later after work Thanks again!

**vpeter** · June 2, 2019 at 1:38 PM

edit file /storage/.cache/services/sshd.conf and change/add -E log_file

Code

SSH_ARGS="-E /var/log/sshd.log"

restart sshd service

Code

systemctl restart sshd

check log file /var/log/sshd.log

Code

cat /var/log/sshd.log

Borygo77 · June 2, 2019 at 5:24 PM

You're legend vpeter! Thanks a mill!

Borygo77 · June 4, 2019 at 11:11 AM

Got another question How can I preserve those changes between and after reboots ?

My log looks like this one below and I would like to have timestamps as well ? Any chances vpeter ?

Code

Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Accepted password for root from 192.168.1.19 port 58507 ssh2
Accepted password for root from 192.168.1.19 port 58508 ssh2
Accepted password for root from 192.168.1.19 port 60206 ssh2
Received disconnect from 192.168.1.19 port 58507:11: Normal Shutdown
Disconnected from user root 192.168.1.19 port 58507
Received disconnect from 192.168.1.19 port 60206:11: cleanup
Disconnected from user root 192.168.1.19 port 60206
Accepted password for root from 192.168.1.19 port 60269 ssh2
Accepted password for root from 192.168.1.19 port 60271 ssh2
Exiting on signal 15
Exiting on signal 15
Received signal 15; terminating.
Exiting on signal 15
Exiting on signal 15
Exiting on signal 15
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Accepted password for root from 185.178.71.131 port 52097 ssh2
Accepted password for root from 145.239.254.70 port 50212 ssh2
Accepted password for root from 145.239.254.70 port 50213 ssh2
Received disconnect from 145.239.254.70 port 50213:11: 
Disconnected from user root 145.239.254.70 port 50213
Accepted password for root from 145.239.254.70 port 50234 ssh2
Accepted password for root from 145.239.254.70 port 50235 ssh2
Received disconnect from 145.239.254.70 port 50235:11: 
Disconnected from user root 145.239.254.70 port 50235
Accepted password for root from 145.239.254.70 port 50238 ssh2
Accepted password for root from 145.239.254.70 port 50239 ssh2
Received disconnect from 145.239.254.70 port 50239:11: 
Disconnected from user root 145.239.254.70 port 50239
Accepted password for root from 145.239.254.70 port 50240 ssh2
Received signal 15; terminating.
Exiting on signal 15
Exiting on signal 15
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Accepted password for root from 192.168.1.19 port 61033 ssh2
Accepted password for root from 192.168.1.19 port 61034 ssh2
Accepted password for root from 192.168.1.19 port 61035 ssh2
Exiting on signal 15
Received signal 15; terminating.
Exiting on signal 15
Exiting on signal 15
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Accepted password for root from 192.168.1.19 port 61060 ssh2
Received signal 15; terminating.
Exiting on signal 15
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Accepted password for root from 192.168.1.43 port 50337 ssh2
Accepted password for root from 192.168.1.43 port 50339 ssh2
Received disconnect from 192.168.1.43 port 50337:11: Normal Shutdown
Disconnected from user root 192.168.1.43 port 50337
Invalid user roo from 192.168.1.43 port 50344
Could not get shadow information for NOUSER
Failed password for invalid user roo from 192.168.1.43 port 50344 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50344 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50344 ssh2
Received disconnect from 192.168.1.43 port 50344:11: Normal Shutdown [preauth]
Disconnected from invalid user roo 192.168.1.43 port 50344 [preauth]
Invalid user roo from 192.168.1.43 port 50345
Could not get shadow information for NOUSER
Failed password for invalid user roo from 192.168.1.43 port 50345 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50345 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50345 ssh2
Received disconnect from 192.168.1.43 port 50345:11: Normal Shutdown [preauth]
Disconnected from invalid user roo 192.168.1.43 port 50345 [preauth]
Invalid user roo from 192.168.1.43 port 50347
Could not get shadow information for NOUSER
Failed password for invalid user roo from 192.168.1.43 port 50347 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50347 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50347 ssh2
Received disconnect from 192.168.1.43 port 50347:11: Normal Shutdown [preauth]
Disconnected from invalid user roo 192.168.1.43 port 50347 [preauth]
Invalid user roo from 192.168.1.43 port 50348
Could not get shadow information for NOUSER
Failed password for invalid user roo from 192.168.1.43 port 50348 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50348 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50348 ssh2
Received disconnect from 192.168.1.43 port 50348:11: Normal Shutdown [preauth]
Disconnected from invalid user roo 192.168.1.43 port 50348 [preauth]
Invalid user roo from 192.168.1.43 port 50350
Could not get shadow information for NOUSER
Failed password for invalid user roo from 192.168.1.43 port 50350 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50350 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50350 ssh2
Received disconnect from 192.168.1.43 port 50350:11: Normal Shutdown [preauth]
Disconnected from invalid user roo 192.168.1.43 port 50350 [preauth]
Invalid user roo from 192.168.1.43 port 50351
Could not get shadow information for NOUSER
Failed password for invalid user roo from 192.168.1.43 port 50351 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50351 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50351 ssh2
Received disconnect from 192.168.1.43 port 50351:11: Normal Shutdown [preauth]
Disconnected from invalid user roo 192.168.1.43 port 50351 [preauth]
Invalid user roo from 192.168.1.43 port 50353
Could not get shadow information for NOUSER
Failed password for invalid user roo from 192.168.1.43 port 50353 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50353 ssh2
Failed password for invalid user roo from 192.168.1.43 port 50353 ssh2
Received disconnect from 192.168.1.43 port 50353:11: Normal Shutdown [preauth]
Disconnected from invalid user roo 192.168.1.43 port 50353 [preauth]
Accepted password for root from 192.168.1.43 port 50358 ssh2

Display More

**vpeter** · June 4, 2019 at 1:52 PM

Well, then one option is to fix sshd service file.

First remove added SSH_ARGS value from /storage/.cache/services/sshd.conf file.

Then copy sshd service file to storage and change ExecStart line.

Code

cp /usr/lib/systemd/system/sshd.service /storage/.config/system.d/
vi /storage/.config/system.d/sshd.service

ExecStart=/bin/sh -c "/usr/sbin/sshd -D $SSH_ARGS -e 2>&1 | awk '{print strftime(\"[%%Y-%%m-%%d %%H:%%M:%%S] \") $0}' >>/var/log/sshd.log"

systemctl daemon-reload
systemctl restart sshd
systemctl status sshd -l --no-pager

Borygo77 · June 4, 2019 at 4:06 PM

Thank you vpeter! 😊

Is there any manual you're following for ssh_args or got everything in your head ? 😳

**vpeter** · June 4, 2019 at 4:16 PM

I keep few things in my head. But in this case I was using sshd(8) - OpenBSD manual pages and few suggestions from Google

Borygo77 · June 4, 2019 at 4:29 PM

Told you before! You're legend to me! 😊 Will try it once back home.

Thanks again!

SSH logs

Similar Threads

[9.0.0] LibreELEC builds for MX2/G18

9.0.1 SSH, SMB and NFS not working

Librelect 9.x handbrake encoded video playback issue, video's work fine in 8.x