I’m looking after the logs for login attempts, particularly failed attempts, as a way to monitor attacks to the NAS drive.
Typically in Linux system, login attempts can be found under /var/log/auth.log
. However I could not find any clues under /var/log
. I did find this old post with some instructions on how to turn on logging:
To enable logging I had to do two simple things:
- Add the following line in sshd_config: LogLevel VERBOSE (there is an important config already present in this file → SyslogFacility AUTHPRIV)
- Uncomment the following line in /usr/local/config/syslog.conf (this file gets copied over to /etc/syslog.conf at boot time): auth,authpriv.* /var/log/auth.log
This seems logic. The changes to syslog.conf
did persist after reboot. However the changes to sshd_config
were overwritten after the last update.
As a result, still no auth.log
under /var/log
and hence no logs of failed break-in attempts
So, anyone did manage to successfully log login attempts somehow?