On Wed, 06 Jun 2012 11:36:09 -0300, francis picabia wrote: > Today I see from logwatch report 28 sshd logins from one user at an IP > address in a different continent than usually seen here. > > When I look up this user with last command to see if this is part of a > travel pattern or perhaps their account is compromised, I don't get any > matches. I've used last and last -f /var/log/wtmp.1 with the user name > and there are no matches.
OpenSSH logins fall under "/var/log/auth*" logs. > Yet finger shows a login from Apr 24, which jives with their last > .bash_history update > > One way this could happen is by use of sftp/scp. Is there a way to get > last to record these sessions as well? Mmm... any specific reason for wanting these logs available within wtmp? :-? Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/jqnvkc$u68$1...@dough.gmane.org
