Hands-on lab – configuring more verbose SSH logging

For this lab, use the same VM that you've been using for the previous labs. That way, you'll get a better picture of what a complete sshd_config file should look like when it's fully locked down. Remotely log into the target VM via SSH and follow these steps: 

  1. Open the main log file and scroll down to where you see the entry that was made due to your login. Observe what it says, and then exit less. For Ubuntu:

sudo less /var/log/auth.log

For CentOS:

sudo less /var/log/secure

  2. As I mentioned previously, you never want to run a production machine with the SSH log level set to any of the DEBUG levels. But, just so you can see what it does log, set your machine to DEBUG now. Open the /etc/ssh/sshd_config file in your favorite text editor. Find the line that says the following:

#LogLevel INFO

Change it to the following:

LogLevel DEBUG3

  3. After saving the file, restart SSH. On Ubuntu, do the following:

sudo systemctl restart ssh

On CentOS, do the following:

sudo systemctl restart sshd

  4. Log out of the SSH session, and then log back in. View the system log file to see the new entries from this new login.
  5. Open the /etc/ssh/sshd_config file for editing. Change the LogLevel DEBUG3 line to the following:

LogLevel VERBOSE

  6. After saving the file, restart the SSH daemon. Log out of the SSH session, log back in, and look at the entries in the system log file.

The main benefit of VERBOSE mode is that it will log the fingerprints of any key that was used to log in. This can be a big help with key management.
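
The fingerprint entries can be pulled out of the log and compared against a list of keys you expect, as in this added example (not part of the original lab). The sample log lines, user names, addresses, fingerprints and the KNOWN_KEYS inventory are constructed for illustration, and the code assumes the "Accepted publickey" line format that OpenSSH writes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape sshd writes to auth.log / secure.
# Users, addresses and fingerprints are made up for this example.
SAMPLE_LOG = """\
Mar  3 10:01:12 ubuntu sshd[2211]: Connection from 192.168.0.16 port 50122 on 192.168.0.50 port 22
Mar  3 10:01:13 ubuntu sshd[2211]: Accepted publickey for donnie from 192.168.0.16 port 50122 ssh2: ED25519 SHA256:AAAAexampleFingerprintOne0000000000000000000
Mar  3 10:07:40 ubuntu sshd[2290]: Accepted password for frank from 192.168.0.21 port 40110 ssh2
Mar  3 10:15:02 ubuntu sshd[2345]: Accepted publickey for donnie from 192.168.0.30 port 41877 ssh2: ED25519 SHA256:AAAAexampleFingerprintOne0000000000000000000
Mar  3 11:20:45 ubuntu sshd[2410]: Accepted publickey for backup from 192.168.0.99 port 38001 ssh2: RSA SHA256:BBBBexampleFingerprintTwo0000000000000000000
"""

# Hypothetical inventory: the fingerprints you have approved, per account.
KNOWN_KEYS = {"donnie": {"SHA256:AAAAexampleFingerprintOne0000000000000000000"}}

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2: (?P<type>\S+) (?P<fp>(?:SHA256|MD5):\S+)"
)

def key_logins(log_text):
    """Return {(user, key type, fingerprint): sorted list of source addresses}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:  # password logins and other sshd messages carry no fingerprint
            seen[(m["user"], m["type"], m["fp"])].add(m["ip"])
    return {key: sorted(ips) for key, ips in seen.items()}

def unknown_keys(logins, inventory):
    """Return the (user, fingerprint) pairs that are not in the inventory."""
    return sorted((user, fp) for (user, _type, fp) in logins
                  if fp not in inventory.get(user, set()))

if __name__ == "__main__":
    logins = key_logins(SAMPLE_LOG)
    for (user, ktype, fp), ips in sorted(logins.items()):
        print(f"{user:8} {ktype:8} {fp}  from {', '.join(ips)}")
    for user, fp in unknown_keys(logins, KNOWN_KEYS):
        print(f"REVIEW: {user} logged in with a key that is not in the inventory: {fp}")
```

To run it on real entries, pass key_logins() the text of /var/log/auth.log or /var/log/secure instead of SAMPLE_LOG.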

You've reached the end of the lab – congratulations!

Okay; so far, you've seen how to get more information about SSH logins in your system logs. Next, let's talk a bit about access control.
