I am using pptpd on Debian 6. I know that last shows the list of connections as well as the source IP.

I am looking for the log of unsuccessful authentication, or any form of alert/ban for a source IP failing to authenticate.

Is there anything that works with pptpd or wtmp? Or should I look at an external authentication mechanism (RADIUS?) to get the logs I need?

Thanks for your help

peyman

1 Answer

If you enable the logwtmp option in your pptpd.conf, you should see this in /var/log/messages:

pptpd.conf

# TAG: logwtmp
#       Use wtmp(5) to record client connections and disconnections.
#
logwtmp

/var/log/messages

Mar 13 19:45:23 pineapple pppd[25571]: No CHAP secret found for authenticating USERNAME
Mar 13 19:45:23 pineapple pppd[25571]: Peer riqa failed CHAP authentication
Mar 13 19:45:24 pineapple pptpd[25570]: CTRL: EOF or bad error reading ctrl packet length.
Mar 13 19:45:24 pineapple pptpd[25570]: CTRL: couldn't read packet header (exit)
Mar 13 19:45:24 pineapple pptpd[25570]: CTRL: CTRL read failed
Mar 13 19:45:24 pineapple pppd[25571]: Modem hangup
Mar 13 19:45:24 pineapple pppd[25571]: Connection terminated.
Mar 13 19:45:24 pineapple pppd[25571]: Exit.
Mar 13 19:45:24 pineapple pptpd[25570]: CTRL: Client w.x.y.z control connection finished
chocripple
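
Added example, not part of the answer above: in the log excerpt the pppd failure line carries the peer name but not the source address, which appears only on pptpd's "control connection finished" line. This sketch pairs the two to count failed CHAP attempts per source IP; the function names, threshold and sample lines are assumptions, and the pairing is a sequential heuristic.

```python
import re
from collections import Counter

# Line shapes taken from the /var/log/messages excerpt in the answer.
FAIL = re.compile(r"pppd\[\d+\]: Peer (\S+) failed CHAP authentication")
DONE = re.compile(r"pptpd\[\d+\]: CTRL: Client (\S+) control connection finished")

def failures_by_ip(lines):
    """Return (Counter ip -> failed logins, dict ip -> set of user names tried)."""
    counts, users, pending = Counter(), {}, []
    for line in lines:
        m = FAIL.search(line)
        if m:
            pending.append(m.group(1))      # source IP is not known yet
            continue
        m = DONE.search(line)
        if m:
            ip = m.group(1)
            # Assumption: failures since the previous "finished" line belong
            # to this client. Overlapping sessions can be misattributed.
            for user in pending:
                counts[ip] += 1
                users.setdefault(ip, set()).add(user)
            pending = []
    return counts, users

def offenders(lines, threshold=3):
    """IPs with at least `threshold` failed authentications, worst first."""
    counts, _ = failures_by_ip(lines)
    return [ip for ip, n in counts.most_common() if n >= threshold]

# Constructed sample log (documentation IP ranges, made-up user names).
SAMPLE = """\
Mar 13 19:45:23 pineapple pppd[25571]: Peer riqa failed CHAP authentication
Mar 13 19:45:24 pineapple pppd[25571]: Connection terminated.
Mar 13 19:45:24 pineapple pptpd[25570]: CTRL: Client 203.0.113.7 control connection finished
Mar 13 19:46:02 pineapple pppd[25580]: Peer admin failed CHAP authentication
Mar 13 19:46:03 pineapple pptpd[25579]: CTRL: Client 203.0.113.7 control connection finished
Mar 13 19:47:10 pineapple pptpd[25590]: CTRL: Client 192.0.2.10 control connection finished
Mar 13 19:48:41 pineapple pppd[25602]: Peer root failed CHAP authentication
Mar 13 19:48:42 pineapple pptpd[25601]: CTRL: Client 203.0.113.7 control connection finished
Mar 13 19:50:15 pineapple pppd[25611]: Peer bob failed CHAP authentication
Mar 13 19:50:16 pineapple pptpd[25610]: CTRL: Client 198.51.100.20 control connection finished
""".splitlines()

if __name__ == "__main__":
    counts, users = failures_by_ip(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip}\t{n}\t{','.join(sorted(users[ip]))}")
    print("over threshold:", offenders(SAMPLE))
```

The list returned by `offenders` can feed whatever blocking mechanism is already in use on the host.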