A Guide to Dropbear Logs

Dropbear is a popular SSH (secure shell) server that is widely used on routers and other embedded devices. Most people are familiar with OpenSSH, but many routers, including OpenWRT-based devices and Unifi gear from Ubiquiti, ship Dropbear instead. Dropbear writes its messages through syslog, so to get at the logs you have to configure the router to forward its syslog to an external location. For example, on Unifi, you have to go to Settings->Remote Syslog.



Dropbear is a very lightweight server with a simple log format and few variations. It logs every connection, failed login, successful login and disconnection. A normal connection produces a sequence like this:



May 18 13:24:20 eff12311,udm-1.11.4.3940 dropbear[16421]: Child connection from 127.0.0.1:35508
May 18 13:24:20 eff12311,udm-1.11.4.3940 dropbear[16421]: Pubkey auth succeeded for 'root' with key sha1!! 7b:50:93:10:68:07:d6:bb:9e:d3:6c:46:d9:1d:1b:f0:9e:e9:a9:86 from 127.0.0.1:35508
May 18 13:24:20 eff12311,udm-1.11.4.3940 dropbear[16421]: Exit (root): Disconnect received


The first line, "Child connection from", shows that a TCP connection to the SSH port has been accepted. Dropbear forks a child process per connection, and the PID in brackets (16421 above) belongs to that child, so every line from the same session carries the same PID; that is how you tie the lines together. The second line, "Pubkey auth succeeded", shows that the login worked using an SSH public key, and records the user, the key fingerprint and the client address and port. The third line, "Exit (root): Disconnect received", shows that the SSH session was closed after the client sent a disconnect. If the user logged in with a password instead, the second line reads "Password auth succeeded".

On a failed password login, you see a line like this:

May 18 14:29:02 eff12311,udm-1.11.4.3940 dropbear[164429]: Bad password attempt for 'root' from 192.168.1.6:48629

This is pretty descriptive (Bad password attempt), and it also records the user name tried and the source address and port, which is what you pivot on when counting brute-force attempts against a device. Those are the main Dropbear logs we have noticed so far. Did we miss anything? Any more logs we should add?
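As an added example (not part of the original post, and not code from Dropbear or Ubiquiti), here is a small Python parser for the lines shown above. It strips the syslog prefix, classifies the message types this post describes (connection, pubkey or password success, bad password, exit), groups lines into sessions by the child PID, and flags a source address that accumulates bad password attempts, marking it separately if the same address later gets in with a password. The sample log is constructed: the three successful-session lines and the 14:29:02 bad-password line are copied from the post, and the remaining lines are made up in the same format. The shape of the "Password auth succeeded for ... from ..." line is an assumption (the pubkey line minus the key fingerprint), since the post only names the message.

```python
import re
from collections import Counter, defaultdict

# Syslog prefix as it arrives from the Unifi "Remote Syslog" export:
# "<Mon> <dd> <hh:mm:ss> <host> dropbear[<pid>]: <message>". The host field
# ("eff12311,udm-1.11.4.3940") has a comma but no spaces, so one \S+ covers it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message shapes described in the post. IPv4 only, as in the samples.
ADDR = r"(?P<ip>[\d.]+):(?P<port>\d+)"
MSG_PATTERNS = [
    ("connect", re.compile(r"^Child connection from " + ADDR + r"$")),
    # Assumption: "Password auth succeeded" looks like the pubkey line
    # without the " with key <fingerprint>" part.
    ("auth_ok", re.compile(r"^(?P<method>Pubkey|Password) auth succeeded for '(?P<user>[^']*)'"
                           r"(?: with key (?P<key>.+?))? from " + ADDR + r"$")),
    ("auth_fail", re.compile(r"^Bad password attempt for '(?P<user>[^']*)' from " + ADDR + r"$")),
    ("exit", re.compile(r"^Exit \((?P<user>[^)]*)\): (?P<reason>.*)$")),
]

# Constructed sample log: the first three lines and the 14:29:02 line are quoted
# from the post; the rest are invented in the same format to show a guessing run
# that eventually succeeds, plus one non-dropbear line that must be ignored.
SAMPLE_LOG = """\
May 18 13:24:20 eff12311,udm-1.11.4.3940 dropbear[16421]: Child connection from 127.0.0.1:35508
May 18 13:24:20 eff12311,udm-1.11.4.3940 dropbear[16421]: Pubkey auth succeeded for 'root' with key sha1!! 7b:50:93:10:68:07:d6:bb:9e:d3:6c:46:d9:1d:1b:f0:9e:e9:a9:86 from 127.0.0.1:35508
May 18 13:24:20 eff12311,udm-1.11.4.3940 dropbear[16421]: Exit (root): Disconnect received
May 18 14:28:59 eff12311,udm-1.11.4.3940 dropbear[164429]: Child connection from 192.168.1.6:48629
May 18 14:29:02 eff12311,udm-1.11.4.3940 dropbear[164429]: Bad password attempt for 'root' from 192.168.1.6:48629
May 18 14:29:03 eff12311,udm-1.11.4.3940 kernel: eth0: link is up
May 18 14:29:05 eff12311,udm-1.11.4.3940 dropbear[164429]: Bad password attempt for 'root' from 192.168.1.6:48629
May 18 14:29:09 eff12311,udm-1.11.4.3940 dropbear[164429]: Bad password attempt for 'root' from 192.168.1.6:48629
May 18 14:29:40 eff12311,udm-1.11.4.3940 dropbear[164455]: Child connection from 192.168.1.6:48700
May 18 14:29:41 eff12311,udm-1.11.4.3940 dropbear[164455]: Password auth succeeded for 'root' from 192.168.1.6:48700
May 18 14:31:07 eff12311,udm-1.11.4.3940 dropbear[164455]: Exit (root): Disconnect received
"""


def parse_line(line):
    """Return an event dict for a dropbear line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
          "type": "other", "msg": m["msg"]}
    for name, pat in MSG_PATTERNS:
        mm = pat.match(m["msg"])
        if mm:
            ev["type"] = name
            ev.update({k: v for k, v in mm.groupdict().items() if v is not None})
            break
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def sessions(events):
    """Group events by (host, child PID): all lines of one connection share the PID."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[(ev["host"], ev["pid"])].append(ev)
    return by_pid


def describe_session(evs):
    """One-line summary: where it came from, how auth went, how it ended."""
    src = next((f"{e['ip']}:{e['port']}" for e in evs if e["type"] == "connect"), "?")
    fails = sum(e["type"] == "auth_fail" for e in evs)
    ok = next((f"{e['method']} login as '{e['user']}'" for e in evs if e["type"] == "auth_ok"), None)
    end = next((e["reason"] for e in evs if e["type"] == "exit"), "no exit line")
    return f"from {src}, {fails} failed, {ok or 'no successful login'}, {end}"


def brute_force_alerts(events, threshold=3):
    """Source IPs with at least `threshold` bad password attempts, counted across
    connections (a guesser that is cut off simply reconnects). succeeded_after is
    True if that IP later logged in with a password, the case worth paging for."""
    failures = Counter()
    alerts = {}
    for ev in events:  # events are in log order
        if ev["type"] == "auth_fail":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] >= threshold:
                alerts.setdefault(ev["ip"], {"succeeded_after": False})["failures"] = failures[ev["ip"]]
        elif ev["type"] == "auth_ok" and ev.get("method") == "Password" and ev["ip"] in alerts:
            alerts[ev["ip"]]["succeeded_after"] = True
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (host, pid), sess in sessions(evs).items():
        print(f"{host} pid {pid}: {describe_session(sess)}")
    for ip, info in brute_force_alerts(evs).items():
        tail = ", then logged in with a password" if info["succeeded_after"] else ""
        print(f"ALERT {ip}: {info['failures']} bad password attempts{tail}")
```

Run as a script it prints one summary line per session and an alert for 192.168.1.6. The failure count is keyed on the source address rather than the PID on purpose: each reconnect gets a fresh child PID, so a per-session count would reset every time the guesser opens a new TCP connection.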





Posted in   log-guide   dropbear-logs     by Daniel Cid (@dcid)
