A Guide to Dropbear Logs

Dropbear is a popular SSH (secure shell) package that is widely used by routers. Most people are familiar with OpenSSH, but the majority of routers, including OpenWRT and Unifi (from Ubiquiti), use Dropbear instead. To get access to the Dropbear logs, you have to configure your router to export the logs to an external location. For example, on Unifi, you have to go to Settings->Remote Syslog.

Dropbear is a very lightweight package with a very simple log format and few variations. It logs every connection, failed login, successful login and disconnection. The flow of a connection looks like:

May 18 13:24:20 eff12311,udm- dropbear[16421]: Child connection from
May 18 13:24:20 eff12311,udm- dropbear[16421]: Pubkey auth succeeded for 'root' with key sha1!! 7b:50:93:10:68:07:d6:bb:9e:d3:6c:46:d9:1d:1b:f0:9e:e9:a9:86 from
May 18 13:24:20 eff12311,udm- dropbear[16421]: Exit (root): Disconnect received

The first line, "Child connection from", shows that a TCP connection to SSH has been completed. The second line, "Pubkey auth succeeded", shows that the login worked, using SSH public keys. The third line, "Disconnect received", shows that the SSH session was closed. If the user had logged in with a password, you would see "Password auth succeeded" instead.

On a failure, you see a log similar to this:

May 18 14:29:02 eff12311,udm- dropbear[164429]: Bad password attempt for 'root' from

Which is pretty descriptive (Bad password attempt). And those are the main logs from Dropbear that we have noticed so far. Did we miss anything? Any more logs we should add?
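A parser for the four messages described above, as an added example that is not part of the original guide: it groups lines by the Dropbear child PID, so failed logins can be tied back to their connection even when the address after "from" is missing. The sample lines, their addresses and the threshold of 3 are constructed assumptions.

```python
import re

# Constructed sample: addresses (RFC 5737 range), ports and key fingerprint are made up.
SAMPLE = """\
May 18 13:24:20 eff12311,udm- dropbear[16421]: Child connection from 192.0.2.10:51514
May 18 13:24:20 eff12311,udm- dropbear[16421]: Pubkey auth succeeded for 'root' with key sha1!! aa:bb:cc:dd from 192.0.2.10:51514
May 18 13:24:20 eff12311,udm- dropbear[16421]: Exit (root): Disconnect received
May 18 14:29:01 eff12311,udm- dropbear[16442]: Child connection from 198.51.100.7:40022
May 18 14:29:02 eff12311,udm- dropbear[16442]: Bad password attempt for 'root' from 198.51.100.7:40022
May 18 14:29:04 eff12311,udm- dropbear[16442]: Bad password attempt for 'root' from 198.51.100.7:40022
May 18 14:29:06 eff12311,udm- dropbear[16442]: Bad password attempt for 'root' from
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) .*?dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# One pattern per message described in the guide; the address after "from" is optional.
EVENTS = [
    ("connect", re.compile(r"^Child connection from ?(?P<src>\S*)")),
    ("login_ok", re.compile(r"^(?P<method>Pubkey|Password) auth succeeded for '(?P<user>[^']*)'.* from ?(?P<src>\S*)$")),
    ("login_fail", re.compile(r"^Bad password attempt for '(?P<user>[^']*)' from ?(?P<src>\S*)")),
    ("exit", re.compile(r"^Exit \((?P<user>[^)]*)\): (?P<reason>.*)$")),
]

def parse(line):
    """Return a dict describing one Dropbear log line, or None if it is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    for name, pattern in EVENTS:
        hit = pattern.match(m["msg"])
        if hit:
            return {"ts": m["ts"], "pid": int(m["pid"]), "event": name, **hit.groupdict()}
    # Dropbear line with a message this guide does not cover: keep it for review.
    return {"ts": m["ts"], "pid": int(m["pid"]), "event": "unknown", "msg": m["msg"]}

def sessions(lines):
    """Group events by child PID, which ties the lines of one connection together."""
    out = {}
    for ev in filter(None, map(parse, lines)):
        s = out.setdefault(ev["pid"], {"src": "", "user": None, "method": None, "fails": 0, "closed": False})
        s["src"] = s["src"] or ev.get("src", "")      # first non-empty address wins
        s["user"] = ev.get("user") or s["user"]
        if ev["event"] == "login_ok":
            s["method"] = ev["method"]
        s["fails"] += ev["event"] == "login_fail"
        s["closed"] |= ev["event"] == "exit"
    return out

def suspicious(lines, threshold=3):
    """Connections with at least `threshold` bad passwords and no successful login."""
    return {p: s for p, s in sessions(lines).items() if s["fails"] >= threshold and s["method"] is None}
```

Calling `suspicious(SAMPLE.splitlines())` returns only the connection with PID 16442. PIDs can be reused over time, so on a long log file the grouping should be windowed by timestamp.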

Posted in   log-guide   dropbear-logs     by Daniel Cid (@dcid)
