How to log or block login attempts on OS X?


I'm getting a lot of login attempts on my Mac OS X (10.4.x) machine, as
judged by /var/log/secure.log entries like this:

Aug 15 21:36:41 macname authinternal failed to authenticate user ftp.
Aug 15 21:36:41 macname Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.

However, these log messages don't show an IP address.  Moreover, after
adding an AllowUsers line to my sshd_config, I don't seem to be getting
any log lines here at all for a failed login attempt (except for the
allowed user, but so far none of the attackers have guessed that user

I also looked in system.log; this initially wasn't getting any log
entries for these login attempts.  After changing the log level in
sshd_config to DEBUG, I now get messages for invalid user names like:

Aug 18 14:37:26 VerEx-1 sshd[13258]: fatal: Timeout before authentication for

(They're always timeouts because with AllowUsers, sshd seems to delay
indefinitely after the password entry.)  But this doesn't show the user
name that was attempted.

Perhaps that doesn't matter -- but I feel like I'm groping around in the
dark here.  Does anyone have a good, up-to-date description of how
logging with sshd works in OS X?

Also, /var/log contains an ipfw.log file -- but it is always empty.  I
do have a firewall turned on, and ipfw list can show me how many times
each rule has been applied (these numbers go up as I attempt
connections).  Yet the log is empty.  Any idea how to get ipfw to log
these connection attempts?

Ideally, I'd like to make a script to automatically block connections
from a given host after too many failed attempts, as described here:


Given the hoops I've had to jump through to get useful logging at all,
I'm not confident this will work on my OS X machine.  Any Mac-specific

- Joe
