New Log Messages?

Bob Proulx bob at proulx.com
Fri Jan 3 06:55:39 EST 2014


In recent months I started noticing a new type of log message.  Here
are some examples, one of each, but my logs show many runs of these
types of messages, along with others, though these are the majority
type.  Imagine lines like these repeated many times in the syslog.

  Dec  7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
  Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
  Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]

I don't recall that these were seen until recently.  Of course I
searched these out and found them in the libssh example source code.
I know that attackers have done a simple hacking of the examples and
are now using these and trying dictionary and other attacks on any
server they can probe.

I am not concerned about the attack itself.  I have good password
security and rate limiting and so forth and am not asking about the
attack itself.  Attackers have been attacking systems for a long time.
I am only asking for background so that I can understand why these new
messages are being logged now when they haven't been seen in the
syslog previously.  Just trying to understand what changed recently.
Did the examples change to include disconnect messages when they
previously did not?

I do find it annoying that anyone on the net can log any message they
want to the syslog by sending it in the disconnect message.  It makes
it more difficult to sift useful alert information from the syslog.

Thanks,
Bob
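
An added example, not part of the original post: one way to sift these entries is to group pre-auth disconnects by the client-supplied text and treat that text as untrusted when displaying it. The regular expression is inferred from the three lines quoted above; the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the three lines quoted in the post plus two made-up lines.
SAMPLE = """\
Dec  7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]
Dec 24 11:33:09 havoc sshd[412]: Received disconnect from 192.0.2.7: 11: Bye [preauth]
Dec 24 11:40:00 havoc sshd[500]: Received disconnect from 192.0.2.9: 11: disconnected by user
"""

# Format seen in the post: "Received disconnect from <ip>: <code>: <text> [preauth]"
LINE_RE = re.compile(
    r"sshd\[\d+\]: Received disconnect from (?P<ip>\S+): (?P<code>\d+): "
    r"(?P<text>.*?)(?P<preauth> \[preauth\])?$"
)

def parse(line):
    """Return the fields of one disconnect line, or None for any other line."""
    m = LINE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    # The text is chosen by the remote client: show non-printables as escapes, cap length.
    text = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in m["text"])[:80]
    return {"ip": m["ip"], "code": int(m["code"]), "text": text, "preauth": bool(m["preauth"])}

def summarize(lines):
    """Count pre-auth disconnects per message text and collect distinct source IPs."""
    counts, sources = Counter(), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["preauth"]:
            counts[rec["text"]] += 1
            sources[rec["text"]].add(rec["ip"])
    return [(text, n, sorted(sources[text])) for text, n in counts.most_common()]

if __name__ == "__main__":
    for text, n, ips in summarize(SAMPLE.splitlines()):
        print(f"{n:5d}  {text!r}  from {len(ips)} host(s)")
```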


More information about the openssh-unix-dev mailing list