New Log Messages?
Damien Miller
djm at mindrot.org
Fri Jan 3 16:15:23 EST 2014
On Thu, 2 Jan 2014, Bob Proulx wrote:
> In recent months I started noticing a new type of log message. Here
> are some examples. One of each but my logs show many runs of these
> types of messages. Along with others but these are the majority
> type. Imagine lines like these repeated many times in the syslog.
>
> Dec 7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
> Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
> Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]
...
> I am not concerned about the attack itself. I have good password
> security and rate limiting and so forth and am not asking about the
> attack itself. Attackers have been attacking systems for a long time.
> I am only asking for background so that I can understand why these new
> messages are being logged now when they haven't been seen in the
> syslog previously. Just trying to understand what changed recently.
> Did the examples change to include disconnect messages when they
> previously did not?
Not that I am aware - did you perhaps upgrade from some old version that
was not logging the preauth messages?
> I do find it annoying that anyone on the net can log any message they
> want to the syslog by sending it in the disconnect message. It makes
> it more difficult to sift useful alert information from the syslog.
It's useful information in some cases.
-d
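The concern raised in the thread, that the description in a disconnect line is chosen by the remote side, can be handled when sifting logs by splitting each line into the fields sshd writes and the free text the peer supplied. The following is an added example, not part of the original message and not OpenSSH code; it assumes the line format shown in the quoted examples, and the function names and the fourth sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# First three lines are the examples quoted in the post; the last is constructed.
SAMPLE_LOG = """\
Dec 7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]
Dec 24 11:40:00 havoc sshd[411]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Fields: source address, numeric reason code (11 is SSH_DISCONNECT_BY_APPLICATION
# in RFC 4253), remote-supplied description, optional trailing [preauth] tag.
DISCONNECT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Received disconnect from (?P<ip>\S+): "
    r"(?P<code>\d+): (?P<text>.*?)(?P<preauth> \[preauth\])?$"
)

def sanitize(text, limit=64):
    """Escape non-printable characters and backslashes, then cap the length,
    so the untrusted description cannot alter a terminal or a report."""
    safe = "".join(
        c if c.isprintable() and c != "\\" else f"\\x{ord(c):02x}" for c in text
    )
    return safe[:limit]

def parse_disconnects(log_text):
    """Return one dict per disconnect line; other sshd lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            events.append({
                "ip": m["ip"],
                "code": int(m["code"]),
                "text": sanitize(m["text"]),      # untrusted, display only
                "preauth": m["preauth"] is not None,
            })
    return events

def summarize(events):
    """Count pre-auth disconnects per source, ignoring the free-text field."""
    counts = defaultdict(int)
    for e in events:
        if e["preauth"]:
            counts[e["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, n in summarize(parse_disconnects(SAMPLE_LOG)).items():
        print(f"{ip}\t{n}")
```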