New Log Messages?

[Damien Miller]

On Thu, 2 Jan 2014, Bob Proulx wrote:

> In recent months I started noticing a new type of log message.  Here
> are some examples.  One of each but my logs show many runs of these
> types of messages.  Along with others but these are the majority
> type.  Imagine lines like these repeated many times in the syslog.
> 
>   Dec  7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
>   Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
>   Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]

...

> I am not concerned about the attack itself.  I have good password
> security and rate limiting and so forth and am not asking about the
> attack itself.  Attackers have been attacking systems for a long time.
> I am only asking for background so that I can understand why these new
> messages are being logged now when they haven't been seen in the
> syslog previously.  Just trying to understand what changed recently.
> Did the examples change to include disconnect messages when they
> previously did not?

Not that I am aware - did you perhaps upgrade from some old version that
was not logging the preauth messages?

> I do find it annoying that anyone on the net can log any message they
> want to the syslog by sending it in the disconnect message.  It makes
> it more difficult to sift useful alert information from the syslog.

It's useful information in some cases.

-d