New Log Messages?

[Bob Proulx]

Damien Miller wrote:
> Bob Proulx wrote:
> > In recent months I started noticing a new type of log message.
> > ...
> > Just trying to understand what changed recently.  Did the examples
> > change to include disconnect messages when they previously did
> > not?
>
> Not that I am aware - did you perhaps upgrade from some old version that
> was not logging the preauth messages?

I am always hesitant to mention version numbers upstream because I am
using a software distribution and as you know software distributions
support a single release for the lifetime of the distro's stable
release.  I am running Debian Stable on my internet facing machines.
For Debian it is about two years.  For me this is perfect.

In private mail I had someone point me to this serverfault question.
Apparently I was not the only one who noticed this change and was
asking questions about it.  (shrug)

  http://serverfault.com/questions/559200/what-does-normal-shutdown-thank-you-for-playing-preauth-in-ssh-logs-mean

And the answer proposed seems reasonable.  That the disconnect message
wasn't logged by sshd previously and now it is being logged.  In your
upstream sources this could have been a change any time in the last
two years.  I only made the upgrade on my machines last summer from a
5.x release to a 6.x release.  I have been noticing these for some
months but just finally decided to ask about it.

> > I do find it annoying that anyone on the net can log any message they
> > want to the syslog by sending it in the disconnect message.  It makes
> > it more difficult to sift useful alert information from the syslog.
> 
> It's useful information in some cases.

It has certainly seen use for some fun and games from the script
kiddies trying to shake the doors and lift the windows.  :-)  Although
thinking about it maybe I could write a rule for any unusual logged
message to feed into the fail2ban rules?  Maybe.

In any case, thank you for maintaining ssh!

Bob