Minimize sshd log clutter/spam from unauthenticated connections
david at lang.hm
Sun Mar 19 07:31:40 AEDT 2023
On Sat, 18 Mar 2023, Carsten Andrich wrote:
> Date: Sat, 18 Mar 2023 18:16:44 +0100
> From: Carsten Andrich <carsten.andrich at tu-ilmenau.de>
> To: David Lang <david at lang.hm>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Minimize sshd log clutter/spam from unauthenticated connections
> On 18.03.23 14:34, David Lang wrote:
>> modern syslog daemons (including rsyslog, which is default on just about
>> every linux system) allow you to filter efficiently on the message
>> contents, not just the severity, so you can opt to throw out the messages
>> you don't want.
>> I advocate for a slightly different way of dealing with it, filter these
>> messages from your main logstream, but put them into either a script
>> directly, or a separate file and have a script run against it. Have the
>> script report the number of these messages that you get in a time period
>> (minute, hour, whatever you want) and log that count back into your log
>> as Marcus Ranum said in his Artificial Ignorance writeup, the number of
>> times that an uninteresting thing happens can be interesting.
>> If you see a big spike (or drop) in these attempts, it can indicate cause
>> for concern.
> I run Debian with systemd-journald instead of rsyslog. AFAIK journald does
> not support filtering of its ingress log messages. Only the output can be
> filtered with journalctl, but by then it's already too late in terms of log
> spam on disk.
rsyslog is still available, and you don't have to keep everything in the journal
files (journald is not a modern logging system, in spite of its date of
implementation :-) )
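The approach David describes above (divert the pre-auth sshd messages out of the main stream, have a script count them per time period, and log the count back, flagging large rises or falls) as an added worked example. This is not code from the thread or from OpenSSH; it is a stand-alone Python script that reads traditional syslog-format sshd lines. The message patterns treated as "noise" (`Invalid user ...` and anything ending in `[preauth]`), the per-minute bucket, the spike/drop factor and the sample log lines are all assumptions made for the example; the addresses come from documentation ranges and the lines are constructed, not real data.

```python
import re
from collections import Counter

# Constructed sample in traditional syslog format (not real log data).
SAMPLE_LOG = """\
Mar 18 14:34:01 host sshd[1201]: Invalid user admin from 203.0.113.5 port 51822
Mar 18 14:34:01 host sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 51822 [preauth]
Mar 18 14:34:02 host sshd[1203]: Received disconnect from 203.0.113.5 port 51830:11: Bye Bye [preauth]
Mar 18 14:34:05 host sshd[1204]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:xxxx
Mar 18 14:35:10 host sshd[1210]: Invalid user test from 198.51.100.7 port 33114
Mar 18 14:35:11 host sshd[1210]: Connection closed by invalid user test 198.51.100.7 port 33114 [preauth]
Mar 18 14:35:12 host sshd[1211]: Invalid user oracle from 198.51.100.7 port 33120
Mar 18 14:35:12 host sshd[1211]: Connection closed by invalid user oracle 198.51.100.7 port 33120 [preauth]
Mar 18 14:35:13 host sshd[1212]: Invalid user pi from 198.51.100.7 port 33124
Mar 18 14:35:13 host sshd[1212]: Connection closed by invalid user pi 198.51.100.7 port 33124 [preauth]
Mar 18 14:35:14 host sshd[1213]: Disconnected from authenticating user root 198.51.100.7 port 33130 [preauth]
Mar 18 14:36:00 host sshd[1220]: Invalid user guest from 203.0.113.9 port 50001
"""

# The timestamp without its seconds field is the per-minute bucket key
# (traditional syslog timestamps carry no year).
LINE_RE = re.compile(
    r'^(?P<minute>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}):\d{2} \S+ sshd\[\d+\]: (?P<msg>.*)$'
)

# Messages an unauthenticated peer can generate at will. These patterns are an
# assumption based on OpenSSH's usual wording; adjust them to what your sshd emits.
NOISE_PATTERNS = (
    re.compile(r'^Invalid user '),
    re.compile(r'\[preauth\]$'),
)


def is_preauth_noise(msg: str) -> bool:
    """True for sshd messages logged before authentication completed."""
    return any(p.search(msg) for p in NOISE_PATTERNS)


def split_stream(lines):
    """Return (kept_lines, noise_count_per_minute).

    Pre-auth sshd noise is folded into a per-minute counter; everything else
    (including non-sshd lines) stays in the main stream untouched."""
    kept = []
    per_minute = Counter()  # insertion-ordered, so buckets follow log order
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_preauth_noise(m.group('msg')):
            per_minute[m.group('minute')] += 1
        else:
            kept.append(line)
    return kept, per_minute


def flag_buckets(per_minute, factor=2.0):
    """Label each minute as '', 'spike' or 'drop' by comparing its count with
    the mean of the earlier minutes. Returns [(minute, count, flag)]."""
    result = []
    earlier = []
    for minute, count in per_minute.items():
        flag = ''
        if earlier:
            prior_mean = sum(earlier) / len(earlier)
            if count > factor * prior_mean:
                flag = 'spike'
            elif count < prior_mean / factor:
                flag = 'drop'
        result.append((minute, count, flag))
        earlier.append(count)
    return result


def summary_lines(per_minute, factor=2.0):
    """One line per minute, meant to be logged back into the main stream."""
    out = []
    for minute, count, flag in flag_buckets(per_minute, factor):
        note = f' ({flag.upper()} relative to earlier minutes)' if flag else ''
        out.append(f'sshd-noise: {count} pre-auth messages in minute {minute}{note}')
    return out


if __name__ == '__main__':
    kept, per_minute = split_stream(SAMPLE_LOG.splitlines())
    print(f'{len(kept)} line(s) kept, {sum(per_minute.values())} noise line(s) folded into counts')
    for line in summary_lines(per_minute):
        print(line)
```

On the sample, the single successful `Accepted publickey` line stays in the main stream, the eleven pre-auth lines collapse to three per-minute counts, and the 14:35 burst from one source is reported as a spike while the following quiet minute is reported as a drop. In a real deployment the script would read the diverted file (or stdin from the syslog daemon) instead of the embedded sample, and the counter output would be sent back through the logger.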