[Bug 2375] New: Non-informative log messages, invalid log message priorities etc.

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Apr 8 16:53:14 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2375

            Bug ID: 2375
           Summary: Non-informative log messages, invalid log message
                    priorities etc.
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jaak+mindrot at ristioja.ee

A running SSH service is being scanned and brute-forced, subject to all
the "privileges" of running on a public IP address. For some random
connection, only the following messages are logged to syslog:

Apr  7 18:09:10 localhost sshd:20499:info Received disconnect from 77.233.89.158: 11: disconnected by user
Apr  7 18:09:10 localhost sshd:20499:info Disconnected from 77.233.89.158
Apr  7 18:09:10 localhost sshd:20496:err error: mm_request_receive: socket closed

If the system administrator has configured syslog to drop messages with
informational priority, only the cryptic and rather useless "error:
mm_request_receive: socket closed" remain. These contain no IP address
of the client and seem useless from a systems administration point of
view. I mean what kind of reasonable action is the sysadmin supposed to
take on such error messages alone? It contains no information about
whether the disconnect happened before, during or after authentication,
or what was the IP address of the client etc. Additionally, the first
and second info messages contain more-or-less the same information, so
why can't there be one message instead?

Second example:

 Apr  8 07:01:55/sshd/info: User root from 218.65.30.23 not allowed because not listed in AllowUsers
 Apr  8 07:01:55/sshd/info: input_userauth_request: invalid user root [preauth]

The second message is again rather useless. It contains nothing useful
in addition to the first message. It should have debug priority not
info priority.

Additionally, there's no good way to trace certain log messages to a
client connection. Each log message related to a client connection
should contain a unique client connection ID (client IP:port pair
would be best).

In summary, the logs produced by OpenSSH are difficult to read, contain
duplicate, useless, incorrectly prioritized and untraceable messages.
Could this please be improved?

PS: Are successful authentications without login (e.g. ForceCommand)
even logged?
PPS: bugzilla.mindrot.org provides an OpenSSH Version field for 6.9p1,
but not for 6.8p1.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
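The following is an added example, not code from the bug report or from OpenSSH. It re-implements the reporter's observation as a small log triage script: it parses the two sshd syslog line shapes quoted in the report (the regex for those shapes is my assumption from the five lines shown, not OpenSSH's documented format), emulates a syslog selector such as `auth.notice` that drops `info` messages, and then lists which surviving messages cannot be tied to any client address, either directly or through another line from the same PID. The sample log is the report's own five lines re-joined onto single lines; the severity table is the standard syslog one.

```python
"""Triage sshd syslog lines: what survives a priority filter, and can it be tied to a client?"""
import re

# Standard syslog severities; lower number is more severe.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The five lines quoted in the bug report, each re-joined onto one line.
SAMPLE_LOG = """\
Apr  7 18:09:10 localhost sshd:20499:info Received disconnect from 77.233.89.158: 11: disconnected by user
Apr  7 18:09:10 localhost sshd:20499:info Disconnected from 77.233.89.158
Apr  7 18:09:10 localhost sshd:20496:err error: mm_request_receive: socket closed
Apr  8 07:01:55/sshd/info: User root from 218.65.30.23 not allowed because not listed in AllowUsers
Apr  8 07:01:55/sshd/info: input_userauth_request: invalid user root [preauth]
"""

# Assumed line shapes (from the report only): "TS HOST sshd:PID:PRIO MSG" and "TS/sshd/PRIO: MSG".
LINE_RE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s*"
    r"(?:(?P<host>\S+) sshd:(?P<pid>\d+):(?P<prio>\w+) |/sshd/(?P<prio2>\w+): )"
    r"(?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\b(?:User|invalid user) (\S+)")


def parse_line(line):
    """Return a record dict for one syslog line, or None if it is not an sshd line we recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    prio = m.group("prio") or m.group("prio2")
    msg = m.group("msg")
    ip = IPV4_RE.search(msg)
    user = USER_RE.search(msg)
    return {
        "ts": m.group("ts"),
        "pid": m.group("pid"),            # None for the "/sshd/PRIO:" shape, which carries no PID
        "prio": prio,
        "severity": SEVERITY[prio],
        "msg": msg,
        "client": ip.group(0) if ip else None,
        "user": user.group(1) if user else None,
        "preauth": msg.endswith("[preauth]"),
    }


def parse_log(text):
    """Parse every recognised line of a syslog excerpt."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def keep_severity_at_least(records, level):
    """Emulate a syslog selector like 'auth.<level>': keep <level> and anything more severe."""
    return [r for r in records if r["severity"] <= SEVERITY[level]]


def clients_by_pid(records):
    """Map each logging PID to the set of client addresses any of its lines named."""
    out = {}
    for r in records:
        out.setdefault(r["pid"], set())
        if r["client"]:
            out[r["pid"]].add(r["client"])
    return out


def unattributable(records):
    """Messages that name no client and whose PID (if any) never named one either."""
    known = clients_by_pid(records)
    out = []
    for r in records:
        if r["client"]:
            continue
        if r["pid"] is not None and known.get(r["pid"]):
            continue  # another line from the same process identified the client
        out.append(r["msg"])
    return out


def triage(text, level):
    """Summarise what an admin filtering at 'level' is left with."""
    records = parse_log(text)
    kept = keep_severity_at_least(records, level)
    return {"parsed": len(records), "kept": len(kept),
            "unattributable": unattributable(kept)}


if __name__ == "__main__":
    full = parse_log(SAMPLE_LOG)
    print("all lines, client per PID:", clients_by_pid(full))
    print("all lines, unattributable:", unattributable(full))
    print("after 'auth.notice':", triage(SAMPLE_LOG, "notice"))
```

Run as-is, the script shows the report's complaint concretely: with every line kept, only the monitor's `mm_request_receive` error and the `[preauth]` line lack a client address; once `info` is filtered out, the single surviving line has no PID that any other line links to an address, so nothing actionable remains.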


More information about the openssh-bugs mailing list