Minimize sshd log clutter/spam from unauthenticated connections
Carsten Andrich
carsten.andrich at tu-ilmenau.de
Sat Mar 18 23:15:29 AEDT 2023
Dear OpenSSH developers,

a publicly accessible sshd on port 22 generates a lot of log clutter
from unauthenticated connections. For an exemplary host on a university
network, sshd accumulates 5~20k log lines on a single day (more than 90%
of the total amount of syslog lines). That is despite the host having a
restricted configuration (no SSH password authentication, firewall rate
limit for new SSH connections on /24 subnets permitting a few
connections per hour, however with a shorter timeout). I'd expect even
more log messages for a default configuration (password auth enabled and
no firewall rate limit).

Would you be open to introducing a new config option to suppress any log
messages from yet unauthenticated connections? If such a suggestion has
been discussed before, please direct me to it. I haven't found anything
in the archives.

Any log messages including successful authentication and afterwards are
still desired, so changing the log level to above INFO will not help.
Additionally, even unauthenticated connections cause messages with
levels ERROR ("kex_exchange_identification: Connection closed by remote
host") or even CRITICAL ("Timeout before authentication"). As I
periodically scan my hosts' syslogs for messages with level WARNING or
above, I currently have to filter these messages to keep my inbox from
overflowing.

Thanks and best regards,
Carsten
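
The log-side filtering workaround mentioned in the message above, sketched as an added example (not part of the original mail and not OpenSSH code): it drops every sshd line belonging to a process that never logged a successful authentication. It assumes traditional syslog lines tagged `sshd[PID]`, that all messages of one connection share that PID, and no PID reuse within the input; the function name and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed traditional syslog layout: "<timestamp> <host> sshd[<pid>]: <message>"
SSHD_LINE = re.compile(r"\bsshd\[(\d+)\]: (.*)$")
# sshd logs "Accepted <method> for <user> from ..." on successful authentication.
AUTH_OK = re.compile(r"^Accepted \S+ for \S+ from ")
# Pre-authentication noise: the two messages quoted in the mail, plus the
# " [preauth]" suffix sshd appends to messages from its pre-auth child.
PREAUTH_NOISE = re.compile(
    r"kex_exchange_identification: |Timeout before authentication| \[preauth\]$")

def filter_preauth_noise(lines):
    """Return lines with messages from never-authenticated sshd processes removed."""
    by_pid, parsed = defaultdict(list), []
    for line in lines:
        line = line.rstrip("\n")
        m = SSHD_LINE.search(line)
        pid = m.group(1) if m else None
        parsed.append((pid, line))
        if pid:
            by_pid[pid].append(m.group(2))
    # Fail open: a PID is dropped only if it shows known pre-auth noise AND never
    # authenticated, so unfamiliar sshd messages (e.g. the listener's) stay visible.
    drop = {pid for pid, msgs in by_pid.items()
            if any(PREAUTH_NOISE.search(x) for x in msgs)
            and not any(AUTH_OK.match(x) for x in msgs)}
    return [line for pid, line in parsed if pid not in drop]

# Constructed sample lines (documentation IP ranges, made-up PIDs and users).
SAMPLE = [
    "Mar 18 10:00:00 host sshd[700]: Server listening on 0.0.0.0 port 22.",
    "Mar 18 10:01:00 host sshd[801]: error: kex_exchange_identification: Connection closed by remote host",
    "Mar 18 10:02:00 host sshd[802]: fatal: Timeout before authentication for 192.0.2.10 port 40000",
    "Mar 18 10:03:00 host sshd[803]: Invalid user admin from 192.0.2.11 port 40001",
    "Mar 18 10:03:01 host sshd[803]: Connection closed by invalid user admin 192.0.2.11 port 40001 [preauth]",
    "Mar 18 10:04:00 host sshd[804]: Accepted publickey for alice from 198.51.100.5 port 50000 ssh2: ED25519 SHA256:CONSTRUCTED",
    "Mar 18 10:04:00 host sshd[804]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)",
    "Mar 18 10:05:00 host cron[900]: (root) CMD (true)",
]

if __name__ == "__main__":
    print("\n".join(filter_preauth_noise(SAMPLE)))
```

Because the decision is made per process after all of its lines are seen, this suits a periodic batch scan of a log file rather than a live stream.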