Minimize sshd log clutter/spam from unauthenticated connections

David Lang david at lang.hm
Sun Mar 19 07:31:40 AEDT 2023


On Sat, 18 Mar 2023, Carsten Andrich wrote:

> Date: Sat, 18 Mar 2023 18:16:44 +0100
> From: Carsten Andrich <carsten.andrich at tu-ilmenau.de>
> To: David Lang <david at lang.hm>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Minimize sshd log clutter/spam from unauthenticated connections
> 
> On 18.03.23 14:34, David Lang wrote:
>> modern syslog daemons (including rsyslog, which is default on just about 
>> every linux system) allow you to filter efficiently on the message 
>> contents, not just the severity, so you can opt to throw out the messages 
>> you don't want.
>> 
>> I advocate for a slightly different way of dealing with it, filter these 
>> messages from your main logstream, but put them into either a script 
>> directly, or a separate file and have a script run against it. Have the 
>> script report the number of these messages that you get in a time period 
>> (minute, hour, whatever you want) and log that count back into your log 
>> stream.
>> 
>> As Marcus Ranum said in his Artificial Ignorance writeup, the number of 
>> times that an uninteresting thing happens can be interesting.
>> 
>> If you see a big spike (or drop) in these attempts, it can indicate cause 
>> for concern.
>
> I run Debian with systemd-journald instead of rsyslog. AFAIK journald does 
> not support filtering of its ingress log messages. Only the output can be 
> filtered with journalctl, but by then it's already too late in terms of log 
> spam on disk.

rsyslog is still available, and you don't have to keep everything in the journal 
files (journald is not a modern logging system, in spite of its date of 
implementation :-) )

David Lang
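
One way to implement the count-and-summarize approach described in the quoted
message, as an added example that is not part of this thread: Python run against
constructed sample lines in the format rsyslog writes by default. The message
patterns treated as noise, the bucket size and the spike threshold are my
assumptions, not anything sshd or rsyslog define.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# rsyslog-style line: "Mar 18 14:34:01 host sshd[pid]: message"
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
# Assumed noise: sshd messages from connections that never authenticated,
# i.e. tagged [preauth] or reporting an invalid user name.
NOISE = re.compile(r"\[preauth\]$|^Invalid user ")

def bucket(ts_text, minutes=1, year=2023):
    """Floor a syslog timestamp (which carries no year) to its N-minute bucket."""
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts.replace(second=0, minute=ts.minute - ts.minute % minutes)

def split_preauth(lines, minutes=1):
    """Return (lines to keep in the main stream, {bucket_start: noise count})."""
    kept, counts = [], Counter()
    for line in lines:
        m = SYSLOG.match(line)
        if m and NOISE.search(m.group(2)):
            counts[bucket(m.group(1), minutes)] += 1
        else:
            kept.append(line)
    return kept, dict(counts)

def summary_lines(counts, minutes=1):
    """One line per bucket, meant to be logged back into the main stream."""
    return [f"sshd-preauth-summary: {n} unauthenticated connection events "
            f"in the {minutes}-minute window starting {b:%b %d %H:%M}"
            for b, n in sorted(counts.items())]

def spikes(counts, factor=5):
    """Buckets whose count is at least `factor` times the median bucket: a crude
    check that a routine count has changed enough to be worth a look."""
    if len(counts) < 2:
        return []
    med = statistics.median(counts.values())
    return sorted(b for b, n in counts.items() if med and n >= factor * med)

# Constructed sample input (not from a real host), in rsyslog's default format.
SAMPLE = """\
Mar 18 14:34:01 bastion sshd[4120]: Connection closed by 203.0.113.5 port 44212 [preauth]
Mar 18 14:34:02 bastion sshd[4121]: Invalid user admin from 203.0.113.9 port 51000
Mar 18 14:34:02 bastion sshd[4121]: Received disconnect from 203.0.113.9 port 51000:11: Bye Bye [preauth]
Mar 18 14:34:30 bastion sshd[4125]: Accepted publickey for alice from 198.51.100.7 port 52000 ssh2
Mar 18 14:35:10 bastion sshd[4130]: Disconnected from authenticating user root 203.0.113.5 port 44300 [preauth]
Mar 18 14:36:00 bastion cron[900]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()
```

Feeding a file that rsyslog writes only the filtered sshd messages to into
split_preauth and logging summary_lines back (e.g. via logger) gives the
per-interval count the quoted message suggests; spikes is the cheap check on it.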

