Hi,
I was looking at my authlog today and as expected on a server exposed on the
public internet it is filled with random scanners and brute force attacks.
One thing I noticed is that there is a lot of information we log multiple
times for a each failed connection.
Some examples below:
sshd[6216]: error: kex_exchange_identification: banner line contains invalid
characters
sshd[6216]: banner exchange: Connection from xx.97.73.149 port 64744: invalid
format
sshd[68416]: error: kex_exchange_identification: banner line contains invalid
characters
sshd[68416]: banner exchange: Connection from xx.97.73.149 port 63955: invalid
format
There are a few more parsing errors like this that result in a print of the
exact
issue error followed by 'goto invalid' which causes the more general "invalid
format"
message. I think "invalid format" is enough information in most cases.
sshd[50752]: error: kex_exchange_identification: Connection closed by remote
host
sshd[50752]: Connection closed by xx.94.81.243 port 61000
Same as above, the kex_exchange_identification doesn't really add anything.
sshd[51579]: Invalid user tom from xx.134.191.142 port 35480
sshd[51579]: Received disconnect from xx.134.191.142 port 35480:11: Bye Bye
[preauth]
sshd[51579]: Disconnected from invalid user tom xx.134.191.142 port 35480
[preauth]
sshd[94857]: Invalid user long from xx.97.173.1 port 51140
sshd[94857]: Received disconnect from xx.97.173.1 port 51140:11: Bye Bye
[preauth]
sshd[94857]: Disconnected from invalid user long xx.97.173.1 port 51140
[preauth]
Here the "Disconnected" line contains all the info from "Invalid user" line.
Those invalid user messages make up the largest part of my log file,
so deduplicating them makes a huge difference.
Below is a diff to make some of those log to debug if the same information
is also logged elsewhere.
Is there some general interest in diffs to clean this up a bit?
Index: auth.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.160
diff -u -p -r1.160 auth.c
--- auth.c 5 Mar 2023 05:34:09 -0000 1.160
+++ auth.c 18 Aug 2023 14:22:55 -0000
@@ -431,7 +431,7 @@ getpwnamallow(struct ssh *ssh, const cha
pw = getpwnam(user);
if (pw == NULL) {
- logit("Invalid user %.100s from %.100s port %d",
+ debug("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
return (NULL);
}
Index: kex.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/kex.c,v
retrieving revision 1.179
diff -u -p -r1.179 kex.c
--- kex.c 18 Aug 2023 01:37:41 -0000 1.179
+++ kex.c 18 Aug 2023 14:22:55 -0000
@@ -1336,7 +1336,7 @@ kex_exchange_identification(struct ssh *
len = atomicio(read, ssh_packet_get_connection_in(ssh),
&c, 1);
if (len != 1 && errno == EPIPE) {
- error_f("Connection closed by remote host");
+ debug_f("Connection closed by remote host");
r = SSH_ERR_CONN_CLOSED;
goto out;
} else if (len != 1) {
@@ -1352,7 +1352,7 @@ kex_exchange_identification(struct ssh *
if (c == '\n')
break;
if (c == '\0' || expect_nl) {
- error_f("banner line contains invalid "
+ debug_f("banner line contains invalid "
"characters");
goto invalid;
}
@@ -1362,7 +1362,7 @@ kex_exchange_identification(struct ssh *
goto out;
}
if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
- error_f("banner line too long");
+ debug_f("banner line too long");
goto invalid;
}
}
@@ -1378,7 +1378,7 @@ kex_exchange_identification(struct ssh *
}
/* Do not accept lines before the SSH ident from a client */
if (ssh->kex->server) {
- error_f("client sent invalid protocol identifier "
+ debug_f("client sent invalid protocol identifier "
"\"%.256s\"", cp);
free(cp);
goto invalid;
