[gentoo-user] plenty of strange sshd-logs... what does it mean?

[gentoo-user] plenty of strange sshd-logs... what does it mean?

[Jarry]

Hi,

I just noticed my /var/log/sshd.log is suddenly somehow big.
After checking it out I have found a lot of messages like this:

> 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype: Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10

This message was recorded on 2011-02-14T17:45:24+00:00 for
the first time, and since then exactly every 2 minutes.
I think it was the day when I updated to openssh-5.6-p1-r2.

So first of all, what does the message mean? And next,
how can I turn it off, or at least reduce its frequency?

Jarry

-- 
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.

[gentoo-user] Re: plenty of strange sshd-logs... what does it mean?

[walt]

On 02/21/2011 11:48 AM, Jarry wrote:
> Hi,
>
> I just noticed my /var/log/sshd.log is suddenly somehow big.

That's interesting.  I have no such logfile.  Did you change something
in /etc/ssh/sshd_config?

Oh, wait, I'm running openssh-5.8-p1, and my config file says the logging
configuration has eliminated the "FascistLogging" option.  (Nerds are a
laugh a minute, eh?)

> After checking it out I have found a lot of messages like this:
>
>> 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype:
>>Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client:
>>OpenSSH_5.8p1-hpn13v10

>
> This message was recorded on 2011-02-14T17:45:24+00:00 for
> the first time, and since then exactly every 2 minutes.
> I think it was the day when I updated to openssh-5.6-p1-r2.

So, if your machine is running openssh-5.6 server, then whose machine
is running an openssh-5.8 client?

Could it be your cable or DSL router?  I can ssh into my DSL router,
but it doesn't send me any traffic unless I send some first.

I'd use a sniffer like ngrep or wireshark to see who is poking at your
ssh port, if anyone really is.

Anyway, my sshd_config file (version 5.8) has a "LogLevel" setting.
In your case I'd be tempted to increase the verbosity to figure out
what the messages are really trying to tell you.

Re: [gentoo-user] plenty of strange sshd-logs... what does it mean?

[Alex Schuster]

Jarry writes:

> I just noticed my /var/log/sshd.log is suddenly somehow big.
> 
> After checking it out I have found a lot of messages like this:
> > 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype:
> > Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client:
> > OpenSSH_5.8p1-hpn13v10
> 
> This message was recorded on 2011-02-14T17:45:24+00:00 for
> the first time, and since then exactly every 2 minutes.
> I think it was the day when I updated to openssh-5.6-p1-r2.
> 
> So first of all, what does the message mean? And next,
> how can I turn it off, or at least reduce its frequency?

Now that you mention it, I see the same messages. This also started 
happening since I upgraded to openssh-5.8_p1-r1.
But I have them only when someone connnects to my server, not every two 
minutes.

	Wonko

Re: [gentoo-user] Re: plenty of strange sshd-logs... what does it mean?

[Jarry]

On 22. 2. 2011 0:42, walt wrote:
> On 02/21/2011 11:48 AM, Jarry wrote:
>> Hi,
>>
>> I just noticed my /var/log/sshd.log is suddenly somehow big.
>
> That's interesting. I have no such logfile. Did you change something
> in /etc/ssh/sshd_config?

I forgot to say: I have set up filter for ssh-messages.
They would be otherwise logged probably into /var/log/messages

> Oh, wait, I'm running openssh-5.8-p1, and my config file says the logging
> configuration has eliminated the "FascistLogging" option. (Nerds are a
> laugh a minute, eh?)
>
>> After checking it out I have found a lot of messages like this:
>>
>>> 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype:
>>> Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client:
>>> OpenSSH_5.8p1-hpn13v10
>
>>
>> This message was recorded on 2011-02-14T17:45:24+00:00 for
>> the first time, and since then exactly every 2 minutes.
>> I think it was the day when I updated to openssh-5.6-p1-r2.
>
> So, if your machine is running openssh-5.6 server, then whose machine
> is running an openssh-5.8 client?

No, my machine has openssh-5.8_p1-r1. But these messages
startet since I updated to 5.6-p1-r2. Later I updated
to 5.8_p1-r1, and they still keep comming. So up to
5.6-p1-r1 everything was normal, but since 5.6-p1-r2
I have these strange log messages...

> Could it be your cable or DSL router? I can ssh into my DSL router,
> but it doesn't send me any traffic unless I send some first.

I doubt about it. There is not dsl-router, just switch and
direct connection to internet. Funny is, that "my.ip.add.ress"
is actually IP-address of this server, and exactly the same
IP on which sshd is running. So if "my.ip.add.ress" is "remote",
then it seems my server is trying to connect my server.
Very strange...


> I'd use a sniffer like ngrep or wireshark to see who is poking at your
> ssh port, if anyone really is.
>
> Anyway, my sshd_config file (version 5.8) has a "LogLevel" setting.
> In your case I'd be tempted to increase the verbosity to figure out
> what the messages are really trying to tell you.

OK, I'll try it. Though in reality, I would actually like
to decrease somehow this verbosity. My sshd.log gets terribly
big, and is rotated every day...

Jarry

-- 
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.

Re: [gentoo-user] Re: plenty of strange sshd-logs... what does it mean?

[covici]

walt <w41ter@gmail.com> wrote:

> On 02/21/2011 11:48 AM, Jarry wrote:
> > Hi,
> >
> > I just noticed my /var/log/sshd.log is suddenly somehow big.
> 
> That's interesting.  I have no such logfile.  Did you change something
> in /etc/ssh/sshd_config?
> 
> Oh, wait, I'm running openssh-5.8-p1, and my config file says the logging
> configuration has eliminated the "FascistLogging" option.  (Nerds are a
> laugh a minute, eh?)
> 
> > After checking it out I have found a lot of messages like this:
> >
> >> 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype:
> >>Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client:
> >>OpenSSH_5.8p1-hpn13v10
> 
> >
> > This message was recorded on 2011-02-14T17:45:24+00:00 for
> > the first time, and since then exactly every 2 minutes.
> > I think it was the day when I updated to openssh-5.6-p1-r2.
> 
> So, if your machine is running openssh-5.6 server, then whose machine
> is running an openssh-5.8 client?
> 
> Could it be your cable or DSL router?  I can ssh into my DSL router,
> but it doesn't send me any traffic unless I send some first.
> 
> I'd use a sniffer like ngrep or wireshark to see who is poking at your
> ssh port, if anyone really is.
> 
> Anyway, my sshd_config file (version 5.8) has a "LogLevel" setting.
> In your case I'd be tempted to increase the verbosity to figure out
> what the messages are really trying to tell you.
> 

Its much simpler -- they changed what you get in the logs -- if you set
LOGLEVEL to QUIET you don't get much, if you set it to INFO you not only
get the usual public key or whatever accepted, but those extra lines for
each login.  VERBOSE is even worse, so we are stuck till someone has
sense enough to put that stuff in the VERBOSE level instead.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici
         covici@ccs.covici.com