Re: [gentoo-user] Re: plenty of strange sshd-logs... what does it mean?

2011-02-22 Thread covici
walt w41...@gmail.com wrote:

> On 02/21/2011 11:48 AM, Jarry wrote:
> > Hi,
> >
> > I just noticed my /var/log/sshd.log is suddenly somehow big.
>
> That's interesting.  I have no such logfile.  Did you change something
> in /etc/ssh/sshd_config?
>
> Oh, wait, I'm running openssh-5.8-p1, and my config file says the logging
> configuration has eliminated the FascistLogging option.  (Nerds are a
> laugh a minute, eh?)
>
> > After checking it out I have found a lot of messages like this:
> >
> > 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype: Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10
> >
> > This message was recorded on 2011-02-14T17:45:24+00:00 for
> > the first time, and since then exactly every 2 minutes.
> > I think it was the day when I updated to openssh-5.6-p1-r2.
>
> So, if your machine is running openssh-5.6 server, then whose machine
> is running an openssh-5.8 client?
>
> Could it be your cable or DSL router?  I can ssh into my DSL router,
> but it doesn't send me any traffic unless I send some first.
>
> I'd use a sniffer like ngrep or wireshark to see who is poking at your
> ssh port, if anyone really is.
>
> Anyway, my sshd_config file (version 5.8) has a LogLevel setting.
> In your case I'd be tempted to increase the verbosity to figure out
> what the messages are really trying to tell you.


It's much simpler -- they changed what you get in the logs -- if you set
LOGLEVEL to QUIET you don't get much, if you set it to INFO you not only
get the usual public key or whatever accepted, but those extra lines for
each login.  VERBOSE is even worse, so we are stuck till someone has
sense enough to put that stuff in the VERBOSE level instead.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



[gentoo-user] Re: plenty of strange sshd-logs... what does it mean?

2011-02-21 Thread walt

On 02/21/2011 11:48 AM, Jarry wrote:

> Hi,
>
> I just noticed my /var/log/sshd.log is suddenly somehow big.

That's interesting.  I have no such logfile.  Did you change something
in /etc/ssh/sshd_config?

Oh, wait, I'm running openssh-5.8-p1, and my config file says the logging
configuration has eliminated the FascistLogging option.  (Nerds are a
laugh a minute, eh?)

> After checking it out I have found a lot of messages like this:
>
> 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype: Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10
>
> This message was recorded on 2011-02-14T17:45:24+00:00 for
> the first time, and since then exactly every 2 minutes.
> I think it was the day when I updated to openssh-5.6-p1-r2.

So, if your machine is running openssh-5.6 server, then whose machine
is running an openssh-5.8 client?

Could it be your cable or DSL router?  I can ssh into my DSL router,
but it doesn't send me any traffic unless I send some first.

I'd use a sniffer like ngrep or wireshark to see who is poking at your
ssh port, if anyone really is.

Anyway, my sshd_config file (version 5.8) has a LogLevel setting.
In your case I'd be tempted to increase the verbosity to figure out
what the messages are really trying to tell you.




Re: [gentoo-user] Re: plenty of strange sshd-logs... what does it mean?

2011-02-21 Thread Jarry

On 22. 2. 2011 0:42, walt wrote:

> On 02/21/2011 11:48 AM, Jarry wrote:
>
> > Hi,
> >
> > I just noticed my /var/log/sshd.log is suddenly somehow big.
>
> That's interesting. I have no such logfile. Did you change something
> in /etc/ssh/sshd_config?

I forgot to say: I have set up a filter for ssh-messages.
They would otherwise probably be logged into /var/log/messages

> Oh, wait, I'm running openssh-5.8-p1, and my config file says the logging
> configuration has eliminated the FascistLogging option. (Nerds are a
> laugh a minute, eh?)
>
> > After checking it out I have found a lot of messages like this:
> >
> > 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype: Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10
> >
> > This message was recorded on 2011-02-14T17:45:24+00:00 for
> > the first time, and since then exactly every 2 minutes.
> > I think it was the day when I updated to openssh-5.6-p1-r2.
>
> So, if your machine is running openssh-5.6 server, then whose machine
> is running an openssh-5.8 client?

No, my machine has openssh-5.8_p1-r1. But these messages
started since I updated to 5.6-p1-r2. Later I updated
to 5.8_p1-r1, and they still keep coming. So up to
5.6-p1-r1 everything was normal, but since 5.6-p1-r2
I have these strange log messages...

> Could it be your cable or DSL router? I can ssh into my DSL router,
> but it doesn't send me any traffic unless I send some first.

I doubt it. There is no dsl-router, just a switch and
a direct connection to the internet. The funny thing is that my.ip.add.ress
is actually the IP address of this server, and exactly the same
IP on which sshd is running. So if my.ip.add.ress is remote,
then it seems my server is trying to connect to my server.
Very strange...

> I'd use a sniffer like ngrep or wireshark to see who is poking at your
> ssh port, if anyone really is.
>
> Anyway, my sshd_config file (version 5.8) has a LogLevel setting.
> In your case I'd be tempted to increase the verbosity to figure out
> what the messages are really trying to tell you.

OK, I'll try it. Though in reality, I would actually like
to somehow decrease this verbosity. My sshd.log gets terribly
big, and is rotated every day...

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
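
An added example, not part of any message in this thread: Python that parses the `Ltype: Version` records quoted above and reports remotes that connect at a fixed interval, marking those that match one of the server's own addresses (the pattern Jarry describes). The sample log is constructed with documentation addresses, and `sample_log`, `parse`, `periodic_sources`, `local_ips`, `min_events` and `jitter` are names chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Record format as quoted in the thread (the sshd "Ltype: Version" line).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: SSH: Server;Ltype: Version;"
    r"Remote: (?P<ip>[^;]+)-(?P<port>\d+);Protocol: [^;]+;Client: (?P<client>.+)$")

def sample_log():
    """Constructed sample: 192.0.2.10 connects every 120 s, 198.51.100.7 irregularly."""
    fmt = ("{} obelix sshd[19767]: SSH: Server;Ltype: Version;Remote: {}-56254;"
           "Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10")
    base = datetime(2011, 2, 21, 3, 49, 21, tzinfo=timezone.utc)
    rows = [(120 * i, "192.0.2.10") for i in range(6)]
    rows += [(s, "198.51.100.7") for s in (30, 400, 2000, 2100)]
    return "\n".join(fmt.format((base + timedelta(seconds=s)).isoformat(), ip)
                     for s, ip in sorted(rows))

def parse(text):
    """Yield (timestamp, remote_ip, client_banner) for each Version record."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["client"]

def periodic_sources(text, local_ips=(), min_events=4, jitter=5.0):
    """Return remotes whose connections arrive at a near-constant interval."""
    seen = defaultdict(list)
    for ts, ip, _client in parse(text):
        seen[ip].append(ts)
    report = {}
    for ip, times in seen.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if all(abs(g - period) <= jitter for g in gaps):
            # "self" marks a remote that is one of this server's own addresses
            report[ip] = {"period_s": period, "count": len(times),
                          "self": ip in local_ips}
    return report

if __name__ == "__main__":
    for ip, info in periodic_sources(sample_log(), {"192.0.2.10"}).items():
        print(ip, info)
```

A source reported with `self` set is the server connecting to its own sshd, so the place to look next is a local process on a timer rather than the network.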