On Fri, 18 Aug 2023, Tobias Heider wrote:

> Hi,
> 
> I was looking at my authlog today and as expected on a server exposed on the
> public internet it is filled with random scanners and brute force attacks.
> One thing I noticed is that there is a lot of information we log multiple
> times for each failed connection.
> 
> Some examples below:
> 
> sshd[6216]: error: kex_exchange_identification: banner line contains invalid characters
> sshd[6216]: banner exchange: Connection from xx.97.73.149 port 64744: invalid format
> sshd[68416]: error: kex_exchange_identification: banner line contains invalid characters
> sshd[68416]: banner exchange: Connection from xx.97.73.149 port 63955: invalid format
> 
> There are a few more parsing errors like this that result in a print of the exact
> error followed by 'goto invalid', which causes the more general "invalid format"
> message. I think "invalid format" is enough information in most cases.
> 
> sshd[50752]: error: kex_exchange_identification: Connection closed by remote host
> sshd[50752]: Connection closed by xx.94.81.243 port 61000
> 
> Same as above, the kex_exchange_identification doesn't really add anything.
> 
> sshd[51579]: Invalid user tom from xx.134.191.142 port 35480
> sshd[51579]: Received disconnect from xx.134.191.142 port 35480:11: Bye Bye [preauth]
> sshd[51579]: Disconnected from invalid user tom xx.134.191.142 port 35480 [preauth]
> sshd[94857]: Invalid user long from xx.97.173.1 port 51140
> sshd[94857]: Received disconnect from xx.97.173.1 port 51140:11: Bye Bye [preauth]
> sshd[94857]: Disconnected from invalid user long xx.97.173.1 port 51140 [preauth]
> 
> Here the "Disconnected" line contains all the info from "Invalid user" line.
> Those invalid user messages make up the largest part of my log file,
> so deduplicating them makes a huge difference.
> 
> Below is a diff to make some of those log at debug level if the same information
> is also logged elsewhere.
> Is there some general interest in diffs to clean this up a bit?

ok to the kex.c ones, but no to the auth.c one. There are other exit
paths that sshd can take that might lose the "Invalid user" message and
then that information would be lost.

> Index: auth.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/auth.c,v
> retrieving revision 1.160
> diff -u -p -r1.160 auth.c
> --- auth.c    5 Mar 2023 05:34:09 -0000       1.160
> +++ auth.c    18 Aug 2023 14:22:55 -0000
> @@ -431,7 +431,7 @@ getpwnamallow(struct ssh *ssh, const cha
>  
>       pw = getpwnam(user);
>       if (pw == NULL) {
> -             logit("Invalid user %.100s from %.100s port %d",
> +             debug("Invalid user %.100s from %.100s port %d",
>                   user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
>               return (NULL);
>       }
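Review bot: keep logit() here rather than debug(); this is the only line that is guaranteed to record the attempted username, and as the reply above notes there are exit paths that never reach the later "Disconnected from invalid user ..." line. In the sample that line only appears after the client sent a disconnect message ("Received disconnect ... Bye Bye"); a client that simply drops the socket, or one cut off by the login grace timer, would leave no username at the default log level once this is demoted. If the goal is one line per failed attempt, the safer direction is to trim the later message, not this one.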
> Index: kex.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/kex.c,v
> retrieving revision 1.179
> diff -u -p -r1.179 kex.c
> --- kex.c     18 Aug 2023 01:37:41 -0000      1.179
> +++ kex.c     18 Aug 2023 14:22:55 -0000
> @@ -1336,7 +1336,7 @@ kex_exchange_identification(struct ssh *
>                       len = atomicio(read, ssh_packet_get_connection_in(ssh),
>                           &c, 1);
>                       if (len != 1 && errno == EPIPE) {
> -                             error_f("Connection closed by remote host");
> +                             debug_f("Connection closed by remote host");
>                               r = SSH_ERR_CONN_CLOSED;
>                               goto out;
>                       } else if (len != 1) {
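Review bot: demoting the EPIPE branch to debug_f() is acceptable only because the caller still reports SSH_ERR_CONN_CLOSED together with the peer address (the "Connection closed by xx.94.81.243 port 61000" line in the sample), so nothing visible is lost; say so in the commit message so the dependency on the caller's message is recorded. The adjacent `else if (len != 1)` branch for non-EPIPE read failures is outside this hunk and keeps its current level, which is the right split: a genuine read error is still worth an error-level line, a peer hanging up is not.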
> @@ -1352,7 +1352,7 @@ kex_exchange_identification(struct ssh *
>                       if (c == '\n')
>                               break;
>                       if (c == '\0' || expect_nl) {
> -                             error_f("banner line contains invalid "
> +                             debug_f("banner line contains invalid "
>                                   "characters");
>                               goto invalid;
>                       }
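Review bot: with this and the following hunks, every `goto invalid` path (NUL or missing newline here, the over-long line, and the non-identifier line below) collapses into the same generic "invalid format" message, so the reason is only recoverable with debug logging enabled. If the distinction is ever wanted for diagnosing a broken client, a cleaner alternative to logging twice is to carry the reason to the `invalid:` label (for example a `const char *reason` set before each goto and appended to the generic message); that keeps one line per connection without discarding the detail.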
> @@ -1362,7 +1362,7 @@ kex_exchange_identification(struct ssh *
>                               goto out;
>                       }
>                       if (sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN) {
> -                             error_f("banner line too long");
> +                             debug_f("banner line too long");
>                               goto invalid;
>                       }
>               }
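Review bot: no objection to the level change; the `sshbuf_len(peer_version) > SSH_MAX_BANNER_LEN` check still runs per byte and the `goto invalid` still drops the connection, so a peer streaming garbage without a newline is cut off at exactly the same bound as before. Only the log level changes here, not the limit or the disconnect.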
> @@ -1378,7 +1378,7 @@ kex_exchange_identification(struct ssh *
>               }
>               /* Do not accept lines before the SSH ident from a client */
>               if (ssh->kex->server) {
> -                     error_f("client sent invalid protocol identifier "
> +                     debug_f("client sent invalid protocol identifier "
>                           "\"%.256s\"", cp);
>                       free(cp);
>                       goto invalid;
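Review bot: this is the one message of the four that quotes what the peer actually sent (`"\"%.256s\"", cp`), which makes it the most useful of them when a legitimate but misbehaving client is being diagnosed; consider the verbose level rather than debug if the aim is only to quiet the default authlog. The `free(cp)` before `goto invalid` is retained, so the change introduces no leak.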
> 
> 

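To make the deduplication question concrete, here is an added example, not from the thread or from OpenSSH: a small Python script that groups authlog lines by sshd pid, records which facts each line carries (peer address, port, attempted username) and flags lines whose facts are fully covered by another line of the same session. The sample log is constructed, modelled on the messages quoted above with addresses from the 198.51.100.0/24 documentation range; the last session, in which only a login-grace timeout line follows "Invalid user", is an assumed exit path of the kind the reply refers to, and the report shows why demoting that line would lose the username there.

```python
import re
from collections import defaultdict

# Constructed sample authlog, modelled on the lines quoted in the thread.
# Addresses are from the 198.51.100.0/24 documentation range. The last
# session (pid 61001) is an assumed exit path: the client never sends a
# disconnect and only the login-grace timeout line follows "Invalid user".
SAMPLE_LOG = """\
sshd[6216]: error: kex_exchange_identification: banner line contains invalid characters
sshd[6216]: banner exchange: Connection from 198.51.100.7 port 64744: invalid format
sshd[50752]: error: kex_exchange_identification: Connection closed by remote host
sshd[50752]: Connection closed by 198.51.100.9 port 61000
sshd[51579]: Invalid user tom from 198.51.100.12 port 35480
sshd[51579]: Received disconnect from 198.51.100.12 port 35480:11: Bye Bye [preauth]
sshd[51579]: Disconnected from invalid user tom 198.51.100.12 port 35480 [preauth]
sshd[61001]: Invalid user admin from 198.51.100.20 port 40001
sshd[61001]: Timeout before authentication for 198.51.100.20 port 40001
"""

LINE_RE = re.compile(r"^sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Message classes; the first matching pattern wins.
KINDS = [
    ("kex_ident_detail", re.compile(r"kex_exchange_identification: ")),
    ("banner_invalid", re.compile(r"^banner exchange: ")),
    ("invalid_user", re.compile(r"^Invalid user ")),
    ("received_disconnect", re.compile(r"^Received disconnect from ")),
    ("disconnected", re.compile(r"^Disconnected from ")),
    ("conn_closed", re.compile(r"^Connection closed by ")),
    ("timeout", re.compile(r"^Timeout before authentication ")),
]
PEER_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")
USER_RE = re.compile(r"[Ii]nvalid user (?P<user>\S+)")


def parse_line(line):
    """Return (pid, kind, facts) for an sshd line, or None for anything else.

    facts is a frozenset of (name, value) pairs: the peer address, the peer
    port and the attempted username, whichever the message carries.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    msg = m.group("msg")
    kind = next((name for name, rx in KINDS if rx.search(msg)), "other")
    facts = set()
    peer = PEER_RE.search(msg)
    if peer:
        facts.add(("ip", peer.group("ip")))
        facts.add(("port", peer.group("port")))
    user = USER_RE.search(msg)
    if user:
        facts.add(("user", user.group("user")))
    return int(m.group("pid")), kind, frozenset(facts)


def analyze(log_text):
    """Group lines per sshd pid and report which ones add no new facts.

    A line is redundant when another line of the same session carries a
    superset of its facts (for equal fact sets the earlier line is the
    redundant one, matching the proposal to keep the final "Disconnected"
    line). lost_users lists sessions where the attempted username appears
    only in the "Invalid user" line, i.e. what demoting it to debug would lose.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            pid, kind, facts = rec
            sessions[pid].append((kind, facts))

    redundant = []
    lost_users = {}
    for pid, lines in sessions.items():
        for i, (kind, facts) in enumerate(lines):
            covered = any(
                facts <= other and (facts != other or j > i)
                for j, (_, other) in enumerate(lines) if j != i
            )
            if covered:
                redundant.append((pid, kind))
        naming = [(kind, facts) for kind, facts in lines
                  if any(name == "user" for name, _ in facts)]
        if naming and all(kind == "invalid_user" for kind, _ in naming):
            lost_users[pid] = dict(naming[0][1])["user"]
    return {
        "sessions": len(sessions),
        "redundant": redundant,
        "lines_saved": len(redundant),
        "lost_users": lost_users,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{report['sessions']} sessions, {report['lines_saved']} redundant lines")
    for pid, kind in report["redundant"]:
        print(f"  pid {pid}: {kind} adds nothing beyond another line")
    for pid, user in report["lost_users"].items():
        print(f"  pid {pid}: dropping 'Invalid user' would lose username {user!r}")
```

Run it as is, or point analyze() at a real authlog read from disk. On the constructed sample it agrees with the proposal for the kex.c messages and for the "Received disconnect" line, and it also reproduces the objection to the auth.c hunk: in the session that ends with a timeout, "Invalid user" is the only line naming the account.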