In recent months I started noticing a new type of log message. Here
are some examples. One of each, but my logs show many runs of these
types of messages. Along with others, but these are the majority
type. Imagine lines like these repeated many times in the syslog.

Dec  7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]

I don't recall that these were seen until recently. Of course I
searched these out and found them in the libssh example source code.
I know that attackers have done a simple hacking of the examples and
are now using these and trying dictionary and other attacks on any
server they can probe.

I am not concerned about the attack itself. I have good password
security and rate limiting and so forth and am not asking about the
attack itself. Attackers have been attacking systems for a long time.
I am only asking for background so that I can understand why these new
messages are being logged now when they haven't been seen in the
syslog previously. Just trying to understand what changed recently.
Did the examples change to include disconnect messages when they
previously did not?

I do find it annoying that anyone on the net can log any message they
want to the syslog by sending it in the disconnect message. It makes
it more difficult to sift useful alert information from the syslog.

Thanks,
Bob
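The line format Bob quotes has a trusted part written by sshd (timestamp, host, pid, peer address, reason code) and an untrusted part, the free-text description taken straight from the client's disconnect packet. The following is an added example, not code from the thread or from OpenSSH: a small Python parser that splits those two parts, escapes anything non-printable in the client-chosen text so it cannot smuggle newlines or terminal control sequences into a report, and counts pre-auth disconnects per source address. The regular expression assumes the syslog layout shown in the quoted lines; the sample log is constructed from those three lines plus three made-up lines to show non-matching input and a non-preauth disconnect.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the ones quoted in the post
# (same format; the last three lines are made up to exercise other cases).
SAMPLE_LOG = """\
Dec  7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]
Dec 24 11:33:09 havoc sshd[412]: Received disconnect from 183.136.213.228: 11: Normal [preauth]
Dec 24 11:40:00 havoc sshd[430]: Accepted publickey for bob from 192.0.2.10 port 51022 ssh2
Dec 24 11:41:15 havoc sshd[431]: Received disconnect from 192.0.2.10: 11: disconnected by user
"""

# Only the fields sshd itself produces are trusted; the text after the
# reason code is whatever the remote client put in its DISCONNECT packet.
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Received disconnect from (?P<ip>[0-9a-fA-F.:]+): (?P<code>\d+): "
    r"(?P<message>.*?)(?P<preauth> \[preauth\])?$"
)


def sanitize(text):
    """Escape anything non-printable so client-chosen text cannot carry
    newlines or terminal control sequences into reports built from it."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in text)


def parse_disconnect(line):
    """Return a dict for a 'Received disconnect' line, or None for other lines."""
    m = DISCONNECT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "pid": int(m.group("pid")),
        "ip": m.group("ip"),
        "code": int(m.group("code")),  # 11 = SSH_DISCONNECT_BY_APPLICATION (RFC 4253)
        "message": sanitize(m.group("message")),  # untrusted, client-supplied
        "preauth": m.group("preauth") is not None,
    }


def summarize_preauth(log_text):
    """Count pre-auth disconnects per source address, busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_disconnect(line)
        if ev and ev["preauth"]:
            counts[ev["ip"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in summarize_preauth(SAMPLE_LOG):
        print("%-16s %d pre-auth disconnect(s)" % (ip, n))
```

Keying alerts on the sshd-generated fields (peer address, the [preauth] marker, repetition rate) rather than on the free-text message is what makes the report robust: the client can choose the text, but it cannot choose the address sshd records or whether the disconnect happened before authentication.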
On Thu, 2 Jan 2014, Bob Proulx wrote:

> In recent months I started noticing a new type of log message. Here
> are some examples. One of each but my logs show many runs of these
> types of messages. Along with others but these are the majority
> type. Imagine lines like these repeated many times in the syslog.
>
> Dec  7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
> Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
> Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]

...

> I am not concerned about the attack itself. I have good password
> security and rate limiting and so forth and am not asking about the
> attack itself. Attackers have been attacking systems for a long time.
> I am only asking for background so that I can understand why these new
> messages are being logged now when they haven't been seen in the
> syslog previously. Just trying to understand what changed recently.
> Did the examples change to include disconnect messages when they
> previously did not?

Not that I am aware - did you perhaps upgrade from some old version
that was not logging the preauth messages?

> I do find it annoying that anyone on the net can log any message they
> want to the syslog by sending it in the disconnect message. It makes
> it more difficult to sift useful alert information from the syslog.

It's useful information in some cases.

-d