Gentoo Archives: gentoo-user

From: covici@××××××××××.com
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: plenty of strange sshd-logs... what does it mean?
Date: Tue, 22 Feb 2011 12:07:23
Message-Id: 10763.1298374303@ccs.covici.com
In Reply to: [gentoo-user] Re: plenty of strange sshd-logs... what does it mean? by walt
walt <w41ter@×××××.com> wrote:

> On 02/21/2011 11:48 AM, Jarry wrote:
> > Hi,
> >
> > I just noticed my /var/log/sshd.log is suddenly somehow big.
>
> That's interesting. I have no such logfile. Did you change something
> in /etc/ssh/sshd_config?
>
> Oh, wait, I'm running openssh-5.8-p1, and my config file says the logging
> configuration has eliminated the "FascistLogging" option. (Nerds are a
> laugh a minute, eh?)
>
> > After checking it out I have found a lot of messages like this:
> >
> >> 2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype:
> >>Version;Remote: my.ip.add.ress-56254;Protocol: 2.0;Client:
> >>OpenSSH_5.8p1-hpn13v10
>
> >
> > This message was recorded on 2011-02-14T17:45:24+00:00 for
> > the first time, and since then exactly every 2 minutes.
> > I think it was the day when I updated to openssh-5.6-p1-r2.
>
> So, if your machine is running openssh-5.6 server, then whose machine
> is running an openssh-5.8 client?
>
> Could it be your cable or DSL router? I can ssh into my DSL router,
> but it doesn't send me any traffic unless I send some first.
>
> I'd use a sniffer like ngrep or wireshark to see who is poking at your
> ssh port, if anyone really is.
>
> Anyway, my sshd_config file (version 5.8) has a "LogLevel" setting.
> In your case I'd be tempted to increase the verbosity to figure out
> what the messages are really trying to tell you.
>

It's much simpler -- they changed what you get in the logs -- if you set
LOGLEVEL to QUIET you don't get much, if you set it to INFO you not only
get the usual public key or whatever accepted, but those extra lines for
each login. VERBOSE is even worse, so we are stuck till someone has
sense enough to put that stuff in the VERBOSE level instead.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici
covici@××××××××××.com
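
Added example (not part of the original messages): a small Python script that parses the "SSH: Server;Ltype: Version;..." lines quoted in the thread, groups them by remote host and client banner, and reports how many there are and how regularly they arrive, which is a log-only way to see who is connecting every 2 minutes. The sample lines are constructed; the addresses, PIDs and the second client string are placeholders, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the format quoted in the thread. Addresses, PIDs and
# client strings other than the one quoted above are placeholders.
SAMPLE_LOG = """\
2011-02-21T03:45:21+00:00 obelix sshd[19701]: SSH: Server;Ltype: Version;Remote: 192.0.2.10-56250;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10
2011-02-21T03:46:02+00:00 obelix sshd[19710]: Accepted publickey for user from 198.51.100.7 port 40112 ssh2
2011-02-21T03:47:21+00:00 obelix sshd[19733]: SSH: Server;Ltype: Version;Remote: 192.0.2.10-56252;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10
2011-02-21T03:49:21+00:00 obelix sshd[19767]: SSH: Server;Ltype: Version;Remote: 192.0.2.10-56254;Protocol: 2.0;Client: OpenSSH_5.8p1-hpn13v10
2011-02-21T03:50:10+00:00 obelix sshd[19790]: SSH: Server;Ltype: Version;Remote: 198.51.100.7-40113;Protocol: 2.0;Client: PuTTY_Release_0.60
"""

LINE_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (SSH: Server;.*)$")


def parse_version_line(line):
    """Return time, remote host/port and client banner, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(p.split(": ", 1) for p in m.group(2).split(";") if ": " in p)
    host, _, port = fields.get("Remote", "").rpartition("-")
    if fields.get("Ltype") != "Version" or not host or not port.isdigit():
        return None
    return {"time": datetime.fromisoformat(m.group(1)), "host": host,
            "port": int(port), "client": fields.get("Client", "")}


def summarize(log_text):
    """Group version lines by (remote host, client) and measure their spacing."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_version_line(line)
        if rec:
            seen[(rec["host"], rec["client"])].append(rec["time"])
    report = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {"count": len(times),
                       "median_gap_s": median(gaps) if gaps else None}
    return report


if __name__ == "__main__":
    for (host, client), stats in summarize(SAMPLE_LOG).items():
        print(host, client, stats)
```

A source with a steady median gap of 120 seconds and a fixed client banner points to an automated job (a monitoring check or cron task) rather than interactive logins.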