On Thu, 2 Jan 2014, Bob Proulx wrote:

> In recent months I started noticing a new type of log message. Here
> are some examples. One of each but my logs show many runs of these
> types of messages. Along with others but these are the majority
> type. Imagine lines like these repeated many times in the syslog.
>
> Dec 7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]
> Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]
> Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]

...

> I am not concerned about the attack itself. I have good password
> security and rate limiting and so forth and am not asking about the
> attack itself. Attackers have been attacking systems for a long time.
> I am only asking for background so that I can understand why these new
> messages are being logged now when they haven't been seen in the
> syslog previously. Just trying to understand what changed recently.
> Did the examples change to include disconnect messages when they
> previously did not?

Not that I am aware - did you perhaps upgrade from some old version
that was not logging the preauth messages?

> I do find it annoying that anyone on the net can log any message they
> want to the syslog by sending it in the disconnect message. It makes
> it more difficult to sift useful alert information from the syslog.

It's useful information in some cases.

-d
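An added example, not part of the thread above: one way to sift these lines out of a syslog is to match the pre-auth disconnect layout shown in the quoted samples, count them per source address, and treat the free-text description as client-supplied data. The `MAX_TEXT` cap, the function names and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the pre-authentication disconnect lines quoted in the message above.
# Layout: "<timestamp> <host> sshd[<pid>]: Received disconnect from <ip>: <code>: <text> [preauth]"
PREAUTH_DISCONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Received disconnect from (?P<ip>\S+): (?P<code>\d+): (?P<text>.*) \[preauth\]$"
)

MAX_TEXT = 40  # hypothetical cap on how much client-supplied text to keep


def sanitize(text):
    """The description is chosen by the remote client: keep printable ASCII only and cap length."""
    cleaned = "".join(c if 32 <= ord(c) < 127 else "?" for c in text)
    return cleaned[:MAX_TEXT]


def split_log(lines):
    """Return (other_lines, per_ip_counts, per_ip_texts)."""
    other, counts, texts = [], Counter(), {}
    for line in lines:
        m = PREAUTH_DISCONNECT.match(line.rstrip("\n"))
        if m is None:
            other.append(line)  # not a pre-auth disconnect: leave for normal review
            continue
        ip = m.group("ip")
        counts[ip] += 1
        texts.setdefault(ip, set()).add(sanitize(m.group("text")))
    return other, counts, texts


# The first three lines are the ones quoted in the message; the last two are constructed.
SAMPLE = [
    "Dec 7 15:49:42 havoc sshd[7575]: Received disconnect from 114.80.246.178: 11: Normal Shutdown, Thank you for playing [preauth]",
    "Dec 10 12:05:45 havoc sshd[6580]: Received disconnect from 134.147.203.117: 11: Bye [preauth]",
    "Dec 24 11:33:05 havoc sshd[410]: Received disconnect from 183.136.213.228: 11: Normal [preauth]",
    "Dec 24 11:33:09 havoc sshd[411]: Received disconnect from 183.136.213.228: 11: Normal [preauth]",
    "Dec 24 11:40:00 havoc sshd[500]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    other, counts, texts = split_log(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} preauth disconnect(s), client text: {sorted(texts[ip])}")
    print("remaining lines:", len(other))
```

The expression is anchored on the trailing `[preauth]` tag, so a description that itself contains log-like text stays inside the `text` group instead of being read as a separate field.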