Damien Miller wrote: > Bob Proulx wrote: > > In recent months I started noticing a new type of log message. > > ... > > Just trying to understand what changed recently. Did the examples > > change to include disconnect messages when they previously did > > not? > > Not that I am aware - did you perhaps upgrade from some old version that > was not logging the preauth messages? I am always hesitant to mention version numbers upstream because I am using a software distribution and as you know software distributions support a single release for the lifetime of the distro's stable release. I am running Debian Stable on my internet facing machines. For Debian it is about two years. For me this is perfect. In private mail I had someone point me to this serverfault question. Apparently I was not the only one who noticed this change and was asking questions about it. (shrug) http://serverfault.com/questions/559200/what-does-normal-shutdown-thank-you-for-playing-preauth-in-ssh-logs-mean And the answer proposed seems reasonable. That the disconnect message wasn't logged by sshd previously and now it is being logged. In your upstream sources this could have been a change any time in the last two years. I only made the upgrade on my machines last summer from a 5.x release to a 6.x release. I have been noticing these for some months but just finally decided to ask about it. > > I do find it annoying that anyone on the net can log any message they > > want to the syslog by sending it in the disconnect message. It makes > > it more difficult to sift useful alert information from the syslog. > > It's useful information in some cases. It has certainly seen use for some fun and games from the script kiddies trying to shake the doors and lift the windows. :-) Although thinking about it maybe I could write a rule for any unusual logged message to feed into the fail2ban rules? Maybe. In any case, thank you for maintaining ssh! Bob
