From: Frank C. <fr...@cr...> - 2017-01-10 10:53:38
Adam,

You may be doing this the wrong way here. I think the message you are seeing is caused by your version of syslog, not SSH. I'm pretty sure that traditional syslog (i.e. not rsyslog or syslog-ng) grouped repeats of lines and wrote them out as you have here, i.e. with the lead-in "message repeated X times".

A quick look shows that there was a script to expand this in the path scripts/shared/expandrepeats, but the current version seems to now have the expansion commented out, and in fact may not be used any more. I think you would be better resurrecting this script than adding this code to the sshd script, as it will be more generally usable.

So, aside from looking at the distribution and version of ssh, it would be good to know what you have for syslog.

Regards
Frank

On Tue, 2017-01-10 at 03:53 +0000, Adam Lehenbauer wrote:
> Sure thing; I'm running ubuntu 14.04.5 LTS, OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014
>
> In /var/log/auth.log, I see messages like this
>
> Jan 6 10:27:31 localhost sshd[20662]: message repeated 5 times: [ Failed password for sshd from 185.159.37.3 port 49969 ssh2]
>
> It has actually decreased in frequency lately but I did see one 3 days ago.
>
> -Adam
>
> On Mon, Jan 9, 2017 at 3:47 PM Erich Eckner <er...@ec...> wrote:
> > Hi,
> >
> > the patch made it through.
> > However, I can't comment on it, since these messages don't appear on my
> > machines.
> >
> > What system (distribution, sshd version) are you running? Maybe someone
> > with a similar setup can have a look?
> >
> > regards,
> > Erich
> >
> > On 09.01.2017 21:16, Adam Lehenbauer wrote:
> > > Did it come through that time?
> > >
> > > On Mon, Jan 2, 2017, 11:42 AM Adam Lehenbauer <ada...@gm...>
> > > wrote:
> > >
> > >> Re-attached patch.
> > >>
> > >> On Sun, Jan 1, 2017 at 10:50 PM Frank Crawford <fr...@cr...>
> > >> wrote:
> > >>
> > >> Related to this, what happened to the patch I sent in for SSHD in early
> > >> September? If you want I can resubmit it.
> > >>
> > >> Regards
> > >> Frank
> > >>
> > >> On Sun, 2017-01-01 at 14:14 -0500, Jason Pyeron wrote:
> > >>
> > >> no attachment!
> > >>
> > >> -----Original Message-----
> > >> From: Adam Lehenbauer
> > >> Sent: Sunday, January 01, 2017 13:02
> > >>
> > >> Hi, did this patch make it through to anyone back in
> > >> September? I guess the html in the initial message caused an
> > >> issue, so in plain text here's what I had said:
> > >>
> > >> I've noticed that I get a lot of "Unmatched Entries" for
> > >> repeated password failures from sshd, e.g.
> > >>
> > >> message repeated 2 times: [ Failed password for root from x.x.x.x port x ssh2] : 1 time(s)
> > >>
> > >> Attached patch pulls out the '2 times' and increments the
> > >> failed attempts for the report, and removes these unmatched entries.
> > >>
> > >> This is a really big cleanup for me and hopefully will help
> > >> others. I've also added some options to the man page that are
> > >> listed in the synopsis and in --usage but spelled out in the
> > >> body of the man page.
> > >>
> > >> On Sun, Sep 25, 2016 at 11:23 AM Adam Lehenbauer
> > >> <ada...@gm...> wrote:
> > >>
> > >> Hello, I've noticed that I get a lot of "Unmatched
> > >> Entries" for repeated password failures from sshd, e.g.
> > >>
> > >> message repeated 2 times: [ Failed password for root from x.x.x.x port x ssh2] : 1 time(s)
> > >>
> > >> Attached patch pulls out the '2 times' and increments
> > >> the failed attempts for the report, and removes these
> > >> unmatched entries.
> > >>
> > >> This is a really big cleanup for me and hopefully will
> > >> help others. I've also added some options to the man page
> > >> that are listed in the synopsis and in --usage but spelled
> > >> out in the body of the man page.
> > >>
> > >> -Adam
> > >>
> > >> _______________________________________________
> > >> Logwatch-devel mailing list
> > >> Log...@li...
> > >> https://lists.sourceforge.net/lists/listinfo/logwatch-devel
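
Added example (not part of the thread, and not logwatch's own code): the approach suggested at the top of this message, shown in Python. It expands "message repeated N times: [ ... ]" lines before any service-specific counting, so the sshd failed-password totals include the collapsed attempts. It assumes each repeat line stands for N further occurrences of the bracketed message; the function names, regexes and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# "Jan  6 10:27:31 host sshd[20662]: <msg>" -> prefix (head), program tag, message
PREFIX = re.compile(
    r"^(?P<head>\w{3}\s+\d+ [\d:]{8} \S+ (?P<tag>[\w./-]+)(?:\[\d+\])?: )(?P<msg>.*)$")
# Collapsed form seen in the thread: "message repeated 5 times: [ <inner>]"
REPEAT = re.compile(r"^message repeated (?P<n>\d+) times: \[\s*(?P<inner>.*)\]$")
FAILED = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")

def expand_repeats(lines):
    """Yield log lines with every repeat summary replaced by N copies of the
    inner message (assumption: N counts occurrences beyond the first one)."""
    for line in lines:
        line = line.rstrip("\n")
        m = PREFIX.match(line)
        r = REPEAT.match(m.group("msg")) if m else None
        if r is None:
            yield line          # ordinary or unparseable line: pass through
            continue
        for _ in range(int(r.group("n"))):
            yield m.group("head") + r.group("inner")

def failed_logins(lines):
    """Count sshd password failures per (user, source IP) after expansion."""
    counts = Counter()
    for line in expand_repeats(lines):
        m = PREFIX.match(line)
        f = FAILED.match(m.group("msg")) if m and m.group("tag") == "sshd" else None
        if f:
            counts[(f.group("user"), f.group("ip"))] += 1
    return counts

# Constructed sample lines (documentation IP ranges), not taken from a real host.
SAMPLE = [
    "Jan  6 10:27:29 host1 sshd[20662]: Failed password for root from 192.0.2.10 port 49969 ssh2",
    "Jan  6 10:27:31 host1 sshd[20662]: message repeated 5 times: [ Failed password for root from 192.0.2.10 port 49969 ssh2]",
    "Jan  6 10:28:02 host1 sshd[20670]: Failed password for invalid user admin from 203.0.113.7 port 51212 ssh2",
    "Jan  6 10:28:05 host1 sshd[20670]: message repeated 2 times: [ Failed password for invalid user admin from 203.0.113.7 port 51212 ssh2]",
    "Jan  6 10:29:00 host1 sshd[20680]: Accepted publickey for adam from 198.51.100.4 port 40000 ssh2",
    "Jan  6 10:29:10 host1 CRON[20700]: message repeated 3 times: [ pam_unix(cron:session): session closed for user root]",
]

if __name__ == "__main__":
    for (user, ip), n in failed_logins(SAMPLE).most_common():
        print(f"{n:3d} failed password(s) for {user} from {ip}")
```

Because the expansion runs ahead of the sshd matching, the CRON repeat line in the sample is unrolled by the same code path, which is the "more generally usable" property argued for above.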