From: Frank C. <fr...@cr...> - 2017-01-10 11:14:10
|
In fact I just did a quick search and the message is probably caused by the rsyslog option $RepeatedMsgReduction (which I didn't even know existed). So, to address the issue it may be best to remove this option from /etc/rsyslog.conf. Longer term, the best place to fix this is by working on the expandrepeats option, because it isn't only affecting ssh, but all your logs. RegardsFrank On Tue, 2017-01-10 at 21:53 +1100, Frank Crawford wrote: > Adam, > > You may be doing this the wrong way here. I think the message you > are seeing is caused by your version of syslog, not SSH. I'm pretty > sure that traditional syslog (i.e. not rsyslog or syslog-ng) grouped > repeats of lines and wrote them out as you have here, i.e. with the > lead in "message repeated X times". > > A quick look shows that there was a script to expand this in the path > scripts/shared/expandrepeats, but the current version seems to now > have the expansion commented out, and in fact may not be used any > more. > > I think you would be better resurrecting this script, than adding > this code to the sshd script, as it will be more generally usable. > > So, aside from looking at the distribution and version of ssh, it > would be good to know what you have for syslog. > > Regards > Frank > > On Tue, 2017-01-10 at 03:53 +0000, Adam Lehenbauer wrote: > > Sure thing; I'm running ubuntu 14.04.5 LTS,OpenSSH_6.6.1p1 Ubuntu- > > 2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014 > > > > In /var/log/auth.log, I see messages like this > > > > Jan 6 10:27:31 localhost sshd[20662]: message repeated 5 times: [ > > Failed password for sshd from 185.159.37.3 port 49969 ssh2] > > > > It has actually decreased in frequency lately but I did see one 3 > > days ago. > > > > -Adam > > On Mon, Jan 9, 2017 at 3:47 PM Erich Eckner <er...@ec...> > > wrote: > > > Hi, > > > > > > > > > > > > the patch made it through. > > > > > > However, I can't comment on it, since these messages don't appear > > > on my > > > > > > machines. > > > > > > > > > > > > What system (distribution, sshd version) are you running? Maybe > > > someone > > > > > > with a similar setup can have a look? > > > > > > > > > > > > regards, > > > > > > Erich > > > > > > > > > > > > On 09.01.2017 21:16, Adam Lehenbauer wrote: > > > > > > > Did it come through that time? > > > > > > > > > > > > > > On Mon, Jan 2, 2017, 11:42 AM Adam Lehenbauer <adam.lehenbauer@ > > > gmail.com> > > > > > > > wrote: > > > > > > > > > > > > > >> Re-attached patch. > > > > > > >> > > > > > > >> > > > > > > >> On Sun, Jan 1, 2017 at 10:50 PM Frank Crawford <frank@crawford > > > .emu.id.au> > > > > > > >> wrote: > > > > > > >> > > > > > > >> Related to this, what happened to the patch I sent in for SSHD > > > in early > > > > > > >> September? If you want I can resubmit it. > > > > > > >> > > > > > > >> Regards > > > > > > >> Frank > > > > > > >> > > > > > > >> On Sun, 2017-01-01 at 14:14 -0500, Jason Pyeron wrote: > > > > > > >> > > > > > > >> no attachment! > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> -----Original Message----- > > > > > > >> From: Adam Lehenbauer > > > > > > >> Sent: Sunday, January 01, 2017 13:02 > > > > > > >> > > > > > > >> Hi did this patch make it through to anyone back in > > > > > > >> September? I guess the html in the initial message caused an > > > > > > >> issue, so in plain text here's what I had said: > > > > > > >> > > > > > > >> I've noticed that I get a lot of "Unmatched Entries" for > > > > > > >> repeated password failures from sshd, e.g. > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> message repeated 2 times: [ Failed password for root from > > > > > > >> x.x.x.x port x ssh2] : 1 time(s) > > > > > > >> > > > > > > >> > > > > > > >> Attached patch pulls out the '2 times' and increments the > > > > > > >> failed attempts for the report, and removes these unmatched > > > entries. > > > > > > >> > > > > > > >> This is a really big cleanup for me and hopefully will help > > > > > > >> others. I've also added some options to the man page that are > > > > > > >> listed in the synopsis and in --usage but spelled out in the > > > > > > >> body of the man page. > > > > > > >> > > > > > > >> > > > > > > >> On Sun, Sep 25, 2016 at 11:23 AM Adam Lehenbauer > > > > > > >> <ada...@gm...> wrote: > > > > > > >> > > > > > > >> > > > > > > >> Hello, I've noticed that I get a lot of "Unmatched > > > > > > >> Entries" for repeated password failures from sshd, e.g. > > > > > > >> > > > > > > >> message repeated 2 times: [ Failed password for root from > > > > > > >> x.x.x.x port x ssh2] : 1 time(s) > > > > > > >> > > > > > > >> Attached patch pulls out the '2 times' and increments > > > > > > >> the failed attempts for the report, and removes these > > > > > > >> unmatched entries. > > > > > > >> > > > > > > >> This is a really big cleanup for me and hopefully will > > > > > > >> help others. I've also added some options to the man page > > > > > > >> that are listed in the synopsis and in --usage but spelled > > > > > > >> out in the body of the man page. > > > > > > >> > > > > > > >> -Adam > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > > > >> -------------------------------------------------------------- > > > ---------------- > > > > > > >> Check out the vibrant tech community on one of the world's > > > most > > > > > > >> engaging tech sites, SlashDot.org! http://sdm.link/slashdot > > > > > > >> _______________________________________________ > > > > > > >> Logwatch-devel mailing listLogwatch- > > > de...@li...https://lists.sourceforge.net/lists/li > > > stinfo/logwatch-devel > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------- > > > ----------------- > > > > > > > Developer Access Program for Intel Xeon Phi Processors > > > > > > > Access to Intel Xeon Phi processor-based developer platforms. > > > > > > > With one year of Intel Parallel Studio XE. > > > > > > > Training and support from Colfax. > > > > > > > Order your platform today. http://sdm.link/xeonphi > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > Logwatch-devel mailing list > > > > > > > Log...@li... > > > > > > > https://lists.sourceforge.net/lists/listinfo/logwatch-devel > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------- > ----------- > Developer Access Program for Intel Xeon Phi Processors > Access to Intel Xeon Phi processor-based developer platforms. > With one year of Intel Parallel Studio XE. > Training and support from Colfax. > Order your platform today. http://sdm.link/xeonphi___________________ > ____________________________ > Logwatch-devel mailing list > Log...@li... > https://lists.sourceforge.net/lists/listinfo/logwatch-devel |