Logwatch / Patches / #78 Unmatched entries related to MaxStartups throttling in OpenSSH

Unmatched entries related to MaxStartups throttling in OpenSSH

#78 Unmatched entries related to MaxStartups throttling in OpenSSH

Milestone: v7.7

Status: closed

Owner: Frank Crawford

Labels: None

Priority: 5

Updated: 2022-12-24

Created: 2022-12-15

Creator: Joe Horn

Private: No

Hi, here are some unmatched entries ( parsed with scripts/services/sshd ) which related to MaxStartups throttling in OpenSSH.

drop connection #10 from [152.228.206.64]:55784 on [10.0.0.133]:22 past MaxStartups : 1 Time
drop connection #10 from [186.122.177.117]:38222 on [10.0.0.133]:22 past MaxStartups : 1 Time
drop connection #10 from [203.76.241.10]:37490 on [10.0.0.133]:22 past MaxStartups : 1 Time
drop connection #12 from [101.206.243.239]:40874 on [10.0.0.133]:22 past MaxStartups : 1 Time
drop connection #18 from [141.94.110.90]:59020 on [10.0.0.133]:22 past MaxStartups : 1 Time
error: beginning MaxStartups throttling : 5 Times
exited MaxStartups throttling after 00:07:36, 16 connections dropped : 1 Time
exited MaxStartups throttling after 00:08:17, 14 connections dropped : 1 Time
exited MaxStartups throttling after 00:21:59, 10 connections dropped : 1 Time
exited MaxStartups throttling after 00:25:46, 13 connections dropped : 1 Time
exited MaxStartups throttling after 00:27:08, 31 connections dropped : 1 Time

Discussion

Frank Crawford - 2022-12-16

Joe,

Do you have any code to match them?

I've also been thinking of reporting on them, but was stuck with what do we want to not for them? Would it just be a count of MaxStartups by IP address, or something more complicated?

Frank

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Joe Horn - 2022-12-16
  
  Hi Frank,
  
  MaxStartups mechanism was designed for preventing DoS / DDoS.
  I think we don't have to count or report them by IP address.
  
  I have tried to modify the code and still verifying and testing.
  Here is recent committed & pushed result :
  https://sourceforge.net/u/joehorn/logwatch/ci/7ea8ce1ae47947e7bfe3558d42a82b83aeea36ae/
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Frank Crawford - 2022-12-17

Joe,

Having a quick look at it, I don't see anything wrong with it. I'll give it a quick test.

I notice that you are also cleaning up some other formatting, which is not a problem.

If you want to create a PR for it, feel free, or if you want me to just roll it into the current code, I can do that.

Regards
Frank

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Joe Horn - 2022-12-18
  
  Hi, Frank,
  
  Please roll it into master tree if you agree that, thank you.
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Frank Crawford - 2022-12-19

Will do, although I may expand it a little with some more stats for higher levels of detail.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Frank Crawford - 2022-12-24

status: open --> closed

assigned_to: Frank Crawford
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Frank Crawford - 2022-12-24

Joe,
I've taken your original code, expanded it with some more information at higher detail levels and now merged it into the tree.
You can either pull down the latest version in the git repo, or wait until the next version of Logwatch is released, which should be in a month or so.

Thanks
Frank

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Unmatched entries related to MaxStartups throttling in OpenSSH

Group

Searches

Help

#78 Unmatched entries related to MaxStartups throttling in OpenSSH

Discussion