Hello,
my question is how to stop the journal from reporting attempts to connect to ssh from the web, in order to prevent log spamming.
I restrict ssh connections to local addresses only and deny all connections from the web. Currently, I have in /etc/hosts.allow the following entry:
sshd,sshdfwd-X11: 192.168.1.
hosts.deny contains the following:
sshd,sshdfwd-X11:ALL
And from time to time I see in the journal long series of such lines:
Aug 16 21:54:19 localhost sshd[5278]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:54:30 localhost sshd[5279]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:54:40 localhost sshd[5280]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:54:50 localhost sshd[5281]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:55:01 localhost sshd[5282]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:55:11 localhost sshd[5283]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:55:21 localhost sshd[5284]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:55:31 localhost sshd[5285]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:57:45 localhost sshd[5299]: refused connect from 78.106.181.145 (78.106.181.145)
... many more lines
Previously, I had another configuration where connections were restricted via /etc/ssh/sshd_config:
PasswordAuthentication no
AllowUsers user1@192.168.1.0/24
Match User user1
PasswordAuthentication yes
But that didn't prevent log spamming either.
So, how does one set up ssh so that any attempts to connect to ssh from the web are dropped silently and not reported in the logs?
I guess, this certainly can be done with iptables, but is there a more simple way via options in /etc/ssh/sshd_config?
Last edited by nbd (2021-08-17 20:56:08)
bing different
Offline
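As an added example (not code from the thread), a small Python script that parses the "refused connect" lines quoted above, counts them per source address and sorts them into LAN and non-LAN origin using the 192.168.1.0/24 prefix implied by the hosts.allow entry. The journal text is a constructed sample embedded in the script: the lines quoted in the question plus one hypothetical refusal from a LAN address, so that both branches of the classifier run. A refusal from inside the allowed prefix would mean the wrapper rules do not match what was intended, which is worth knowing before the messages are silenced.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: the journal lines quoted in the question plus one
# hypothetical LAN refusal (192.168.1.77) and one unrelated accepted login.
SAMPLE_JOURNAL = """\
Aug 16 21:54:19 localhost sshd[5278]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:54:30 localhost sshd[5279]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:54:40 localhost sshd[5280]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:57:45 localhost sshd[5299]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:58:02 localhost sshd[5301]: refused connect from 192.168.1.77 (192.168.1.77)
Aug 16 21:58:10 localhost sshd[5302]: Accepted publickey for user1 from 192.168.1.20 port 50122 ssh2
"""

# Matches the libwrap refusal message as it appears in a syslog-style journal line.
REFUSED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"refused connect from (?P<host>\S+) \((?P<addr>[0-9a-fA-F.:]+)\)$"
)


def parse_refusals(text):
    """Yield (timestamp, pid, address) for every 'refused connect' line."""
    for line in text.splitlines():
        m = REFUSED_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("pid")), ipaddress.ip_address(m.group("addr"))


def summarize(text, lan_networks):
    """Count refusals per source address and split them by LAN vs non-LAN origin.

    lan_networks is a list of CIDR strings, e.g. ["192.168.1.0/24"].
    Returns {"lan": {addr: n}, "outside": {addr: n}, "total": n}.
    """
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    counts = Counter()
    for _ts, _pid, addr in parse_refusals(text):
        counts[str(addr)] += 1
    lan, outside = {}, {}
    for addr_str, n in counts.items():
        addr = ipaddress.ip_address(addr_str)
        (lan if any(addr in net for net in nets) else outside)[addr_str] = n
    return {"lan": lan, "outside": outside, "total": sum(counts.values())}


if __name__ == "__main__":
    import sys
    # Read piped journal output if present, otherwise use the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    report = summarize(text, ["192.168.1.0/24"])
    for scope in ("outside", "lan"):
        for addr, n in sorted(report[scope].items(), key=lambda kv: -kv[1]):
            print(f"{scope:8} {addr:40} {n}")
    print("total refusals:", report["total"])
```

Piping `journalctl -u sshd --no-pager` into the script gives the same per-address table for a real journal; the "outside" group is the set of addresses a firewall rule would need to cover, and a non-empty "lan" group points at a mismatch between hosts.allow and the addresses actually in use.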
IP Access Lists
Offline
https://man.archlinux.org/man/sshd_config.5.en
Look for "LogLevel"
Offline
Thanks for the helpful advice. This solved my issue.
bing different
Offline
Forgot to remove ssh entries from hosts.allow and hosts.deny. Hope that the problem is solved.
Last edited by nbd (2021-08-17 20:54:17)
bing different
Offline
The line is actually from https://archlinux.org/packages/communit … 4/libwrap/ so the sshd config doesn't apply here :-(
Edit: yes, hosts.deny would cause this
Last edited by seth (2021-08-17 21:13:27)
Offline
For those who will have a similar problem and find this thread: the
LogLevel ERROR
option added to the aforementioned sshd_config configuration seems to solve the issue.
Last edited by nbd (2021-08-20 03:12:08)
bing different
Offline
BTW, isn't ListenAddress a better option to use for limiting ssh connections? If one specifies in sshd_config the local address of the machine
ListenAddress 192.168.1.10
then this should automatically make ssh unreachable from the web?
bing different
Offline
https://wiki.archlinux.org/title/OpenSS … management
See the note.
https://wiki.archlinux.org/title/OpenSS … ce_attacks
https://wiki.archlinux.org/title/OpenSSH#Protection
https://unix.stackexchange.com/question … ip-address
Personally: if you do not expect any benign traffic from certain areas in the world, block them in the firewall.
I've not vetted it, but superficially it looks like an ok tutorial and gives you an idea of what to do.
https://docs.rackspace.com/support/how- … -iptables/
The geoip packages are in the repos, xtables in the AUR - so please use the package manager.
Offline
@seth, many thanks, very useful links.
So, I will restore sshd's LogLevel to INFO, use ListenAddress without sshd.socket, and if there are issues, I will resort to this:
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
Issue resolved.
bing different
Offline
This will block *all* incoming traffic for port 22 on eth0 - I assume that's not what you want?
Offline
That machine has two interfaces. eth0 is dedicated to WAN, eth1 is connected to LAN. ssh should only be accessible from LAN. Without ListenAddress option set, ssh listened on all interfaces.
bing different
Offline
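Added example, not the poster's or seth's code: a Python checker for the ListenAddress and LogLevel settings discussed above. It parses an sshd_config (the sample inline is constructed for the example, not anyone's real file), separates the global section from Match blocks, applies sshd's rule that the first obtained value of a keyword wins (ListenAddress is one of the few keywords that accumulate instead), and reports whether every ListenAddress is a specific address inside the LAN prefix. With no ListenAddress at all it reports False, matching the observation in the last post that sshd then listens on all interfaces. The function names and the 192.168.1.0/24 prefix are assumptions of the example.

```python
import ipaddress

# Constructed sshd_config for the example; it combines the directives discussed
# in the thread and is not a copy of anyone's real file.
SAMPLE_SSHD_CONFIG = """\
# Global section: ListenAddress is only valid here, not under Match.
ListenAddress 192.168.1.10
LogLevel ERROR
PasswordAuthentication no
AllowUsers user1@192.168.1.0/24
LogLevel INFO   # ignored by sshd: the first obtained value wins

Match User user1
    PasswordAuthentication yes
    LogLevel VERBOSE
"""


def parse_sshd_config(text):
    """Split sshd_config text into (global_entries, match_blocks).

    global_entries: [(keyword, value), ...] in file order, keywords lowercased
    (sshd matches them case-insensitively).
    match_blocks:   [(criteria, [(keyword, value), ...]), ...]; a Match line
    starts a block that runs to the next Match or end of file.
    Only the 'Keyword value' form is handled, not 'Keyword=value'.
    """
    global_entries, match_blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = (value, [])
            match_blocks.append(current)
        elif current is None:
            global_entries.append((keyword, value))
        else:
            current[1].append((keyword, value))
    return global_entries, match_blocks


def first_value(entries, keyword, default=None):
    """sshd uses the first obtained value of a keyword and ignores later ones
    (ListenAddress, Port and HostKey are exceptions that accumulate)."""
    for k, v in entries:
        if k == keyword:
            return v
    return default


def listen_addresses(global_entries):
    """Every ListenAddress value, in order; sshd binds one socket per entry."""
    return [v for k, v in global_entries if k == "listenaddress"]


def _listen_host(entry):
    """Address part of a ListenAddress value. Accepted forms:
    addr, addr:port, [addr]:port, each optionally followed by 'rdomain X'."""
    entry = entry.split(" rdomain ")[0].strip()
    if entry.startswith("["):
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:          # IPv4:port
        return entry.split(":")[0]
    return entry                       # bare IPv4 or bare IPv6


def listens_lan_only(global_entries, lan_network):
    """True only if sshd is told to bind exclusively to specific addresses
    inside lan_network. No ListenAddress means all interfaces, so False;
    a hostname cannot be verified statically, so False; 0.0.0.0 and ::
    are wildcards, so False."""
    net = ipaddress.ip_network(lan_network)
    addrs = listen_addresses(global_entries)
    if not addrs:
        return False
    for entry in addrs:
        try:
            addr = ipaddress.ip_address(_listen_host(entry))
        except ValueError:
            return False
        if addr.is_unspecified or addr not in net:
            return False
    return True


def audit(text, lan_network):
    """Summarise the settings the thread cares about for one config text."""
    g, matches = parse_sshd_config(text)
    return {
        "listen": listen_addresses(g),
        "lan_only": listens_lan_only(g, lan_network),
        "loglevel": first_value(g, "loglevel", "INFO").upper(),   # INFO is sshd's default
        "match_loglevels": [(crit, first_value(body, "loglevel")) for crit, body in matches],
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_SSHD_CONFIG, "192.168.1.0/24").items():
        print(f"{key:16} {val}")
```

The check is static: it says what sshd has been told, not what is bound. Two caveats follow from the thread itself. The ListenAddress directive only takes effect when sshd opens its own listening socket, which is why the earlier post says "without sshd.socket"; under socket activation the address to bind belongs to the systemd socket unit instead. And the hosts.deny refusals are produced by libwrap before sshd's own LogLevel is consulted for that connection, so a LAN-only ListenAddress removes the source of the messages (no connection from eth0 ever reaches sshd) rather than merely lowering their log level.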