
#1 2021-08-16 22:33:26

nbd
Member
Registered: 2014-08-04
Posts: 389

[SOLVED] Configuring ssh to reduce the log reporting

Hello,

my question is how to stop reporting in the journal about attempts to connect to ssh from the web, in order to prevent log spamming.

I restrict ssh connections to local addresses only and deny all connections from the web. Currently, I have in /etc/hosts.allow the following entry:

sshd,sshdfwd-X11: 192.168.1. 

hosts.deny contains the following:

sshd,sshdfwd-X11:ALL

And from time to time I see in the journal long series of such lines:

Aug 16 21:54:19 localhost sshd[5278]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:54:30 localhost sshd[5279]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:54:40 localhost sshd[5280]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:54:50 localhost sshd[5281]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:55:01 localhost sshd[5282]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:55:11 localhost sshd[5283]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:55:21 localhost sshd[5284]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:55:31 localhost sshd[5285]: refused connect from 78.106.181.145 (78.106.181.145)
Aug 16 21:57:45 localhost sshd[5299]: refused connect from 78.106.181.145 (78.106.181.145)
... many more lines

Previously, I had another configuration where connections were restricted via /etc/ssh/sshd_config:

PasswordAuthentication no
AllowUsers user1@192.168.1.0/24
Match User user1
	PasswordAuthentication yes

But that didn't prevent log spamming either.

So, how does one set up ssh so that any attempts to connect to ssh from the web are dropped silently and not reported in the logs?

I guess this certainly can be done with iptables, but is there a simpler way via options in /etc/ssh/sshd_config?

Last edited by nbd (2021-08-17 20:56:08)


bing different

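Added example, not part of the thread: a way to condense the "refused connect" lines quoted in the post above into one row per source instead of reading them line by line. The function name, the sample lines and the documentation addresses in them are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-source summary of libwrap refusals.

# Constructed sample in the journal format quoted in the post; the addresses
# are documentation ranges, not real hosts.
sample_log() {
cat <<'EOF'
Aug 16 21:54:19 localhost sshd[5278]: refused connect from 203.0.113.7 (203.0.113.7)
Aug 16 21:54:30 localhost sshd[5279]: refused connect from 203.0.113.7 (203.0.113.7)
Aug 16 21:54:41 localhost sshd[5280]: refused connect from scanner.example (198.51.100.20)
Aug 16 21:54:50 localhost sshd[5281]: refused connect from 203.0.113.7 (203.0.113.7)
Aug 16 21:55:02 localhost sshd[5290]: Accepted publickey for user1 from 192.168.1.23 port 50022 ssh2
Aug 16 21:57:45 localhost sshd[5299]: refused connect from 203.0.113.7 (203.0.113.7)
EOF
}

# stdin: syslog-style lines. stdout: one tab-separated row per source,
# "count<TAB>address<TAB>first_seen<TAB>last_seen", busiest source first.
summarize_refused() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "refused" && $7 == "connect" {
        addr = $NF
        gsub(/[()]/, "", addr)          # "(203.0.113.7)" -> "203.0.113.7"
        stamp = $1 " " $2 " " $3
        if (!(addr in count)) first[addr] = stamp
        count[addr]++
        last[addr] = stamp
    }
    END {
        for (a in count)
            printf "%d\t%s\t%s\t%s\n", count[a], a, first[a], last[a]
    }' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

sample_log | summarize_refused
```

On a live system the same function can read the journal, for example `journalctl -t sshd -o short | summarize_refused`.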

#2 2021-08-17 04:59:36

pkill
Member
Registered: 2019-08-16
Posts: 4

Re: [SOLVED] Configuring ssh to reduce the log reporting


#3 2021-08-17 06:07:28

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: [SOLVED] Configuring ssh to reduce the log reporting


#4 2021-08-17 07:29:00

nbd
Member
Registered: 2014-08-04
Posts: 389

Re: [SOLVED] Configuring ssh to reduce the log reporting

Thanks for the helpful advice. This solved my issue.


bing different


#5 2021-08-17 20:39:53

nbd
Member
Registered: 2014-08-04
Posts: 389

Re: [SOLVED] Configuring ssh to reduce the log reporting

Forgot to remove ssh entries from hosts.allow and hosts.deny. Hope that the problem is solved.

Last edited by nbd (2021-08-17 20:54:17)


bing different


#6 2021-08-17 21:12:50

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: [SOLVED] Configuring ssh to reduce the log reporting

The line is actually from https://archlinux.org/packages/communit … 4/libwrap/ so the sshd config doesn't apply here :-(

Edit: yes, hosts.deny would cause this

Last edited by seth (2021-08-17 21:13:27)


#7 2021-08-19 02:29:17

nbd
Member
Registered: 2014-08-04
Posts: 389

Re: [SOLVED] Configuring ssh to reduce the log reporting

For those who will have a similar problem and find this thread: the

LogLevel ERROR

option added to the aforementioned sshd_config configuration seems to solve the issue.

Last edited by nbd (2021-08-20 03:12:08)


bing different


#8 2021-08-20 02:47:48

nbd
Member
Registered: 2014-08-04
Posts: 389

Re: [SOLVED] Configuring ssh to reduce the log reporting

BTW, isn't ListenAddress a better option to use for limiting ssh connection? If one specifies in sshd_config the local address of the machine

ListenAddress 192.168.1.10

then this automatically should make ssh unreachable for the web?


bing different


#9 2021-08-20 05:44:28

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: [SOLVED] Configuring ssh to reduce the log reporting

https://wiki.archlinux.org/title/OpenSS … management
See the note.

https://wiki.archlinux.org/title/OpenSS … ce_attacks
https://wiki.archlinux.org/title/OpenSSH#Protection
https://unix.stackexchange.com/question … ip-address

Personally: if you do not expect any benign traffic from certain areas in the world, block them in the firewall.
I've not vetted it but superficially looks an ok tutorial and gives you an idea of what to do.
https://docs.rackspace.com/support/how- … -iptables/

The geoip packages are in the repos, xtables in the AUR - so please use the package manager.


#10 2021-08-20 10:27:29

nbd
Member
Registered: 2014-08-04
Posts: 389

Re: [SOLVED] Configuring ssh to reduce the log reporting

@seth, many thanks, very useful links.

So, I restore sshd's LogLevel to INFO, will use ListenAddress without sshd.socket, and if there are issues, I will resort to this:

iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

Issue resolved.


bing different


#11 2021-08-20 14:03:28

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: [SOLVED] Configuring ssh to reduce the log reporting

This will block *all* incoming traffic for port 22 on eth0 - I assume that's not what you want?


#12 2021-08-20 17:47:33

nbd
Member
Registered: 2014-08-04
Posts: 389

Re: [SOLVED] Configuring ssh to reduce the log reporting

That machine has two interfaces. eth0 is dedicated to WAN, eth1 is connected to LAN. ssh should only be accessible from LAN. Without ListenAddress option set, ssh listened on all interfaces.


bing different

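Added example, not part of the thread: a check that the ListenAddress setup discussed above took effect, by flagging any port 22 listener bound to something other than the LAN address. The function name and both `ss -Htln` samples are constructed; 192.168.1.10 is the address used in post #8.

```shell
#!/bin/sh
# Added example (not from the thread): flag SSH listeners outside the LAN address.

# Constructed `ss -Htln` output before setting ListenAddress (wildcard binds).
ss_before() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
EOF
}

# Constructed output after "ListenAddress 192.168.1.10" and an sshd restart.
ss_after() {
cat <<'EOF'
LISTEN 0 128 192.168.1.10:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
EOF
}

# usage: ss -Htln | ssh_listeners_outside <allowed-address> [port]
# Prints every local address bound to the SSH port other than the allowed
# one; exit status is 1 when at least one such listener exists.
ssh_listeners_outside() {
    awk -v allowed="$1" -v port="${2:-22}" '
    $1 == "LISTEN" && match($4, /:[0-9]+$/) {
        addr = substr($4, 1, RSTART - 1)     # text before the last colon
        p = substr($4, RSTART + 1)           # port digits after it
        if (p + 0 == port + 0 && addr != allowed) { print addr; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

ss_before | ssh_listeners_outside 192.168.1.10 || echo "sshd reachable beyond the LAN address"
ss_after  | ssh_listeners_outside 192.168.1.10 && echo "sshd bound to 192.168.1.10 only"
```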
