[hobbit] RE: [SOLVED][hobbit] sshd notification in syslog

Rob Munsch rmunsch at solutionsforprogress.com
Thu Mar 2 23:10:24 CET 2006


Hmm. yes.  sometimes it helps to keep reading the thread before replying.
Giving it the version number stopped the log-choking complaints here as 
well.
Thanks!

thomas.seglard.enata at cnp.fr wrote:

>
> Thank you !
>
> the second option (the one you preferred) was a good bet !
> I added the lines as you indicate and that's solved my problem.
>
> Best regards,
>
> Thomas Seglard
>
> "Schwimmer, Eric E *HS" <EES2Y at hscmail.mcc.virginia.edu> a écrit sur 
> 02/03/2006 17:31:10 :
>
> >
> > Three posibilities, off the top of my head:
> >
> > On the client side:
> > 1. Install syslog-ng instead of ksyslogd, and
> >    filter on the ip address of your hobbit server.
> > 2. Call your logrotate script (assuming you use one)
> >    more often, and/or make it compress your old syslog
> >    messages.
> >
> > On the hobbit server side:
> > (this is my preferred option)
> > 1. change your bb-services file ($HOBBIT/server/etc/bb-services)
> >    so that ssh test sends the version string.  I think that will
> >    stop your sshd from complaining.
> >
> > ie.:
> >
> > [ssh|ssh1|ssh2]
> >    send "SSH-2.0-OpenSSH_4.1\r\n"
> >    expect "SSH"
> >    options banner
> >    port 22
> >
> > I think if you disconnect after the version exchange, but
> > before the diffie-helman key exchance, sshd wont log anything.
> >
> > Now, if you arent accepting v2 connections on your clients,
> > you'll have to set up a separate [ssh1] stanza that supplies
> > an ssh v1 string (SSH-1.5-OpenSSH_4.2) and change your ssh
> > statement in your bb-hosts to ssh1 for those machines.  
> > Otherwise your logs are just going to be filled with
> > protocol mismatch messages instead.
> >
> > HTH,
> >
> > -Eric Schwimmer
> > Network Engineer
> > UVA HSCS Network Engineering  
> >
> > > -----Original Message-----
> > > From: thomas.seglard.enata at cnp.fr
> > > [mailto:thomas.seglard.enata at cnp.fr]
> > > Sent: Thursday, March 02, 2006 6:09 AM
> > > To: hobbit at hswn.dk
> > > Subject: [hobbit] sshd notification in syslog
> > >
> > >
> > > Hello,
> > >
> > > since deployment of hobbit's client on 200 servers (hpux,
> > > aix, sun, linux), I got this message in syslog :
> > >
> > > Feb 13 12:05:44 psa089 sshd[9813]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:06:47 psa089 sshd[9980]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:07:49 psa089 sshd[10006]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:08:17 psa089 sshd[10012]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:08:48 psa089 sshd[10078]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:09:52 psa089 sshd[10564]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:10:55 psa089 sshd[10871]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:11:57 psa089 sshd[10987]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:13:00 psa089 sshd[11060]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:13:20 psa089 sshd[11065]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:14:02 psa089 sshd[11166]: Did not receive
> > > identification string from 158.157.156.91
> > > Feb 13 12:15:06 psa089 sshd[11297]: Did not receive
> > > identification string from 158.157.156.91
> > >
> > > Ip address is the one from my hobbit's server
> > > (158.157.156.91). This message do not specify that the ssh
> > > test failed, so I'm not worried about this. The main problem
> > > is the size of syslog and /var is growing rapidly ! Anyone
> > > knows how to prevent this message to be display in syslog ?
> > > Thank you !
> > >
> > > Thomas Seglard
> > > (I'm using Lotus Notes, what a challenge...)
> > >
> > > Ce message (et toutes ses pieces jointes eventuelles) est
> > > confidentiel et etabli a l'intention exclusive de ses destinataires.
> > > Toute utilisation de ce message non conforme a sa
> > > destination, toute diffusion ou toute publication, totale ou
> > > partielle, est
> > > interdite, sauf autorisation expresse.
> > > L'internet ne permettant pas d'assurer l'integrite de ce
> > > message, CNP Assurances et ses filiales declinent toute responsabilite
> > > au titre de ce message, s'il a ete altere, deforme ou falsifie.
> > >
> > > *****
> > >
> > > This message and any attachments (the "message") are
> > > confidential and intended solely for the addressees.
> > > Any unauthorised use or dissemination is prohibited.
> > > E-mails are susceptible to alteration.
> > > Neither CNP Assurances nor any of its subsidiaries or
> > > affiliates shall be liable for the message if altered,
> > > changed or falsified.
> > >
> > >
> >
> > To unsubscribe from the hobbit list, send an e-mail to
> > hobbit-unsubscribe at hswn.dk
> >
> >
>
>
> Ce message (et toutes ses pieces jointes eventuelles) est confidentiel 
> et etabli a l'intention exclusive de ses destinataires.
> Toute utilisation de ce message non conforme a sa destination, toute 
> diffusion ou toute publication, totale ou partielle, est
> interdite, sauf autorisation expresse.
> L'internet ne permettant pas d'assurer l'integrite de ce message, CNP 
> Assurances et ses filiales declinent toute responsabilite
> au titre de ce message, s'il a ete altere, deforme ou falsifie.
>
> *****
>
> This message and any attachments (the "message") are confidential and 
> intended solely for the addressees.
> Any unauthorised use or dissemination is prohibited.
> E-mails are susceptible to alteration.
> Neither CNP Assurances nor any of its subsidiaries or affiliates shall 
> be liable for the message if altered, changed or falsified.



-- 
Rob Munsch
Solutions For Progress IT




More information about the Xymon mailing list