[hobbit] sshd notification in syslog
Schwimmer, Eric E *HS
EES2Y at hscmail.mcc.virginia.edu
Thu Mar 2 17:31:10 CET 2006
Three possibilities, off the top of my head:
On the client side:
1. Install syslog-ng instead of ksyslogd, and
filter on the ip address of your hobbit server.
2. Call your logrotate script (assuming you use one)
more often, and/or make it compress your old syslog
messages.
On the hobbit server side:
(this is my preferred option)
1. change your bb-services file ($HOBBIT/server/etc/bb-services)
so that ssh test sends the version string. I think that will
stop your sshd from complaining.
i.e.:
[ssh|ssh1|ssh2]
send "SSH-2.0-OpenSSH_4.1\r\n"
expect "SSH"
options banner
port 22
I think if you disconnect after the version exchange, but
before the Diffie-Hellman key exchange, sshd won't log anything.
Now, if you aren't accepting v2 connections on your clients,
you'll have to set up a separate [ssh1] stanza that supplies
an ssh v1 string (SSH-1.5-OpenSSH_4.2) and change your ssh
statement in your bb-hosts to ssh1 for those machines.
Otherwise your logs are just going to be filled with
protocol mismatch messages instead.
HTH,
-Eric Schwimmer
Network Engineer
UVA HSCS Network Engineering
> -----Original Message-----
> From: thomas.seglard.enata at cnp.fr
> [mailto:thomas.seglard.enata at cnp.fr]
> Sent: Thursday, March 02, 2006 6:09 AM
> To: hobbit at hswn.dk
> Subject: [hobbit] sshd notification in syslog
>
>
> Hello,
>
> Since deployment of hobbit's client on 200 servers (hpux,
> aix, sun, linux), I got this message in syslog:
>
> Feb 13 12:05:44 psa089 sshd[9813]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:06:47 psa089 sshd[9980]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:07:49 psa089 sshd[10006]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:08:17 psa089 sshd[10012]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:08:48 psa089 sshd[10078]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:09:52 psa089 sshd[10564]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:10:55 psa089 sshd[10871]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:11:57 psa089 sshd[10987]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:13:00 psa089 sshd[11060]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:13:20 psa089 sshd[11065]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:14:02 psa089 sshd[11166]: Did not receive
> identification string from 158.157.156.91
> Feb 13 12:15:06 psa089 sshd[11297]: Did not receive
> identification string from 158.157.156.91
>
> The IP address is the one of my hobbit server
> (158.157.156.91). This message does not specify that the ssh
> test failed, so I'm not worried about this. The main problem
> is the size of syslog and /var is growing rapidly! Does anyone
> know how to prevent this message from being displayed in syslog?
> Thank you!
>
> Thomas Seglard
> (I'm using Lotus Notes, what a challenge...)
>
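The version exchange discussed in the reply, as an added example that is not part of the original thread or of the Hobbit/Xymon code: a toy server stands in for sshd's first protocol step and a probe stands in for the network test, run over a local socket pair. The names `toy_server`, `probe`, `run` and the `SERVER_ID` banner are constructed for this illustration; `CLIENT_ID` is the string from the bb-services stanza above.

```python
import socket
import threading

SERVER_ID = b"SSH-2.0-ExampleServer_1.0\r\n"  # constructed banner, not a real product
CLIENT_ID = b"SSH-2.0-OpenSSH_4.1\r\n"        # send string from the stanza above

def read_line(sock, limit=255):
    """Read one line or until EOF; RFC 4253 caps the identification string at 255 bytes."""
    buf = b""
    while len(buf) < limit and not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:          # peer closed the connection
            break
        buf += chunk
    return buf

def toy_server(sock, log):
    """Stand-in for sshd: send our identification string, then wait for the peer's."""
    with sock:
        sock.sendall(SERVER_ID)
        peer = read_line(sock)
        if peer.startswith(b"SSH-"):
            log.append("identification ok: " + peer.decode().strip())
        else:
            log.append("Did not receive identification string")

def probe(sock, send=None, expect=b"SSH"):
    """Monitor-side test: optionally send a string, expect a banner, then disconnect."""
    with sock:
        if send:
            sock.sendall(send)
        banner = read_line(sock)
    return expect in banner

def run(send):
    """Run one probe against the toy server; return (test_ok, server_log)."""
    client, server = socket.socketpair()
    log = []
    worker = threading.Thread(target=toy_server, args=(server, log))
    worker.start()
    ok = probe(client, send)
    worker.join()
    return ok, log

if __name__ == "__main__":
    print("banner-only probe:", run(None))
    print("probe with send  :", run(CLIENT_ID))
```

Both probes report the service as up; only the server-side log differs, which is why the message appears even though the ssh test passes.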