[hobbit] sshd notification in syslog

Schwimmer, Eric E *HS EES2Y at hscmail.mcc.virginia.edu
Thu Mar 2 17:31:10 CET 2006


Three posibilities, off the top of my head:

On the client side:
1. Install syslog-ng instead of ksyslogd, and
   filter on the ip address of your hobbit server.
2. Call your logrotate script (assuming you use one)
   more often, and/or make it compress your old syslog
   messages.

On the hobbit server side:
(this is my preferred option)
1. change your bb-services file ($HOBBIT/server/etc/bb-services)
   so that ssh test sends the version string.  I think that will
   stop your sshd from complaining.

ie.:

[ssh|ssh1|ssh2]
   send "SSH-2.0-OpenSSH_4.1\r\n"
   expect "SSH"
   options banner
   port 22

I think if you disconnect after the version exchange, but
before the diffie-helman key exchance, sshd wont log anything.

Now, if you arent accepting v2 connections on your clients,
you'll have to set up a separate [ssh1] stanza that supplies
an ssh v1 string (SSH-1.5-OpenSSH_4.2) and change your ssh 
statement in your bb-hosts to ssh1 for those machines.  
Otherwise your logs are just going to be filled with
protocol mismatch messages instead.

HTH,

-Eric Schwimmer
Network Engineer
UVA HSCS Network Engineering  

> -----Original Message-----
> From: thomas.seglard.enata at cnp.fr 
> [mailto:thomas.seglard.enata at cnp.fr] 
> Sent: Thursday, March 02, 2006 6:09 AM
> To: hobbit at hswn.dk
> Subject: [hobbit] sshd notification in syslog
> 
> 
> Hello, 
> 
> since deployment of hobbit's client on 200 servers (hpux, 
> aix, sun, linux), I got this message in syslog : 
> 
> Feb 13 12:05:44 psa089 sshd[9813]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:06:47 psa089 sshd[9980]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:07:49 psa089 sshd[10006]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:08:17 psa089 sshd[10012]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:08:48 psa089 sshd[10078]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:09:52 psa089 sshd[10564]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:10:55 psa089 sshd[10871]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:11:57 psa089 sshd[10987]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:13:00 psa089 sshd[11060]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:13:20 psa089 sshd[11065]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:14:02 psa089 sshd[11166]: Did not receive 
> identification string from 158.157.156.91 
> Feb 13 12:15:06 psa089 sshd[11297]: Did not receive 
> identification string from 158.157.156.91 
> 
> Ip address is the one from my hobbit's server 
> (158.157.156.91). This message do not specify that the ssh 
> test failed, so I'm not worried about this. The main problem 
> is the size of syslog and /var is growing rapidly ! Anyone 
> knows how to prevent this message to be display in syslog ? 
> Thank you ! 
> 
> Thomas Seglard 
> (I'm using Lotus Notes, what a challenge...)
> 
> Ce message (et toutes ses pieces jointes eventuelles) est 
> confidentiel et etabli a l'intention exclusive de ses destinataires.
> Toute utilisation de ce message non conforme a sa 
> destination, toute diffusion ou toute publication, totale ou 
> partielle, est
> interdite, sauf autorisation expresse.
> L'internet ne permettant pas d'assurer l'integrite de ce 
> message, CNP Assurances et ses filiales declinent toute responsabilite
> au titre de ce message, s'il a ete altere, deforme ou falsifie.
> 
> *****
> 
> This message and any attachments (the "message") are 
> confidential and intended solely for the addressees.
> Any unauthorised use or dissemination is prohibited.
> E-mails are susceptible to alteration.
> Neither CNP Assurances nor any of its subsidiaries or 
> affiliates shall be liable for the message if altered, 
> changed or falsified.
> 
> 



More information about the Xymon mailing list