[hobbit] sshd notification in syslog

Rob Munsch rmunsch at solutionsforprogress.com
Thu Mar 2 23:04:49 CET 2006


Funny you should mention.

From the SSH list where I posted the same question (secureshell at 
securityfocus dot com):

"Generally, these are caused when a machine connects to the SSH port, but
doesn't attempt login.  They're very common if, for example, you're
making periodic connections to port 22 via some kind of monitoring
system.  However, any connection which never gets around to
authenticating, from a port scan to a user connecting and walking away
for a few minutes, can cause this message."

So... yeah.

thomas.seglard.enata at cnp.fr wrote:

>
> Hello,
>
> Since deployment of hobbit's client on 200 servers (hpux, aix, sun, 
> linux), I got this message in syslog:
>
> Feb 13 12:05:44 psa089 sshd[9813]: Did not receive identification string from 158.157.156.91
> Feb 13 12:06:47 psa089 sshd[9980]: Did not receive identification string from 158.157.156.91
> Feb 13 12:07:49 psa089 sshd[10006]: Did not receive identification string from 158.157.156.91
> Feb 13 12:08:17 psa089 sshd[10012]: Did not receive identification string from 158.157.156.91
> Feb 13 12:08:48 psa089 sshd[10078]: Did not receive identification string from 158.157.156.91
> Feb 13 12:09:52 psa089 sshd[10564]: Did not receive identification string from 158.157.156.91
> Feb 13 12:10:55 psa089 sshd[10871]: Did not receive identification string from 158.157.156.91
> Feb 13 12:11:57 psa089 sshd[10987]: Did not receive identification string from 158.157.156.91
> Feb 13 12:13:00 psa089 sshd[11060]: Did not receive identification string from 158.157.156.91
> Feb 13 12:13:20 psa089 sshd[11065]: Did not receive identification string from 158.157.156.91
> Feb 13 12:14:02 psa089 sshd[11166]: Did not receive identification string from 158.157.156.91
> Feb 13 12:15:06 psa089 sshd[11297]: Did not receive identification string from 158.157.156.91
>
> The IP address is the one from my hobbit's server (158.157.156.91). This 
> message does not specify that the ssh test failed, so I'm not worried 
> about this. The main problem is that the size of syslog and /var is growing 
> rapidly! Does anyone know how to prevent this message from being displayed in 
> syslog?
> Thank you !
>
> Thomas Seglard
> (I'm using Lotus Notes, what a challenge...)
>



-- 
Rob Munsch
Solutions For Progress IT
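
An added example, not part of the original thread: a triage script that groups "Did not receive identification string" entries by source, so that the monitoring server's regular probes can be told apart from other banner-less connections such as port scans. The `MONITORS` allowlist, the `triage` function and the 192.0.2.77 log lines are assumptions constructed for illustration; the other sample lines follow the log quoted in the thread.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 158.157.156.91 lines follow the log quoted in the thread;
# the 192.0.2.77 lines are invented (documentation address range).
SAMPLE_LOG = """\
Feb 13 12:05:44 psa089 sshd[9813]: Did not receive identification string from 158.157.156.91
Feb 13 12:06:47 psa089 sshd[9980]: Did not receive identification string from 158.157.156.91
Feb 13 12:07:49 psa089 sshd[10006]: Did not receive identification string from 158.157.156.91
Feb 13 12:07:50 psa089 sshd[10007]: Did not receive identification string from 192.0.2.77
Feb 13 12:07:51 psa089 sshd[10008]: Did not receive identification string from 192.0.2.77
Feb 13 12:08:48 psa089 sshd[10078]: Did not receive identification string from 158.157.156.91
"""

# Assumption: the operator maintains this allowlist of monitoring servers.
MONITORS = {"158.157.156.91"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Did not receive identification string from (?P<src>[0-9A-Fa-f.:]+)"
)

def triage(log_text, monitors=MONITORS, year=2006):
    """Group banner-less connections by source; split monitors from unknowns."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are out of scope here
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[m["src"]].append(ts)
    report = {"monitor": {}, "unknown": {}}
    for src, stamps in seen.items():
        stamps.sort()
        # Seconds between consecutive connections: a steady gap suggests a poller.
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        entry = {"count": len(stamps),
                 "median_gap_s": statistics.median(gaps) if gaps else None}
        report["monitor" if src in monitors else "unknown"][src] = entry
    return report

if __name__ == "__main__":
    for kind, sources in triage(SAMPLE_LOG).items():
        for src, info in sources.items():
            print(kind, src, info)
```

Sources that land under `unknown` are the ones worth reviewing; a steady gap of about a minute from an allowlisted address matches the periodic port-22 checks described in the reply.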



