Bug 2717 - MonitoringHosts option - suppress Connection reset entries from known hosts
Summary: MonitoringHosts option - suppress Connection reset entries from known hosts
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.5p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-15 13:02 AEST by john+mindrot
Modified: 2021-04-23 14:59 AEST (History)

See Also:


Attachments
Allow LogLevel to appear in sshd_config Match blocks (3.73 KB, patch)
2017-05-17 02:38 AEST, Damien Miller
dtucker: ok+

Description john+mindrot 2017-05-15 13:02:00 AEST
In a system which is being monitored by a known monitoring server or servers (for example using the nagios check_ssh plugin), the log file will have entries of the form

 sshd[30102]: Connection reset by 192.168.1.39 port 48706 [preauth]

Suppressing these messages when the connection is made by a known monitoring server would make it easier to spot probes from hostile systems.
Comment 1 Damien Miller 2017-05-16 02:05:25 AEST
This looks like a bug in nagios: https://sourceforge.net/p/nagiosplug/bugs/196/
Comment 2 john+mindrot 2017-05-16 20:12:31 AEST
(In reply to Damien Miller from comment #1)
> This looks like a bug in nagios:
> https://sourceforge.net/p/nagiosplug/bugs/196/

That bug refers to the case where the connection is not properly closed by check_ssh. My point is that if there is a connection to my system checking, for example, whether sshd is running, and possibly what version it is running, then if the connection came from a system outside my control this is a probe by an attacker and should be logged. If it comes from my monitoring system, which could be checking frequently to make sure that sshd is still running, then logging those checks just adds noise to the log file.

Systems which process those logs, such as fail2ban, denyhosts, snort etc., can all post-process the monitoring host (or hosts) entries out, but it would make real probes more obvious in the logs if the monitoring connections were suppressed.
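The post-processing approach mentioned in the comment above, as an added example that is not part of the bug report or of OpenSSH: a small filter that drops the `Connection reset by ... [preauth]` lines only when the source address is in a monitoring-host allowlist, keeps every other line untouched, and counts the remaining preauth resets per source so that probes from unknown hosts stand out. The sample log lines, the allowlist and the regular expression are constructed for this example; 192.168.1.39 plays the role of the known monitoring host.

```python
import ipaddress
import re

# Constructed sample syslog lines in the format quoted in the report (not real log data).
# 192.168.1.39 is the known monitoring host; the other sources are unknown.
SAMPLE_LOG = """\
May 15 12:58:01 host sshd[30102]: Connection reset by 192.168.1.39 port 48706 [preauth]
May 15 12:58:31 host sshd[30110]: Connection reset by 192.168.1.39 port 48712 [preauth]
May 15 12:59:02 host sshd[30121]: Connection reset by 203.0.113.7 port 51000 [preauth]
May 15 12:59:05 host sshd[30125]: Accepted publickey for alice from 192.168.1.39 port 48720 ssh2
May 15 12:59:40 host sshd[30130]: Connection reset by 198.51.100.23 port 40022 [preauth]
"""

# Matches only the pre-authentication reset line from the report (IPv4 or IPv6 source).
# This pattern is an assumption written for the example, not taken from OpenSSH.
RESET_RE = re.compile(
    r"sshd\[\d+\]: Connection reset by (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+) \[preauth\]"
)


def build_allowlist(cidrs):
    """Turn a list of addresses/CIDRs for monitoring hosts into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_monitoring_host(ip, allowlist):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def filter_resets(lines, allowlist):
    """Suppress preauth reset lines from allowlisted monitoring hosts.

    Returns (kept_lines, reset_counts): every line that is not a monitoring-host
    reset, in original order, plus a per-source count of the preauth resets that
    survived the filter (these are the candidates for a probe).
    """
    kept = []
    reset_counts = {}
    for line in lines:
        m = RESET_RE.search(line)
        if m and is_monitoring_host(m.group("ip"), allowlist):
            continue  # noise from a known monitor: drop only this line type
        kept.append(line)
        if m:
            ip = m.group("ip")
            reset_counts[ip] = reset_counts.get(ip, 0) + 1
    return kept, reset_counts


if __name__ == "__main__":
    allow = build_allowlist(["192.168.1.39/32"])
    kept, counts = filter_resets(SAMPLE_LOG.splitlines(), allow)
    for line in kept:
        print(line)
    print("preauth resets from non-monitoring sources:", counts)
```

Only the reset pattern is matched, so a successful login from the monitoring host (the `Accepted publickey` line) is still kept; this is the difference from the `Match Address` / `LogLevel quiet` configuration proposed later in this bug, which silences all of sshd's logging for connections from that address rather than just the reset noise.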
Comment 3 Damien Miller 2017-05-17 02:38:47 AEST
Created attachment 2979 [details]
Allow LogLevel to appear in sshd_config Match blocks

I think the best way to do this would be to allow LogLevel to appear inside Match blocks, so you can do:

Match 192.20.123.45
  LogLevel quiet

LogLevel is only currently supported at the top level of config and not inside Match, so this patch fixes that.
Comment 4 Darren Tucker 2017-05-17 09:10:43 AEST
Comment on attachment 2979 [details]
Allow LogLevel to appear in sshd_config Match blocks

Nice solution!
Comment 5 Darren Tucker 2017-05-17 09:12:43 AEST
(In reply to Damien Miller from comment #3)
> Match 192.20.123.45

ITYM "Match Address 192.20.123.45"
Comment 6 john+mindrot 2017-05-17 18:17:15 AEST
(In reply to Damien Miller from comment #3)
> Created attachment 2979 [details]
> Allow LogLevel to appear in sshd_config Match blocks
> 
> I think the best way to do this would be to allow LogLevel to appear
> inside Match blocks, so you can do:
> 
> Match 192.20.123.45
>   LogLevel quiet
> 
> LogLevel is only currently supported at the top level of config and
> not inside Match, so this patch fixes that.


Very elegant solution - thank you
Comment 7 Damien Miller 2021-04-23 14:59:52 AEST
closing resolved bugs as of 8.6p1 release