In a system which is being monitored by a known monitoring server, or servers - for example using the nagios check_ssh plugin, the log file will have entries of the form

sshd[30102]: Connection reset by 192.168.1.39 port 48706 [preauth]

Suppressing these messages, when the connection is made by a known monitoring server would make it easier to spot probes from hostile systems.
This looks like a bug in nagios: https://sourceforge.net/p/nagiosplug/bugs/196/
(In reply to Damien Miller from comment #1)
> This looks like a bug in nagios:
> https://sourceforge.net/p/nagiosplug/bugs/196/

That bug refers to where the connection is not properly closed by check_ssh. My point is that if there is a connection to my system, checking, for example to see if sshd is running, and possibly what version it is running, then if the connection came from a system outside my control then this is a probe by an attacker, and should be logged. If it comes from my monitoring system, which could be checking frequently to make sure that sshd is still running, then logging those checks just adds noise to the log file. Systems which process those logs, such as fail2ban, denyhosts, snort etc can all post process the monitoring host (or hosts) entries out, but it would make real probes more obvious in the logs if the monitoring connections were suppressed.
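The post-processing approach mentioned in the comment above, as an added example (not from the bug thread or from OpenSSH): a filter that drops only the pre-authentication connection lines coming from known monitoring hosts and keeps every other line. The allowlist, function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed allowlist of monitoring hosts (constructed; replace with your own).
MONITORING_HOSTS = [ipaddress.ip_network("192.168.1.39/32")]

# Matches the line format quoted in the report, e.g.
#   sshd[30102]: Connection reset by 192.168.1.39 port 48706 [preauth]
# "Connection closed by" is included as an assumption about similar check noise.
PREAUTH_RE = re.compile(
    r"sshd\[\d+\]: Connection (?:reset|closed) by "
    r"(?P<addr>[0-9A-Fa-f:.]+) port \d+ \[preauth\]"
)


def is_monitoring_noise(line, networks=MONITORING_HOSTS):
    """True only for a preauth reset/close line whose peer is allowlisted."""
    match = PREAUTH_RE.search(line)
    if not match:
        return False  # any other sshd message is always kept
    try:
        addr = ipaddress.ip_address(match.group("addr"))
    except ValueError:
        return False  # unparsable address: keep the line for review
    return any(addr in net for net in networks)


def filter_log(lines, networks=MONITORING_HOSTS):
    """Return the log lines that remain after dropping monitoring noise."""
    return [line for line in lines if not is_monitoring_noise(line, networks)]


# Constructed sample input: two monitoring checks, one unknown prober, and a
# failed login from the monitoring address that must stay visible.
SAMPLE_LOG = [
    "Mar  3 10:00:01 host sshd[30102]: Connection reset by 192.168.1.39 port 48706 [preauth]",
    "Mar  3 10:00:07 host sshd[30110]: Connection reset by 203.0.113.77 port 51514 [preauth]",
    "Mar  3 10:01:01 host sshd[30131]: Connection reset by 192.168.1.39 port 48790 [preauth]",
    "Mar  3 10:01:30 host sshd[30140]: Failed password for root from 192.168.1.39 port 48801 ssh2",
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE_LOG):
        print(line)
```
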
Created attachment 2979 [details]
Allow LogLevel to appear in sshd_config Match blocks

I think the best way to do this would be to allow LogLevel to appear inside Match blocks, so you can do:

Match 192.20.123.45
    LogLevel quiet

LogLevel is only currently supported at the top level of config and not inside Match, so this patch fixes that.
Comment on attachment 2979 [details]
Allow LogLevel to appear in sshd_config Match blocks

Nice solution!
(In reply to Damien Miller from comment #3)
> Match 192.20.123.45

ITYM "Match Address 192.20.123.45"
(In reply to Damien Miller from comment #3)
> Created attachment 2979 [details]
> Allow LogLevel to appear in sshd_config Match blocks
>
> I think the best way to do this would be to allow LogLevel to appear
> inside Match blocks, so you can do:
>
> Match 192.20.123.45
> LogLevel quiet
>
> LogLevel is only currently supported at the top level of config and
> not inside Match, so this patch fixes that.

Very elegant solution - thank you
closing resolved bugs as of 8.6p1 release