Excessive Disconnect unmatched entries from sshd

I think this is resolved upstream, and needs some verification of which patches would need backporting. sshd changed the log formatting to include the port, which broke logwatch's regex.

I have a variety of lines that do not fit into Logwatch' regex for sshd. They are mainly caused by the lack of a port in the formatting. There are three typical lines that are affected:

Received disconnect from [***] port [***]:11: [preauth] : 1 time(s)
Disconnected from [***] port [***] [preauth] : 1 time(s)
Connection reset by [***] port [***] [preauth] : 3 time(s)

The first line is matched by using a provided patch: https://bugzilla.redhat.com/attachment.cgi?id=1136417&action=diff
The other two still remain in my case, I manually patched /usr/share/logwatch/scripts/services/sshd for the "Received disconnect from"

What is the update for this issue? I couldn't find any details about patches from upstream, otherwise I could test those as well.

Is this likely to be fixed with a patch?

At the moment my LogWatch reports contain about 700-1000 lines per day in the SSHD "Unmatched Entries" section, which makes it difficult to read/check.

I'd rater not edit the LogWatch config files myself if it's going to be patched.

Sorry for the delay on my end.

Here is one upstream commit that is relevant: https://sourceforge.net/p/logwatch/git/ci/0490a1c4ccf1b811bce0cd68dfce8a9e346d7648/

This will correct for: "Received disconnect from..." with a port on the end.

Another upstream commit: https://sourceforge.net/p/logwatch/git/ci/50cd9b06

This will correct for:

"Disconnected from..." with a port on the end

and

"Connection reset by..."

I can build (hopefully later today) a test package of logwatch with only the sshd changes mentioned above. I will need to evaluate the latter commit, as it includes a number of further changes than what is explicitly requested in this bug.

Confirmed still happening in bionic.

This was fixed in cosmic in 7.4.3+git20161207-2ubuntu2. The bug didn't auto-close because the bug number wasn't correctly mentioned in the changelog of the package (it missed a "#").

I added tasks for xenial and bionic.

Status changed to 'Confirmed' because the bug affects multiple users.

Hello Ben, or anyone else affected,

Accepted logwatch into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/logwatch/7.4.3+git20161207-2ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Ben, or anyone else affected,

Accepted logwatch into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/logwatch/7.4.2-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

When sshd disconnects it leaves a pair of messages:

   Received disconnect from NN.NN.NN.NN port 42004:11: disconnected by user : 1 time(s)
   Disconnected from NN.NN.NN.NN port 42072 : 1 time(s)

The second message, "Disconnected from" is what this bug report deals with. The first message, "Received disconnect", was fixed in logwatch 7.4.3, so bionic and newer have this fix but xenial does not.

I've verified that the update in bionic-proposed displays a clean report:

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)

 SSHD Started: 2 Time(s)

 Failed logins from:
    127.0.0.1 (localhost): 1 time
       ubuntu/password: 1 time

 Users logging in through sshd:
    ubuntu:
       127.0.0.1 (localhost): 1 time

 Received disconnect:
    disconnected by user
       127.0.0.1 : 1 Time(s)

 ---------------------- SSHD End -------------------------

And the update in xenial-proposed is correct in that it suppresses the second message ("Disconnect..."), but the "Received disconnect" message is still present:

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)

 SSHD Started: 4 Time(s)

 Users logging in through sshd:
    ubuntu:
       127.0.0.1 (localhost): 1 time

 **Unmatched Entries**
 Received disconnect from 127.0.0.1 port 50276:11: disconnected by user : 1 time(s)

 ---------------------- SSHD End -------------------------

So, technically I think the fix can be validated in that it suppresses the log message as intended. However, a perfect fix for xenial would also address the additional log message. I think it could either be left to a follow up or I can respin the xenial portion of this SRU with the additional fix.

Per discussion on IRC, going to go with the SRU as-is since it's an incremental improvement that doesn't make things worse. A subsequent SRU could improve further.

This bug was fixed in the package logwatch - 7.4.3+git20161207-2ubuntu1.2

---------------
logwatch (7.4.3+git20161207-2ubuntu1.2) bionic; urgency=medium

  [ Bryce Harrington ]
  * d/p/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch:
    dhcpd: Ignore lease age under threshold messages
    (LP: #1578001)
  * d/p/0018-audit-Treat-Denial-Errors-same-as-Denied.patch:
    audit: Treat Denial-Errors same as Denied.
    (LP: #1577948)
  * d/p/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch:
    audit: Apparmor DENIED entries don't always include parent=N.
    (LP: #1577948)
  * d/p/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch:
    zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo are missing.
    These are not installed by default in Ubuntu's logwatch packaging.
    (LP: #1890749)
  * d/p/0012-postfix-Handle-backwards-compatible-mode.patch:
    postfix: Handle backwards-compatible mode.
    (LP: #1583705)
  * d/p/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch:
    postfix: Ignore Resolved loghost to 127.0.0.1.
    (LP: #1583705)
  * d/p/0010-00-debspecific-disable-su-reporting-in-secure.diff.patch:
    Use $PATH to determine location of zpool and zfs.
    (LP: #1880211)

  [ Karl Stenerud ]
  * d/p/ssh-ignore-disconnected.patch:
    sshd: ignore disconnected from user USER
    (LP: #1644057)

 -- Bryce Harrington <email address hidden> Thu, 03 Sep 2020 04:21:53 +0000

The verification of the Stable Release Update for logwatch has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package logwatch - 7.4.2-1ubuntu1.1

---------------
logwatch (7.4.2-1ubuntu1.1) xenial; urgency=medium

  [ Bryce Harrington ]
  * d/p/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch:
      dhcpd: Ignore lease age under threshold messages
      (LP: #1578001)
  * d/p/0018-audit-Treat-Denial-Errors-same-as-Denied.patch:
    audit: Treat Denial-Errors same as Denied.
    (LP: #1577948)
  * d/p/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch:
    audit: Apparmor DENIED entries don't always include parent=N.
    (LP: #1577948)
  * d/p/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch:
    zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo are missing.
    These are not installed by default in Ubuntu's logwatch packaging.
    (LP: #1890749)
  * d/p/0012-postfix-Handle-backwards-compatible-mode.patch:
    postfix: Handle backwards-compatible mode.
    (LP: #1583705)
  * d/p/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch:
    postfix: Ignore Resolved loghost to 127.0.0.1.
    (LP: #1583705)
  * d/p/0010-00-debspecific-disable-su-reporting-in-secure.diff.patch:
    Use $PATH to determine location of zpool and zfs.
    (LP: #1880211)

  [ Karl Stenerud ]
  * d/p/ssh-ignore-disconnected.patch:
    sshd: ignore disconnected from user USER
    (LP: #1644057)

 -- Bryce Harrington <email address hidden> Thu, 03 Sep 2020 04:21:50 +0000