Excessive Disconnect unmatched entries from sshd
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| logwatch (Debian) | Fix Released | Unknown | | |
| logwatch (Ubuntu) | Fix Released | Low | Karl Stenerud | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
User ssh disconnect messages in syslog aren't handled by logwatch, and thus end up in the "Unmatched Entries" section, one per event. This clutters up the logwatch reports unnecessarily.
[Test Case]
# lxc launch ubuntu-daily:cosmic tester
# lxc exec tester bash
# apt update
# apt dist-upgrade -y
# apt install -y logwatch openssh-server mailutils
* mail configuration : Local only
* System mail name: (use default)
# sed -i 's/PasswordAuth
# systemctl restart sshd
# passwd ubuntu
* choose a password
# ssh ubuntu@localhost
* login, then exit
# logwatch --detail Med --mailto root --service all --range today
# sleep 1
# mail
* select message 1
* Search for SSHD:
/SSHD
You will see unmatched entries:
**Unmatched Entries**
Disconnected from user ubuntu 127.0.0.1 port 53084 : 1 time(s)
[Original Description]
# lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
# apt-cache policy logwatch
logwatch:
Installed: 7.4.2-1ubuntu1
Candidate: 7.4.2-1ubuntu1
Version table:
*** 7.4.2-1ubuntu1 500
500 http://
500 http://
100 /var/lib/
The issue seems to be exactly as described here:
https:/
In synopsis, Logwatch's "SSHD" output contains excessive "Unmatched Entries" regarding SSH disconnections. They look like this:
Received disconnect from 123.123.123.123 port 6887:11: disconnected by user : 1 time(s)
Received disconnect from 123.123.123.123 port 8310:11: disconnected by user : 1 time(s)
Disconnected from 123.123.123.123 port 1306 : 1 time(s)
Received disconnect from 123.123.123.123 port 3720:11: disconnected by user : 1 time(s)
Received disconnect from 123.123.123.123 port 3001:11: disconnected by user : 1 time(s)
Disconnected from 123.123.123.123 port 1054 : 1 time(s)
Received disconnect from 123.123.123.123 port 9741:11: disconnected by user : 1 time(s)
Received disconnect from 123.123.123.123 port 3261:11: disconnected by user : 1 time(s)
Received disconnect from 123.123.123.123 port 4650:11: disconnected by user : 1 time(s)
Received disconnect from 123.123.123.123 port 13235:11: disconnected by user : 1 time(s)
Received disconnect from 123.123.123.123 port 1065:11: disconnected by user : 1 time(s)
Received disconnect from 123.123.123.123 port 13868:11: disconnected by user : 1 time(s)
Disconnected from 123.123.123.123 port 8542 : 1 time(s)
I should mention that these connections are from me, and are legitimate; they are not from "bots" or other types of probes/scans that, for example, check for the availability of vulnerable ciphers.
The key finding from the above report seems to be:
"I don't know why there are two different format disconnect messages, but the bit that seems to confuse logwatch was adding the port number to the message."
There seem to be several (3-5) such messages that result from a normal connect/disconnect cycle.
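To make the regex failure concrete, here is an added example (written for this page, not logwatch's own Perl service script): a port-less pattern of the kind the original parser is described as using, next to patterns that accept the port field and both "Disconnected from" wordings. The older sshd wording without a port, the exact pre-fix regex and the sample lines are assumptions constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample lines: the first uses the older port-less wording (assumed),
# the rest mirror the formats quoted in the bug report.
SAMPLE_LOG = [
    "sshd[1001]: Received disconnect from 123.123.123.123: 11: disconnected by user",
    "sshd[1002]: Received disconnect from 123.123.123.123 port 6887:11: disconnected by user",
    "sshd[1003]: Received disconnect from 123.123.123.123 port 8310:11: disconnected by user",
    "sshd[1004]: Disconnected from 123.123.123.123 port 1306",
    "sshd[1005]: Disconnected from user ubuntu 127.0.0.1 port 53084",
]

# Hypothetical pre-fix pattern: only knows the "host: code: reason" wording.
OLD_PATTERNS = [
    re.compile(r"^Received disconnect from (?P<host>\S+): (?P<code>\d+): (?P<reason>.*)$"),
]

# Updated patterns: the port is optional, and both "Disconnected from" wordings
# (with or without "user <name>") are recognised as well.
NEW_PATTERNS = [
    re.compile(r"^Received disconnect from (?P<host>\S+)(?: port \d+)?: ?(?P<code>\d+): (?P<reason>.*)$"),
    re.compile(r"^Disconnected from (?:user (?P<user>\S+) )?(?P<host>\S+)(?: port \d+)?$"),
]

def summarise(lines, patterns):
    """Group matched disconnects by host (the port is dropped so repeated sessions
    collapse into one 'N time(s)' entry) and collect everything else as unmatched,
    which is what logwatch prints verbatim under 'Unmatched Entries'."""
    counts = Counter()
    unmatched = []
    for line in lines:
        msg = line.split("]: ", 1)[-1]          # strip the "sshd[pid]: " prefix
        for pat in patterns:
            m = pat.match(msg)
            if m:
                counts[f"Disconnect from {m['host']}"] += 1
                break
        else:
            unmatched.append(msg)
    return counts, unmatched

def report(lines, patterns):
    """Render a logwatch-style summary for the given pattern set."""
    counts, unmatched = summarise(lines, patterns)
    out = [f"{k} : {v} time(s)" for k, v in sorted(counts.items())]
    if unmatched:
        out.append("**Unmatched Entries**")
        out += [f"{u} : 1 time(s)" for u in unmatched]
    return "\n".join(out)

if __name__ == "__main__":
    print("--- old patterns ---\n" + report(SAMPLE_LOG, OLD_PATTERNS))
    print("--- new patterns ---\n" + report(SAMPLE_LOG, NEW_PATTERNS))
```

With the old pattern set, every line carrying a port lands in the unmatched list one per event, exactly the clutter the report describes; with the updated set they collapse into per-host counts.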
Related branches
Branch 1 reviews:
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Sergio Durigan Junior: Pending requested
- Canonical Server packageset reviewers: Pending requested
Diff: 419 lines (+355/-0), 10 files modified:
- debian/changelog (+33/-0)
- debian/patches/0010-00-debspecific-disable-su-reporting-in-secure.diff.patch (+34/-0)
- debian/patches/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch (+42/-0)
- debian/patches/0012-postfix-Handle-backwards-compatible-mode.patch (+74/-0)
- debian/patches/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch (+52/-0)
- debian/patches/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch (+28/-0)
- debian/patches/0018-audit-Treat-Denial-Errors-same-as-Denied.patch (+28/-0)
- debian/patches/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch (+32/-0)
- debian/patches/series (+9/-0)
- debian/patches/ssh-ignore-disconnected.patch (+23/-0)
Branch 2 reviews:
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Sergio Durigan Junior: Pending requested
- Canonical Server packageset reviewers: Pending requested
Diff: 419 lines (+354/-0), 10 files modified:
- debian/changelog (+33/-0)
- debian/patches/0010-00-debspecific-disable-su-reporting-in-secure.diff.patch (+34/-0)
- debian/patches/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch (+42/-0)
- debian/patches/0012-postfix-Handle-backwards-compatible-mode.patch (+74/-0)
- debian/patches/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch (+52/-0)
- debian/patches/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch (+28/-0)
- debian/patches/0018-audit-Treat-Denial-Errors-same-as-Denied.patch (+28/-0)
- debian/patches/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch (+32/-0)
- debian/patches/series (+8/-0)
- debian/patches/ssh-ignore-disconnected.patch (+23/-0)
Branch 3 reviews:
- Christian Ehrhardt (community): Approve
- Canonical Server Core Reviewers: Pending requested
Diff: 53 lines (+31/-0), 3 files modified:
- debian/changelog (+7/-0)
- debian/patches/series (+1/-0)
- debian/patches/ssh-ignore-disconnected.patch (+23/-0)
Changed in logwatch (Debian):
- status: Unknown → New
Changed in logwatch (Ubuntu):
- assignee: Nish Aravamudan (nacc) → nobody
- importance: Undecided → Low
- description: updated
Changed in logwatch (Ubuntu):
- assignee: nobody → Karl Stenerud (kstenerud)
- status: Triaged → In Progress
Changed in logwatch (Debian):
- status: New → Fix Released
Changed in logwatch (Ubuntu Xenial):
- status: Confirmed → Triaged
Changed in logwatch (Ubuntu Bionic):
- status: Confirmed → Triaged
tags:
- added: verification-done verification-done-xenial
- removed: verification-needed verification-needed-xenial
I think this is resolved upstream, and needs some verification of which patches would need backporting. sshd changed the log formatting to include the port, which broke logwatch's regex.