/var/log/auth spam every 2 mins: sshd[*]: Connection closed by [preauth]

Bug #965654 reported by JP Vossen on 2012-03-26
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)

Bug Description

Description: Ubuntu precise (development branch)
Release: 12.04


Not really sure that OpenSSH is the real culprit, but it's what has been reporting the log spam since I upgraded from 10.10 to 12.04 a day or two ago:

$ sudo grep 'Connection closed by' /var/log/auth.log | tail
Mar 26 14:27:19 perry2 sshd[16380]: Connection closed by [preauth]
Mar 26 14:29:19 perry2 sshd[16383]: Connection closed by [preauth]
Mar 26 14:31:19 perry2 sshd[26767]: Connection closed by [preauth]
Mar 26 14:33:19 perry2 sshd[7300]: Connection closed by [preauth]
Mar 26 14:35:19 perry2 sshd[19270]: Connection closed by [preauth]
Mar 26 14:37:19 perry2 sshd[31926]: Connection closed by [preauth]
Mar 26 14:39:19 perry2 sshd[1696]: Connection closed by [preauth]
Mar 26 14:41:19 perry2 sshd[1700]: Connection closed by [preauth]
Mar 26 14:43:19 perry2 sshd[1703]: Connection closed by [preauth]
Mar 26 14:45:19 perry2 sshd[1709]: Connection closed by [preauth]

$ sudo zgrep -c 'Connection closed by' /var/log/auth.log*

$ ll /var/log/auth.log*
-rw-r----- 1 syslog adm 128K Mar 26 14:52 /var/log/auth.log
-rw-r----- 1 syslog adm 132K Mar 25 07:52 /var/log/auth.log.1
-rw-r----- 1 syslog adm 2.1K Mar 23 16:25 /var/log/auth.log.2.gz
-rw-r----- 1 syslog adm 18K Feb 26 07:45 /var/log/auth.log.3.gz
-rw-r----- 1 syslog adm 19K Feb 19 07:45 /var/log/auth.log.4.gz

James Page (james-page) on 2012-04-02
Changed in openssh (Ubuntu):
importance: Undecided → Low

I have this same problem, however I know the cause of the problem.

I am using Monit which checks that SSHd is responding, so every time it checks, a log entry is made.

Is there possibly some way to reduce the amount of logging by SSHd?

I changed LogLevel to ERROR in /etc/ssh/sshd_config and the warnings are now gone

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers