Bug 2585 - Several syslog messages have too high priority
Summary: Several syslog messages have too high priority
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.7p1
Hardware: amd64 Linux
Importance: P5 normal
Assignee: Darren Tucker
URL:
Keywords:
Depends on: 2249
Blocks: V_7_3
Reported: 2016-06-09 22:17 AEST by Sophie
Modified: 2016-08-02 10:42 AEST

See Also:


Attachments
Reduce severity of client-initiated protocol error.s (35 bytes, patch)
2016-07-15 15:08 AEST, Darren Tucker

Description Sophie 2016-06-09 22:17:02 AEST
On our systems we are automatically escalating syslog messages with severity>=3. IMHO the severity for the following entries from the OpenSSH daemon should be significantly downgraded to something below 4 (Warning). They appear on all systems exposing an sshd to the world within normal operation.

Observed on Debian 8.5 with OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1t

1 Alert: action must be taken immediately

- PAM service(sshd) ignoring max retries; 5 > 3

2 Critical: critical conditions

- fatal: Read from socket failed: Connection reset by peer [preauth]
- fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
- fatal: Unable to negotiate a key exchange method [preauth]

3 Error: error conditions

- error: Received disconnect from XXX.XXX.XXX.XXX: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
- pam_unix(sshd:auth): check pass; user unknown

4 Warning: warning conditions

- pam_unix(sshd:auth): check pass; user unknown

5 Notice: normal but significant condition

- PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.XXX  user=root
- pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.XXX  user=root

6 Informational: informational messages

All observed messages fit this severity level. However, marking lookup failures/inconsistencies with

- POSSIBLE BREAK-IN ATTEMPT!

is unnecessary (and misleading). All of the above messages probably belong to break-in attempts. IMHO this sentence should be removed.
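The report hinges on two things a log pipeline does with these lines: it decodes the syslog priority (PRI = facility * 8 + severity, so an sshd `fatal:` logged to authpriv at CRIT arrives as `<82>`) and it escalates on the severity alone, which pages an operator for every client that drops a connection or offers only CBC ciphers. The following script is an added example written for this page; it is not code from OpenSSH, PAM or the reporter. It parses raw syslog lines carrying a `<PRI>` header, then compares the reporter's rule (escalate at Error or more severe) against a normalised rule that lowers the client-initiated `[preauth]` messages quoted in the report to Notice before the threshold is applied. The log lines, the hostnames, the pids and the 192.0.2.0/24 addresses are constructed sample data; the "Cannot bind any address" line stands in for a genuine server-side failure that must keep escalating.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syslog severity codes; the list index is the numeric value, 0 being most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
AUTH, AUTHPRIV = 4, 10  # facilities sshd and pam_unix normally log to

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# "<timestamp> <host> <program>[<pid>]: <text>" -- pull out <program>
PROG_RE = re.compile(r" ([A-Za-z0-9_./-]+)(?:\[\d+\])?: ")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    program: Optional[str]
    message: str  # everything after the <PRI> header


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_line(line: str) -> SyslogEvent:
    """Parse one raw syslog line that still carries its <PRI> header."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    digits = m.group(1)
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError("PRI must not carry leading zeros")  # RFC 3164 section 4.1.1
    facility, severity = decode_pri(int(digits))
    rest = m.group(2).strip()
    prog = PROG_RE.search(rest)
    return SyslogEvent(facility, severity, prog.group(1) if prog else None, rest)


# sshd messages that are caused entirely by the remote peer (dropped connection,
# no shared algorithm, client-side disconnect) and say nothing about the health
# of the server. The patterns follow the messages quoted in the bug report.
CLIENT_INITIATED = [
    re.compile(r"fatal: Read from socket failed: .*\[preauth\]$"),
    re.compile(r"fatal: no matching cipher found: .*\[preauth\]$"),
    re.compile(r"fatal: Unable to negotiate a key exchange method \[preauth\]$"),
    re.compile(r"error: Received disconnect from \S+: \d+: .*\[preauth\]$"),
]

NOTICE = SEVERITIES.index("notice")
ESCALATE_AT = SEVERITIES.index("err")  # the reporter's rule: page at err or worse


def effective_severity(ev: SyslogEvent) -> int:
    """Severity after normalisation: client-initiated sshd preauth errors drop to notice."""
    if (ev.program == "sshd" and ev.facility in (AUTH, AUTHPRIV)
            and any(p.search(ev.message) for p in CLIENT_INITIATED)):
        return max(ev.severity, NOTICE)  # only ever downgrade, never upgrade
    return ev.severity


def should_escalate(ev: SyslogEvent, normalise: bool = True) -> bool:
    sev = effective_severity(ev) if normalise else ev.severity
    return sev <= ESCALATE_AT


def triage(lines: List[str], normalise: bool = True) -> List[str]:
    """Return the messages that would page an operator under the chosen rule."""
    return [ev.message for ev in map(parse_line, lines) if should_escalate(ev, normalise)]


# Constructed sample input: PRI 81/82/83/85 = authpriv + alert/crit/err/notice.
SAMPLE_LINES = [
    "<81>Jun  9 12:00:01 bastion sshd[1234]: PAM service(sshd) ignoring max retries; 5 > 3",
    "<82>Jun  9 12:00:02 bastion sshd[1235]: fatal: Read from socket failed: Connection reset by peer [preauth]",
    "<82>Jun  9 12:00:03 bastion sshd[1236]: fatal: no matching cipher found: client aes128-cbc,3des-cbc server aes128-ctr,aes256-ctr [preauth]",
    "<83>Jun  9 12:00:04 bastion sshd[1237]: error: Received disconnect from 192.0.2.10: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]",
    "<85>Jun  9 12:00:05 bastion sshd[1238]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "<82>Jun  9 12:00:06 bastion sshd[1239]: fatal: Cannot bind any address.",  # constructed server-side failure
]

if __name__ == "__main__":
    for label, norm in (("raw severities", False), ("normalised", True)):
        hits = triage(SAMPLE_LINES, norm)
        print(f"{label}: {len(hits)} escalation(s)")
        for h in hits:
            print("   ", h)
```

Run as-is, the raw rule pages five times for six lines, three of them for clients that merely went away or offered nothing the server accepts; after normalisation only the PAM max-retries line and the bind failure remain. The normalisation is deliberately narrow: it checks the program and facility, matches the exact message shapes, and can only lower a severity, so a new server-side `fatal:` is never hidden by accident.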
Comment 1 Darren Tucker 2016-06-14 10:39:09 AEST
(In reply to Quabla from comment #0)
> On our systems we are automatically escalating syslog messages with
> severity>=3. IMHO the severity for the following entries from the
> OpenSSH daemon should be significantly downgraded to something below
> 4 (Warning). They appear on all systems exposing an sshd to the world
> within normal operation.
> 
> Observed on Debian 8.5 with OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL
> 1.0.1t
> 
> 1 Alert: action must be taken immediately
> 
> - PAM service(sshd) ignoring max retries; 5 > 3

That's from PAM, not sshd.
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n349

It seems to be complaining that sshd doesn't take specific action when pam_authenticate() returns PAM_MAXTRIES (which wasn't in the original PAM spec but is in XSSO).

> 2 Critical: critical conditions
> 
> - fatal: Read from socket failed: Connection reset by peer [preauth]
> - fatal: no matching cipher found: client
> aes128-cbc,blowfish-cbc,3des-cbc server
> aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-
> gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
> - fatal: Unable to negotiate a key exchange method [preauth]
> 
> 3 Error: error conditions
> 
> - error: Received disconnect from XXX.XXX.XXX.XXX: 3:
> com.jcraft.jsch.JSchException: Auth fail [preauth]

These are from sshd.  I'll look into whether it's feasible to change them.

> 4 Warning: warning conditions
> 
> - pam_unix(sshd:auth): check pass; user unknown

That's also from PAM.
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n753

> 5 Notice: normal but significant condition
> 
> - PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh
> ruser= rhost=XXX.XXX.XXX.XXX  user=root
> - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=XXX.XXX.XXX.XXX  user=root
>

also from PAM.

> 6 Informational: informational messages
> 
> All observed messages fit this severity level. However, marking
> lookup failures/inconsistencies with
> 
> - POSSIBLE BREAK-IN ATTEMPT!

Yeah, that one is probably a bit hysterical these days since we no longer support any authentication methods that rely (solely) on the source of the connection.
Comment 2 Darren Tucker 2016-06-15 12:08:27 AEST
The "POSSIBLE BREAKIN ATTEMPT" was removed in https://anongit.mindrot.org/openssh.git/commit/?id=e690fe85750e93fca1fb7c7c8587d4130a4f7aba

The PAM_MAXTRIES thing was previously reported in bug#2249
Comment 3 Sophie 2016-06-15 22:39:01 AEST
Thanks for looking into those issues!

I am unable to locate the code lines where the sshd critical/error messages are issued. Otherwise I would provide a patch.

I have reported the Linux PAM part there: <https://fedorahosted.org/linux-pam/ticket/63>
Comment 4 Darren Tucker 2016-07-15 15:08:14 AEST
Created attachment 2851 [details]
Reduce severity of client-initiated protocol error.s

I've just committed this patch to OpenBSD which reduces the severity of some of these errors.  It'll bubble through to openssh portable shortly and will be in the 7.3 release.
Comment 5 Darren Tucker 2016-07-18 09:32:26 AEST
The change for the protocol errors ("Connection reset by peer", "no matching cipher found" and "Received disconnect from") has made it to portable:
https://anongit.mindrot.org/openssh.git/commit/?id=af1f084857621f14bd9391aba8033d35886c2455

I'm about to commit the fix for the PAM_MAXTRIES thing over at bug #2249, which will also be in the 7.3p1 release.

Thanks.
Comment 6 Damien Miller 2016-08-02 10:42:56 AEST
Close all resolved bugs after 7.3p1 release