Mailing List Archive

[feature suggestion] sshd should log the listening port number while logging errors/warnings
I have sshd listening on several ports for various reasons.


sshd periodically logs errors like these:

> Jun  4 22:52:52 xx sshd[30708]: error: Fssh_kex_exchange_identification: banner line contains invalid characters


This message would be a lot more helpful if it would contain the port
number for this connection.

It would be easier to figure out where offending connections come from.


Thanks,

Yuri


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: [feature suggestion] sshd should log the listening port number while logging errors/warnings
On Mon, 5 Jun 2023 at 16:29, Yuri <yuri@rawbw.com> wrote:
> ssh_kex_exchange_identification: banner line contains invalid characters
[...]
> It would be easier to figure out where offending connections come from.

The subsequent log line from sshpkt_fatal contains the source address
and port of that connection:

$ sudo `pwd`/sshd -ddd -p 2022
[...]
kex_exchange_identification: banner line contains invalid characters
banner exchange: Connection from 127.0.0.1 port 52410: invalid format

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: [feature suggestion] sshd should log the listening port number while logging errors/warnings
On 6/4/23 23:59, Darren Tucker wrote:
> The subsequent log line from sshpkt_fatal contains the source address
> and port of that connection:
>
> $ sudo `pwd`/sshd -ddd -p 2022
> [...]
> kex_exchange_identification: banner line contains invalid characters
> banner exchange: Connection from 127.0.0.1 port 52410: invalid format


I am using sshd on FreeBSD 13.2 and it only logs the first line.

Does the second line require some special setting values to be printed?


Yuri



Re: [feature suggestion] sshd should log the listening port number while logging errors/warnings
On Mon, 5 Jun 2023 at 17:06, Yuri <yuri@rawbw.com> wrote:
> On 6/4/23 23:59, Darren Tucker wrote:
> > The subsequent log line from sshpkt_fatal contains the source address
> > and port of that connection:
[...]
> I am using sshd on FreeBSD 13.2 and it only logs the first line.

FreeBSD 13's OpenSSH is based on 8.0p1, which is a bit over four years
old at this point.

> Does the second line require some special setting values to be printed?

No. It was added in 2022 in this commit, which was first in OpenSSH 8.3:
https://github.com/openssh/openssh-portable/commit/5becbec023f2037394987f85ed7f74b9a28699e0

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: [feature suggestion] sshd should log the listening port number while logging errors/warnings
On Mon, 5 Jun 2023 at 18:11, Darren Tucker <dtucker@dtucker.net> wrote:
> On Mon, 5 Jun 2023 at 17:06, Yuri <yuri@rawbw.com> wrote:
[...]
> > Does the second line require some special setting values to be printed?
>
> No. It was added in 2022 in this commit, which was first in OpenSSH 8.3:

correction: 2020.


> https://github.com/openssh/openssh-portable/commit/5becbec023f2037394987f85ed7f74b9a28699e0

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: [feature suggestion] sshd should log the listening port number while logging errors/warnings
On 05.06.23 08:59, Darren Tucker wrote:
> On Mon, 5 Jun 2023 at 16:29, Yuri <yuri@rawbw.com> wrote:
>> ssh_kex_exchange_identification: banner line contains invalid characters
> [...]
>> It would be easier to figure out where offending connections come from.
>
> The subsequent log line from sshpkt_fatal contains the source address
> and port of that connection:

I think that Yuri meant (one of his several) ssh*d*-side port(s).

There is SyslogFacility (plus the filtering capabilities of modern
syslogd's), but since that would quite likely leak sensitive information
out of the (better-protected) /var/log/secure on RHEL-like systems, I
can't really recommend (ab)using it.

However, I guess that allowing the sysadmin to change the progname/ident
parameter of the syslogging (like you can with the "daemon XYZ" setting
for multi-instance OpenVPN servers), rather than having it fixed to
"sshd", would prove more versatile than specifically adding the Port to
selected message( string)s ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

Re: [feature suggestion] sshd should log the listening port number while logging errors/warnings
On Mon, 5 Jun 2023 at 18:37, Jochen Bern <Jochen.Bern@binect.de> wrote:
> On 05.06.23 08:59, Darren Tucker wrote:
[...]
> > The subsequent log line from sshpkt_fatal contains the source address
> > and port of that connection:
>
> I think that Yuri meant (one of his several) ssh*d*-side port(s).

Yes he asked about server side ports, but the stated reason was "It
would be easier to figure out where offending connections come from"
hence my answer.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: [feature suggestion] sshd should log the listening port number while logging errors/warnings
Darren Tucker:

> > I am using sshd on FreeBSD 13.2 and it only logs the first line.
>
> FreeBSD 13's OpenSSH is based on 8.0p1, which is a bit over four years
> old at this point.

It has been upgraded over the course of the 13.x branch:
13.2 has OpenSSH 9.2p1.

--
Christian "naddy" Weisgerber naddy@mips.inka.de

Re: [feature suggestion] sshd should log the listening port number while logging errors/warnings
On 6/6/23 13:46, Christian Weisgerber wrote:
> It has been upgraded over the course of the 13.x branch: 13.2 has
> OpenSSH 9.2p1.


The current version of OpenSSH in the FreeBSD 13.x branch is 9.3p1.


But the log doesn't contain the listening port information.
For example, /var/log/messages has:
> Jun  6 19:05:02 xx sshd[6528]: error: Fssh_kex_exchange_identification: read: Connection reset by peer

The same incident also has these lines in /var/log/auth.log:
> Jun  6 19:05:02 xx sshd[6528]: error: Fssh_kex_exchange_identification: read: Connection reset by peer
> Jun  6 19:05:02 xx sshd[6528]: Connection reset by 69.164.217.245 port 47272

But the listening port information isn't printed.


What is wrong?




Yuri


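Added example, not from this thread and not OpenSSH code: a small Python correlator that does mechanically what Darren describes, joining the kex_exchange_identification error to the following sshpkt_fatal line ("Connection from/reset by/closed by <ip> port <port>") via the sshd child PID, since both records come from the same per-connection child process. The sample log lines are constructed to match the format quoted above (FreeBSD's Fssh_ prefix included) with invented addresses; the regexes, data class and function names are mine. It can only recover what sshd writes, so the peer address and port are filled in, but the listening port Yuri asks for is not available from these records.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample records in the syslog format quoted in the thread.
# Addresses and ports are invented; PID 6550 deliberately has no follow-up
# line, as an older sshd (before 8.3) would log it.
SAMPLE_LOG = """\
Jun  6 19:05:02 xx sshd[6528]: error: Fssh_kex_exchange_identification: read: Connection reset by peer
Jun  6 19:05:02 xx sshd[6528]: Connection reset by 203.0.113.5 port 40001
Jun  6 19:05:07 xx sshd[6531]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Jun  6 19:05:07 xx sshd[6531]: banner exchange: Connection from 198.51.100.7 port 52410: invalid format
Jun  6 19:05:09 xx sshd[6540]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2: ED25519 SHA256:abc
Jun  6 19:05:12 xx sshd[6544]: error: Fssh_kex_exchange_identification: Connection closed by remote host
Jun  6 19:05:12 xx sshd[6544]: Connection closed by 203.0.113.5 port 40002
Jun  6 19:05:15 xx sshd[6550]: error: Fssh_kex_exchange_identification: read: Connection reset by peer
"""

# Classic BSD syslog line: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The error itself; FreeBSD prefixes the function name with "Fssh_".
KEX_ERR_RE = re.compile(
    r"^error: (?:Fssh_)?kex_exchange_identification: (?P<reason>.+)$"
)
# The sshpkt_fatal follow-up that carries the peer address and port.
PEER_RE = re.compile(
    r"(?:Connection from|Connection reset by|Connection closed by) "
    r"(?:authenticating user \S+ )?(?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)"
)


@dataclass
class KexFailure:
    ts: str
    pid: int
    reason: str
    peer_ip: Optional[str] = None
    peer_port: Optional[int] = None


def correlate_kex_failures(log_text: str) -> list[KexFailure]:
    """Return one KexFailure per kex_exchange_identification error, with the
    peer address/port taken from the next line logged by the same PID."""
    open_failures: dict[int, KexFailure] = {}
    results: list[KexFailure] = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        err = KEX_ERR_RE.match(msg)
        if err:
            failure = KexFailure(m["ts"], pid, err["reason"])
            results.append(failure)
            open_failures[pid] = failure
            continue
        peer = PEER_RE.search(msg)
        if peer and pid in open_failures:
            failure = open_failures.pop(pid)
            failure.peer_ip = peer["ip"]
            failure.peer_port = int(peer["port"])
    return results


def failures_by_peer(failures: list[KexFailure]) -> Counter:
    """Count banner-exchange failures per source address ("unknown" when the
    log had no peer line, e.g. from an sshd older than 8.3)."""
    return Counter(f.peer_ip or "unknown" for f in failures)


if __name__ == "__main__":
    for f in correlate_kex_failures(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} peer={f.peer_ip}:{f.peer_port} reason={f.reason!r}")
    print(failures_by_peer(correlate_kex_failures(SAMPLE_LOG)))
```

In practice the correlation holds only within one syslog stream; as Yuri's excerpt shows, /var/log/messages may carry the error line while the peer line lands only in auth.log, so feed the correlator the file that has both.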