[feature suggestion] sshd should log the listening port number while logging errors/warnings


Yuri

Jun 5, 2023, 2:30:03 AM
to OpenSSH Devel List
I have sshd listening on several ports for various reasons.


sshd periodically logs errors like these:

> Jun  4 22:52:52 xx sshd[30708]: error: Fssh_kex_exchange_identification: banner line contains invalid characters


This message would be a lot more helpful if it would contain the port
number for this connection.

It would be easier to figure out where offending connections come from.


Thanks,

Yuri


_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Darren Tucker

Jun 5, 2023, 3:05:28 AM
to Yuri, OpenSSH Devel List
On Mon, 5 Jun 2023 at 16:29, Yuri <yu...@rawbw.com> wrote:
> ssh_kex_exchange_identification: banner line contains invalid characters
[...]
> It would be easier to figure out where offending connections come from.

The subsequent log line from sshpkt_fatal contains the source address
and port of that connection:

$ sudo `pwd`/sshd -ddd -p 2022
[...]
kex_exchange_identification: banner line contains invalid characters
banner exchange: Connection from 127.0.0.1 port 52410: invalid format

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Yuri

Jun 5, 2023, 3:14:03 AM
to Darren Tucker, OpenSSH Devel List
On 6/4/23 23:59, Darren Tucker wrote:
> The subsequent log line from sshpkt_fatal contains the source address
> and port of that connection:
>
> $ sudo `pwd`/sshd -ddd -p 2022
> [...]
> kex_exchange_identification: banner line contains invalid characters
> banner exchange: Connection from 127.0.0.1 port 52410: invalid format


I am using sshd on FreeBSD 13.2 and it only logs the first line.

Does the second line require some special setting values to be printed?


Yuri

Darren Tucker

Jun 5, 2023, 4:15:18 AM
to Yuri, OpenSSH Devel List
On Mon, 5 Jun 2023 at 17:06, Yuri <yu...@rawbw.com> wrote:
> On 6/4/23 23:59, Darren Tucker wrote:
> > The subsequent log line from sshpkt_fatal contains the source address
> > and port of that connection:
[...]
> I am using sshd on FreeBSD 13.2 and it only logs the first line.

FreeBSD 13's OpenSSH is based on 8.0p1, which is a bit over four years
old at this point.

> Does the second line require some special setting values to be printed?

No. It was added in 2022 in this commit, which was first in OpenSSH 8.3:
https://github.com/openssh/openssh-portable/commit/5becbec023f2037394987f85ed7f74b9a28699e0


Darren Tucker

Jun 5, 2023, 4:28:23 AM
to Yuri, OpenSSH Devel List
On Mon, 5 Jun 2023 at 18:11, Darren Tucker <dtu...@dtucker.net> wrote:
> On Mon, 5 Jun 2023 at 17:06, Yuri <yu...@rawbw.com> wrote:
[...]
> > Does the second line require some special setting values to be printed?
>
> No. It was added in 2022 in this commit, which was first in OpenSSH 8.3:

correction: 2020.

Jochen Bern

Jun 5, 2023, 4:37:47 AM
to openssh-...@mindrot.org
On 05.06.23 08:59, Darren Tucker wrote:
> On Mon, 5 Jun 2023 at 16:29, Yuri <yu...@rawbw.com> wrote:
>> ssh_kex_exchange_identification: banner line contains invalid characters
> [...]
>> It would be easier to figure out where offending connections come from.
>
> The subsequent log line from sshpkt_fatal contains the source address
> and port of that connection:

I think that Yuri meant (one of his several) ssh*d*-side port(s).

There is SyslogFacility (plus the filtering capabilities of modern
syslogd's), but since that would quite likely leak sensitive information
out of the (better-protected) /var/log/secure on RHEL-like systems, I
can't really recommend (ab)using it.

However, I guess that allowing the sysadmin to change the progname/ident
parameter of the syslogging (like you can with the "daemon XYZ" setting
for multi-instance OpenVPN servers), rather than having it fixed to
"sshd", would prove more versatile than specifically adding the Port to
selected message( string)s ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

Darren Tucker

Jun 5, 2023, 5:01:45 AM
to Jochen Bern, openssh-...@mindrot.org
On Mon, 5 Jun 2023 at 18:37, Jochen Bern <Joche...@binect.de> wrote:
> On 05.06.23 08:59, Darren Tucker wrote:
[...]
> > The subsequent log line from sshpkt_fatal contains the source address
> > and port of that connection:
>
> I think that Yuri meant (one of his several) ssh*d*-side port(s).

Yes he asked about server side ports, but the stated reason was "It
would be easier to figure out where offending connections come from"
hence my answer.

Christian Weisgerber

Jun 6, 2023, 4:51:42 PM
to openssh-...@mindrot.org
Darren Tucker:

> > I am using sshd on FreeBSD 13.2 and it only logs the first line.
>
> FreeBSD 13's OpenSSH is based on 8.0p1, which is a bit over four years
> old at this point.

It has been upgraded over the course of the 13.x branch:
13.2 has OpenSSH 9.2p1.

--
Christian "naddy" Weisgerber na...@mips.inka.de

Yuri

Jun 7, 2023, 12:02:46 AM
to openssh-...@mindrot.org
On 6/6/23 13:46, Christian Weisgerber wrote:
> It has been upgraded over the course of the 13.x branch: 13.2 has
> OpenSSH 9.2p1.


The current version of OpenSSH in the FreeBSD 13.x branch is 9.3p1


But the log doesn't contain the listening port information.
For example, /var/log/messages has:
> Jun  6 19:05:02 xx sshd[6528]: error: Fssh_kex_exchange_identification: read: Connection reset by peer

The same incident also has these lines in /var/log/auth.log:
> Jun  6 19:05:02 xx sshd[6528]: error: Fssh_kex_exchange_identification: read: Connection reset by peer
> Jun  6 19:05:02 xx sshd[6528]: Connection reset by 69.164.217.245 port 47272

But the listening port information isn't printed.


What is wrong?


Yuri
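The thread's practical answer to "where do offending connections come from" is that the sshpkt_fatal line logged by the same sshd child carries the peer address and port. The following is an added example, not code from the thread or from OpenSSH, that pairs each kex_exchange_identification error with that peer line by PID; the log lines it parses are constructed samples (including one PID with no peer line, as an older sshd would produce), and the "Fssh_" prefix is the one FreeBSD's build shows in Yuri's logs.

```python
import re

# Syslog framing used by sshd: "<timestamp> <host> sshd[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The error discussed in the thread; FreeBSD's build prefixes the function name with "Fssh_".
ERROR_RE = re.compile(r"^error: (?:Fssh_)?kex_exchange_identification: (?P<reason>.*)$")
# The follow-up line (sshpkt_fatal) that names the peer address and port.
PEER_RE = re.compile(r"Connection (?:from|reset by|closed by) (?P<addr>\S+) port (?P<port>\d+)")

# Constructed sample log; addresses are from documentation ranges, not real peers.
SAMPLE_LOG = """\
Jun  6 19:05:02 xx sshd[6528]: error: Fssh_kex_exchange_identification: read: Connection reset by peer
Jun  6 19:05:02 xx sshd[6528]: Connection reset by 192.0.2.10 port 47272
Jun  6 19:05:09 xx sshd[6531]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Jun  6 19:05:09 xx sshd[6531]: banner exchange: Connection from 198.51.100.7 port 52410: invalid format
Jun  6 19:05:15 xx sshd[6540]: error: Fssh_kex_exchange_identification: read: Connection reset by peer
Jun  6 19:05:20 xx sshd[6544]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
"""


def correlate(lines):
    """Return one record per kex_exchange_identification error, in log order,
    with the peer address/port taken from the next peer line of the same PID.
    'addr' and 'port' stay None when no such line was logged for that child."""
    results = []
    pending = {}  # pid -> index into results, until its peer line is seen
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        err = ERROR_RE.match(msg)
        if err:
            results.append({"ts": m.group("ts"), "pid": pid,
                            "reason": err.group("reason"), "addr": None, "port": None})
            pending[pid] = len(results) - 1
            continue
        peer = PEER_RE.search(msg)
        if peer and pid in pending:
            rec = results[pending.pop(pid)]
            rec["addr"], rec["port"] = peer.group("addr"), int(peer.group("port"))
    return results


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG.splitlines()):
        print(f"{rec['ts']} pid={rec['pid']} peer={rec['addr']}:{rec['port']} ({rec['reason']})")
```

As Yuri's own excerpt shows, the peer line may reach /var/log/auth.log but not /var/log/messages, so the correlation has to run over the file that carries both lines.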
