check_ssh
Christian Kujau
lists at nerdbynature.de
Thu May 27 18:47:57 CEST 2021
On Thu, 13 May 2021, Tomáš Tomčák wrote:
> type=USER_LOGIN msg=audit(05/13/2021 09:28:05.018:4011474) : pid=1147767
> uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=login acct=(unknown) exe=/usr/sbin/sshd hostname=?
> addr=XXXX.XXXX.XXXX.XXXX terminal=ssh res=failed'
>
> Do you know please how to prevent or get rid of this behaviour? Looks like
> the plugin cannot authenticate, maybe with some authentication method, and
> eventually it succeeds but will cause these failed login messages on targets.

Indeed, check_ssh is not supposed to log in, it only checks if an SSH login
is possible.

    $ /usr/lib/naemon/plugins/check_ssh --help
    [...]
    Try to connect to an SSH server at specified server and port

But even if check_ssh were able to perform a full login, you would then
see successful login messages in your (audit) logs. Some syslog daemons
(rsyslog, syslog-ng) can be configured to not log specific log messages,
maybe you can try and tune that on your side.

HTH,
C.

PS: For some reason this email was delivered only today, weird:

    Received: from mail-wm1-f49.google.com [...]
        by orwell.monitoring-plugins.org (Postfix) with ESMTPS id 8D4D920010A0;
        Thu, 13 May 2021 10:07:50 +0200 (CEST)
    Received: from orwell.monitoring-plugins.org (localhost [127.0.0.1])
        by orwell.monitoring-plugins.org (Postfix) for <lists at nerdbynature.de>;
        Thu, 27 May 2021 18:21:50 +0200 (CEST)

--
BOFH excuse #68:
only available on a need to know basis
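
Added example, not part of the original message: a small Python triage of audit records in the layout quoted above, which tags a failed USER_LOGIN with acct=(unknown) as a monitoring probe only when it comes from a known monitoring address, so the same record from any other source still gets reviewed. The addresses, the MONITORING_HOSTS set and the sample records are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: addresses of the hosts that run check_ssh (documentation range).
MONITORING_HOSTS = {"192.0.2.10"}

def rec(acct, addr, res, rtype="USER_LOGIN"):
    """Build a constructed record in the layout of the one quoted above."""
    return (f"type={rtype} msg=audit(05/13/2021 09:28:05.018:1) : pid=4101 "
            f"uid=root auid=unset ses=unset msg='op=login acct={acct} "
            f"exe=/usr/sbin/sshd hostname=? addr={addr} terminal=ssh res={res}'")

# Constructed sample input, not taken from the original post.
SAMPLE = [
    rec("(unknown)", "192.0.2.10", "failed"),    # connect-only check from monitoring
    rec("(unknown)", "198.51.100.7", "failed"),  # same record, unexpected source
    rec("root", "192.0.2.10", "failed"),         # named account, not a bare probe
    rec("alice", "203.0.113.5", "success"),
    rec("alice", "203.0.113.5", "success", rtype="USER_AUTH"),
]

# The record holds two msg= fields; the greedy .* selects the quoted one.
RECORD_RE = re.compile(r"^type=(?P<type>\S+) .*msg='(?P<body>[^']*)'")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return the key=value fields of the quoted msg part, or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    fields["type"] = m.group("type")
    return fields

def classify(line):
    f = parse(line)
    if f is None or f["type"] != "USER_LOGIN":
        return "other"
    if f.get("res") != "failed":
        return "ok"
    if f.get("acct") == "(unknown)" and f.get("addr") in MONITORING_HOSTS:
        return "monitoring-probe"
    return "review"  # failed login that the monitoring check does not explain

def summarize(lines):
    return Counter(classify(line) for line in lines)

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line):17} {parse(line)}")
```

A syslog filter that matches on the message text alone would also drop the second record, which is why the source address is part of the match here.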