SSH
Secure Shell or SSH is the process that offers secure, trusted connection to a restricted shell on the SafeNet Luna Network HSM appliance for administrative purposes.
|
Facility Keyword |
Software Process |
Log File |
|---|---|---|
|
|
|
|
This version of Syslog and SNMP Monitoring Guide shows some examples of log messages you might find for SSH but is not a comprehensive account of all possible messages.
Expected Log Messages
2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Server listening on 0.0.0.0 port 22. 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Received signal 15; terminating. 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Accepted password for <user name> from 192.168.10.100 port 51286 ssh2 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Received disconnect from 192.168.10.100: 11: disconnected by user 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Did not receive identification string from 192.168.0.100 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Received disconnect from 192.168.0.100: 11: The user disconnected the application 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Accepted publickey for <admin | monitor> from 192.168.0.100 port 2299 ssh2 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: pam_unix(ssdh[1234]:session): session opened for user admin by (uid=0) 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: pam_unix(ssdh[1234]:session): session closed for user admin 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Received disconnect from 192.168.0.100: 2: disconnected by server request 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Connection closed by 192.168.0.100 [preauth]
These messages indicate normal SSH activity. <user name> is “admin”, “operator”, “monitor”, “audit” or a customer-defined name.
Unexpected Log Messages
Under normal circumstances, you should not see any of these log messages. If you do, please contact Thales Group Technical Support to report the message and seek guidance on what to do next.
2012 Feb 29 12:05:01 myLuna authpriv err ssdh[1234]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use. 2012 Feb 29 12:05:01 myLuna authpriv crit ssdh[1234]: fatal: Cannot bind any address. 2012 Feb 29 12:05:01 myLuna authpriv crit ssdh[1234]: fatal: Read from socket failed: Connection reset by peer [preauth] 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Disconnecting: Too many authentication failures for <user name> [preauth] 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Invalid user <user name> from 192.168.0.100 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: input_userauth_request: invalid user <user name> [preauth] 2012 Feb 29 12:05:01 myLuna authpriv notice ssdh[1234]: pam_unix(ssdh[1234]:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.100 user=admin 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Failed password for admin from 192.168.0.100 port 1615 ssh2 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: subsystem request for sftp 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: subsystem request for sftp failed, subsystem not found 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: syslogin_perform_logout: logout() returned an error 2012 Feb 29 12:05:01 myLuna authpriv alert ssdh[1234]: pam_unix(ssdh[1234]:auth): check pass; user unknown 2012 Feb 29 12:05:01 myLuna authpriv crit ssdh[1234]: pam_succeed_if(ssdh[1234]:auth): error retrieving information about user <user name> 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: User root from 192.168.0.100 not allowed because not listed in AllowUsers 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Bad protocol version identification 'id' from 10.168.64.4 2012 Feb 29 12:05:01 myLuna authpriv warn ssdh[1234]: Deprecated pam_stack module called from service "ssdh[1234]" 2012 Feb 29 12:05:01 myLuna authpriv notice ssdh[1234]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.101.18.32 user=admin 2012 Feb 29 12:05:01 myLuna authpriv alert ssdh[1234]: PAM service(ssdh[1234]) ignoring max retries; 5 > 3 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Received request to connect to host 127.0.0.1 port 3306, but the request was denied. 2012 Feb 29 12:05:01 myLuna authpriv err ssdh[1234]: error: Received disconnect from 192.168.0.100: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] 2012 Feb 29 12:05:01 myLuna authpriv crit ssdh[1234]: fatal: Access denied for user admin by PAM account configuration [preauth] 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Setting tty modes failed: Invalid argument 2012 Feb 29 12:05:01 myLuna authpriv crit ssdh[1234]: fatal: PAM: pam_chauthtok(): Authentication token manipulation error 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: syslogin_perform_logout: logout() returned an error 2012 Feb 29 12:05:01 myLuna authpriv info ssdh[1234]: Received SIGHUP; restarting.
These messages indicate abnormal SSH activity. A future revision of Syslog and SNMP Monitoring Guide will provide more details of what each message means.
