# ssh audit messages in dmesg

## evoweiss

Hi all,

For some strange reason I have recently been getting messages in dmesg related to ssh. I haven't changed my configuration in any way and I haven't found any indication of what it might be. Here's what I have so far, though it usually builds up more. 

```
[ 1366.978630] audit: type=1326 audit(1422551004.132:2): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=2351 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7669aa8 code=0x0
[ 1552.767898] audit: type=1326 audit(1422551189.921:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=4209 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb76e9aa8 code=0x0
[ 1733.752967] audit: type=1326 audit(1422551370.910:4): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=13673 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb765eaa8 code=0x0
[ 1924.744755] audit: type=1326 audit(1422551561.900:5): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=27673 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7621aa8 code=0x0
[ 2114.616020] audit: type=1326 audit(1422551751.773:6): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=1104 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7615aa8 code=0x0
[ 2304.773969] audit: type=1326 audit(1422551941.930:7): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=1830 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb76ebaa8 code=0x0
[ 2497.640622] audit: type=1326 audit(1422552134.799:8): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=10021 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7651aa8 code=0x0
```

Finally, I use paired ssh keys and not passwords to get into my system. I am using a dynamic dns service, though.

Best,

Alex
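An added example, not from the thread, that decodes lines of this shape so the recurring pattern is visible at a glance: `type=1326` is the audit record the kernel writes when a seccomp filter kills a process, and `sig=31` is SIGSYS on x86. It assumes the host is 32-bit x86 (the `ip=` values are 32-bit user-space addresses and `compat=0`), where syscall 102 is `socketcall`; the sample input is constructed from two lines of the post plus one unrelated dmesg line.

```python
import re
from collections import Counter

# Constructed sample: two of the dmesg lines from the post, plus one
# unrelated line to show that non-audit lines are skipped.
SAMPLE_DMESG = """\
[ 1366.978630] audit: type=1326 audit(1422551004.132:2): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=2351 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb7669aa8 code=0x0
[ 1552.767898] audit: type=1326 audit(1422551189.921:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=4209 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=102 compat=0 ip=0xb76e9aa8 code=0x0
[ 1600.000000] usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

AUDIT_SECCOMP = 1326    # audit record type emitted when a seccomp filter fires
SIGSYS = 31             # signal delivered on x86 when seccomp kills/traps a syscall
UNSET_ID = 4294967295   # (uint32)-1: auid/ses unset, i.e. not tied to a login session

# Assumption: 32-bit x86 host (ip=0xb7xxxxxx is a 32-bit user-space range and
# compat=0). On i386, syscall number 102 is socketcall.
I386_SYSCALLS = {102: "socketcall"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Return a dict of key=value fields for one audit line, or None for other lines."""
    if "audit: type=" not in line:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line.split("audit: ", 1)[1]):
        fields[key] = val.strip('"')
    return fields

def seccomp_kills(text):
    """Yield a decoded record for every AUDIT_SECCOMP line in dmesg output."""
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if not rec or int(rec["type"]) != AUDIT_SECCOMP:
            continue
        yield {
            "pid": int(rec["pid"]),
            "comm": rec["comm"],
            "uid": int(rec["uid"]),
            "signal": "SIGSYS" if int(rec["sig"]) == SIGSYS else rec["sig"],
            "syscall": I386_SYSCALLS.get(int(rec["syscall"]), rec["syscall"]),
            "login_session": int(rec["auid"]) != UNSET_ID,
        }

def summarize(text):
    """Count seccomp kills per (comm, syscall); a repeating pair points at one code path."""
    return Counter((r["comm"], r["syscall"]) for r in seccomp_kills(text))
```

Run `summarize(open("/var/log/dmesg").read())` (or the output of `dmesg`) to see which process and syscall keep tripping the filter; a steady `("sshd", "socketcall")` count with `auid` unset is the unprivileged sshd child, not a user session.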

----------

## teliot

Do you have anything that looks like "connection closed preauth"?

I am guessing it's not sshd login attempts but something else with ssh that isn't actually anything bad (but just a guess). When I have had to open up ssh publicly in the past I would set up pam with sshd. Then I could block IP addresses after x number of failed attempts. Additionally I would change the ssh port to 6022 (the 6xxx ports are microsoft outgoing traffic ports and seem to never get scanned). The safest thing is to block the port, and then allow incoming traffic from a range of trusted IPs; this does not always allow you access though  :Sad: 

----------

## evoweiss

 *teliot wrote:*   

> Do you have anything that looks like "connection closed preauth"?
> 
> I am guessing it's not sshd login attempts but something else with ssh that isn't actually anything bad (but just a guess). When I have had to open up ssh publicly in the past I would set up pam with sshd. Then I could block IP addresses after x number of failed attempts. Additionally I would change the ssh port to 6022 (the 6xxx ports are microsoft outgoing traffic ports and seem to never get scanned). The safest thing is to block the port, and then allow incoming traffic from a range of trusted IPs; this does not always allow you access though 

 

I do have people trying to get into the system, though I lock it down very tight as I'm the only user allowed to access it, I have good passwords, etc. This is new behavior that was not present before, though the break-in attempts were.

I just compared my sshd_config file with a server that didn't appear to have the problem. There were differences and I changed the two to be similar, particularly as I have the same needs in both cases. We'll see whether that takes care of the problem.

Best,

Alex

----------

## toralf

 *evoweiss wrote:*   

> , I have good passwords, etc. 
> 
> Alex

Pff - best practice IMO is nowadays to disallow ssh password login and just to allow login per ssh key (and even then not for root)

----------

## evoweiss

 *toralf wrote:*   

>  *evoweiss wrote:*   
> 
> > , I have good passwords, etc. 
> > 
> > Alex
> 
> Pff - best practice IMO is nowadays to disallow ssh password login and just to allow login per ssh key (and even then not for root)

 

I meant passwords on my main system. As per ssh, I do that all with keys and disallow passwords. I've always disallowed root logins.

Best,

Alex

----------

## mDup

 *evoweiss wrote:*   

>  *toralf wrote:*   
> 
> > *evoweiss wrote:*   
> > 
> > > , I have good passwords, etc. 
> > > 
> > > Alex
> > 
> > Pff - best practice IMO is nowadays to disallow ssh password login and just to allow login per ssh key (and even then not for root) 
> 
> I meant passwords on my main system. As per ssh, I do that all with keys and disallow passwords. I've always disallowed root logins.
> ...

 

Did you actually find a solution?

Update

Upgrading openssl fixed the issue in my case.

----------

