Hi all,
Weeks later it happened again and I'm not any less puzzled:
/var/log/syslog
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 25: Deprecated option UsePrivilegeSeparation
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 28: Deprecated option KeyRegenerationInterval
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 29: Deprecated option ServerKeyBits
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 49: Deprecated option RSAAuthentication
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 57: Deprecated option RhostsRSAAuthentication
Aug 28 10:12:31 deb10 sshd[207]: /etc/ssh/sshd_config line 25: Deprecated option UsePrivilegeSeparation
Aug 28 10:12:31 deb10 sshd[207]: /etc/ssh/sshd_config line 28: Deprecated option KeyRegenerationInterval
Aug 28 10:12:31 deb10 sshd[207]: /etc/ssh/sshd_config line 29: Deprecated option ServerKeyBits
Aug 28 10:12:31 deb10 sshd[207]: /etc/ssh/sshd_config line 49: Deprecated option RSAAuthentication
Aug 28 10:12:31 deb10 sshd[207]: /etc/ssh/sshd_config line 57: Deprecated option RhostsRSAAuthentication
Not matching what's in the file:
awk 'NR==25' /etc/ssh/sshd_config
awk 'NR==28' /etc/ssh/sshd_config
awk 'NR==29' /etc/ssh/sshd_config
# Lifetime and size of ephemeral version 1 server key
etc.
The service hasn't been restarted around that time and the file hasn't
been modified for even longer:
systemctl status ssh.service | grep running
Active: active (running) since Wed 2021-08-18 17:36:45 UTC; 3 weeks 1 days ago
stat /etc/ssh/sshd_config
File: /etc/ssh/sshd_config
Size: 3864 Blocks: 9 IO Block: 4096 regular file
Device: 34h/52d Inode: 94834 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2021-09-10 06:48:08.449310637 +0000
Modify: 2021-07-06 07:15:34.222154544 +0000
Change: 2021-07-06 07:15:34.222154544 +0000
Birth: -
This is a Proxmox LXC container and I thought that maybe the syslog
entries were for some reason referring to the master host, but not!
awk 'NR==25' /etc/ssh/sshd_config
# Logging
awk 'NR==28' /etc/ssh/sshd_config
awk 'NR==29' /etc/ssh/sshd_config
# Authentication:
What's going on here? :)
Regards,
Adam
On 16/08/2021 18:27, David Wright wrote:
On Mon 16 Aug 2021 at 16:49:16 (+0100), Adam Weremczuk wrote:
Installation and configuration was straightforward:
sudo apt install logwatch
/etc/cron.daily/00logwatch
#execute
/usr/sbin/logwatch --detail low --mailto x...@domain.com
The master config file /usr/share/logwatch/default.conf/logwatch.conf
left with defaults.
Only one report per day arrives. Same as for the other dozen of Debian
(mostly older) machines it's installed on and which don't show this
issue.
I presume logwatch is watching your logs, so the first place to check
is the actual logs themselves.
My guess (it's no more than that) is that one of the other dozen
machines that you occasionally log into has a slightly different
configuration from this one, perhaps older, with options that are
now considered less secure (but no extra lines inserted).
The options that are commented out in each machine's config file are
the defaults being used by the server, so they /are/ in force.
When you connect to a remote machine's server, I'm assuming it gets
told what the remote's options are, and it's remonstrating about them.
(The fact that options are commented will be irrelevant, therefore.)
Note that I may have all this in reverse: the remote machine could be
complaining about yours, and sending you the log by email. So, as I say,
the first step is to find the log entries that logwatch has watched for.
Cheers,
David.
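
The line-by-line comparison done by hand in the message above (`awk 'NR==25' /etc/ssh/sshd_config` against each syslog entry), run over several candidate files at once, as an added example that is not part of the thread. `count_matches` scores a candidate sshd_config against the "Deprecated option" syslog lines, so a file whose numbered lines really carry the named options stands out; the function names, the candidate files and the log excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example; the candidate configs and the log excerpt are constructed.

# count_matches LOG CONFIG
# Prints "<hits>/<total>": how many distinct (line, option) pairs reported in
# LOG have that option as the first keyword on that line of CONFIG.
count_matches() {
    awk '
        FILENAME == ARGV[1] { cfg[FNR] = $0; next }   # index config by line
        /sshd\[[0-9]+\]: .* line [0-9]+: Deprecated option / {
            n = $(NF - 3); sub(/:$/, "", n); opt = $NF
            if ((n, opt) in seen) next                # other PIDs repeat the set
            seen[n, opt] = 1; total++
            split(cfg[n], w, /[ \t=]+/)               # "Keyword value" or "Keyword=value"
            first = (w[1] == "" ? w[2] : w[1])        # skip leading indent
            if (tolower(first) == tolower(opt)) hit++ # keywords are case-insensitive
        }
        END { printf "%d/%d\n", hit, total }
    ' "$2" "$1"
}

# make_config OUT L25 L28: write a 30-line file, blank except lines 25 and 28.
make_config() {
    awk -v a="$2" -v b="$3" 'BEGIN {
        for (i = 1; i <= 30; i++) print (i == 25 ? a : i == 28 ? b : "")
    }' > "$1"
}

# demo: score two constructed candidates against a constructed log excerpt.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/syslog" <<'EOF'
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 25: Deprecated option UsePrivilegeSeparation
Aug 28 10:12:30 deb10 sshd[145]: /etc/ssh/sshd_config line 28: Deprecated option KeyRegenerationInterval
Aug 28 10:12:31 deb10 sshd[207]: /etc/ssh/sshd_config line 25: Deprecated option UsePrivilegeSeparation
Aug 28 10:12:31 deb10 sshd[207]: /etc/ssh/sshd_config line 28: Deprecated option KeyRegenerationInterval
EOF
    make_config "$d/current" "# Logging" ""
    make_config "$d/older" "UsePrivilegeSeparation yes" "KeyRegenerationInterval 3600"
    for f in current older; do
        echo "$f $(count_matches "$d/syslog" "$d/$f")"
    done
    rm -rf "$d"
}

demo
```

A score of 0 for every file you can reach from the machine that holds the log means the sshd that wrote those entries read some other file.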