Public bug reported:

# lsb_release -rd
Description:    Ubuntu 16.04.1 LTS
Release:        16.04

# apt-cache policy logwatch
logwatch:
  Installed: 7.4.2-1ubuntu1
  Candidate: 7.4.2-1ubuntu1
  Version table:
 *** 7.4.2-1ubuntu1 500
        500 http://mirrors.digitalocean.com/ubuntu xenial/main amd64 Packages
        500 http://mirrors.digitalocean.com/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status


The issue seems to be exactly as described here:

https://bugzilla.redhat.com/show_bug.cgi?id=1317620

In synopsis, Logwatch's "SSHD" output contains excessive "Unmatched
Entries" regarding SSH disconnections. They look like this:

 Received disconnect from 123.123.123.123 port 6887:11: disconnected by user : 1 time(s)
 Received disconnect from 123.123.123.123 port 8310:11: disconnected by user : 1 time(s)
 Disconnected from 123.123.123.123 port 1306 : 1 time(s)
 Received disconnect from 123.123.123.123 port 3720:11: disconnected by user : 1 time(s)
 Received disconnect from 123.123.123.123 port 3001:11: disconnected by user : 1 time(s)
 Disconnected from 123.123.123.123 port 1054 : 1 time(s)
 Received disconnect from 123.123.123.123 port 9741:11: disconnected by user : 1 time(s)
 Received disconnect from 123.123.123.123 port 3261:11: disconnected by user : 1 time(s)
 Received disconnect from 123.123.123.123 port 4650:11: disconnected by user : 1 time(s)
 Received disconnect from 123.123.123.123 port 13235:11: disconnected by user : 1 time(s)
 Received disconnect from 123.123.123.123 port 1065:11: disconnected by user : 1 time(s)
 Received disconnect from 123.123.123.123 port 13868:11: disconnected by user : 1 time(s)
 Disconnected from 123.123.123.123 port 8542 : 1 time(s)

I should mention that these connections are from me, and are legitimate;
they are not from "bots" or other types of probes/scans that are, for
example, checking for the availability of vulnerable ciphers.

The key finding from the above report seems to be:

"I don't know why there are two different format disconnect messages,
but the bit that seems to confuse logwatch was adding the port number to
the message."

There seem to be several (3-5) such messages that result from a normal
connect/disconnect cycle.

** Affects: logwatch (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1644057

Title:
  Excessive Disconnect unmatched entries from sshd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1644057/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
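
The port-number problem described in the report above, as an added example that is not part of the original report and is not logwatch's own code: a log summarizer that treats the "port N" field as optional and drops it from the grouping key, so disconnects aggregate per host instead of each ephemeral port producing its own "1 time(s)" entry. The older message layout without a port, the extra unrelated line, and all function and variable names are assumptions made for illustration.

```python
import re
from collections import Counter

# "port N" is optional: accepts the newer layout shown in the report
# ("from HOST port N:11: reason") and the older one ("from HOST: 11: reason").
RECEIVED = re.compile(
    r"^Received disconnect from (?P<host>\S+?)(?: port (?P<port>\d+))?"
    r": ?(?P<code>\d+): (?P<reason>.*)$"
)
DISCONNECTED = re.compile(r"^Disconnected from (?P<host>\S+) port (?P<port>\d+)$")

# Constructed sample: the first three messages use the layout from the report,
# the last two are made up for this example.
SAMPLE = [
    "Received disconnect from 123.123.123.123 port 6887:11: disconnected by user",
    "Disconnected from 123.123.123.123 port 1306",
    "Received disconnect from 123.123.123.123 port 8310:11: disconnected by user",
    "Received disconnect from 123.123.123.123: 11: disconnected by user",
    "Some other sshd message",
]


def summarize(messages):
    """Return (matched, unmatched) Counters; matched keys omit the port."""
    matched = Counter()
    unmatched = Counter()
    for msg in messages:
        msg = msg.strip()
        m = RECEIVED.match(msg)
        if m:
            # Group by host and disconnect code/reason, not by source port.
            matched[(m["host"], f"{int(m['code'])}: {m['reason']}")] += 1
            continue
        m = DISCONNECTED.match(msg)
        if m:
            matched[(m["host"], "closed")] += 1
            continue
        # Anything else stays visible, keyed by the full message text.
        unmatched[msg] += 1
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = summarize(SAMPLE)
    for (host, what), n in sorted(matched.items()):
        print(f"{host} {what} : {n} time(s)")
    for msg, n in unmatched.items():
        print(f"UNMATCHED {msg} : {n} time(s)")
```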
