Three posibilities, off the top of my head:
On the client side:
- Install syslog-ng instead of ksyslogd, and filter on the ip address of your hobbit server.
- Call your logrotate script (assuming you use one) more often, and/or make it compress your old syslog messages.
On the hobbit server side: (this is my preferred option)
- change your bb-services file ($HOBBIT/server/etc/bb-services) so that ssh test sends the version string. I think that will stop your sshd from complaining.
ie.:
[ssh|ssh1|ssh2] send "SSH-2.0-OpenSSH_4.1\r\n" expect "SSH" options banner port 22
I think if you disconnect after the version exchange, but before the diffie-helman key exchance, sshd wont log anything.
Now, if you arent accepting v2 connections on your clients,
you'll have to set up a separate [ssh1] stanza that supplies
an ssh v1 string (SSH-1.5-OpenSSH_4.2) and change your ssh
statement in your bb-hosts to ssh1 for those machines.
Otherwise your logs are just going to be filled with
protocol mismatch messages instead.
HTH,
-Eric Schwimmer Network Engineer UVA HSCS Network Engineering
-----Original Message----- From: thomas.seglard.enata at cnp.fr [mailto:thomas.seglard.enata at cnp.fr] Sent: Thursday, March 02, 2006 6:09 AM To: hobbit at hswn.dk Subject: [hobbit] sshd notification in syslog
Hello,
since deployment of hobbit's client on 200 servers (hpux, aix, sun, linux), I got this message in syslog :
Feb 13 12:05:44 psa089 sshd[9813]: Did not receive identification string from 158.157.156.91 Feb 13 12:06:47 psa089 sshd[9980]: Did not receive identification string from 158.157.156.91 Feb 13 12:07:49 psa089 sshd[10006]: Did not receive identification string from 158.157.156.91 Feb 13 12:08:17 psa089 sshd[10012]: Did not receive identification string from 158.157.156.91 Feb 13 12:08:48 psa089 sshd[10078]: Did not receive identification string from 158.157.156.91 Feb 13 12:09:52 psa089 sshd[10564]: Did not receive identification string from 158.157.156.91 Feb 13 12:10:55 psa089 sshd[10871]: Did not receive identification string from 158.157.156.91 Feb 13 12:11:57 psa089 sshd[10987]: Did not receive identification string from 158.157.156.91 Feb 13 12:13:00 psa089 sshd[11060]: Did not receive identification string from 158.157.156.91 Feb 13 12:13:20 psa089 sshd[11065]: Did not receive identification string from 158.157.156.91 Feb 13 12:14:02 psa089 sshd[11166]: Did not receive identification string from 158.157.156.91 Feb 13 12:15:06 psa089 sshd[11297]: Did not receive identification string from 158.157.156.91
Ip address is the one from my hobbit's server (158.157.156.91). This message do not specify that the ssh test failed, so I'm not worried about this. The main problem is the size of syslog and /var is growing rapidly ! Anyone knows how to prevent this message to be display in syslog ? Thank you !
Thomas Seglard (I'm using Lotus Notes, what a challenge...)
Ce message (et toutes ses pieces jointes eventuelles) est confidentiel et etabli a l'intention exclusive de ses destinataires. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, CNP Assurances et ses filiales declinent toute responsabilite au titre de ce message, s'il a ete altere, deforme ou falsifie.
This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. E-mails are susceptible to alteration. Neither CNP Assurances nor any of its subsidiaries or affiliates shall be liable for the message if altered, changed or falsified.