Package: logwatch
Version: 7.4.3+git20161207-2
Severity: minor
Tags: patch upstream

As we are all encouraged to lock down our SSH/SSL protocols further, I now
get hundreds of log lines telling me that things like key exchange methods
cannot be negotiated.

The patch below summarises the "Unable to negotiate" log messages...

--- /usr/share/logwatch/scripts/services/sshd   2017-01-21 16:44:03.000000000 
+0000
+++ /etc/logwatch/scripts/services/sshd 2017-11-02 16:14:48.000000000 +0000
@@ -200,6 +200,7 @@
 my %BindFailed = ();
 my %BadLogins = ();
 my %NoRevMap = ();
+my %UnableNegotiate = ();
 my %RefusedConnections = ();
 my %RefusedAuthentication = ();
 my %DisconnectReceived = ();
@@ -384,6 +385,8 @@
       $MisMatch{$Addresses}++;
    } elsif ( $ThisLine =~ m/subsystem request for sftp/ ) {
       $sftpRequests++;
+   } elsif ( $ThisLine =~ m/Unable to negotiate with ([^ ]+)/ ) {
+      $UnableNegotiate{$1}++;
    } elsif ( $ThisLine =~ m/refused connect from (.*)$/ ) {
       $RefusedConnections{$1}++;
    } elsif ( my ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) 
{
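
Review bot: The new elsif pattern m/Unable to negotiate with ([^ ]+)/ is unanchored and keeps only the first token after "with", so the rest of the log line, which per the report says what could not be negotiated (for example key exchange methods), never reaches the summary. Consider anchoring it with ^ as the neighbouring /^Authentication refused: (.*)$/ branch does, and capturing the remainder of the line as a second-level key so the report can show which kind of negotiation failed for each peer.
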
@@ -685,6 +688,13 @@
    }
 }

+if (keys %UnableNegotiate) {
+   print "\n\nUnable to negotiate with:\n";
+   foreach my $unlucky (sort {$a cmp $b} keys %UnableNegotiate) {
+      print "   $unlucky : $UnableNegotiate{$unlucky} Time(s)\n";
+   }
+}
+
 if (keys %RefusedAuthentication) {
    print "\n\nAuthentication refused:\n";
    foreach my $Reason (sort {$a cmp $b} keys %RefusedAuthentication) {

Output looks like:

 Unable to negotiate with:
    121.18.238.111 : 1 Time(s)
    198.98.57.111 : 64 Time(s)
    61.155.169.111 : 415 Time(s)


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.utf8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to 
en_GB.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages logwatch depends on:
ii  perl                            5.24.1-3+deb9u2
ii  postfix [mail-transport-agent]  3.1.4-7

Versions of packages logwatch recommends:
ii  libdate-manip-perl   6.57-1
ii  libsys-cpu-perl      0.61-2+b1
ii  libsys-meminfo-perl  0.99-1

Versions of packages logwatch suggests:
pn  fortune-mod  <none>

-- no debconf information
