check_ssh

Christian Kujau lists at nerdbynature.de
Thu May 27 18:47:57 CEST 2021


On Thu, 13 May 2021, Tomáš Tomčák wrote:
> type=USER_LOGIN msg=audit(05/13/2021 09:28:05.018:4011474) : pid=1147767
> uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=login acct=(unknown) exe=/usr/sbin/sshd hostname=?
> addr=XXXX.XXXX.XXXX.XXXX  terminal=ssh res=failed'
> 
> Do you know please how to prevent or get rid of this behaviour? Looks like
> the plugin cannot authenticate, maybe with some authentication method, and
> eventually it succeeds, but it will cause these failed login messages on targets.

Indeed, check_ssh is not supposed to log in, it only checks if an SSH login 
is possible.

 $ /usr/lib/naemon/plugins/check_ssh --help
 [...]
 Try to connect to an SSH server at specified server and port

But even if check_ssh were able to perform a full login, you would then 
see successful login messages in your (audit) logs. Some syslog daemons 
(rsyslog, syslog-ng) can be configured to not log specific log messages, 
maybe you can try and tune that on your side.

HTH,
C.

PS: For some reason this email was delivered only today, weird:

Received: from mail-wm1-f49.google.com [...]
 by orwell.monitoring-plugins.org (Postfix) with ESMTPS id 8D4D920010A0; 
 Thu, 13 May 2021 10:07:50 +0200 (CEST)

Received: from orwell.monitoring-plugins.org (localhost [127.0.0.1])
 by orwell.monitoring-plugins.org (Postfix) for <lists at nerdbynature.de>; 
 Thu, 27 May 2021 18:21:50 +0200 (CEST)
-- 
BOFH excuse #68:

only available on a need to know basis
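
An added example, not part of the original message or of check_ssh itself: a way to separate the monitoring probe's failed USER_LOGIN records from other failed logins when reviewing audit output, so the noise can be filtered without hiding real failures. It assumes one-line records in the layout quoted above; `MONITOR_ADDRS`, the function names and the sample addresses are hypothetical.

```python
import re

# Assumption: address(es) of the monitoring host that runs check_ssh.
MONITOR_ADDRS = {"192.0.2.10"}

RECORD = re.compile(r"type=(\S+) msg=audit\(([^)]*)\)\s*:\s*(.*)")
INNER = re.compile(r"msg='([^']*)'")
PAIR = re.compile(r"(\w+)=(\S+)")

def parse_audit(line):
    """Flatten one audit record, including the nested msg='...' fields."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    fields = {"type": m.group(1), "stamp": m.group(2)}
    body = m.group(3)
    inner = INNER.search(body)
    for text in (INNER.sub("", body), inner.group(1) if inner else ""):
        for key, value in PAIR.findall(text):
            fields[key] = value.strip('"')
    return fields

def classify(line):
    """Return 'probe', 'failed-login', 'login' or 'other' for one audit line."""
    f = parse_audit(line)
    if f is None or f["type"] != "USER_LOGIN":
        return "other"
    if f.get("res") != "failed":
        return "login"
    # Only an anonymous SSH failure from the monitoring host counts as a probe;
    # every other failure stays visible as a failed login.
    is_probe = (f.get("acct") == "(unknown)" and f.get("terminal") == "ssh"
                and f.get("addr") in MONITOR_ADDRS)
    return "probe" if is_probe else "failed-login"

# Constructed sample records modelled on the one quoted above.
_T = ("type={t} msg=audit(05/13/2021 09:28:05.018:4011474) : pid=1147767 uid=root "
      "auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
      "msg='op=login acct={acct} exe=/usr/sbin/sshd hostname=? addr={addr} "
      "terminal=ssh res={res}'")
SAMPLES = [
    _T.format(t="USER_LOGIN", acct="(unknown)", addr="192.0.2.10", res="failed"),
    _T.format(t="USER_LOGIN", acct="(unknown)", addr="198.51.100.7", res="failed"),
    _T.format(t="USER_LOGIN", acct="alice", addr="198.51.100.7", res="success"),
    _T.format(t="USER_AUTH", acct="alice", addr="198.51.100.7", res="failed"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), parse_audit(s)["addr"])
```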

