Ticket #3461 (new Bugs)

Opened 4 years ago

Last modified 1 year ago

FreePBX causes sshd errors in /var/log/secure log file

Reported by: ronw
Assigned to: gregmac
Priority: major
Milestone: Undetermined
Component: FreePBX System Status
Version:
Keywords:
Cc:
Confirmation: Unreviewed
Distro:
Backend Engine: Asterisk 1.4.x
Distro Ver:
Backend Ver:
SVN Revision (if applicable):

Description

Every time FreePBX polls SSH Server status an error log is created in /var/log/secure.

Dec 30 11:38:02 pbx sshd[5384]: Did not receive identification string from UNKNOWN
Dec 30 11:38:33 pbx sshd[5421]: Did not receive identification string from UNKNOWN
Dec 30 11:39:03 pbx sshd[5458]: Did not receive identification string from UNKNOWN
Dec 30 11:39:33 pbx sshd[5493]: Did not receive identification string from UNKNOWN
Dec 30 11:40:03 pbx sshd[5529]: Did not receive identification string from UNKNOWN
Dec 30 11:40:35 pbx sshd[5573]: Did not receive identification string from UNKNOWN

When the check_port function is called from page.index.php for $ssh_port, the log entry is generated. The check_port function is located in class.procinfo.php.

This issue exists for all configurations with CentOS 5.2, Asterisk 1.4.21 and FreePBX 2.5.1.3. Since this status is checked every 30 seconds, the log file size increases quickly.

Change History

(follow-up: ↓ 2 ) 03/11/09 11:40:30 changed by vietbach

The error message in /var/log/secure is generated by sshd and is the normal result of a scan of the sshd port. Since the FreePBX dashboard needs to scan this port every 30 seconds to report the status of the SSH server on the dashboard, you will get a line every 30 seconds. If you run the command "telnet localhost 22", you'll get the exact same message in /var/log/secure. As a result, this is not a FreePBX bug, it is just the way sshd behaves.

If you want to turn off this message, because you don't want the log file to increase, you can change the level of logging in /etc/ssh/sshd_config from "LogLevel INFO" to "LogLevel ERROR".

The proper way to handle this, however, is to keep sshd LogLevel at INFO and have software processing /var/log/secure to sort out the different types of port scans. You don't want to miss the port scans that are a prelude to a penetration attack.

(in reply to: ↑ 1 ) 04/07/09 23:25:45 changed by ronw

A better way to check sshd server status would be to use the system command: service sshd status

Other commands that could be used:

lsof -i -n -P | grep 22
netstat -nan | grep 22

None of these commands generate errors in the log files.

08/22/09 22:20:27 changed by p_lindheimer

  • version deleted.
  • milestone changed from 2.6 to 2.7.

moving to 2.7. If there is a suggestion that will be consistent across different OS versions we are happy to have a look, but the above looks questionable as well as a pretty heavy command to be running especially if multiple users are running dashboard.

12/03/09 05:02:45 changed by robfantini

I am using Debian etch and we do not have this problem.

sshd_config:

# Logging
SyslogFacility AUTH
LogLevel INFO

01/28/10 14:45:27 changed by p_lindheimer

  • milestone changed from 2.7 to 2.8.

01/13/12 14:06:34 changed by miken32

This is still an annoyance. lsof requires root to list other users' open files, so it is not an option. Checking the service status could work, but the code in question is just looking for a port number, not a service name.

netstat -lnt

This command provides the most concise output. The PHP code in question also provides the option to check port status on a remote host, so we have just put in a code block at the top to use netstat if it's checking localhost.

http://www.freepbx.org/trac/browser/modules/branches/2.10/dashboard/class.procinfo.php#L11
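
The local netstat-based check described in the last comment, sketched in shell as an added example (not FreePBX's own code, which is PHP). The function names and the sample netstat output are constructed for illustration; the port field is compared exactly, because a plain "grep 22" also matches ports such as 2222 or 8022.

```sh
#!/bin/sh
# Added example: decide whether a TCP port is in LISTEN state from
# `netstat -lnt` output, without opening a connection to the port.

# port_is_listening PORT
# Reads `netstat -lnt`-style text on stdin (hypothetical helper name).
# Exit status 0 if a tcp socket in LISTEN state is bound to exactly PORT.
port_is_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Field 4 is the local address: 0.0.0.0:22, 127.0.0.1:22 or :::22.
            # The port is whatever follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] == port) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample of `netstat -lnt` output: sshd is NOT listening on 22,
# but other services listen on 2222, 8022 and 80.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:2222                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:8022              0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
EOF
}

# Report the state of a few ports against the sample.
for p in 22 2222 80; do
    if sample_netstat | port_is_listening "$p"; then
        echo "port $p: listening"
    else
        echo "port $p: not listening"
    fi
done
```

On a live system the same function is fed with "netstat -lnt | port_is_listening 22"; it only reads the socket table, so sshd sees no connection and writes nothing to /var/log/secure.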