sshd LogLevel does not take effect

One day my Ubuntu (22.04) machine started writing far too little to auth.log. fail2ban (sshd) cannot recognise the following auth.log entries:

Mar  6 17:52:03 laphs sshd[13792]: pam_unix(sshd:auth): check pass; user unknown
Mar  6 17:52:03 laphs sshd[13792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.225.107.69
Mar  6 17:54:52 laphs sshd[13958]: pam_unix(sshd:auth): check pass; user unknown
Mar  6 17:54:52 laphs sshd[13958]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.179.157.95
Mar  6 18:05:29 laphs sshd[15051]: pam_unix(sshd:auth): check pass; user unknown
Mar  6 18:05:29 laphs sshd[15051]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.179.157.95
Mar  6 18:12:41 laphs sshd[15643]: pam_unix(sshd:auth): check pass; user unknown
Mar  6 18:12:41 laphs sshd[15643]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.190.49.157
Mar  6 18:16:23 laphs sshd[15976]: pam_unix(sshd:auth): check pass; user unknown
Mar  6 18:16:23 laphs sshd[15976]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.190.49.157
Mar  6 18:16:41 laphs sshd[16001]: pam_unix(sshd:auth): check pass; user unknown
Mar  6 18:16:41 laphs sshd[16001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.179.157.95
Mar  6 18:17:17 laphs sshd[16030]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=209.141.34.151  user=root
Mar  6 18:20:11 laphs sshd[16343]: pam_unix(sshd:auth): check pass; user unknown
Mar  6 18:20:11 laphs sshd[16343]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.225.107.69
Mar  6 18:28:06 laphs sshd[16711]: pam_unix(sshd:auth): check pass; user unknown

Last month's auth.log:

Jan 15 21:54:58 laphs sshd[1555]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 21:54:58 laphs sshd[1555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=170.83.79.29
Jan 15 21:55:00 laphs sshd[1555]: Failed password for invalid user wangkun from 170.83.79.29 port 44724 ssh2
Jan 15 21:55:00 laphs sshd[1555]: Received disconnect from 170.83.79.29 port 44724:11: Bye Bye [preauth]
Jan 15 21:55:00 laphs sshd[1555]: Disconnected from invalid user wangkun 170.83.79.29 port 44724 [preauth]
Jan 15 21:55:03 laphs sshd[1557]: Invalid user huachen from 159.89.132.160 port 32798
Jan 15 21:55:03 laphs sshd[1557]: pam_unix(sshd:auth): check pass; user unknown
Jan 15 21:55:03 laphs sshd[1557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.89.132.160
Jan 15 21:55:05 laphs sshd[1557]: Failed password for invalid user huachen from 159.89.132.160 port 32798 ssh2
Jan 15 21:55:07 laphs sshd[1557]: Received disconnect from 159.89.132.160 port 32798:11: Bye Bye [preauth]
Jan 15 21:55:07 laphs sshd[1557]: Disconnected from invalid user huachen 159.89.132.160 port 32798 [preauth]
Jan 15 21:55:12 laphs sshd[1651]: Connection closed by authenticating user root 192.168.0.34 port 49550 [preauth]

I changed sshd's LogLevel in /etc/ssh/sshd_config, but it has no effect:

...
# Logging
#SyslogFacility AUTH
# LogLevel VERBOSE
LogLevel DEBUG3
...

I can't find any solution... can anyone help?

/etc/rsyslog.d/50-default.conf

...
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
...

Answer 1

Solved it myself.

A month ago I changed the systemd journal level in /etc/systemd/journald.conf:

MaxLevelStore=notice
MaxLevelSyslog=notice

because /var/log/syslog was filling up with systemd messages like these:

Mar  7 15:26:47 laphs systemd[1]: run-docker-runtime\x2drunc-moby-01de1a288d671d1b55cd95662c3c26341aa029b403e923a7b94a535ffa3daaa1-runc.hLmUbB.mount: Deactivated successfully.
Mar  7 15:27:17 laphs systemd[1]: run-docker-runtime\x2drunc-moby-01de1a288d671d1b55cd95662c3c26341aa029b403e923a7b94a535ffa3daaa1-runc.1okAs8.mount: Deactivated successfully.
Mar  7 15:27:47 laphs systemd[1]: run-docker-runtime\x2drunc-moby-01de1a288d671d1b55cd95662c3c26341aa029b403e923a7b94a535ffa3daaa1-runc.5o2GHy.mount: Deactivated successfully.

Reference: https://stackoverflow.com/questions/63622619/docker-flooding-syslog-with-run-docker-runtime-logs#comment124722942_69415949

Comment out those two lines and restart systemd: systemctl restart systemd-journald
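The cause the answer identifies can be reproduced offline. This added example (not code from the question or the answer) models journald's MaxLevelSyslog= filter on a constructed set of journal entries for one failed login and checks whether a fail2ban-style sshd rule still finds an address to ban. The priority given to each message is an assumption about how pam_unix (NOTICE) and sshd itself (INFO) log, consistent with what the question's auth.log shows; the IP is a documentation address.

```python
"""Simulate journald's MaxLevelSyslog= filter on sshd/PAM messages.

Added example, not from the original question or answer. The priorities
below are assumptions (pam_unix failures at NOTICE, sshd's own messages at
INFO); they match what the question observed, but check your own versions.
"""
import re

# syslog severities as journald numbers them (lower = more urgent)
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed journal entries (priority, message) for one failed login.
JOURNAL = [
    ("notice", "sshd[1557]: pam_unix(sshd:auth): check pass; user unknown"),
    ("notice", "sshd[1557]: pam_unix(sshd:auth): authentication failure; "
               "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7"),
    ("info", "sshd[1557]: Invalid user huachen from 203.0.113.7 port 32798"),
    ("info", "sshd[1557]: Failed password for invalid user huachen "
             "from 203.0.113.7 port 32798 ssh2"),
]


def max_level_syslog(journald_conf: str) -> str:
    """Effective MaxLevelSyslog= from journald.conf text (journald default: debug)."""
    level = "debug"
    for line in journald_conf.splitlines():
        m = re.match(r"\s*MaxLevelSyslog\s*=\s*(\w+)", line)
        if m:  # commented-out lines never match; last assignment wins
            level = m.group(1).lower()
    return level


def forwarded(journald_conf: str, entries=JOURNAL):
    """Messages journald would pass to rsyslog (and so to auth.log) under this config."""
    cutoff = LEVELS[max_level_syslog(journald_conf)]
    return [msg for prio, msg in entries if LEVELS[prio] <= cutoff]


# A fail2ban-style sshd rule keys on sshd's own messages; pam_unix lines alone
# carry no "from <ip>" the filter can use.
SSHD_FAIL = re.compile(r"sshd\[\d+\]: (Failed password|Invalid user) .* from (\S+)")


def fail2ban_sees_attacker(journald_conf: str, entries=JOURNAL):
    """Addresses a fail2ban-style sshd rule could extract from the surviving lines."""
    ips = set()
    for msg in forwarded(journald_conf, entries):
        m = SSHD_FAIL.search(msg)
        if m:
            ips.add(m.group(2))
    return sorted(ips)
```

With `MaxLevelSyslog=notice` only the two pam_unix lines reach auth.log and no address is bannable; with the line commented out all four lines arrive and the rule matches.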
