
Bots are tirelessly trying to log into my server using ssh. That does not bother me, because my passwords are good, but I don't like the fact that ssh spam fills journald logs. I'd like to filter out this noise. Please note that I don't want to impose any additional restrictions like changing ssh port, limiting input IP addresses, etc.

My OS is CentOS 8 with latest updates.

Here are typical logs (from journalctl -f):

Apr 13 17:03:29 msk.vbezhenar.com sshd[14305]: Invalid user jhall from 51.132.145.250 port 46022
Apr 13 17:03:29 msk.vbezhenar.com sshd[14305]: pam_unix(sshd:auth): check pass; user unknown
Apr 13 17:03:29 msk.vbezhenar.com sshd[14305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.132.145.250
Apr 13 17:03:32 msk.vbezhenar.com sshd[14305]: Failed password for invalid user jhall from 51.132.145.250 port 46022 ssh2
Apr 13 17:03:33 msk.vbezhenar.com sshd[14305]: Received disconnect from 51.132.145.250 port 46022:11: Bye Bye [preauth]
Apr 13 17:03:33 msk.vbezhenar.com sshd[14305]: Disconnected from invalid user jhall 51.132.145.250 port 46022 [preauth]
Apr 13 17:03:46 msk.vbezhenar.com unix_chkpwd[14310]: password check failed for user (root)
Apr 13 17:03:46 msk.vbezhenar.com sshd[14308]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.68.44.74  user=root
Apr 13 17:03:48 msk.vbezhenar.com sshd[14308]: Failed password for root from 51.68.44.74 port 44088 ssh2
Apr 13 17:03:48 msk.vbezhenar.com sshd[14308]: Received disconnect from 51.68.44.74 port 44088:11: Bye Bye [preauth]
Apr 13 17:03:48 msk.vbezhenar.com sshd[14308]: Disconnected from authenticating user root 51.68.44.74 port 44088 [preauth]

so there are 5-6 log lines for every attempt.

I managed to remove a few lines using LogLevel ERROR in /etc/ssh/sshd_config, but I don't entirely like this solution, because I'd like to see informational messages from ssh, just not those about unsuccessful login attempts. And it still did not remove all lines; logs after that change:

Apr 13 18:07:46 msk.vbezhenar.com unix_chkpwd[15522]: password check failed for user (root)
Apr 13 18:07:46 msk.vbezhenar.com sshd[15520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.48.4.15  user=root
Apr 13 18:07:55 msk.vbezhenar.com sshd[15523]: pam_unix(sshd:auth): check pass; user unknown
Apr 13 18:07:55 msk.vbezhenar.com sshd[15523]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.107.131.9

so there are still 2 lines per log.

So ideally my question is about how to remove ONLY those lines about authentication failure; other logs should be kept intact. If it's not possible, then I'd like to know how to remove those 2 lines from pam_unix which weren't removed by setting LogLevel ERROR.

vbezhenar
  • Maybe filter the output with awk? Like `journalctl | tail | awk '!/Failed password|authentication failure/'`. Just concatenate a few more patterns you want to rule out with `|`. If that solution works, you can create a shell alias so you don't need to type it every time. – Max1 Apr 13 '20 at 16:02
  • I would suggest you deploy a `fail2ban` service to automatically block IP addresses that perform repeated authentication attempts via SSH. However, that is an additional restriction that you don't want to impose. – Anderson Medeiros Gomes Apr 13 '20 at 21:15
  • I could not find a directive in `journald.conf` that allows an administrator to selectively ignore messages coming from daemons according to defined patterns. A possible alternative is configuring the SSH service to log its messages directly to `syslog`, setting `StandardError=null` on its systemd unit (thus removing all `sshd` messages from the journal) and filtering messages via configuration parameters in the syslog daemon (`syslog-ng` or `rsyslog`). – Anderson Medeiros Gomes Apr 13 '20 at 21:28
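A concrete form of the filter-the-output idea from the first comment, added here as an example rather than anything posted by the question author or the commenters: a read-side filter built from exactly the message bodies shown in the question, so that the per-attempt failure lines disappear from the view while every other sshd message (and the journal itself) stays untouched. The function name, the successful-login line and the PAM session line in the sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the question or its comments. A read-side filter
# that drops only the per-attempt failure lines listed in the question; every other
# sshd message passes through, and the journal itself is untouched (the records
# remain available to fail2ban, audit or forensics).

# Message bodies seen in the question, as one ERE alternation. The pam_unix
# branch is pinned to the sshd:auth stack so sshd:session lines are not eaten.
SSH_NOISE_RE='Invalid user [^ ]+ from |pam_unix\(sshd:auth\): (check pass; user unknown|authentication failure)|Failed password for |Received disconnect from .*\[preauth\]|Disconnected from (invalid|authenticating) user .*\[preauth\]|unix_chkpwd\[[0-9]+\]: password check failed for user'

# Filter stdin. Interactive use: journalctl -f | ssh_quiet
ssh_quiet() {
    grep -Ev -- "$SSH_NOISE_RE"
}

# Constructed sample: failure lines from the question plus a successful login and
# its PAM session line (both constructed), which a correct filter must keep.
SAMPLE='Apr 13 17:03:29 msk.vbezhenar.com sshd[14305]: Invalid user jhall from 51.132.145.250 port 46022
Apr 13 17:03:29 msk.vbezhenar.com sshd[14305]: pam_unix(sshd:auth): check pass; user unknown
Apr 13 17:03:29 msk.vbezhenar.com sshd[14305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=51.132.145.250
Apr 13 17:03:32 msk.vbezhenar.com sshd[14305]: Failed password for invalid user jhall from 51.132.145.250 port 46022 ssh2
Apr 13 17:03:33 msk.vbezhenar.com sshd[14305]: Received disconnect from 51.132.145.250 port 46022:11: Bye Bye [preauth]
Apr 13 17:03:33 msk.vbezhenar.com sshd[14305]: Disconnected from invalid user jhall 51.132.145.250 port 46022 [preauth]
Apr 13 17:03:46 msk.vbezhenar.com unix_chkpwd[14310]: password check failed for user (root)
Apr 13 17:03:48 msk.vbezhenar.com sshd[14308]: Disconnected from authenticating user root 51.68.44.74 port 44088 [preauth]
Apr 13 17:05:01 msk.vbezhenar.com sshd[14400]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2: ED25519 SHA256:constructed
Apr 13 17:05:01 msk.vbezhenar.com sshd[14400]: pam_unix(sshd:session): session opened for user alice by (uid=0)'

# Number of sample lines that survive the filter (expected: the two login lines).
count_kept() {
    printf '%s\n' "$SAMPLE" | ssh_quiet | wc -l | tr -d ' '
}

# The surviving lines themselves, for inspection.
kept_lines() {
    printf '%s\n' "$SAMPLE" | ssh_quiet
}
```

Because the filter runs on the reader's side, a detection tool or a later investigation still sees the full sequence of failed attempts in the journal; only the terminal view is quiet.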

0 Answers