48

Recently, my SSH log summaries for my Ubuntu 12.04 servers in Logwatch have started showing entries for "11: Normal Shutdown, Thank you for playing [preauth]" along with the "11: Bye Bye [preauth]" and "11: disconnected by user" messages they had been showing previously.

I have not seen this message in my logs before the past few weeks, nor have I seen it on my older servers which are stuck on Ubuntu 10.04. I have googled this message and can't find any clear explanations there either.

The IPs attempting to login and receiving this message are random hack attempts, and judging from the preauth I assume (hope) they are not successful, but I would like to know exactly what this message means and how it differs from others to be sure.

EDIT for additional information: My servers have password authentication and root authentication both disabled.

Dave Stern
  • What version of libssh2, and was it recently updated? As far as I know, this is just a normal termination when the server can't auth the user. – nerve Dec 04 '13 at 16:26
  • SSH itself has the following "ssh -V" output: OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012. I am not sure where to track down the libssh2 version number. – Dave Stern Dec 05 '13 at 15:38

3 Answers

43

When the ssh client does a "normal" connection shutdown, it sends a packet with a message in it. When the ssh daemon gets such a packet when it's not expecting it -- in this case, before the user managed to authenticate -- it logs the message. (Older versions of OpenSSH did not do this.) So your surmise is exactly correct: it's a side effect of a brute-force ssh password-guessing attack. You should probably be running something like fail2ban or sshguard to block these in iptables; even if you think everything is correctly configured to disallow passwords, it's well to have a second layer of defense.

Garrett Wollman
14

The accepted answer is correct but I thought I’d post this answer to complement it with a reason for the change explaining why administrators didn’t previously see such messages in their log files.

This issue was discussed on the OpenSSH developers' list in January 2014. According to Damien Miller, OpenSSH developer:

The message has been there basically forever:

1.41 (markus 02-Jan-01): log("Received disconnect from %s: %d: %.400s", ...

The only thing to have changed semi-recently is that we improved logging of preauthentication messages in privsep mode in the 5.9 release to no longer need a /dev/log inside the privsep chroot. If your old OpenSSH version was <5.9 and the /var/empty chroot didn't have a /dev/log in it then you may have been missing these messages.

Anthony Geoghegan
2

I too have noticed these messages in my log files since recently upgrading the OpenSSH package on my servers.

However, I don't think the messages necessarily imply hack attempts. Some of the phrases are hardcoded into legitimate ssh clients, presumably as remnants from the original development code. My iOS ssh-client (iSSH) for instance emits this phrase when I disconnect from my own servers.

ebahn
  • Not with [preauth]. This specifically indicates that the client did not successfully authenticate to the server. – Michael Hampton Apr 10 '14 at 22:05
  • You're right, Michael. I was only referring to the phrase "Normal Shutdown, Thank you for playing". Obviously, when I legitimately connect to my own server authentication proceeds. I think the attention on this and similar phrases ('Normal Shutdown..') is because they were previously not visible in the logs, and now they are. There is no change in the ssh client's behaviour. – ebahn Apr 11 '14 at 08:26