MikeL's FreeBSD sshd HowTo

[20190130] Still logspam, now looks like:
saslauthd[638]: do_request : NULL password received
I'm at LogLevel=FATAL, and still getting tons of this shit. Again, this is just some jerkface out there trying to break into my system, there's nothing I can do about it, there's no use in telling me about it. Guess that's what we're stuck with.
[20181011]

I do not remember if I had to install sshd manually or if it was automatically installed when I installed the OS, sorry. If I did have to install it, it must have been painless as I didn't document any special fight in my HowTo's. It does appear in my /etc/rc.conf.

Now that the system is running, I'm getting boatloads of logspam like the following:

Oct 10 00:49:49 rachis sshd[70986]: reverse mapping checking getaddrinfo for [...] failed - POSSIBLE BREAK-IN ATTEMPT!
Plenty of web searching yields that although this could be a real break-in attempt, two things apply:
a) It is probably just misconfigured reverse DNS on the user's end;
b) There's nothing you can do about it anyway. You would have to look up their sysadmin, contact them, and recommend they fix their problem -- unlikely to have a positive result.
So the moral of the story is to get rid of the log entry; it is reasonable to consider it spurious.

Edit your /etc/ssh/sshd_config file. There was already one there on my system. If not present on yours, you should be able to find a default version at /usr/src/crypto/openssh/ssh_config. Then uncomment and change the line:
  #UseDNS yes
to:
  UseDNS no
And of course don't forget to restart:
service sshd restart

[20181127]

I am also now getting completely swamped with logspam like the following:

Nov 19 11:10:03 [...] sshd[69969]: fatal: Unable to negotiate with xx.xx.xx.xx port 58399: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
What this message really means is simply that the caller is using an old version of SSH that doesn't know SHA2. Please note that this is a change as of FreeBSD 11, or maybe version 10. [Actually it's determined by which version of SSHD you're running, but they changed the default in the OS installation about here.]

In my case, I know this is just some creep out there trying to break into my system. My customers are not sophisticated enough to use SSH, so I know these messages are for bogus callers. So in my case, it's reasonable to consider this message as spurious as well.
This can be disabled in sshd_config by changing:
  #LogLevel INFO
to:
  LogLevel ERROR
and remember to restart.
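
Both edits above (UseDNS no and LogLevel ERROR) can be applied in one pass and checked with sshd -t before the restart, so a typo in the file does not take the daemon down. This is an added example, not from the original page; the helper names set_sshd_option and apply_quiet_sshd and the .bak backup file are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page); helper names are hypothetical.

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the first global "KEYWORD ..." or "#KEYWORD ..." line to
# "KEYWORD VALUE" and comments out later active duplicates (sshd keeps the
# first value it reads). If the keyword is absent it is inserted before the
# first Match block, because lines after "Match" apply only to that match.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { k = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            commented = (line ~ /^#/)
            if (commented) sub(/^#/, "", line)   # "#UseDNS yes" -> "UseDNS yes"
            split(line, f, /[ \t=]+/)            # "# prose" yields empty f[1]
            first = tolower(f[1])
        }
        first == "match" && !commented {
            if (!done) { print key " " value; done = 1 }
            inmatch = 1; print; next
        }
        first == k && !inmatch {
            if (!done) { print key " " value; done = 1 }
            else if (!commented) print "#" $0
            else print
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"     # cat keeps the file mode and owner
}

# Apply the two settings from this page, validate, then restart (run as root).
apply_quiet_sshd() {
    conf=${1:-/etc/ssh/sshd_config}
    cp -p "$conf" "$conf.bak" || return 1
    if set_sshd_option "$conf" UseDNS no &&
       set_sshd_option "$conf" LogLevel ERROR &&
       sshd -t -f "$conf"; then          # -t: test mode, checks config validity
        service sshd restart
    else
        cp -p "$conf.bak" "$conf"; return 1
    fi
}
```

If sshd -t rejects the edited file, the backup is copied back and the running daemon is left untouched.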

[20181206] Now seeing tons of this:
Dec 6 14:02:09 rachis sshd[45877]: error: PAM: authentication error for illegal user pi from zzz.zzz.zzz.zzz
Dec 6 14:02:09 rachis sshd[45877]: error: Received disconnect from zzz.zzz.zzz.zzz port 59750:14: No more user authentication methods available. [preauth]

Same discussion as above, I know these are break-in attempts. I just can't care about them. They're usually dictionary attacks trying a whole list of users that are not present on my system.
Copyright © 1995-2024 Mike Lempriere (running on host bayanus)