Monit and Dovecot and SSHD logs.

Issue #1000 new
Oleksandr Nekto created an issue

How to get rid of millions of meaningless Monit entries in Dovecot and SSHD logs?

/var/log/dovecot/dovecot.log:

Sep 07 11:44:44 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.1.2, lip=192.168.1.2, TLS, session=<Omf7xmPLWMXAqAFs>

/var/log/auth.log:

Sep  7 11:42:34 debian sshd[28955]: Connection closed by 127.0.0.1 port 33568 [preauth]

Comments (2)

  1. Lutz Mader

    Hello,
    to your sshd log comment,
    this is working as designed. The message is being generated by the sshd because a process opened a connection but never authenticated.

    sshd[28955]: Connection closed by 127.0.0.1 port 33568 [preauth]

    You get some more messages if you authenticate (via login/logout or public key).

    With regards,
    Lutz

    Appendage:
    With protocol default you will see
    if failed port 22 timeout 10 seconds for 3 cycles then alert
    sshd[19005]: Did not receive identification string from 127.0.0.1

    With protocol ssh you will see
    if failed port 22 protocol ssh timeout 10 seconds for 3 cycles then alert
    sshd[19089]: Connection closed by 127.0.0.1 [preauth]

  2. Henning Bopp

    I think the same as mentioned by Lutz also applies to your dovecot logs. Monit simply connects to the service, so dovecot registers that.

    You could however clean up the log files using sed for example:

    sed -i '/, rip=192\.168\.1\.2, lip=192\.168\.1\.2,/d' /var/log/dovecot/dovecot.log
    sed -i '/Connection closed by 127\.0\.0\.1 port/d' /var/log/auth.log
    

    Where:

    • -i means inline, so it changes the file in-place
    • '<regex>' is the regular expression to match
    • /d means to remove the lines matching the regex

    Keep in mind that this will delete all lines that belong to local connections. So if you use a local application to check mails with dovecot, these lines will also get deleted - you could enhance the regex if needed. Same applies to loopback connections on ssh, but those should most likely not happen.

    Another thing: My examples do work on GNU sed, but not on BSD/MacOS sed. See this SO thread for hints if you use BSD/MacOS.
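The following is an added example, not code from Henning's comment or from the Monit project. It applies the sed clean-up from comment 2 with a narrower match, so that only lines carrying the Monit fingerprint (a connection from the monitoring host that never attempted authentication) are dropped and real local logins survive, which addresses the caveat about local connections above. The log lines are constructed samples in the formats shown in the thread; 192.168.1.2 and 127.0.0.1 are assumed to be the host Monit probes from.

```shell
#!/bin/sh
# Added example (not from the issue thread): filter Monit probe noise out of
# Dovecot and sshd log lines while keeping genuine local logins.
# All log lines below are constructed samples. 192.168.1.2 and 127.0.0.1 are
# the addresses from the thread and are assumed here to be the Monit host.

# Constructed sample of /var/log/dovecot/dovecot.log:
# one Monit probe, one real local login, one failed remote login.
DOVECOT_SAMPLE='Sep 07 11:44:44 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.1.2, lip=192.168.1.2, TLS, session=<Omf7xmPLWMXAqAFs>
Sep 07 11:45:10 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.2, mpid=1234, TLS, session=<c0nstruct3d1>
Sep 07 11:46:02 imap-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.168.1.2, TLS, session=<c0nstruct3d2>'

# Constructed sample of /var/log/auth.log:
# one Monit probe with "protocol ssh", one with the default protocol check
# (both message forms listed in Lutz's comment), and one real loopback login.
AUTH_SAMPLE='Sep  7 11:42:34 debian sshd[28955]: Connection closed by 127.0.0.1 port 33568 [preauth]
Sep  7 11:43:00 debian sshd[19005]: Did not receive identification string from 127.0.0.1
Sep  7 11:43:20 debian sshd[29001]: Accepted publickey for alice from 127.0.0.1 port 33590 ssh2: ED25519 SHA256:c0nstructedfingerprint'

# Drop Dovecot lines only when the connection came from the Monit host AND
# never presented credentials (user=<>). A real login from the same address
# does not match. Reads stdin, writes stdout; no -i, so nothing is modified.
filter_dovecot() {
    sed '/Aborted login (no auth attempts in [0-9]* secs): user=<>, rip=192\.168\.1\.2, lip=192\.168\.1\.2,/d'
}

# Drop the two sshd messages a Monit port check produces from loopback.
# The first pattern is anchored on "[preauth]" at end of line, so
# "Accepted ..." / "Failed ..." lines from 127.0.0.1 are kept.
filter_sshd() {
    sed -e '/sshd\[[0-9]*\]: Connection closed by 127\.0\.0\.1 port [0-9]* \[preauth]$/d' \
        -e '/sshd\[[0-9]*\]: Did not receive identification string from 127\.0\.0\.1/d'
}

# Number of lines that survive each filter (awk avoids wc's padded output).
kept_dovecot() { printf '%s\n' "$DOVECOT_SAMPLE" | filter_dovecot | awk 'END { print NR }'; }
kept_sshd()    { printf '%s\n' "$AUTH_SAMPLE"    | filter_sshd    | awk 'END { print NR }'; }

# Show the effect when run directly.
printf 'dovecot: kept %s of 3 lines\n' "$(kept_dovecot)"
printf '%s\n' "$DOVECOT_SAMPLE" | filter_dovecot
printf 'sshd:    kept %s of 3 lines\n' "$(kept_sshd)"
printf '%s\n' "$AUTH_SAMPLE" | filter_sshd
```

To use it on a real file, pipe the log through the filter into a copy (`filter_dovecot < /var/log/dovecot/dovecot.log > dovecot.clean`) and inspect the result before replacing anything. Note that `sed -i` works by writing a new file and renaming it over the old one; a daemon that still has the old file open keeps writing to the unlinked inode until it reopens the log (normally at rotation), so those lines are lost. Filtering a rotated copy, or inside a logrotate hook, avoids that.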
