When examining SSH logs on Ubuntu 12.04 systems, you might encounter entries like:

```
11: Normal Shutdown, Thank you for playing [preauth]
11: Bye Bye [preauth]
11: disconnected by user
```

These messages typically appear during authentication attempts, particularly from random IP addresses scanning for vulnerabilities. The [preauth] tag indicates these events occurred before successful authentication.
The "Normal Shutdown" message originates from OpenSSH's session termination protocol. Here's what each component means:
- Normal Shutdown: Indicates a clean connection termination
- Thank you for playing: A humorous artifact from OpenSSH's source code (often seen in debugging output)
- [preauth]: Confirms no successful authentication occurred
| Message | Meaning | Security Implication |
|---|---|---|
| "Normal Shutdown..." | Connection closed without authentication | Low risk - failed attempt |
| "Bye Bye [preauth]" | Immediate disconnection | Very low risk |
| "disconnected by user" | Legitimate session ended | Normal operation |
The message became more prevalent due to:
- OpenSSH version differences between Ubuntu releases
- Changed verbosity levels in logging
- Newer attack scripts triggering specific responses
For maximum security, consider these sshd_config settings:

```
# Disable password authentication
PasswordAuthentication no
# Disable root login
PermitRootLogin no
# Restrict protocol versions
Protocol 2
# Limit login attempts
MaxAuthTries 3
# Configure fail2ban for additional protection
# Install with: sudo apt-get install fail2ban
```
Create a custom logwatch filter to track these events:

```
# /etc/logwatch/conf/services/ssh.conf
Title = "SSH"
LogFile = messages
LogFile = secure
*OnlyService = sshd
*RemoveHeaders
```

Then analyze patterns with this command:

```
grep "preauth" /var/log/auth.log | awk '{print $NF}' | sort | uniq -c | sort -n
```
While these messages typically indicate failed attempts, watch for:
- Sudden spikes in frequency
- Messages without [preauth] tags
- Repeated attempts from the same IP ranges
While reviewing Logwatch summaries for Ubuntu 12.04 servers, I noticed a new log pattern appearing alongside familiar authentication messages:
```
11: Normal Shutdown, Thank you for playing [preauth]
11: Bye Bye [preauth]
11: disconnected by user
```
These messages exclusively appear in connection attempts from suspicious IPs (typically brute-force scanners) and weren't present in my Ubuntu 10.04 systems.
The log entry consists of three significant parts:
- Normal Shutdown: Indicates a clean connection termination
- Thank you for playing: A non-standard message suggesting client-side behavior
- [preauth]: Confirms no authentication occurred
This behavior stems from modern SSH clients (particularly newer versions of OpenSSH) that:
- Send a polite exit message before disconnecting
- Include this message even when authentication fails
Example of a typical failed login sequence:

```
sshd[1234]: Failed password for invalid user admin from 192.0.2.1 port 54321 ssh2
sshd[1234]: Received disconnect from 192.0.2.1: 11: Normal Shutdown, Thank you for playing [preauth]
```
Despite the unusual wording, this message doesn't indicate a security breach when:
- Password authentication is disabled (as in your configuration)
- Root login is prohibited
- The [preauth] tag is present
To further harden your SSH server, consider these /etc/ssh/sshd_config settings:

```
# Basic security
PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication no
# Connection handling
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
# Logging verbosity
LogLevel VERBOSE
```
This Python script helps monitor suspicious SSH attempts:

```python
#!/usr/bin/env python3
import re
from collections import Counter


def analyze_auth_log(logfile='/var/log/auth.log'):
    # Lines worth counting: failed passwords, unknown users, and any
    # disconnect that happened before authentication completed.
    pattern = r'Failed password|Invalid user|preauth\]$'
    ip_counter = Counter()
    with open(logfile) as f:
        for line in f:
            if re.search(pattern, line):
                # Pull the source address out of "... from A.B.C.D ..."
                ip_match = re.search(r'from (\d+\.\d+\.\d+\.\d+)', line)
                if ip_match:
                    ip_counter[ip_match.group(1)] += 1
    print("Top suspicious IPs:")
    for ip, count in ip_counter.most_common(10):
        print(f"{ip}: {count} attempts")


if __name__ == "__main__":
    analyze_auth_log()
```
For critical systems, implement these additional controls:
- Fail2ban with custom filters
- Port knocking for SSH access
- Two-factor authentication
- SSH certificate-based authentication
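The monitoring advice above ("watch for sudden spikes, messages without [preauth] tags, and repeated attempts from the same IP ranges") can be turned into a concrete check. The following script is an added example, not code from either answer: it parses `Received disconnect` lines in the syslog format shown on this page, separates pre-authentication disconnects from post-authentication ones, groups sources by /24, and flags any minute in which pre-auth disconnects exceed a threshold. The log lines, hostnames and addresses are constructed sample data, and the `spike_threshold` value is an assumption you would tune to your own baseline.

```python
#!/usr/bin/env python3
"""Classify sshd 'Received disconnect' lines from auth.log and surface the
warning signs worth a second look: per-minute spikes, disconnects that lack
the [preauth] tag, and repeated pre-auth attempts from one address range.
Added example with constructed sample data."""
import re
from collections import Counter

# Constructed sample in the syslog format sshd uses on Ubuntu 12.04.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.1 port 54321 ssh2
Mar  3 10:01:02 host sshd[1234]: Received disconnect from 192.0.2.1: 11: Normal Shutdown, Thank you for playing [preauth]
Mar  3 10:01:05 host sshd[1240]: Received disconnect from 192.0.2.2: 11: Bye Bye [preauth]
Mar  3 10:01:06 host sshd[1241]: Received disconnect from 192.0.2.3: 11: Bye Bye [preauth]
Mar  3 10:01:07 host sshd[1242]: Received disconnect from 192.0.2.4: 11: Bye Bye [preauth]
Mar  3 10:20:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:45:00 host sshd[1300]: Received disconnect from 198.51.100.7: 11: disconnected by user
Mar  3 11:02:00 host sshd[1400]: Received disconnect from 203.0.113.9: 11: Normal Shutdown, Thank you for playing
"""

# Timestamp is captured to the minute so events can be bucketed for spike detection.
DISCONNECT_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d{1,2} \d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Received disconnect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"\d+: (?P<reason>.*?)(?P<preauth> \[preauth\])?$"
)


def parse_disconnects(text):
    """Return one dict per 'Received disconnect' line; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = DISCONNECT_RE.match(line)
        if not m:
            continue
        events.append({
            "minute": m.group("minute"),
            "ip": m.group("ip"),
            "reason": m.group("reason"),
            "preauth": m.group("preauth") is not None,
        })
    return events


def slash24(ip):
    """Collapse an IPv4 address to its /24 so scans from one range group together."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(events, spike_threshold=20):
    """Aggregate parsed events into the views a reviewer wants to see.

    spike_threshold (assumed value) is the number of pre-auth disconnects in a
    single minute above which that minute is reported as a spike."""
    preauth = [e for e in events if e["preauth"]]
    per_minute = Counter(e["minute"] for e in preauth)
    return {
        # Which client disconnect strings the scanners are sending.
        "reasons": Counter(e["reason"] for e in preauth),
        "preauth_by_ip": Counter(e["ip"] for e in preauth),
        "preauth_by_range": Counter(slash24(e["ip"]) for e in preauth),
        "spike_minutes": sorted(m for m, n in per_minute.items() if n >= spike_threshold),
        # A disconnect without [preauth] means the client authenticated first;
        # "disconnected by user" is a normal logout, anything else deserves a look.
        "unexpected_post_auth": [
            e for e in events
            if not e["preauth"] and e["reason"] != "disconnected by user"
        ],
    }


if __name__ == "__main__":
    summary = summarize(parse_disconnects(SAMPLE_LOG), spike_threshold=3)
    print("Pre-auth disconnect reasons:", dict(summary["reasons"]))
    print("Pre-auth attempts by /24:", dict(summary["preauth_by_range"]))
    print("Spike minutes:", summary["spike_minutes"])
    for e in summary["unexpected_post_auth"]:
        print(f"Post-auth disconnect from {e['ip']} at {e['minute']}: {e['reason']}")
```

On the sample data the /24 view shows four pre-auth attempts from 192.0.2.0/24 in one minute, and the last line is reported separately because the same "Thank you for playing" string arrived without [preauth], which is exactly the case the list above says to watch for. To run it against a real host, read `/var/log/auth.log` into `parse_disconnects` instead of `SAMPLE_LOG`.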