What does "Normal Shutdown, Thank you for playing [preauth]" in SSH logs mean?
Recently, my SSH log summaries for my Ubuntu 12.04 servers in Logwatch have started showing entries for "11: Normal Shutdown, Thank you for playing [preauth]" along with the "11: Bye Bye [preauth]" and "11: disconnected by user" messages they had been showing previously.
I have not seen this message in my logs before the past few weeks, nor have I seen it on my older servers which are stuck on Ubuntu 10.04. I have googled this message and can't find any clear explanations there either.
The IPs attempting to log in and receiving this message are random hack attempts, and judging from the preauth I assume (hope) they are not successful, but I would like to know exactly what this message means and how it differs from others to be sure.
EDIT for additional information: My servers have password authentication and root authentication both disabled.
Solution 1:
When the ssh client does a "normal" connection shutdown, it sends a packet with a message in it. When the ssh daemon gets such a packet when it's not expecting it -- in this case, before the user managed to authenticate -- it logs the message. (Older versions of OpenSSH did not do this.) So your surmise is exactly correct: it's a side effect of a brute-force ssh password-guessing attack. You should probably be running something like fail2ban or sshguard to block these in iptables; even if you think everything is correctly configured to disallow passwords, it's well to have a second layer of defense.
Solution 2:
The accepted answer is correct but I thought I’d post this answer to complement it with a reason for the change explaining why administrators didn’t previously see such messages in their log files.
This issue was discussed on the OpenSSH developer's list in January 2014. According to Damien Miller, OpenSSH developer,
The message has been there basically forever:
1.41 (markus 02-Jan-01): log("Received disconnect from %s: %d: %.400s", ...
The only thing to have changed semi-recently is that we improved logging of preauthentication messages in privsep mode in the 5.9 release to no longer need a /dev/log inside the privsep chroot. If your old OpenSSH version was <5.9 and the /var/empty chroot didn't have a /dev/log in it then you may have been missing these messages.
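To check from the logs themselves that the hosts producing these messages never got past authentication, the following added example (not part of the original question or answers) parses sshd lines in the "Received disconnect from %s: %d: %.400s" format quoted above and separates [preauth] disconnects from post-authentication ones. The function names and sample lines are constructed for illustration; the "port N:" layout and the "Accepted ..." success line are the sshd formats assumed here.

```python
import re
from collections import defaultdict

# Matches the format string quoted above ("Received disconnect from %s: %d: %.400s"),
# the later "from IP port N:code: msg" layout, and the optional " [preauth]" suffix.
DISCONNECT = re.compile(
    r"Received disconnect from (?P<ip>\S+?)(?: port \d+:|: )(?P<code>\d+):\s*"
    r"(?P<msg>.*?)(?P<preauth> \[preauth\])?\s*$"
)
# sshd's success line, e.g. "Accepted publickey for alice from 198.51.100.7 port 50514 ssh2"
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from (?P<ip>\S+) port \d+")


def summarize(lines):
    """Return {ip: {"preauth": n, "postauth": n, "accepted": n}} for sshd log lines."""
    stats = defaultdict(lambda: {"preauth": 0, "postauth": 0, "accepted": 0})
    for line in lines:
        m = DISCONNECT.search(line)
        if m:
            # [preauth] means the peer disconnected before authenticating.
            key = "preauth" if m.group("preauth") else "postauth"
            stats[m.group("ip")][key] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            stats[m.group("ip")]["accepted"] += 1
    return dict(stats)


def never_authenticated(stats, threshold=2):
    """IPs with repeated pre-auth disconnects and no sign of a successful login."""
    return sorted(
        ip for ip, s in stats.items()
        if s["preauth"] >= threshold and s["accepted"] == 0 and s["postauth"] == 0
    )


# Constructed sample lines (documentation-range addresses, made-up PIDs and user).
SAMPLE = [
    "Feb  3 04:11:02 web1 sshd[2101]: Received disconnect from 203.0.113.5: 11: Normal Shutdown, Thank you for playing [preauth]",
    "Feb  3 04:11:09 web1 sshd[2104]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]",
    "Feb  3 08:30:15 web1 sshd[2150]: Accepted publickey for alice from 198.51.100.7 port 50514 ssh2",
    "Feb  3 08:45:40 web1 sshd[2150]: Received disconnect from 198.51.100.7: 11: disconnected by user",
    "Feb  3 09:02:31 web1 sshd[2177]: Received disconnect from 192.0.2.44 port 40522:11: Bye Bye [preauth]",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip in never_authenticated(stats):
        print(ip, stats[ip])
```

The resulting address list is the same set a tool such as fail2ban or sshguard would act on; any address that shows both [preauth] disconnects and an "Accepted" line deserves a closer look.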