Why do I see "Connection closed by 127.0.0.1 [preauth]" every 5 minutes?

  • 7014539
  • 11-Feb-2014
  • 12-Feb-2014

Environment

Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

Situation

After installing a new OES 11 SP2 server, the following message was observed in the /var/log/messages log every 5 minutes:

   sshd[15690]: Connection closed by 127.0.0.1 [preauth]

Resolution

This is working as designed.

The message is being generated by sshd because a process opened a connection but never authenticated.  Nagios is used for monitoring service health on OES 11 SP2 and it is the process that opens the sessions but never authenticates (as it does not need to).  Further, Nagios is configured to run every 5 minutes -- hence the message appears every 5 minutes.

Additional Information

There are a number of ways to keep this message from appearing; a few are listed below:
  1. Turn off ssh monitoring in Nagios.
    This will immediately stop the messages from appearing, but Nagios will also no longer track if/when ssh is unavailable.
    To turn off:
    • log into NRM
    • click "Server Health Services"
    • click "Nagios Service Details" and authenticate as your nagiosadmin
    • click "SSH" in the bottom pane -- by default, it's the third service from the bottom
    • in the "Service Commands" box, click "Disable active checks of this service"
    • refresh the window and it should show active checks are disabled (near the bottom)

  2. Log sshd messages to a separate file (or set of files).
    This is well documented at syslog-ng ssh logging.  As this is a log file, you will want to set up log rotation for it as part of good grooming.  An example is included in a comment near the bottom.

  3. Decrease logging level of sshd from "INFO" to "ERROR"
    • edit the /etc/ssh/sshd_config file
    • uncomment the #LogLevel INFO line
    • change INFO to ERROR
      NOTE: the above will suppress logging of all such ssh connection attempts, even those by nefarious sources that might be trying to cause a denial of service.  Therefore, you should implement this only after considering all of the ramifications.
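
If the messages are left in the log, the expected Nagios probes can be separated from preauth closes that deserve a look. The following is an added example, not part of the original article: it assumes the 5-minute (300-second) check interval described above with a 15-second tolerance, and the function names, host name, PIDs, timestamps and the 203.0.113.7 address are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the /var/log/messages format shown above
# (host name, PIDs, timestamps and the 203.0.113.7 address are made up).
SAMPLE = """\
Feb 11 10:00:01 oes11 sshd[15690]: Connection closed by 127.0.0.1 [preauth]
Feb 11 10:02:13 oes11 sshd[15702]: Connection closed by 203.0.113.7 [preauth]
Feb 11 10:02:14 oes11 sshd[15703]: Connection closed by 203.0.113.7 [preauth]
Feb 11 10:05:01 oes11 sshd[15731]: Connection closed by 127.0.0.1 [preauth]
Feb 11 10:10:02 oes11 sshd[15790]: Connection closed by 127.0.0.1 [preauth]
Feb 11 10:11:40 oes11 sshd[15801]: Connection closed by 127.0.0.1 [preauth]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"Connection closed by (\S+) \[preauth\]$")

def parse(text, year=2014):
    """Yield (timestamp, source) per preauth close; syslog omits the year."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def triage(text, interval=300, tolerance=15):
    """Split closes into on-schedule loopback probes and events to review."""
    probes, review = [], defaultdict(list)
    last_probe = None
    for ts, src in parse(text):
        if src in ("127.0.0.1", "::1"):
            gap = None if last_probe is None else (ts - last_probe).total_seconds()
            if gap is None or abs(gap - interval) <= tolerance:
                probes.append(ts)       # first probe, or one on the 5-minute beat
                last_probe = ts
                continue
        review[src].append(ts)          # remote source or off-schedule loopback
    return probes, dict(review)

if __name__ == "__main__":
    probes, review = triage(SAMPLE)
    print(f"{len(probes)} expected monitoring probes")
    for src, times in review.items():
        print(f"review: {src} closed {len(times)} preauth connection(s)")
```

Unlike setting LogLevel to ERROR, this keeps preauth closes from other sources, and loopback closes that do not fit the monitoring schedule, visible for review.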