Update logcheck rules for ssh

author: Hendrik Jaeger <root@netwichtig.de> 2019-04-02 10:07:51 +0200
committer: Hendrik Jaeger <root@netwichtig.de> 2019-04-02 10:07:51 +0200
commit: 5d1b1393b8fd2d85ae0f9218d13ee01d9561e674 (patch)
tree: 2b9da0021c342219e36bfe916127270571324d9b /files/etc/logcheck
parent: ec166d5d4a44e23c111cbb634cce2207674fa316 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-ssh b/files/etc/logcheck/ignore.d.server/local-ssh
index b53a496..3d35320 100644
--- a/files/etc/logcheck/ignore.d.server/local-ssh
+++ b/files/etc/logcheck/ignore.d.server/local-ssh
@@ -14,12 +14,13 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: connect_to .* port [[:digit:]]+: failed\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex protocol error: type 30 seq 1 \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: maximum authentication attempts exceeded for (invalid user [[:alnum:][:space:][:digit:]@\\!._-]*|root) from [:.[:xdigit:]]+ port [[:digit:]]+ ssh2 \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: maximum authentication attempts exceeded for (invalid user [[:alnum:][:space:][:digit:]@\\!._-]*|root|sshd) from [:.[:xdigit:]]+ port [[:digit:]]+ ssh2 \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for( illegal user)? [^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: service\(sshd\) ignoring max retries; [[:digit:]] > [[:digit:]]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: User not known to the underlying authentication module for illegal user [^[:space:]]* from [^[:space:]]*$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?10: user closed connection \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: BUNNYBYTEv0.1 \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: BYE!BYE! \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: (Bye )?(Goodb|B)ye \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Client disconnecting normally \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Closed due to user request\. \[preauth\]$
author	Hendrik Jaeger <root@netwichtig.de>	2019-04-02 10:07:51 +0200
committer	Hendrik Jaeger <root@netwichtig.de>	2019-04-02 10:07:51 +0200
commit	5d1b1393b8fd2d85ae0f9218d13ee01d9561e674 (patch)
tree	2b9da0021c342219e36bfe916127270571324d9b /files/etc/logcheck
parent	ec166d5d4a44e23c111cbb634cce2207674fa316 (diff)