From: Hendrik Jäger <gitcommit@henk.geekmail.org>
Date: Sun, 29 Aug 2021 20:42:57 +0000 (+0300)
Subject: Update logcheck rules
X-Git-Url: https://git.netwichtig.de/gitweb/?a=commitdiff_plain;h=2a55431510d3f1c19122ce7d507bc4d3234e4327;p=user%2Fhenk%2Fcode%2Fpuppet%2Fmodules%2Flogcheck.git

Update logcheck rules
---

diff --git a/files/etc/logcheck/ignore.d.server/local-dovecot b/files/etc/logcheck/ignore.d.server/local-dovecot
index 93d76b3..a13e246 100644
--- a/files/etc/logcheck/ignore.d.server/local-dovecot
+++ b/files/etc/logcheck/ignore.d.server/local-dovecot
@@ -1,4 +1,3 @@
-
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=([-_.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?(  user=[-_.@[:alnum:]]+)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): pam\([[:alnum:]]+,[[:digit:].]+\): unknown user$
@@ -49,6 +48,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low, session=<[[:alnum:]/+]+>$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? failed: error:141A20F4:SSL routines:ossl_statem_server_read_transition:unexpected message, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(((no auth( attempts in [[:digit:]]+ secs)?|auth failed, [[:digit:]]+) attempts in [[:digit:]]+ secs|client didn't finish SASL auth, waited 0 secs|disconnected before auth was ready, waited [[:digit:]] secs)?\): user=<[[:alnum:]@_.-]*>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS|SSL)( handshaking)?(:)? SSL_(accept|read)\(?\)? syscall failed: (Broken pipe|Connection reset by peer|Success)(, session=<[[:alnum:]/+]+>)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Inactivity)? \(tried to use disallowed plaintext auth\): user=<>, rip=[.[:xdigit:]]+, lip=[.[:xdigit:]]+, session=<[[:alnum:]/+]+>$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Disconnected|Aborted login)(: Too many (invalid|bad) commands\.?)? \(no auth attempts( in [[:digit:]]+ secs)?\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+,( TLS,)? session=<[[:alnum:]/+]+>$
diff --git a/files/etc/logcheck/ignore.d.server/local-ssh b/files/etc/logcheck/ignore.d.server/local-ssh
index 1a454f0..a3f516e 100644
--- a/files/etc/logcheck/ignore.d.server/local-ssh
+++ b/files/etc/logcheck/ignore.d.server/local-ssh
@@ -101,3 +101,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [._[:alnum:]-]+ from [[:alnum:].-]+ not allowed because none of user's groups are listed in AllowGroups$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: can't get client address: Connection reset by peer$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: WARNING: no suitable primes in /etc/ssh/moduli$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: beginning MaxStartups throttling$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: drop connection #[[:digit:]]+ from \[[:.[:xdigit:]]+\]:[[:digit:]]+ on \[[:.[:xdigit:]]+\]:[[:digit:]]+ past MaxStartups$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: exited MaxStartups throttling after [[:digit:]:]+, [[:digit:]]+ connections dropped$