From 10652fada3f6c02c805adc5cfc7311266eeca4fb Mon Sep 17 00:00:00 2001
From: Hendrik Jaeger
Date: Wed, 31 Jul 2019 14:28:53 +0200
Subject: [PATCH] Update logcheck rules for ssh

---
 files/etc/logcheck/ignore.d.server/local-ssh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/files/etc/logcheck/ignore.d.server/local-ssh b/files/etc/logcheck/ignore.d.server/local-ssh
index 014b83d..6e0c484 100644
--- a/files/etc/logcheck/ignore.d.server/local-ssh
+++ b/files/etc/logcheck/ignore.d.server/local-ssh
@@ -19,6 +19,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: service\(sshd\) ignoring max retries; [[:digit:]] > [[:digit:]]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: User not known to the underlying authentication module for illegal user [^[:space:]]* from [^[:space:]]*$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?10: user closed connection \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: Bafta \\\\n \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: BUNNYBYTEv0.1 \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: BYE!BYE! \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [:.[:xdigit:]]+ port [[:digit:]]+: ?11: (Bye )?(Goodb|B)ye \[preauth\]$
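Review bot: The added `Bafta` rule spells the client's escaped newline as `\\\\n`, which as an ERE matches two literal backslashes followed by `n`; if the logged line carries a single backslash (`Bafta \n`), this rule never matches and the line keeps being reported, so check it against a captured log line and, if so, reduce the tail to `11: Bafta \\n \[preauth\]$`. The disconnect reason text is supplied by the connecting client, so pinning the rule to this exact string rather than a wildcard is the right choice: any disconnect message that does not match a known scanner banner stays visible in the report.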
@@ -65,7 +66,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Connection reset by peer \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user [[:alnum:][:space:].:+-]+\[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: invalid public DH value: <= 1 \[preauth\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [[:alnum:][:space:][:digit:]()"\^%@\$#&\\!.,:;=~_+*-]* from [:.[:xdigit:]]+ port [[:digit:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [[:alnum:][:space:][:digit:]()\[\]{}<>`'"\^%@|\$#&\\!?.,:;=~_+*-]* from [:.[:xdigit:]]+ port [[:digit:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM service\(sshd\) ignoring max retries; [[:digit:]] > [[:digit:]]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=(root|nobody|backup|daemon|www-data|games|news|mail|lp|sync|uucp|identd|gnats|irc|list|proxy|sys|nagios|mysql|bin|ftp|sshd|smmsp|snmp|man|ntp|quagga|libuuid|Debian-exim|proftpd|logcheck|vmail|statd|dovecot|postfix|puppet|bacula))?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): check pass; user unknown
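Review bot: The widened `Invalid user` character class is most likely broken: in a POSIX bracket expression a backslash is an ordinary character and an unescaped `]` closes the class, so the class ends at `\[\]` and the remainder (`{}<>`, the quotes, `|`, and so on up to `]*`) is parsed as plain regex, with `|` becoming an alternation; I would expect the rule to stop matching the lines it is meant to ignore, which would flood the report rather than hide anything. To include `]` and `[` literally, put `]` first in the class and drop the backslashes, e.g. ``Invalid user [][:alnum:][:space:][:digit:]()[{}<>`'"^%@|$#&\!?.,:;=~_+*-]* from [:.[:xdigit:]]+ port [[:digit:]]+$``. Since the username in these lines is attacker-supplied text, run the rule file through `grep -E -f` against a few captured lines (including one containing `]`) before deploying, so a parse change in the class cannot silently alter what gets suppressed.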
@@ -74,5 +75,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [._[:alnum:]-]+ from [[:alnum:].-]+ not allowed because none of user's groups are listed in AllowGroups$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: can't get client address: Connection reset by peer$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: Broken pipe \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: message authentication code incorrect \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: packet_write_wait: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: Broken pipe \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: WARNING: no suitable primes in /etc/ssh/moduli$
-- 
2.39.5
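Review bot: The new rule silences `message authentication code incorrect` unconditionally, which is a different class of event from the `Broken pipe` rules beside it: it means a packet from the peer failed integrity verification before authentication, which is usually a broken scanner or a mid-stream reset but can also indicate tampering with the connection, so it is worth deciding explicitly whether this belongs in ignore.d.server or should stay reported (or be handled by a rate-limited/violations-level rule). If it stays here, recording that decision next to the rule, e.g. `# MAC failures at preauth: scanner noise on this host; re-check if counts change`, would help the next reviewer, assuming this rule file tolerates `#` comment lines as logcheck's rule cleaning normally does. The pattern itself is tightly scoped to the exact message and reuses the address/port sub-patterns of the neighbouring rules, which keeps it consistent with the rest of the file.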