From 0d9a6b6c9fc98f2a5a00af0992cec8b02ab378ab Mon Sep 17 00:00:00 2001
From: =?utf8?q?Hendrik=20J=C3=A4ger?= <gitcommit@henk.geekmail.org>
Date: Sun, 31 Mar 2024 11:29:36 +0200
Subject: [PATCH] update rules

---
 files/etc/logcheck/ignore.d.server/local-ssh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/files/etc/logcheck/ignore.d.server/local-ssh b/files/etc/logcheck/ignore.d.server/local-ssh
index fbf026d..332175f 100644
--- a/files/etc/logcheck/ignore.d.server/local-ssh
+++ b/files/etc/logcheck/ignore.d.server/local-ssh
@@ -83,10 +83,10 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client .*$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching mac found: client .*$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Timeout before authentication for [[:xdigit:]:.]+ port [[:digit:]]+$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: userauth_finish: (Connection reset by peer|Broken pipe) \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: (Connection reset by peer|Broken pipe) \[preauth\]$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Timeout before authentication for [[:xdigit:]:.]+ port [[:digit:]]+$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user [[:alnum:][:space:].:+-]+\[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: invalid public DH value: <= 1 \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [[:alnum:][:space:][:digit:][:punct:]]* from [:.[:xdigit:]]+ port [[:digit:]]+$
@@ -104,10 +104,11 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: Connection corrupted \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: DH GEX group out of range \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: incomplete message \[preauth\]$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: message authentication code incorrect \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: invalid format \[preauth\]$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [:.[:xdigit:]]+ port [[:digit:]]+: message authentication code incorrect \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Unable to negotiate with [:.[:xdigit:]]+ port [[:digit:]]+: no matching (cipher|key exchange method|host key type|MAC) found\. Their offer: .* \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [._[:alnum:]-]+ from [[:alnum:].-]+ not allowed because none of user's groups are listed in AllowGroups$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes \[preauth\]$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms \[preauth\]$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: can't get client address: Connection reset by peer$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: WARNING: no suitable primes in /etc/ssh/moduli$
-- 
2.39.5