[Logcheck-commits] martin f. krafft: ignore messages about packets with wrong encapsulated lengths, which are mostly portscanners, or hosts connecting to openvpn on ports like 443.

Gerfried Fuchs alfie at alioth.debian.org
Wed Jul 16 11:03:48 UTC 2008


Module: logcheck
Branch: etch-backports
Commit: c0483a166853bdd435d6380c922c46bc0b02ba03
URL:    http://git.debian.org/?p=logcheck/logcheck.git;a=commit;h=c0483a166853bdd435d6380c922c46bc0b02ba03

Author: martin f. krafft <madduck at debian.org>
Date:   Wed Jun 25 11:56:12 2008 +0100

ignore messages about packets with wrong encapsulated lengths, which are mostly portscanners, or hosts connecting to openvpn on ports like 443.

---

 debian/changelog                                   |    2 ++
 .../linux/violations.ignore.d/logcheck-openvpn     |    1 +
 2 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 4eec6e2..32ae7c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -37,6 +37,8 @@ logcheck (1.2.65) unstable; urgency=low
   * ignore.d.server/openvpn:
     - ignore messages about dropped packets due to bad source addresses (out
       of connection messages).
+    - ignore messages about packets with wrong encapsulated lengths, which are
+      mostly portscanners, or hosts connecting to openvpn on ports like 443.
   * fix wording in header.txt (closes: #472937).
 
  -- martin f. krafft <madduck at debian.org>  Tue, 24 Jun 2008 18:56:26 +0100
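
Review bot: the new entry is filed under the "ignore.d.server/openvpn" bullet, but the rule this commit adds lands in rulefiles/linux/violations.ignore.d/logcheck-openvpn. Suggest giving it its own bullet (for example "* violations.ignore.d/logcheck-openvpn:") so that a reader of the changelog can tell a violations-level message is now being suppressed, not an ordinary server-level one.
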
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-openvpn b/rulefiles/linux/violations.ignore.d/logcheck-openvpn
index 8cd4301..8dee81b 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-openvpn
+++ b/rulefiles/linux/violations.ignore.d/logcheck-openvpn
@@ -1,5 +1,6 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: TLS key negotiation failed to occur within [[:digit:]]+ seconds( \(check your network connectivity\))?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: TLS handshake failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? WARNING: Bad encapsulated packet length from peer \([[:digit:]]+\), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- \[Attempt?ing restart\.\.\.\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\]: Connection refused \(code=111\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\|ECONNREFUSED\]: Connection refused \(code=111\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\|ECONNREFUSED\|ECONNREFUSED\]: Connection refused \(code=111\)$
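
Review bot: the added pattern hardcodes the upper bound as "<= 1544", yet the message itself ties that bound to --tun-mtu/--link-mtu, so a host running with different MTU settings will log another number and the rule will not match there. Suggest "<= [[:digit:]]+", as is already done for the peer-supplied length in parentheses. Separately, the peer address prefix is optional and the matched text itself says the condition "could also indicate a possible active attack on the TCP link"; because this rule sits in violations.ignore.d, the line is dropped for every peer, including ones with an established session, so the changelog entry should state that this trade-off is intended.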



