[Logcheck-commits] Frédéric Brière : Adjusted ssh "Authentication failure" rule for "invalid user"
Frédéric Brière
fbriere-guest at alioth.debian.org
Mon Aug 17 19:48:27 UTC 2009
Module: logcheck
Branch: master
Commit: dd199d9f919f722af43884a68040696c05c1e6e3
URL: http://git.debian.org/?p=logcheck/logcheck.git;a=commit;h=dd199d9f919f722af43884a68040696c05c1e6e3
Author: Frédéric Brière <fbriere at fbriere.net>
Date: Mon Aug 17 15:46:56 2009 -0400
Adjusted ssh "Authentication failure" rule for "invalid user"
---
debian/changelog | 1 +
rulefiles/linux/ignore.d.server/ssh | 2 +-
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 0ca69b8..e061612 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ logcheck (1.3.4) experimental; urgency=low
* Updated acpid "client has disconnected" rule
* Updated libpam-mount "realpath of X is Y" rule
* Added libpam-mount "Command successful" rule
+ * Adjusted ssh "Authentication failure" rule for "invalid user"
-- Frédéric Brière <fbriere at fbriere.net> Mon, 17 Aug 2009 11:48:08 -0400
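Review bot: the added changelog entry names "invalid user", but the rule changed by this same commit in rulefiles/linux/ignore.d.server/ssh adds only `( illegal user)?`. Either reword the entry to say "illegal user" or widen the rule, so that the changelog describes what the pattern actually matches.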
diff --git a/rulefiles/linux/ignore.d.server/ssh b/rulefiles/linux/ignore.d.server/ssh
index 8c64c95..fccf08c 100644
--- a/rulefiles/linux/ignore.d.server/ssh
+++ b/rulefiles/linux/ignore.d.server/ssh
@@ -20,7 +20,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) bad username \[[^]]+\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for( illegal user)? [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: User not known to the underlying authentication module for i(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: ssh_msg_send: write$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Timeout before authentication for [:[:alnum:].]+$
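Review bot: the optional group on the added line, `( illegal user)?`, accepts only the "illegal user" wording, although the commit subject says the rule is adjusted for "invalid user". A message of the form "Authentication failure for invalid user NAME from HOST" still does not match: the group is skipped, `[^[:space:]]+` consumes "invalid", and the next text is " user" rather than " from". The context rule directly below already handles both spellings with `i(llegal|nvalid) user`; suggest using `for( i(llegal|nvalid) user)? [^[:space:]]+ from` here as well, so both variants are covered consistently.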