[Logcheck-devel] Bug#333233: ssh's own reverse DNS lookup failure messages are not ignored

Elmar Hoffmann debian-logcheck-devel-ml at elho.net
Fri Oct 14 14:41:01 UTC 2005


Hi,

on Tue, Oct 11, 2005 at 02:34:31 +0200, Elmar Hoffmann wrote:

> While violations.ignore.d/logcheck-ssh does filter out the warnings
> about failed reverse DNS lookup from the TCP wrappers, it does not for
> ssh's own messages (which are quite overly dramatic, too).
> The attached patch fixes this.

Added another variant of these messages.
Note that I also used the pattern [._[:alnum:]-]+ for the IP address,
instead of a more restrictive one, just like the existing rules in
this file for the TCP wrappers entries do - you might want to tighten
them both.

elmar

-- 

 .'"`.                                                            /"\
| :' :   Elmar Hoffmann <elho at elho.net>    ASCII Ribbon Campaign  \ /
`. `'    GPG key available via pgp.net        against HTML email   X
  `-                                                    & vCards  / \
-------------- next part --------------
--- /etc/logcheck/violations.ignore.d/logcheck-ssh.dpkg-dist	2005-10-11 01:37:46.356925928 +0200
+++ /etc/logcheck/violations.ignore.d/logcheck-ssh	2005-10-14 16:33:27.129387970 +0200
@@ -1,2 +1,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: host name/name mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAKIN ATTEMPT!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$
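Review bot: in the second added rule the field after `Address ` is `[._[:alnum:]-]+`, which accepts any hostname-shaped token rather than only an IP address, so the rule is looser than the message format requires; since the mail itself invites tightening, an IPv4 class such as `[0-9]{1,3}(\.[0-9]{1,3}){3}` in that one position would restrict the match to dotted-quad addresses while leaving the hostname fields as they are. The `@@ -1,2 +1,4 @@` header is consistent with the two unchanged TCP-wrapper lines plus the two additions, and the new lines reuse the same `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]:` prefix as the existing rules.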
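An added example, not from the mail or from logcheck itself, that runs the two rules from the patch over constructed sshd log lines with `grep -E` (the way logcheck applies a violations.ignore.d file) and compares them with a tightened variant of the `Address ... maps to` rule that accepts only an IPv4 address in that field; the sample log lines, hostnames, addresses and the tightened class are assumptions:

```shell
#!/bin/sh
# Added example, not part of the mail or of logcheck: apply the two ignore
# rules from the patch to constructed sshd log lines with grep -E (GNU grep,
# as logcheck's egrep on Debian) and compare them with a tightened variant
# (an assumption) that only accepts an IPv4 address after "Address".

# The two rules added by the patch, verbatim.
RULE_REVERSE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAKIN ATTEMPT!$'
RULE_ADDRESS='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$'
# Tightened variant (assumption): the field after "Address" must be a
# dotted-quad IPv4 address, so a hostname there no longer matches.
RULE_ADDRESS_IPV4='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [0-9]{1,3}(\.[0-9]{1,3}){3} maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$'

RULES_PATCH="$RULE_REVERSE
$RULE_ADDRESS"
RULES_TIGHT="$RULE_REVERSE
$RULE_ADDRESS_IPV4"

# Constructed sample log lines (hosts and addresses are placeholders).
LOG_IP='Oct 14 16:33:27 gw sshd[1234]: Address 192.0.2.10 maps to host.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!'
LOG_NAME='Oct 14 16:33:27 gw sshd[1234]: Address host.example.net maps to other.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!'
LOG_REV='Oct 14 16:33:28 gw sshd[1235]: reverse mapping checking getaddrinfo for host.example.net failed - POSSIBLE BREAKIN ATTEMPT!'
LOG_OTHER='Oct 14 16:33:29 gw sshd[1236]: Accepted publickey for alice from 192.0.2.10 port 4242 ssh2'

# ignored_count RULES: read log lines on stdin and print how many of them
# the rules (one regex per line, matched with grep -E -f) would silence.
ignored_count() {
    rules=$(mktemp)
    printf '%s\n' "$1" > "$rules"
    n=$(grep -E -c -f "$rules" || true)   # grep exits 1 when nothing matches
    rm -f "$rules"
    echo "$n"
}

# sample_log: the constructed lines above, one per line.
sample_log() {
    printf '%s\n' "$LOG_IP" "$LOG_NAME" "$LOG_REV" "$LOG_OTHER"
}

echo "patch rules silence:     $(sample_log | ignored_count "$RULES_PATCH") of 4 lines"  # 3
echo "tightened rules silence: $(sample_log | ignored_count "$RULES_TIGHT") of 4 lines"  # 2
```

The loose class silences the hostname-shaped `Address` line as well as the IP one, while the tightened rule leaves it to be reported.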