[Logcheck-devel] Bug#333233: ssh's own reverse DNS lookup failure messages are not ignored
Elmar Hoffmann
debian-logcheck-devel-ml at elho.net
Fri Oct 14 14:41:01 UTC 2005
Hi,
on Tue, Oct 11, 2005 at 02:34:31 +0200, Elmar Hoffmann wrote:
> While violations.ignore.d/logcheck-ssh does filter out the warnings
> about failed reverse DNS lookup from the TCP wrappers, it does not for
> ssh's own messages (which are quite overly dramatic, too).
> The attached patch fixes this.
Added another variant of these messages.
Note that I also used the pattern [._[:alnum:]-]+ for the IP address,
instead of a more restrictive one, just like the existing rules in
this file for the TCP wrappers entries do - you might want to tighten
them both.
elmar
--
.'"`. /"\
| :' : Elmar Hoffmann <elho at elho.net> ASCII Ribbon Campaign \ /
`. `' GPG key available via pgp.net against HTML email X
`- & vCards / \
-------------- next part --------------
--- /etc/logcheck/violations.ignore.d/logcheck-ssh.dpkg-dist 2005-10-11 01:37:46.356925928 +0200
+++ /etc/logcheck/violations.ignore.d/logcheck-ssh 2005-10-14 16:33:27.129387970 +0200
@@ -1,2 +1,4 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: host name/name mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAKIN ATTEMPT!$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$
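Review bot: In both added rules the address field (after "getaddrinfo for" in the first + line and after "Address" in the second) reuses the hostname class [._[:alnum:]-]+, so a violations.ignore rule for a "POSSIBLE BREAKIN ATTEMPT" line accepts any hostname-like token in that position rather than only an address. The same class contains no ":", so a line whose address is written in IPv6 notation would not match and would still be reported. Suggest an address-specific sub-pattern for that field, and the same treatment for the getaddrinfo\(...\) argument in the two existing TCP wrappers rules, as the message itself proposes. The ^ and $ anchors on both new lines are worth keeping as they are.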
-------------- next part --------------
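The remark above about using [._[:alnum:]-]+ for the IP address can be checked directly. This is an added example, not part of the original message or of logcheck: it reassembles the two rules from the patch, runs them with grep -E over constructed log lines, and compares them with a hypothetical IPv4-only tightening (the names IP4, TIGHT_MAP and verdict are assumptions of this example).

```shell
#!/bin/sh
# Added example. Rule pieces are copied from the patch; log lines are constructed.
# Needs a grep that understands \w in -E mode (GNU grep does).
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: '
HOST='[._[:alnum:]-]+'
FAIL_TAIL=' failed - POSSIBLE BREAKIN ATTEMPT!$'
MAP_TAIL=' maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$'

# The two rules added by the patch, reassembled from the pieces above.
RULE_FAIL="${PREFIX}reverse mapping checking getaddrinfo for ${HOST}${FAIL_TAIL}"
RULE_MAP="${PREFIX}Address ${HOST}${MAP_TAIL}"

# Assumed tightening (not from the patch): dotted-quad IPv4 only in the
# address field. It checks shape, not the 0-255 range, and ignores IPv6.
IP4='([0-9]{1,3}\.){3}[0-9]{1,3}'
TIGHT_MAP="${PREFIX}Address ${IP4}${MAP_TAIL}"

# Constructed sample lines (192.0.2.0/24 is a documentation range).
LINE_FAIL='Oct 14 16:33:27 host1 sshd[1234]: reverse mapping checking getaddrinfo for client.example.net failed - POSSIBLE BREAKIN ATTEMPT!'
LINE_MAP='Oct 14 16:33:27 host1 sshd[1234]: Address 192.0.2.10 maps to client.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!'
LINE_ODD='Oct 14 16:33:27 host1 sshd[1234]: Address not.an.address maps to client.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!'

# verdict RULE LINE: "ignored" if the ignore rule matches the line,
# "reported" if the line would stay in the logcheck report.
verdict() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo ignored
    else
        echo reported
    fi
}

printf '%-9s %s\n' "$(verdict "$RULE_FAIL" "$LINE_FAIL")" 'patch rule 1, getaddrinfo failure line'
printf '%-9s %s\n' "$(verdict "$RULE_MAP" "$LINE_MAP")" 'patch rule 2, IPv4 address'
printf '%-9s %s\n' "$(verdict "$RULE_MAP" "$LINE_ODD")" 'patch rule 2, non-address token'
printf '%-9s %s\n' "$(verdict "$TIGHT_MAP" "$LINE_MAP")" 'tightened rule, IPv4 address'
printf '%-9s %s\n' "$(verdict "$TIGHT_MAP" "$LINE_ODD")" 'tightened rule, non-address token'
```

Keeping a file of such sample lines next to the rules makes it easy to re-check the ignore patterns whenever sshd's message wording changes.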