[Logcheck-devel] Bug#369497: fixed violations ignore rules for openssh 4.3

Elmar Hoffmann debian-logcheck-devel-ml at elho.net
Wed Jun 21 09:51:55 UTC 2006


Hi,

on Tue, May 30, 2006 at 10:35:23 +0200, Elmar Hoffmann wrote:

> The new openssh 4.3 changed the message for failed reverse-lookups to
> contain BREAK-IN instead of BREAKIN. [...]

I just found that this also applies to the other "POSSIBLE BREAKIN
ATTEMPT" rule in violations.ignore.d/logcheck-ssh. Additionally, that
other rule does not contain the word "failed" and thus these messages
actually are in the system events level and not the violations one.
Thus the attached patch against CVS fixes and moves that rule over to
ignore.d.server/ssh.

elmar

-- 

 .'"`.                                                            /"\
| :' :   Elmar Hoffmann <elho at elho.net>    ASCII Ribbon Campaign  \ /
`. `'    GPG key available via pgp.net        against HTML email   X
  `-                                                    & vCards  / \
-------------- next part --------------
Index: rulefiles/linux/ignore.d.server/ssh
===================================================================
RCS file: /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/ssh,v
retrieving revision 1.14
diff -u -r1.14 ssh
--- rulefiles/linux/ignore.d.server/ssh	15 Oct 2005 14:06:13 -0000	1.14
+++ rulefiles/linux/ignore.d.server/ssh	21 Jun 2006 09:46:50 -0000
@@ -11,3 +11,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from (::ffff:)?[:0-9a-f.]{7,15}$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Authorized to [^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
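Review bot: the "Address ..." field in this message is the client's IP address, but the added rule matches it with the hostname class `[._[:alnum:]-]+`, which contains no `:`; the "Did not receive identification string" rule two lines above in this hunk uses `(::ffff:)?[:0-9a-f.]{7,15}` for an address, so consider the same form here so that IPv6-mapped addresses are also ignored. The `BREAK-?IN` alternation correctly covers both the pre-4.3 `BREAKIN` and the 4.3 `BREAK-IN` spelling.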
Index: rulefiles/linux/violations.ignore.d/logcheck-ssh
===================================================================
RCS file: /cvsroot/logcheck/logcheck/rulefiles/linux/violations.ignore.d/logcheck-ssh,v
retrieving revision 1.4
diff -u -r1.4 logcheck-ssh
--- rulefiles/linux/violations.ignore.d/logcheck-ssh	4 Jun 2006 19:22:35 -0000	1.4
+++ rulefiles/linux/violations.ignore.d/logcheck-ssh	21 Jun 2006 09:46:50 -0000
@@ -1,4 +1,3 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: host name/name mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$
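Review bot: removing this rule without a replacement in violations.ignore.d is only correct because the "Address ... maps to ..." message contains none of the keywords (such as "failed") that route a line to the violations level, so this entry could never have matched there; the cover letter says as much, and the replacement with `BREAK-?IN` lands in ignore.d.server/ssh in the first hunk. Suggest stating the move explicitly in the commit message so the deletion is not read as a lost ignore rule.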

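Added example, not part of the mail or of logcheck itself: a simplified model of the routing described above (a line containing "failed" goes to the violations level, anything else is a system event; that single keyword is an assumption), used to show why the old BREAKIN rule in violations.ignore.d never matched this message and why the moved BREAK-?IN rule in ignore.d.server does. POSIX `[:alnum:]` is rewritten as `a-zA-Z0-9` for Python's `re`, and the log lines are constructed.

```python
import re

# Simplified logcheck model (assumption): a line reaches the violations level
# only if it matches a violations keyword; the mail names "failed".
VIOLATION_KEYWORDS = [re.compile(r"failed", re.I)]

HOST = r"[._a-zA-Z0-9-]+"                      # logcheck's [._[:alnum:]-]+
PREFIX = r"^\w{3} [ :0-9]{11} " + HOST + r" sshd\[[0-9]+\]: "
ADDR_MSG = (r"Address " + HOST + r" maps to " + HOST
            + r", but this does not map back to the address - POSSIBLE ")

# Rule the patch removes from violations.ignore.d/logcheck-ssh (old spelling only)
OLD_VIOLATIONS_IGNORE = [re.compile(PREFIX + ADDR_MSG + r"BREAKIN ATTEMPT!$")]
# Rule the patch adds to ignore.d.server/ssh (either spelling)
NEW_SERVER_IGNORE = [re.compile(PREFIX + ADDR_MSG + r"BREAK-?IN ATTEMPT!$")]


def classify(line, violations_ignore, server_ignore):
    """Return 'violations', 'events' or 'ignored' for one syslog line."""
    if any(k.search(line) for k in VIOLATION_KEYWORDS):
        # violations level: only violations.ignore.d rules can silence it
        if any(r.search(line) for r in violations_ignore):
            return "ignored"
        return "violations"
    # system events level: ignore.d.server rules apply
    if any(r.search(line) for r in server_ignore):
        return "ignored"
    return "events"


# Constructed sample lines (not real log data)
TS = "Jun 21 09:46:50 gateway sshd[2931]: "
ADDR_OLD = (TS + "Address 192.0.2.10 maps to host.example.invalid, but this "
            "does not map back to the address - POSSIBLE BREAKIN ATTEMPT!")
ADDR_NEW = ADDR_OLD.replace("BREAKIN", "BREAK-IN")
REVERSE_NEW = (TS + "reverse mapping checking getaddrinfo for "
               "host.example.invalid failed - POSSIBLE BREAK-IN ATTEMPT!")


def before_patch(line):
    return classify(line, OLD_VIOLATIONS_IGNORE, [])


def after_patch(line):
    return classify(line, [], NEW_SERVER_IGNORE)


if __name__ == "__main__":
    for name, line in [("old spelling", ADDR_OLD), ("new spelling", ADDR_NEW)]:
        print(name, "before:", before_patch(line), "after:", after_patch(line))
```

Before the patch both spellings surface as system events, because the ignore rule lived in the wrong level; after it both are silenced, while the "failed" message still routes to the violations level as before.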