[Logcheck-devel] [PATCH] Adjusted proftpd rules to catch unresolved IPv6 hosts

Frédéric Brière fbriere at fbriere.net
Thu Jan 24 08:44:44 UTC 2008


Signed-off-by: Frédéric Brière <fbriere at fbriere.net>
---
 rulefiles/linux/ignore.d.workstation/proftpd       |    2 +-
 .../linux/violations.ignore.d/logcheck-proftpd     |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/rulefiles/linux/ignore.d.workstation/proftpd b/rulefiles/linux/ignore.d.workstation/proftpd
index a2801fe..c1133bc 100644
--- a/rulefiles/linux/ignore.d.workstation/proftpd
+++ b/rulefiles/linux/ignore.d.workstation/proftpd
@@ -1 +1 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Maximum login attempts \([[:digit:]]+\) exceeded$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Maximum login attempts \([[:digit:]]+\) exceeded$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-proftpd b/rulefiles/linux/violations.ignore.d/logcheck-proftpd
index 472992d..93e9837 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-proftpd
+++ b/rulefiles/linux/violations.ignore.d/logcheck-proftpd
@@ -1,6 +1,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: pam_unix\(proftpd:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) PAM\([-_.[:alnum:]]+\): Authentication failure\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-._[:alnum:]]+ \(Login failed\): (Limit access denies login|Incorrect password\.)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) SECURITY VIOLATION: root login attempted\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) PAM\([-_.[:alnum:]]+\): Authentication failure\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-._[:alnum:]]+ \(Login failed\): (Limit access denies login|Incorrect password\.)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) SECURITY VIOLATION: root login attempted\.$
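Review bot: The `Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.` rule on the new side (the second added line) still uses the host class without `:`, so a denied connection from an IPv6 address that fails reverse lookup is matched in the leading `\([:._[:alnum:]-]+\[...\]\)` part but not in the message body, and the line would still leak past the ignore rule. Widening it the same way, `Connection from [:._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.`, keeps the two host positions on that line consistent. The unchanged pam_unix context lines already accept `:` via `rhost=[-_.:[:alnum:]]+`, so after that change the file's host classes would all agree. The same `:` addition in the first hunk (ignore.d.workstation/proftpd) has no second host position and needs no further change.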
-- 
1.5.3.8




