[Logcheck-devel] Bug#504100: logcheck-database: Minor change to /etc/logcheck/violations.ignore.d/logcheck-ssh fixes whitespace related problem.
Tim Small
tim at seoss.co.uk
Fri Oct 31 13:03:37 UTC 2008
Package: logcheck-database
Version: 1.2.68
Severity: normal
Tags: patch
SSHD in lenny and etch emits whitespace at the end of ssh login
authentication failure lines. It would appear that line 11 of the current
/etc/logcheck/violations.ignore.d/logcheck-ssh intends to filter such lines
(in fact it does manage to filter ones that include the user=username field,
but not lines without), but fails to do so because of the trailing
whitespace. The problematic part of the regex is the final:
rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
replacing it with:
rhost=[^[:space:]]+[[:space:]]+(user=[^[:space:]]+)?$
fixes the problem, but the following is probably less brittle:
rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$
in the case that sshd gets fixed to remove the trailing whitespace at some
point in the future...
Thanks,
Tim.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-openvz-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-- no debconf information
--- /tmp/logcheck-ssh.old 2008-10-31 12:39:03.000000000 +0000
+++ /etc/logcheck/violations.ignore.d/logcheck-ssh 2008-10-31 12:40:50.000000000 +0000
@@ -8,6 +8,6 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?[^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$
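Review bot: on the + line, the new ([[:space:]]+)? is a capturing group that captures nothing anyone uses, and it is equivalent to [[:space:]]*; the tail reads more clearly as rhost=[^[:space:]]+[[:space:]]*(user=[^[:space:]]+)?$ with the same behaviour (trailing whitespace accepted, user= field still optional). Separately, the ---/+++ headers name /tmp/logcheck-ssh.old and the installed /etc/logcheck/violations.ignore.d/logcheck-ssh rather than the package source path, so whoever applies this will have to feed the hunk to patch with the path ignored instead of applying it as-is in the package tree.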
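The three regex tails from the report, run with grep -E (the matcher logcheck uses) against constructed pam_unix log lines with and without the trailing space and the user= field. This is an added example, not part of the report or the logcheck package; the sample lines, the OLD/FIXED/LOOSE names and the matches/show helpers are constructed for it.

```shell
#!/bin/sh
# Added example, not from the bug report or the logcheck package.
# Runs the three rhost/user regex tails discussed in the report against
# constructed pam_unix log lines with grep -E, the matcher logcheck uses.

# Tail of the current (buggy) rule: whitespace only allowed before user=.
OLD='rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$'
# First proposed fix: whitespace is now required after the rhost value.
FIXED='rhost=[^[:space:]]+[[:space:]]+(user=[^[:space:]]+)?$'
# Less brittle variant: whitespace optional, user= field optional.
LOOSE='rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$'

# Constructed sample lines (hostname, pid and address are placeholders).
PREFIX='Oct 31 12:39:03 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10'
LINE_TRAIL="$PREFIX "            # trailing space, as lenny/etch sshd emits
LINE_USER="$PREFIX user=alice"   # with the user= field
LINE_CLEAN="$PREFIX"             # no trailing whitespace (a fixed sshd)

# matches REGEX LINE: prints 1 if LINE would be ignored by the rule, else 0.
# printf '%s\n' keeps the trailing space intact; grep -E anchors $ at EOL.
matches() {
    if printf '%s\n' "$2" | grep -Eq "$1"; then echo 1; else echo 0; fi
}

# Print a small matrix so the effect of each variant is visible at once.
show() {
    for rule in OLD FIXED LOOSE; do
        eval "re=\$$rule"
        printf '%-5s trail=%s user=%s clean=%s\n' "$rule" \
            "$(matches "$re" "$LINE_TRAIL")" \
            "$(matches "$re" "$LINE_USER")" \
            "$(matches "$re" "$LINE_CLEAN")"
    done
}

show
```

The matrix shows the bug (OLD misses the trailing-space line), the brittleness of FIXED (it misses the line once the trailing space goes away), and LOOSE matching all three.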