[Logcheck-devel] Bug#504100: logcheck-database: Minor change to /etc/logcheck/violations.ignore.d/logcheck-ssh fixes whitespace related problem.

Tim Small tim at seoss.co.uk
Fri Oct 31 13:03:37 UTC 2008


Package: logcheck-database
Version: 1.2.68
Severity: normal
Tags: patch

SSHD in lenny and etch emits white space at the end of ssh login
authentication failure lines.  It would appear that line 11 of the current
/etc/logcheck/violations.ignore.d/logcheck-ssh intends to filter such lines
(in fact it does manage to filter ones that include the user=username field,
but not lines without), but fails to do so because of the trailing
whitespace.  The problematic part of the regex is the final:

rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$

replacing it with:

rhost=[^[:space:]]+[[:space:]]+(user=[^[:space:]]+)?$

fixes the problem, but the following is probably less brittle:

rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$

in the case that sshd gets fixed to remove the trailing whitespace at some
point in the future...


Thanks,

Tim.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-openvz-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- no debconf information
-------------- next part --------------
--- /tmp/logcheck-ssh.old	2008-10-31 12:39:03.000000000 +0000
+++ /etc/logcheck/violations.ignore.d/logcheck-ssh	2008-10-31 12:40:50.000000000 +0000
@@ -8,6 +8,6 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?[^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$
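Review bot: `([[:space:]]+)?` in the replacement line is just `[[:space:]]*`; writing the tail as `rhost=[^[:space:]]+[[:space:]]*(user=[^[:space:]]+)?$` says the same thing more directly. The behaviour of the new line is otherwise the intended one: a line that ends in `rhost=<addr>` plus trailing whitespace and no `user=` field now matches, lines with `user=` still match (the two-space form on the following context line is covered by the quantifier), and `$` still pins the end of the line right after the optional user field, so the ignore rule does not start suppressing anything beyond the trailing-whitespace case. One housekeeping point: the `+++` header names the installed file under `/etc/logcheck/` rather than the packaged rulefile, so the maintainer will need to re-target the hunk when applying it.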

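The three rule variants from the report, run against constructed sshd lines with GNU `grep -E` (the ERE engine logcheck uses for its rule files), as an added example that is not part of the bug report or the logcheck package; host name, PID and address in the sample lines are made up.

```shell
#!/bin/sh
# Added example (not from the bug report or logcheck): show which constructed
# sshd lines each rule variant would ignore. Requires GNU grep (for \w).

# Common head of the rule; only the tail after rhost= differs between variants.
HEAD='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+'
RULE_OLD="$HEAD"'([[:space:]]+user=[^[:space:]]+)?$'       # shipped in 1.2.68
RULE_STRICT="$HEAD"'[[:space:]]+(user=[^[:space:]]+)?$'    # first fix in the report
RULE_NEW="$HEAD"'([[:space:]]+)?(user=[^[:space:]]+)?$'    # the attached patch

# Constructed sample lines (host, PID and address are made up).
PREFIX='Oct 31 12:39:03 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10'
LINE_PLAIN="$PREFIX"             # no trailing whitespace, no user= field
LINE_TRAILING="$PREFIX "         # what lenny/etch sshd emit: one trailing space
LINE_USER="$PREFIX  user=alice"  # user= field present (two spaces, as pam_unix logs it)

# matches RULE LINE: exit 0 when RULE matches LINE, i.e. logcheck would drop it.
matches() {
    if printf '%s\n' "$2" | grep -E -q -e "$1"; then return 0; else return 1; fi
}

# verdict RULE_NAME RULE SAMPLE_NAME LINE: print whether the line is ignored or reported.
verdict() {
    if matches "$2" "$4"; then v=ignored; else v=REPORTED; fi
    printf '%-7s %-14s %s\n' "$1" "$3" "$v"
}

# report RULE_NAME RULE: one verdict per sample line.
report() {
    verdict "$1" "$2" LINE_PLAIN "$LINE_PLAIN"
    verdict "$1" "$2" LINE_TRAILING "$LINE_TRAILING"
    verdict "$1" "$2" LINE_USER "$LINE_USER"
}

report old "$RULE_OLD"        # misses LINE_TRAILING: the bug
report strict "$RULE_STRICT"  # misses LINE_PLAIN: brittle if sshd drops the space
report new "$RULE_NEW"        # ignores all three
```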
