[Logcheck-devel] Bug#652148: closed by Hannes von Haugwitz <hannes at vonhaugwitz.com> (Bug#652148: fixed in logcheck 1.3.15)
debian-bugs at nospam.pz.podzone.net
Mon Jul 16 13:38:37 UTC 2012
Hi,
Thank you for creating the filter rules for dropbear.
I do not run Debian 'testing' so in order to test I have applied the
rules on a machine installed with Debian 'squeeze'. As follows:
~# wget 'http://ftp.uk.debian.org/debian/pool/main/l/logcheck/logcheck_1.3.15.tar.gz'
~# tar xzf logcheck_1.3.15.tar.gz logcheck-1.3.15/rulefiles/linux/ignore.d.server/dropbear
~# cp logcheck-1.3.15/rulefiles/linux/ignore.d.server/dropbear /etc/logcheck/ignore.d.server/
For reference, Debian 'squeeze' has Logwatch 7.3.6 and Dropbear v0.52,
and the stock install of Dropbear uses /var/log/auth.log
With the new rules installed as above, the "System Events" email for
*successful* logins is now inhibited, i.e. desired behaviour - thanks.
However, I think the expectation is that *failed* logins should
generate a "Security Events" email and not a "System Events" email.
Here is the text of such a login failure:
///
This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).
System Events
=-=-=-=-=-=-=
Jul 16 12:02:12 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:29 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:37 host dropbear[15094]: exit before auth (user 'foo', 10 fails): Max auth tries reached - user 'foo' from 82.125.214.201:38407
///
Just to note: It is possible that latest Logwatch version does treat
this as a Security Event and my method of back-porting the ruleset is
insufficient to capture that - my apologies if that is the case.
On Sat, Jun 30, 2012 at 04:39:25PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the logcheck-database package:
>
> #652148: Please add rules for dropbear
>
> It has been closed by Hannes von Haugwitz <hannes at vonhaugwitz.com>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Hannes von Haugwitz <hannes at vonhaugwitz.com> by
> replying to this email.
>
>
> --
> 652148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652148
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems
> Date: Sat, 30 Jun 2012 16:38:37 +0000
> From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
> To: 652148-close at bugs.debian.org
> Subject: Bug#652148: fixed in logcheck 1.3.15
>
> Source: logcheck
> Source-Version: 1.3.15
>
> We believe that the bug you reported is fixed in the latest version of
> logcheck, which is due to be installed in the Debian FTP archive:
>
> logcheck-database_1.3.15_all.deb
> to main/l/logcheck/logcheck-database_1.3.15_all.deb
> logcheck_1.3.15.dsc
> to main/l/logcheck/logcheck_1.3.15.dsc
> logcheck_1.3.15.tar.gz
> to main/l/logcheck/logcheck_1.3.15.tar.gz
> logcheck_1.3.15_all.deb
> to main/l/logcheck/logcheck_1.3.15_all.deb
> logtail_1.3.15_all.deb
> to main/l/logcheck/logtail_1.3.15_all.deb
>
>
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed. If you
> have further comments please address them to 652148 at bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Hannes von Haugwitz <hannes at vonhaugwitz.com> (supplier of updated logcheck package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster at debian.org)
>
>
> Format: 1.8
> Date: Sat, 30 Jun 2012 16:24:49 +0200
> Source: logcheck
> Binary: logcheck logcheck-database logtail
> Architecture: source all
> Version: 1.3.15
> Distribution: unstable
> Urgency: low
> Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
> Changed-By: Hannes von Haugwitz <hannes at vonhaugwitz.com>
> Description:
> logcheck - mails anomalies in the system logfiles to the administrator
> logcheck-database - database of system log rules for the use of log checkers
> logtail - Print log file lines that have not been read (deprecated)
> Closes: 647622 647943 652148
> Changes:
> logcheck (1.3.15) unstable; urgency=low
> .
> [ Hannes von Haugwitz ]
> * ignore.d.server/dropbear: new
> - ignore successful logins (closes: #652148)
> * src/logcheck:
> - fixed broken '-t' option, thanks to Jon Daley (closes: #647622,
> LP: #1010431)
> * debian/control:
> - bumped to Standards-Version 3.9.3 (no changes necessary)
> - adjusted URLs of Vcs-* fields
> * debian/copyright:
> - updated copyright year to 2012
> .
> [ Frédéric Brière ]
> * ignore.d.server/postfix:
> - ignore "offered null AUTH mechanism list"
> - ignore "lost connection while receiving the initial server greeting"
> - fixed "lost connection while sending end of data" rule
> * ignore.d.server/proftpd:
> - ignore "authentication failure" even if ruser is provided
> * ignore.d.server/ssh:
> - ignore "PAM $n more authentication failures"
> - ignore "Too many authentication failures"
> - ignore "Closed due to user request." (closes: #647943)
> - ignore "Bye Bye"
> - ignore "Connection closed"
> - ignore yet one more variation of "invalid user"
> - updated "Postponed ..." rule with "[preauth]" suffix
> - updated "Postponed ..." rule with "invalid user"
> * ignore.d.workstation/libmtp-runtime:
> - ignore mtp-probe messages when plugging a non-MTP device
> * ignore.d.workstation/kernel:
> - ignore "No Caching mode page present"
> - ignore "usb-storage: Quirks match"
> - ignore "sensor detected" for various GSPCA webcams
> - updated FAT messages to new fat_msg() format
> - updated "new USB device" message to new usb_speed_string() format
> - updated bttv messages to new prefix
>
>
>
> Date: Thu, 15 Dec 2011 09:19:26 +0000
> From: debian-bugs at nospam.pz.podzone.net
> To: submit at bugs.debian.org
> Subject: Please add rules for dropbear
>
> Package: logcheck
> Version: 1.2.69
>
> "dropbear" is a lightweight ssh server which can be installed in place
> of openssh-server. Log entries for dropbear are not currently
> filtered by logcheck resulting in a "System Events" email for each and
> every ssh login as below:
>
>
> This email is sent by logcheck. If you no longer wish to receive
> such mails, you can either deinstall the logcheck package or modify
> its configuration file (/etc/logcheck/logcheck.conf).
>
> System Events
> =-=-=-=-=-=-=
> Dec 15 07:48:24 captain dropbear[20011]: Child connection from ::ffff:82.125.214.201:55874
> Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user' with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from ::ffff:82.125.214.201:55874
> Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited normally
>
>
> The above is from an install of logcheck 1.2.69 and dropbear 0.51-1 on
> an installation of lenny. I have looked at the package files in
> wheezy for logcheck (1.3.14) and it appears dropbear remains
> unaccounted for (although note that dropbear is now at 0.52).
>
> I have not yet attempted to create a ruleset to filter the above
> however if a fix is proposed then I will happily test it.
>
> Thanks.
>
>
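To make the reporter's point concrete (successful sessions should be silenced, failed logins should surface as "Security Events"), here is an added example that is not part of the mail thread and not logcheck's own rule files: a simplified Python model of logcheck's matching, with constructed regexes in logcheck's rule style, run over the dropbear log lines quoted in this thread. The rule ordering (violations first, then ignores) and the one-section-per-line routing are assumptions about logcheck's behaviour, not a description of the real script.

```python
import re

# Simplified model of logcheck rule matching (assumption: a line goes to exactly
# one section; real logcheck uses egrep over violations.d, violations.ignore.d
# and ignore.d in its own order). The regexes below are constructed for this
# example and are NOT the rules shipped in logcheck 1.3.15.
PREFIX = r"^\w{3} [ :0-9]{11} [._A-Za-z0-9-]+ dropbear\[[0-9]+\]: "
ADDR = r"[:.0-9a-f]+:[0-9]+"  # IPv4 or IPv4-mapped IPv6 (::ffff:a.b.c.d), plus port

# Would belong in ignore.d.server/dropbear: successful sessions, dropped from "System Events".
IGNORE_RULES = [
    r"Child connection from " + ADDR + r"$",
    r"pubkey auth succeeded for '[^']+' with key md5 ([0-9a-f]{2}:){15}[0-9a-f]{2} from " + ADDR + r"$",
    r"exit after auth \([^)]+\): Exited normally$",
]
# Would belong in violations.d/dropbear: failed authentication, reported as "Security Events".
VIOLATION_RULES = [
    r"bad password attempt for '[^']+' from " + ADDR + r"$",
    r"exit before auth \(user '[^']+', [0-9]+ fails\): Max auth tries reached - user '[^']+' from " + ADDR + r"$",
]
IGNORE = [re.compile(PREFIX + r) for r in IGNORE_RULES]
VIOLATIONS = [re.compile(PREFIX + r) for r in VIOLATION_RULES]

def classify(lines):
    """Route each line to a report section; lines matching only an ignore rule are dropped."""
    report = {"Security Events": [], "System Events": []}
    for line in lines:
        if any(v.search(line) for v in VIOLATIONS):
            report["Security Events"].append(line)
        elif not any(i.search(line) for i in IGNORE):
            report["System Events"].append(line)
    return report

# Sample input: the log lines quoted in the two mails above, plus one constructed
# line that no rule covers (it should still surface as a System Event).
SAMPLE_LOG = [
    "Dec 15 07:48:24 captain dropbear[20011]: Child connection from ::ffff:82.125.214.201:55874",
    "Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user' with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from ::ffff:82.125.214.201:55874",
    "Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited normally",
    "Jul 16 12:02:12 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407",
    "Jul 16 12:02:37 host dropbear[15094]: exit before auth (user 'foo', 10 fails): Max auth tries reached - user 'foo' from 82.125.214.201:38407",
    "Jul 16 12:05:00 host dropbear[15094]: Unexpected message (constructed, no rule)",
]

if __name__ == "__main__":
    for section, lines in classify(SAMPLE_LOG).items():
        print(section + "\n=-=-=-=-=-=-=")
        for entry in lines:
            print(entry)
```

Running it prints the two failed-login lines under "Security Events" and only the uncovered constructed line under "System Events"; the three successful-session lines are silenced.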