[Logcheck-devel] Bug#652148: closed by Hannes von Haugwitz <hannes at vonhaugwitz.com> (Bug#652148: fixed in logcheck 1.3.15)

debian-bugs at nospam.pz.podzone.net
Mon Jul 16 13:38:37 UTC 2012


Hi,

Thank you for creating the filter rules for dropbear.

I do not run Debian 'testing' so in order to test I have applied the
rules on a machine installed with Debian 'squeeze'.  As follows:

~# wget 'http://ftp.uk.debian.org/debian/pool/main/l/logcheck/logcheck_1.3.15.tar.gz'
~# tar xzf logcheck_1.3.15.tar.gz logcheck-1.3.15/rulefiles/linux/ignore.d.server/dropbear
~# cp logcheck-1.3.15/rulefiles/linux/ignore.d.server/dropbear /etc/logcheck/ignore.d.server/

For reference, Debian 'squeeze' has Logwatch 7.3.6 and Dropbear v0.52,
and the stock install of Dropbear uses /var/log/auth.log

With the new rules installed as above, the "System Events" email for
*successful* logins is now inhibited, i.e. desired behaviour - thanks.

However, I think the expectation is that *failed* logins should
generate a "Security Events" email and not a "System Events" email.

Here is the text of such a login failure:

///

This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-=
Jul 16 12:02:12 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:29 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:37 host dropbear[15094]: exit before auth (user 'foo', 10 fails): Max auth tries reached - user 'foo' from 82.125.214.201:38407

///

Just to note: It is possible that latest Logwatch version does treat
this as a Security Event and my method of back-porting the ruleset is
insufficient to capture that - my apologies if that is the case.


On Sat, Jun 30, 2012 at 04:39:25PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the logcheck-database package:
> 
> #652148: Please add rules for dropbear
> 
> It has been closed by Hannes von Haugwitz <hannes at vonhaugwitz.com>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Hannes von Haugwitz <hannes at vonhaugwitz.com> by
> replying to this email.
> 
> 
> -- 
> 652148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652148
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems

> Date: Sat, 30 Jun 2012 16:38:37 +0000
> From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
> To: 652148-close at bugs.debian.org
> Subject: Bug#652148: fixed in logcheck 1.3.15
> 
> Source: logcheck
> Source-Version: 1.3.15
> 
> We believe that the bug you reported is fixed in the latest version of
> logcheck, which is due to be installed in the Debian FTP archive:
> 
> logcheck-database_1.3.15_all.deb
>   to main/l/logcheck/logcheck-database_1.3.15_all.deb
> logcheck_1.3.15.dsc
>   to main/l/logcheck/logcheck_1.3.15.dsc
> logcheck_1.3.15.tar.gz
>   to main/l/logcheck/logcheck_1.3.15.tar.gz
> logcheck_1.3.15_all.deb
>   to main/l/logcheck/logcheck_1.3.15_all.deb
> logtail_1.3.15_all.deb
>   to main/l/logcheck/logtail_1.3.15_all.deb
> 
> 
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 652148 at bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Hannes von Haugwitz <hannes at vonhaugwitz.com> (supplier of updated logcheck package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster at debian.org)
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Format: 1.8
> Date: Sat, 30 Jun 2012 16:24:49 +0200
> Source: logcheck
> Binary: logcheck logcheck-database logtail
> Architecture: source all
> Version: 1.3.15
> Distribution: unstable
> Urgency: low
> Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
> Changed-By: Hannes von Haugwitz <hannes at vonhaugwitz.com>
> Description: 
>  logcheck   - mails anomalies in the system logfiles to the administrator
>  logcheck-database - database of system log rules for the use of log checkers
>  logtail    - Print log file lines that have not been read (deprecated)
> Closes: 647622 647943 652148
> Changes: 
>  logcheck (1.3.15) unstable; urgency=low
>  .
>    [ Hannes von Haugwitz ]
>    * ignore.d.server/dropbear: new
>      - ignore successful logins (closes: #652148)
>    * src/logcheck:
>      - fixed broken '-t' option, thanks to Jon Daley (closes: #647622,
>        LP: #1010431)
>    * debian/control:
>      - bumped to Standards-Version 3.9.3 (no changes necessary)
>      - adjusted URLs of Vcs-* fields
>    * debian/copyright:
>      - updated copyright year to 2012
>  .
>    [ Frédéric Brière ]
>    * ignore.d.server/postfix:
>      - ignore "offered null AUTH mechanism list"
>      - ignore "lost connection while receiving the initial server greeting"
>      - fixed "lost connection while sending end of data" rule
>    * ignore.d.server/proftpd:
>      - ignore "authentication failure" even if ruser is provided
>    * ignore.d.server/ssh:
>      - ignore "PAM $n more authentication failures"
>      - ignore "Too many authentication failures"
>      - ignore "Closed due to user request." (closes: #647943)
>      - ignore "Bye Bye"
>      - ignore "Connection closed"
>      - ignore yet one more variation of "invalid user"
>      - updated "Postponed ..." rule with "[preauth]" suffix
>      - updated "Postponed ..." rule with "invalid user"
>    * ignore.d.workstation/libmtp-runtime:
>      - ignore mtp-probe messages when plugging a non-MTP device
>    * ignore.d.workstation/kernel:
>      - ignore "No Caching mode page present"
>      - ignore "usb-storage: Quirks match"
>      - ignore "sensor detected" for various GSPCA webcams
>      - updated FAT messages to new fat_msg() format
>      - updated "new USB device" message to new usb_speed_string() format
>      - updated bttv messages to new prefix
> Checksums-Sha1: 
>  df8e621f5c5190d8237ef56591393556db8160c2 1851 logcheck_1.3.15.dsc
>  c1fef9d602f208e5cae64d39900834c216568fb0 162397 logcheck_1.3.15.tar.gz
>  d6d9cf45c515886ad134b2474d68d7c43832ed2a 78664 logcheck_1.3.15_all.deb
>  6c9ea758e52f62b13a5171a487163ebe22347798 121414 logcheck-database_1.3.15_all.deb
>  215d19a434319dfcf1561e88a59893e8c93eb170 61270 logtail_1.3.15_all.deb
> Checksums-Sha256: 
>  4928dbc5921f663425aef8661e7ffeb09f6fc86ee385da9f9d21e7a075e3e28f 1851 logcheck_1.3.15.dsc
>  b29b4753940a9130b5f19f60d2d89af23be220674625f4bd2fb1d40945d0b9e5 162397 logcheck_1.3.15.tar.gz
>  3314e5d1d3d65417c16beb55a3f8e7ad3f9b047f298b670385e04b6fc17937b7 78664 logcheck_1.3.15_all.deb
>  c76bccbb0fc7b07d3839c5a972f93b01dc0afe1253227360af6c7376e5a841ff 121414 logcheck-database_1.3.15_all.deb
>  c9a59d0844b12b5ef79607798006a07cb8d5aa3647d4a119a91ec0e5ea4980b0 61270 logtail_1.3.15_all.deb
> Files: 
>  b6f9422e2bd0079c5e534f777d8f5aac 1851 admin optional logcheck_1.3.15.dsc
>  e3f002fddcdc01856c811872f4082a11 162397 admin optional logcheck_1.3.15.tar.gz
>  a0eb536acd94c2e4a45b6a3c9c30765e 78664 admin optional logcheck_1.3.15_all.deb
>  d1b05745baed4e80d6d984778724457d 121414 admin optional logcheck-database_1.3.15_all.deb
>  f65e15cfa881576ab027da7852901ce5 61270 admin optional logtail_1.3.15_all.deb
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> 
> iQGcBAEBCAAGBQJP7xTNAAoJEBjuhjhgIu9XjCYL/0Xv4094bDzoVcYxXGfaYAKA
> 6ZGSXuE5I0TQgI9D5CxqWvPOAPq9qBWbXKhnAfvAfQVZapD4fR/OHHPNQtMen/lD
> WRQF0pW8ELsqi+NWCbDF4BAqHwQxyhvvHDgP8/BdbWG9TC9oF50/nWYUiIFA16Vd
> 01TdVNLr1MO5zZQprNqaDyRS+BskBrDsXVsGgnhTTcWg+73wY6BTu/7o8jc0c81F
> EaFRtqxHEFcEIP0CgeK21g+6NrrzfdWfhlTwKBAChq7ElkIIMqqSunSJlHowcBv9
> X0sv5/J3sky2vRWr9SPlgwnpXupvf9PfQvWuDpxqK5sA7Utjjp4i2cqFLu3LWHtu
> fVHWvxhmAUsDYqoT15h3GkRzEh/QwlBq26mmvT/+Dd24Ea22z/ns49kGLrY49LHl
> T5qTg44KVTURtrEJhGBFTlyX+wgGF3Vd1gV/er0FSIBbXI6eIIlXOnJN0AF4/MQz
> aE9iVYLKNbP+CrKBuyoyKqNULnyH6QKoo8XhXpBmhg==
> =B31d
> -----END PGP SIGNATURE-----
> 
> 

> Date: Thu, 15 Dec 2011 09:19:26 +0000
> From: debian-bugs at nospam.pz.podzone.net
> To: submit at bugs.debian.org
> Subject: Please add rules for dropbear
> 
> Package: logcheck
> Version: 1.2.69
> 
> "dropbear" is a lightweight ssh server which can be installed in place
> of openssh-server.  Log entries for dropbear are not currently
> filtered by logcheck resulting in a "System Events" email for each and
> every ssh login as below:
> 
> 
> This email is sent by logcheck. If you no longer wish to receive
> such mails, you can either deinstall the logcheck package or modify
> its configuration file (/etc/logcheck/logcheck.conf).
> 
> System Events
> =-=-=-=-=-=-=
> Dec 15 07:48:24 captain dropbear[20011]: Child connection from ::ffff:82.125.214.201:55874
> Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user' with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from ::ffff:82.125.214.201:55874
> Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited normally
> 
> 
> The above is from an install of logcheck 1.2.69 and dropbear 0.51-1 on
> an installation of lenny.  I have looked at the package files in
> wheezy for logcheck (1.3.14) and it appears dropbear remains
> unaccounted for (although note that dropbear is now at 0.52).
> 
> I have not yet attempted to create a ruleset to filter the above
> however if a fix is proposed then I will happily test it.
> 
> Thanks.
> 
> 


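The thread turns on how logcheck sorts a line into "Security Events" versus "System Events": lines matching a violations.d rule are mailed as Security Events, lines matching an ignore.d rule are dropped, and whatever is left is mailed as System Events. The script below is an added example, not logcheck's own code and not the ignore.d.server/dropbear file shipped in 1.3.15 (the thread does not show that file's patterns). It mimics that layering with grep -E -f, as logcheck itself does, over sample lines modelled on the ones quoted above. The regexes, the hostnames, the trailing "unrecognised" line and the rule that each line is reported under the first tier it matches are all assumptions made for this example; a real logcheck run also applies cracking.d and violations.ignore.d, which are left out here.

```shell
#!/bin/sh
# Added example: not logcheck's own code and not the rule file shipped in 1.3.15.
# Mimics how logcheck layers its rule directories for dropbear log lines:
#   violations.d  -> reported under "Security Events"
#   ignore.d      -> dropped from "System Events"
#   anything else -> reported under "System Events"
# Simplification (assumption): each line is reported under the first tier it matches.
set -u

RULES_DIR=$(mktemp -d)
trap 'rm -rf "$RULES_DIR"' EXIT

# Usual logcheck line prefix: month, an 11-character "DD HH:MM:SS", hostname, then the dropbear tag.
PFX='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: '
PEER='[0-9a-f:.]+:[[:digit:]]+'   # IPv4, or IPv4-mapped IPv6 such as ::ffff:a.b.c.d, plus port

# violations.d-style rules written for this example: failed logins become Security Events.
cat > "$RULES_DIR/violations" <<EOF
${PFX}bad password attempt for '[^']+' from ${PEER}\$
${PFX}exit before auth \(user '[^']+', [[:digit:]]+ fails\): Max auth tries reached - user '[^']+' from ${PEER}\$
EOF

# ignore.d-style rules written for this example: successful logins are dropped, which is
# what the 1.3.15 changelog says ignore.d.server/dropbear does (its real patterns are assumed here).
cat > "$RULES_DIR/ignore" <<EOF
${PFX}Child connection from ${PEER}\$
${PFX}(pubkey|password) auth succeeded for '[^']+'( with key md5 ([0-9a-f]{2}:){15}[0-9a-f]{2})? from ${PEER}\$
${PFX}exit after auth \([^)]+\): Exited normally\$
EOF

# classify LINE: prints security, ignored or system, matching with grep -E -f like logcheck does.
classify() {
    if printf '%s\n' "$1" | grep -E -q -f "$RULES_DIR/violations"; then
        echo security
    elif printf '%s\n' "$1" | grep -E -q -f "$RULES_DIR/ignore"; then
        echo ignored
    else
        echo system
    fi
}

# Constructed sample lines, modelled on the ones quoted in the thread (not a real capture).
SAMPLE="Jul 16 12:02:05 host dropbear[15094]: Child connection from 82.125.214.201:38407
Jul 16 12:02:12 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:37 host dropbear[15094]: exit before auth (user 'foo', 10 fails): Max auth tries reached - user 'foo' from 82.125.214.201:38407
Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user' with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from ::ffff:82.125.214.201:55874
Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited normally
Jul 16 12:05:00 host dropbear[15101]: unrecognised message that no rule covers"

# count_tier TIER: how many sample lines land in TIER (security, ignored or system).
count_tier() {
    n=0
    while IFS= read -r line; do
        [ "$(classify "$line")" = "$1" ] && n=$((n + 1))
    done <<EOF
$SAMPLE
EOF
    echo "$n"
}

# report: print the two sections a logcheck mail would carry for the sample lines.
report() {
    : > "$RULES_DIR/security"
    : > "$RULES_DIR/system"
    while IFS= read -r line; do
        tier=$(classify "$line")
        [ "$tier" = ignored ] || printf '%s\n' "$line" >> "$RULES_DIR/$tier"
    done <<EOF
$SAMPLE
EOF
    printf 'Security Events\n=-=-=-=-=-=-=-=\n'
    cat "$RULES_DIR/security"
    printf '\nSystem Events\n=-=-=-=-=-=-=\n'
    cat "$RULES_DIR/system"
}

report
```

Run as-is, the two "bad password attempt" / "Max auth tries reached" lines land under Security Events, the three successful-login lines are dropped, and only the unrecognised line reaches System Events. Delete the violations file and the failed logins fall through to System Events, which is exactly the report shown earlier in the thread: an ignore.d rule for successful logins alone says nothing about failures. To try a candidate rule file against a real log before installing it, logcheck's own logcheck-test tool does the same grep against a log file.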
