diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2006-08-05 08:27:56 +0000 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2006-08-05 08:27:56 +0000 |
| commit | a20d9a455a3e57d1e6ec30e9d8fca40fae7fd72c (patch) | |
| tree | 7b5c1b2d07c7e110db86efc2cca5fcf65805b66e /logcheck | |
| parent | ae5c1d17e696652315721c010648bb124d1c3636 (diff) | |
Ignore more authentication failures. Ignore more spam filtering.
Diffstat (limited to 'logcheck')
| -rw-r--r-- | logcheck/violations.ignore.d/amavisd-new | 6 | ||||
| -rw-r--r-- | logcheck/violations.ignore.d/local | 15 | ||||
| -rw-r--r-- | logcheck/violations.ignore.d/postfix | 6 | ||||
| -rw-r--r-- | logcheck/violations.ignore.d/temp | 4 |
4 files changed, 16 insertions, 15 deletions
diff --git a/logcheck/violations.ignore.d/amavisd-new b/logcheck/violations.ignore.d/amavisd-new index 702f4ba..0a48dc1 100644 --- a/logcheck/violations.ignore.d/amavisd-new +++ b/logcheck/violations.ignore.d/amavisd-new @@ -5,8 +5,6 @@ #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: DSN contains BAD HEADER & SPAM; bounce is not bouncable, mail intentionally dropped$ #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) NOTICE: UNABLE TO SEND DSN to <[^[:space:]]*>: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$ #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) mail_via_smtp: 550 5\.1\.0 <[^[:space:]]*>: Recipient address rejected: User unknown in virtual alias table$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Blocked SPAM, [0-9-]+ <[^[:space:]]*> -> <[^[:space:]]*>, quarantine: [^[:space:]]+, Message-ID: [^[:space:]]+, mail_id: [^[:space:]]+, Hits: [-\.0-9]+, [0-9]+ ms$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) INFO: unfolded [0-9]+ illegal all-whitespace continuation lines$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Passed BAD-HEADER,( \[[\.0-9]+\])? <[^[:space:]]*> -> <[^[:space:]]*>, Message-ID: [^[:space:]]+, mail_id: [^[:space:]]+, Hits: [-\.0-9]+, [0-9]+ ms$ -# Suspicious words within email addresses are ok -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^>[:space:]]*(attack|BAD|debug|deny|error|expn|promisc|refused)[^>[:space:]]*>.*$ + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) (Passed BAD-HEADER|Blocked SPAM), \[[0-9-]+\] <[^[:space:]]*> -> <[^[:space:]]*>(, (quarantine|Message-ID|mail_id|Hits|queued_as): [^[:space:]]+)+, [0-9]+ ms$ diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local index 8cfa811..5a1597c 100644 --- a/logcheck/violations.ignore.d/local +++ b/logcheck/violations.ignore.d/local @@ -1,7 +1,6 @@ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Blocked SPAM, [0-9-]+ <[^[:space:]]*> -> <[^[:space:]]*>, quarantine: [^[:space:]]+, Message-ID: [^[:space:]]+, mail_id: [^[:space:]]+, Hits: [-\.0-9]+, [0-9]+ ms$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) INFO: unfolded [0-9]+ illegal all-whitespace continuation lines$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) Passed BAD-HEADER,( \[[\.0-9]+\])? <[^[:space:]]*> -> <[^[:space:]]*>, Message-ID: [^[:space:]]+, mail_id: [^[:space:]]+, Hits: [-\.0-9]+, [0-9]+ ms$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*<[^>[:space:]]*(attack|BAD|debug|deny|error|expn|promisc|refused)[^>[:space:]]*>.*$ + +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) (Passed BAD-HEADER|Blocked SPAM), \[[0-9-]+\] <[^[:space:]]*> -> <[^[:space:]]*>(, (quarantine|Message-ID|mail_id|Hits|queued_as): [^[:space:]]+)+, [0-9]+ ms$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: client [\.0-9]+#[0-9]+: update forwarding denied$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: zone .*: refresh: failure trying master .*: timed out ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dccproc\[[0-9]+\]: continue not asking DCC [0-9]+ seconds after failure$ @@ -44,11 +43,11 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate peer name verification failed for [^[:space:]]+: (CommonName mis-match:.*|[0-9]+ dNSNames in certificate found, but none matches)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate verification failed for [^[:space:]]+:( num=7:certificate signature failure|( num=10:)?certificate has expired| num=24:invalid CA certificate)$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:xdigit:]]+: (to|relay|delay|delays|dsn)=([^[:space:]]+, )status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:xdigit:]]+: ((to|relay|delay|delays|dsn)=[^[:space:]]+, )status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:xdigit:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: [[:xdigit:]]+: ([^[:space:]]+=[^[:space:]]+, )*(from|helo|message\-id|to)=<[^>]*(attack|BAD|debug|denied|deny|error|expn|refused)[^>]*>.*$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|BAD|debug|denied|deny|error|expn|refused)[^[:space:]]* has a valid A record$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: [[:xdigit:]]+: ([^[:space:]]+=[^[:space:]]+, )*(from|helo|message-id|to)=<[^>]*(attack|BAD|debug|denied|deny|error|expn|promisc|refused)[^>]*>.*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|BAD|debug|denied|deny|error|expn|promisc|refused)[^[:space:]]* has a valid A record$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [^[:space:]]+ \([^[:space:]\[]+\[[\.0-9]+\]\) - USER anonymous \(Login failed\): Can't find user\.$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: read(_socket)?_data: (read|recv) failure for [[:digit:]]+\. Error = (No route to host|Connection (reset by peer|timed out)) ?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smbd\[[0-9]+\]: write_socket_data: write failure\. Error = Connection reset by peer ?$ @@ -81,5 +80,7 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\]$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mod_auth_shadow: VALIDATE: user: [^[:space:]]+, Authentication failure$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: SASL LOGIN authentication failed: authentication failure$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: SASL authentication failure: Password verification failed$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: SASL (LOGIN|PLAIN) authentication failed: authentication failure$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.imapproxyd\[[0-9]+\]: LOGIN: '[^[:space:]]+' \([:\.0-9]+\) failed: non-OK server response to LOGIN command$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9-]+\) do_executable/do_unzip failed, ignoring: format error: bad signature: 0x00905a4d at offset 0 in file /var/lib/amavis/amavis-[0-9T-]+/parts/part-[0-9]+$ diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix index 4f9cc32..2f7bebc 100644 --- a/logcheck/violations.ignore.d/postfix +++ b/logcheck/violations.ignore.d/postfix @@ -13,9 +13,9 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate verification failed for [^[:space:]]+:( num=7:certificate signature failure|( num=10:)?certificate has expired| num=24:invalid CA certificate)$ # Remote hosts refusing to talk is not a security thread -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:xdigit:]]+: (to|relay|delay|delays|dsn)=([^[:space:]]+, )status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:xdigit:]]+: ((to|relay|delay|delays|dsn)=[^[:space:]]+, )status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [[:xdigit:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: .*$ # Suspiciously worded hostname or email address is not a security thread -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: [[:xdigit:]]+: ([^[:space:]]+=[^[:space:]]+, )*(from|helo|message\-id|to)=<[^>]*(attack|BAD|debug|denied|deny|error|expn|refused)[^>]*>.*$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|BAD|debug|denied|deny|error|expn|refused)[^[:space:]]* has a valid A record$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: [[:xdigit:]]+: ([^[:space:]]+=[^[:space:]]+, )*(from|helo|message-id|to)=<[^>]*(attack|BAD|debug|denied|deny|error|expn|promisc|refused)[^>]*>.*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/[[:alnum:]]+\[[0-9]+\]: warning: no MX host for [^[:space:]]*(attack|BAD|debug|denied|deny|error|expn|promisc|refused)[^[:space:]]* has a valid A record$ diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp index cda4242..45baa84 100644 --- a/logcheck/violations.ignore.d/temp +++ b/logcheck/violations.ignore.d/temp @@ -26,7 +26,9 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\]$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ mod_auth_shadow: VALIDATE: user: [^[:space:]]+, Authentication failure$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: SASL LOGIN authentication failed: authentication failure$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: SASL authentication failure: Password verification failed$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: warning: [^[:space:]]+\[[\.0-9]+\]: SASL (LOGIN|PLAIN) authentication failed: authentication failure$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in\.imapproxyd\[[0-9]+\]: LOGIN: '[^[:space:]]+' \([:\.0-9]+\) failed: non-OK server response to LOGIN command$ # sm@xayide.jones.dk tries aggressively to auto-login #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_unix\) (authentication failure|2 more authentication failures); logname= uid=0 euid=0 tty=ssh ruser= rhost=81.19.251.(69|74) user=sm$ #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: error: PAM: Authentication failure for sm from 81.19.251.(69|74)$ |