authorJonas Smedegaard <dr@jones.dk>2005-12-13 01:41:29 +0000
committerJonas Smedegaard <dr@jones.dk>2005-12-13 01:41:29 +0000
commita85319f4f8ca2e3bcadc20c05d907ac5ba0da69f (patch)
tree940b36137c27effbbf501ca07b1ef590dce15fed /logcheck
parente970b213fe4e01e10e7392a8bebcac2c3c00af1f (diff)
Enhance temporarily ignoring SSH failed logins to include illegal (non-existing) users.
Diffstat (limited to 'logcheck')
-rw-r--r--logcheck/violations.ignore.d/local2
-rw-r--r--logcheck/violations.ignore.d/temp2
2 files changed, 2 insertions, 2 deletions
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index c49a653..88bcc20 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -97,7 +97,7 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|afpd|kdm: :0|pop|samba)\[[0-9]+\]):( \(pam_unix\))? authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*( user=[[:alnum:]]+)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_unix\) pam_setcred(DELETE_CRED) for [^[:space:]]* failed: Error in service module
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for (illegal user )?[^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\]$
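Review bot: The added `(illegal user )?` alternative lands in `violations.ignore.d/local` here as well as in `violations.ignore.d/temp` (second hunk), and in `local` the ignore is permanent, so `sshd` failed-password lines for non-existent accounts will no longer surface in logcheck reports at all even though the commit message calls the change temporary. A burst of `Failed password for illegal user ...` lines is one of the few password-guessing indicators this file still lets through, so the `local` rule should carry a comment stating where those events are handled instead, in the style of the `temp` file's existing `# Failed logins ...` line, e.g. `# sshd failed logins (incl. non-existent users) are reported by a separate tool, not logcheck`, or the change could be kept to `temp` only. Note also that only the exact `illegal user ` wording is matched; if the local sshd prints `Invalid user` instead, those lines will still be reported by this rule, which may or may not be intended.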
diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp
index 90662ae..0982913 100644
--- a/logcheck/violations.ignore.d/temp
+++ b/logcheck/violations.ignore.d/temp
@@ -20,7 +20,7 @@
# Failed logins is impossible to deal with through logcheck anyway
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|afpd|kdm: :0|pop|samba)\[[0-9]+\]):( \(pam_unix\))? authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*( user=[[:alnum:]]+)?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_unix\) pam_setcred(DELETE_CRED) for [^[:space:]]* failed: Error in service module
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for (illegal user )?[^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> [^[:space:]]+ for (imap|netatalk|pop|samba|ssh) service$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$