From 4c4497c0be794cc6b8d8b33a60e5fad949a5432f Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Mon, 12 Dec 2005 00:55:18 +0000
Subject: Move postfix smtp refusals to violations.

---
 logcheck/ignore.d.server/local | 19 ++++++++++---------
 logcheck/ignore.d.server/postfix | 6 ++++--
 logcheck/violations.ignore.d/local | 3 +--
 logcheck/violations.ignore.d/postfix | 4 ++--
 4 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/logcheck/ignore.d.server/local b/logcheck/ignore.d.server/local
index c1410ad..9abe2ab 100644
--- a/logcheck/ignore.d.server/local
+++ b/logcheck/ignore.d.server/local
@@ -64,6 +64,13 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: DHCP(ACK|OFFER) from [\.0-9]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: bound to [\.0-9]+ -- renewal in [0-9]+ seconds\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient(-2.2.x)?: irda0: unknown hardware address type 783$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: Abandoning IP address [\.0-9]+: (declined\.|pinged before offer) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: BOOT(DISCOVER|REQUEST) from [0-9a-f:]+ via eth[0-9]+ (\(non-rfc1048)\) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: BOOTREPLY for [\.0-9]+ to [^[:space:]]+ \([0-9a-f:]+\) via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+ via eth[0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+ \((not )?found\) ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ ?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\. ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Abandoning IP address [\.0-9]+: pinged before offer ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: BOOTREQUEST from [0-9a-f:]+ ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+( \([^\)]+\))? via eth[0-9]+ ?$
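Review bot: In the moved BOOT(DISCOVER|REQUEST) rule the grouping `(\(non-rfc1048)\)` closes the group before the escaped paren and carries no `?`, so the ` (non-rfc1048)` suffix is mandatory and a plain `dhcpd-2.2.x: BOOTREQUEST from … via eth0` line would not be ignored by it. The lines are only re-sorted here, so this predates the commit, but if the suffix was meant to be optional the tail should read `( \(non-rfc1048\))? ?$`; I cannot tell from this page whether dhcpd 2.2.x logs the bare form, so please confirm against real log output before changing it.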
@@ -76,13 +83,6 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: Wrote [0-9]+ (leases|deleted host decls|new dynamic host decls) to leases file\. ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: accepting packet with data after udp payload. ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd: ip length 576 disagrees with bytes received 590. ?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: Abandoning IP address [\.0-9]+: (declined\.|pinged before offer) ?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: BOOT(DISCOVER|REQUEST) from [0-9a-f:]+ via eth[0-9]+ (\(non-rfc1048)\) ?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: BOOTREPLY for [\.0-9]+ to [^[:space:]]+ \([0-9a-f:]+\) via eth[0-9]+ ?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCP(ACK|NAK|OFFER) on [\.0-9]+ to [0-9a-f:]+ via eth[0-9]+ ?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCP(DECLINE on|RELEASE of|REQUEST for) [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+ \((not )?found\) ?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCPINFORM from [\.0-9]+ ?$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhcpd-2.2.x: DHCPREQUEST for [\.0-9]+ from [0-9a-f:]+( \([^[:space:]]+\))? via eth[0-9]+: wrong network\. ?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: run_pictures: Directory [^[:space:]] does not exist\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: Pingning af.* mislykkedes, deaktiver terminal!
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: \(child [0-9]+\) gdm_slave_xioerror_handler: Fatal X-fejl - genstarter [0-9:\.]*$
@@ -182,8 +182,9 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer certi?ficate could not be verified$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: SSL_connect error to [^[:space:]]+: -1
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX \. workaround for [^[:space:]]+\[[\.0-9]+\]$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection|refused to talk to me: .*)|No route to host) \(port 25\)$
+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection (reset by peer|timed out)|read timeout|server dropped connection|No route to host) +\(port 25\)$
+
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: no MX host for [^[:space:]]+ has a valid A record$
diff --git a/logcheck/ignore.d.server/postfix b/logcheck/ignore.d.server/postfix
index 8c12809..bca6b88 100644
--- a/logcheck/ignore.d.server/postfix
+++ b/logcheck/ignore.d.server/postfix
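Review bot: The removed `[^[:space:]]+ status=deferred \(connect to …: (Connection refused|server refused mail service)\)` rule gets no replacement in this hunk and none in either violations.ignore.d hunk of this commit, so the deferred-delivery line for a refused connection — which contains "refused" just like the connect-to line being moved, and so belongs in violations.ignore.d for the same reason the new comment in the postfix hunk gives — is now left unsuppressed. If that is not intended, add the equivalent `status=deferred` rule to violations.ignore.d/local next to the new connect-to rule. The new rule's ` +\(port 25\)` also widens the single space of the old pattern to one or more; harmless, but worth a word in the comment if it is deliberate. Both points apply equally to the logcheck/ignore.d.server/postfix hunk below.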
@@ -9,8 +9,10 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: Peer certi?ficate could not be verified$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: SSL_connect error to [^[:space:]]+: -1
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [A-Z0-9]+: enabling PIX \. workaround for [^[:space:]]+\[[\.0-9]+\]$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [^[:space:]]+ status=deferred \(connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service)\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection (refused|reset by peer|timed out)|read timeout|server (refused mail service|dropped connection|refused to talk to me: .*)|No route to host) \(port 25\)$
+
+# Ignore common errors on remote hosts (refusals are in violations.ignore.d)
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection (reset by peer|timed out)|read timeout|server dropped connection|No route to host) +\(port 25\)$
+
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: verify error:num=10:certificate has expired$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: bad size limit "truncates" in EHLO reply from [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: warning: host [^[:space:]]+\[[\.0-9]+\] (greeted me|replied to HELO/EHLO) with my own hostname [^[:space:]]+$
diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index bdc180c..4c4e2f7 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -54,8 +54,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate peer name verification failed for [^[:space:]]+: (CommonName mis-match: .+|[0-9]+ dNSNames in certificate found, but none matches)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate verification failed for [^[:space:]]+:( num=10:)?certificate has expired$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(qmgr|smtp)\[[0-9]+\]: [^[:space:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\))$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused (mail service|to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\)))) +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [^[:space:]]+: to=<[^>]*>, relay=none, delay=[0-9]+, status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm\)|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\))$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [^[:space:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\)|554 <[^[:space:]]+\[[\.0-9]+\]>: Client host rejected: No mail accepted from you)$
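Review bot: The merged rule matches `refused to talk to me: 550 …` only inside the `connect to host[ip]: server refused … (port 25)` wording, whereas the removed second rule matched the separate `postfix/(qmgr|smtp)[pid]: QUEUEID: host host[ip] refused to talk to me: …` line. The smtp form is still covered by the last context line of this hunk (a superset that also lists the 554 reply), but the qmgr form without the `status=deferred (delivery temporarily suspended: …)` wrapper no longer has an ignore rule in this file; if qmgr does emit that bare line, keep a `postfix/qmgr\[[0-9]+\]: [^[:space:]]+: host … refused to talk to me: …` rule rather than folding it into the connect-to rule — I cannot confirm from this page which form qmgr logs. The same merge is made in the logcheck/violations.ignore.d/postfix hunk below. Note that the `@@ -54,8 +54,7 @@` header counts two more old lines than are shown here, so a context line may be missing from this view.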
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index a7d4ded..dc917c1 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
@@ -13,8 +13,8 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate peer name verification failed for [^[:space:]]+: (CommonName mis-match: .+|[0-9]+ dNSNames in certificate found, but none matches)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: certificate verification failed for [^[:space:]]+:( num=10:)?certificate has expired$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service) \(port 25\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/(qmgr|smtp)\[[0-9]+\]: [^[:space:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\))$
+# Too much spam refuse to eat their own shit
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused (mail service|to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\)))) +\(port 25\)$
 # Ignore blacklisting due to being dynamic - or without explaining/hinting at all
 ## Grr - could've been a single rule if only logcheck supported custom classes
-- 
cgit v1.2.3
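Review bot: The new comment `# Too much spam refuse to eat their own shit` does not tell a reader of violations.ignore.d which log lines the rule below suppresses or why they are not a local security event, which is the one thing a comment in this file should do. Suggest `# Outbound delivery refused by the remote MTA (connection refused, 550 block-list rejects): remote policy, not a local security event`. The sibling rule added to violations.ignore.d/local in this commit carries no comment at all; the same wording would fit there too. Beyond wording, the four closing parens in `\(dynamic.reject\)))) +\(port 25\)$` make this rule hard to verify by eye; if the "single rule" wish in the `## Grr` context line is not binding, splitting it back into a connection-refused rule and a refused-to-talk-to-me rule would be easier to maintain.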