From 62c63f4c65d969e8d7da9ed11bdfee386194d6ae Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Mon, 19 Dec 2005 16:45:19 +0000
Subject: Ignore another smtp refusal. Ignore illegal ssh users.

---
 logcheck/violations.ignore.d/local | 4 ++--
 logcheck/violations.ignore.d/postfix | 2 +-
 logcheck/violations.ignore.d/temp | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'logcheck/violations.ignore.d')

diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index 23677bd..e27ba52 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -58,7 +58,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service) +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: ([^[:space:]]+ +)?521 [^[:space:]]+ access denied +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: ([^[:space:]]+ +)?550 (<[^[:space:]]+>: Client host rejected: Blocked|[\.0-9]+, Sorry access denied to you|ERROR: Mail Refused - [\.0-9]+ - See [^[:space:]]+|Host [\.0-9]+ is reject as in dynamic reject list \(dynamic\.reject\)) +\(port 25\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: ([^[:space:]]+ +)?554 (<[^[:space:]]+>: Client host rejected: Reject Dynamic ip|#5\.5\.4 Relaying denied\. IP name lookup failed|#5\.7\.1 <[^[:space:]]+\[[\.0-9]+\]>: Client host rejected: No mail accepted from you) +\(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: ([^[:space:]]+ +)?554 (<[^[:space:]]+>: Client host rejected: Reject Dynamic ip|#5\.5\.4 Relaying denied\. IP name lookup failed for [\.0-9]+|#5\.7\.1 <[^[:space:]]+\[[\.0-9]+\]>: Client host rejected: No mail accepted from you) +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [^[:space:]]+: to=<[^>]*>, relay=none, delay=[0-9]+, status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm\)|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\))$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: [^[:space:]]+: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\)|554 <[^[:space:]]+\[[\.0-9]+\]>: Client host rejected: No mail accepted from you)$
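Review bot: The widened 554 alternative on the `+` line silences every remote `Relaying denied. IP name lookup failed for <ip>` response in the violations report, and nothing in the file records why that is safe to drop. A sustained run of such rejections from many different remote hosts is also what you would see if this machine were itself relaying unsolicited mail or had lost its reverse DNS, so the rule hides a useful signal along with the noise; I would precede the line with `# Outbound rejections by remote policy (missing PTR, dynamic-IP lists): not an attack on us, but a spike means our reputation changed - watch mail.log volume separately`. The `[\.0-9]+` address atoms here, as throughout the file, match IPv4 only; an IPv6 peer address in the brackets will not match and the message will surface again, which is fail-safe but worth a note.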
@@ -100,7 +100,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postgres\[[0-9]+\]: \[[0-9-]+\] DEBUG: .*
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|afpd|kdm: :0|pop|samba)\[[0-9]+\]):( \(pam_unix\))? authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*( user=[[:alnum:]]+)?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_unix\) pam_setcred(DELETE_CRED) for [^[:space:]]* failed: Error in service module
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for (illegal user )?[^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (Failed password for( illegal user)?|Illegal user) [^[:space:]]+ from [\.0-9]+( port [0-9]+ ssh2)?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ i(map|pop3)d\[[0-9]+\]: (AUTHENTICATE (LOGIN|PLAIN) failure|Login failed)( user=[^[:space:]]*)?( auth=[^[:space:]]*)? host=([^[:space:]]* )?\[[^[:space:]]+\]$
diff --git a/logcheck/violations.ignore.d/postfix b/logcheck/violations.ignore.d/postfix
index 7b67e56..e86e037 100644
--- a/logcheck/violations.ignore.d/postfix
+++ b/logcheck/violations.ignore.d/postfix
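Review bot: The new sshd rule drops both `Failed password for <user>` and `Illegal user <user>` lines from the violations report with no comment giving the trade-off, whereas the identical rule in violations.ignore.d/temp sits under `# Failed logins is impossible to deal with through logcheck anyway`. These lines are the primary brute-force indicator for a host that still accepts password logins, so the suppression should be justified in place, e.g. `# ssh password failures / unknown users: brute-force noise, too frequent to review here - enforce key-only auth or rate-limit at the firewall instead`. The `( port [0-9]+ ssh2)?` tail also makes port and protocol optional for the `Failed password` form, which is looser than the removed line; if only the `Illegal user` message lacks that suffix, `(Failed password for( illegal user)? [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2|Illegal user [^[:space:]]+ from [\.0-9]+)$` keeps the original precision.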
@@ -17,7 +17,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: (Connection refused|server refused mail service) +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: ([^[:space:]]+ +)?521 [^[:space:]]+ access denied +\(port 25\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: ([^[:space:]]+ +)?550 (<[^[:space:]]+>: Client host rejected: Blocked|[\.0-9]+, Sorry access denied to you|ERROR: Mail Refused - [\.0-9]+ - See [^[:space:]]+|Host [\.0-9]+ is reject as in dynamic reject list \(dynamic\.reject\)) +\(port 25\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: ([^[:space:]]+ +)?554 (<[^[:space:]]+>: Client host rejected: Reject Dynamic ip|#5\.5\.4 Relaying denied\. IP name lookup failed|#5\.7\.1 <[^[:space:]]+\[[\.0-9]+\]>: Client host rejected: No mail accepted from you) +\(port 25\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]: connect to [^[:space:]]+\[[\.0-9]+\]: server refused to talk to me: ([^[:space:]]+ +)?554 (<[^[:space:]]+>: Client host rejected: Reject Dynamic ip|#5\.5\.4 Relaying denied\. IP name lookup failed for [\.0-9]+|#5\.7\.1 <[^[:space:]]+\[[\.0-9]+\]>: Client host rejected: No mail accepted from you) +\(port 25\)$
 # Ignore blacklisting due to being dynamic - or without explaining/hinting at all
 ## Grr - could've been a single rule if only logcheck supported custom classes
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [^[:space:]]+: to=<[^>]*>, relay=none, delay=[0-9]+, status=deferred \(delivery temporarily suspended: host [^[:space:]]+\[[\.0-9]+\] refused to talk to me: ([^[:space:]]+ 550 ERROR: Mail Refused - [\.0-9]+ - See http://security.rr.com/mail_blocks.htm\)|550 Host [\.0-9]+ is reject as in dynamic reject list \(dynamic.reject\))$
diff --git a/logcheck/violations.ignore.d/temp b/logcheck/violations.ignore.d/temp
index 0982913..d25f894 100644
--- a/logcheck/violations.ignore.d/temp
+++ b/logcheck/violations.ignore.d/temp
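Review bot: The changed 554 rule is a byte-for-byte copy of the one changed in violations.ignore.d/local in this same commit, and the `## Grr - could've been a single rule` comment a few lines down shows the duplication is already felt. Two copies of a long alternation that must be edited in lockstep will drift (one file gets the next `for [\.0-9]+` style tweak, the other does not), and since logcheck reads every file in violations.ignore.d a single copy is enough to suppress the message. Keep the rule in `postfix` and delete it from `local`, or at least put `# Keep in sync with violations.ignore.d/local` above the line so the next editor knows. If the `local` copy exists because it is meant to diverge later, say so in that comment instead.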
@@ -20,7 +20,7 @@
 # Failed logins is impossible to deal with through logcheck anyway
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (dovecot-auth|(imap|i(map|pop3)d|afpd|kdm: :0|pop|samba)\[[0-9]+\]):( \(pam_unix\))? authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*( user=[[:alnum:]]+)?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_unix\) pam_setcred(DELETE_CRED) for [^[:space:]]* failed: Error in service module
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for (illegal user )?[^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: (Failed password for( illegal user)?|Illegal user) [^[:space:]]+ from [\.0-9]+( port [0-9]+ ssh2)?$
 #^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_unix\[[0-9]+\]: authentication failure; \(uid=0\) -> [^[:space:]]+ for (imap|netatalk|pop|samba|ssh) service$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ afpd\[[0-9]+\]: [^[:space:]]+: I:UAMSDaemon: uams_dhx_pam\.c :PAM: PAM_Error: Authentication failure$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ IMP\[[0-9]+\]: FAILED [^[:space:]]+ to [^[:space:]]+:143 as [^[:space:]]+$
-- cgit v1.2.3
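Review bot: The new sshd alternation only recognises the `Illegal user` wording on the `+` line; if this host's sshd is upgraded to a release that logs `Invalid user` instead, as later OpenSSH versions do, these lines will reappear in the violations output. That is fail-safe rather than dangerous, but the intent is clearer with `(Illegal|Invalid) user` and a comment such as `# sshd wording differs between releases (Illegal/Invalid user)` above the rule. The `[^[:space:]]+` user-name atom presumably cannot match an attempted name containing whitespace, so a few probes will still leak through to the report; worth stating next to the existing `# Failed logins is impossible to deal with through logcheck anyway` line so nobody tries to tighten the rule to fix it.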