Hi,

On Tue, May 30, 2006 at 10:35:23 +0200, Elmar Hoffmann wrote:

> The new openssh 4.3 changed the message for failed reverse-lookups to
> contain BREAK-IN instead of BREAKIN. [...]

I just found that this also applies to the other "POSSIBLE BREAKIN ATTEMPT" rule in violations.ignore.d/logcheck-ssh. Additionally, that other rule does not contain the word "failed" and thus these messages actually are in the system events level and not the violations one. Thus the attached patch against CVS fixes and moves that rule over to ignore.d.server/ssh.

elmar

--
Elmar Hoffmann <[EMAIL PROTECTED]>
GPG key available via pgp.net
Index: rulefiles/linux/ignore.d.server/ssh
===================================================================
RCS file: /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/ssh,v
retrieving revision 1.14
diff -u -r1.14 ssh
--- rulefiles/linux/ignore.d.server/ssh 15 Oct 2005 14:06:13 -0000 1.14
+++ rulefiles/linux/ignore.d.server/ssh 21 Jun 2006 09:46:50 -0000
@@ -11,3 +11,4 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: nss_ldap: reconnect(ing|ed)
to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive
identification string from (::ffff:)?[:0-9a-f.]{7,15}$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Authorized to
[^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+
maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE
BREAK-?IN ATTEMPT!$
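Review bot: the `Address [._[:alnum:]-]+` field in the added rule cannot match an address that contains colons, so an IPv6 or IPv4-mapped address (the `::ffff:` form that the "Did not receive identification string" rule two lines above already allows for) would not be suppressed and would still show up in the system events report. Consider using the same address expression as that rule, or a class that includes the colon such as `Address [:.0-9a-f]+ maps to`, so both address families are covered. The `BREAK-?IN` alternation correctly accepts both the pre-4.3 and the 4.3 wording.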
Index: rulefiles/linux/violations.ignore.d/logcheck-ssh
===================================================================
RCS file:
/cvsroot/logcheck/logcheck/rulefiles/linux/violations.ignore.d/logcheck-ssh,v
retrieving revision 1.4
diff -u -r1.4 logcheck-ssh
--- rulefiles/linux/violations.ignore.d/logcheck-ssh 4 Jun 2006 19:22:35
-0000 1.4
+++ rulefiles/linux/violations.ignore.d/logcheck-ssh 21 Jun 2006 09:46:50
-0000
@@ -1,4 +1,3 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny,
line [0-9]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\)
failed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny,
line [0-9]+: host name/name mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking
getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+
maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE
BREAKIN ATTEMPT!$
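Review bot: the removal is consistent with the cover note: the deleted pattern is the only one in this file whose message does not contain "failed", which is why it never matched anything at the violations level, and its replacement in ignore.d.server/ssh uses `BREAK-?IN` so the old literal `BREAKIN` spelling is not lost. One thing worth confirming before merging is that no local violations.d pattern picks this message up on another keyword (for example `ATTEMPT`), because a line reported as a violation is not filtered by ignore.d.server and would then be reported again after this change.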
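To see what the moved rule does and does not suppress, here is an added check (not part of Elmar's patch or of logcheck itself) that runs the new ignore.d.server/ssh rule over a few constructed sshd log lines with grep -E, which is how logcheck applies its rule files. It assumes a grep -E that understands `\w` (GNU grep does); the hostnames, PIDs and addresses are made up.

```shell
# Added example, not part of the patch or of logcheck: apply the rule that the
# patch moves into ignore.d.server/ssh to constructed sshd log lines with
# grep -E, the way logcheck's egrep would. Assumes grep -E understands \w
# (GNU grep does). All hostnames, PIDs and addresses below are made up.

# The rule exactly as added by the patch (a single line in the rule file).
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$'

# rule_matches LINE: succeeds if the rule would drop LINE from the report.
rule_matches() {
    printf '%s\n' "$1" | grep -E -q -- "$RULE"
}

# unsuppressed_count: feeds constructed log lines through the rule and prints
# how many of them would still appear in the system events section.
unsuppressed_count() {
    n=0
    while IFS= read -r line; do
        rule_matches "$line" || n=$((n + 1))
    done <<'EOF'
May 30 10:35:23 gateway sshd[12345]: Address 192.0.2.10 maps to host.example, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
May 30 10:35:24 gateway sshd[12346]: Address 192.0.2.10 maps to host.example, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May 30 10:35:25 gateway sshd[12347]: Address ::ffff:192.0.2.10 maps to host.example, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May 30 10:35:26 gateway sshd[12348]: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAK-IN ATTEMPT!
EOF
    echo "$n"
}

# Lines 1 and 2 (pre-4.3 and 4.3 wording) are suppressed. Line 3 is not,
# because the address class has no ':' and so misses an IPv4-mapped IPv6
# address. Line 4 is the other message, which is handled by
# violations.ignore.d/logcheck-ssh, not by this rule. Prints 2.
unsuppressed_count
```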
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel