Bug#703936: logcheck-database: SSH Bad Protocol Version Identification Rule is incomplete
tags 703936 + patch
thanks

Hi,

replacing [^'] with [^[:space:]] does the trick here.

cheers, piem

--- logcheck/ignore.d.server/ssh.orig 2015-05-11 10:57:32.745101129 -0300
+++ logcheck/ignore.d.server/ssh2015-05-11 10:58:00.849240490 -0300
@@ -1,7 +1,7 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?(: (RSA|ECDSA) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Authorized to [^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '[^']*' from ([:.[:xdigit:]]+|UNKNOWN)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification ‘[^[:space:]]*’ from ([:.[:xdigit:]]+|UNKNOWN) port [[:digit:]]{1,5}$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ([:[:xdigit:].]+|UNKNOWN)+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Bad packet length [[:digit:]]+\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Corrupted MAC on input\.$ logchecker-ssh-bad-proto-port-2.patch.sig Description: Binary data
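Review bot: the added line requires a trailing ` port [[:digit:]]{1,5}`, but the three lines quoted in the original report (sshd on squeeze) end right after the address, so they would still not be suppressed; making the suffix optional, `( port [[:digit:]]{1,5})?$`, covers both log formats. Two further points on the same line: the quotes around `[^[:space:]]*` appear as typographic ‘ ’ whereas the removed line uses the ASCII `'` that sshd actually prints, so unless that is a mail artifact the rule will never match; and `[^[:space:]]*` rejects any identification string containing a space, which the old `[^']*` accepted, so a line carrying, say, a plain-text HTTP request sent to the SSH port would now be reported where it was previously ignored.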
Bug#703936: logcheck-database: SSH Bad Protocol Version Identification Rule is incomplete
Package: logcheck-database
Version: 1.3.13
Severity: normal

The rule for SSH ignoring Bad protocol version identification assumes there are no single quotes inside the version string ('[^']'). I am however getting mails including those lines:

Mar 25 22:57:04 Debian-60-squeeze-64-minimal sshd[12144]: Bad protocol version identification '\004\241\031\a\232k\273#\203J\223\030\246\354t\260n\346q\004*\231\264q\035\321.l5\260)r\224!\030C\f#ytS8\344\343\363\334'{_D\033\317[e\006\362\327\344\006-pH\356\0205\271\306\360\002\217\325y\023~\026\3412dc\021u\354\004\353m\225\210\272\030\311w\030I)\031\016\206\345\342' from 119.78.236.189
Mar 25 16:21:14 Debian-60-squeeze-64-minimal sshd[4015]: Bad protocol version identification '\354\035\371^\277\376\323\332{0\016Dd\351\237\356\302\252\275\331\315w\306\343\246m\377@waj\231\374C\236\234\207\210p\363C9}\366\2532xiM\255f\232!\376\335[\363'\b\217!Zp(\314\266\253?' from 210.73.57.141
Mar 25 13:18:36 Debian-60-squeeze-64-minimal sshd[317]: Bad protocol version identification '\301h\355\243\375\2106\005/H\256\001\362\250\365d\333Hd\235\353\322\232vC\335\003\274\353JBW\374\353\263\272#\337\020\250\376\247\344\\\v\301\336\036\236\t\235\026\273\003/\021C\307\264\2338E7\341\303'B\246\357\321^\366\200Q\364\234G\374\302\207\3113\016\306\222\244\217\216\216\177\351\212j\325\255;' from 122.206.34.166

-- System Information:
Debian Release: 6.0.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- Configuration Files:
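The following is an added example, not part of the bug report or of the logcheck package: it runs the shipped ignore rule and the proposed replacement (written with ASCII quotes, and with the " port N" suffix the patch adds) through grep -E, as logcheck does, against constructed sshd lines that reproduce the report's quote-inside-the-string case plus the with-port and space-inside-the-string cases. Hostnames, addresses (documentation range) and the shortened identification strings are constructed.

```shell
#!/bin/sh
# Added example (not the bug report's or logcheck's own code): which sample
# sshd lines does each logcheck ignore rule suppress? grep -E is what
# logcheck itself applies its rule files with.

# Rule as shipped (the "-" line of the patch): no single quote allowed
# inside the version string, and no " port N" suffix allowed.
OLD_RULE="^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\\[[[:digit:]]+\\]: Bad protocol version identification '[^']*' from ([:.[:xdigit:]]+|UNKNOWN)\$"

# Proposed rule (the "+" line), assuming ASCII quotes: any non-whitespace
# is accepted inside the quotes, and " port N" becomes mandatory.
NEW_RULE="^\\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\\[[[:digit:]]+\\]: Bad protocol version identification '[^[:space:]]*' from ([:.[:xdigit:]]+|UNKNOWN) port [[:digit:]]{1,5}\$"

PREFIX="Mar 25 22:57:04 host sshd[12144]: Bad protocol version identification"

# Constructed sample lines (192.0.2.0/24 is the documentation range).
LINE_PLAIN="$PREFIX '\004\241\031' from 192.0.2.10"                   # no quote, no port
LINE_QUOTE="$PREFIX '\334'{_D\033' from 192.0.2.11"                   # quote inside, no port
LINE_QUOTE_PORT="$PREFIX '\334'{_D\033' from 192.0.2.11 port 45678"   # quote inside, with port
LINE_SPACE_PORT="$PREFIX 'GET / HTTP/1.1' from 192.0.2.12 port 50000" # spaces inside, with port

# matches RULE LINE: exit status 0 when logcheck would drop LINE under RULE.
matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# verdicts RULE: one word per sample line, in the order defined above.
verdicts() {
    out=""
    for line in "$LINE_PLAIN" "$LINE_QUOTE" "$LINE_QUOTE_PORT" "$LINE_SPACE_PORT"; do
        if matches "$1" "$line"; then out="$out ignored"; else out="$out REPORTED"; fi
    done
    printf '%s\n' "${out# }"
}

echo "old rule: $(verdicts "$OLD_RULE")"   # ignored REPORTED REPORTED REPORTED
echo "new rule: $(verdicts "$NEW_RULE")"   # REPORTED REPORTED ignored REPORTED
```

The old rule only suppresses the quote-free, port-free line; the proposed one suppresses the quoted string only when the port suffix is present, and neither suppresses a string containing a space.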