Bug#703936: logcheck-database: SSH Bad Protocol Version Idenitifcation Rule is incomplete

2015-08-07 Thread Paul Brossier
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

tags 703936 + patch
thanks

Hi,

replacing [^'] with [^[:space:]] does the trick here.

cheers, piem
-BEGIN PGP SIGNATURE-
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=uUHi
-END PGP SIGNATURE-
--- logcheck/ignore.d.server/ssh.orig   2015-05-11 10:57:32.745101129 -0300
+++ logcheck/ignore.d.server/ssh2015-05-11 10:58:00.849240490 -0300
@@ -1,7 +1,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted 
(gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased)
 for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?(: 
(RSA|ECDSA) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Address 
[._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the 
address - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Authorized to 
[^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol 
version identification '[^']*' from ([:.[:xdigit:]]+|UNKNOWN)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol 
version identification ‘[^[:space:]]*’ from ([:.[:xdigit:]]+|UNKNOWN) port 
[[:digit:]]{1,5}$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive 
identification string from ([:[:xdigit:].]+|UNKNOWN)+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: 
Bad packet length [[:digit:]]+\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: 
Corrupted MAC on input\.$
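Review bot: The added rule quotes the identification string with the curly ‘ ’ characters, whereas the removed rule and the sample log lines in the report use ASCII `'`; unless that is a mail-encoding artifact, the new rule will never match and these lines keep being reported. `[^[:space:]]*` also leaves any identification string that contains whitespace unmatched, and the now-mandatory ` port [[:digit:]]{1,5}` drops the older message format without a port that the report's own samples show. Since the line is already bounded by the `... identification '` prefix and the `' from ([:.[:xdigit:]]+|UNKNOWN)` suffix, a more complete form is `version identification '.*' from ([:.[:xdigit:]]+|UNKNOWN)( port [[:digit:]]{1,5})?$`. The hunk lines appear to have been wrapped mid-expression by the mail client (e.g. the `Bad protocol ` / `version identification` split), so the patch as shown may not apply verbatim.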


logchecker-ssh-bad-proto-port-2.patch.sig
Description: Binary data


Bug#703936: logcheck-database: SSH Bad Protocol Version Idenitifcation Rule is incomplete

2013-03-25 Thread Martin Weinelt
Package: logcheck-database
Version: 1.3.13
Severity: normal

The SSH rule that ignores "Bad protocol version identification" lines assumes there
are no single quotes inside the version string ('[^']'). I am, however, getting
mails that include lines such as these:

Mar 25 22:57:04 Debian-60-squeeze-64-minimal sshd[12144]: Bad protocol version 
identification 
'\004\241\031\a\232k\273#\203J\223\030\246\354t\260n\346q\004*\231\264q\035\321.l5\260)r\224!\030C\f#ytS8\344\343\363\334'{_D\033\317[e\006\362\327\344\006-pH\356\0205\271\306\360\002\217\325y\023~\026\3412dc\021u\354\004\353m\225\210\272\030\311w\030I)\031\016\206\345\342'
 from 119.78.236.189

Mar 25 16:21:14 Debian-60-squeeze-64-minimal sshd[4015]: Bad protocol version 
identification 
'\354\035\371^\277\376\323\332{0\016Dd\351\237\356\302\252\275\331\315w\306\343\246m\377@waj\231\374C\236\234\207\210p\363C9}\366\2532xiM\255f\232!\376\335[\363'\b\217!Zp(\314\266\253?'
 from 210.73.57.141

Mar 25 13:18:36 Debian-60-squeeze-64-minimal sshd[317]: Bad protocol version 
identification 
'\301h\355\243\375\2106\005/H\256\001\362\250\365d\333Hd\235\353\322\232vC\335\003\274\353JBW\374\353\263\272#\337\020\250\376\247\344\\\v\301\336\036\236\t\235\026\273\003/\021C\307\264\2338E7\341\303'B\246\357\321^\366\200Q\364\234G\374\302\207\3113\016\306\222\244\217\216\216\177\351\212j\325\255;'
 from 122.206.34.166



-- System Information:
Debian Release: 6.0.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- Configuration Files:
/etc/logcheck/cracking.d/kernel [Errno 13] Permission denied: 
u'/etc/logcheck/cracking.d/kernel'
/etc/logcheck/cracking.d/rlogind [Errno 13] Permission denied: 
u'/etc/logcheck/cracking.d/rlogind'
/etc/logcheck/cracking.d/rsh [Errno 13] Permission denied: 
u'/etc/logcheck/cracking.d/rsh'
/etc/logcheck/cracking.d/smartd [Errno 13] Permission denied: 
u'/etc/logcheck/cracking.d/smartd'
/etc/logcheck/cracking.d/tftpd [Errno 13] Permission denied: 
u'/etc/logcheck/cracking.d/tftpd'
/etc/logcheck/cracking.d/uucico [Errno 13] Permission denied: 
u'/etc/logcheck/cracking.d/uucico'
/etc/logcheck/ignore.d.paranoid/bind [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/bind'
/etc/logcheck/ignore.d.paranoid/cron [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/cron'
/etc/logcheck/ignore.d.paranoid/incron [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/incron'
/etc/logcheck/ignore.d.paranoid/logcheck [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/logcheck'
/etc/logcheck/ignore.d.paranoid/postfix [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/postfix'
/etc/logcheck/ignore.d.paranoid/ppp [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/ppp'
/etc/logcheck/ignore.d.paranoid/pureftp [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/pureftp'
/etc/logcheck/ignore.d.paranoid/qpopper [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/qpopper'
/etc/logcheck/ignore.d.paranoid/squid [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/squid'
/etc/logcheck/ignore.d.paranoid/ssh [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/ssh'
/etc/logcheck/ignore.d.paranoid/stunnel [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/stunnel'
/etc/logcheck/ignore.d.paranoid/sysklogd [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/sysklogd'
/etc/logcheck/ignore.d.paranoid/telnetd [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/telnetd'
/etc/logcheck/ignore.d.paranoid/tripwire [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/tripwire'
/etc/logcheck/ignore.d.paranoid/usb [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.paranoid/usb'
/etc/logcheck/ignore.d.server/acpid [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/acpid'
/etc/logcheck/ignore.d.server/amandad [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/amandad'
/etc/logcheck/ignore.d.server/amavisd-new [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/amavisd-new'
/etc/logcheck/ignore.d.server/anacron [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/anacron'
/etc/logcheck/ignore.d.server/anon-proxy [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/anon-proxy'
/etc/logcheck/ignore.d.server/apache [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/apache'
/etc/logcheck/ignore.d.server/apcupsd [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/apcupsd'
/etc/logcheck/ignore.d.server/arpwatch [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/arpwatch'
/etc/logcheck/ignore.d.server/asterisk [Errno 13] Permission denied: 
u'/etc/logcheck/ignore.d.server/asterisk'
/etc/logcheck/ignore.d.server/automount [Errno 13] Permission denied: