Elmar Hoffmann
2006-May-30 08:35 UTC
[Logcheck-devel] Bug#369497: fixed violations ignore rules for openssh 4.3
Package: logcheck-database
Version: 1.2.44
Severity: normal
Tags: patch

The new openssh 4.3 changed the message for failed reverse-lookups to
contain BREAK-IN instead of BREAKIN. The attached patch fixes the
corresponding rule in violations.ignore.d/logcheck-ssh to match both.

elmar

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-bdclaim
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.5.1          Debian configuration management sy

logcheck-database recommends no packages.

-- debconf information:
  logcheck-database/conffile-cleanup: false
  logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:

-- 
Elmar Hoffmann <elho at elho.net>
GPG key available via pgp.net
ASCII Ribbon Campaign against HTML email & vCards

-------------- next part --------------
--- /etc/logcheck/violations.ignore.d/logcheck-ssh.dpkg-dist	2005-10-14 16:33:27.000000000 +0200
+++ /etc/logcheck/violations.ignore.d/logcheck-ssh	2006-05-30 10:24:44.450358753 +0200
@@ -1,4 +1,4 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: host name/name mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAKIN ATTEMPT!$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20060530/f162be9c/attachment.pgp
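Review bot: the rename to `BREAK-?IN` is applied only to the "reverse mapping checking getaddrinfo" rule, while the trailing context line of the same hunk, `Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$`, still carries the old spelling; if openssh 4.3 changed both messages the same way, that rule needs the same `BREAK-?IN` edit, otherwise the second message stops being ignored after the upgrade.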
Jamie L. Penman-Smithson
2006-Jun-04 19:25 UTC
Bug#369497: [Logcheck-devel] Bug#369497: fixed violations ignore rules for openssh 4.3
package logcheck-database
tags 369497 pending
thanks

On 30 May 2006, at 09:35, Elmar Hoffmann wrote:

> The new openssh 4.3 changed the message for failed reverse-lookups to
> contain BREAK-IN instead of BREAKIN. The attached patch fixes the
> corresponding rule in violations.ignore.d/logcheck-ssh to match both.

This will be fixed in the next release. Thanks for your bug report!

-j

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20060604/049a1cc2/attachment.pgp
Debian Bug Tracking System
2006-Jun-04 19:48 UTC
Processed: Re: [Logcheck-devel] Bug#369497: fixed violations ignore rules for openssh 4.3
Processing commands for control at bugs.debian.org:

> package logcheck-database
Ignoring bugs not assigned to: logcheck-database
> tags 369497 pending
Bug#369497: fixed violations ignore rules for openssh 4.3
Tags were: patch
Tags added: pending
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Elmar Hoffmann
2006-Jun-21 09:51 UTC
[Logcheck-devel] Bug#369497: fixed violations ignore rules for openssh 4.3
Hi,

on Tue, May 30, 2006 at 10:35:23 +0200, Elmar Hoffmann wrote:

> The new openssh 4.3 changed the message for failed reverse-lookups to
> contain BREAK-IN instead of BREAKIN.
[...]

I just found that this also applies to the other "POSSIBLE BREAKIN ATTEMPT" rule in violations.ignore.d/logcheck-ssh. Additionally that other rule does not contain the word "failed" and thus these messages actually are in the system events level and not the violations one. Thus the attached patch against CVS fixes and moves that rule over to ignore.d.server/ssh.

elmar

-- 
Elmar Hoffmann <elho at elho.net>
GPG key available via pgp.net
ASCII Ribbon Campaign against HTML email & vCards

-------------- next part --------------
Index: rulefiles/linux/ignore.d.server/ssh
==================================================================
RCS file: /cvsroot/logcheck/logcheck/rulefiles/linux/ignore.d.server/ssh,v
retrieving revision 1.14
diff -u -r1.14 ssh
--- rulefiles/linux/ignore.d.server/ssh	15 Oct 2005 14:06:13 -0000	1.14
+++ rulefiles/linux/ignore.d.server/ssh	21 Jun 2006 09:46:50 -0000
@@ -11,3 +11,4 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Did not receive identification string from (::ffff:)?[:0-9a-f.]{7,15}$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Authorized to [^[:space:]]+, krb5 principal [^[:space:]]+ \(krb5_kuserok\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$ Index: rulefiles/linux/violations.ignore.d/logcheck-ssh ==================================================================RCS file: /cvsroot/logcheck/logcheck/rulefiles/linux/violations.ignore.d/logcheck-ssh,v retrieving revision 1.4 diff -u -r1.4 logcheck-ssh --- rulefiles/linux/violations.ignore.d/logcheck-ssh 4 Jun 2006 19:22:35 -0000 1.4 +++ rulefiles/linux/violations.ignore.d/logcheck-ssh 21 Jun 2006 09:46:50 -0000 @@ -1,4 +1,3 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: warning: /etc/hosts.deny, line [0-9]+: host name/name mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!$ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20060621/89a0c35d/attachment.pgp
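Review bot: the rule added to ignore.d.server/ssh matches the address with `[._[:alnum:]-]+`, which cannot match the `::ffff:`-prefixed form that the neighbouring "Did not receive identification string" rule in the same hunk allows for with `(::ffff:)?[:0-9a-f.]{7,15}`; if sshd logs IPv4-mapped addresses in the "Address ... maps to" message, the new rule will not suppress them and they will show up in the events report. In the violations.ignore.d hunk the old rule is removed outright rather than also kept with the `BREAK-?IN` fix; that is only safe if no violations.d keyword can occur in that message, which is the premise stated in the mail and is worth confirming against violations.d/logcheck before the release, since a line promoted to the violations level with no ignore rule there surfaces in every report.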
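To see what the two patches in this thread change in practice, the following is an added example, not code from the bug report or from the logcheck project: it runs the pre-patch and post-patch "reverse mapping checking" rule and the rule moved to ignore.d.server/ssh over constructed sshd log lines with `grep -E`, the extended-regex engine logcheck applies to its rule files. The host names, PID and timestamps in the sample lines are made up, and `logcheck_level` is a deliberate simplification (an assumption, not logcheck's real classifier) that uses only the one violations keyword the second mail mentions, "failed", to show why the "Address ... maps to" message lands in the system-events level rather than the violations one.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of logcheck itself: run the
# pre- and post-patch rule from violations.ignore.d/logcheck-ssh and the
# rule moved to ignore.d.server/ssh over constructed sshd log lines, using
# grep -E as logcheck does for its rule files.

# Pre-patch rule: matches only the pre-4.3 spelling "BREAKIN".
OLD_REVERSE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAKIN ATTEMPT!$'
# Patched rule: "BREAK-?IN" makes the hyphen optional, so both spellings match.
NEW_REVERSE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$'
# Rule moved to ignore.d.server/ssh by the second patch (no "failed" in it).
ADDRESS_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$'

# Constructed sample lines; host names, PIDs and timestamps are made up.
REVERSE_OLD='May 30 10:24:44 myhost sshd[12345]: reverse mapping checking getaddrinfo for host.example.com failed - POSSIBLE BREAKIN ATTEMPT!'
REVERSE_NEW='May 30 10:24:44 myhost sshd[12345]: reverse mapping checking getaddrinfo for host.example.com failed - POSSIBLE BREAK-IN ATTEMPT!'
ADDRESS_NEW='May 30 10:24:45 myhost sshd[12346]: Address 192.0.2.1 maps to host.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!'

# rule_matches RULE LINE: succeed (0) when the egrep rule matches the line.
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# logcheck_level LINE: print the report level a line would land in.
# Assumption / simplification: logcheck promotes a line to the "violations"
# level when it hits a keyword from violations.d; only the keyword the thread
# discusses, "failed", is checked here. The real keyword list is longer.
logcheck_level() {
    if printf '%s\n' "$1" | grep -E -q -- 'failed'; then
        echo violations
    else
        echo events
    fi
}

# check_rule LABEL RULE LINE: print a one-line verdict (display only).
check_rule() {
    if rule_matches "$2" "$3"; then
        echo "$1: matched     (ignored at the $(logcheck_level "$3") level)"
    else
        echo "$1: NOT matched (reported at the $(logcheck_level "$3") level)"
    fi
    return 0
}

# Demonstration when the script is run directly.
check_rule 'old rule / old spelling'     "$OLD_REVERSE_RULE" "$REVERSE_OLD"
check_rule 'old rule / 4.3 spelling'     "$OLD_REVERSE_RULE" "$REVERSE_NEW"
check_rule 'new rule / old spelling'     "$NEW_REVERSE_RULE" "$REVERSE_OLD"
check_rule 'new rule / 4.3 spelling'     "$NEW_REVERSE_RULE" "$REVERSE_NEW"
check_rule 'address rule / 4.3 spelling' "$ADDRESS_RULE"     "$ADDRESS_NEW"
```

Running it shows the old rule failing on the 4.3 spelling while the patched rule matches both, and the "Address ... maps to" line classified as an events-level line, which is why the second patch moves its rule out of violations.ignore.d. The same `printf | grep -E` pipeline is a quick way to check any edited logcheck rule against a captured log line before installing it.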