Tim Small
2008-Oct-31 13:03 UTC
[Logcheck-devel] Bug#504100: logcheck-database: Minor change to /etc/logcheck/violations.ignore.d/logcheck-ssh fixes whitespace related problem.
Package: logcheck-database
Version: 1.2.68
Severity: normal
Tags: patch

SSHD in lenny and etch emits white space at the end of ssh login authentication failure lines. It would appear that line 11 of the current /etc/logcheck/violations.ignore.d/logcheck-ssh intends to filter such lines (in fact it does manage to filter ones that include the user=username field, but not lines without), but fails to do so because of the trailing whitespace.

The problematic part of the regex is the final:

rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$

replacing it with:

rhost=[^[:space:]]+[[:space:]]+(user=[^[:space:]]+)?$

fixes the problem, but the following is probably less brittle:

rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$

in the case that sshd gets fixed to remove the trailing whitespace at some point in the future...

Thanks,

Tim.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-openvz-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- no debconf information

-------------- next part --------------
--- /tmp/logcheck-ssh.old	2008-10-31 12:39:03.000000000 +0000
+++ /etc/logcheck/violations.ignore.d/logcheck-ssh	2008-10-31 12:40:50.000000000 +0000
@@ -8,6 +8,6 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?[^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$
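Review bot: the new tail "([[:space:]]+)?(user=[^[:space:]]+)?$" on the "+" line makes the whitespace optional independently of the user= field, so a space before user= is no longer required, while the trailing-space case the change targets never reaches the matcher: logcheck strips trailing whitespace with "sed -e 's/[[:space:]]\+$//'" before the ignore rules are applied, and the "-" line's "([[:space:]]+user=[^[:space:]]+)?$" already matches the stripped line both with and without the user= field. Suggest dropping this hunk and instead attaching the exact lines that are still reported, so the rule can be checked against what the matcher actually sees.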
Gerfried Fuchs
2009-Feb-10 23:09 UTC
[Logcheck-devel] Bug#504100: logcheck-database: Minor change to /etc/logcheck/violations.ignore.d/logcheck-ssh fixes whitespace related problem.
tag 504100 + moreinfo
tag 504100 - patch
thanks

* Tim Small <tim at seoss.co.uk> [2008-10-31 14:03:37 CET]:
> SSHD in lenny and etch emits white space at the end of ssh login
> authentication failure lines. It would appear that line 11 of the current
> /etc/logcheck/violations.ignore.d/logcheck-ssh intends to filter such lines
> (in fact it does manage to filter ones that include the user=username field,
> but not lines without), but fails to do so because of the trailing
> whitespace.

That's a false analysis, trailing whitespace is explicitly stripped off by logcheck so the rules must not have it.

> The problematic part of the regex is the final:
> rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
> replacing it with:
> rhost=[^[:space:]]+[[:space:]]+(user=[^[:space:]]+)?$
> fixes the problem,

I really doubt that, trailing whitespace isn't any problem for logcheck in lenny - and I believe it's the same for etch too, can't unfortunately check it right now, am offline. Line 675 in lenny:

    $SORT $TMPDIR/logoutput/* | sed -e 's/[[:space:]]\+$//' | cat \
        > $TMPDIR/logoutput-sorted \

So it strips off trailing whitespace.

> but the following is probably less brittle:
> rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$

That's even worse: It will match even when there is no whitespace at all between the rhost= and user= line, something you surely didn't want to achieve - so this renders your patch invalid.

Can you please offer the lines that appear in your logcheck mails that you didn't expect to get displayed? If they don't contain too sensitive information, that is. Private mail is alright, too.

Thanks. :)
Rhonda
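To see both sides of this exchange on concrete input, here is an added example (not part of the bug report or of logcheck) that runs the shipped line-11 rule and Tim's two replacement tails against constructed pam_unix lines, once raw and once after the sed normalisation quoted above. It assumes GNU grep and sed as shipped on Debian; the hostname, address, PID and user name in the sample lines are made up.

```shell
#!/bin/sh
# Constructed sample syslog lines (not taken from the bug report) modelled on the
# pam_unix message the thread discusses. LINE_NOUSER carries the trailing space
# Tim reports; LINE_USER has the optional user= field and no trailing space.
LINE_NOUSER='Oct 31 12:39:03 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 '
LINE_USER='Oct 31 12:39:04 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice'

# Common part of the rule (line 11 of logcheck-ssh), followed by the three tails
# under discussion: the shipped one, Tim's first replacement and his "less brittle" one.
PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+'
RULE_SHIPPED="${PREFIX}([[:space:]]+user=[^[:space:]]+)?\$"
RULE_REQUIRE_WS="${PREFIX}[[:space:]]+(user=[^[:space:]]+)?\$"
RULE_LOOSE="${PREFIX}([[:space:]]+)?(user=[^[:space:]]+)?\$"

# strip_trailing LINE: the normalisation logcheck applies to every log line
# before the ignore rules are tried (the sed from line 675 quoted in the reply).
strip_trailing() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]\+$//'
}

# classify RULE LINE: prints "match" or "nomatch" for one ignore rule against
# one line, using extended regexps as logcheck's egrep does.
classify() {
    if printf '%s\n' "$2" | grep -Eq "$1"; then
        echo match
    else
        echo nomatch
    fi
}

# show LABEL RULE LINE: result against the raw line and against the stripped line.
show() {
    printf '%-8s raw=%s  stripped=%s\n' "$1" \
        "$(classify "$2" "$3")" "$(classify "$2" "$(strip_trailing "$3")")"
}

for name in SHIPPED REQUIRE_WS LOOSE; do
    eval "rule=\$RULE_$name"
    echo "== $name rule =="
    show "no-user" "$rule" "$LINE_NOUSER"
    show "user="   "$rule" "$LINE_USER"
done
```

The shipped rule misses only the raw trailing-space line and matches once it is stripped, whereas the tail that requires whitespace matches the raw line but fails on the stripped one that logcheck actually compares against.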
Debian Bug Tracking System
2009-Feb-11 07:33 UTC
[Logcheck-devel] Processed: Re: Bug#504100: logcheck-database: Minor change to /etc/logcheck/violations.ignore.d/logcheck-ssh fixes whitespace related problem.
Processing commands for control at bugs.debian.org:

> tag 504100 + moreinfo
Bug#504100: logcheck-database: Minor change to /etc/logcheck/violations.ignore.d/logcheck-ssh fixes whitespace related problem.
Tags were: patch
Tags added: moreinfo

> tag 504100 - patch
Bug#504100: logcheck-database: Minor change to /etc/logcheck/violations.ignore.d/logcheck-ssh fixes whitespace related problem.
Tags were: moreinfo patch
Tags removed: patch

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)