Frédéric Brière
2008-Jan-24 08:44 UTC
[Logcheck-devel] [PATCH] Added "Incorrect password" proftpd rule
Signed-off-by: Fr?d?ric Bri?re <fbriere at fbriere.net> --- .../linux/violations.ignore.d/logcheck-proftpd | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/rulefiles/linux/violations.ignore.d/logcheck-proftpd b/rulefiles/linux/violations.ignore.d/logcheck-proftpd index 2bf2c3e..472992d 100644 --- a/rulefiles/linux/violations.ignore.d/logcheck-proftpd +++ b/rulefiles/linux/violations.ignore.d/logcheck-proftpd @@ -2,5 +2,5 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: pam_unix\(proftpd:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) PAM\([-_.[:alnum:]]+\): Authentication failure\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-._[:alnum:]]+ \(Login failed\): Limit access denies login$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-._[:alnum:]]+ \(Login failed\): (Limit access denies login|Incorrect password\.)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) SECURITY VIOLATION: root login attempted\.$ -- 1.5.3.8
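Review bot: the new `Incorrect password\.` alternative in the `USER [-._[:alnum:]]+ \(Login failed\)` rule hard-codes a trailing period while the `Limit access denies login` alternative has none, and the commit message carries no sample log line, so a reviewer cannot confirm that proftpd emits exactly `Incorrect password.`; please add the triggering log line to the commit message (or the rule file's header comment) so the escaped dot can be checked. Separately, the client-host class in this same rule, `\([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)`, still has no `:` in it, so a failed login from an unresolved IPv6 client will not be matched even after this change, whereas the `rhost=[-_.:[:alnum:]]+` field in the pam_unix rule directly above it already accepts colons.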
Frédéric Brière
2008-Jan-24 08:44 UTC
[Logcheck-devel] [PATCH] Adjusted proftpd rules to catch unresolved IPv6 hosts
Signed-off-by: Fr?d?ric Bri?re <fbriere at fbriere.net> --- rulefiles/linux/ignore.d.workstation/proftpd | 2 +- .../linux/violations.ignore.d/logcheck-proftpd | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rulefiles/linux/ignore.d.workstation/proftpd b/rulefiles/linux/ignore.d.workstation/proftpd index a2801fe..c1133bc 100644 --- a/rulefiles/linux/ignore.d.workstation/proftpd +++ b/rulefiles/linux/ignore.d.workstation/proftpd @@ -1 +1 @@ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Maximum login attempts \([[:digit:]]+\) exceeded$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Maximum login attempts \([[:digit:]]+\) exceeded$ diff --git a/rulefiles/linux/violations.ignore.d/logcheck-proftpd b/rulefiles/linux/violations.ignore.d/logcheck-proftpd index 472992d..93e9837 100644 --- a/rulefiles/linux/violations.ignore.d/logcheck-proftpd +++ b/rulefiles/linux/violations.ignore.d/logcheck-proftpd 
@@ -1,6 +1,6 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: pam_unix\(proftpd:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) PAM\([-_.[:alnum:]]+\): Authentication failure\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-._[:alnum:]]+ \(Login failed\): (Limit access denies login|Incorrect password\.)$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) SECURITY VIOLATION: root login attempted\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) PAM\([-_.[:alnum:]]+\): Authentication failure\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) USER [-._[:alnum:]]+ \(Login failed\): (Limit access denies login|Incorrect password\.)$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:? [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\)(:| -) SECURITY VIOLATION: root login attempted\.$ -- 1.5.3.8
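Review bot: in the `@@ -1 +1 @@` hunk for `rulefiles/linux/ignore.d.workstation/proftpd`, the added colon sits at the very front of the bracket expression, `\([:._[:alnum:]-]+\[`, which reads like a `[:class:]` opener at first glance; it is a literal colon there and matches the same set, but `\([._:[:alnum:]-]+\[` would make the intent clearer and mirrors the `[-_.:[:alnum:]]+` ordering already used for `rhost=` in the violations file. While both files are being touched, note that this file spells the PID field as `proftpd\[[0-9]+\]` whereas `logcheck-proftpd` uses `proftpd\[[[:digit:]]{1,5}\]`; worth unifying in the same series.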
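Review bot: in the `@@ -1,6 +1,6 @@` hunk for `logcheck-proftpd`, the `Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.` rule gains `:` in the parenthesised host class but the second host field after `Connection from ` is left as `[._[:alnum:]-]+`; for an unresolved IPv6 client that field presumably holds the same address literal that just gained colon support in the first field, so a denied connection from such a client will still fall through to the report. Suggest `Connection from [:._[:alnum:]-]+ \[` (or the `[._:[:alnum:]-]+` spelling) to match. Leaving the two pam_unix rules at the top of the hunk untouched is correct, since their `rhost=[-_.:[:alnum:]]+` already accepts colons.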