Frédéric Brière
2007-Sep-28 21:18 UTC
[Logcheck-devel] Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
Package: logcheck-database
Version: 1.2.62
Severity: normal
File: /etc/logcheck/violations.ignore.d/logcheck-ssh

Here's an updated version of the ssh/pam_unix "authentication failure" rule:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$

This reflects the change that occurred in pam_unix in September 2005, where the logging went from "(pam_unix)" to "pam_unix(ssh:auth)". This was already done in the second auth.fail rule, but not in the first, hence this report.

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.21-2-k7 (SMP w/1 CPU core)
Locale: LANG=en_CA.utf-8, LC_CTYPE=en_CA.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- debconf information excluded
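This added example (not part of the original report and not logcheck's own code) runs the proposed rule through grep -E, used here as a stand-in for logcheck's extended-regex matching, to show which lines the rule would drop from a report. All log lines are constructed; the host name, PIDs, addresses, user name and the layout of the old-style line are assumptions.

```shell
#!/bin/sh
# Rule copied verbatim from the report above.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$'

# Exit status 0 when the rule matches the line, i.e. an ignore rule
# would suppress it. LC_ALL=C keeps the character classes predictable.
is_ignored() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq -e "$RULE"
}

# Print "ignored" or "reported" for one log line.
classify() {
    if is_ignored "$1"; then echo ignored; else echo reported; fi
}

# Constructed sample lines (192.0.2.0/24 is a documentation range).
TAIL='authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10'
NEW_WITH_USER="Sep 28 21:18:33 host1 sshd[4321]: pam_unix(ssh:auth): $TAIL  user=alice"
NEW_NO_USER="Sep  8 21:18:40 host1 sshd[4322]: pam_unix(ssh:auth): $TAIL"
# Assumed layout for the pre-2005 "(pam_unix)" tag the report mentions.
OLD_STYLE="Sep 28 21:18:45 host1 sshd[4323]: (pam_unix) $TAIL  user=alice"
# Extra text after user= must not be swallowed: the rule is anchored with $.
TRAILING="$NEW_WITH_USER session=opened"
# The empty tty= form raised in the follow-up is not covered by this rule.
EMPTY_TTY="Sep 28 21:18:50 host1 sshd[4324]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10"

for line in "$NEW_WITH_USER" "$NEW_NO_USER" "$OLD_STYLE" "$TRAILING" "$EMPTY_TTY"; do
    printf '%-8s %s\n' "$(classify "$line")" "$line"
done
```

Because the file lives under violations.ignore.d, "ignored" here means the line is left out of the security-violations section, so a rule that matches too broadly hides events rather than merely tidying the mail.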
Elmar Hoffmann
2008-Jan-20 02:10 UTC
[Logcheck-devel] Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
Hi,

on Fri, Sep 28, 2007 at 17:18:33 -0400, Frédéric Brière wrote:
> This reflects the change that occurred in pam_unix in September 2005,
> where the logging went from "(pam_unix)" to "pam_unix(ssh:auth)". This
> was already done in the second auth.fail rule, but not in the first,
> hence this report.

Looking at those two lines, they could just be different versions of the same thing, here are the commented differences:

* the second omits the PID of the ssh daemon - mistake or did older messages look like that? (the ones I see do have the PID)
* the second does use the new PAM format - but does the part after ssh: really need to match anything but auth?
* the first uses tty=ssh (which I do see in current messages); if the second form with the empty tty also currently exists, a tty=(ssh)? won't hurt
* the first uses much wider (just any non-space char) patterns for rhost= and user
* the first makes the user= part optional, I see that in current messages

elmar

--
Elmar Hoffmann <elho at elho.net>
GPG key available via pgp.net
Debian Bug Tracking System
2008-Jul-07 17:57 UTC
[Logcheck-devel] Bug#444470: marked as done (/etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule)
Your message dated Mon, 7 Jul 2008 19:55:03 +0200 with message-id <20080707175503.GA12570 at edna.gwendoline.at> and subject line Re: Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule has caused the Debian Bug report #444470, regarding /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
444470: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444470
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

Embedded messages (scrubbed by the list archive):

From: Frédéric Brière <fbriere at fbriere.net>
Subject: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
Date: Fri, 28 Sep 2007 17:18:33 -0400
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080707/640d18bd/attachment.eml

From: Gerfried Fuchs <rhonda at deb.at>
Subject: Re: Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
Date: Mon, 7 Jul 2008 19:55:03 +0200
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080707/640d18bd/attachment-0001.eml