Logcheck devel - Oct 2007 - Bug#445072: /etc/logcheck/violations.ignore.d/logcheck-ssh: Failed password for ...

Package: logcheck-database
Version: 1.2.62
Severity: normal
File: /etc/logcheck/violations.ignore.d/logcheck-ssh

Somewhere between etch and now, ssh stopped reporting failed passwords
as "error: PAM: Authentication failure for foo", and switched to
"Failed
password for foo", similar to what it already did for unknown users, but
without the "invalid user" part.

Here's an updated version of the "Failed X for Y" rule with the
"illegal/invalid user" part made optional:

  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed
(keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user
)?[^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port
[[:digit:]]{1,5} ssh2?$


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-k7 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- debconf information excluded

On Tue, Oct 02, 2007 at 10:58:32PM -0400, Fr?d?ric Bri?re
wrote:
> Somewhere between etch and now, ssh stopped reporting failed passwords
> as "error: PAM: Authentication failure for foo", and switched to
"Failed
> password for foo", similar to what it already did for unknown users,
but
I was actually mistaken -- even etch logs such attempts as "Failed
password".  (Except when *I* try it, at which point I still get the PAM
error, for some mysterious reason.)


-- 
<liiwi> udp - universal dropping of an pigeon

Your message dated Tue, 03 Jun 2008 22:47:04 +0000
with message-id <E1K3fHU-0000ML-F8 at ries.debian.org>
and subject line Bug#445072: fixed in logcheck 1.2.64
has caused the Debian Bug report #445072,
regarding /etc/logcheck/violations.ignore.d/logcheck-ssh: Failed password for
...
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)


-- 
445072: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445072
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: =?utf-8?b?RnLDqWTDqXJpYyBCcmnDqHJl?= <fbriere at fbriere.net>
Subject: /etc/logcheck/violations.ignore.d/logcheck-ssh: Failed password for ...
Date: Tue, 02 Oct 2007 22:58:32 -0400
Size: 2467
Url:
http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080603/d0bb791f/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: maximilian attems <maks at debian.org>
Subject: Bug#445072: fixed in logcheck 1.2.64
Date: Tue, 03 Jun 2008 22:47:04 +0000
Size: 9508
Url:
http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080603/d0bb791f/attachment-0001.eml