debian-bugs at nospam.pz.podzone.net
2011-Dec-15 09:19 UTC
[Logcheck-devel] Bug#652148: Please add rules for dropbear
Package: logcheck
Version: 1.2.69

"dropbear" is a lightweight ssh server which can be installed in place of openssh-server. Log entries for dropbear are not currently filtered by logcheck resulting in a "System Events" email for each and every ssh login as below:

This email is sent by logcheck. If you no longer wish to receive
such mails, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-
Dec 15 07:48:24 captain dropbear[20011]: Child connection from ::ffff:82.125.214.201:55874
Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user' with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from
+::ffff:82.125.214.201:55874
Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited normally

The above is from an install of logcheck 1.2.69 and dropbear 0.51-1 on an installation of lenny. I have looked at the package files in wheezy for logcheck (1.3.14) and it appears dropbear remains unaccounted for (although note that dropbear is now at 0.52).

I have not yet attempted to create a ruleset to filter the above however if a fix is proposed then I will happily test it.

Thanks.
Hannes von Haugwitz
2011-Dec-16 08:53 UTC
[Logcheck-devel] Bug#652148: Bug#652148: Please add rules for dropbear
# fixed in 20a68db
tags 652148 + pending
thanks

Hello,

Thanks for your contribution. I've added the rules to git[0].

Best regards

Hannes

[0] http://anonscm.debian.org/gitweb/?p=logcheck/logcheck.git;a=commit;h=20a68dbcc687700e37fdcefdc423bdc24822f4ad
Debian Bug Tracking System
2011-Dec-16 08:58 UTC
[Logcheck-devel] Processed: Re: Bug#652148: Please add rules for dropbear
Processing commands for control at bugs.debian.org:

> # fixed in 20a68db
> tags 652148 + pending
Bug #652148 [logcheck] Please add rules for dropbear
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
652148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652148
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
Debian Bug Tracking System
2012-Jun-30 16:39 UTC
[Logcheck-devel] Bug#652148: marked as done (Please add rules for dropbear)
Your message dated Sat, 30 Jun 2012 16:38:37 +0000
with message-id <E1Sl0gv-0000Su-MG at franck.debian.org>
and subject line Bug#652148: fixed in logcheck 1.3.15
has caused the Debian Bug report #652148,
regarding Please add rules for dropbear
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
652148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652148
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: debian-bugs at nospam.pz.podzone.net
Subject: Please add rules for dropbear
Date: Thu, 15 Dec 2011 09:19:26 +0000
Size: 2913
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20120630/d90d0389/attachment.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Subject: Bug#652148: fixed in logcheck 1.3.15
Date: Sat, 30 Jun 2012 16:38:37 +0000
Size: 7187
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20120630/d90d0389/attachment-0001.mht>
debian-bugs at nospam.pz.podzone.net
2012-Jul-16 13:38 UTC
[Logcheck-devel] Bug#652148: closed by Hannes von Haugwitz <hannes@vonhaugwitz.com> (Bug#652148: fixed in logcheck 1.3.15)
Hi,

Thank you for creating the filter rules for dropbear.

I do not run Debian 'testing' so in order to test I have applied the rules on a machine installed with Debian 'squeeze'. As follows:

~# wget 'http://ftp.uk.debian.org/debian/pool/main/l/logcheck/logcheck_1.3.15.tar.gz'
~# tar xzf logcheck_1.3.15.tar.gz logcheck-1.3.15/rulefiles/linux/ignore.d.server/dropbear
~# cp logcheck-1.3.15/rulefiles/linux/ignore.d.server/dropbear /etc/logcheck/ignore.d.server/

For reference, Debian 'squeeze' has Logwatch 7.3.6 and Dropbear v0.52, and the stock install of Dropbear uses /var/log/auth.log

With the new rules installed as above, the "System Events" email for *successful* logins is now inhibited, i.e. desired behaviour - thanks.

However, I think the expectation is that *failed* logins should generate a "Security Events" email and not a "System Events" email. Here is the text of such a login failure:

///
This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-
Jul 16 12:02:12 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:29 host dropbear[15094]: bad password attempt for 'foo' from 82.125.214.201:38407
Jul 16 12:02:37 host dropbear[15094]: exit before auth (user 'foo', 10 fails): Max auth tries reached - user 'foo' from 82.125.214.201:38407
///

Just to note: It is possible that latest Logwatch version does treat this as a Security Event and my method of back-porting the ruleset is insufficient to capture that - my apologies if that is the case.

On Sat, Jun 30, 2012 at 04:39:25PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the logcheck-database package:
>
> #652148: Please add rules for dropbear
>
> It has been closed by Hannes von Haugwitz <hannes at vonhaugwitz.com>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Hannes von Haugwitz <hannes at vonhaugwitz.com> by
> replying to this email.
>
>
> --
> 652148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652148
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems

> X-Spam-Level:
> Date: Sat, 30 Jun 2012 16:38:37 +0000
> From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
> To: 652148-close at bugs.debian.org
> Subject: Bug#652148: fixed in logcheck 1.3.15
>
> Source: logcheck
> Source-Version: 1.3.15
>
> We believe that the bug you reported is fixed in the latest version of
> logcheck, which is due to be installed in the Debian FTP archive:
>
> logcheck-database_1.3.15_all.deb
>   to main/l/logcheck/logcheck-database_1.3.15_all.deb
> logcheck_1.3.15.dsc
>   to main/l/logcheck/logcheck_1.3.15.dsc
> logcheck_1.3.15.tar.gz
>   to main/l/logcheck/logcheck_1.3.15.tar.gz
> logcheck_1.3.15_all.deb
>   to main/l/logcheck/logcheck_1.3.15_all.deb
> logtail_1.3.15_all.deb
>   to main/l/logcheck/logtail_1.3.15_all.deb
>
>
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed. If you
> have further comments please address them to 652148 at bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Hannes von Haugwitz <hannes at vonhaugwitz.com> (supplier of updated logcheck package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster at debian.org)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Sat, 30 Jun 2012 16:24:49 +0200
> Source: logcheck
> Binary: logcheck logcheck-database logtail
> Architecture: source all
> Version: 1.3.15
> Distribution: unstable
> Urgency: low
> Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
> Changed-By: Hannes von Haugwitz <hannes at vonhaugwitz.com>
> Description:
>  logcheck - mails anomalies in the system logfiles to the administrator
>  logcheck-database - database of system log rules for the use of log checkers
>  logtail - Print log file lines that have not been read (deprecated)
> Closes: 647622 647943 652148
> Changes:
>  logcheck (1.3.15) unstable; urgency=low
>  .
>    [ Hannes von Haugwitz ]
>    * ignore.d.server/dropbear: new
>      - ignore successful logins (closes: #652148)
>    * src/logcheck:
>      - fixed broken '-t' option, thanks to Jon Daley (closes: #647622,
>        LP: #1010431)
>    * debian/control:
>      - bumped to Standards-Version 3.9.3 (no changes necessary)
>      - adjusted URLs of Vcs-* fields
>    * debian/copyright:
>      - updated copyright year to 2012
>  .
>    [ Frédéric Brière ]
>    * ignore.d.server/postfix:
>      - ignore "offered null AUTH mechanism list"
>      - ignore "lost connection while receiving the initial server greeting"
>      - fixed "lost connection while sending end of data" rule
>    * ignore.d.server/proftpd:
>      - ignore "authentication failure" even if ruser is provided
>    * ignore.d.server/ssh:
>      - ignore "PAM $n more authentication failures"
>      - ignore "Too many authentication failures"
>      - ignore "Closed due to user request."
>        (closes: #647943)
>      - ignore "Bye Bye"
>      - ignore "Connection closed"
>      - ignore yet one more variation of "invalid user"
>      - updated "Postponed ..." rule with "[preauth]" suffix
>      - updated "Postponed ..." rule with "invalid user"
>    * ignore.d.workstation/libmtp-runtime:
>      - ignore mtp-probe messages when plugging a non-MTP device
>    * ignore.d.workstation/kernel:
>      - ignore "No Caching mode page present"
>      - ignore "usb-storage: Quirks match"
>      - ignore "sensor detected" for various GSPCA webcams
>      - updated FAT messages to new fat_msg() format
>      - updated "new USB device" message to new usb_speed_string() format
>      - updated bttv messages to new prefix
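
The split raised in the last message (routine dropbear logins suppressed, failed logins raised as Security Events rather than System Events) can be modelled as below. This is an added example, not code from this thread or from the logcheck package: the egrep patterns, the function names and the sample log lines are constructed for illustration, and the match order (violations-style pattern first, then ignore-style pattern) is a simplification of logcheck's rule layering.

```shell
#!/bin/sh
# Added example: simplified model of logcheck-style rule layering, run over
# constructed auth.log lines in the format quoted in this thread.
# The patterns are hypothetical, not the rules shipped in logcheck 1.3.15.

PREFIX='^[[:alpha:]]{3} [ 0-9]{2} [0-9:]{8} [._[:alnum:]-]+ dropbear\[[0-9]+\]: '

# "violations"-style pattern: lines that should be raised as Security Events.
VIOLATIONS="${PREFIX}(bad password attempt for '[^']*' from [^ ]+|exit before auth \(user '[^']*', [0-9]+ fails\): Max auth tries reached .*)\$"

# "ignore"-style pattern: routine lines to suppress entirely.
IGNORE="${PREFIX}(Child connection from [^ ]+|pubkey auth succeeded for '[^']*' with key md5 [0-9a-f:]+ from [^ ]+|exit after auth \([^)]*\): Exited normally)\$"

# classify LINE -> prints security | ignored | system
classify() {
    if printf '%s\n' "$1" | grep -Eq "$VIOLATIONS"; then
        echo security
    elif printf '%s\n' "$1" | grep -Eq "$IGNORE"; then
        echo ignored
    else
        echo system
    fi
}

# Constructed sample; addresses are from the documentation range 192.0.2.0/24.
sample_log() {
    cat <<'EOF'
Jul 16 12:00:01 host dropbear[15090]: Child connection from 192.0.2.10:55874
Jul 16 12:00:04 host dropbear[15090]: pubkey auth succeeded for 'user' with key md5 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff from 192.0.2.10:55874
Jul 16 12:01:09 host dropbear[15090]: exit after auth (user): Exited normally
Jul 16 12:02:12 host dropbear[15094]: bad password attempt for 'foo' from 192.0.2.10:38407
Jul 16 12:02:37 host dropbear[15094]: exit before auth (user 'foo', 10 fails): Max auth tries reached - user 'foo' from 192.0.2.10:38407
Jul 16 12:03:00 host dropbear[15099]: some message no rule covers
EOF
}

# report: prefix every sample line with the class it falls into.
report() {
    sample_log | while IFS= read -r line; do
        printf '%-8s %s\n' "$(classify "$line")" "$line"
    done
}

report
```

Anchoring each pattern at both ends, as done here, keeps a rule from suppressing a line that merely contains a routine message as a substring.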