[Logcheck-commits] martin f. krafft: ignore messages about packets with wrong encapsulated lengths, which are mostly portscanners, or hosts connecting to openvpn on ports like 443.

Martin F. Krafft madduck at alioth.debian.org
Wed Jun 25 12:40:55 UTC 2008


Module: logcheck
Branch: master
Commit: c0483a166853bdd435d6380c922c46bc0b02ba03
URL:    http://git.debian.org/?p=logcheck/logcheck.git;a=commit;h=c0483a166853bdd435d6380c922c46bc0b02ba03

Author: martin f. krafft <madduck at debian.org>
Date:   Wed Jun 25 11:56:12 2008 +0100

ignore messages about packets with wrong encapsulated lengths, which are mostly portscanners, or hosts connecting to openvpn on ports like 443.

---

 debian/changelog                                   |    2 ++
 .../linux/violations.ignore.d/logcheck-openvpn     |    1 +
 2 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 4eec6e2..32ae7c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -37,6 +37,8 @@ logcheck (1.2.65) unstable; urgency=low
   * ignore.d.server/openvpn:
     - ignore messages about dropped packets due to bad source addresses (out
       of connection messages).
+    - ignore messages about packets with wrong encapsulated lengths, which are
+      mostly portscanners, or hosts connecting to openvpn on ports like 443.
   * fix wording in header.txt (closes: #472937).
 
  -- martin f. krafft <madduck at debian.org>  Tue, 24 Jun 2008 18:56:26 +0100
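Review bot: the changelog entry is filed under the `* ignore.d.server/openvpn:` heading, but the only rule file this commit touches is `rulefiles/linux/violations.ignore.d/logcheck-openvpn`, so either the two added lines belong under a `violations.ignore.d/logcheck-openvpn` heading or the wrong file was edited; the changelog should match the diff. Minor: the trailer date `Tue, 24 Jun 2008 18:56:26 +0100` predates this Wed Jun 25 commit, which is fine while the 1.2.65 entry is still open but should be bumped before upload.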
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-openvpn b/rulefiles/linux/violations.ignore.d/logcheck-openvpn
index 8cd4301..8dee81b 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-openvpn
+++ b/rulefiles/linux/violations.ignore.d/logcheck-openvpn
@@ -1,5 +1,6 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: TLS key negotiation failed to occur within [[:digit:]]+ seconds( \(check your network connectivity\))?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? TLS Error: TLS handshake failed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]:( ([-_.[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? WARNING: Bad encapsulated packet length from peer \([[:digit:]]+\), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- \[Attempt?ing restart\.\.\.\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\]: Connection refused \(code=111\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\|ECONNREFUSED\]: Connection refused \(code=111\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[0-9]+\]: read UDPv4 \[ECONNREFUSED\|ECONNREFUSED\|ECONNREFUSED\]: Connection refused \(code=111\)$
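Review bot: the upper bound `<= 1544` is hard-coded in the new rule even though the message itself ties that limit to `--tun-mtu`/`--link-mtu`, so a host running a different MTU will never match and the line will keep being reported; `<= [[:digit:]]+` is the more robust pattern. Two further points: the line contains "possible active attack on the TCP link", which is presumably what classes it as a violation in the first place, and adding it to violations.ignore.d only drops it from the security-alert section rather than silencing it, so unless a matching rule also exists in ignore.d.server it will still surface among the system events (and an admin may reasonably want to keep seeing portscan noise there); and the `t?` in `\[Attempt?ing restart\.\.\.\]` reads like a typo at first sight, so if it is intended to match both a misspelled and a corrected form of the OpenVPN message, a short comment in the rule file or the commit message would save the next reader a puzzle.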