[Logcheck-commits] Frédéric Brière: i.d.s/ssh: ignore "PAM $n more authentication failures"

Frédéric Brière fbriere-guest at alioth.debian.org
Mon Jan 16 16:14:50 UTC 2012


Module: logcheck
Branch: master
Commit: dfc4bcfe7ce0a275e26e1b392e5f626716550171
URL:    http://git.debian.org/?p=logcheck/logcheck.git;a=commit;h=dfc4bcfe7ce0a275e26e1b392e5f626716550171

Author: Frédéric Brière <fbriere at fbriere.net>
Date:   Sun Jan 15 18:04:07 2012 -0500

i.d.s/ssh: ignore "PAM $n more authentication failures"

---

 debian/changelog                    |    5 +++++
 rulefiles/linux/ignore.d.server/ssh |    2 +-
 2 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ab96dbd..2acab44 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,13 @@
 logcheck (1.3.15) UNRELEASED; urgency=low
 
+  [ Hannes von Haugwitz ]
   * ignore.d.server/dropbear: new
     - ignore successful logins (closes: #652148)
 
+  [ Frédéric Brière ]
+  * ignore.d.server/ssh:
+    - ignore "PAM $n more authentication failures"
+
  -- Hannes von Haugwitz <hannes at vonhaugwitz.com>  Fri, 16 Dec 2011 08:06:47 +0100
 
 logcheck (1.3.14) unstable; urgency=low
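Review bot: the trailer line `-- Hannes von Haugwitz <hannes at vonhaugwitz.com>  Fri, 16 Dec 2011 08:06:47 +0100` still carries the earlier contributor's name and a December date while the new `[ Frédéric Brière ]` block is from January 2012; that is expected for an UNRELEASED entry, but whoever uploads 1.3.15 should refresh the trailer (dch -r) so the signature and timestamp reflect the final upload. Unlike the dropbear bullet above it, the new bullet carries no `(closes: #...)` reference; if this change was requested in a bug report, add it so the bug is closed on upload. The `[ Name ]` sectioning and indentation follow the file's existing convention.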
diff --git a/rulefiles/linux/ignore.d.server/ssh b/rulefiles/linux/ignore.d.server/ssh
index 56bab98..d6678ef 100644
--- a/rulefiles/linux/ignore.d.server/ssh
+++ b/rulefiles/linux/ignore.d.server/ssh
@@ -33,7 +33,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_[[:alnum:]]+\(sshd?:session\): session opened for user [^[:space:]]+( by ([[:alnum:]-]+)?\(uid=[[:digit:]]+\))?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd?:[[:alnum:]]+\): check pass; user unknown$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd?:auth\): auth could not identify password for \[[-_.[:alnum:]]*\]$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (\(pam_unix\)|pam_unix\(sshd?:auth\):) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (\(pam_unix\)|pam_unix\(sshd?:auth\):|PAM [[:digit:]]+ more) authentication failures?; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: refused connect from [:[:alnum:]._-]+ \([:[:alnum:].]+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ (\[[:.[:xdigit:]]+\] )?failed - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: scanned from [:[:xdigit:].]+ with SSH-[.[:digit:]]+-SSH_Version_Mapper\.  Don't panic\.$
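Review bot: the widened rule suppresses, at the `server` report level, the line that summarises repeated failures from one `rhost=` (with an optional `user=`), so the aggregated evidence of a password-guessing run from a single host drops out of the report together with the single-attempt `pam_unix(sshd:auth): authentication failure` lines the old pattern already ignored; before merging, confirm that sshd's own per-attempt failure messages are not also ignored elsewhere in this file, otherwise nothing in the server-level report flags the guessing. Separately, making the plural optional for the whole alternation is looser than needed: with `failures?` applied to all three branches, `pam_unix(sshd:auth): authentication failures;` and `PAM 3 more authentication failure;` now match too, although only the `PAM [[:digit:]]+ more` branch varies between singular and plural (the count 1 yields `1 more authentication failure`). Tying the plural to that branch keeps the other two branches as strict as before, e.g. `((\(pam_unix\)|pam_unix\(sshd?:auth\):) authentication failure|PAM [[:digit:]]+ more authentication failures?);`. The shared tail `logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$` is fine for the new line as well, since `[[:space:]]+` absorbs the double space PAM emits before `user=`.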
