[Logcheck-commits] [SCM] logcheck source and rules branch, master, updated. debian/1.3.14-13-gd7e9a7b

Frédéric Brière fbriere at fbriere.net
Mon Jan 16 16:15:01 UTC 2012


The following commit has been merged in the master branch:
commit b6d177d3ce86410d5c572f5ac4ae0f8eb7a71216
Author: Frédéric Brière <fbriere at fbriere.net>
Date:   Sun Jan 15 20:00:02 2012 -0500

    i.d.s/ssh: ignore yet one more variation of "invalid user"
    
    (I swear these messages keep changing every six months, depending on
    which version of OpenSSH, libssh and PAM are installed.)

diff --git a/debian/changelog b/debian/changelog
index 7f671c8..2c0ddc0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,7 @@ logcheck (1.3.15) UNRELEASED; urgency=low
     - ignore "Closed due to user request." (closes: #647943)
     - ignore "Bye Bye"
     - ignore "Connection closed"
+    - ignore yet one more variation of "invalid user"
 
  -- Hannes von Haugwitz <hannes at vonhaugwitz.com>  Fri, 16 Dec 2011 08:06:47 +0100
 
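Review bot: The added changelog line, `ignore yet one more variation of "invalid user"`, does not name the message being ignored, unlike the quoted strings in the entries above it ("Bye Bye", "Connection closed"). Someone auditing which sshd lines logcheck suppresses cannot match this entry to a rule. Suggest wording it after the message the ssh rule file change in this commit matches, e.g. `ignore "input_userauth_request: invalid user" [preauth]`.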
diff --git a/rulefiles/linux/ignore.d.server/ssh b/rulefiles/linux/ignore.d.server/ssh
index 37743d9..29587df 100644
--- a/rulefiles/linux/ignore.d.server/ssh
+++ b/rulefiles/linux/ignore.d.server/ssh
@@ -7,6 +7,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Corrupted MAC on input\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?[^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]* from ([:.[:xdigit:]]+|UNKNOWN)$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user [^[:space:]]* \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Nasty PTR record "[:[:xdigit:].]+" is set up for [:[:xdigit:].]+, ignoring$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM pam_putenv: delete non-existent entry; [[:alnum:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed keyboard-interactive(/pam)? for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?$
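Review bot: The added `input_userauth_request` rule hard-codes lowercase `invalid` and requires the literal ` \[preauth\]$` suffix, while the rule directly above it accepts `I(llegal|nvalid)`. Given the commit message's remark that these messages keep changing, any variant without the suffix will still be reported. If keeping the match this narrow is intentional (a tight ignore rule suppresses less), a sample of the matched log line in the commit message would document that. Otherwise `( \[preauth\])?` would cover both forms. Note also that `[^[:space:]]*` lets an empty user name match; that is consistent with the two rules above but differs from the `[^[:space:]]+` used in the `Postponed` rule at the end of this hunk.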

-- 
logcheck source and rules


