[Logcheck-devel] Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
Frédéric Brière
fbriere at fbriere.net
Fri Sep 28 21:18:33 UTC 2007
Package: logcheck-database
Version: 1.2.62
Severity: normal
File: /etc/logcheck/violations.ignore.d/logcheck-ssh
Here's an updated version of the ssh/pam_unix "authentication failure"
rule:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
This reflects the change that occurred in pam_unix in September 2005,
where the logging went from "(pam_unix)" to "pam_unix(ssh:auth)". This
was already done in the second auth.fail rule, but not in the first,
hence this report.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.21-2-k7 (SMP w/1 CPU core)
Locale: LANG=en_CA.utf-8, LC_CTYPE=en_CA.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-- debconf information excluded
More information about the Logcheck-devel
mailing list