[Logcheck-devel] Bug#567355: Add "disconnected by user" ignore for recent openssh-client
Loïc Minier
lool at dooz.org
Thu Jan 28 17:14:48 UTC 2010
Package: logcheck-database
Version: 1.3.5
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch
Hi

With the most recent openssh-client in Ubuntu lucid (10.04), I get new
warnings with an Ubuntu karmic (9.10) openssh-server. I think openssh
in Ubuntu and Debian are really close, so I believe this will hit
Debian pretty soon too.

Please find a patch to address these. According to the OpenSSH
maintainer these are expected:

10:53 < lool> cjwatson: Hi, since a recent upgrade of the ssh client on lucid,
I get warnings in logcheck from auth.log; the following lines now
appear every time I close a ssh connection:
10:53 < lool> Jan 28 10:52:51 fox sshd[26563]: Received disconnect from
192.168.0.119: 11: disconnected by user
10:53 < lool> (before pam session is closed)
10:54 < lool> cjwatson: I don't know whether this is expected or not, in which
case I'll update the logcheck rules
12:52 < cjwatson> lool: it appears to be intentional
12:52 < cjwatson> lool: from what I can tell it was part of the preparation for
roaming support
Thanks,
--
Loïc Minier
-------------- next part --------------
diff -Nru logcheck-1.3.5ubuntu1/debian/changelog logcheck-1.3.5ubuntu2/debian/changelog
--- logcheck-1.3.5ubuntu1/debian/changelog 2010-01-21 23:36:34.000000000 +0100
+++ logcheck-1.3.5ubuntu2/debian/changelog 2010-01-28 18:10:35.000000000 +0100
@@ -1,3 +1,11 @@
+logcheck (1.3.5ubuntu2) lucid; urgency=low
+
+ * rulefiles/linux/ignore.d.server/ssh: Add "disconnected by user" re in the
+ "Received disconnect from" series; this now occurs frequently with lucid
+ ssh clients.
+
+ -- Loïc Minier <loic.minier at ubuntu.com> Thu, 28 Jan 2010 18:09:22 +0100
+
logcheck (1.3.5ubuntu1) lucid; urgency=low
* rulefiles/linux/ignore.d.paranoid/cron: make /usr/sbin/ optional in
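Review bot: The new 1.3.5ubuntu2 changelog entry has no bug reference and abbreviates the pattern as "re". Add the tracker reference for this report once it is known, and write "regular expression" or "rule" in full, so that anyone auditing why this sshd message is suppressed can trace the rule back to the discussion that justified it.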
diff -Nru logcheck-1.3.5ubuntu1/rulefiles/linux/ignore.d.server/ssh logcheck-1.3.5ubuntu2/rulefiles/linux/ignore.d.server/ssh
--- logcheck-1.3.5ubuntu1/rulefiles/linux/ignore.d.server/ssh 2009-09-05 12:45:08.000000000 +0200
+++ logcheck-1.3.5ubuntu2/rulefiles/linux/ignore.d.server/ssh 2010-01-28 18:09:15.000000000 +0100
@@ -13,6 +13,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: [12]: Timeout, server not responding\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: Client disconnect$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: Disconnect requested by Windows SSH Client\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Server listening on [:[:xdigit:].]+ port [[:digit:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because (listed in Deny|not listed in Allow)Users$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_[[:alnum:]]+\) session opened for user [^[:space:]]+( by ([[:alnum:]-]+)?\(uid=[[:digit:]]+\))?$
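Review bot: The added "disconnected by user" rule accepts any reason code via [[:digit:]]+, while the only line quoted in the report carries code 11. Since every matching line is dropped from the logcheck report, consider pinning the code to 11, as the "Timeout, server not responding" rule above does with [12], so that an unexpected code with the same text would still be reported. The pattern is otherwise anchored with ^ and $ and follows the neighbouring "Received disconnect from" rules, which is good.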