[Logcheck-devel] Bug#652148: Please add rules for dropbear

debian-bugs at nospam.pz.podzone.net debian-bugs at nospam.pz.podzone.net
Thu Dec 15 09:19:26 UTC 2011


Package: logcheck
Version: 1.2.69

"dropbear" is a lightweight ssh server which can be installed in place
of openssh-server.  Log entries for dropbear are not currently
filtered by logcheck, resulting in a "System Events" email for each and
every ssh login, as below:


This email is sent by logcheck. If you no longer wish to receive
such mails, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-=
Dec 15 07:48:24 captain dropbear[20011]: Child connection from ::ffff:82.125.214.201:55874
Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user' with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from
+::ffff:82.125.214.201:55874
Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited normally


The above is from an install of logcheck 1.2.69 and dropbear 0.51-1 on
an installation of lenny.  I have looked at the package files in
wheezy for logcheck (1.3.14) and it appears dropbear remains
unaccounted for (although note that dropbear is now at 0.52).

I have not yet attempted to create a ruleset to filter the above;
however, if a fix is proposed, then I will happily test it.

Thanks.
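
Added example, not part of the original report and not logcheck's shipped rules: three candidate ignore patterns for the messages quoted above, checked with grep -E against those lines. It assumes the "+"-wrapped line is a single syslog line joined by one space; the function names and the failed-login line are constructed for illustration.

```shell
#!/bin/sh
# Candidate logcheck ignore rules (POSIX ERE, one per line) for the three
# dropbear messages in the report. Illustrative only, not shipped rules.

# Syslog prefix: month, day and time, hostname, "dropbear[pid]: ".
PREFIX='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dropbear\[[[:digit:]]+\]: '
# IPv4, IPv6 or v4-mapped IPv6 address followed by ":port".
ADDR='[.:[:xdigit:]]+:[[:digit:]]+'

# Each rule is anchored at both ends and names one routine message, so
# anything else dropbear logs (e.g. failed logins) is still reported.
dropbear_rules() {
cat <<EOF
${PREFIX}Child connection from ${ADDR}\$
${PREFIX}pubkey auth succeeded for '[^']+' with key md5 ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2} from ${ADDR}\$
${PREFIX}exit after auth \\([^)]+\\): Exited normally\$
EOF
}

# Read log lines on stdin and print those that match no ignore rule,
# i.e. what would still end up in the "System Events" mail.
unfiltered() {
    rules=$(mktemp) || return 1
    dropbear_rules > "$rules"
    grep -E -v -f "$rules" || true   # grep exits 1 when everything is filtered
    rm -f "$rules"
}

# First three lines are from the report (wrapped line joined); the last
# line is a constructed failure message with assumed wording.
sample_log() {
cat <<'EOF'
Dec 15 07:48:24 captain dropbear[20011]: Child connection from ::ffff:82.125.214.201:55874
Dec 15 07:48:27 captain dropbear[20011]: pubkey auth succeeded for 'user' with key md5 68:07:18:0a:d8:4a:8b:61:2d:a6:15:94:1e:cb:b9:85 from ::ffff:82.125.214.201:55874
Dec 15 07:49:32 captain dropbear[20011]: exit after auth (user): Exited normally
Dec 15 07:50:02 captain dropbear[20012]: bad password attempt for 'root' from ::ffff:192.0.2.7:40112
EOF
}

# Stand-alone run: only the constructed failure line should be printed.
sample_log | unfiltered
```

On a server install, patterns like these would go in a file under /etc/logcheck/ignore.d.server/, one pattern per line.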




