[Logcheck-users] ssh failed login rule problem

Sergi Baila sargue at gmail.com
Fri Apr 3 07:47:45 UTC 2009


Hi there,

I know this is the classic RTFM list question but... I've really tried
hard on this and no result!

This is what I'm receiving from logcheck:

System Events
=-=-=-=-=-=-=
Apr  3 06:55:13 bsg sshd[32246]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226
user=root
Apr  3 06:55:19 bsg sshd[32248]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226
user=root
Apr  3 06:55:25 bsg sshd[32250]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226
user=root


I want to filter it out so, on /etc/logcheck/ignore.d.server/local
I've put this line:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:
pam_unix\(sshd?:[[:alnum:]]+\): authentication failure; logname= uid=0
euid=0 tty=ssh ruser= rhost=[0-9.]{7,15}( +user=[a-Z0-9]+)?$

Which I tested as this:

bsg:/etc/logcheck/ignore.d.server# sed -e 's/[[:space:]]*$//'
/var/log/auth.log | egrep '^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+
sshd\[[[:digit:]]+\]: pam_unix\(sshd?:[[:alnum:]]+\): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[0-9.]{7,15}(
+user=[a-Z0-9]+)?$'
Apr  1 09:33:19 bsg sshd[19707]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.218.176
user=root
Apr  1 09:33:28 bsg sshd[19710]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.218.176
user=root
Apr  1 09:33:37 bsg sshd[19713]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.218.176
user=root
Apr  2 22:44:14 bsg sshd[32730]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.184.76.83
Apr  2 22:44:19 bsg sshd[32732]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.184.76.83
user=root
Apr  2 22:44:26 bsg sshd[32734]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.184.76.83
Apr  3 06:55:13 bsg sshd[32246]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226
user=root
Apr  3 06:55:19 bsg sshd[32248]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226
user=root
Apr  3 06:55:25 bsg sshd[32250]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226
user=root


Which as you see seems a correct rule.

And yes, my report level is configured to server. This is my config
(without comments/blank lines):

INTRO=0
REPORTLEVEL="server"
SENDMAILTO="root"
MAILASATTACH=0
FQDN=1
TMP="/tmp"


But the line keeps coming. Please... HELP! :)

-- 
www.sargue.net
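One pitfall worth ruling out with a rule like the one above is that the rule is hand-tested in an interactive shell but compiled by logcheck from a cron job, where the environment differs. The following script is an added example, not code from the original post or from logcheck: it runs a rule through egrep the way a rule file is applied, but pinned to the C locale (assumption: cron runs logcheck with no LANG set, so the C/POSIX locale applies), against constructed sample lines of the same shape as the ones in the post. In the C locale the byte for "a" sorts after the byte for "Z", so the bracket expression `[a-Z0-9]` is a reversed range that GNU grep rejects outright, and a rejected rule can never match anything. The script compares the rule as posted with a variant that spells the user-name class out as `[a-zA-Z0-9_-]`.

```shell
#!/bin/sh
# Added example, not code from the original post or from logcheck itself.
# Exercise a logcheck-style ignore rule against constructed auth.log lines
# with egrep pinned to the C locale. Assumption: cron starts logcheck with no
# LANG set, so rules are compiled under the C/POSIX locale rather than under
# the UTF-8 locale of the interactive shell where they were hand-tested.

# rule_check RULE LINE: prints "match", "nomatch" or "error".
# "error" means grep refused to compile the rule (exit status 2), which is
# what a locale-dependent bracket expression produces in the C locale.
rule_check() {
    rule=$1
    line=$2
    rc=0
    printf '%s\n' "$line" | LC_ALL=C grep -E -q -e "$rule" 2>/dev/null || rc=$?
    case $rc in
        0) echo match ;;
        1) echo nomatch ;;
        *) echo error ;;
    esac
}

# Constructed sample lines (same shape as the lines in the post; the IPs and
# PIDs are illustrative, not real observations).
LINE_ROOT='Apr  3 06:55:13 bsg sshd[32246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root'
LINE_NOUSER='Apr  2 22:44:14 bsg sshd[32730]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.184.76.83'
LINE_OTHER='Apr  3 07:01:02 bsg sshd[32300]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2'

# The rule as posted. In the C locale [a-Z] is a reversed range (0x61 > 0x5A),
# so grep rejects the whole expression.
RULE_POSTED='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd?:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[0-9.]{7,15}( +user=[a-Z0-9]+)?$'

# Same rule with an explicit, locale-independent user-name class.
RULE_FIXED='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd?:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[0-9.]{7,15}( +user=[a-zA-Z0-9_-]+)?$'

# show_rule NAME RULE: print how one rule behaves on the three sample lines.
show_rule() {
    printf '%s\n' "$1:"
    printf '  failure with user=root: %s\n' "$(rule_check "$2" "$LINE_ROOT")"
    printf '  failure without user=:  %s\n' "$(rule_check "$2" "$LINE_NOUSER")"
    printf '  unrelated sshd line:    %s\n' "$(rule_check "$2" "$LINE_OTHER")"
}

if [ "${RUN_DEMO:-1}" = 1 ]; then
    show_rule RULE_POSTED "$RULE_POSTED"
    show_rule RULE_FIXED "$RULE_FIXED"
fi
```

Running the script prints "error" for every line under RULE_POSTED and "match"/"match"/"nomatch" under RULE_FIXED. The same harness can be pointed at any candidate for ignore.d.server before it is installed; the point is to test rules under the locale and grep invocation the daemon actually uses, not the one the shell happens to provide.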
