Resolves: #1504979
--- logwatch-svn140/scripts/services/sshd 2018-06-19 10:56:44.035379006 +0200
|
|
|
678df9 |
+++ logwatch-svn140-new/scripts/services/sshd 2018-06-19 11:00:19.788028922 +0200
|
|
|
678df9 |
@@ -229,6 +229,7 @@ my %OtherList = ();
|
|
|
678df9 |
my %ChmodErr = ();
|
|
|
678df9 |
my %ChownErr = ();
|
|
|
678df9 |
my %Krb_relm = ();
|
|
|
678df9 |
+my %MaxAuthAttempts = ();
|
|
|
678df9 |
|
|
|
678df9 |
my $sftpRequests = 0;
|
|
|
678df9 |
my $NetworkErrors = 0;
|
|
|
678df9 |
@@ -249,6 +250,8 @@ while (defined(my $ThisLine = <STDIN>))
|
|
|
678df9 |
chomp($ThisLine);
|
|
|
678df9 |
if (
|
|
|
678df9 |
($ThisLine =~ /^pam_succeed_if: requirement "uid < 100" (not|was) met by user /) or
|
|
|
678df9 |
+ ($ThisLine =~ /^pam_succeed_if\(.*?\): requirement "uid >= 1000" (not|was) met by user /) or
|
|
|
678df9 |
+ ($ThisLine =~ /^PAM service\(.*?\) ignoring max retries/) or
|
|
|
678df9 |
($ThisLine =~ m/^(log: )?$/ ) or
|
|
|
678df9 |
($ThisLine =~ m/^(log: )?\^\[\[60G/ ) or
|
|
|
678df9 |
($ThisLine =~ m/^(log: )? succeeded$/ ) or
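Review bot: The `PAM service(...) ignoring max retries` pattern added at L87 sends a misconfiguration signal to the ignore list: as I read sshd's PAM code that message is emitted when the PAM stack reports PAM_MAXTRIES before sshd's own `MaxAuthTries` is reached, i.e. when the two retry limits disagree, and an admin reading the report would want to see it rather than have it silently dropped. I would let it fall through to the unmatched-entries section (or count it like the other authentication counters) instead of listing it here, or at least only ignore it when `$Detail` is below the level at which the Kerberos and other diagnostic sections are printed. The `uid >= 1000` pam_succeed_if pattern at L82 is fine as a noise filter. The `if (` condition these lines belong to starts at the top of the hunk and closes well past its end.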
|
|
|
678df9 |
@@ -260,6 +263,7 @@ while (defined(my $ThisLine = <STDIN>))
|
|
|
678df9 |
($ThisLine =~ m/^Connection closed by/) or
|
|
|
678df9 |
($ThisLine =~ m/^Disconnecting: Command terminated on signal \d+/) or
|
|
|
678df9 |
($ThisLine =~ m/^Disconnecting: server_input_channel_req: unknown channel -?\d+/) or
|
|
|
678df9 |
+ ($ThisLine =~ m/^Disconnecting: Change of username or service not allowed/) or
|
|
|
678df9 |
($ThisLine =~ m/^connect from \d+\.\d+\.\d+\.\d+/) or
|
|
|
678df9 |
($ThisLine =~ m/^fatal: Timeout before authentication/ ) or
|
|
|
678df9 |
($ThisLine =~ m/Connection from .* port /) or
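Review bot: `Disconnecting: Change of username or service not allowed` at L127 is sshd refusing a client that switched to a different login name on an already-started authentication, which in my experience is almost always a brute-force tool cycling user names over a single connection; adding it to the ignore list removes that indicator from the report entirely. I would count it rather than ignore it, e.g. `} elsif ($ThisLine =~ /^Disconnecting: Change of username or service not allowed/) { $UsernameChange++; }` with a matching `my $UsernameChange = 0;` declaration and a report line, or, if the full message carries the `(user,service) -> (user,service)` pair as I recall it does, key the count by the old and new user so the report shows what was attempted. The `if` condition this line belongs to starts above the hunk and closes below it.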
|
|
|
678df9 |
@@ -286,13 +290,19 @@ while (defined(my $ThisLine = <STDIN>))
|
|
|
678df9 |
($ThisLine =~ /pam_winbind\(sshd:account\): user .* granted access/) or
|
|
|
678df9 |
($ThisLine =~ /pam_winbind\(sshd:account\): user .* OK/) or
|
|
|
678df9 |
($ThisLine =~ /pam_systemd\(sshd:session\): Moving/) or
|
|
|
678df9 |
+ ($ThisLine =~ /pam_sepermit\(sshd:auth\): Cannot determine the user's name/) or
|
|
|
678df9 |
($ThisLine =~ /PAM \d+ more authentication failures?;/) or
|
|
|
678df9 |
($ThisLine =~ /^Failed keyboard-interactive for <invalid username> from/ ) or
|
|
|
678df9 |
($ThisLine =~ /^Keyboard-interactive \(PAM\) userauth failed/ ) or
|
|
|
678df9 |
($ThisLine =~ /^debug1: /) or
|
|
|
678df9 |
($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or
|
|
|
678df9 |
($ThisLine =~ /Exiting on signal .*$/) or
|
|
|
678df9 |
- ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/)
|
|
|
678df9 |
+ ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/) or
|
|
|
678df9 |
+ ($ThisLine =~ /Connection reset by .*$/) or
|
|
|
678df9 |
+ ($ThisLine =~ /Unable to negotiate with .*$/) or
|
|
|
678df9 |
+ ($ThisLine =~ /Protocol major versions differ for .*$/) or
|
|
|
678df9 |
+ ($ThisLine =~ /dispatch_protocol_error:.*$/) or
|
|
|
678df9 |
+ ($ThisLine =~ /invalid public DH value:.*$/)
|
|
|
678df9 |
) {
|
|
|
678df9 |
# Ignore these
|
|
|
678df9 |
} elsif ( my ($Method,$User,$Host,$Port) = ($ThisLine =~ /^Accepted (\S+) for (\S+) from ([\d\.:a-f]+) port (\d+)/) ) {
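Review bot: The new ignore patterns at L212–L232 silence every protocol-level failure sshd can log — `Unable to negotiate with`, `Protocol major versions differ`, `dispatch_protocol_error:`, `invalid public DH value:` — which are precisely the lines produced by scanners and malformed-handshake probes, and `Unable to negotiate with` is also the line an admin needs when a hardened `KexAlgorithms`/`Ciphers` setting starts breaking a legitimate client. I would count at least that one per host instead of dropping it, e.g. `} elsif (my ($Host,$Why) = ($ThisLine =~ /^Unable to negotiate with (\S+) port \d+: (.*)$/)) { $NegotiationFailed{$Why}{$Host}++; }` (message shape as seen in OpenSSH 7.x logs, worth confirming), with a declaration and a report block added alongside. As a point of style, the trailing `.*$` on each new pattern matches nothing useful and none of them is anchored, so `Connection reset by` or `dispatch_protocol_error:` would also claim any unrelated line that merely contains that text; `^Connection reset by ` and friends are tighter. The `if` condition these lines belong to starts above the hunk.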
|
|
|
678df9 |
@@ -310,6 +320,9 @@ while (defined(my $ThisLine = <STDIN>))
|
|
|
678df9 |
$IllegalUsers{$Host}{$User}++;
|
|
|
678df9 |
} elsif ( my ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures for ([^ ]+)/)) {
|
|
|
678df9 |
$TooManyFailures{$User}++;
|
|
|
678df9 |
+ # Apparently, the new format doesn't have to specify where the failures came from
|
|
|
678df9 |
+ } elsif ( my ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures(?: \[.*\])$/)) {
|
|
|
678df9 |
+ $TooManyFailures{"<unknown>"}++;
|
|
|
678df9 |
} elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (.+)/ ) { # ssh/openssh
|
|
|
678df9 |
my $name = LookupIP($3);
|
|
|
678df9 |
$NoIdent{$name}++;
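Review bot: At L277 `my ($User) = (...)` is assigned from a regex that has no capture group, so `$User` holds the match flag (1), never a user name, and is not used afterwards; the intent reads better as a plain boolean match: `} elsif ( $ThisLine =~ /Disconnecting: Too many authentication failures(?: \[.*\])$/) {`. More substantively, every such line is counted under `<unknown>` at L282, yet in the sshd versions that log this user-less form I believe the preceding `error: maximum authentication attempts exceeded for USER from HOST` line — which this same patch counts into `%MaxAuthAttempts` — describes the same event with user and source, so the `<unknown>` bucket is probably double-counting; worth checking against a real log before keeping both. The `while` loop enclosing this branch starts and ends outside the hunk.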
|
|
|
678df9 |
@@ -382,8 +395,8 @@ while (defined(my $ThisLine = <STDIN>))
|
|
|
678df9 |
} elsif ( my ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) {
|
|
|
678df9 |
$RefusedAuthentication{$Reason}++;
|
|
|
678df9 |
# Old format: Received disconnect from 192.168.122.1: 11: disconnected by user
|
|
|
678df9 |
- # New format: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
|
|
|
678df9 |
- } elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]*)(?: port \d+)?: ?(.*)$/)) {
|
|
|
678df9 |
+ # New format: error: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
|
|
|
678df9 |
+ } elsif ( my ($Host,$Reason) = ($ThisLine =~ /Received disconnect from ([^ ]+)(?: port \d+)?: ?(.*)$/)) {
|
|
|
678df9 |
$DisconnectReceived{$Reason}{$Host}++;
|
|
|
678df9 |
} elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
|
|
|
678df9 |
$RootLogin{$Host}++;
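Review bot: The rewritten `Received disconnect` pattern at L337 drops the `^` anchor to accept the `error: ` prefix the comment shows, but that loosens more than needed — the text now matches anywhere in a line. Keep the anchor and make the prefix optional instead: `/^(?:error: )?Received disconnect from ([^ ]+)(?: port \d+)?: ?(.*)$/`. Worth keeping in mind when touching this branch: the captured `$Reason` is the description string the remote client sent in its SSH_MSG_DISCONNECT, i.e. attacker-chosen text that becomes a hash key printed verbatim in the report; sshd escapes non-printables in its log output as far as I know, but the reported strings should still be treated as untrusted by whatever renders the report. The `while` loop enclosing this branch starts and ends outside the hunk.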
|
|
|
678df9 |
@@ -442,6 +455,8 @@ while (defined(my $ThisLine = <STDIN>))
|
|
|
678df9 |
$ChownErr{"$File,$From,$To,$Why"}++;
|
|
|
678df9 |
} elsif (my ($user,$relm) = ($ThisLine =~ /Authorized to ([^ ]+), krb5 principal \1@([^ ]+) \(krb5_kuserok\)/)) {
|
|
|
678df9 |
$Krb_relm{$relm}{$user}++;
|
|
|
678df9 |
+ } elsif (my ($user,$ip) = ($ThisLine =~ /maximum authentication attempts exceeded for (?:invalid user )?([^ ]+) from ([^ ]+)/)) {
|
|
|
678df9 |
+ $MaxAuthAttempts{$user}{$ip}++;
|
|
|
678df9 |
} else {
|
|
|
678df9 |
# Report any unmatched entries...
|
|
|
678df9 |
unless ($ThisLine =~ /fwd X11 connect/) {
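Review bot: The new `maximum authentication attempts exceeded` branch at L377 deliberately swallows the `invalid user ` prefix, so attempts against accounts that exist and attempts against non-existent names land in the same bucket, whereas the rest of this script keeps those apart (`%IllegalUsers` vs. the per-user failure counts). Capturing the prefix costs nothing: `} elsif (my ($Invalid,$user,$ip) = ($ThisLine =~ /maximum authentication attempts exceeded for (invalid user )?([^ ]+) from ([^ ]+)/)) {` followed by `$MaxAuthAttempts{$Invalid ? "$user (invalid user)" : $user}{$ip}++;`. Note also that `$user` here is whatever login name the remote side supplied, so it is untrusted text that becomes a report key. The `while` loop enclosing this branch starts and ends outside the hunk.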
|
|
|
678df9 |
@@ -817,6 +832,16 @@ if ( ($Detail == 7 && keys %Krb_relm > 1
|
|
|
678df9 |
}
|
|
|
678df9 |
}
|
|
|
678df9 |
|
|
|
678df9 |
+if (keys %MaxAuthAttempts) {
|
|
|
678df9 |
+ print "\nMaximum authentication attemps exceeded:\n ";
|
|
|
678df9 |
+ foreach my $user (keys %MaxAuthAttempts) {
|
|
|
678df9 |
+ print " ",$user,":\n";
|
|
|
678df9 |
+ foreach my $ip (keys $MaxAuthAttempts{$user}) {
|
|
|
678df9 |
+ print " ",$ip,": ". $MaxAuthAttempts{$user}{$ip} . " Times(s)\n";
|
|
|
678df9 |
+ }
|
|
|
678df9 |
+ }
|
|
|
678df9 |
+}
|
|
|
678df9 |
+
|
|
|
678df9 |
if (keys %OtherList) {
|
|
|
678df9 |
print "\n**Unmatched Entries**\n";
|
|
|
678df9 |
print "$_ : $OtherList{$_} time(s)\n" foreach keys %OtherList;
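Review bot: `keys $MaxAuthAttempts{$user}` at L441 calls `keys` on a hash reference, an experimental feature that Perl 5.24 removed; unless logwatch is pinned to an older perl this line is a compile-time error ("Experimental keys on scalar is now forbidden") and the whole sshd service script stops, which silently disables every other section of the report. It must be `foreach my $ip (sort keys %{$MaxAuthAttempts{$user}}) {` — sorting also makes the report order deterministic. Two wording fixes in the same block: `attemps` → `attempts` in the heading at L426 and `Times(s)` → `Time(s)` at L446, matching the `time(s)` wording of the unmatched-entries section; the stray trailing space in the heading's `":\n "` also misaligns the first user line.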