Resolves: #1504979
--- logwatch-svn140/scripts/services/sshd 2018-06-19 10:56:44.035379006 +0200
+++ logwatch-svn140-new/scripts/services/sshd 2018-06-19 11:00:19.788028922 +0200
@@ -229,6 +229,7 @@ my %OtherList = ();
my %ChmodErr = ();
my %ChownErr = ();
my %Krb_relm = ();
+my %MaxAuthAttempts = ();
my $sftpRequests = 0;
my $NetworkErrors = 0;
@@ -249,6 +250,8 @@ while (defined(my $ThisLine = <STDIN>))
chomp($ThisLine);
if (
($ThisLine =~ /^pam_succeed_if: requirement "uid < 100" (not|was) met by user /) or
+ ($ThisLine =~ /^pam_succeed_if\(.*?\): requirement "uid >= 1000" (not|was) met by user /) or
+ ($ThisLine =~ /^PAM service\(.*?\) ignoring max retries/) or
($ThisLine =~ m/^(log: )?$/ ) or
($ThisLine =~ m/^(log: )?\^\[\[60G/ ) or
($ThisLine =~ m/^(log: )? succeeded$/ ) or
@@ -260,6 +263,7 @@ while (defined(my $ThisLine = <STDIN>))
($ThisLine =~ m/^Connection closed by/) or
($ThisLine =~ m/^Disconnecting: Command terminated on signal \d+/) or
($ThisLine =~ m/^Disconnecting: server_input_channel_req: unknown channel -?\d+/) or
+ ($ThisLine =~ m/^Disconnecting: Change of username or service not allowed/) or
($ThisLine =~ m/^connect from \d+\.\d+\.\d+\.\d+/) or
($ThisLine =~ m/^fatal: Timeout before authentication/ ) or
($ThisLine =~ m/Connection from .* port /) or
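Review bot: The `Disconnecting: Change of username or service not allowed` pattern added to the ignore list appears to be the message sshd emits when a client switches user name or service part-way through an authentication exchange, which is a protocol violation a report reader would want to see rather than a routine disconnect. Putting it in the ignore block removes it from the report entirely; either leave it out so it still surfaces under Unmatched Entries, or give it a counter like the `Too many authentication failures` branches further down and print it in the summary. The enclosing `if ( ... ) { # Ignore these }` condition starts before this hunk.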
@@ -286,13 +290,19 @@ while (defined(my $ThisLine = <STDIN>))
($ThisLine =~ /pam_winbind\(sshd:account\): user .* granted access/) or
($ThisLine =~ /pam_winbind\(sshd:account\): user .* OK/) or
($ThisLine =~ /pam_systemd\(sshd:session\): Moving/) or
+ ($ThisLine =~ /pam_sepermit\(sshd:auth\): Cannot determine the user's name/) or
($ThisLine =~ /PAM \d+ more authentication failures?;/) or
($ThisLine =~ /^Failed keyboard-interactive for <invalid username> from/ ) or
($ThisLine =~ /^Keyboard-interactive \(PAM\) userauth failed/ ) or
($ThisLine =~ /^debug1: /) or
($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or
($ThisLine =~ /Exiting on signal .*$/) or
- ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/)
+ ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/) or
+ ($ThisLine =~ /Connection reset by .*$/) or
+ ($ThisLine =~ /Unable to negotiate with .*$/) or
+ ($ThisLine =~ /Protocol major versions differ for .*$/) or
+ ($ThisLine =~ /dispatch_protocol_error:.*$/) or
+ ($ThisLine =~ /invalid public DH value:.*$/)
) {
# Ignore these
} elsif ( my ($Method,$User,$Host,$Port) = ($ThisLine =~ /^Accepted (\S+) for (\S+) from ([\d\.:a-f]+) port (\d+)/) ) {
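Review bot: The five patterns appended to the ignore list are unanchored and end in a redundant `.*$`, so `/Connection reset by .*$/` and `/dispatch_protocol_error:.*$/` match that phrase anywhere in any line, looser than the `^`-anchored entries above them; `m/^Connection reset by /` and `m/^dispatch_protocol_error:/` say the same thing precisely. More importantly, `Unable to negotiate with` and `invalid public DH value` are not noise: the first is logged when no common key-exchange, cipher or host-key algorithm could be agreed with the peer and the second when a peer sends a malformed key-exchange value, and both are events worth counting per host rather than dropping silently. Consider giving them a branch and counter like the `maximum authentication attempts` one added later in this patch. The enclosing `if ( ... ) { # Ignore these }` condition starts before this hunk.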
@@ -310,6 +320,9 @@ while (defined(my $ThisLine = <STDIN>))
$IllegalUsers{$Host}{$User}++;
} elsif ( my ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures for ([^ ]+)/)) {
$TooManyFailures{$User}++;
+ # Apparently, the new format doesn't have to specify where the failures came from
+ } elsif ( my ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures(?: \[.*\])$/)) {
+ $TooManyFailures{"<unknown>"}++;
} elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (.+)/ ) { # ssh/openssh
my $name = LookupIP($3);
$NoIdent{$name}++;
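Review bot: The new branch at L54 declares `my ($User)` from a regex that has no capture group, so on a match `$User` is just 1 and is never read (the branch counts under `"<unknown>"`), while the `(?: \[.*\])` suffix is grouped but not made optional, so a line that ends right after `failures` — the case the comment above it describes — does not match at all. If the suffix is meant to be optional, `} elsif ( $ThisLine =~ /Disconnecting: Too many authentication failures(?: \[.*\])?$/ ) {` fixes both. Placing it after the `for ([^ ]+)` branch at L51 is right, since that branch still captures the user when one is present. The if/elsif chain starts before this hunk.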
@@ -382,8 +395,8 @@ while (defined(my $ThisLine = <STDIN>))
} elsif ( my ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) {
$RefusedAuthentication{$Reason}++;
# Old format: Received disconnect from 192.168.122.1: 11: disconnected by user
- # New format: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
- } elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]*)(?: port \d+)?: ?(.*)$/)) {
+ # New format: error: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
+ } elsif ( my ($Host,$Reason) = ($ThisLine =~ /Received disconnect from ([^ ]+)(?: port \d+)?: ?(.*)$/)) {
$DisconnectReceived{$Reason}{$Host}++;
} elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
$RootLogin{$Host}++;
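Review bot: Dropping the `^` from the `Received disconnect from` pattern to accept the `error:` prefix leaves the match unanchored, so any line containing that phrase anywhere now lands in this branch with whatever follows taken as host and reason. Keeping the anchor and allowing the prefix explicitly, `/^(?:error: )?Received disconnect from ([^ ]+)(?: port \d+)?: ?(.*)$/`, covers both formats shown in the comment without widening the match. The if/elsif chain this branch belongs to starts before this hunk.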
@@ -442,6 +455,8 @@ while (defined(my $ThisLine = <STDIN>))
$ChownErr{"$File,$From,$To,$Why"}++;
} elsif (my ($user,$relm) = ($ThisLine =~ /Authorized to ([^ ]+), krb5 principal \1@([^ ]+) \(krb5_kuserok\)/)) {
$Krb_relm{$relm}{$user}++;
+ } elsif (my ($user,$ip) = ($ThisLine =~ /maximum authentication attempts exceeded for (?:invalid user )?([^ ]+) from ([^ ]+)/)) {
+ $MaxAuthAttempts{$user}{$ip}++;
} else {
# Report any unmatched entries...
unless ($ThisLine =~ /fwd X11 connect/) {
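Review bot: The per-user, per-host hash filled at L75 is read back in this patch's report hunk with `keys $MaxAuthAttempts{$user}` (L86), the experimental scalar autoderef form that Perl 5.24 removed, so the script fails to compile there on a current perl; it has to be `keys %{ $MaxAuthAttempts{$user} }`. In that same report block the header string reads `attemps` and the per-host line prints `Times(s)` where the rest of the report uses `time(s)`. In this hunk itself the `(?:invalid user )?` prefix is discarded, so attempts against a nonexistent account and against a real one are merged into one row; capturing it, `/maximum authentication attempts exceeded for ((?:invalid user )?[^ ]+) from ([^ ]+)/`, keeps the distinction the `%IllegalUsers` branch above already makes. The if/elsif chain starts before this hunk.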
@@ -817,6 +832,16 @@ if ( ($Detail == 7 && keys %Krb_relm > 1
}
}
+if (keys %MaxAuthAttempts) {
+ print "\nMaximum authentication attemps exceeded:\n ";
+ foreach my $user (keys %MaxAuthAttempts) {
+ print " ",$user,":\n";
+ foreach my $ip (keys $MaxAuthAttempts{$user}) {
+ print " ",$ip,": ". $MaxAuthAttempts{$user}{$ip} . " Times(s)\n";
+ }
+ }
+}
+
if (keys %OtherList) {
print "\n**Unmatched Entries**\n";
print "$_ : $OtherList{$_} time(s)\n" foreach keys %OtherList;