Resolves: #1504979

--- logwatch-svn140/scripts/services/sshd	2018-06-19 10:56:44.035379006 +0200
+++ logwatch-svn140-new/scripts/services/sshd	2018-06-19 11:00:19.788028922 +0200
@@ -229,6 +229,7 @@ my %OtherList = ();
 my %ChmodErr = ();
 my %ChownErr = ();
 my %Krb_relm = ();
+my %MaxAuthAttempts = ();
 
 my $sftpRequests = 0;
 my $NetworkErrors = 0;
@@ -249,6 +250,8 @@ while (defined(my $ThisLine = <STDIN>))
    chomp($ThisLine);
    if (
        ($ThisLine =~ /^pam_succeed_if: requirement "uid < 100" (not|was) met by user /) or
+       ($ThisLine =~ /^pam_succeed_if\(.*?\): requirement "uid >= 1000" (not|was) met by user /) or
+       ($ThisLine =~ /^PAM service\(.*?\) ignoring max retries/) or
        ($ThisLine =~ m/^(log: )?$/ ) or
        ($ThisLine =~ m/^(log: )?\^\[\[60G/ ) or
        ($ThisLine =~ m/^(log: )? succeeded$/ ) or
@@ -260,6 +263,7 @@ while (defined(my $ThisLine = <STDIN>))
        ($ThisLine =~ m/^Connection closed by/) or
        ($ThisLine =~ m/^Disconnecting: Command terminated on signal \d+/) or
        ($ThisLine =~ m/^Disconnecting: server_input_channel_req: unknown channel -?\d+/) or
+       ($ThisLine =~ m/^Disconnecting: Change of username or service not allowed/) or
        ($ThisLine =~ m/^connect from \d+\.\d+\.\d+\.\d+/) or
        ($ThisLine =~ m/^fatal: Timeout before authentication/ ) or
        ($ThisLine =~ m/Connection from .* port /) or
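Review bot: The new ignore pattern for `Disconnecting: Change of username or service not allowed` discards a line that only appears when a client tries to switch the username mid-authentication, which ordinary clients never do and brute-force/enumeration tooling sometimes does, so it is a signal worth keeping rather than noise. I would not add it to the ignore list; instead tally it, capturing whatever follows the fixed prefix (OpenSSH appends the old and new user/service pair there, as far as I recall — verify against your logs), e.g. `} elsif ( my ($Detail) = ($ThisLine =~ /^Disconnecting: Change of username or service not allowed:? ?(.*)$/)) { $UsernameChange{$Detail}++;`, with the hash declared and reported alongside the others outside this hunk. The enclosing `while` loop and `if` chain begin before this hunk.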
@@ -286,13 +290,19 @@ while (defined(my $ThisLine = <STDIN>))
        ($ThisLine =~ /pam_winbind\(sshd:account\): user .* granted access/) or
        ($ThisLine =~ /pam_winbind\(sshd:account\): user .* OK/) or
        ($ThisLine =~ /pam_systemd\(sshd:session\): Moving/) or
+       ($ThisLine =~ /pam_sepermit\(sshd:auth\): Cannot determine the user's name/) or
        ($ThisLine =~ /PAM \d+ more authentication failures?;/) or
        ($ThisLine =~ /^Failed keyboard-interactive for <invalid username> from/ ) or
        ($ThisLine =~ /^Keyboard-interactive \(PAM\) userauth failed/ ) or
        ($ThisLine =~ /^debug1: /) or
        ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or
        ($ThisLine =~ /Exiting on signal .*$/) or
-       ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/)
+       ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/) or
+       ($ThisLine =~ /Connection reset by .*$/) or
+       ($ThisLine =~ /Unable to negotiate with .*$/) or
+       ($ThisLine =~ /Protocol major versions differ for .*$/) or
+       ($ThisLine =~ /dispatch_protocol_error:.*$/) or
+       ($ThisLine =~ /invalid public DH value:.*$/)
    ) {
       # Ignore these
    } elsif ( my ($Method,$User,$Host,$Port) = ($ThisLine =~ /^Accepted (\S+) for (\S+) from ([\d\.:a-f]+) port (\d+)/) ) {
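Review bot: `invalid public DH value:` and `Unable to negotiate with` in the added rows are protocol-level anomalies — a peer sending a malformed DH public value, or one that offers only algorithms the server refuses — and those are exactly the lines that separate scanners and fuzzers from ordinary failed logins, yet the hunk drops them with the noise. The negotiation failure also names the peer, so it can be counted instead of ignored, e.g. `} elsif ( my ($Host,$Why) = ($ThisLine =~ /^Unable to negotiate with ([^ ]+) port \d+: (.*)$/)) { $NegotiationFailures{$Host}{$Why}++;` (hash declared and printed outside this hunk). As a point of style, the trailing `.*$` on each new pattern is a no-op because the patterns are not anchored at the start; `/Connection reset by /` matches the same lines. The `if` chain these rows extend starts before this hunk.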
@@ -310,6 +320,9 @@ while (defined(my $ThisLine = <STDIN>))
       $IllegalUsers{$Host}{$User}++;
    } elsif ( my ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures for ([^ ]+)/)) {
       $TooManyFailures{$User}++;
+   # Apparently, the new format doesn't have to specify where the failures came from
+   } elsif ( my ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures(?: \[.*\])$/)) {
+      $TooManyFailures{"<unknown>"}++;
    } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (.+)/ ) { # ssh/openssh
       my $name = LookupIP($3);
       $NoIdent{$name}++;
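Review bot: `my ($User)` on the added `elsif` has nothing to capture — the pattern contains no capturing group — so `$User` receives the match count 1 and is never used; write the branch as `} elsif ( $ThisLine =~ /Disconnecting: Too many authentication failures(?: \[.*\])?$/ ) {`. Note that `(?: \[.*\])` is mandatory as written, so the line is only matched when a bracketed suffix such as `[preauth]` is present; make it optional with `?` unless that suffix is guaranteed. Lumping every hit under `<unknown>` is only unavoidable if the line truly carries no origin: if your sshd emits the form `Disconnecting authenticating user X Y port N: Too many authentication failures` (later OpenSSH releases do, to my knowledge), neither pattern here matches it and the user and host could be captured instead — confirm against your logs.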
@@ -382,8 +395,8 @@ while (defined(my $ThisLine = <STDIN>))
    } elsif ( my ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) {
       $RefusedAuthentication{$Reason}++;
    # Old format: Received disconnect from 192.168.122.1: 11: disconnected by user
-   # New format: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
-   } elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]*)(?: port \d+)?: ?(.*)$/)) {
+   # New format: error: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
+   } elsif ( my ($Host,$Reason) = ($ThisLine =~ /Received disconnect from ([^ ]+)(?: port \d+)?: ?(.*)$/)) {
       $DisconnectReceived{$Reason}{$Host}++;
    } elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
       $RootLogin{$Host}++;
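Review bot: Dropping the `^` anchor from the `Received disconnect from` pattern to admit the `error: ` prefix makes it match the phrase anywhere in a line, which is looser than the two documented formats need; `/^(?:error: )?Received disconnect from ([^ ]+)(?: port \d+)?: ?(.*)$/` accepts both and keeps the anchor. The comment above it should then mention that the `error: ` prefix is optional. The if/elsif chain this sits in continues outside the hunk.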
@@ -442,6 +455,8 @@ while (defined(my $ThisLine = <STDIN>))
       $ChownErr{"$File,$From,$To,$Why"}++;
    } elsif (my ($user,$relm) = ($ThisLine =~ /Authorized to ([^ ]+), krb5 principal \1@([^ ]+) \(krb5_kuserok\)/)) {
       $Krb_relm{$relm}{$user}++;  
+   } elsif (my ($user,$ip) = ($ThisLine =~ /maximum authentication attempts exceeded for (?:invalid user )?([^ ]+) from ([^ ]+)/)) {
+      $MaxAuthAttempts{$user}{$ip}++;
    } else {
       # Report any unmatched entries...
       unless ($ThisLine =~ /fwd X11 connect/) {
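Review bot: The added pattern puts `invalid user ` in a non-capturing group, so a sweep against non-existent accounts and guessing against a real account both land under the same `$user` key, and the report can no longer distinguish user enumeration from attacks on a known login. Capture the marker and keep the two apart, e.g. `} elsif (my ($invalid,$user,$ip) = ($ThisLine =~ /maximum authentication attempts exceeded for (invalid user )?([^ ]+) from ([^ ]+)/)) {` followed by `$MaxAuthAttempts{($invalid ? "invalid user $user" : $user)}{$ip}++;`. Both captures are attacker-supplied and are printed verbatim by the new report section, so if the report is mailed or rendered elsewhere this is the place to constrain them to a safe character class rather than `[^ ]+`. The `while` loop containing this branch starts and ends outside the hunk.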
@@ -817,6 +832,16 @@ if ( ($Detail == 7 && keys %Krb_relm > 1
   }
 }
 
+if (keys %MaxAuthAttempts) {
+   print "\nMaximum authentication attemps exceeded:\n ";
+   foreach my $user (keys %MaxAuthAttempts) {
+      print "   ",$user,":\n";
+      foreach my $ip (keys $MaxAuthAttempts{$user}) {
+         print "     ",$ip,": ". $MaxAuthAttempts{$user}{$ip} . " Times(s)\n";
+      }
+   }
+}
+
 if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    print "$_ : $OtherList{$_} time(s)\n" foreach keys %OtherList;
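Review bot: `keys $MaxAuthAttempts{$user}` in the inner `foreach` uses the experimental "keys on a hashref" syntax, which was removed in Perl 5.24 and is a compile-time error there, so the whole script fails on a current perl once this block exists; dereference explicitly with `foreach my $ip (sort keys %{ $MaxAuthAttempts{$user} }) {`. The header also misspells `attemps` and prints `Times(s)`: use `print "\nMaximum authentication attempts exceeded:\n";` and `" Time(s)\n"`, and iterate `sort keys %MaxAuthAttempts` so consecutive reports list entries in a stable order. `%MaxAuthAttempts` itself is declared in an earlier hunk.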