diff --git a/SOURCES/logwatch-sshd-format-2.patch b/SOURCES/logwatch-sshd-format-2.patch
new file mode 100644
index 0000000..9811a06
--- /dev/null
+++ b/SOURCES/logwatch-sshd-format-2.patch
@@ -0,0 +1,97 @@
+Resolves: #1504979
+
+--- logwatch-svn140/scripts/services/sshd 2018-06-19 10:56:44.035379006 +0200
++++ logwatch-svn140-new/scripts/services/sshd 2018-06-19 11:00:19.788028922 +0200
+@@ -229,6 +229,7 @@ my %OtherList = ();
+ my %ChmodErr = ();
+ my %ChownErr = ();
+ my %Krb_relm = ();
++my %MaxAuthAttempts = ();
+
+ my $sftpRequests = 0;
+ my $NetworkErrors = 0;
+@@ -249,6 +250,8 @@ while (defined(my $ThisLine = ))
+ chomp($ThisLine);
+ if (
+ ($ThisLine =~ /^pam_succeed_if: requirement "uid < 100" (not|was) met by user /) or
++ ($ThisLine =~ /^pam_succeed_if\(.*?\): requirement "uid >= 1000" (not|was) met by user /) or
++ ($ThisLine =~ /^PAM service\(.*?\) ignoring max retries/) or
+ ($ThisLine =~ m/^(log: )?$/ ) or
+ ($ThisLine =~ m/^(log: )?\^\[\[60G/ ) or
+ ($ThisLine =~ m/^(log: )? succeeded$/ ) or
+@@ -260,6 +263,7 @@ while (defined(my $ThisLine = ))
+ ($ThisLine =~ m/^Connection closed by/) or
+ ($ThisLine =~ m/^Disconnecting: Command terminated on signal \d+/) or
+ ($ThisLine =~ m/^Disconnecting: server_input_channel_req: unknown channel -?\d+/) or
++ ($ThisLine =~ m/^Disconnecting: Change of username or service not allowed/) or
+ ($ThisLine =~ m/^connect from \d+\.\d+\.\d+\.\d+/) or
+ ($ThisLine =~ m/^fatal: Timeout before authentication/ ) or
+ ($ThisLine =~ m/Connection from .* port /) or
+@@ -286,13 +290,19 @@ while (defined(my $ThisLine = ))
+ ($ThisLine =~ /pam_winbind\(sshd:account\): user .* granted access/) or
+ ($ThisLine =~ /pam_winbind\(sshd:account\): user .* OK/) or
+ ($ThisLine =~ /pam_systemd\(sshd:session\): Moving/) or
++ ($ThisLine =~ /pam_sepermit\(sshd:auth\): Cannot determine the user's name/) or
+ ($ThisLine =~ /PAM \d+ more authentication failures?;/) or
+ ($ThisLine =~ /^Failed keyboard-interactive for from/ ) or
+ ($ThisLine =~ /^Keyboard-interactive \(PAM\) userauth failed/ ) or
+ ($ThisLine =~ /^debug1: /) or
+ ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or
+ ($ThisLine =~ 
/Exiting on signal .*$/) or
+- ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/)
++ ($ThisLine =~ /Disconnected from (?:[^ ]*) port .*$/) or
++ ($ThisLine =~ /Connection reset by .*$/) or
++ ($ThisLine =~ /Unable to negotiate with .*$/) or
++ ($ThisLine =~ /Protocol major versions differ for .*$/) or
++ ($ThisLine =~ /dispatch_protocol_error:.*$/) or
++ ($ThisLine =~ /invalid public DH value:.*$/)
+ ) {
+ # Ignore these
+ } elsif ( my ($Method,$User,$Host,$Port) = ($ThisLine =~ /^Accepted (\S+) for (\S+) from ([\d\.:a-f]+) port (\d+)/) ) {
+@@ -310,6 +320,9 @@ while (defined(my $ThisLine = ))
+ $IllegalUsers{$Host}{$User}++;
+ } elsif ( my ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures for ([^ ]+)/)) {
+ $TooManyFailures{$User}++;
++ # Apparently, the new format doesn't have to specify where the failures came from
++ } elsif ( my ($User) = ( $ThisLine =~ /Disconnecting: Too many authentication failures(?: \[.*\])$/)) {
++ $TooManyFailures{""}++;
+ } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? 
string from (.+)/ ) { # ssh/openssh
+ my $name = LookupIP($3);
+ $NoIdent{$name}++;
+@@ -382,8 +395,8 @@ while (defined(my $ThisLine = ))
+ } elsif ( my ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) {
+ $RefusedAuthentication{$Reason}++;
+ # Old format: Received disconnect from 192.168.122.1: 11: disconnected by user
+- # New format: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
+- } elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]*)(?: port \d+)?: ?(.*)$/)) {
++ # New format: error: Received disconnect from 192.168.122.1 port 43680:11: disconnected by user
++ } elsif ( my ($Host,$Reason) = ($ThisLine =~ /Received disconnect from ([^ ]+)(?: port \d+)?: ?(.*)$/)) {
+ $DisconnectReceived{$Reason}{$Host}++;
+ } elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
+ $RootLogin{$Host}++;
+@@ -442,6 +455,8 @@ while (defined(my $ThisLine = ))
+ $ChownErr{"$File,$From,$To,$Why"}++;
+ } elsif (my ($user,$relm) = ($ThisLine =~ /Authorized to ([^ ]+), krb5 principal \1@([^ ]+) \(krb5_kuserok\)/)) {
+ $Krb_relm{$relm}{$user}++;
++ } elsif (my ($user,$ip) = ($ThisLine =~ /maximum authentication attempts exceeded for (?:invalid user )?([^ ]+) from ([^ ]+)/)) {
++ $MaxAuthAttempts{$user}{$ip}++;
+ } else {
+ # Report any unmatched entries...
+ unless ($ThisLine =~ /fwd X11 connect/) {
+@@ -817,6 +832,16 @@ if ( ($Detail == 7 && keys %Krb_relm > 1
+ }
+ }
+
++if (keys %MaxAuthAttempts) {
++ print "\nMaximum authentication attemps exceeded:\n ";
++ foreach my $user (keys %MaxAuthAttempts) {
++ print " ",$user,":\n";
++ foreach my $ip (keys $MaxAuthAttempts{$user}) {
++ print " ",$ip,": ". $MaxAuthAttempts{$user}{$ip} . " Times(s)\n";
++ }
++ }
++}
++
+ if (keys %OtherList) {
+ print "\n**Unmatched Entries**\n";
+ print "$_ : $OtherList{$_} time(s)\n" foreach keys %OtherList;
diff --git a/SPECS/logwatch.spec b/SPECS/logwatch.spec
index 49e6565..649f8ff 100644
--- a/SPECS/logwatch.spec
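Review bot: `foreach my $ip (keys $MaxAuthAttempts{$user}) {` in the new `%MaxAuthAttempts` report block calls `keys` on a hash reference, an autoderef form that Perl only ever accepted as experimental (5.14–5.22) and rejects as a fatal error from 5.24 on, so the report aborts as soon as that counter is non-empty; write it as `foreach my $ip (keys %{ $MaxAuthAttempts{$user} }) {`. The same block misspells the heading (`attemps`) and prints `Times(s)` where the adjacent `%OtherList` report prints `time(s)`. The `$TooManyFailures{""}++` branch will give that report an entry with an empty user name unless its printing code, which lies outside this hunk, special-cases it; a visible placeholder such as `"(unknown)"` as the key would read better. From the monitoring side, the newly ignored `Unable to negotiate with`, `Protocol major versions differ for` and `invalid public DH value:` lines are what a scanner or a mis-configured client leaves behind, so counting them in the style of `%MaxAuthAttempts` rather than dropping them would keep that signal in the report. Both the main `while` loop and the reporting section continue outside this hunk.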
+++ b/SPECS/logwatch.spec @@ -1,7 +1,7 @@ Summary: A log file analysis program Name: logwatch Version: 7.4.0 -Release: 34.20130522svn140%{?dist} +Release: 35.20130522svn140%{?dist} License: MIT Group: Applications/System URL: http://www.logwatch.org/ @@ -37,6 +37,7 @@ Patch28: logwatch-sshd-format.patch Patch29: logwatch-base64.patch ### upstreamed Patch30: logwatch-journald.patch +Patch31: logwatch-sshd-format-2.patch Requires: textutils sh-utils grep mailx Requires: perl(Date::Manip) @@ -72,6 +73,7 @@ of the package on many systems. %patch28 -p1 %patch29 -p1 %patch30 -p1 +%patch31 -p1 rm -f scripts/services/*.orig %build @@ -171,6 +173,9 @@ echo "# Configuration overrides for specific logfiles/services may be placed her %{_mandir}/man*/* %changelog +* Tue Jun 19 2018 Jan Synáček - 7.4.0-35.20130522svn140 +- unmatched entries after ssh changed log format (#1504979) + * Mon Nov 27 2017 Jan Synáček - 7.4.0-34.20130522svn140 - add support for systemd journal (#1504984)