From 7858c1ffd4ff6f0c86e361a12fadf58fc1ac419f Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Thu, 2 Nov 2017 08:51:50 +0100
Subject: [PATCH 1/2] =?UTF-8?q?Ny=20regler=20f=C3=B6r=20Ubuntu=2017.10?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 logcheck_ubuntu | 15 +++++++++++++--
 testlog | 9 +++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/logcheck_ubuntu b/logcheck_ubuntu
index 7eec4a1..26bd751 100644
--- a/logcheck_ubuntu
+++ b/logcheck_ubuntu
@@ -78,7 +78,8 @@
 #
 #Mar 2 14:16:53 marconi sshd[4282]: Connection closed by 163.172.210.106 port 56708 [preauth]
-\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by [.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
+#Nov 2 07:25:58 marconi sshd[22932]: Connection closed by invalid user foo 175.6.27.49 port 6920 [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by (invalid user [[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
 #Mar 2 13:42:26 marconi sshd[25003]: Received disconnect from 155.4.131.66 port 2983:11: disconnected by user
 #Mar 2 17:00:04 marconi sshd[31419]: Received disconnect from 116.31.116.18 port 20137:11: [preauth]
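Review bot: The rewritten `Connection closed by` rule (the `+\w{3} ...` line) is still not anchored with `^`, unlike the `Disconnected from` and `Connection reset by` rules in the following hunks, so it is matched as a substring anywhere in the line; make it `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by (invalid user [[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]`. The second patch on this page rewrites the same rule and keeps it unanchored. The `(invalid user [[:alnum:]]+ )?` alternative turns this from a plain-disconnect filter into one that also hides the teardown of failed-login attempts, which is only acceptable if the `Invalid user`/`Failed password` lines for the same attempt are still reported; that is not visible here and deserves a comment above the rule, e.g. `# preauth teardown only; the auth failure itself must remain visible`.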
@@ -87,6 +88,10 @@
 #Mar 2 13:42:26 marconi sshd[25003]: Disconnected from 155.4.131.66 port 2983
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from [.:[:digit:]]+ (port [.:[:digit:]]+ )?
+#Nov 2 07:59:27 marconi sshd[1655]: Disconnected from invalid user admin 121.156.90.110 port 46078 [preauth]
+#Nov 2 08:01:51 marconi sshd[3848]: Disconnected from authenticating user root 121.18.238.123 port 47854 [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from (invalid|authenticating) user [[:alnum:]]+ [.:[:digit:]]+ (port [.:[:digit:]]+ )?
+
 #Mar 2 17:00:24 marconi sshd[556]: Connection reset by 119.147.115.37 port 1841 [preauth]
 #Mar 2 17:07:35 marconi sshd[2635]: Connection reset by 119.147.115.37 port 1070 [preauth]
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection reset by [.:[:digit:]]+ port [.:[:digit:]]+ \[preauth\]
@@ -118,9 +123,15 @@
 #Feb 27 18:16:55 marconi sshd[30123]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024
+#Nov 2 07:34:15 marconi sshd[26033]: Did not receive identification string from 163.172.136.101 port 37627
+#Nov 2 07:48:30 marconi sshd[30673]: Did not receive identification string from 121.156.90.110 port 44398
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from [.:[:digit:]]+ port [.:[:digit:]]+
+#Nov 2 07:34:03 marconi sshd[25979]: ssh_dispatch_run_fatal: Connection from 170.250.140.52 port 45852: DH GEX group out of range [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [.:[:digit:]]+ port [.:[:digit:]]+: DH GEX group out of range \[preauth\]
-
+#Nov 2 07:49:45 marconi sshd[30998]: Disconnecting authenticating user root 180.130.191.9 port 45306: Too many authentication failures [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting authenticating user root [.:[:digit:]]+ port [.:[:digit:]]+: Too many authentication failures \[preauth\]
 #
 # SYSTEMD
diff --git a/testlog b/testlog
index 1014174..3d23e31 100644
--- a/testlog
+++ b/testlog
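Review bot: The third new rule, `... Disconnecting authenticating user root ... Too many authentication failures \[preauth\]`, suppresses the line sshd emits when one client exhausts MaxAuthTries against root, which is the clearest per-connection evidence of a password-guessing run, whereas the `Did not receive identification string` and `DH GEX group out of range` rules above it drop genuine scanner noise. If `Failed password for root` lines are ignored elsewhere in this file (not visible here), the logcheck report would no longer show such runs at all. I would leave this rule out, or at least record the decision in the preceding comment, e.g. `# root exhausted MaxAuthTries; the individual failures are still reported above`. The literal `root` is also the only fixed user name among these rules; if it is meant to be narrower than the `[[:alnum:]]+` class used in the earlier hunks, a comment saying so would help.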
@@ -585,6 +585,15 @@ Sep 8 20:49:21 nada sm-mta[14243]: STARTTLS: read error=syscall error (-1), err
 Sep 11 00:02:05 cocacola sm-mta[4678]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
 Sep 11 11:32:09 cocacola sshd[5924]: Received disconnect from 5.189.139.2: 11: Normal Shutdown, Thank you for playing [preauth]
 Sep 8 13:32:49 marconi sshd[20127]: Received disconnect from 103.27.239.143 port 40512:11: Normal Shutdown, Thank you for playing [preauth]
+Sep 12 00:02:08 cocacola sm-mta[8158]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
+Nov 2 07:25:58 marconi sshd[22932]: Connection closed by invalid user foo 175.6.27.49 port 6920 [preauth]
+Nov 2 07:34:03 marconi sshd[25979]: ssh_dispatch_run_fatal: Connection from 170.250.140.52 port 45852: DH GEX group out of range [preauth]
+Nov 2 07:34:15 marconi sshd[26033]: Did not receive identification string from 163.172.136.101 port 37627
+Nov 2 07:48:30 marconi sshd[30673]: Did not receive identification string from 121.156.90.110 port 44398
+Nov 2 07:49:45 marconi sshd[30998]: Disconnecting authenticating user root 180.130.191.9 port 45306: Too many authentication failures [preauth]
+Nov 2 07:59:27 marconi sshd[1655]: Disconnected from invalid user admin 121.156.90.110 port 46078 [preauth]
+Nov 2 08:01:51 marconi sshd[3848]: Disconnected from authenticating user root 121.18.238.123 port 47854 [preauth]
+
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
 Aug 23 18:39:24 nada fredrik[1713]: Sista raden
From c975d3a48c2ea08ba2a6691bfe86fb827caf0ebe Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Thu, 2 Nov 2017 13:26:11 +0100
Subject: [PATCH 2/2] Fler regler
---
 logcheck_ubuntu | 6 ++++--
 testlog | 11 +++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
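Review bot: All eight sshd lines added to testlog are positive samples the new rules are meant to suppress; if testlog is fed through the rule set to check what gets filtered (its use is not visible here), there is no negative sample that must survive, so an over-broad pattern would go unnoticed. One line the rules should not match would pin their boundary, for example a user name outside `[[:alnum:]]+`: `Nov 2 07:25:58 marconi sshd[22932]: Connection closed by invalid user foo-bar 175.6.27.49 port 6920 [preauth]` (constructed from the sample above it). The `Sep 12 ... sm-mta[8158]: STARTTLS=client ...` line belongs to a sendmail rule and is unrelated to the Ubuntu 17.10 sshd rules this patch describes.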
diff --git a/logcheck_ubuntu b/logcheck_ubuntu
index 26bd751..9db1a1c 100644
--- a/logcheck_ubuntu
+++ b/logcheck_ubuntu
@@ -79,7 +79,9 @@
 #Mar 2 14:16:53 marconi sshd[4282]: Connection closed by 163.172.210.106 port 56708 [preauth]
 #Nov 2 07:25:58 marconi sshd[22932]: Connection closed by invalid user foo 175.6.27.49 port 6920 [preauth]
-\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by (invalid user [[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
+#Nov 2 11:19:59 marconi sshd[20563]: Connection closed by authenticating user root 58.214.22.74 port 6920 [preauth]
+#Nov 2 11:55:16 marconi sshd[496]: Connection closed by authenticating user root 112.29.245.145 port 2049 [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by ((invalid|authenticating) user [[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
 #Mar 2 13:42:26 marconi sshd[25003]: Received disconnect from 155.4.131.66 port 2983:11: disconnected by user
 #Mar 2 17:00:04 marconi sshd[31419]: Received disconnect from 116.31.116.18 port 20137:11: [preauth]
@@ -90,7 +92,7 @@
 #Nov 2 07:59:27 marconi sshd[1655]: Disconnected from invalid user admin 121.156.90.110 port 46078 [preauth]
 #Nov 2 08:01:51 marconi sshd[3848]: Disconnected from authenticating user root 121.18.238.123 port 47854 [preauth]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from (invalid|authenticating) user [[:alnum:]]+ [.:[:digit:]]+ (port [.:[:digit:]]+ )?
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from (invalid|authenticating) user [[:alnum:]]+ [.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
 #Mar 2 17:00:24 marconi sshd[556]: Connection reset by 119.147.115.37 port 1841 [preauth]
 #Mar 2 17:07:35 marconi sshd[2635]: Connection reset by 119.147.115.37 port 1070 [preauth]
diff --git a/testlog b/testlog
index 3d23e31..241b021 100644
--- a/testlog
+++ b/testlog
@@ -593,6 +593,17 @@ Nov 2 07:48:30 marconi sshd[30673]: Did not receive identification string from
 Nov 2 07:49:45 marconi sshd[30998]: Disconnecting authenticating user root 180.130.191.9 port 45306: Too many authentication failures [preauth]
 Nov 2 07:59:27 marconi sshd[1655]: Disconnected from invalid user admin 121.156.90.110 port 46078 [preauth]
 Nov 2 08:01:51 marconi sshd[3848]: Disconnected from authenticating user root 121.18.238.123 port 47854 [preauth]
+Nov 2 11:03:21 marconi sshd[15313]: Disconnecting authenticating user root 72.1.255.192 port 56702: Too many authentication failures [preauth]
+Nov 2 11:03:25 marconi sshd[15340]: Did not receive identification string from 212.83.136.85 port 63067
+Nov 2 11:03:44 marconi sshd[15390]: Did not receive identification string from 212.83.136.85 port 49903
+Nov 2 11:48:29 marconi sshd[30727]: Did not receive identification string from 97.79.239.20 port 43399
+Nov 2 11:03:28 marconi sshd[15354]: Disconnected from invalid user admin 212.83.136.85 port 62912 [preauth]
+Nov 2 11:05:41 marconi sshd[16346]: Disconnected from authenticating user root 121.18.238.119 port 47256 [preauth]
+Nov 2 11:55:07 marconi sshd[32705]: Disconnected from authenticating user root 221.194.47.221 port 40633 [preauth]
+Nov 2 11:19:59 marconi sshd[20563]: Connection closed by authenticating user root 58.214.22.74 port 6920 [preauth]
+Nov 2 11:28:15 marconi sshd[23379]: Connection closed by invalid user admin 218.206.69.40 port 2049 [preauth]
+Nov 2 11:29:01 marconi sshd[23537]: Connection closed by invalid user test 106.247.228.75 port 6920 [preauth]
+Nov 2 11:55:16 marconi sshd[496]: Connection closed by authenticating user root 112.29.245.145 port 2049 [preauth]
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...