Ett antal små regler till
This commit is contained in:
Fredrik Wahlberg
@@ -138,6 +138,9 @@
|
||||
#Mar 26 22:10:17 nada dovecot: pop3(ammis): Connection closed top=0/0, retr=29/1819516, del=0/73, size=4433634
|
||||
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3\([[:alnum:]]+\): Connection closed top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
|
||||
|
||||
#Mar 30 20:59:38 nada dovecot: imap(katarina): Disconnected: Disconnected in=139 out=8902
|
||||
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected: Disconnected in=[[:digit:]]+ out=[[:digit:]]+
|
||||
|
||||
|
||||
|
||||
#
|
||||
@@ -218,7 +221,8 @@
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
|
||||
|
||||
#Mar 11 13:55:34 nada sm-mta[10612]: u2BCtW1I010612: ruleset=check_rcpt, arg1=<star.pop3@hotmail.com>, relay=rdns2.fastmkt.xyz [177.11.51.157] (may be forged), reject=550 5.7.1 <star.pop3@hotmail.com>... Relaying denied. IP name possibly forged [177.11.51.157]
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=[-.[:alnum:]]+ \[[.:[:digit:]]+\] \(may be forged\), reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name possibly forged \[[.:[:digit:]]+\]
|
||||
#Mar 27 22:21:47 nada sm-mta[3607]: u2RKLiXq003607: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=125-227-60-218.HINET-IP.hinet.net [125.227.60.218] (may be forged), reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name possibly forged [125.227.60.218]
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=(<)?[-_.@[:alnum:]]+(>)?, relay=[-.[:alnum:]]+ \[[.:[:digit:]]+\] \(may be forged\), reject=550 5.7.1 (<)?[-_.@[:alnum:]]+(>)?... Relaying denied. IP name possibly forged \[[.:[:digit:]]+\]
|
||||
|
||||
#Mar 9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: collect: premature EOM: Connection reset by [208.87.25.77]
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection reset by \[[.:[:digit:]]+\]
|
||||
@@ -237,7 +241,9 @@
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=[-_.@[:alnum:]]+, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 [-_.@[:alnum:]]+ Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
|
||||
|
||||
#Mar 15 11:26:20 nada sm-mta[6679]: STARTTLS=client, relay=mail.compenta.se., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
|
||||
#Mar 30 20:47:04 nada sm-mta[9603]: STARTTLS=client, relay=mail-gw01.fsdata.se., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
|
||||
#Mar 30 13:04:11 nada sm-mta[30164]: STARTTLS=client, relay=mailgw.swip.net., field=cn_subject, status=failed to extract CN
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, (version=TLSv1/SSLv3, verify=FAIL, cipher=[-[:alnum:]]+, bits=128/128|field=cn_subject, status=failed to extract CN)
|
||||
|
||||
#Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: gethostbyaddr\(127.0.0.2\) failed: 1
|
||||
@@ -250,6 +256,11 @@
|
||||
# Mar 25 05:10:17 nada sm-mta[16638]: u2P0LqlN016638: Milter (clamav): to error state
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter \([[:alnum:]]+\): (to error state|write\(Q\) returned -1, expected 5: Broken pipe)
|
||||
|
||||
#Mar 30 15:36:53 nada sm-mta[12291]: u2U9XkgT020620: u2UDarTR012291: sender notify: Warning: could not send message for past 4 hours
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: sender notify: Warning: could not send message for past 4 hours
|
||||
|
||||
#Mar 30 19:01:40 nada sm-mta[30590]: u2UGiH7o030590: collect: premature EOM: No route to host
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: No route to host
|
||||
|
||||
|
||||
|
||||
@@ -280,6 +291,10 @@
|
||||
#Mar 26 06:57:05 nada spamd.pid[10050]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd.pid\[[0-9]+\]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid'
|
||||
|
||||
#Mar 28 10:48:05 nada spamd[17905]: prefork: server reached --max-children setting, consider raising it
|
||||
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: server reached --max-children setting, consider raising it
|
||||
|
||||
|
||||
|
||||
|
||||
#
|
||||
@@ -300,8 +315,9 @@
|
||||
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel [[:digit:]]: open failed: administratively prohibited: open failed
|
||||
|
||||
#Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16
|
||||
#Mar 30 14:57:07 nada sshd[8420]: error: PAM: Cannot make/remove an entry for the specified session for illegal user admin from d5152db40.static.telenet.be
|
||||
#Mar 14 01:39:26 nada sshd[14346]: error: PAM: Cannot make/remove an entry for the specified session for root from 6e.a0.caa1.ip4.static.sl-reverse.com
|
||||
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for (illegal user )?[[:alnum:]]+ from [.:[:digit:]]+
|
||||
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for (illegal user )?[[:alnum:]]+ from [-.:[:alnum:]]+
|
||||
|
||||
#Mar 14 02:25:08 nada sshd[18347]: fatal: Read from socket failed: Connection reset by peer [preauth]
|
||||
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]
|
||||
|
||||
13
testlog
13
testlog
@@ -117,7 +117,6 @@ Mar 26 06:57:13 nada spamd[17910]: server socket setup failed, retry 8: spamd: c
|
||||
Mar 26 06:57:14 nada spamd[17910]: server socket setup failed, retry 9: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
|
||||
Mar 26 06:57:15 nada spamd[17910]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
|
||||
Mar 26 16:18:46 nada sshd[3298]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
|
||||
Mar 26 17:21:15 kvarnen epmd: epmd: invalid packet size (18245)
|
||||
Mar 26 18:09:14 nada monit[5075]: 'localhost' 'localhost' cpu wait usage check succeeded [current cpu wait usage=0.0%]
|
||||
Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
|
||||
Mar 26 21:45:26 nada named[5002]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success
|
||||
@@ -130,5 +129,17 @@ Mar 27 06:31:18 nada monit[5075]: 'clamav-milter' process PID changed from 26461
|
||||
Mar 27 06:33:18 nada monit[5075]: 'clamav-milter' process PID has not changed since last cycle
|
||||
Mar 27 10:28:35 nada sshd[2326]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
|
||||
Mar 27 10:28:38 nada sshd[2328]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
|
||||
Mar 27 22:21:47 nada sm-mta[3607]: u2RKLiXq003607: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=125-227-60-218.HINET-IP.hinet.net [125.227.60.218] (may be forged), reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name possibly forged [125.227.60.218]
|
||||
Mar 28 06:34:18 nada sshd[16291]: Received disconnect from 91.193.74.33: 11: Bye [preauth]
|
||||
Mar 28 10:48:05 nada spamd[17905]: prefork: server reached --max-children setting, consider raising it
|
||||
Mar 30 03:49:50 nada sshd[9974]: Received disconnect from 125.212.232.159: 11: Closed due to user request. [preauth]
|
||||
Mar 30 13:04:11 nada sm-mta[30164]: STARTTLS=client, relay=mailgw.swip.net., field=cn_subject, status=failed to extract CN
|
||||
Mar 30 14:57:07 nada sshd[8420]: error: PAM: Cannot make/remove an entry for the specified session for illegal user admin from d5152db40.static.telenet.be
|
||||
Mar 30 14:57:09 nada sshd[8420]: error: PAM: Cannot make/remove an entry for the specified session for illegal user admin from d5152db40.static.telenet.be
|
||||
Mar 30 15:36:53 nada sm-mta[12291]: u2U9XkgT020620: u2UDarTR012291: sender notify: Warning: could not send message for past 4 hours
|
||||
Mar 30 19:01:40 nada sm-mta[30590]: u2UGiH7o030590: collect: premature EOM: No route to host
|
||||
Mar 30 20:47:04 nada sm-mta[9603]: STARTTLS=client, relay=mail-gw01.fsdata.se., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
|
||||
Mar 30 20:59:38 nada dovecot: imap(katarina): Disconnected: Disconnected in=139 out=8902
|
||||
Apr 1 06:03:28 nada dovecot: imap(gregory): Disconnected: Disconnected in=219 out=22999
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user