diff --git a/logcheck-fw-httpd b/logcheck-fw-httpd index e8b47ad..b1b4bb7 100644 --- a/logcheck-fw-httpd +++ b/logcheck-fw-httpd @@ -33,3 +33,6 @@ #Apr 24 09:35:01 nada HORDE: [horde] User stiy logged out of Horde (80.251.192.97) [pid 6775 on line 107 of "/usr/share/horde/login.php"] ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[horde\] User [[:alnum:]]+ logged out of Horde \([.[:digit:]]+\) +#Oct 28 10:01:06 nada HORDE: Guest user is not authorized for Mail (Host: msnbot-157-55-39-113.search.msn.com). [pid 30077 on line 324 of "/usr/share/php/Horde/Registry.php"] +#Oct 28 10:58:51 nada HORDE: Guest user is not authorized for Horde (Host: 33.bl.bot.semrush.com). [pid 5104 on line 324 of "/usr/share/php/Horde/Registry.php"] +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: Guest user is not authorized for (Mail|Horde) \(Host: [-.[:alnum:]]+\). \[pid [[:digit:]]+ on line 324 of "/usr/share/php/Horde/Registry.php"\] diff --git a/logcheck-fw-sshd b/logcheck-fw-sshd index fdd4ec9..2eb5d89 100644 --- a/logcheck-fw-sshd +++ b/logcheck-fw-sshd @@ -135,8 +135,12 @@ #Oct 28 07:58:37 nada sshd[1041]: error: kex_exchange_identification: Connection closed by remote host -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: Connection closed by remote host +#Oct 28 12:23:29 nada sshd[14913]: error: kex_exchange_identification: read: Connection reset by peer +\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: (read: )?Connection (closed|reset) by (remote host|peer) + + #Oct 28 07:58:37 nada sshd[1041]: Connection closed by 141.98.10.82 port 40176 -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by [.:[:digit:]]+ port [[:digit:]]+ +#Oct 28 12:23:29 nada sshd[14913]: Connection reset by 185.73.124.100 port 12384 +\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection (closed|reset) by [.:[:digit:]]+ port [[:digit:]]+ diff --git a/logcheck_debian b/logcheck_debian index ad8896b..725c87d 100644 --- a/logcheck_debian +++ b/logcheck_debian @@ -185,33 +185,6 @@ -# -# HORDE -# -#Apr 2 18:34:46 nada HORDE: [horde] Login success for fredrik to horde (46.162.117.83) [pid 25921 on line 164 of "/usr/share/horde/login.php"] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[horde\] Login success for [[:alnum:]]+ to horde \([.[:digit:]]+\) \[pid [[:digit:]]+ on line 164 of "/usr/share/horde/login.php"\] - -#Apr 2 18:34:47 nada HORDE: [imp] Login success for fredrik (46.162.117.83) to {imap://nada.wahlberg.se:993/} [pid 25921 on line 157 of "/usr/share/horde/imp/lib/Auth.php"] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[imp\] Login success for [[:alnum:]]+ \([.[:digit:]]+\) to \{imap://nada.wahlberg.se:993\/\} \[pid [[:digit:]]+ on line 157 of "/usr/share/horde/imp/lib/Auth.php"\] - -#Apr 2 19:31:34 nada HORDE: [kronolith] Failed to retrieve remote calendar: url = "https://calendar.google.com/calendar/ical/wahlis%40gmail.com/private-d6b56e71ef78fa437bcb4df46aaeebad/basic.ics", status = 28 [pid 25488 on line 593 of "/usr/share/horde/kronolith/lib/Driver/Ical.php"] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[kronolith\] Failed to retrieve remote calendar: url = - -#Apr 2 20:17:48 nada HORDE: User is not authorized for imp [pid 21121 on line 324 of "/usr/share/php/Horde/Registry.php"] -#Apr 10 21:18:28 nada HORDE: User is not authorized for horde [pid 28010 on line 324 of "/usr/share/php/Horde/Registry.php"] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: User is not authorized for (imp|horde) - -#Apr 18 13:27:36 nada HORDE: [imp] Message sent to fram.art@comhem.se from katarina (213.112.4.122) [pid 12862 on line 964 of "/usr/share/horde/imp/lib/Compose.php"] -#Apr 18 14:38:04 nada HORDE: [imp] Message sent to hello@happysthlm.se from katarina (213.112.4.122) [pid 1013 on line 964 of "/usr/share/horde/imp/lib/Compose.php"] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[imp\] Message sent to - -#Apr 21 04:37:54 nada HORDE: [imp] PHP ERROR: Invalid argument supplied for foreach() [pid 7168 on line 96 of "/usr/share/horde/imp/lib/Factory/MailboxList.php"] -#Apr 20 04:49:50 nada HORDE: [imp] PHP ERROR: Invalid argument supplied for foreach() [pid 27097 on line 96 of "/usr/share/horde/imp/lib/Factory/MailboxList.php"] -#Apr 20 13:03:42 nada HORDE: [gollem] PHP ERROR: Invalid argument supplied for foreach() [pid 6356 on line 338 of "/usr/share/horde/gollem/lib/Auth.php"] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[(imp|gollem)\] PHP ERROR: Invalid argument supplied for foreach\(\) - -#Apr 24 09:35:01 nada HORDE: [horde] User stiy logged out of Horde (80.251.192.97) [pid 6775 on line 107 of "/usr/share/horde/login.php"] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[horde\] User [[:alnum:]]+ logged out of Horde \([.[:digit:]]+\) # # MILTER-GREYLIST @@ -248,89 +221,6 @@ -# -# NAMED -# -#Mar 11 06:34:44 nada named[1771]: received control channel command 'reload' -#Mar 11 06:34:44 nada named[1771]: reading built-in trusted keys from file '/etc/bind/bind.keys' -#Mar 11 06:34:44 nada named[1771]: sizing zone task pool based on 21 zones -#Mar 11 06:34:44 nada named[1771]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones|sizing zone task pool based on [[:digit:]]+ zones|received control channel command 'reload( [.[:alnum:]]+)?'|reading built-in trusted keys from file '/etc/bind/bind.keys') - -#Mar 10 06:43:39 nada named[1771]: client 95.170.86.14#50337: received notify for zone 'happysthlm.com' -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: received notify for zone '[-.[:alnum:]]+' - -#Mar 13 19:06:05 nada named[1771]: client 95.170.86.14#54781: transfer of 'stiy.com/IN': IXFR ended -#Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR started -#Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR ended -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: transfer of '[-.[:alnum:]]+/IN':( AXFR-style) IXFR (started|ended) - -#Mar 11 06:34:44 nada named[1771]: reloading configuration succeeded -#Mar 11 06:34:44 nada named[1771]: reloading zones succeeded -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: reloading (configuration|zones) succeeded - -#Mar 11 06:34:44 nada named[1771]: using default UDP/IPv4 port range: [1024, 65535] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: using default UDP/IPv(4|6) port range: \[[[:digit:]]+, [[:digit:]]+\] - -#Mar 13 19:02:30 kvarnen named[8896]: transfer of 'acroyoga.se/IN' from 66.23.226.92#53: Transfer completed: 0 messages, 0 records, 0 bytes, 127.193 secs (0 bytes/sec) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: Transfer completed: [[:digit:]]+ messages, [[:digit:]]+ records, [[:digit:]]+ bytes, [.[:digit:]]+ secs \([[:digit:]]+ bytes/sec\) - -#Mar 21 05:58:39 kvarnen named[8896]: transfer of 'happysthlm.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#33872 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: connected using [.[:digit:]]+#[[:digit:]]+ - -#Mar 21 05:58:32 kvarnen named[8896]: zone happysthlm.se/IN: refresh: retry limit for master 66.23.226.92#53 exceeded (source 0.0.0.0#0) -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: zone [-.[:alnum:]]+/IN: refresh: retry limit for master [.[:digit:]]+#[[:digit:]]+ exceeded \(source [.[:digit:]]+#[[:digit:]]+\) - -#Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: master [.[:digit:]]+#[[:digit:]]+ \(source [.[:digit:]]+#[[:digit:]]+\) deleted from unreachable cache - -#Mar 24 02:08:41 nada named[5002]: client 192.42.132.103#45345: notify question section contains no SOA -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: notify question section contains no SOA - -#Mar 26 21:45:26 nada named[5002]: managed-keys-zone ./IN: No DNSKEY RRSIGs found for '.': success -#Apr 2 22:17:28 nada named[300]: managed-keys-zone: No DNSKEY RRSIGs found for '.': succes -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone( ./IN)?: No DNSKEY RRSIGs found for '.': success - -#Apr 2 22:49:14 nada named[5002]: managed-keys-zone ./IN: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL -#Apr 13 16:22:06 nada named[296]: managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': SERVFAIL -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone( ./IN)?: Unable to fetch DNSKEY set '[.[:alnum:]]+': SERVFAIL - -#Dec 19 17:32:19 nada named[5082]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org - - -#Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: validating [@[:alnum:]]+: . NS: got insecure response; parent indicates it should be secure - -#Apr 10 05:59:24 marconi named[7781]: validating formelracing.se/SOA: no valid signature found -#Apr 10 05:59:24 marconi named[7781]: validating formelracing.se/A: no valid signature found -#Apr 10 05:59:24 marconi named[7781]: validating cmqpg0nlq5bi4s4ucti6jj2avrd7mhtj.formelracing.se/NSEC3: no valid signature found -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]:[[:space:]]+validating [.[:alnum:]]+/(A|SOA|NSEC3): no valid signature found - -#Mar 3 18:03:34 marconi named[27570]: transfer of 'wahlberg.se/IN' from 66.23.226.92#53: Transfer status: success -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [#.[:digit:]]+: Transfer status: success - -#Mar 4 15:06:28 marconi named[27570]: client 113.240.250.154#43169: message parsing failed: bad compression pointer -#Apr 20 20:40:11 marconi named[11602]: client 125.64.94.201#52717: message parsing failed: bad label type -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: message parsing failed: bad (compression pointer|label type) - -#Mar 16 10:33:41 nada named[31321]: zone happysthlm.se/IN: loaded serial 2017031600 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: zone [-.[:alnum:]]+/IN: loaded serial [[:digit:]]+ - -#Apr 10 06:49:43 nada named[297]: automatic empty zone: 10.IN-ADDR.ARPA -#Apr 10 06:49:43 nada named[297]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: automatic empty zone: [.[:alnum:]]+(IN-ADDR|IP6).ARPA - -#Apr 11 06:48:06 nada named[297]: all zones loaded -#Apr 11 06:48:06 nada named[297]: running -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (all zones loaded|running) - -#Apr 11 06:48:06 nada rndc[15568]: server reload successful -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ rndc\[[[:digit:]]+\]: server reload successful - -#Apr 13 00:24:51 marconi named[7781]: DNS format error from 8.8.8.8#53 resolving slashdot.org/DS: Name . (SOA) not subdomain of zone org -- invalid response -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: DNS format error from [\#.[:digit:]]+ resolving [-_.[:alnum:]]+/DS: Name . \(SOA\) not subdomain of zone org -- invalid response - # # SASLAUTHD @@ -460,224 +350,6 @@ -# -# SPAMD -# -#Mar 9 15:31:44 nada spamd[27511]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_* R/W: lock failed: File exists -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_\* R/W: lock failed: File exists - -#Mar 23 13:36:12 nada spamd[3731]: pyzor: check failed: internal error, python traceback seen in response -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: pyzor: check failed: internal error, python traceback seen in response - -#Mar 26 06:57:06 nada spamd[17910]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: server socket setup failed, retry [[:digit:]]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use - -#Mar 26 06:57:15 nada spamd[17910]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use - -#Mar 26 06:57:09 nada spamd[17905]: spamd: server started on port 783/tcp (running version 3.3.2) -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on port 783/tcp \(running version [.[:digit:]]+\) - -#Mar 26 06:57:05 nada spamd[10050]: spamd: server hit by SIGHUP, restarting -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server hit by SIGHUP, restarting - -#Mar 26 06:57:05 nada spamd[10050]: spamd: child [23926] killed successfully: interrupted, signal 2 (0002) -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: child \[[[:digit:]]+\] killed successfully: interrupted, signal 2 \(0002\) - -#Mar 26 06:57:05 nada spamd.pid[10050]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid' -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd.pid\[[0-9]+\]: spamd: restarting using '/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir --user-config -d --pidfile=/var/run/spamd.pid' - -#Mar 9 06:51:00 nada spamassassin.pid --create-prefs --max-children 5 --helper-home-dir --user-config: spamd: restarting using '/usr/sbin/spamd -d --pidfile=/var/run/spamassassin.pid --create-prefs --max-children 5 --helper-home-dir --user-config' -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamassassin.pid --create-prefs --max-children 5 --helper-home-dir --user-config: spamd: restarting using - -#Mar 28 10:48:05 nada spamd[17905]: prefork: server reached --max-children setting, consider raising it -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: server reached --max-children setting, consider raising it - -#Apr 2 06:38:03 nada spamd[16362]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping: -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping: - -#Apr 27 00:44:20 nada spamd[23159]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325. -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325. - -#Mar 2 07:21:44 nada spamc[16024]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamc\[[0-9]+\]: connect to spamd on (127.0.0.1|::1) failed, retrying \(#(1|2) of 3\): Connection refused - -#Apr 2 18:28:04 nada spamd[12078]: spamd: connection from localhost.localdomain [127.0.0.1]:57662 to port 783, fd 5 -#Nov 16 07:08:39 nada spamd[20266]: spamd: connection from 127.0.0.1 [127.0.0.1]:49978 to port 783, fd 5 -#Oct 29 09:03:40 nada spamd[11605]: spamd: connection from ::1 [::1]:33100 to port 783, fd 5 -#Oct 29 09:08:44 nada spamd[11605]: spamd: connection from ::1 [::1]:38096 to port 783, fd 5 - -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: connection from (localhost.localdomain|127.0.0.1|::1) \[(127.0.0.1|::1)\]:[[:digit:]]+ to port 783, fd 5 - -#Apr 2 18:28:06 nada spamd[12078]: dns: reply to 9869/IN/A/22211110.com truncated (EDNS 4096 bytes), 89 answer records -#Apr 2 20:37:14 nada spamd[12078]: dns: reply to 52792/IN/TXT/freemediainternet.com truncated (EDNS 4096 bytes), 2 answer records -#Apr 2 21:13:53 nada spamd[12078]: dns: reply to 28509/IN/TXT/bronto.com truncated (EDNS 4096 bytes), 13 answer records -#Apr 11 00:55:11 nada spamd[13608]: dns: reply to 34774/IN/A/relayhi2.mysmtp.com truncated (EDNS 4096 bytes), 120 answer records -#Apr 16 16:46:57 nada spamd[17910]: dns: reply to 27982/IN/TXT/micro-campus.com truncated (EDNS 4096 bytes), 1 answer records -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: reply to [[:digit:]]+\/IN\/(A|TXT)\/[-_.[:alnum:]]+ truncated \(EDNS 4096 bytes\), [[:digit:]]+ answer records - -#Apr 2 19:45:30 nada spamd[12078]: spamd: result: Y 17 - BAYES_50,DATE_IN_PAST_96_XX,HTML_MESSAGE,MIMEOLE_DIRECT_TO_MX,MISSING_MID,PYZOR_CHECK,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK scantime=1.8,size=1914,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33068,mid=(unknown),bayes=0.499958,autolearn=no autolearn_force=no -#Apr 2 19:49:28 nada spamd[12078]: spamd: result: Y 11 - BAYES_50,DATE_IN_FUTURE_24_48,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL_LASTEXT,SPF_HELO_SOFTFAIL,URIBL_DBL_SPAM,URIBL_SBL_A scantime=2.5,size=3208,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=39030,mid=(unknown),bayes=0.508483,autolearn=no autolearn_force=no -#Apr 9 22:13:12 nada spamd[15599]: spamd: result: . 4 - BAYES_50,DATE_IN_FUTURE_96_Q,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,MISSING_MID,RP_MATCHES_RCVD,SPF_PASS scantime=2.6,size=11507,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45326,mid=(unknown),bayes=0.485144,autolearn=no autolearn_force=no -#Apr 14 13:41:44 nada spamd[3869]: spamd: result: . -2 - BAYES_00,DATE_IN_FUTURE_48_96,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FROM_EXCESS_BASE64,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_MID,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,SPF_HELO_PASS scantime=2.1,size=34843,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=60296,mid=(unknown),bayes=0.000000,autolearn=ham autolearn_force=no -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: (.|Y) [-[:digit:]]+ - - -#Mar 9 06:51:00 nada spamd[29947]: spamd: server socket closed, type IO::Socket::IP -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server socket closed, type IO::Socket::IP - -Mar 9 06:51:04 nada spamd[31055]: spamd: server started on IO::Socket::IP [127.0.0.1]:783 (running version 3.4.0) -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: server started on IO::Socket::IP \[127.0.0.1\]:783 \(running version 3.4.0\) - -#Mar 9 06:51:02 nada spamd[31055]: zoom: able to use 345/345 'body_0' compiled rules (100%) -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: zoom: able to use [[:digit:]]+/[[:digit:]]+ 'body_0' compiled rules \(100%\) - -#Nov 16 07:08:09 nada spamd[15284]: util: setuid: ruid=111 euid=111 rgid=65534 65534 egid=65534 65534 -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: util: setuid: ruid=111 euid=111 rgid=65534 65534 egid=65534 65534 - - - - - -# -# SSHD -# - -#Mar 10 06:59:17 nada sshd(pam_google_authenticator)[3478]: Failed to read "/bin/.google_authenticator" -#May 19 10:39:19 nada sshd(pam_google_authenticator)[18265]: Failed to compute location of secret file -#May 19 14:05:07 nada sshd(pam_google_authenticator)[20232]: Did not receive verification code from user -#May 19 14:05:17 nada sshd(pam_google_authenticator)[20399]: Invalid verification code -#Feb 28 21:45:36 nada sshd(pam_google_authenticator)[26185]: Failed to update secret file "/root/.google_authenticator" -#Mar 3 12:57:42 nada sshd(pam_google_authenticator)[20838]: Failed to update secret file "/root/.google_authenticator" -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: (Failed to (read|update)( secret file)? \"[/[:alnum:]]+\/.google_authenticator\"|Invalid verification code|Failed to compute location of secret file|Did not receive verification code from user) - -# Mar 10 11:12:56 nada sshd[26548]: Received disconnect from 94.102.49.198: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] -# Apr 7 05:56:43 kvarnen sshd[2034]: error: Received disconnect from 212.83.191.8: 3: com.jcraft.jsch.JSchException: Auth fail [preauth] -# Mar 12 04:09:09 nada sshd[23908]: Received disconnect from 195.154.52.9: 3: java.net.SocketTimeoutException: Read timed out [preauth] -# Mar 8 12:09:30 nada sshd[26267]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 66.23.226.92 [preauth] -# Feb 28 03:09:57 nada sshd[30462]: Received disconnect from 47.89.188.218: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth] -#Mar 3 21:19:31 marconi sshd[17576]: error: Received disconnect from 212.83.160.203 port 57458:3: com.jcraft.jsch.JSchException: Auth cancel [preauth] -#Mar 19 04:36:45 marconi sshd[26598]: error: Received disconnect from 46.165.220.212 port 52999:13: User request [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( error:)? Received disconnect from [.:[:digit:]]+( port [[:digit:]]+:|: )(3|13): (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException|User request)(: )?(reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out|Auth cancel)? \[preauth\] - -#Mar 26 16:18:46 nada sshd[3298]: Received disconnect from 91.193.74.33: 11: Bye [preauth] -#Apr 7 13:59:42 nada sshd[19013]: Received disconnect from 2.234.148.20: 11: ok [preauth] -#Apr 3 12:26:03 nada sshd[15236]: Received disconnect from 125.212.232.83: 11: Closed due to user request. [preauth] -#May 14 10:15:47 nada sshd[26005]: Received disconnect from 115.239.230.223: 11: disconnect [preauth] -#Aug 17 10:52:11 nada sshd[24804]: Received disconnect from 89.97.55.33: 11: disconnected by user [preauth] -#Mar 17 07:29:31 nada sshd[7692]: Received disconnect from 178.162.211.197: 13: User request [preauth] -#Apr 2 16:50:49 nada sshd[1363]: Received disconnect from 58.218.199.145: 11: [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: (11|13): (User request|disconnect(ed by user)?|ok|Bye|Closed due to user request.)? \[preauth\] - -#Mar 24 11:06:21 kvarnen sshd[5495]: channel 4: open failed: administratively prohibited: open failed -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel [[:digit:]]: open failed: administratively prohibited: open failed - -#Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16 -#Mar 30 14:57:07 nada sshd[8420]: error: PAM: Cannot make/remove an entry for the specified session for illegal user admin from d5152db40.static.telenet.be -#Mar 14 01:39:26 nada sshd[14346]: error: PAM: Cannot make/remove an entry for the specified session for root from 6e.a0.caa1.ip4.static.sl-reverse.com -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Cannot make/remove an entry for the specified session for (illegal user )?[[:alnum:]]+ from [-.:[:alnum:]]+ - -#Mar 14 02:25:08 nada sshd[18347]: fatal: Read from socket failed: Connection reset by peer [preauth] -#Mar 6 04:03:02 nada sshd[11959]: fatal: Write failed: Connection reset by peer [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: (Read from socket|Write) failed: Connection reset by peer \[preauth\] - -#Mar 13 10:10:06 kvarnen sshd[31901]: Disconnecting: Too many authentication failures for root from 74.74.67.164 port 43335 ssh2 [preauth] -#Feb 3 11:52:58 nada sshd[16082]: Disconnecting: Too many authentication failures for root [preauth] -#Apr 2 19:44:16 nada sshd[15909]: Disconnecting: Too many authentication failures for invalid user openvpn from 177.40.96.203 port 58746 ssh2 [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for (invalid user )?[[:alnum:]]+ (from [.:[:digit:]]+ port [[:digit:]]+ ssh2 )?\[preauth\] - -#Mar 12 12:26:38 kvarnen sshd[6051]: fatal: no matching cipher found: client aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client - -#Mar 15 09:24:00 kvarnen sshd[3572]: Protocol major versions differ for 40.76.48.189: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u1 vs. SSH-1.5-NmapNSE_1.0 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Protocol major versions differ for [.:[:digit:]]+: - -#Apr 10 20:46:18 nada sshd[6046]: pam_unix(sshd:auth): conversation failed -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): conversation failed - -#May 11 19:13:29 nada sshd[10882]: pam_krb5(sshd:auth): authentication failure; logname=ai_luat uid=0 euid=0 tty=ssh ruser= rhost=218.200.188.213 -#May 15 03:18:15 nada sshd[23461]: pam_krb5(sshd:auth): authentication failure; logname=.php uid=0 euid=0 tty=ssh ruser= rhost=59.0.85.43 -#May 27 23:53:37 nada sshd[499]: pam_krb5(sshd:auth): authentication failure; logname=tbs#015 uid=0 euid=0 tty=ssh ruser= rhost=58.117.82.210 -#May 28 00:22:32 nada sshd[4355]: pam_krb5(sshd:auth): authentication failure; logname=oliver#015 uid=0 euid=0 tty=ssh ruser= rhost=58.117.82.210 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): authentication failure; logname=[.#_[:alnum:]]+ uid=0 euid=0 tty=ssh ruser= rhost=[.:[:digit:]]+ - -#Apr 10 20:50:19 nada sshd(pam_google_authenticator)[6490]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack - -#May 11 01:17:42 kvarnen sshd[14739]: fatal: Unable to negotiate a key exchange method [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\] - -#Mar 17 09:44:38 marconi sshd[27920]: fatal: Unable to negotiate with 212.129.20.230 port 51562: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth] -#Feb 5 05:36:40 marconi sshd[12309]: Unable to negotiate with 36.255.159.233 port 65061: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( fatal:)? Unable to negotiate with [.[:digit:]]+ port [[:alnum:]]+: no matching cipher found. Their offer: .* \[preauth\] - -#Apr 27 12:36:56 kvarnen sshd[26293]: Bad protocol version identification 'GET http://clientapi.ipip.net/echo.php?info=20160427185402 HTTP/1.1' from 106.184.2.29 port 7680 -#May 13 16:59:50 kvarnen sshd[21380]: Bad protocol version identification '' from 171.13.14.52 port 59637 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '.*' from [.:[:digit:]]+ port [[:digit:]]+ - -#May 5 10:08:49 nada sshd[4523]: fatal: no hostkey alg [preauth] -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no hostkey alg \[preauth\] - -#Aug 16 19:28:06 nada sshd[12135]: Postponed keyboard-interactive/pam for invalid user admin from 75.149.180.141 port 65264 ssh2 [preauth] -#Aug 16 21:57:30 nada sshd[26976]: Postponed keyboard-interactive/pam for invalid user support from 103.207.36.244 port 59302 ssh2 [preauth] -#Mar 1 09:28:37 nada sshd[4919]: Postponed keyboard-interactive/pam for root from 218.65.30.43 port 23516 ssh2 [preauth] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed keyboard-interactive/pam for( invalid user)? [[:alnum:]]+ from [.:[:digit:]]+ port [[:digit:]]+ ssh2 \[preauth\] - -#Apr 22 14:23:22 nada sshd[19599]: subsystem request for sftp by user petter -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [[:alnum:]]+ - -#May 28 00:22:32 nada sshd[4355]: input_userauth_request: invalid user oliver\\r [preauth] -#Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth] -#Sep 9 06:55:41 marconi sshd[11486]: input_userauth_request: invalid user 0101 [preauth] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user ([ ._[:alnum:]]+(\\\\r| )?) \[preauth\] - -#Apr 21 16:11:24 nada sshd[20234]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.94.220.181.95.rev.numer.gy user=root -#Oct 24 06:33:25 nada sshd[10577]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-68-161-233-215.ny325.east.verizon.net user=lp -#Nov 3 00:10:37 nada sshd[29893]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host26-153-static.37-88-b.business.telecomitalia.it user=root -#Nov 3 03:00:15 nada sshd[12808]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-200-105-158-166.acelerate.net user=root -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=[-.[:alnum:]]+ user=[[:alnum:]]+ - - -#Mar 1 03:03:26 nada sshd[28313]: fatal: Write failed: Broken pipe [preauth] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Broken pipe \[preauth\] - -#Mar 6 22:43:34 nada sshd[4306]: Disconnecting: Packet corrupt [preauth] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Packet corrupt \[preauth\] - -#Mar 6 22:43:34 nada sshd[4306]: Bad packet length 4081589265. [preauth] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad packet length [[:digit:]]+. \[preauth\] - -#Mar 8 03:17:11 nada sshd[23415]: Received disconnect from 91.195.103.166: 11: Client disconnecting normally [preauth] -#Mar 7 19:37:07 nada sshd[9647]: Received disconnect from 91.195.103.173: 11: Client disconnecting normally [preauth] -#Mar 9 15:08:55 marconi sshd[25800]: Received disconnect from 61.158.188.21 port 59944:11: ok [preauth] -#Mar 9 15:22:40 marconi sshd[29305]: Received disconnect from 202.163.123.135 port 59164:11: ok [preauth] -#Apr 16 07:45:39 nada sshd[31491]: error: Received disconnect from 37.229.184.255: 2: Handshake failed [preauth] -#Apr 13 09:47:05 marconi sshd[695]: error: Received disconnect from 37.229.184.255 port 61294:2: Handshake failed [preauth] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [.:[:digit:]]+(:)? (port [[:digit:]]+:)?(11|2): (Client disconnecting normally|ok|Handshake failed) \[preauth\] - -#Sep 9 06:55:41 marconi sshd[11486]: Invalid user 0101 from 91.197.232.109 -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user ([ -@.[:alnum:]]+)? from [.:[:digit:]]+ - -#Sep 11 11:32:09 cocacola sshd[5924]: Received disconnect from 5.189.139.2: 11: Normal Shutdown, Thank you for playing [preauth] -#Sep 8 13:32:49 marconi sshd[20127]: Received disconnect from 103.27.239.143 port 40512:11: Normal Shutdown, Thank you for playing [preauth] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.[:alnum:]]+ -(: port )?[.:[:digit:]]+: Normal Shutdown, Thank you for playing \[preauth\] - -# Apr 18 17:29:30 nada internal-sftp[9277]: session opened for local user petter from [212.16.177.66] -# Apr 18 17:29:31 nada internal-sftp[9277]: opendir "/home/petter/www.lidberg.se/mazda/Old" -# Apr 18 17:29:31 nada internal-sftp[9277]: closedir "/home/petter/www.lidberg.se/mazda/Old" -# Apr 18 17:29:38 nada internal-sftp[9277]: open "/home/petter/www.lidberg.se/mazda/Old/demo.html" flags READ mode 0666 -# Apr 18 17:29:38 nada internal-sftp[9277]: close "/home/petter/www.lidberg.se/mazda/Old/demo.html" bytes read 3754 written 0 -# Apr 18 17:33:38 nada internal-sftp[9277]: session closed for local user petter from [212.16.177.66] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ internal-sftp\[[[:digit:]]+\]: - -#May 3 18:14:45 nada sshd[30553]: error: Received disconnect from 178.215.81.7: 14: No more user authentication methods available. [preauth] -\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [.:[:digit:]]+: 14: No more user authentication methods available. \[preauth\] - - - - - # # SUHOSIN # diff --git a/testlog b/testlog index d70cb63..f76e225 100644 --- a/testlog +++ b/testlog @@ -1,5 +1,21 @@ första raden i loggen Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem... +Oct 28 10:01:06 nada HORDE: Guest user is not authorized for Mail (Host: msnbot-157-55-39-113.search.msn.com). [pid 30077 on line 324 of "/usr/share/php/Horde/Registry.php"] +Oct 28 10:58:51 nada HORDE: Guest user is not authorized for Horde (Host: 33.bl.bot.semrush.com). [pid 5104 on line 324 of "/usr/share/php/Horde/Registry.php"] +Oct 28 07:54:13 nada named[368]: client @0xf242cb64 104.180.184.102#80 (.): query failed (REFUSED) for ./IN/RRSIG at query.c:5498 +Oct 28 06:17:36 nada named[368]: client @0xf2443044 205.185.124.172#52570 (pizzaseo.com): query failed (REFUSED) for pizzaseo.com/IN/RRSIG at query.c:5498 +Oct 28 07:58:37 nada sshd[1041]: error: kex_exchange_identification: Connection closed by remote host +Oct 28 07:58:37 nada sshd[1041]: Connection closed by 141.98.10.82 port 40176 +Oct 28 12:23:29 nada sshd[14913]: error: kex_exchange_identification: read: Connection reset by peer +Oct 28 12:23:29 nada sshd[14913]: Connection reset by 185.73.124.100 port 12384 +Oct 28 07:09:06 nada sendmail[32544]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/cert.pem unsafe: Permission denied +Oct 28 07:09:06 nada sendmail[32544]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/privkey.pem unsafe: Permission denied +Oct 28 07:09:06 nada sendmail[32544]: STARTTLS=client: file /etc/letsencrypt/live/wahlberg.se-0005/chain.pem unsafe: Permission denied +Oct 28 07:09:06 nada sendmail[32544]: STARTTLS=client, error: load verify locs /etc/letsencrypt/live/wahlberg.se, /etc/letsencrypt/live/wahlberg.se-0005/chain.pem failed: 0 +Oct 28 07:09:06 nada sendmail[32544]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256 +Oct 28 07:34:08 nada mod_evasive[25488]: Blacklisting address 81.228.31.170: possible DoS attack. +Oct 28 07:50:39 nada mod_evasive[25332]: Blacklisting address 217.213.70.60: possible DoS attack. +Oct 28 06:31:02 nada spamd[3181]: prefork: child states: II [... logline repeated 32 times] Oct 26 09:44:50 nada saslauthd[275]: : NULL password received Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache Mar 16 21:43:05 kvarnen named[8896]: transfer of 'wahlberg.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#37390