En mängd nya regler efter uppgradering till Debian 8

2017-04-02 21:43:05 +02:00
parent 9ff928d1d5
commit 40543952e4
2 changed files with 80 additions and 6 deletions


@@ -158,6 +158,36 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected in APPEND \([[:digit:]]+ msgs, [[:digit:]]+ secs, [[:digit:]]+/[[:digit:]]+ bytes\) in=[[:digit:]]+ out=[[:digit:]]+
#
# HORDE
#
#Apr 2 18:34:46 nada HORDE: [horde] Login success for fredrik to horde (46.162.117.83) [pid 25921 on line 164 of "/usr/share/horde/login.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[horde\] Login success for [[:alnum:]]+ to horde \([.[:digit:]]+\) \[pid [[:digit:]]+ on line 164 of "/usr/share/horde/login.php"\]
#Apr 2 18:34:47 nada HORDE: [imp] Login success for fredrik (46.162.117.83) to {imap://nada.wahlberg.se:993/} [pid 25921 on line 157 of "/usr/share/horde/imp/lib/Auth.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[imp\] Login success for [[:alnum:]]+ \([.[:digit:]]+\) to \{imap://nada.wahlberg.se:993\/\} \[pid [[:digit:]]+ on line 157 of "/usr/share/horde/imp/lib/Auth.php"\]
#Apr 2 19:31:34 nada HORDE: [kronolith] Failed to retrieve remote calendar: url = "https://calendar.google.com/calendar/ical/wahlis%40gmail.com/private-d6b56e71ef78fa437bcb4df46aaeebad/basic.ics", status = 28 [pid 25488 on line 593 of "/usr/share/horde/kronolith/lib/Driver/Ical.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: \[kronolith\] Failed to retrieve remote calendar: url =
#Apr 2 20:17:48 nada HORDE: User is not authorized for imp [pid 21121 on line 324 of "/usr/share/php/Horde/Registry.php"]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ HORDE: User is not authorized for imp
#
# MILTER-GREYLIST
#
#Apr 2 18:28:04 nada milter-greylist: DKIM failed: No signature
#Apr 2 18:34:03 nada milter-greylist: DKIM failed: Unable to verify
#Apr 2 18:36:37 nada milter-greylist: DKIM failed: Key retrieval failed
#Apr 2 18:36:58 nada milter-greylist: DKIM failed: Invalid parameter
#Apr 2 20:02:18 nada milter-greylist: DKIM failed: No key
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ milter-greylist: DKIM failed: (No signature|Unable to verify|Key retrieval failed|Invalid parameter|No key)
#
# MONIT
#
@@ -243,8 +273,10 @@
#Mar 11 16:27:11 nada saslauthd[1732]: do_auth : auth failure: [user=Dr_Gonzo] [service=smtp] [realm=Challenge-UK.com] [mech=shadow] [reason=Unknown]
#Apr 13 09:42:29 kvarnen saslauthd[620]: do_auth : auth failure: [user=test] [service=] [realm=] [mech=pam] [reason=PAM auth error]
#Apr 15 19:27:33 nada saslauthd[1732]: do_auth : auth failure: [user=backuppc ] [service=smtp] [realm=wahlberg.se] [mech=shadow] [reason=Unknown]
#Apr 2 16:58:34 nada saslauthd[619]: do_auth : auth failure: [user=prueba] [service=smtp] [realm=] [mech=shadow] [reason=Invalid username]
#Apr 2 19:08:45 nada saslauthd[604]: do_auth : auth failure: [user=backup] [service=smtp] [realm=] [mech=shadow] [reason=Incorrect password]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([ -_.@[:alnum:]]+)?\] \[service=(smtp)?\] \[realm=([-_.@[:alnum:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error)\]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([ -_.@[:alnum:]]+)?\] \[service=(smtp)?\] \[realm=([-_.@[:alnum:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
#Apr 13 09:42:28 kvarnen saslauthd[620]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure\; logname=([-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
@@ -307,6 +339,9 @@
#Apr 4 01:58:18 nada sm-mta[23839]: u33Nw9KS023839: Milter: to=webmex@hotmail.com%nada.wahlberg.se, reject=451 4.7.1 Greylisting in action, please come back later
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: to=[.@%[:alnum:]]+, reject=451 4.7.1 Greylisting in action, please come back later
#Apr 2 18:36:44 nada sm-mta[21418]: v32GagN8021418: Milter: data, reject=451 4.3.2 Please try again later
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: data, reject=451 4.3.2 Please try again later
#Apr 9 09:51:26 nada sm-mta[6169]: u397pP13006169: rejecting commands from [113.240.250.156] [113.240.250.156] due to pre-greeting traffic after 1 seconds
#Mar 23 19:07:02 nada sm-mta[20228]: v2NI71CW020228: rejecting commands from ec2-35-165-194-208.us-west-2.compute.amazonaws.com [35.165.194.208] due to pre-greeting traffic after 1 seconds
#Mar 23 23:44:38 nada sm-mta[17761]: v2NMibVZ017761: rejecting commands from ecs-160-44-202-130.reverse.open-telekom-cloud.com [160.44.202.130] due to pre-greeting traffic after 1 seconds
@@ -386,11 +421,29 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
#Mar 2 07:21:44 nada spamc[16024]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamc\[[0-9]+\]: connect to spamd on 127.0.0.1 failed, retrying \(#(1|2) of 3\): Connection refused
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamc\[[0-9]+\]: connect to spamd on (127.0.0.1|::1) failed, retrying \(#(1|2) of 3\): Connection refused
#Apr 2 18:28:04 nada spamd[12078]: spamd: connection from localhost.localdomain [127.0.0.1]:57662 to port 783, fd 5
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: connection from localhost.localdomain \[127.0.0.1\]:[[:digit:]]+ to port 783, fd 5
#Apr 2 18:28:06 nada spamd[12078]: dns: reply to 9869/IN/A/22211110.com truncated (EDNS 4096 bytes), 89 answer records
#Apr 2 20:37:14 nada spamd[12078]: dns: reply to 52792/IN/TXT/freemediainternet.com truncated (EDNS 4096 bytes), 2 answer records
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: dns: reply to [[:digit:]]+\/IN\/A\/[[:alnum:]]+.com truncated \(EDNS 4096 bytes\), [[:digit:]]+ answer records
#Apr 2 19:45:30 nada spamd[12078]: spamd: result: Y 17 - BAYES_50,DATE_IN_PAST_96_XX,HTML_MESSAGE,MIMEOLE_DIRECT_TO_MX,MISSING_MID,PYZOR_CHECK,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_SBL_CSS,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK scantime=1.8,size=1914,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33068,mid=(unknown),bayes=0.499958,autolearn=no autolearn_force=no
#Apr 2 19:49:28 nada spamd[12078]: spamd: result: Y 11 - BAYES_50,DATE_IN_FUTURE_24_48,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL_LASTEXT,SPF_HELO_SOFTFAIL,URIBL_DBL_SPAM,URIBL_SBL_A scantime=2.5,size=3208,user=spamass-milter,uid=111,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=39030,mid=(unknown),bayes=0.508483,autolearn=no autolearn_force=no
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: spamd: result: Y [[:digit:]]+
#
# SSHD
#
#Mar 10 06:59:17 nada sshd(pam_google_authenticator)[3478]: Failed to read "/bin/.google_authenticator"
#May 19 10:39:19 nada sshd(pam_google_authenticator)[18265]: Failed to compute location of secret file
#May 19 14:05:07 nada sshd(pam_google_authenticator)[20232]: Did not receive verification code from user
@@ -414,7 +467,8 @@
#May 14 10:15:47 nada sshd[26005]: Received disconnect from 115.239.230.223: 11: disconnect [preauth]
#Aug 17 10:52:11 nada sshd[24804]: Received disconnect from 89.97.55.33: 11: disconnected by user [preauth]
#Mar 17 07:29:31 nada sshd[7692]: Received disconnect from 178.162.211.197: 13: User request [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: (11|13): (User request|disconnect(ed by user)?|ok|Bye|Closed due to user request.) \[preauth\]
#Apr 2 16:50:49 nada sshd[1363]: Received disconnect from 58.218.199.145: 11: [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: (11|13): (User request|disconnect(ed by user)?|ok|Bye|Closed due to user request.)? \[preauth\]
#Mar 24 11:06:21 kvarnen sshd[5495]: channel 4: open failed: administratively prohibited: open failed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: channel [[:digit:]]: open failed: administratively prohibited: open failed
@@ -430,7 +484,8 @@
#Mar 13 10:10:06 kvarnen sshd[31901]: Disconnecting: Too many authentication failures for root from 74.74.67.164 port 43335 ssh2 [preauth]
#Feb 3 11:52:58 nada sshd[16082]: Disconnecting: Too many authentication failures for root [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for [[:alnum:]]+ (from [.:[:digit:]]+ port [[:digit:]]+ ssh2 )?\[preauth\]
#Apr 2 19:44:16 nada sshd[15909]: Disconnecting: Too many authentication failures for invalid user openvpn from 177.40.96.203 port 58746 ssh2 [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for (invalid user )?[[:alnum:]]+ (from [.:[:digit:]]+ port [[:digit:]]+ ssh2 )?\[preauth\]
#Mar 12 12:26:38 kvarnen sshd[6051]: fatal: no matching cipher found: client aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client