From 4ec0ca12c36b64dc8e98568204235e2a0ce00e29 Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Tue, 6 Feb 2018 08:26:48 +0100
Subject: [PATCH] =?UTF-8?q?N=C3=A5gra=20nya=20regler?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 logcheck_debian | 6 ++++--
 logcheck_ubuntu | 4 +++-
 testlog | 5 +++++
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/logcheck_debian b/logcheck_debian
index c9c2714..5b1e913 100644
--- a/logcheck_debian
+++ b/logcheck_debian
@@ -323,8 +323,9 @@
 #Apr 15 19:27:33 nada saslauthd[1732]: do_auth : auth failure: [user=backuppc ] [service=smtp] [realm=wahlberg.se] [mech=shadow] [reason=Unknown]
 #Apr 2 16:58:34 nada saslauthd[619]: do_auth : auth failure: [user=prueba] [service=smtp] [realm=] [mech=shadow] [reason=Invalid username]
 #Apr 2 19:08:45 nada saslauthd[604]: do_auth : auth failure: [user=backup] [service=smtp] [realm=] [mech=shadow] [reason=Incorrect password]
+#Feb 6 02:20:14 nada saslauthd[610]: do_auth : auth failure: [user=Adm1n!] [service=smtp] [realm=#] [mech=shadow] [reason=Invalid username]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([ -_.@[:alnum:]]+)?\] \[service=(smtp)?\] \[realm=([-_.@[:alnum:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([[:print:]]+)?\] \[service=(smtp)?\] \[realm=([[:print:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
 #Apr 13 09:42:28 kvarnen saslauthd[620]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure\; logname=([-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
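Review bot: The new `[[:print:]]+` classes for the user and realm fields of the saslauthd rule also match `]`, `[` and spaces, so the field delimiters `\] \[service=` and `\] \[mech=` are only located by backtracking and the pattern no longer states what a user or realm value may contain. A class that merely excludes the bracket delimiters keeps the added `Adm1n!` and `#` samples matching while staying reviewable: `\[user=([^][]+)?\] \[service=(smtp)?\] \[realm=([^][]+)?\]`. The same widening appears in the logcheck_ubuntu hunk, where the sshd username became `.*`; there `[^ ]+` would cover the `sap_user` and `0101` samples, and if usernames containing spaces are meant to be covered as well, a `#` comment above the rule saying so would help the next reader. Since these are ignore rules, every value the field accepts is dropped from the report, so the classes are best kept as tight as the observed log lines require.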
@@ -570,7 +571,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]
 #Mar 17 09:44:38 marconi sshd[27920]: fatal: Unable to negotiate with 212.129.20.230 port 51562: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate with [.[:digit:]]+ port [[:alnum:]]+: no matching cipher found. Their offer: .* \[preauth\]
+#Feb 5 05:36:40 marconi sshd[12309]: Unable to negotiate with 36.255.159.233 port 65061: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( fatal:)? Unable to negotiate with [.[:digit:]]+ port [[:alnum:]]+: no matching cipher found. Their offer: .* \[preauth\]
 #Apr 27 12:36:56 kvarnen sshd[26293]: Bad protocol version identification 'GET http://clientapi.ipip.net/echo.php?info=20160427185402 HTTP/1.1' from 106.184.2.29 port 7680
 #May 13 16:59:50 kvarnen sshd[21380]: Bad protocol version identification '' from 171.13.14.52 port 59637
diff --git a/logcheck_ubuntu b/logcheck_ubuntu
index 6095cd8..aff8592 100644
--- a/logcheck_ubuntu
+++ b/logcheck_ubuntu
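Review bot: The rewritten rule keeps `[.[:digit:]]+` for the peer address, so the line is only suppressed for IPv4 peers; the pam rule in the previous hunk of this file uses `[.:[:xdigit:]]+` for rhost and the `Connection closed by` rule in logcheck_ubuntu uses `[.:[:digit:]]+`, so the same event from an IPv6 peer would still be reported here. It also keeps `port [[:alnum:]]+` where the neighbouring rules use `port [[:digit:]]+`. Aligning the address and port classes with the file's existing rules, `Unable to negotiate with [.:[:xdigit:]]+ port [[:digit:]]+:`, makes the set consistent.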
@@ -90,7 +90,9 @@
 #Nov 2 11:19:59 marconi sshd[20563]: Connection closed by authenticating user root 58.214.22.74 port 6920 [preauth]
 #Nov 2 11:55:16 marconi sshd[496]: Connection closed by authenticating user root 112.29.245.145 port 2049 [preauth]
 #Nov 16 12:17:47 marconi sshd[32197]: Connection closed by invalid user cloud-user 115.47.122.242 port 6920 [preauth]
-\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by ((invalid|authenticating) user [-.@[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
+Feb 5 07:17:24 marconi sshd[31872]: Connection closed by invalid user sap_user 47.205.250.5 port 33272 [preauth]
+Feb 5 14:59:07 marconi sshd[21801]: Connection closed by invalid user 0101 5.188.10.179 port 60847 [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by ((invalid|authenticating) user .* )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
 #Mar 2 13:42:26 marconi sshd[25003]: Received disconnect from 155.4.131.66 port 2983:11: disconnected by user
 #Mar 2 17:00:04 marconi sshd[31419]: Received disconnect from 116.31.116.18 port 20137:11: [preauth]
diff --git a/testlog b/testlog
index 1a6485a..a4b9af2 100644
--- a/testlog
+++ b/testlog
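Review bot: The two sample lines added above the rule, `Feb 5 07:17:24 marconi sshd[31872]: …` and `Feb 5 14:59:07 marconi sshd[21801]: …`, lack the leading `#` that every other sample in this file carries. logcheck loads every line that is not a `#` comment as a pattern, so as written these two lines become ignore patterns in their own right (with `.` and `[31872]` read as regex syntax) rather than documentation, and they will also match themselves in the testlog, which hides the mistake. Prefix both with `#`: `#Feb 5 07:17:24 marconi sshd[31872]: Connection closed by invalid user sap_user 47.205.250.5 port 33272 [preauth]` and likewise for the second line.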
@@ -628,6 +628,11 @@ Nov 16 12:17:47 marconi sshd[32197]: Connection closed by invalid user cloud-use
 Nov 30 06:02:55 marconi sshd[23738]: error: Received disconnect from 103.99.0.207 port 63247:14: No more user authentication methods available. [preauth]
 Feb 5 13:02:12 nada milter-greylist: ignoring message beyond maxpeek = 0
 Feb 5 13:07:56 nada milter-greylist: ignoring message beyond maxpeek = 0
+Feb 5 05:36:40 marconi sshd[12309]: Unable to negotiate with 36.255.159.233 port 65061: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc [preauth]
+Feb 5 07:17:24 marconi sshd[31872]: Connection closed by invalid user sap_user 47.205.250.5 port 33272 [preauth]
+Feb 5 14:59:07 marconi sshd[21801]: Connection closed by invalid user 0101 5.188.10.179 port 60847 [preauth]
+Feb 6 02:20:14 nada saslauthd[610]: do_auth : auth failure: [user=Adm1n!] [service=smtp] [realm=#] [mech=shadow] [reason=Invalid username]
+
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
 Aug 23 18:39:24 nada fredrik[1713]: Sista raden