From 6d904dfb42f1d4beccd0e5bd2c015e5c8b32c2e3 Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Mon, 1 Apr 2024 09:59:59 +0200
Subject: [PATCH] Fler preauth
---
 logcheck-fw-sshd | 5 ++++-
 testlog | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/logcheck-fw-sshd b/logcheck-fw-sshd
index fd4d1bd..8c0033d 100644
--- a/logcheck-fw-sshd
+++ b/logcheck-fw-sshd
@@ -190,4 +190,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: maximum authentication attempts exceeded for invalid user [-[:alnum:]]+ from [.:[:digit:]]+ port [[:digit:]]+ ssh2 \[preauth\]
 #Feb 5 01:55:57 nada sshd[27887]: Disconnecting invalid user ec2-user 183.107.58.230 port 63999: Too many authentication failures [preauth]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting invalid user [-[:alnum:]]+ [.:[:digit:]]+ port [[:digit:]]+: Too many authentication failures \[preauth\]
\ No newline at end of file
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting invalid user [-[:alnum:]]+ [.:[:digit:]]+ port [[:digit:]]+: Too many authentication failures \[preauth\]
+
+#Mar 31 19:21:30 nada sshd[18955]: Disconnected from invalid user 212.70.149.150 port 27437 [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from invalid user ([-[:alnum:]]+)? [.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
\ No newline at end of file
diff --git a/testlog b/testlog
index 7850d2c..7ed1437 100644
--- a/testlog
+++ b/testlog
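Review bot: The added `Disconnected from invalid user` rule in logcheck-fw-sshd has no `$` after `\[preauth\]`, so this ignore pattern also filters any longer line that merely begins with the same text; ending it with `\[preauth\]$` keeps the suppression limited to the exact sshd message. The address class `[.:[:digit:]]+` cannot match an IPv6 source that contains hex letters, so such lines will still appear in the report; `[.:[:xdigit:]]+` would cover them. Both points apply equally to the `Disconnecting invalid user` rule re-added just above it. With the optional group written as `user ([-[:alnum:]]+)? `, an empty user name only matches when the log line has two spaces before the address; whitespace looks collapsed on this page, so that is worth confirming against the raw testlog entries. Because the rule hides failed pre-auth probes from the logcheck report, a comment such as `# reviewed: pre-auth scanner noise, tracked elsewhere` next to it would record that the suppression is deliberate.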
@@ -787,6 +787,8 @@ Jan 21 09:45:23 nada sshd[14807]: error: kex_protocol_error: type 20 seq 2 [prea
 Mar 27 21:52:08 nada sshd[31920]: Received disconnect from 212.70.149.150 port 19201:11: Bye [preauth]
 Mar 27 23:07:45 nada sshd[951]: Received disconnect from 212.70.149.150 port 36664:11: Bye [preauth]
 Mar 31 08:57:09 nada sshd[32339]: Received disconnect from 185.224.128.34 port 38898:11: end [preauth]
+Mar 31 19:21:30 nada sshd[18955]: Disconnected from invalid user 212.70.149.150 port 27437 [preauth]
+Mar 31 20:28:36 nada sshd[21092]: Disconnected from invalid user 212.70.149.150 port 28708 [preauth]
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
 Aug 23 18:39:24 nada fredrik[1713]: Sista raden