From 9f97deb5ac8e61ad261ca1438eb475e98a3d6f5c Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Sun, 6 Feb 2022 09:41:02 +0100
Subject: [PATCH] Nya regeluppdateringar
---
 logcheck-fw-dovecot | 3 +++
 logcheck-fw-named | 9 +++++++--
 logcheck-fw-opendkim | 6 ++++++
 logcheck-fw-sshd | 13 ++++++++++++-
 testlog | 16 +++++++++++++++-
 5 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/logcheck-fw-dovecot b/logcheck-fw-dovecot
index 4e1f2b0..e348b5d 100644
--- a/logcheck-fw-dovecot
+++ b/logcheck-fw-dovecot
@@ -6,3 +6,6 @@
 #Oct 25 16:13:00 nada dovecot: imap(fredrik)<6240><99Nk8i3P18suOxpv>: Logged out in=2119 out=386189 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=1 body_bytes=26072
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\)<[[:alnum:]]+><[\/[:alnum:]]+>: (Connection closed|Logged out in).*
+
+
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: STARTTLS=client(:|,)
diff --git a/logcheck-fw-named b/logcheck-fw-named
index ff86db3..e6a1bc2 100644
--- a/logcheck-fw-named
+++ b/logcheck-fw-named
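Review bot: The rule added at the end of logcheck-fw-dovecot matches `sendmail\[[[:digit:]]+\]: STARTTLS=client(:|,)`, not dovecot, so it looks filed in the wrong rule set and will be hard to find when the sendmail rules are audited; the testlog hunks in this commit also add no `STARTTLS=client` sample line, so nothing in the fixture exercises it. The pattern is open-ended after `(:|,)`, which silences the whole STARTTLS=client line whatever the verify/cipher fields say, so a failed or downgraded client-side TLS negotiation would be hidden along with successful ones. Every other rule in these files is preceded by a `#`-prefixed sample log line; adding the sendmail line that motivated this rule, and tightening the pattern to the fields that sample shows, would keep the file self-documenting.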
@@ -8,7 +8,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: (Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones|sizing zone task pool based on [[:digit:]]+ zones|received control channel command 'reload( [.[:alnum:]]+)?'|reading built-in trusted keys from file '/etc/bind/bind.keys')
 #Mar 10 06:43:39 nada named[1771]: client 95.170.86.14#50337: received notify for zone 'happysthlm.com'
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [.:[:xdigit:]]+\#[[:digit:]]+: received notify for zone '[-.[:alnum:]]+'
+#Feb 6 01:00:04 nada named[2607]: client @0xf25c9754 46.21.104.9#50736: received notify for zone 'thulin.info'
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client( .*)? [.:[:xdigit:]]+\#[[:digit:]]+: received notify for zone '[-.[:alnum:]]+'
 #Mar 13 19:06:05 nada named[1771]: client 95.170.86.14#54781: transfer of 'stiy.com/IN': IXFR ended
 #Mar 3 18:45:43 nada named[31321]: client 46.21.104.9#48923: transfer of 'wahlberg.se/IN': AXFR-style IXFR started
@@ -48,6 +49,9 @@
 #Dec 19 17:32:19 nada named[5082]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone: Active key unexpectedly missing from dlv.isc.org
+#Feb 5 21:24:45 nada named[2607]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: managed-keys-zone: Key [[:digit:]]+ for zone . is now trusted \(acceptance timer complete\)
+
 #Mar 26 21:45:26 nada named[5002]: validating @0xb82ba940: . NS: got insecure response; parent indicates it should be secure
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: validating [@[:alnum:]]+: . NS: got insecure response; parent indicates it should be secure
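Review bot: `client( .*)? ` in the rewritten notify rule is broader than the change needs: `.*` accepts any text between `client` and the address, while the new sample only adds the `@0xf25c9754` handle, and this file already matches that token with `[@[:alnum:]]+` (the validating rule in the next hunk and the query-failed rule at the end of the file). Suggest `client( [@[:alnum:]]+)? [.:[:xdigit:]]+\#[[:digit:]]+: received notify for zone '[-.[:alnum:]]+'` so a notify line is silenced only when it has the shape the samples show. None of the rules in this file end with `$`, so the rule also matches if anything is appended after the zone name; that is pre-existing style, but worth keeping in mind when widening a pattern.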
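Review bot: In the new managed-keys-zone rule the unescaped `.` in `for zone . is now trusted` matches any single character, whereas the sample line is about the root zone `.`; `for zone \. is now trusted` pins it to that. The validating rule two lines below uses the same unescaped `.`, so the loose form may be deliberate file style, but for a trust-anchor acceptance message the precise form costs nothing.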
@@ -83,4 +87,5 @@
 #Oct 28 07:54:13 nada named[368]: client @0xf242cb64 104.180.184.102#80 (.): query failed (REFUSED) for ./IN/RRSIG at query.c:5498
 #Oct 28 06:17:36 nada named[368]: client @0xf2443044 205.185.124.172#52570 (pizzaseo.com): query failed (REFUSED) for pizzaseo.com/IN/RRSIG at query.c:5498
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [@[:alnum:]]+ [\#.[:digit:]]+ \([.[:alnum:]]+\):
\ No newline at end of file
+#Oct 28 18:02:12 nada named[368]: client @0xf243df14 146.88.240.4#52092 (4217e25c.asert-dns-research.com): query failed (REFUSED) for 4217e25c.asert-dns-research.com/IN/A at query.c:5498
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [@[:alnum:]]+ [\#.[:digit:]]+ \([-.[:alnum:]]+\):
\ No newline at end of file
diff --git a/logcheck-fw-opendkim b/logcheck-fw-opendkim
index c91ffc0..3e859e0 100644
--- a/logcheck-fw-opendkim
+++ b/logcheck-fw-opendkim
@@ -41,3 +41,9 @@
 #Oct 26 08:07:42 nada opendkim[452]: 19Q67at9009525: s=key1 d=s8.uwentos.ru a=rsa-sha1 SSL
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: s=[-.[:alnum:]]+ d=[-.[:alnum:]]+ a=[-.[:alnum:]]+ SSL
+#Feb 6 05:49:41 nada opendkim[11209]: 2164nbMA007755: syntax error: missing parameter(s) in signature data
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: syntax error: missing parameter\(s\) in signature data
+
+#Feb 5 12:34:09 nada opendkim[11209]: 215BY3W7014029: can't parse From: header value ' Administrator'
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [[:alnum:]]+: can't parse From: header value
+
diff --git a/logcheck-fw-sshd b/logcheck-fw-sshd
index 2eb5d89..000bdcc 100644
--- a/logcheck-fw-sshd
+++ b/logcheck-fw-sshd
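Review bot: The replacement rule still stops at `\([-.[:alnum:]]+\):` with nothing after it, so it silences every `client @… ip#port (name):` message named emits with that prefix, not only the `query failed (REFUSED)` lines all three samples show. Suggest completing it from the samples: `client [@[:alnum:]]+ [\#.[:digit:]]+ \([-.[:alnum:]]+\): query failed \(REFUSED\) for [-./[:alnum:]]+ at query\.c:[[:digit:]]+`, which still covers the `(.)` / `./IN/RRSIG` root-zone case. The file is also left without a trailing newline (`\ No newline at end of file` on both sides); adding one means the next rule appended here does not show up as a two-line change.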
@@ -136,11 +136,22 @@
 #Oct 28 07:58:37 nada sshd[1041]: error: kex_exchange_identification: Connection closed by remote host
 #Oct 28 12:23:29 nada sshd[14913]: error: kex_exchange_identification: read: Connection reset by peer
-\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: (read: )?Connection (closed|reset) by (remote host|peer)
+#Feb 5 10:57:24 nada sshd[10567]: error: kex_exchange_identification: banner line contains invalid characters
+#Feb 4 12:47:13 nada sshd[8428]: error: kex_exchange_identification: client sent invalid protocol identifier "0"
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification:
+#Feb 5 10:57:24 nada sshd[10567]: banner exchange: Connection from 164.52.24.164 port 40043: invalid format
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: banner exchange:
+
+#Feb 5 10:57:28 nada sshd[10568]: error: kex protocol error: type 30 seq 1 [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex protocol error:
 #Oct 28 07:58:37 nada sshd[1041]: Connection closed by 141.98.10.82 port 40176
 #Oct 28 12:23:29 nada sshd[14913]: Connection reset by 185.73.124.100 port 12384
 \w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection (closed|reset) by [.:[:digit:]]+ port [[:digit:]]+
+#Oct 28 19:58:35 nada sshd[12067]: Connection reset by invalid user 178.73.215.171 port 60178 [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection reset by invalid user [.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
+
+
diff --git a/testlog b/testlog
index f76e225..ca092b1 100644
--- a/testlog
+++ b/testlog
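Review bot: The replacement rule `sshd\[[[:digit:]]+\]: error: kex_exchange_identification:` ends right after the colon, so it now silences every kex_exchange_identification error instead of the variants the samples justify, and the new `banner exchange:` and `error: kex protocol error:` rules in this hunk have the same open-ended shape. For an ignore file that is a visibility loss: any new or unusual pre-auth error text sshd logs under those prefixes is dropped together with the scanner noise, which is exactly the kind of line an operator wants to see once. Suggest enumerating what the samples show, e.g. `error: kex_exchange_identification: ((read: )?Connection (closed|reset) by (remote host|peer)|banner line contains invalid characters|client sent invalid protocol identifier "[^"]*")`, `banner exchange: Connection from [.:[:digit:]]+ port [[:digit:]]+: invalid format` and `error: kex protocol error: type [[:digit:]]+ seq [[:digit:]]+ \[preauth\]`. The `\w{3}` rules in this file also lack the leading `^` the other rule files use; that is pre-existing, but it means each of these patterns can match starting anywhere in a line.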
@@ -1,5 +1,7 @@
 första raden i loggen
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
+Oct 28 19:58:35 nada sshd[12067]: Connection reset by invalid user 178.73.215.171 port 60178 [preauth]
+Oct 28 18:02:12 nada named[368]: client @0xf243df14 146.88.240.4#52092 (4217e25c.asert-dns-research.com): query failed (REFUSED) for 4217e25c.asert-dns-research.com/IN/A at query.c:5498
 Oct 28 10:01:06 nada HORDE: Guest user is not authorized for Mail (Host: msnbot-157-55-39-113.search.msn.com). [pid 30077 on line 324 of "/usr/share/php/Horde/Registry.php"]
 Oct 28 10:58:51 nada HORDE: Guest user is not authorized for Horde (Host: 33.bl.bot.semrush.com). [pid 5104 on line 324 of "/usr/share/php/Horde/Registry.php"]
 Oct 28 07:54:13 nada named[368]: client @0xf242cb64 104.180.184.102#80 (.): query failed (REFUSED) for ./IN/RRSIG at query.c:5498
@@ -718,7 +720,19 @@ Oct 26 08:02:39 nada opendkim[452]: 19Q62XN9009466: s=dk d=s6.csa2.acemsa2.com a
 Oct 26 08:03:24 nada opendkim[452]: 19Q63GTn009473: s=neolane d=email.hm.com a=rsa-sha256 SSL
 Oct 26 08:05:29 nada opendkim[452]: 19Q65Jlq009498: s=bedrock d=lrfsamkop.se a=rsa-sha1 SSL
 Oct 26 08:07:42 nada opendkim[452]: 19Q67at9009525: s=key1 d=s8.uwentos.ru a=rsa-sha1 SSL
-
+Feb 6 00:50:43 nada opendkim[11209]: 215Nodvf000505: syntax error: missing parameter(s) in signature data
+Feb 6 01:00:04 nada named[2607]: client @0xf25c9754 46.21.104.9#50736: received notify for zone 'thulin.info'
+Feb 6 01:00:04 nada named[2607]: client @0xf25d1ea4 46.21.104.9#50736: received notify for zone 'lidberg.se'
+Feb 6 03:22:50 nada opendkim[11209]: 2162MlIG003947: syntax error: missing parameter(s) in signature data
+Feb 6 03:33:13 nada opendkim[11209]: 2162XAh3004159: syntax error: missing parameter(s) in signature data
+Feb 6 05:49:41 nada opendkim[11209]: 2164nbMA007755: syntax error: missing parameter(s) in signature data
+Feb 5 21:24:45 nada named[2607]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Feb 5 10:57:24 nada sshd[10567]: error: kex_exchange_identification: banner line contains invalid characters
+Feb 5 10:57:24 nada sshd[10567]: banner exchange: Connection from 164.52.24.164 port 40043: invalid format
+Feb 5 10:57:28 nada sshd[10568]: error: kex protocol error: type 30 seq 1 [preauth]
+Feb 4 12:47:13 nada sshd[8428]: error: kex_exchange_identification: client sent invalid protocol identifier "0"
+Feb 5 12:34:09 nada opendkim[11209]: 215BY3W7014029: can't parse From: header value ' Administrator'
+Feb 4 21:20:45 nada opendkim[11209]: 214KKdrR021463: syntax error: missing parameter(s) in signature data
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
 Aug 23 18:39:24 nada fredrik[1713]: Sista raden