fredrik/logcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Ytterligare några fel hanterade

Browse Source
This commit is contained in:
fredrik
2016-03-24 09:51:55 +01:00
parent 0229414439
commit af17a50de9
2 changed files with 47 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
logcheck_ignore
View File

@@ -82,10 +82,12 @@
# Mar 8 14:08:09 nada dovecot: imap-login: Disconnected (no auth attempts in 28 secs): user=<>, rip=83.185.81.166, lip=66.23.226.92, TLS handshaking: Disconnected, session=<BNTkRYktuwBTuVGm>
# Mar 8 14:10:01 nada dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=155.4.128.66, lip=66.23.226.92, TLS: Disconnected, session=<bXSMTIktugCbBIBC>
# Mar 8 15:42:52 nada dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=141.212.122.129, lip=66.23.226.92, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<M0mYmIotEACN1HqB>
# Mar 22 15:00:30 kvarnen dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=188.138.1.218, lip=95.170.86.14, session=<ZMLXoqMuFwC8igHa>
# Mar 8 09:55:24 nada dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=213.153.113.1, lip=66.23.226.92, TLS, session=<tGj3vYUtSgDVmXEB>
#Mar 10 21:31:07 nada dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<katarina>, method=PLAIN, rip=66.23.226.92, lip=66.23.226.92, TLS, session=<qnd3sbctoABCF+Jc>
#Mar 10 23:23:14 kvarnen dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=85.25.43.94, lip=95.170.86.14, session=<OuW1QrktjABVGSte>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected(: Inactivity)? \((auth failed, [[:digit:]]+|no auth) attempts in [[:digit:]]+ secs\): user=<([[:alnum:]]+)?>,( method=PLAIN,)? rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS)?(, session=<[+/[:alnum:]]+>)?
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, [[:digit:]]+|no auth) attempts in [[:digit:]]+ secs\): user=<([[:alnum:]]+)?>,( method=PLAIN,)? rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS)?(, session=<[+/[:alnum:]]+>)?
#Mar 10 12:53:41 kvarnen dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=141.212.122.64, lip=95.170.86.14, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<1cA1d7AtxACN1HpA>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \(disconnected before auth was ready, waited 0 secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS handshaking: SSL_accept\(\) failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<[/+[:alnum:]]+>
@@ -98,13 +100,18 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Disconnected \(client didn\'t finish SASL auth, waited [[:digit:]]+ secs\): user=<>, method=PLAIN, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
#Mar 16 01:47:24 kvarnen dovecot: pop3-login: Aborted login (no auth attempts in 3 secs): user=<>, rip=66.240.219.146, lip=95.170.86.14, TLS, session=<bSZ62x8uaQBC8NuS>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Aborted login \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Aborted login \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
#Mar 23 19:49:52 nada dovecot: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<petter@lidberg.se>, method=PLAIN, rip=187.131.22.215, lip=66.23.226.92, TLS, session=<K0NMy7sukQC7gxbX
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Aborted login \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[.@[:alnum:]]+>, method=PLAIN, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[+/[:alnum:]]>
#Mar 14 18:40:24 nada dovecot: imap(johan): Disconnected for inactivity in reading our output in=603 out=253156
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected for inactivity in reading our output in=[[:digit:]]+ out=[[:digit:]]+
#Mar 21 02:40:04 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<7uj4LIUuMQDIRGPZ>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Aborted login \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
#Mar 22 13:03:22 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=<zjjk/6EudwDaHecV>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: (Disconnected|Aborted login) \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
#
@@ -151,7 +158,8 @@
#Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: master [.[:digit:]]+#[[:digit:]]+ \(source [.[:digit:]]+#[[:digit:]]+\) deleted from unreachable cache
#Mar 24 02:08:41 nada named[5002]: client 192.42.132.103#45345: notify question section contains no SOA
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: notify question section contains no SOA
#
# SASLAUTHD
@@ -180,9 +188,10 @@
#Mar 13 20:32:32 nada sm-mta[19605]: u2DJWTDv019605: h87-96-164-121.dynamic.se.alltele.net [87.96.164.121]: possible SMTP attack: command=AUTH, count=5
#Mar 13 21:08:13 nada sm-mta[22820]: u2DK8AKe022820: h87-96-164-121.dynamic.se.alltele.net [87.96.164.121]: possible SMTP attack: command=AUTH, count=5
#Mar 23 10:07:56 nada sm-mta[20809]: u2N97qjp020809: hostby.ankas-group.net [46.161.40.200] (may be forged): possible SMTP attack: command=AUTH, count=5
#Mar 19 17:55:33 nada sm-mta[7383]: q2JGtBif007383: [183.13.205.9]: possible SMTP attack: command=AUTH, count=5
#Mar 21 12:11:16 nada sm-mta[13902]: q2LBB9M2013902: [91.201.64.99]: possible SMTP attack: command=HELO/EHLO, count=3
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:xdigit:]]+\]: possible SMTP attack: command=(AUTH|HELO/EHLO), count=[[:digit:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:xdigit:]]+\]( \(may be forged\))?: possible SMTP attack: command=(AUTH|HELO/EHLO), count=[[:digit:]]+
#Mar 13 15:15:32 nada sm-mta[22560]: u2DEFS76022560: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=[61.190.7.133], reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name lookup failed [61.190.7.133]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=[-_.@[:alnum:]]+, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 [-_.@[:alnum:]]+ Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
@@ -190,6 +199,8 @@
#Mar 15 11:26:20 nada sm-mta[6679]: STARTTLS=client, relay=mail.compenta.se., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
#Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: gethostbyaddr\(127.0.0.2\) failed: 1
#
# SPAMD
@@ -197,6 +208,8 @@
#Mar 9 15:31:44 nada spamd[27511]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_* R/W: lock failed: File exists
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_\* R/W: lock failed: File exists
#Mar 23 13:36:12 nada spamd[3731]: pyzor: check failed: internal error, python traceback seen in response
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: pyzor: check failed: internal error, python traceback seen in response
#
# SSHD
@@ -214,7 +227,13 @@
# Mar 10 21:31:03 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=katarina rhost=66.23.226.92 user=katarina
# Mar 8 18:05:09 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=::1
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\(dovecot:auth\): authentication failure\; logname=([[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=dovecot ruser=[[:alnum:]]+ rhost=[.:[:xdigit:]]+
# Mar 23 19:49:48 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=petter@lidberg.se uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\(dovecot:auth\): authentication failure\; logname=([.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=dovecot ruser=[.@[:alnum:]]+ rhost=[.:[:xdigit:]]+
# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:auth\): check pass; user unknown
#Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16
#Mar 14 01:39:26 nada sshd[14346]: error: PAM: Cannot make/remove an entry for the specified session for root from 6e.a0.caa1.ip4.static.sl-reverse.com