Ytterligare några fel hanterade

logcheck_ignore

@@ -82,10 +82,12 @@
 # Mar  8 14:08:09 nada dovecot: imap-login: Disconnected (no auth attempts in 28 secs): user=<>, rip=83.185.81.166, lip=66.23.226.92, TLS handshaking: Disconnected, session=<BNTkRYktuwBTuVGm>
 # Mar  8 14:10:01 nada dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=155.4.128.66, lip=66.23.226.92, TLS: Disconnected, session=<bXSMTIktugCbBIBC>
 # Mar  8 15:42:52 nada dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=141.212.122.129, lip=66.23.226.92, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<M0mYmIotEACN1HqB>
+# Mar 22 15:00:30 kvarnen dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=188.138.1.218, lip=95.170.86.14, session=<ZMLXoqMuFwC8igHa>
+
 # Mar  8 09:55:24 nada dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=213.153.113.1, lip=66.23.226.92, TLS, session=<tGj3vYUtSgDVmXEB>
 #Mar 10 21:31:07 nada dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<katarina>, method=PLAIN, rip=66.23.226.92, lip=66.23.226.92, TLS, session=<qnd3sbctoABCF+Jc>
 #Mar 10 23:23:14 kvarnen dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=85.25.43.94, lip=95.170.86.14, session=<OuW1QrktjABVGSte>
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected(: Inactivity)? \((auth failed, [[:digit:]]+|no auth) attempts in [[:digit:]]+ secs\): user=<([[:alnum:]]+)?>,( method=PLAIN,)? rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS)?(, session=<[+/[:alnum:]]+>)?
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: (Disconnected|Aborted login)(: Inactivity)? \((auth failed, [[:digit:]]+|no auth) attempts in [[:digit:]]+ secs\): user=<([[:alnum:]]+)?>,( method=PLAIN,)? rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS)?(, session=<[+/[:alnum:]]+>)?
 
 #Mar 10 12:53:41 kvarnen dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=141.212.122.64, lip=95.170.86.14, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<1cA1d7AtxACN1HpA>
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \(disconnected before auth was ready, waited 0 secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS handshaking: SSL_accept\(\) failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<[/+[:alnum:]]+>
@@ -98,13 +100,18 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Disconnected \(client didn\'t finish SASL auth, waited [[:digit:]]+ secs\): user=<>, method=PLAIN, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
 
 #Mar 16 01:47:24 kvarnen dovecot: pop3-login: Aborted login (no auth attempts in 3 secs): user=<>, rip=66.240.219.146, lip=95.170.86.14, TLS, session=<bSZ62x8uaQBC8NuS>
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Aborted login \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
+>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Aborted login \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[[:alnum:]]+>
+
+#Mar 23 19:49:52 nada dovecot: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<petter@lidberg.se>, method=PLAIN, rip=187.131.22.215, lip=66.23.226.92, TLS, session=<K0NMy7sukQC7gxbX
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)-login: Aborted login \(auth failed, [[:digit:]]+ attempts in [[:digit:]]+ secs\): user=<[.@[:alnum:]]+>, method=PLAIN, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS, session=<[+/[:alnum:]]>
 
 #Mar 14 18:40:24 nada dovecot: imap(johan): Disconnected for inactivity in reading our output in=603 out=253156
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected for inactivity in reading our output in=[[:digit:]]+ out=[[:digit:]]+
 
 #Mar 21 02:40:04 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<7uj4LIUuMQDIRGPZ>
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: Aborted login \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
+#Mar 22 13:03:22 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=<zjjk/6EudwDaHecV>
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: (Disconnected|Aborted login) \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
 
 
 #
@@ -151,7 +158,8 @@
 #Mar 16 21:43:05 kvarnen named[8896]: master 66.23.226.92#53 (source 0.0.0.0#0) deleted from unreachable cache
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: master [.[:digit:]]+#[[:digit:]]+ \(source [.[:digit:]]+#[[:digit:]]+\) deleted from unreachable cache
 
-
+#Mar 24 02:08:41 nada named[5002]: client 192.42.132.103#45345: notify question section contains no SOA
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [#.[:digit:]]+: notify question section contains no SOA
 
 #
 # SASLAUTHD
@@ -180,9 +188,10 @@
 
 #Mar 13 20:32:32 nada sm-mta[19605]: u2DJWTDv019605: h87-96-164-121.dynamic.se.alltele.net [87.96.164.121]: possible SMTP attack: command=AUTH, count=5
 #Mar 13 21:08:13 nada sm-mta[22820]: u2DK8AKe022820: h87-96-164-121.dynamic.se.alltele.net [87.96.164.121]: possible SMTP attack: command=AUTH, count=5
+#Mar 23 10:07:56 nada sm-mta[20809]: u2N97qjp020809: hostby.ankas-group.net [46.161.40.200] (may be forged): possible SMTP attack: command=AUTH, count=5
 #Mar 19 17:55:33 nada sm-mta[7383]: q2JGtBif007383: [183.13.205.9]: possible SMTP attack: command=AUTH, count=5
 #Mar 21 12:11:16 nada sm-mta[13902]: q2LBB9M2013902: [91.201.64.99]: possible SMTP attack: command=HELO/EHLO, count=3
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:xdigit:]]+\]: possible SMTP attack: command=(AUTH|HELO/EHLO), count=[[:digit:]]+
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:xdigit:]]+\]( \(may be forged\))?: possible SMTP attack: command=(AUTH|HELO/EHLO), count=[[:digit:]]+
 
 #Mar 13 15:15:32 nada sm-mta[22560]: u2DEFS76022560: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=[61.190.7.133], reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name lookup failed [61.190.7.133]
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=[-_.@[:alnum:]]+, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 [-_.@[:alnum:]]+ Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
@@ -190,6 +199,8 @@
 #Mar 15 11:26:20 nada sm-mta[6679]: STARTTLS=client, relay=mail.compenta.se., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA256, bits=128/128
 
+#Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: gethostbyaddr\(127.0.0.2\) failed: 1
 
 #
 #  SPAMD
@@ -197,6 +208,8 @@
 #Mar  9 15:31:44 nada spamd[27511]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_* R/W: lock failed: File exists
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: bayes: cannot open bayes databases /var/lib/spamass-milter/.spamassassin/bayes_\* R/W: lock failed: File exists
 
+#Mar 23 13:36:12 nada spamd[3731]: pyzor: check failed: internal error, python traceback seen in response
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: pyzor: check failed: internal error, python traceback seen in response
 
 #
 # SSHD
@@ -214,7 +227,13 @@
 
 # Mar 10 21:31:03 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=katarina rhost=66.23.226.92  user=katarina
 # Mar  8 18:05:09 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=::1
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\(dovecot:auth\): authentication failure\; logname=([[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=dovecot ruser=[[:alnum:]]+ rhost=[.:[:xdigit:]]+
+# Mar 23 19:49:48 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=petter@lidberg.se uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
+# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_(krb5|unix)\(dovecot:auth\): authentication failure\; logname=([.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=dovecot ruser=[.@[:alnum:]]+ rhost=[.:[:xdigit:]]+
+
+# Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth: pam_unix\(dovecot:auth\): check pass; user unknown
+
 
 #Mar 10 11:22:52 kvarnen sshd[12813]: error: PAM: Cannot make/remove an entry for the specified session for illegal user support from 40.76.54.16
 #Mar 14 01:39:26 nada sshd[14346]: error: PAM: Cannot make/remove an entry for the specified session for root from 6e.a0.caa1.ip4.static.sl-reverse.com

testlog

@@ -49,7 +49,6 @@ Mar 17 05:07:52 kvarnen freshclam[485]: ERROR: Can't download main.cvd from data
 Mar 17 05:07:52 kvarnen freshclam[485]: Giving up on database.clamav.net...
 Mar 17 05:07:52 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
 Mar 17 06:27:00 kvarnen freshclam[485]: Downloading main.cvd [100%]
-Mar 17 06:27:00 kvarnen freshclam[485]: ERROR: Verification: Can't verify database integrity
 Mar 17 06:27:06 kvarnen freshclam[485]: WARNING: getfile: Unknown response from remote server (IP: 145.58.29.83)
 Mar 17 06:30:26 kvarnen freshclam[485]: Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
 Mar 18 20:23:08 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<y+JQrVcuJwDIRGPZ>
@@ -65,3 +64,25 @@ Mar 21 04:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275
 Mar 21 05:52:56 kvarnen freshclam[485]: bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
 Mar 21 05:58:32 kvarnen named[8896]: zone happysthlm.se/IN: refresh: retry limit for master 66.23.226.92#53 exceeded (source 0.0.0.0#0)
 Mar 21 05:58:39 kvarnen named[8896]: transfer of 'happysthlm.se/IN' from 66.23.226.92#53: connected using 95.170.86.14#33872
+Mar 22 13:03:22 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=<zjjk/6EudwDaHecV>
+Mar 22 13:03:26 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=<OsoiAKIu3ADaHecV>
+Mar 22 13:03:29 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=<vGlWAKIu5QDaHecV>
+Mar 22 15:00:30 kvarnen dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=188.138.1.218, lip=95.170.86.14, session=<ZMLXoqMuFwC8igHa>
+Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
+Mar 22 18:05:16 nada sshd[29644]: Received disconnect from 91.193.74.7: 11: Bye [preauth]
+Mar 23 02:41:44 nada spamd[19688]: pyzor: check failed: internal error, python traceback seen in response
+Mar 23 05:48:21 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=ammis@lubcke.se uid=0 euid=0 tty=dovecot ruser=ammis@lubcke.se rhost=182.68.167.174
+Mar 23 05:48:21 nada auth: pam_unix(dovecot:auth): check pass; user unknown
+Mar 23 05:48:21 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ammis@lubcke.se rhost=182.68.167.174
+Mar 23 05:48:25 nada dovecot: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<ammis@lubcke.se>, method=PLAIN, rip=182.68.167.174, lip=66.23.226.92, TLS, session=<rVEJCrAubwC2RKeu>
+Mar 23 07:01:37 nada spamd[14446]: pyzor: check failed: internal error, python traceback seen in response
+Mar 23 10:07:56 nada sm-mta[20809]: u2N97qjp020809: hostby.ankas-group.net [46.161.40.200] (may be forged): possible SMTP attack: command=AUTH, count=5
+Mar 23 07:34:37 kvarnen sshd[25479]: Disconnecting: Change of username or service not allowed: (vmware,ssh-connection) -> (a,ssh-connection) [preauth]
+Mar 23 09:24:01 kvarnen sshd[19594]: Disconnecting: Change of username or service not allowed: (suser,ssh-connection) -> (user,ssh-connection) [preauth]
+Mar 23 13:36:12 nada spamd[3731]: pyzor: check failed: internal error, python traceback seen in response
+Mar 23 19:49:48 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=petter@lidberg.se uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
+Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): check pass; user unknown
+Mar 23 19:49:48 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=petter@lidberg.se rhost=187.131.22.215
+Mar 23 19:49:52 nada dovecot: imap-login: Aborted login (auth failed, 1 attempts in 4 secs): user=<petter@lidberg.se>, method=PLAIN, rip=187.131.22.215, lip=66.23.226.92, TLS, session=<K0NMy7sukQC7gxbX>
+Mar 24 02:08:41 nada named[5002]: client 192.42.132.103#45345: notify question section contains no SOA
+