fredrik/logcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Ett år senare är det dags igen

Browse Source
This commit is contained in:
fredrik
2023-02-02 14:42:59 +01:00
parent 9f97deb5ac
commit b8f1b5456f
3 changed files with 33 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
logcheck-fw-sshd
View File

@@ -152,6 +152,21 @@
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection (closed|reset) by [.:[:digit:]]+ port [[:digit:]]+
#Oct 28 19:58:35 nada sshd[12067]: Connection reset by invalid user 178.73.215.171 port 60178 [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection reset by invalid user [.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
#Feb 2 03:18:13 nada sshd[22960]: Connection reset by invalid user admin 61.74.183.79 port 61300 [preauth]
#Feb 2 04:36:04 nada sshd[25211]: Connection reset by invalid user default 220.80.142.228 port 60384 [preauth]
#Feb 2 06:03:18 nada sshd[27153]: Connection reset by invalid user pi 175.196.231.248 port 53934 [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection reset by invalid user ([[:alnum:]]+)? [.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
#Feb 1 17:36:00 nada sshd[11797]: error: beginning MaxStartups throttling
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: beginning MaxStartups throttling
#Feb 1 17:36:00 nada sshd[11797]: drop connection #8 from [185.187.169.16]:43156 on [66.23.226.92]:22 past MaxStartups
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: drop connection #[[:digit:]] from \[[.:[:digit:]]+\]:[[:digit:]]+ on \[[.:[:digit:]]+\]:22 past MaxStartups
#Feb 1 17:38:06 nada sshd[11797]: exited MaxStartups throttling after 00:02:06, 21 connections dropped
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: exited MaxStartups throttling after [[:digit:]]+:[[:digit:]]+:[[:digit:]]+, [[:digit:]]+ connections dropped

5
logcheck_debian
View File

@@ -276,7 +276,10 @@
#Mar 30 20:47:04 nada sm-mta[9603]: STARTTLS=client, relay=mail-gw01.fsdata.se., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
#Sep 11 00:02:05 cocacola sm-mta[4678]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
#Mar 9 00:02:06 cocacola sm-mta[30768]: STARTTLS=client, relay=mail.wahlberg.se., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, (version=TLSv1(.2)?(/SSLv3)?, verify=FAIL, cipher=[-[:alnum:]]+, bits=[/[:digit:]]+|field=cn_subject, status=failed to extract CN)
#Feb 1 22:21:52 nada sm-mta[12010]: STARTTLS=client, relay=mx.ilait.se., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
#Feb 1 14:50:24 nada sm-mta[31372]: STARTTLS=client, relay=mail2.ahrenbecks.se., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
#Feb 1 15:03:04 nada sm-mta[31865]: STARTTLS=client, relay=mx2.pub.mailpod2-cph3.one.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, relay=[-.:[:alnum:]]+, (version=TLSv1(.[[:digit:]])?(\/SSLv3)?, verify=FAIL, cipher=[-_[:alnum:]]+, bits=[/[:digit:]]+|field=cn_subject, status=failed to extract CN)
#Mar 22 13:31:42 nada sendmail[24653]: gethostbyaddr(127.0.0.2) failed: 1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[[:digit:]]+\]: gethostbyaddr\(127.0.0.2\) failed: 1

13
testlog
View File

@@ -733,6 +733,19 @@ Feb 5 10:57:28 nada sshd[10568]: error: kex protocol error: type 30 seq 1 [prea
Feb 4 12:47:13 nada sshd[8428]: error: kex_exchange_identification: client sent invalid protocol identifier "0"
Feb 5 12:34:09 nada opendkim[11209]: 215BY3W7014029: can't parse From: header value ' Administrator'
Feb 4 21:20:45 nada opendkim[11209]: 214KKdrR021463: syntax error: missing parameter(s) in signature data
Feb 2 03:18:13 nada sshd[22960]: Connection reset by invalid user admin 61.74.183.79 port 61300 [preauth]
Feb 2 04:36:04 nada sshd[25211]: Connection reset by invalid user default 220.80.142.228 port 60384 [preauth]
Feb 2 06:03:18 nada sshd[27153]: Connection reset by invalid user pi 175.196.231.248 port 53934 [preauth]
Feb 1 22:21:52 nada sm-mta[12010]: STARTTLS=client, relay=mx.ilait.se., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 1 14:50:24 nada sm-mta[31372]: STARTTLS=client, relay=mail2.ahrenbecks.se., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 1 14:52:25 nada sshd[31488]: Connection reset by invalid user admin 220.133.144.131 port 53363 [preauth]
Feb 1 15:03:04 nada sm-mta[31865]: STARTTLS=client, relay=mx2.pub.mailpod2-cph3.one.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 1 17:36:00 nada sshd[11797]: error: beginning MaxStartups throttling
Feb 1 17:36:00 nada sshd[11797]: drop connection #8 from [185.187.169.16]:43156 on [66.23.226.92]:22 past MaxStartups
Feb 1 17:38:06 nada sshd[11797]: exited MaxStartups throttling after 00:02:06, 21 connections dropped
Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
Aug 23 18:39:24 nada fredrik[1713]: Sista raden