fredrik/logcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Nya uppdateringar

Browse Source
This commit is contained in:
fredrik
2026-05-19 19:44:51 +02:00
parent 497e2d738a
commit bc04dc7306
6 changed files with 267 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
logcheck_debian
View File

@@ -410,3 +410,117 @@
#Jan 22 00:01:04 nada nscd: 271 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd: 271 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
#May 17 21:16:19 nada sm-mta[13757]: 64HJGGtv013757: Milter: data, reject=554 5.7.1 Spam message rejected
#May 17 21:16:28 nada sm-mta[13759]: 64HJGQIQ013759: Milter: data, reject=554 5.7.1 Spam message rejected
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: data, reject=451 4.3.2 Please try again later
#Apr 9 09:51:26 nada sm-mta[6169]: u397pP13006169: rejecting commands from [113.240.250.156] [113.240.250.156] due to pre-greeting traffic after 1 seconds
#Mar 23 19:07:02 nada sm-mta[20228]: v2NI71CW020228: rejecting commands from ec2-35-165-194-208.us-west-2.compute.amazonaws.com [35.165.194.208] due to pre-greeting traffic after 1 seconds
#Mar 23 23:44:38 nada sm-mta[17761]: v2NMibVZ017761: rejecting commands from ecs-160-44-202-130.reverse.open-telekom-cloud.com [160.44.202.130] due to pre-greeting traffic after 1 seconds
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: rejecting commands from (\[[.[:digit:]]+\]|[-.[:alnum:]]+) \[[.[:digit:]]+\] due to pre-greeting traffic after [[:digit:]]+ seconds
#Apr 15 10:25:06 nada sm-mta[23906]: u3F8P26J023665: u3F8P66I023906: DSN: Service unavailable
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Service unavailable
#Mar 17 11:32:29 nada sm-mta[775]: v2HAWQ2g000768: v2HAWT2f000775: DSN: Host unknown (Name server: hgadvokat.se: host not found)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Host unknown \(Name server:
#[-.[:alnum:]]+: host not found\)
#Apr 14 11:05:05 nada sm-mta[15662]: u3E955KV015662: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\r\n
#Apr 20 15:10:44 nada sm-mta[5182]: u3KDAiZT005182: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
#Mar 20 04:00:44 nada sm-mta[21983]: v2K30iPx021983: [180.163.2.117]: probable open proxy: command=GET / HTTP/1.1\r\n
#Apr 12 15:05:34 nada sm-mta[20644]: v3CD5WoV020644: [60.191.40.195]: probable open proxy: command=GET / HTTP/1.0\r\n
#Jan 20 20:45:31 nada sm-mta[27401]: 40KJjVOo027401: ec2-13-40-30-39.eu-west-2.compute.amazonaws.com [13.40.30.39]: probable open proxy: command=GET /logon.htm HTTP/1.1\r\n
#Jan 20 20:50:45 nada sm-mta[27482]: 40KJojHp027482: ec2-13-40-30-39.eu-west-2.compute.amazonaws.com [13.40.30.39]: probable open proxy: command=GET /login.jsp HTTP/1.1\r\n
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: .*: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.(0|1)\\r\\n
#Oct 24 06:04:11 nada sm-mta[7813]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
#Oct 24 06:04:11 nada sm-mta[7813]: STARTTLS=client: 7813:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
#Oct 24 17:54:12 nada sm-mta[11900]: STARTTLS=client: 11900:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS=client: [[:digit:]]+:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:757:
#Oct 24 06:04:11 nada sm-mta[7813]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.adlibris.com, reject=403 4.7.0 TLS handshake failed.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: ruleset=tls_server, arg1=SOFTWARE, relay=[.[:alnum:]]+, reject=403 4.7.0 TLS handshake failed.
#Mar 4 09:14:31 nada sm-mta[25219]: v248EUKL025219: AUTH decode64 error [-5 for "Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==\r"], relay=[156.67.106.207]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: AUTH decode64 error \[-5 for "Y2FzdG9yQHdhaGxiZXJnLnNlAGNhc3RvckB3YWhsYmVyZy5zZQBwb2tlbW9uDQ==\\r"\], relay=\[[.:[:digit:]]+\]
#Mar 6 23:47:37 nada sm-mta[11119]: v26MlObG011113: Fixed MIME Content-Type header field (possible attack)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: Fixed MIME Content-Type header field \(possible attack\)
#Mar 8 07:31:45 nada sm-mta[16598]: v286VitB016598: AUTH decode64 error [-5 for "Y2FzdG9yAGNhc3RvcgBwb2tlbW9uDQ==\r"], relay=[156.67.106.207]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: AUTH decode64 error \[-5 for "[=\\[:alnum:]]+"\], relay=\[[.:[:digit:]]+\]
#Mar 16 03:41:06 nada sm-mta[28708]: STARTTLS: write error=syscall error (-1), errno=32, get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=5
#Sep 12 10:27:41 nada sm-mta[4522]: STARTTLS: read error=syscall error (-1), errno=104, get_error=error:00000000:lib(0):func(0):reason(0), retry=1, ssl_err=5
#Sep 8 20:49:21 nada sm-mta[14243]: STARTTLS: read error=syscall error (-1), errno=110, get_error=error:00000000:lib(0):func(0):reason(0), retry=1, ssl_err=5
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: STARTTLS: (read|write) error=syscall error \(-1\), errno=[[:digit:]]+, get_error=error:00000000:lib\(0\):func\(0\):reason\(0\), retry=(1|99), ssl_err=5
#Apr 10 19:18:06 nada sendmail[17597]: v3AHI6dq017597: Authentication-Warning: nada.wahlberg.se: www-data set sender to katarina@happysthlm.se using -f
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sendmail\[[0-9]+\]: [[:alnum:]]+: Authentication-Warning: nada.wahlberg.se: www-data set sender to [.@[:alnum:]]+ using -f
#
# SUHOSIN
#
#Mar 11 21:08:21 nada suhosin[30831]: ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '91.121.230.152', file '/home/happysthlm/www.happysthlm.se/wp/xmlrpc.php')
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - dropped [[:digit:]]+ request variables - \([[:digit:]]+ in GET, [[:digit:]]+ in POST, [[:digit:]]+ in COOKIE\) \(attacker '[.[:digit:]]+', file '.*'\)
#Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable
#Aug 23 06:06:16 nada suhosin[4003]: ALERT - configured GET variable value length limit exceeded - dropped variable 'page' (attacker '216.172.189.152', file '/home/fredrik/www.wahlis.com/dnsupdate/man.php')
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - configured (GET|request) variable (value|name) length limit exceeded - dropped variable
#Apr 19 21:14:31 nada suhosin[28060]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' (attacker '62.210.203.159', file '/home/happysthlm/www.happysthlm.se/index.php')
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' \(attacker '[.[:digit:]]+', file '.*'\)
#
# Systemd
#
#Oct 13 08:31:17 kvarnen systemd[1]: Starting Cleanup of Temporary Directories...
#Oct 13 08:31:17 kvarnen systemd[1]: Started Cleanup of Temporary Directories.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: (Started|Starting) Cleanup of Temporary Directories.{1,3}
#Apr 11 06:47:59 nada systemd: pam_unix(systemd-user:session): session opened for user nobody by (uid=0)
#Apr 11 06:48:04 nada systemd: pam_unix(systemd-user:session): session closed for user nobody
#Apr 18 17:29:30 nada systemd: pam_unix(systemd-user:session): session opened for user petter by (uid=0)
#Apr 18 17:33:38 nada systemd: pam_unix(systemd-user:session): session closed for user petter
#Apr 11 15:12:51 nada systemd: pam_unix(systemd-user:session): session closed for user fredrik
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user (nobody|fredrik|petter)( by \(uid=0\))?
#Apr 11 06:47:59 nada systemd-logind[306]: Existing logind session ID 264242 used by new audit session, ignoring
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Existing logind session ID [[:digit:]]+ used by new audit session, ignoring
#Apr 11 06:47:59 nada systemd-logind[306]: New session c12 of user nobody.
#Apr 11 06:47:59 nada systemd-logind[306]: Removed session c12.
#Apr 11 10:58:01 nada systemd-logind[306]: New session c14 of user fredrik.
#Apr 11 11:04:24 nada systemd-logind[306]: New session c15 of user fredrik.
#Apr 18 17:29:30 nada systemd-logind[305]: New session c36 of user petter.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: (Removed session [[:alnum:]]+.|New session [[:alnum:]]+ of user (nobody|fredrik|petter).)
#Jan 20 08:06:05 nada dbus-daemon[240]: [system] Reloaded configuration
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dbus-daemon\[[[:digit:]]+\]: \[system\] Reloaded configuration
#Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fredrik\[[[:digit:]]+\]: Kontrollrad. Syns detta har vi problem...
#Jan 22 00:01:04 nada nscd: 271 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd: 271 den övervakade filen ”/etc/resolv.conf” var moved into place, lägger till vakt
#May 17 21:16:19 nada sm-mta[13757]: 64HJGGtv013757: Milter: data, reject=554 5.7.1 Spam message rejected
#May 17 21:16:28 nada sm-mta[13759]: 64HJGQIQ013759: Milter: data, reject=554 5.7.1 Spam message rejected
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: Milter: data, reject=554 5.7.1 Spam message rejected