fredrik/logcheck
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Städar undan lite mer

Browse Source
This commit is contained in:
fredrik
2023-02-04 08:00:07 +01:00
parent ecc31e4403
commit c280394cde
4 changed files with 36 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
logcheck-fw-named
View File

@@ -88,4 +88,7 @@
#Oct 28 07:54:13 nada named[368]: client @0xf242cb64 104.180.184.102#80 (.): query failed (REFUSED) for ./IN/RRSIG at query.c:5498 #Oct 28 07:54:13 nada named[368]: client @0xf242cb64 104.180.184.102#80 (.): query failed (REFUSED) for ./IN/RRSIG at query.c:5498
#Oct 28 06:17:36 nada named[368]: client @0xf2443044 205.185.124.172#52570 (pizzaseo.com): query failed (REFUSED) for pizzaseo.com/IN/RRSIG at query.c:5498 #Oct 28 06:17:36 nada named[368]: client @0xf2443044 205.185.124.172#52570 (pizzaseo.com): query failed (REFUSED) for pizzaseo.com/IN/RRSIG at query.c:5498
#Oct 28 18:02:12 nada named[368]: client @0xf243df14 146.88.240.4#52092 (4217e25c.asert-dns-research.com): query failed (REFUSED) for 4217e25c.asert-dns-research.com/IN/A at query.c:5498 #Oct 28 18:02:12 nada named[368]: client @0xf243df14 146.88.240.4#52092 (4217e25c.asert-dns-research.com): query failed (REFUSED) for 4217e25c.asert-dns-research.com/IN/A at query.c:5498
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [@[:alnum:]]+ [\#.[:digit:]]+ \([-.[:alnum:]]+\): ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: client [@[:alnum:]]+ [\#.[:digit:]]+ \([-.[:alnum:]]+\):
#Feb 2 14:16:36 nada named[11745]: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL'

3
logcheck-fw-spam
View File

@@ -87,3 +87,6 @@
#Oct 28 06:31:02 nada spamd[3181]: prefork: child states: II [... logline repeated 32 times] #Oct 28 06:31:02 nada spamd[3181]: prefork: child states: II [... logline repeated 32 times]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: II \[... logline repeated [[:digit:]]+ times\] ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: prefork: child states: II \[... logline repeated [[:digit:]]+ times\]
#Feb 3 06:44:29 nada runuser: pam_unix(runuser:session): session opened for user debian-spamd(uid=119) by (uid=0)
#Feb 3 06:44:29 nada runuser: pam_unix(runuser:session): session closed for user debian-spamd
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ runuser: pam_unix\(runuser:session\): session (closed|opened) for user debian-spamd

42
logcheck-fw-sshd
View File

@@ -80,31 +80,31 @@
#Aug 16 19:28:06 nada sshd[12135]: Postponed keyboard-interactive/pam for invalid user admin from 75.149.180.141 port 65264 ssh2 [preauth] #Aug 16 19:28:06 nada sshd[12135]: Postponed keyboard-interactive/pam for invalid user admin from 75.149.180.141 port 65264 ssh2 [preauth]
#Aug 16 21:57:30 nada sshd[26976]: Postponed keyboard-interactive/pam for invalid user support from 103.207.36.244 port 59302 ssh2 [preauth] #Aug 16 21:57:30 nada sshd[26976]: Postponed keyboard-interactive/pam for invalid user support from 103.207.36.244 port 59302 ssh2 [preauth]
#Mar 1 09:28:37 nada sshd[4919]: Postponed keyboard-interactive/pam for root from 218.65.30.43 port 23516 ssh2 [preauth] #Mar 1 09:28:37 nada sshd[4919]: Postponed keyboard-interactive/pam for root from 218.65.30.43 port 23516 ssh2 [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed keyboard-interactive/pam for( invalid user)? [[:alnum:]]+ from [.:[:digit:]]+ port [[:digit:]]+ ssh2 \[preauth\] ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed keyboard-interactive/pam for( invalid user)? [[:alnum:]]+ from [.:[:digit:]]+ port [[:digit:]]+ ssh2 \[preauth\]
#Apr 22 14:23:22 nada sshd[19599]: subsystem request for sftp by user petter #Apr 22 14:23:22 nada sshd[19599]: subsystem request for sftp by user petter
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [[:alnum:]]+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [[:alnum:]]+
#May 28 00:22:32 nada sshd[4355]: input_userauth_request: invalid user oliver\\r [preauth] #May 28 00:22:32 nada sshd[4355]: input_userauth_request: invalid user oliver\\r [preauth]
#Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth] #Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth]
#Sep 9 06:55:41 marconi sshd[11486]: input_userauth_request: invalid user 0101 [preauth] #Sep 9 06:55:41 marconi sshd[11486]: input_userauth_request: invalid user 0101 [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user ([ ._[:alnum:]]+(\\\\r| )?) \[preauth\] ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user ([ ._[:alnum:]]+(\\\\r| )?) \[preauth\]
#Apr 21 16:11:24 nada sshd[20234]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.94.220.181.95.rev.numer.gy user=root #Apr 21 16:11:24 nada sshd[20234]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.94.220.181.95.rev.numer.gy user=root
#Oct 24 06:33:25 nada sshd[10577]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-68-161-233-215.ny325.east.verizon.net user=lp #Oct 24 06:33:25 nada sshd[10577]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-68-161-233-215.ny325.east.verizon.net user=lp
#Nov 3 00:10:37 nada sshd[29893]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host26-153-static.37-88-b.business.telecomitalia.it user=root #Nov 3 00:10:37 nada sshd[29893]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host26-153-static.37-88-b.business.telecomitalia.it user=root
#Nov 3 03:00:15 nada sshd[12808]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-200-105-158-166.acelerate.net user=root #Nov 3 03:00:15 nada sshd[12808]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-200-105-158-166.acelerate.net user=root
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=[-.[:alnum:]]+ user=[[:alnum:]]+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=[-.[:alnum:]]+ user=[[:alnum:]]+
#Mar 1 03:03:26 nada sshd[28313]: fatal: Write failed: Broken pipe [preauth] #Mar 1 03:03:26 nada sshd[28313]: fatal: Write failed: Broken pipe [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Broken pipe \[preauth\] ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: Broken pipe \[preauth\]
#Mar 6 22:43:34 nada sshd[4306]: Disconnecting: Packet corrupt [preauth] #Mar 6 22:43:34 nada sshd[4306]: Disconnecting: Packet corrupt [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Packet corrupt \[preauth\] ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Packet corrupt \[preauth\]
#Mar 6 22:43:34 nada sshd[4306]: Bad packet length 4081589265. [preauth] #Mar 6 22:43:34 nada sshd[4306]: Bad packet length 4081589265. [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad packet length [[:digit:]]+. \[preauth\] ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad packet length [[:digit:]]+. \[preauth\]
#Mar 8 03:17:11 nada sshd[23415]: Received disconnect from 91.195.103.166: 11: Client disconnecting normally [preauth] #Mar 8 03:17:11 nada sshd[23415]: Received disconnect from 91.195.103.166: 11: Client disconnecting normally [preauth]
#Mar 7 19:37:07 nada sshd[9647]: Received disconnect from 91.195.103.173: 11: Client disconnecting normally [preauth] #Mar 7 19:37:07 nada sshd[9647]: Received disconnect from 91.195.103.173: 11: Client disconnecting normally [preauth]
@@ -119,8 +119,7 @@
#Sep 11 11:32:09 cocacola sshd[5924]: Received disconnect from 5.189.139.2: 11: Normal Shutdown, Thank you for playing [preauth] #Sep 11 11:32:09 cocacola sshd[5924]: Received disconnect from 5.189.139.2: 11: Normal Shutdown, Thank you for playing [preauth]
#Sep 8 13:32:49 marconi sshd[20127]: Received disconnect from 103.27.239.143 port 40512:11: Normal Shutdown, Thank you for playing [preauth] #Sep 8 13:32:49 marconi sshd[20127]: Received disconnect from 103.27.239.143 port 40512:11: Normal Shutdown, Thank you for playing [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.[:alnum:]]+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.[:alnum:]]+( port )?[.:[:digit:]]+: Normal Shutdown, Thank you for playing \[preauth\]
(: port )?[.:[:digit:]]+: Normal Shutdown, Thank you for playing \[preauth\]
# Apr 18 17:29:30 nada internal-sftp[9277]: session opened for local user petter from [212.16.177.66] # Apr 18 17:29:30 nada internal-sftp[9277]: session opened for local user petter from [212.16.177.66]
# Apr 18 17:29:31 nada internal-sftp[9277]: opendir "/home/petter/www.lidberg.se/mazda/Old" # Apr 18 17:29:31 nada internal-sftp[9277]: opendir "/home/petter/www.lidberg.se/mazda/Old"
@@ -128,45 +127,50 @@
# Apr 18 17:29:38 nada internal-sftp[9277]: open "/home/petter/www.lidberg.se/mazda/Old/demo.html" flags READ mode 0666 # Apr 18 17:29:38 nada internal-sftp[9277]: open "/home/petter/www.lidberg.se/mazda/Old/demo.html" flags READ mode 0666
# Apr 18 17:29:38 nada internal-sftp[9277]: close "/home/petter/www.lidberg.se/mazda/Old/demo.html" bytes read 3754 written 0 # Apr 18 17:29:38 nada internal-sftp[9277]: close "/home/petter/www.lidberg.se/mazda/Old/demo.html" bytes read 3754 written 0
# Apr 18 17:33:38 nada internal-sftp[9277]: session closed for local user petter from [212.16.177.66] # Apr 18 17:33:38 nada internal-sftp[9277]: session closed for local user petter from [212.16.177.66]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ internal-sftp\[[[:digit:]]+\]: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ internal-sftp\[[[:digit:]]+\]:
#May 3 18:14:45 nada sshd[30553]: error: Received disconnect from 178.215.81.7: 14: No more user authentication methods available. [preauth] #May 3 18:14:45 nada sshd[30553]: error: Received disconnect from 178.215.81.7: 14: No more user authentication methods available. [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [.:[:digit:]]+: 14: No more user authentication methods available. \[preauth\] ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [.:[:digit:]]+: 14: No more user authentication methods available. \[preauth\]
#Oct 28 07:58:37 nada sshd[1041]: error: kex_exchange_identification: Connection closed by remote host #Oct 28 07:58:37 nada sshd[1041]: error: kex_exchange_identification: Connection closed by remote host
#Oct 28 12:23:29 nada sshd[14913]: error: kex_exchange_identification: read: Connection reset by peer #Oct 28 12:23:29 nada sshd[14913]: error: kex_exchange_identification: read: Connection reset by peer
#Feb 5 10:57:24 nada sshd[10567]: error: kex_exchange_identification: banner line contains invalid characters #Feb 5 10:57:24 nada sshd[10567]: error: kex_exchange_identification: banner line contains invalid characters
#Feb 4 12:47:13 nada sshd[8428]: error: kex_exchange_identification: client sent invalid protocol identifier "0" #Feb 4 12:47:13 nada sshd[8428]: error: kex_exchange_identification: client sent invalid protocol identifier "0"
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification:
#Feb 5 10:57:24 nada sshd[10567]: banner exchange: Connection from 164.52.24.164 port 40043: invalid format #Feb 5 10:57:24 nada sshd[10567]: banner exchange: Connection from 164.52.24.164 port 40043: invalid format
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: banner exchange: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: banner exchange:
#Feb 5 10:57:28 nada sshd[10568]: error: kex protocol error: type 30 seq 1 [preauth] #Feb 5 10:57:28 nada sshd[10568]: error: kex protocol error: type 30 seq 1 [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex protocol error: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex protocol error:
#Oct 28 07:58:37 nada sshd[1041]: Connection closed by 141.98.10.82 port 40176 #Oct 28 07:58:37 nada sshd[1041]: Connection closed by 141.98.10.82 port 40176
#Oct 28 12:23:29 nada sshd[14913]: Connection reset by 185.73.124.100 port 12384 #Oct 28 12:23:29 nada sshd[14913]: Connection reset by 185.73.124.100 port 12384
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection (closed|reset) by [.:[:digit:]]+ port [[:digit:]]+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection (closed|reset) by [.:[:digit:]]+ port [[:digit:]]+
#Oct 28 19:58:35 nada sshd[12067]: Connection reset by invalid user 178.73.215.171 port 60178 [preauth] #Oct 28 19:58:35 nada sshd[12067]: Connection reset by invalid user 178.73.215.171 port 60178 [preauth]
#Feb 2 03:18:13 nada sshd[22960]: Connection reset by invalid user admin 61.74.183.79 port 61300 [preauth] #Feb 2 03:18:13 nada sshd[22960]: Connection reset by invalid user admin 61.74.183.79 port 61300 [preauth]
#Feb 2 04:36:04 nada sshd[25211]: Connection reset by invalid user default 220.80.142.228 port 60384 [preauth] #Feb 2 04:36:04 nada sshd[25211]: Connection reset by invalid user default 220.80.142.228 port 60384 [preauth]
#Feb 2 06:03:18 nada sshd[27153]: Connection reset by invalid user pi 175.196.231.248 port 53934 [preauth] #Feb 2 06:03:18 nada sshd[27153]: Connection reset by invalid user pi 175.196.231.248 port 53934 [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection reset by invalid user ([[:alnum:]]+)? [.:[:digit:]]+ port [[:digit:]]+ \[preauth\] ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection reset by invalid user ([[:alnum:]]+)? [.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
#Feb 1 17:36:00 nada sshd[11797]: error: beginning MaxStartups throttling #Feb 1 17:36:00 nada sshd[11797]: error: beginning MaxStartups throttling
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: beginning MaxStartups throttling ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: beginning MaxStartups throttling
#Feb 1 17:36:00 nada sshd[11797]: drop connection #8 from [185.187.169.16]:43156 on [66.23.226.92]:22 past MaxStartups #Feb 1 17:36:00 nada sshd[11797]: drop connection #8 from [185.187.169.16]:43156 on [66.23.226.92]:22 past MaxStartups
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: drop connection #[[:digit:]] from \[[.:[:digit:]]+\]:[[:digit:]]+ on \[[.:[:digit:]]+\]:22 past MaxStartups ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: drop connection #[[:digit:]] from \[[.:[:digit:]]+\]:[[:digit:]]+ on \[[.:[:digit:]]+\]:22 past MaxStartups
#Feb 1 17:38:06 nada sshd[11797]: exited MaxStartups throttling after 00:02:06, 21 connections dropped #Feb 1 17:38:06 nada sshd[11797]: exited MaxStartups throttling after 00:02:06, 21 connections dropped
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: exited MaxStartups throttling after [[:digit:]]+:[[:digit:]]+:[[:digit:]]+, [[:digit:]]+ connections dropped ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: exited MaxStartups throttling after [[:digit:]]+:[[:digit:]]+:[[:digit:]]+, [[:digit:]]+ connections dropped
#Feb 2 13:35:21 nada sshd[13048]: ssh_dispatch_run_fatal: Connection from 69.112.204.55 port 37348: Connection corrupted [preauth]
#Feb 2 22:47:21 nada sshd[21634]: ssh_dispatch_run_fatal: Connection from 70.114.119.116 port 39346: Connection corrupted [preauth]
#Jan 31 05:32:36 nada sshd[30890]: ssh_dispatch_run_fatal: Connection from 121.157.157.209 port 63506: message authentication code incorrect [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: ssh_dispatch_run_fatal: Connection from [.:[:digit:]]+ port [[:digit:]]+: (message authentication code incorrect|Connection corrupted) \[preauth\]

6
testlog
View File

@@ -760,6 +760,12 @@ Feb 2 09:40:32 nada sshd[2620]: Connection reset by invalid user admin 222.119.
Feb 2 09:45:58 nada sm-mta[2775]: STARTTLS=client, relay=edu-stockholm-se.mail.protection.outlook.com., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256 Feb 2 09:45:58 nada sm-mta[2775]: STARTTLS=client, relay=edu-stockholm-se.mail.protection.outlook.com., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Feb 2 09:45:59 nada sm-mta[2775]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256 Feb 2 09:45:59 nada sm-mta[2775]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 2 11:13:00 nada sshd[8118]: Connection reset by invalid user telnet 210.179.113.202 port 34533 [preauth] Feb 2 11:13:00 nada sshd[8118]: Connection reset by invalid user telnet 210.179.113.202 port 34533 [preauth]
Feb 3 06:44:29 nada runuser: pam_unix(runuser:session): session opened for user debian-spamd(uid=119) by (uid=0)
Feb 3 06:44:29 nada runuser: pam_unix(runuser:session): session closed for user debian-spamd
Feb 2 13:35:21 nada sshd[13048]: ssh_dispatch_run_fatal: Connection from 69.112.204.55 port 37348: Connection corrupted [preauth]
Feb 2 22:47:21 nada sshd[21634]: ssh_dispatch_run_fatal: Connection from 70.114.119.116 port 39346: Connection corrupted [preauth]
Jan 31 05:32:36 nada sshd[30890]: ssh_dispatch_run_fatal: Connection from 121.157.157.209 port 63506: message authentication code incorrect [preauth]
Feb 2 14:16:36 nada named[11745]: _default: sending trust-anchor-telemetry query '_ta-4f66/NULL'