From c73e5817671c70c3d2fcd0beec0b53509336b990 Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Tue, 12 Sep 2017 13:54:30 +0200
Subject: [PATCH] Fixade regler i logcheck. Och eftersom det ar stokigt i setupen ocksa regler for home assistant
---
 logcheck_debian | 10 ++++++++--
 logcheck_ubuntu | 22 ++++++++++++++++++----
 testlog | 12 ++++++++++--
 3 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/logcheck_debian b/logcheck_debian
index bc6cbe9..bab3476 100644
--- a/logcheck_debian
+++ b/logcheck_debian
@@ -570,8 +570,9 @@
 \w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [[:alnum:]]+
 #May 28 00:22:32 nada sshd[4355]: input_userauth_request: invalid user oliver\\r [preauth]
-Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth]
-\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user ([._[:alnum:]]+(\\\\r| )?) \[preauth\]
+#Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth]
+#Sep 9 06:55:41 marconi sshd[11486]: input_userauth_request: invalid user 0101 [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user ([ ._[:alnum:]]+(\\\\r| )?) \[preauth\]
 #Apr 21 16:11:24 nada sshd[20234]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.94.220.181.95.rev.numer.gy user=root
 #Oct 24 06:33:25 nada sshd[10577]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=static-68-161-233-215.ny325.east.verizon.net user=lp
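Review bot: Adding a space to the username class in the new `input_userauth_request: invalid user ([ ._[:alnum:]]+(\\\\r| )?)` rule widens what this ignore rule swallows (the name in that message is chosen by the remote client) without making the empty-name example the commit quotes, `invalid user [preauth]`, match: the rule still requires at least one class character between `user ` and ` \[preauth\]`, and the `0101` example already matched the old `[._[:alnum:]]` class. If the empty-name form is what should be ignored, make the name optional instead of widening the class, e.g. `\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: input_userauth_request: invalid user ?([._[:alnum:]]+(\\\\r| )?)? \[preauth\]`, which covers the empty name whether sshd leaves one or two spaces there as well as the `oliver\\r` and `0101` examples. Unlike the logcheck_ubuntu rules, the patterns in this file are not anchored with `^`, so each one also matches as a substring of any longer line; given that part of this message is attacker-controlled, anchoring is cheap insurance.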
@@ -597,6 +598,11 @@ Mar 4 07:38:01 nada sshd[15794]: input_userauth_request: invalid user [preauth
 #Apr 13 09:47:05 marconi sshd[695]: error: Received disconnect from 37.229.184.255 port 61294:2: Handshake failed [preauth]
 \w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: (error: )?Received disconnect from [.:[:digit:]]+(:)? (port [[:digit:]]+:)?(11|2): (Client disconnecting normally|ok|Handshake failed) \[preauth\]
+#Sep 9 06:55:41 marconi sshd[11486]: Invalid user 0101 from 91.197.232.109
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user
+#[ .[alnum]]+ from [.:[:digit:]]+
+
+
 # Apr 18 17:29:30 nada internal-sftp[9277]: session opened for local user petter from [212.16.177.66]
 # Apr 18 17:29:31 nada internal-sftp[9277]: opendir "/home/petter/www.lidberg.se/mazda/Old"
 # Apr 18 17:29:31 nada internal-sftp[9277]: closedir "/home/petter/www.lidberg.se/mazda/Old"
diff --git a/logcheck_ubuntu b/logcheck_ubuntu
index 4b80f39..7eec4a1 100644
--- a/logcheck_ubuntu
+++ b/logcheck_ubuntu
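Review bot: The new `sshd\[[[:digit:]]+\]: Invalid user` rule has no tail, so every `Invalid user …` line is now dropped whatever follows it, and the line after it, `#[ .[alnum]]+ from [.:[:digit:]]+`, cannot narrow it: logcheck reads one pattern per line and skips `#` lines, and `[alnum]` inside a bracket expression means the literal characters `[`, `a`, `l`, `n`, `u`, `m`, not `[:alnum:]`. These lines are the main record of password guessing against the host, so if they are to be ignored at all the rule should at least pin the whole message shape, e.g. `\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [._[:alnum:]-]+ from [.:[:digit:]]+( port [[:digit:]]+)?$` (the optional port suffix is for sshd versions that append it — confirm against your own logs). As elsewhere in logcheck_debian the pattern is unanchored, so it also matches as a substring of any longer line.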
@@ -107,8 +107,10 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+ port [.:[:digit:]]+:11: Bye Bye \[preauth\]
 #Mar 2 20:33:25 marconi sshd[3723]: fatal: Unable to negotiate with 103.207.39.105 port 59502: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
-#Mar 9 05:42:53 marconi sshd[6125]: fatal: Unable to negotiate with 84.241.42.101 port 61319: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate with [.:[:digit:]]+ port [.:[:digit:]]+: no matching key exchange method found. Their offer: [-,[:alnum:]]+ \[preauth\]
+#Mar 9 05:42:53 marconi sshd[6125]: fatal: Unable to negotiate with 84.241.42.101 port 61319: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman#Sep 9 10:56:11 marconi sshd[2798]: fatal: Unable to negotiate with 54.156.158.234 port 41078: no matching host key type found. Their offer: ecdsa-sha2-nistp384 [preauth]
+#Sep 9 10:56:12 marconi sshd[2802]: fatal: Unable to negotiate with 54.156.158.234 port 41330: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth]
+#Sep 9 10:56:14 marconi sshd[2816]: fatal: Unable to negotiate with 54.156.158.234 port 42036: no matching host key type found. Their offer: ssh-dss [preauth]-group-exchange-sha1 [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate with [.:[:digit:]]+ port [.:[:digit:]]+: no matching (host key type|key exchange method) found. Their offer: [-,[:alnum:]]+ \[preauth\]
 #Mar 2 20:51:23 marconi sshd[8330]: error: maximum authentication attempts exceeded for invalid user admin from 182.45.153.221 port 54407 ssh2 [preauth]
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: maximum authentication attempts exceeded for invalid user [[:alnum:]]+ from [.:[:digit:]]+ port [.:[:digit:]]+ ssh2 \[preauth\]
@@ -117,6 +119,9 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024
+
+
+
 #
 # SYSTEMD
 #
@@ -165,6 +170,17 @@
 #Mar 5 00:00:01 marconi sudo: fredrik : TTY=unknown ; PWD=/home/fredrik ; USER=root ; COMMAND=/home/fredrik/bin/kdbx_backup.sh
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: fredrik : TTY=unknown \; PWD=/home/fredrik \; USER=root \; COMMAND=/home/fredrik/bin/kdbx_backup.sh
+#Sep 9 03:34:14 marconi root: /etc/dhcp/dhclient-enter-hooks.d/avahi-autoipd returned non-zero exit status 1
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ root: /etc/dhcp/dhclient-enter-hooks.d/avahi-autoipd returned non-zero exit status 1
+
+
+#Sep 9 03:34:14 marconi smbd[2261]: * Reloading /etc/samba/smb.conf smbd
+#Sep 9 03:34:14 marconi smbd[2261]: ...done.
+#Sep 10 07:35:57 marconi freeradius[3649]: * Reloading FreeRADIUS daemon freeradius
+#Sep 10 07:35:58 marconi freeradius[3649]: ...done.
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (freeradius|smbd)\[[[:digit:]]+\]: \* Reloading
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (freeradius|smbd)\[[[:digit:]]+\]: ...done.
+
 #
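Review bot: The three new `#Sep 9 10:56:1x` example lines were pasted into the middle of the existing `#Mar 9 05:42:53` example, which is why the first added line ends in `diffie-hellman#Sep 9 10:56:11 …` and the third in `ssh-dss [preauth]-group-exchange-sha1 [preauth]`; they are `#` comments so no pattern breaks, but the examples no longer document the rule and should be split back into four separate lines. On the rule itself, `Their offer: [-,[:alnum:]]+` does not cover algorithm names containing `@` or `.` (for instance `curve25519-sha256@libssh.org`), so negotiation failures quoting such an offer will still be reported; if that is unintended, use `Their offer: [-,.@[:alnum:]]+ \[preauth\]`. Extending the rule to `no matching host key type found` looks reasonable given the three examples come from one address within three seconds, but it also hides the case where a legitimate client is misconfigured, so keep that in mind when a user reports being unable to connect.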
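Review bot: The two new `(freeradius|smbd)` rules are open-ended: `\* Reloading` matches any reload message from either daemon regardless of what was reloaded, and `...done.` has unescaped dots, so it matches any three characters followed by `done` and any one character. A configuration reload of the SMB or RADIUS authentication daemon is the kind of event a log review should keep visible or at least match precisely; pinning the full messages shown in the examples gives `\* Reloading (/etc/samba/smb\.conf smbd|FreeRADIUS daemon freeradius)$` and `\.\.\.done\.$`. The `avahi-autoipd` rule should likewise escape its dots (`dhclient-enter-hooks\.d`), though for a literal path match that is mostly cosmetic.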
@@ -174,8 +190,6 @@
 #Mar 5 07:36:35 marconi nmbd[28262]: [2017/03/05 07:36:35.791823, 0] ../source3/nmbd/nmbd.c:169(nmbd_sig_hup_handler)
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nmbd\[[[:digit:]]+\]: \[[ .:,/[:digit:]]+
-#Mar 5 07:36:35 marconi nmbd[28262]: [2017/03/05 07:36:35.792332, 0] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
-
 #Jun 21 16:00:42 marconi update_daemon2.php[27565]: [14:00:42/31191] Purged 0 orphaned posts.
 #Jun 21 16:00:42 marconi update_daemon2.php[27565]: [14:00:42/31191] Removed 0 (feeds) 0 (cats) orphaned counter cache entries.
diff --git a/testlog b/testlog
index b62ccf4..5bfb966 100644
--- a/testlog
+++ b/testlog
@@ -570,8 +570,16 @@ Aug 22 09:00:18 marconi kernel: [737391.088869] sd 7:0:0:0: [sdd] tag#0 FAILED R
 Aug 22 09:00:18 marconi kernel: [737391.088892] sd 7:0:0:0: [sdd] tag#0 Sense Key : Hardware Error [current] [descriptor]
 Aug 22 09:00:18 marconi kernel: [737391.088904] sd 7:0:0:0: [sdd] tag#0 Add. Sense: No additional sense information
 Aug 22 09:00:18 marconi kernel: [737391.088919] sd 7:0:0:0: [sdd] tag#0 CDB: ATA command pass through(16) 85 06 2c 00 00 00 00 00 00 00 00 00 00 00 e5 00
-
-
+Sep 9 03:34:14 marconi root: /etc/dhcp/dhclient-enter-hooks.d/avahi-autoipd returned non-zero exit status 1
+Sep 9 03:34:14 marconi smbd[2261]: * Reloading /etc/samba/smb.conf smbd
+Sep 9 03:34:14 marconi smbd[2261]: ...done.
+Sep 9 06:55:41 marconi sshd[11486]: Invalid user 0101 from 91.197.232.109
+Sep 9 06:55:41 marconi sshd[11486]: input_userauth_request: invalid user 0101 [preauth]
+Sep 9 10:56:11 marconi sshd[2798]: fatal: Unable to negotiate with 54.156.158.234 port 41078: no matching host key type found. Their offer: ecdsa-sha2-nistp384 [preauth]
+Sep 9 10:56:12 marconi sshd[2802]: fatal: Unable to negotiate with 54.156.158.234 port 41330: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth]
+Sep 9 10:56:14 marconi sshd[2816]: fatal: Unable to negotiate with 54.156.158.234 port 42036: no matching host key type found. Their offer: ssh-dss [preauth]
+Sep 10 07:35:57 marconi freeradius[3649]: * Reloading FreeRADIUS daemon freeradius
+Sep 10 07:35:58 marconi freeradius[3649]: ...done.
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...