From c975d3a48c2ea08ba2a6691bfe86fb827caf0ebe Mon Sep 17 00:00:00 2001
From: Fredrik Wahlberg
Date: Thu, 2 Nov 2017 13:26:11 +0100
Subject: [PATCH] Fler regler
---
 logcheck_ubuntu | 6 ++++--
 testlog | 11 +++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/logcheck_ubuntu b/logcheck_ubuntu
index 26bd751..9db1a1c 100644
--- a/logcheck_ubuntu
+++ b/logcheck_ubuntu
@@ -79,7 +79,9 @@
 #Mar 2 14:16:53 marconi sshd[4282]: Connection closed by 163.172.210.106 port 56708 [preauth]
 #Nov 2 07:25:58 marconi sshd[22932]: Connection closed by invalid user foo 175.6.27.49 port 6920 [preauth]
-\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by (invalid user [[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
+#Nov 2 11:19:59 marconi sshd[20563]: Connection closed by authenticating user root 58.214.22.74 port 6920 [preauth]
+#Nov 2 11:55:16 marconi sshd[496]: Connection closed by authenticating user root 112.29.245.145 port 2049 [preauth]
+\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by ((invalid|authenticating) user [[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
 #Mar 2 13:42:26 marconi sshd[25003]: Received disconnect from 155.4.131.66 port 2983:11: disconnected by user
 #Mar 2 17:00:04 marconi sshd[31419]: Received disconnect from 116.31.116.18 port 20137:11: [preauth]
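Review bot: The replacement `Connection closed by` rule still has no `^` at the start and no `$` at the end, unlike the `Disconnected from` rule further down, which at least starts with `^`. Assuming this file is installed as a logcheck ignore rule set, every line a rule matches is dropped from the report, so an unanchored rule also drops any longer line from any service that merely contains this text. Anchoring both ends keeps the suppression to the exact sshd message: `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by ((invalid|authenticating) user [[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]$`. The rule changed in the second hunk also lacks the trailing `$`.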
@@ -90,7 +92,7 @@
 #Nov 2 07:59:27 marconi sshd[1655]: Disconnected from invalid user admin 121.156.90.110 port 46078 [preauth]
 #Nov 2 08:01:51 marconi sshd[3848]: Disconnected from authenticating user root 121.18.238.123 port 47854 [preauth]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from (invalid|authenticating) user [[:alnum:]]+ [.:[:digit:]]+ (port [.:[:digit:]]+ )?
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from (invalid|authenticating) user [[:alnum:]]+ [.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
 #Mar 2 17:00:24 marconi sshd[556]: Connection reset by 119.147.115.37 port 1841 [preauth]
 #Mar 2 17:07:35 marconi sshd[2635]: Connection reset by 119.147.115.37 port 1070 [preauth]
diff --git a/testlog b/testlog
index 3d23e31..241b021 100644
--- a/testlog
+++ b/testlog
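Review bot: Nothing above the tightened `Disconnected from` rule records why `(invalid|authenticating) user` and `\[preauth\]` are mandatory, and those two parts are what keep disconnects of authenticated sessions in the report. A comment such as `# pre-auth only: never make "(invalid|authenticating) user" or "[preauth]" optional, authenticated disconnects must still be reported` would guard against a later edit loosening the rule again, as the removed line's open-ended tail did. The `[[:alnum:]]+` user class does not match names containing `-`, `_` or `.`, so those lines stay in the report; that errs on the safe side and is worth leaving narrow.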
@@ -593,6 +593,17 @@ Nov 2 07:48:30 marconi sshd[30673]: Did not receive identification string from
 Nov 2 07:49:45 marconi sshd[30998]: Disconnecting authenticating user root 180.130.191.9 port 45306: Too many authentication failures [preauth]
 Nov 2 07:59:27 marconi sshd[1655]: Disconnected from invalid user admin 121.156.90.110 port 46078 [preauth]
 Nov 2 08:01:51 marconi sshd[3848]: Disconnected from authenticating user root 121.18.238.123 port 47854 [preauth]
+Nov 2 11:03:21 marconi sshd[15313]: Disconnecting authenticating user root 72.1.255.192 port 56702: Too many authentication failures [preauth]
+Nov 2 11:03:25 marconi sshd[15340]: Did not receive identification string from 212.83.136.85 port 63067
+Nov 2 11:03:44 marconi sshd[15390]: Did not receive identification string from 212.83.136.85 port 49903
+Nov 2 11:48:29 marconi sshd[30727]: Did not receive identification string from 97.79.239.20 port 43399
+Nov 2 11:03:28 marconi sshd[15354]: Disconnected from invalid user admin 212.83.136.85 port 62912 [preauth]
+Nov 2 11:05:41 marconi sshd[16346]: Disconnected from authenticating user root 121.18.238.119 port 47256 [preauth]
+Nov 2 11:55:07 marconi sshd[32705]: Disconnected from authenticating user root 221.194.47.221 port 40633 [preauth]
+Nov 2 11:19:59 marconi sshd[20563]: Connection closed by authenticating user root 58.214.22.74 port 6920 [preauth]
+Nov 2 11:28:15 marconi sshd[23379]: Connection closed by invalid user admin 218.206.69.40 port 2049 [preauth]
+Nov 2 11:29:01 marconi sshd[23537]: Connection closed by invalid user test 106.247.228.75 port 6920 [preauth]
+Nov 2 11:55:16 marconi sshd[496]: Connection closed by authenticating user root 112.29.245.145 port 2049 [preauth]
 Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...