This commit is contained in:
Fredrik Wahlberg
2016-05-14 07:51:27 +02:00
parent 93df56be25
commit ce99a8418d
2 changed files with 41 additions and 5 deletions


@@ -133,6 +133,10 @@
#Mar 14 18:40:24 nada dovecot: imap(johan): Disconnected for inactivity in reading our output in=603 out=253156
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected for inactivity in reading our output in=[[:digit:]]+ out=[[:digit:]]+
#Apr 27 14:28:26 nada dovecot: pop3(kajsa): Disconnected for inactivity top=0/0, retr=0/0, del=0/67, size=517953
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (imap|pop3)\([[:alnum:]]+\): Disconnected for inactivity top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
#Mar 21 02:40:04 kvarnen dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=200.68.99.217, lip=95.170.86.14, session=<7uj4LIUuMQDIRGPZ>
#Mar 22 13:03:22 kvarnen dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=218.29.231.21, lip=95.170.86.14, session=<zjjk/6EudwDaHecV>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3-login: (Disconnected|Aborted login) \(tried to use disallowed plaintext auth\): user=<>, rip=[.:[:digit:]]+, lip=[.:[:digit:]]+, session=<[+/[:alnum:]]+>
@@ -147,7 +151,8 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: pop3\([[:alnum:]]+\): Connection closed top=[/[:digit:]]+, retr=[/[:digit:]]+, del=[/[:digit:]]+, size=[[:digit:]]+
#Mar 30 20:59:38 nada dovecot: imap(katarina): Disconnected: Disconnected in=139 out=8902
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected: Disconnected in=[[:digit:]]+ out=[[:digit:]]+
#Apr 20 12:25:05 nada dovecot: imap(kajsa): Disconnected: EOF while appending in=413894 out=733
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected: (EOF while appending|Disconnected) in=[[:digit:]]+ out=[[:digit:]]+
#Apr 6 17:17:53 nada dovecot: imap(gertie): Disconnected in APPEND (1 msgs, 0 secs, 0/44908 bytes) in=884034 out=368982
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([[:alnum:]]+\): Disconnected in APPEND \([[:digit:]]+ msgs, [[:digit:]]+ secs, [[:digit:]]+/[[:digit:]]+ bytes\) in=[[:digit:]]+ out=[[:digit:]]+
@@ -249,7 +254,8 @@
#Mar 9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: collect: premature EOM: Connection reset by [208.87.25.77]
#Apr 15 17:29:00 nada sm-mta[687]: u3FFSq2F000687: collect: premature EOM: Connection reset by 99-198-26-191.cust.wildblue.net
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection reset by (\[)?[-.:[:alnum:]]+(\])?
#Apr 18 11:07:40 nada sm-mta[22391]: u3I87Z3E022391: collect: premature EOM: Connection timed out with rs-mta-31.anpdm.com
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection (reset by|timed out with) (\[)?[-.:[:alnum:]]+(\])?
#Mar 9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: SYSERR(root): collect: I/O error on connection from [208.87.25.77], from=<noc@newwiiindows.com>
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: SYSERR\(root\): collect: I\/O error on connection from \[[.:[:digit:]]+\], from=<[-_.@[:alnum:]]+>
@@ -296,7 +302,8 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [[:alnum:]]+: DSN: Service unavailable
#Apr 14 11:05:05 nada sm-mta[15662]: u3E955KV015662: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\r\n
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [-.[:alnum:]]+ \[[.[:digit:]]+\]: probable open proxy: command=GET http://www.ipip.net/ HTTP/1.1\\r\\n
#Apr 20 15:10:44 nada sm-mta[5182]: u3KDAiZT005182: li1068-122.members.linode.com [106.184.3.122]: probable open proxy: command=GET / HTTP/1.1\r\n
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sm-mta\[[0-9]+\]: [[:alnum:]]+: [-.[:alnum:]]+ \[[.[:digit:]]+\]: probable open proxy: command=GET (http://www.ipip.net)?/ HTTP/1.1\\r\\n
#
# SPAMD
@@ -331,8 +338,8 @@
#Apr 2 06:38:03 nada spamd[16362]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: rules: failed to run NO_DNS_FOR_FROM RBL test, skipping:
#Apr 27 00:44:20 nada spamd[23159]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ spamd\[[0-9]+\]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 185. at /usr/share/perl5/Mail/SpamAssassin/Plugin/Razor2.pm line 325.
#
# SSHD
@@ -377,9 +384,22 @@
#Apr 10 20:46:18 nada sshd[6046]: pam_unix(sshd:auth): conversation failed
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): conversation failed
#May 11 19:13:29 nada sshd[10882]: pam_krb5(sshd:auth): authentication failure; logname=ai_luat uid=0 euid=0 tty=ssh ruser= rhost=218.200.188.213
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): authentication failure; logname=ai_luat uid=0 euid=0 tty=ssh ruser= rhost=[.:[:digit:]]+
#Apr 10 20:50:19 nada sshd(pam_google_authenticator)[6490]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Trying to reuse a previously used time-based code. Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack
#May 11 01:17:42 kvarnen sshd[14739]: fatal: Unable to negotiate a key exchange method [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]
#Apr 27 12:36:56 kvarnen sshd[26293]: Bad protocol version identification 'GET http://clientapi.ipip.net/echo.php?info=20160427185402 HTTP/1.1' from 106.184.2.29 port 7680
#May 13 16:59:50 kvarnen sshd[21380]: Bad protocol version identification '' from 171.13.14.52 port 59637
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Bad protocol version identification '.*' from [.:[:digit:]]+ port [[:digit:]]+
#May 5 10:08:49 nada sshd[4523]: fatal: no hostkey alg [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no hostkey alg \[preauth\]
#
@@ -392,3 +412,5 @@
#Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - configured request variable name length limit exceeded - dropped variable
#Apr 19 21:14:31 nada suhosin[28060]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' (attacker '62.210.203.159', file '/home/happysthlm/www.happysthlm.se/index.php')
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'file' \(attacker '[.[:digit:]]+', file '.*'\)
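Review bot: In the SSHD hunk (`@@ -377,9 +384,22 @@`), the pam_google_authenticator rule below the `#Apr 10 20:50:19` sample suppresses a message that sshd emits only when a time-based code is replayed, and whose own text warns of a possible man-in-the-middle; if this file is a logcheck ignore list, as its sample-then-pattern layout suggests, that warning will never reach the report. A replayed one-time code is exactly the event a 2FA deployment needs a human to look at, so I would drop that rule rather than silence the line, or route it to a violations pattern if the setup has one. The pam_krb5 rule two lines above has the same problem in a different form: it bakes in one attacker's probe username, `logname=ai_luat`, plus `uid=0 euid=0`, so it matches only that single brute-force source while still hiding it, and an ignore pattern should not be built from a single observed attacker string in any case. The `Bad protocol version identification '.*'` rule is the one place where `.*` spans attacker-controlled text; `'[^']*'` is a tighter and cheaper match for the same lines. Side markers were lost in rendering, so I am inferring which lines are new, and the final hunk header (`+412,5`) counts one more line than is visible, so this file section may extend past what I can see.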