Annu fler fixar

logcheck_ignore

@@ -45,6 +45,10 @@
 #Mar 10 12:53:41 kvarnen dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=141.212.122.64, lip=95.170.86.14, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<1cA1d7AtxACN1HpA>
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected \(disconnected before auth was ready, waited 0 secs\): user=<>, rip=[.[:digit:]]+, lip=[.[:digit:]]+, TLS handshaking: SSL_accept\(\) failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<[/+[:alnum:]]+>
 
+#Mar 13 02:55:07 nada dovecot: ssl-params: Generating SSL parameters
+#Mar 13 02:55:16 nada dovecot: ssl-params: SSL parameters regeneration completed
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-params: (Generating SSL parameters|SSL parameters regeneration completed)
+
 #
 #  MONIT
 #
@@ -77,6 +81,19 @@
 #Mar 11 06:34:44 nada named[1771]: using default UDP/IPv4 port range: [1024, 65535]
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: using default UDP/IPv(4|6) port range: \[[[:digit:]]+, [[:digit:]]+\]
 
+#Mar 13 19:02:30 kvarnen named[8896]: transfer of 'acroyoga.se/IN' from 66.23.226.92#53: Transfer completed: 0 messages, 0 records, 0 bytes, 127.193 secs (0 bytes/sec)
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: transfer of '[-.[:alnum:]]+/IN' from [.[:digit:]]+#[[:digit:]]+: Transfer completed: [[:digit:]]+ messages, [[:digit:]]+ records, [[:digit:]]+ bytes, [.[:digit:]]+ secs \([[:digit:]]+ bytes/sec\)
+
+
+#
+# SASLAUTHD
+#
+
+#Mar 11 16:25:32 nada saslauthd[1732]: do_auth         : auth failure: [user=no-reply] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
+#Mar 11 16:27:11 nada saslauthd[1732]: do_auth         : auth failure: [user=Dr_Gonzo] [service=smtp] [realm=Challenge-UK.com] [mech=shadow] [reason=Unknown]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([-_.@[:alnum:]]+)?\] \[service=smtp\] \[realm=([-_.@[:alnum:]]+)?\] \[mech=shadow\] \[reason=Unknown\]
+
+
 
 #
 # SM-MTA
@@ -84,6 +101,9 @@
 #Mar  9 07:31:29 nada sm-mta[24919]: u296VPig024919: ruleset=check_rcpt, arg1=<netshopping@sanfo.com>, relay=[75.98.154.125], reject=550 5.7.1 <netshopping@sanfo.com>... Relaying denied. IP name lookup failed [75.98.154.125]
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
 
+#Mar 11 13:55:34 nada sm-mta[10612]: u2BCtW1I010612: ruleset=check_rcpt, arg1=<star.pop3@hotmail.com>, relay=rdns2.fastmkt.xyz [177.11.51.157] (may be forged), reject=550 5.7.1 <star.pop3@hotmail.com>... Relaying denied. IP name possibly forged [177.11.51.157]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=<[-_.@[:alnum:]]+>, relay=[-.[:alnum:]]+ \[[.:[:digit:]]+\] \(may be forged\), reject=550 5.7.1 <[-_.@[:alnum:]]+>... Relaying denied. IP name possibly forged \[[.:[:digit:]]+\]
+
 #Mar  9 07:33:07 nada sm-mta[24033]: u296N4QZ024033: collect: premature EOM: Connection reset by [208.87.25.77]
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: collect: premature EOM: Connection reset by \[[.:[:digit:]]+\]
 
@@ -96,7 +116,8 @@
 #Mar 21 12:11:16 nada sm-mta[13902]: q2LBB9M2013902: [91.201.64.99]: possible SMTP attack: command=HELO/EHLO, count=3
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ([-.[:alnum:]]+ )?\[[.[:xdigit:]]+\]: possible SMTP attack: command=(AUTH|HELO/EHLO), count=[[:digit:]]+
 
-
+#Mar 13 15:15:32 nada sm-mta[22560]: u2DEFS76022560: ruleset=check_rcpt, arg1=eax_64@yahoo.com, relay=[61.190.7.133], reject=550 5.7.1 eax_64@yahoo.com... Relaying denied. IP name lookup failed [61.190.7.133]
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_rcpt, arg1=[-_.@[:alnum:]]+, relay=\[[.:[:digit:]]+\], reject=550 5.7.1 [-_.@[:alnum:]]+ Relaying denied. IP name lookup failed \[[.:[:digit:]]+\]
 
 
 #
@@ -119,8 +140,9 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\(pam_google_authenticator\)\[[[:digit:]]+\]: Failed to read \"[/[:alnum:]]+\/.google_authenticator\"
 
 # Mar 10 11:12:56 nada sshd[26548]: Received disconnect from 94.102.49.198: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
+# Mar 12 04:09:09 nada sshd[23908]: Received disconnect from 195.154.52.9: 3: java.net.SocketTimeoutException: Read timed out [preauth]
 # Mar  8 12:09:30 nada sshd[26267]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 66.23.226.92 [preauth]
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 3: com.jcraft.jsch.JSchException: (reject HostKey: [.:[:digit:]]+|Auth fail) \[preauth\]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [.:[:digit:]]+: 3: (java.net.SocketTimeoutException|com.jcraft.jsch.JSchException): (reject HostKey: [.:[:digit:]]+|Auth fail|Read timed out) \[preauth\]
 
 # Mar 10 21:31:03 nada auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=katarina rhost=66.23.226.92  user=katarina
 # Mar  8 18:05:09 nada auth: pam_krb5(dovecot:auth): authentication failure; logname=fredrik uid=0 euid=0 tty=dovecot ruser=fredrik rhost=::1
@@ -133,4 +155,15 @@
 #Mar 14 02:25:08 nada sshd[18347]: fatal: Read from socket failed: Connection reset by peer [preauth]
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Read from socket failed: Connection reset by peer \[preauth\]
 
+#Mar 13 10:10:06 kvarnen sshd[31901]: Disconnecting: Too many authentication failures for root from 74.74.67.164 port 43335 ssh2 [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnecting: Too many authentication failures for root from [.:[:digit:]]+ port [[:digit:]]+ ssh2 \[preauth\]
 
+#Mar 12 12:26:38 kvarnen sshd[6051]: fatal: no matching cipher found: client aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: no matching cipher found: client 
+
+
+#Mar 11 21:08:21 nada suhosin[30831]: ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker '91.121.230.152', file '/home/happysthlm/www.happysthlm.se/wp/xmlrpc.php')
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - dropped [[:digit:]]+ request variables - \([[:digit:]]+ in GET, [[:digit:]]+ in POST, [[:digit:]]+ in COOKIE\) \(attacker '[.[:digit:]]+', file '[/.-_[:alnum:]]+'\)
+
+#Mar 11 21:10:17 nada suhosin[30832]: ALERT - configured request variable name length limit exceeded - dropped variable '
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ suhosin\[[[:digit:]]+\]: ALERT - configured request variable name length limit exceeded - dropped variable '