Logcheck: pre-ftpd, sshd, sshguard, nscd, dovecot, postfix, auth, ntpd, syslog-ng rules added/updated.

2017-07-10 16:25:06 +03:00 · 2017-07-10 16:25:06 +03:00 · 61d9d6995b
parent 596fcd0bd1
commit 61d9d6995b
1 changed files with 28 additions and 0 deletions
--- a/logcheck/ignore.d.server/backbone
+++ b/logcheck/ignore.d.server/backbone
@ -12,3 +12,31 @@
 # pure-ftpd
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: [^[]*\[INFO\].*$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: [^[]*\[NOTICE\].*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([^)]+\) \[WARNING\] Authentication failed for user .*$
+
+# sshd
+#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd(\[[0-9]+\])?: .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd(\[[0-9]+\])?: (Connection closed by invalid|Invalid user|Did not receive identification|Connection closed by|Received disconnect from|Disconnecting authenticating user|error: maximum authentication|Disconnected from|Disconnecting invalid user|Unable to negotiate with|Bad protocol version identification|error: Received disconnect from).*$
+
+# sshguard
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshguard(\[[0-9]+\])?: [0-9.]+ has already been blocked$
+
+# nscd
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd(\[[0-9]+\])?: .*$
+
+# dovecot
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: imap\([^)]+\): (Logged out|Connection closed|Disconnected for inactivity).*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: imap-login: (Aborted login|Disconnected).*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: auth: Warning: auth client [0-9]+ disconnected.*$
+
+# postfix
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/smtp|\/master)?d?(\[[0-9]+\])?: (disconnect from|warning: hostname [^ ]+ does not resolve to address|improper command pipelining|[0-9ABCDEF]+: client=|warning:|using backwards-compatible default setting).*$
+
+# auth
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth(\[[0-9]+\])?: pam_unix\(smtp:auth\): (check pass; user unknown|authentication failure).*$
+
+# ntpd
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd(\[[0-9]+\])?: .*$
+
+# syslog-ng
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ syslog-ng(\[[0-9]+\])?: .*$