From 61d9d6995bbae24a07aa194cc02c880d5bce75a8 Mon Sep 17 00:00:00 2001
From: Kolan Sh
Date: Mon, 10 Jul 2017 16:25:06 +0300
Subject: [PATCH] Logcheck: pre-ftpd, sshd, sshguard, nscd, dovecot, postfix, auth, ntpd, syslog-ng rules added/updated.

---
 logcheck/ignore.d.server/backbone | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/logcheck/ignore.d.server/backbone b/logcheck/ignore.d.server/backbone
index 1c167b6..362b811 100644
--- a/logcheck/ignore.d.server/backbone
+++ b/logcheck/ignore.d.server/backbone
@@ -12,3 +12,31 @@
 # pure-ftpd
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: [^[]*\[INFO\].*$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: [^[]*\[NOTICE\].*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([^)]+\) \[WARNING\] Authentication failed for user .*$
+
+# sshd
+#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd(\[[0-9]+\])?: .*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd(\[[0-9]+\])?: (Connection closed by invalid|Invalid user|Did not receive identification|Connection closed by|Received disconnect from|Disconnecting authenticating user|error: maximum authentication|Disconnected from|Disconnecting invalid user|Unable to negotiate with|Bad protocol version identification|error: Received disconnect from).*$
+
+# sshguard
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshguard(\[[0-9]+\])?: [0-9.]+ has already been blocked$
+
+# nscd
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd(\[[0-9]+\])?: .*$
+
+# dovecot
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: imap\([^)]+\): (Logged out|Connection closed|Disconnected for inactivity).*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: imap-login: (Aborted login|Disconnected).*$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot(\[[0-9]+\])?: auth: Warning: auth client [0-9]+ disconnected.*$
+
+# postfix
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(\/smtp|\/master)?d?(\[[0-9]+\])?: (disconnect from|warning: hostname [^ ]+ does not resolve to address|improper command pipelining|[0-9ABCDEF]+: client=|warning:|using backwards-compatible default setting).*$
+
+# auth
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auth(\[[0-9]+\])?: pam_unix\(smtp:auth\): (check pass; user unknown|authentication failure).*$
+
+# ntpd
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ntpd(\[[0-9]+\])?: .*$
+
+# syslog-ng
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ syslog-ng(\[[0-9]+\])?: .*$
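Review bot: The bare `warning:` alternative in the postfix rule is a superset of `warning: hostname [^ ]+ does not resolve to address` and makes logcheck drop every warning smtpd, smtp and master emit, including ones a server operator normally wants to see (SASL authentication failures and relay problems are logged at that level); drop it so the group reads `(disconnect from|warning: hostname [^ ]+ does not resolve to address|improper command pipelining|[0-9ABCDEF]+: client=|using backwards-compatible default setting)`. The nscd, ntpd and syslog-ng rules end in `: .*$` and therefore discard those daemons' error and failure output along with their chatter; list the specific noise lines instead, as the sshguard and dovecot rules already do. The commented-out sshd catch-all left above the live sshd rule is dead text that only invites re-enabling and could be removed. In the sshd alternation, `Connection closed by invalid` is already matched by `Connection closed by` and can go.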