Package: logcheck-database
Version: 1.3.15
Severity: normal
Tags: patch

Dear maintainer,

The rule to ignore "subsystem request for sftp" output from sshd doesn't
match the actual output from sshd anymore. The OpenSSH version in wheezy
and above now also includes the username:

Apr 24 14:19:28 rigel sshd[17449]: subsystem request for sftp by user sebastian

The attached patch changes the rule to match the new output.

Regards

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (650, 'unstable'), (601, 'testing'), (600, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Sebastian Ramacher
diff -Nru logcheck-1.3.15/rulefiles/linux/ignore.d.server/ssh logcheck-1.3.15+nmu1/rulefiles/linux/ignore.d.server/ssh
--- logcheck-1.3.15/rulefiles/linux/ignore.d.server/ssh	2012-06-30 16:30:11.000000000 +0200
+++ logcheck-1.3.15+nmu1/rulefiles/linux/ignore.d.server/ssh	2013-04-24 15:53:46.000000000 +0200
@@ -41,7 +41,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: refused connect from [:[:alnum:]._-]+ \([:[:alnum:].]+\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ (\[[:.[:xdigit:]]+\] )?failed - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: scanned from [:[:xdigit:].]+ with SSH-[.[:digit:]]+-SSH_Version_Mapper\.  Don't panic\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]*$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: syslogin_perform_logout: logout\(\) returned an error$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: /etc/hosts\.(allow|deny), line [[:digit:]]+: can't verify hostname: getaddrinfo\([._[:alnum:]-]+, AF_INET\) failed$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: warning: /etc/hosts\.(allow|deny), line [[:digit:]]+: host name/(name|address) mismatch: [._[:alnum:]-]+ != [._[:alnum:]-]+$
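Review bot: `[^[:space:]]*` on the added line also accepts a zero-length username, so a line ending in `subsystem request for sftp by user ` (nothing after the space) would be silently dropped; require at least one character with `+`, i.e. `subsystem request for sftp by user [^[:space:]]+$`. The neighbouring rules in this file constrain names with `[._[:alnum:]-]+`; if the intent is to be as strict about the username as about the hostname, that class could be reused here, otherwise `[^[:space:]]+` is the minimal fix.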

Attachment: signature.asc
Description: Digital signature
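As an added example, not part of the bug report or of the logcheck package, the following script runs the old and new ignore rules from the patch against a few constructed sshd log lines with `grep -E`, the engine logcheck applies its rule files with. It also tries a variant that uses `[^[:space:]]+` instead of `[^[:space:]]*`; that variant, the `STRICT_RULE` name and every sample line except the one quoted in the report are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or from logcheck): exercise the
# old and new "subsystem request for sftp" ignore rules with grep -E.

OLD_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp$'
NEW_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]*$'
# Assumed variant (not in the patch): at least one username character required.
STRICT_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$'

# Constructed sample lines; only LINE_NEW is taken from the report.
LINE_OLD='Apr 24 14:19:28 rigel sshd[17449]: subsystem request for sftp'
LINE_NEW='Apr 24 14:19:28 rigel sshd[17449]: subsystem request for sftp by user sebastian'
LINE_EMPTY='Apr 24 14:19:28 rigel sshd[17449]: subsystem request for sftp by user '
LINE_TRAIL='Apr 24 14:19:28 rigel sshd[17449]: subsystem request for sftp by user sebastian extra'

# matches RULE LINE: exit 0 when RULE would make logcheck drop LINE.
matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# verdict RULE LINE: "ignored" if the rule matches, "reported" otherwise.
verdict() {
    if matches "$1" "$2"; then echo ignored; else echo reported; fi
}

# Print a small table of rule x line outcomes.
for rule_name in OLD_RULE NEW_RULE STRICT_RULE; do
    eval "rule=\$$rule_name"
    for line_name in LINE_OLD LINE_NEW LINE_EMPTY LINE_TRAIL; do
        eval "line=\$$line_name"
        printf '%-11s %-10s %s\n' "$rule_name" "$line_name" "$(verdict "$rule" "$line")"
    done
done
```

The table shows the old rule no longer matching the line with a username, the patched rule matching it, and the one difference between `*` and `+`: the patched rule also ignores a line whose username is empty, while the stricter variant reports it. Both reject trailing text after the username because the pattern is anchored with `$`.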