Package: logcheck-database
Version: 1.2.68
Severity: normal
Tags: patch

SSHD in lenny and etch emits white space at the end of ssh login authentication failure lines. It would appear that line 11 of the current /etc/logcheck/violations.ignore.d/logcheck-ssh intends to filter such lines (in fact it does manage to filter ones that include the user=username field, but not lines without), but fails to do so because of the trailing whitespace. The problematic part of the regex is the final:

  rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$

Replacing it with:

  rhost=[^[:space:]]+[[:space:]]+(user=[^[:space:]]+)?$

fixes the problem, but the following is probably less brittle:

  rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$

in the case that sshd gets fixed to remove the trailing whitespace at some point in the future...

Thanks,
Tim.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-openvz-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- no debconf information
--- /tmp/logcheck-ssh.old 2008-10-31 12:39:03.000000000 +0000 +++ /etc/logcheck/violations.ignore.d/logcheck-ssh 2008-10-31 12:40:50.000000000 +0000 @@ -8,6 +8,6 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN)$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for (i(llegal|nvalid) user )?[^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$ -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$
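Review bot: in the replaced rhost= rule, `([[:space:]]+)?` is the same thing as `[[:space:]]*`; the shorter form is easier to read and matches exactly the same lines, so consider using it. Note also what the loosened tail does and does not cover: because the rule stays anchored on `$`, a line of the form `rhost=X user=Y` followed by trailing whitespace is still not matched (neither before nor after this change), and anything after `user=Y` is still reported; only the no-user form with trailing whitespace gains coverage, which is the case the report describes. The neighbouring `Failed ...` and `I(llegal|nvalid) user ...` rules in the same hunk keep a strict `$` after their last field; if sshd emits the same trailing whitespace on those lines, they will need the same treatment.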
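As an added example (not part of Tim's report or of the logcheck-database package), the script below runs the shipped and the patched rhost= rule with GNU grep -E, which is what logcheck applies its rules with, over constructed sshd log lines and shows which lines each rule would make logcheck drop. The hostname, the 192.0.2.10 address and the user alice are made up for the sample lines; the third rule, spelling the patched tail as `[[:space:]]*`, is a hypothetical alternative included for comparison with the patch's `([[:space:]]+)?`.

```sh
#!/bin/sh
# Added example, not part of the bug report or the logcheck-database package:
# apply the shipped (OLD) and patched (NEW) rhost= rule from
# /etc/logcheck/violations.ignore.d/logcheck-ssh to constructed sshd lines
# with GNU grep -E, the engine logcheck (egrep) uses for these files.
# Every log line below is constructed for this example, not captured from a host.

# Common head of the rule, copied from the patch hunk.
HEAD='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= '

OLD_RULE="${HEAD}rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?\$"   # as shipped
NEW_RULE="${HEAD}rhost=[^[:space:]]+([[:space:]]+)?(user=[^[:space:]]+)?\$"  # as patched
# Hypothetical shorter spelling of the patched tail, for comparison only.
ALT_RULE="${HEAD}rhost=[^[:space:]]+[[:space:]]*(user=[^[:space:]]+)?\$"

# Constructed log lines. SP is a single space built via printf so that the
# trailing whitespace is visible in the source instead of hiding at a line end.
SP=$(printf ' ')
BASE='Oct 31 12:39:03 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10'
PLAIN="$BASE"                       # no user= field, no trailing space
TRAILING="${BASE}${SP}"             # no user= field, trailing space: the reported case
WITH_USER="${BASE}${SP}user=alice"  # user= form, filtered even before the patch
USER_TRAILING="${WITH_USER}${SP}"   # user= form followed by a trailing space
EXTRA="${WITH_USER}${SP}extra"      # trailing junk after user= must still be reported

# is_ignored RULE LINE: exit 0 when the rule would make logcheck drop the line.
is_ignored() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# verdict RULE LINE: "ignored" or "reported", for the table below.
verdict() {
    if is_ignored "$1" "$2"; then echo ignored; else echo reported; fi
}

# show LABEL LINE: one row comparing the three rules on a single line.
show() {
    printf '%-14s old=%-9s new=%-9s alt=%s\n' "$1" \
        "$(verdict "$OLD_RULE" "$2")" \
        "$(verdict "$NEW_RULE" "$2")" \
        "$(verdict "$ALT_RULE" "$2")"
}

show PLAIN         "$PLAIN"
show TRAILING      "$TRAILING"
show WITH_USER     "$WITH_USER"
show USER_TRAILING "$USER_TRAILING"
show EXTRA         "$EXTRA"
```

Only the TRAILING row changes between the old and the new rule: the shipped rule reports it, the patched one ignores it. USER_TRAILING and EXTRA stay reported under all three rules because the `$` anchor still rejects anything after the user= value, and the `[[:space:]]*` spelling agrees with the patched rule on every row.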