Bug 227805

Summary: New sshd logs not processed correctly
Product: Red Hat Enterprise Linux 4
Reporter: Jose Plans <jplans>
Component: logwatch
Assignee: Ivana Varekova <varekova>
Status: CLOSED ERRATA
Severity: low
Priority: medium
Version: 4.4
CC: djk, john.robinson, narora, pepper, tao
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0750
Doc Type: Bug Fix
Last Closed: 2008-07-24 20:01:23 UTC
Bug Depends On: 139606
Attachments:
  proposed patch for 5.2.2
  Extended patch

Description Jose Plans 2007-02-08 10:49:47 UTC
+++ This bug was initially created as a clone of Bug #139606 +++

Description of problem:
FC3 uses openssh-3.9p1-7.  The logs are in a slightly different
format, so some messages are lumped into **Unmatched Entries**

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
1.  Run logwatch against openssh-3.9p1-7 that contains Invalid user
and Failed password lines

Actual Results:
   **Unmatched Entries**
Invalid user test from ::ffff:220.70.167.67
Failed password for invalid user test from ::ffff:220.70.167.67 port
33205 ssh2
Invalid user guest from ::ffff:220.70.167.67
Failed password for invalid user guest from ::ffff:220.70.167.67 port
33490 ssh2

Expected Results:
Illegal users from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

Failed logins from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

-- Additional comment from djk.au on 2005-05-20 20:46 EST --
It looks like this should be fixed in logwatch 6.0.1 shipped with FC4 test3.
(I have the same problem with FC3, and get logs of unmatched entries.)

-- Additional comment from varekova on 2005-06-24 07:12 EST --
This problem is fixed in the current release.

Comment 2 John Robinson 2007-02-13 13:15:45 UTC
Unfortunately it's not fixed in RHEL4 which still has logwatch 5.2.2.

I'm not sure but it may only have become a problem since openssh has been
updated by https://rhn.redhat.com/errata/RHSA-2006-0738.html or
https://rhn.redhat.com/errata/RHSA-2006-0697.html or a similar previous update;
I have a system with openssh 3.9p1-8.RHEL4.15 which does not appear to exhibit
this issue. I may be wrong though.

Comment 3 Jose Plans 2007-03-02 11:28:34 UTC
Created attachment 149103 [details]
proposed patch for 5.2.2

Comment 4 John Robinson 2007-03-02 12:29:15 UTC
That looks like a good start, but here's a sample of my logs:

Invalid user thisisnotyourexploit from ::ffff:219.224.99.234
input_userauth_request: invalid user thisisnotyourexploit
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234
port 17487 ssh2
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234
port 17487 ssh2
Invalid user 2qjj4toi from ::ffff:219.224.99.234
input_userauth_request: invalid user 2qjj4toi
Failed password for invalid user 2qjj4toi from ::ffff:219.224.99.234 port 20660 ssh2

and logwatch reports all of these as unmatched, I think perhaps
s/illegal/invalid/ in the next few lines after the above patch and this may be
licked :-)

Comment 5 John Robinson 2007-04-19 10:35:23 UTC
Created attachment 152989 [details]
Extended patch

It's been working for me since my previous message

Comment 10 Ivana Varekova 2007-10-26 09:17:52 UTC
*** Bug 204110 has been marked as a duplicate of this bug. ***

Comment 12 RHEL Program Management 2008-01-31 08:26:14 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 15 Chris Pepper 2008-03-23 05:30:59 UTC
I get way too many of these unmatched triplets in 5.1; updating to scripts/services/sshd from http://www2.logwatch.org:81/ cleared them up as a workaround:

Failed password for invalid user box from ::ffff:219.94.147.174 port 56608 ssh2
Invalid user ns from ::ffff:219.94.147.174
input_userauth_request: invalid user ns
Failed password for invalid user ns from ::ffff:219.94.147.174 port 56938 ssh2
Invalid user nameserver from ::ffff:219.94.147.174
input_userauth_request: invalid user nameserver
Failed password for invalid user nameserver from ::ffff:219.94.147.174 port 57287 ssh2
Invalid user hosting from ::ffff:219.94.147.174
input_userauth_request: invalid user hosting
Comment 16 Chris Pepper 2008-03-23 05:34:02 UTC
Sorry, the snippet for #15 was from RHEL4. The (single) recurring error line from 5.1 which was fixed with
the CVS HEAD is:

pam_succeed_if(sshd:auth): error retrieving information about user wolfgang : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rpargas : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user festival : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lebedev : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user concha : 1 time(s)
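The message forms that fall into **Unmatched Entries** in this report (the "Invalid user" / "Failed password for invalid user" lines from the description and comment 4, the "input_userauth_request" echo line, and the pam_succeed_if line from comment 16) can be checked against a small matcher. The following is an added example, not the logwatch sshd script or either attached patch; it accepts both the "Illegal" and "Invalid" spellings as comment 4 suggests, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Message forms quoted in this bug. Both the older "Illegal user" and the
# newer "Invalid user" spelling are accepted (the s/illegal/invalid/ change
# comment 4 asks for); addresses may carry the ::ffff: IPv4-mapped prefix.
USER_PROBE = re.compile(r"^(?:Illegal|Invalid) user (\S+) from (\S+)$")
FAILED_AUTH = re.compile(
    r"^Failed (\S+) for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+ ssh2$")
USERAUTH_REQ = re.compile(r"^input_userauth_request: (?:illegal|invalid) user \S+$")
PAM_UNKNOWN = re.compile(
    r"^pam_succeed_if\(sshd:auth\): error retrieving information about user (\S+)$")

def summarize(lines):
    """Bucket raw sshd syslog messages the way the Expected Results section does."""
    report = {"illegal": Counter(), "failed": Counter(),
              "pam_unknown": Counter(), "unmatched": []}
    for line in (l.strip() for l in lines if l.strip()):
        if m := USER_PROBE.match(line):
            report["illegal"][f"{m[1]} from {m[2]}"] += 1
        elif m := FAILED_AUTH.match(line):
            report["failed"][f"{m[2]}/{m[1]} from {m[3]}"] += 1
        elif USERAUTH_REQ.match(line):
            continue  # echoes the preceding "Invalid user" line; not counted twice
        elif m := PAM_UNKNOWN.match(line):
            report["pam_unknown"][m[1]] += 1
        else:
            report["unmatched"].append(line)  # would show up as an unmatched entry
    return report

# Constructed sample in the shape quoted in the bug (RFC 5737 test addresses).
SAMPLE = """\
Invalid user test from ::ffff:192.0.2.10
input_userauth_request: invalid user test
Failed password for invalid user test from ::ffff:192.0.2.10 port 33205 ssh2
Failed password for invalid user test from ::ffff:192.0.2.10 port 33206 ssh2
Illegal user guest from ::ffff:192.0.2.10
Failed password for illegal user guest from ::ffff:192.0.2.10 port 33490 ssh2
pam_succeed_if(sshd:auth): error retrieving information about user wolfgang
Accepted publickey for alice from 192.0.2.20 port 50000 ssh2
"""

if __name__ == "__main__":
    for section, entries in summarize(SAMPLE.splitlines()).items():
        print(section, dict(entries) if isinstance(entries, Counter) else entries)
```

Running it shows the "test" and "guest" probes counted once each, the two failed "test" attempts counted together, and only the unrelated "Accepted publickey" line left unmatched.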
Comment 19 errata-xmlrpc 2008-07-24 20:01:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0750.html