Bug 227805
Summary: | New sshd logs not processed correctly | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Jose Plans <jplans> | ||||||
Component: | logwatch | Assignee: | Ivana Varekova <varekova> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | low | Docs Contact: | |||||||
Priority: | medium | ||||||||
Version: | 4.4 | CC: | djk, john.robinson, narora, pepper, tao | ||||||
Target Milestone: | --- | ||||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | RHBA-2008-0750 | Doc Type: | Bug Fix | ||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2008-07-24 20:01:23 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 139606 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Jose Plans
2007-02-08 10:49:47 UTC
Unfortunately it's not fixed in RHEL4 which still has logwatch 5.2.2. I'm not sure but it may only have become a problem since openssh has been updated by https://rhn.redhat.com/errata/RHSA-2006-0738.html or https://rhn.redhat.com/errata/RHSA-2006-0697.html or a similar previous update; I have a system with openssh 3.9p1-8.RHEL4.15 which does not appear to exhibit this issue. I may be wrong though. Created attachment 149103 [details]
proposed patch for 5.2.2
That looks like a good start, but here's a sample of my logs: Invalid user thisisnotyourexploit from ::ffff:219.224.99.234 input_userauth_request: invalid user thisisnotyourexploit Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2 Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2 Invalid user 2qjj4toi from ::ffff:219.224.99.234 input_userauth_request: invalid user 2qjj4toi Failed password for invalid user 2qjj4toi from ::ffff:219.224.99.234 port 20660 ssh2 and logwatch reports all of these as unmatched, I think perhaps s/illegal/invalid/ in the next few lines after the above patch and this may be licked :-) Created attachment 152989 [details]
Extended patch
It's been working for me since my previous message
*** Bug 204110 has been marked as a duplicate of this bug. *** This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. I get way to many of these unmatched triplets in 5.1; updating to scripts/services/sshd from http://www2.logwatch.org:81/ cleared them up as a workaround: Failed password for invalid user box from ::ffff:219.94.147.174 port 56608 ssh2 Invalid user ns from ::ffff:219.94.147.174 input_userauth_request: invalid user ns Failed password for invalid user ns from ::ffff:219.94.147.174 port 56938 ssh2 Invalid user nameserver from ::ffff:219.94.147.174 input_userauth_request: invalid user nameserver Failed password for invalid user nameserver from ::ffff:219.94.147.174 port 57287 ssh2 Invalid user hosting from ::ffff:219.94.147.174 input_userauth_request: invalid user hosting Sorry, the snippet for #15 was from RHEL4. The (single) recurring error line from 5.1 which was fixed with the CVS HEAD is: pam_succeed_if(sshd:auth): error retrieving information about user wolfgang : 1 time(s) pam_succeed_if(sshd:auth): error retrieving information about user rpargas : 1 time(s) pam_succeed_if(sshd:auth): error retrieving information about user festival : 1 time(s) pam_succeed_if(sshd:auth): error retrieving information about user lebedev : 1 time(s) pam_succeed_if(sshd:auth): error retrieving information about user concha : 1 time(s) An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0750.html |