Bug 783528
Summary: | reporting "undef" source for ssh illegal users
---|---
Product: | [Fedora] Fedora
Component: | logwatch
Version: | 15
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | long
Assignee: | Jan Synacek <jsynacek>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | frank, jsynacek, kklic, plautrba, richardfearn, varekova
Fixed In Version: | logwatch-7.4.0-12.20120229svn100.fc16
Doc Type: | Bug Fix
Last Closed: | 2012-05-19 06:59:12 UTC

Description
long
2012-01-20 18:02:12 UTC
This still occurs in Fedora 16 as well. The cause is the match to the line:

    input_userauth_request: invalid user cisco

In the output you should see both:

    Illegal users from:
       undef: 5 times
       10.132.4.251: 5 times

which are reporting the same user but two different messages by sshd.

Created attachment 568280
Logwatch sshd patch
Sshd patch against logwatch packaged in F16.

Frank, could you please take a look at the patch if it makes sense to fix it like that?

Jan, I'm not sure that the lines always occur sequentially in the log file. If they don't, then $host may not relate to that particular message. My opinion is that we should just suppress the additional message, but again, I'm not sure if there is an issue in older versions of ssh, which may not have generated the full message.

Message "Invalid user %.100s from %.100s" is always followed by the "input_userauth_request: invalid user %s" message, but not vice versa. It should be enough to count the number of messages "Invalid user ..." and "input_userauth_request: invalid user...". If the numbers differ, then the difference will be marked as "undef from".

Created attachment 580744
Logwatch sshd patch
Another try to patch this.
This patch should be behaving correctly in all possibilities.
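
The counting approach proposed in the comments above, as an added example in Python (it is not logwatch's Perl code and not either attached patch). The log lines are constructed, and `count_sources` and its `pair_messages` flag are hypothetical names; with the flag off it reproduces the double reporting from this bug.

```python
import re
from collections import Counter

# Constructed sshd syslog lines; PIDs are interleaved on purpose to show that
# the result does not depend on the two messages being adjacent in the file.
SAMPLE_LOG = """\
Jan 20 10:00:01 host sshd[2101]: Invalid user cisco from 10.132.4.251
Jan 20 10:00:01 host sshd[2102]: Invalid user admin from 192.0.2.7
Jan 20 10:00:01 host sshd[2101]: input_userauth_request: invalid user cisco
Jan 20 10:00:02 host sshd[2102]: input_userauth_request: invalid user admin
Jan 20 10:00:05 host sshd[2103]: Invalid user cisco from 10.132.4.251
Jan 20 10:00:05 host sshd[2103]: input_userauth_request: invalid user cisco
Jan 20 10:00:09 host sshd[2104]: input_userauth_request: invalid user test
Jan 20 10:00:12 host sshd[2105]: Accepted publickey for alice from 192.0.2.20
"""

# The user name is attacker-controlled, so match it greedily and take the host
# from the last " from " on the line. Newer OpenSSH appends "port N".
INVALID_FROM = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?$")
INPUT_REQ = re.compile(r"sshd\[\d+\]: input_userauth_request: invalid user ")


def count_sources(lines, pair_messages=True):
    """Return {source: attempts} for invalid-user login attempts.

    pair_messages=True : every "Invalid user ... from HOST" line is assumed to
        have its own input_userauth_request line, so only the surplus of
        host-less lines is reported under "undef".
    pair_messages=False: every host-less line is counted as "undef", which
        reports the same attempt twice.
    """
    per_host = Counter()
    with_host = without_host = 0
    for line in lines:
        match = INVALID_FROM.search(line)
        if match:
            per_host[match.group(1)] += 1
            with_host += 1
        elif INPUT_REQ.search(line):
            without_host += 1
    undef = without_host - with_host if pair_messages else without_host
    if undef > 0:
        per_host["undef"] = undef
    return dict(per_host)


if __name__ == "__main__":
    print("double-counted:", count_sources(SAMPLE_LOG.splitlines(), pair_messages=False))
    print("paired:        ", count_sources(SAMPLE_LOG.splitlines()))
```
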

logwatch-7.4.0-11.20120229svn100.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/logwatch-7.4.0-11.20120229svn100.fc17

logwatch-7.4.0-12.20120229svn100.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/logwatch-7.4.0-12.20120229svn100.fc16

Package logwatch-7.4.0-12.20120229svn100.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing logwatch-7.4.0-12.20120229svn100.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7541/logwatch-7.4.0-12.20120229svn100.fc16
then log in and leave karma (feedback).

logwatch-7.4.0-12.20120229svn100.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

logwatch-7.4.0-11.20120229svn100.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.