Bug 161969 - Some "incorrect password" entries not matched in the SSHD module
Some "incorrect password" entries not matched in the SSHD module
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: logwatch (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ivana Varekova
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-28 15:43 EDT by Dean Earley
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-29 10:31:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Rule correction (508 bytes, patch)
2005-06-28 15:46 EDT, Dean Earley
no flags Details | Diff

  None (edit)
Description Dean Earley 2005-06-28 15:43:43 EDT
Description of problem:
The rule for "failed login" in the ssh section does not match all entries.
This seems to be a side affect of the fix for 139606

Version-Release number of selected component (if applicable):
logwatch-6.0.1-2

How reproducible:
Always

Actual results:
 Failed logins from these:
    admin/password from ::ffff:212.12.131.2: 2 Time(s)
    guest/password from ::ffff:212.12.131.2: 2 Time(s)
    info/password from ::ffff:212.12.131.2: 1 Time(s)

 **Unmatched Entries**
 Failed password for root from ::ffff:212.12.131.2 port 44602 ssh2
 Failed password for mysql from ::ffff:212.12.131.2 port 45302 ssh2
 Failed password for ftp from ::ffff:212.12.131.2 port 54963 ssh2
 Failed password for root from ::ffff:212.12.131.2 port 55265 ssh2
(Some lines snipped)

Expected results:
Failed logins from these:
    admin/password from ::ffff:212.12.131.2: 2 Time(s)
    apache/password from ::ffff:212.12.131.2: 1 Time(s)
    ftp/password from ::ffff:212.12.131.2: 1 Time(s)
    mysql/password from ::ffff:212.12.131.2: 1 Time(s)
    root/password from ::ffff:212.12.131.2: 4 Time(s)
(Some lines snipped)

Additional info:
This patch fixes the rule:

--- ../../scripts.bak/services/sshd     2005-05-19 15:12:12.000000000 +0100
+++ sshd        2005-06-28 20:21:18.000000000 +0100
@@ -112,7 +112,7 @@
       } else {
          $Users{$2}{$3}{"(all)"}++;
       }
-   } elsif ( $ThisLine =~ m/^Failed (\S+) for (invalid user )(\S+) from ([^ ]
+) port (\d+)/ ) { #openssh
+   } elsif ( $ThisLine =~ m/^Failed (\S+) for (invalid user )?(\S+) from ([^ ]
+) port (\d+)/ ) { #openssh
       if ( $Debug >= 5 ) {
          print STDERR "DEBUG: Found -Failed login- line\n";
       }
Comment 1 Dean Earley 2005-06-28 15:46:20 EDT
Created attachment 116082 [details]
Rule correction
Comment 2 Ivana Varekova 2005-06-29 10:31:38 EDT
This bug is fixed in the last version (logwatch-6.1.2-2).


Note You need to log in before you can comment on or make changes to this bug.