Description of problem:
If /var/log/secure has entries as follows:
=================
Aug 21 22:46:39 host1 sshd[16318]: Postponed publickey for root from ::ffff:a.b.c.d port 35647 ssh2
Aug 21 22:47:37 host1 sshd[16318]: Postponed password for userbob from ::ffff:a.b.c.d port 35657 ssh2
=================
then logwatch reports them as:
=================
illegal users from these:
   root/publickey: 1 Time(s)
   userbob/password: 1 Time(s)

Postponed authentication:
   root/publickey: ::ffff:a.b.c.d: 1 Time(s)
   userbob/password: ::ffff:a.b.c.d: 1 Time(s)
=================

The "illegal users" lines above are a bug. Note also that these lines lack the remote host from which it is reporting the illegal user. The "Postponed authentication" lines above are what is expected.

This bug has been triggered by illegal postponed messages in /var/log/secure (see bug #203671).

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1.EL4.1

How reproducible:
Always

Steps to Reproduce:
1. Install logwatch-5.2.2-1.EL4.1 and openssh version 3.9p1-8.RHEL4.15 on hostA
2. Log in as root from a remote host to hostA, or manually add a "Postponed" entry to /var/log/secure
3. Run logwatch report

Actual results:
Logwatch reports Illegal users, in addition to Postponed authentication

Expected results:
"Postponed" messages should be reported as such, not as illegal users.

Additional info:
This bug is easy to fix/test.
*** This bug has been marked as a duplicate of 227805 ***
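
A regression check for the expected behaviour described in this report, added here as an example; it is not logwatch code and not part of the original report. It matches "Postponed" lines before any illegal-user pattern and keeps the remote host on both kinds of entry. The third sample line and the "Illegal user NAME from HOST" message form are assumptions made for contrast.

```python
import re
from collections import Counter

# The two "Postponed" lines are the ones quoted in the report; the third
# line is constructed for contrast (its message form is an assumption).
SAMPLE_LOG = """\
Aug 21 22:46:39 host1 sshd[16318]: Postponed publickey for root from ::ffff:a.b.c.d port 35647 ssh2
Aug 21 22:47:37 host1 sshd[16318]: Postponed password for userbob from ::ffff:a.b.c.d port 35657 ssh2
Aug 21 22:48:02 host1 sshd[16320]: Illegal user mallory from ::ffff:a.b.c.d
"""

SSHD = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: (?P<msg>.*)$")
POSTPONED = re.compile(
    r"^Postponed (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+) port \d+")
ILLEGAL = re.compile(r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<host>\S+)")

def summarize(log_text):
    """Count sshd messages per category; a line lands in exactly one bucket."""
    postponed, illegal, unmatched = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = SSHD.match(line)
        if not m:
            continue  # not an sshd syslog line
        msg = m.group("msg")
        p = POSTPONED.match(msg)
        if p:
            # Handled first, so it can never fall through to the illegal-user rule.
            postponed[(f"{p['user']}/{p['method']}", p["host"])] += 1
            continue
        i = ILLEGAL.match(msg)
        if i:
            illegal[(i["user"], i["host"])] += 1
            continue
        unmatched.append(msg)  # surfaced rather than guessed at
    return postponed, illegal, unmatched

def render(postponed, illegal):
    """Format the counts in the layout shown in the report, host included."""
    out = []
    for title, counts in (("Illegal users from these:", illegal),
                          ("Postponed authentication:", postponed)):
        if counts:
            out.append(title)
            out += [f"   {k}: {h}: {n} Time(s)"
                    for (k, h), n in sorted(counts.items())]
    return "\n".join(out)

if __name__ == "__main__":
    postponed, illegal, _ = summarize(SAMPLE_LOG)
    print(render(postponed, illegal))
```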