Bug 227805 - New sshd logs not processed correctly
Summary: New sshd logs not processed correctly
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: logwatch
Version: 4.4
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Ivana Varekova
QA Contact:
URL:
Whiteboard:
Keywords:
Duplicates: 204110
Depends On: 139606
Blocks:
Reported: 2007-02-08 10:49 UTC by Jose Plans
Modified: 2018-10-19 21:07 UTC (History)

Clone Of:
Last Closed: 2008-07-24 20:01:23 UTC


Attachments
proposed patch for 5.2.2 (582 bytes, patch), 2007-03-02 11:28 UTC, Jose Plans
Extended patch (1.24 KB, patch), 2007-04-19 10:35 UTC, John Robinson


External Trackers
Red Hat Product Errata RHBA-2008:0750 (priority normal, status SHIPPED_LIVE): logwatch bug fix and enhancement update, last updated 2008-07-23 16:49:48 UTC

Description Jose Plans 2007-02-08 10:49:47 UTC
+++ This bug was initially created as a clone of Bug #139606 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3)
Gecko/20040913 Firefox/0.10.1

Description of problem:
FC3 uses openssh-3.9p1-7.  The logs are in a slightly different
format, so some messages are lumped into **Unmatched Entries**

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
1.  Run logwatch against openssh-3.9p1-7 that contains Invalid user
and Failed password lines

Actual Results:
   **Unmatched Entries**
Invalid user test from ::ffff:220.70.167.67
Failed password for invalid user test from ::ffff:220.70.167.67 port 33205 ssh2
Invalid user guest from ::ffff:220.70.167.67
Failed password for invalid user guest from ::ffff:220.70.167.67 port 33490 ssh2

Expected Results:
Illegal users from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

Failed logins from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

-- Additional comment from djk@cyber.com.au on 2005-05-20 20:46 EST --
It looks like this should be fixed in logwatch 6.0.1 shipped with FC4 test3.
(I have the same problem with FC3, and get logs of unmatched entries.)

-- Additional comment from varekova@redhat.com on 2005-06-24 07:12 EST --
This problem is fixed in the current release.

Comment 2 John Robinson 2007-02-13 13:15:45 UTC
Unfortunately it's not fixed in RHEL4 which still has logwatch 5.2.2.

I'm not sure but it may only have become a problem since openssh has been
updated by https://rhn.redhat.com/errata/RHSA-2006-0738.html or
https://rhn.redhat.com/errata/RHSA-2006-0697.html or a similar previous update;
I have a system with openssh 3.9p1-8.RHEL4.15 which does not appear to exhibit
this issue. I may be wrong though.

Comment 3 Jose Plans 2007-03-02 11:28:34 UTC
Created attachment 149103 [details]
proposed patch for 5.2.2

Comment 4 John Robinson 2007-03-02 12:29:15 UTC
That looks like a good start, but here's a sample of my logs:

Invalid user thisisnotyourexploit from ::ffff:219.224.99.234
input_userauth_request: invalid user thisisnotyourexploit
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234 port 17487 ssh2
Invalid user 2qjj4toi from ::ffff:219.224.99.234
input_userauth_request: invalid user 2qjj4toi
Failed password for invalid user 2qjj4toi from ::ffff:219.224.99.234 port 20660 ssh2

and logwatch reports all of these as unmatched. I think perhaps
s/illegal/invalid/ in the next few lines after the above patch and this may be
licked :-)
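
The matching this thread is about, as an added example (not logwatch's own Perl sshd filter): a small Python filter that accepts both the old "illegal user" and the openssh-3.9 "invalid user" wording and buckets lines into the "Illegal users" / "Failed logins" counters shown in the expected results, leaving anything no pattern covers in **Unmatched Entries**. The sample lines are constructed from the ones quoted in the description and in comment 4; treating the "Failed password" line as the one that carries the user/method detail is an assumption drawn from the expected-results block.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in this report (syslog prefix
# assumed already stripped, as logwatch does before its per-service filter runs).
SAMPLE_LOG = """\
Invalid user test from ::ffff:220.70.167.67
input_userauth_request: invalid user test
Failed password for invalid user test from ::ffff:220.70.167.67 port 33205 ssh2
Invalid user guest from ::ffff:220.70.167.67
Failed password for invalid user guest from ::ffff:220.70.167.67 port 33490 ssh2
Failed password for illegal user admin from 10.0.0.5 port 4000 ssh2
Did not receive identification string from 10.0.0.7
"""

# Accept both the old "illegal user" and the openssh-3.9 "invalid user" wording;
# matching only the former is what left the newer lines in **Unmatched Entries**.
SUPPRESSED = re.compile(r"^(?:(?:Invalid|Illegal) user \S+ from \S+"
                        r"|input_userauth_request: (?:invalid|illegal) user \S+)$")
FAILED_AUTH = re.compile(r"^Failed (?P<method>\S+) for (?P<bad>(?:invalid|illegal) user )?"
                         r"(?P<user>\S+) from (?P<host>\S+) port \d+ ssh2$")

def summarize_sshd(lines):
    # Bucket lines into the counters the report's expected output shows.
    illegal, failed, unmatched = Counter(), Counter(), []
    for line in (raw.strip() for raw in lines):
        if SUPPRESSED.match(line):
            continue  # matched but not reported: the Failed line carries the detail
        m = FAILED_AUTH.match(line)
        if m:
            key = f"{m['user']}/{m['method']} from {m['host']}"
            failed[key] += 1
            if m["bad"]:  # nonexistent account, so also an "illegal user"
                illegal[key] += 1
        elif line:
            unmatched.append(line)  # anything no pattern covers is shown verbatim
    return {"illegal": illegal, "failed": failed, "unmatched": unmatched}

def render(summary):
    # Emit logwatch's "user/method from host: N Time(s)" report layout.
    out = []
    for title, bucket in (("Illegal users from these:", summary["illegal"]),
                          ("Failed logins from these:", summary["failed"])):
        if bucket:
            out += [title, *(f"   {k}: {n} Time(s)" for k, n in bucket.items()), ""]
    if summary["unmatched"]:
        out += ["   **Unmatched Entries**", *summary["unmatched"]]
    return "\n".join(out)
```

Calling `render(summarize_sshd(SAMPLE_LOG.splitlines()))` reproduces the expected-results layout for the two users from the description and reports only the constructed "Did not receive identification string" line as unmatched.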

Comment 5 John Robinson 2007-04-19 10:35:23 UTC
Created attachment 152989 [details]
Extended patch

It's been working for me since my previous message.

Comment 10 Ivana Varekova 2007-10-26 09:17:52 UTC
*** Bug 204110 has been marked as a duplicate of this bug. ***

Comment 12 RHEL Product and Program Management 2008-01-31 08:26:14 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 15 Chris Pepper 2008-03-23 05:30:59 UTC
I get way too many of these unmatched triplets in 5.1; updating scripts/services/sshd from http://www2.logwatch.org:81/ cleared them up as a workaround:

Failed password for invalid user box from ::ffff:219.94.147.174 port 56608 ssh2
Invalid user ns from ::ffff:219.94.147.174
input_userauth_request: invalid user ns
Failed password for invalid user ns from ::ffff:219.94.147.174 port 56938 ssh2
Invalid user nameserver from ::ffff:219.94.147.174
input_userauth_request: invalid user nameserver
Failed password for invalid user nameserver from ::ffff:219.94.147.174 port 57287 ssh2
Invalid user hosting from ::ffff:219.94.147.174
input_userauth_request: invalid user hosting

Comment 16 Chris Pepper 2008-03-23 05:34:02 UTC
Sorry, the snippet for #15 was from RHEL4. The (single) recurring error line from 5.1 which was fixed with
the CVS HEAD is:

pam_succeed_if(sshd:auth): error retrieving information about user wolfgang : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rpargas : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user festival : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lebedev : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user concha : 1 time(s)

Comment 19 errata-xmlrpc 2008-07-24 20:01:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0750.html
