Bug 227805 - New sshd logs not processed correctly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: logwatch
Version: 4.4
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Ivana Varekova
Duplicates: 204110
Depends On: 139606
Reported: 2007-02-08 05:49 EST by Jose Plans
Modified: 2010-10-22 08:54 EDT (History)

Fixed In Version: RHBA-2008-0750
Doc Type: Bug Fix
Last Closed: 2008-07-24 16:01:23 EDT

Attachments
proposed patch for 5.2.2 (582 bytes, patch), 2007-03-02 06:28 EST, Jose Plans
Extended patch (1.24 KB, patch), 2007-04-19 06:35 EDT, John Robinson

Description Jose Plans 2007-02-08 05:49:47 EST
+++ This bug was initially created as a clone of Bug #139606 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3)
Gecko/20040913 Firefox/0.10.1

Description of problem:
FC3 uses openssh-3.9p1-7.  The logs are in a slightly different
format, so some messages are lumped into **Unmatched Entries**

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
1.  Run logwatch against openssh-3.9p1-7 that contains Invalid user
and Failed password lines

    
Actual Results:
   **Unmatched Entries**
Invalid user test from ::ffff:220.70.167.67
Failed password for invalid user test from ::ffff:220.70.167.67 port
33205 ssh2
Invalid user guest from ::ffff:220.70.167.67
Failed password for invalid user guest from ::ffff:220.70.167.67 port
33490 ssh2

Expected Results:
Illegal users from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

Failed logins from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

-- Additional comment from djk@cyber.com.au on 2005-05-20 20:46 EST --
It looks like this should be fixed in logwatch 6.0.1 shipped with FC4 test3.
(I have the same problem with FC3, and get logs of unmatched entries.)

-- Additional comment from varekova@redhat.com on 2005-06-24 07:12 EST --
This problem is fixed in the current release.
Comment 2 John Robinson 2007-02-13 08:15:45 EST
Unfortunately it's not fixed in RHEL4 which still has logwatch 5.2.2.

I'm not sure but it may only have become a problem since openssh has been
updated by https://rhn.redhat.com/errata/RHSA-2006-0738.html or
https://rhn.redhat.com/errata/RHSA-2006-0697.html or a similar previous update;
I have a system with openssh 3.9p1-8.RHEL4.15 which does not appear to exhibit
this issue. I may be wrong though.
Comment 3 Jose Plans 2007-03-02 06:28:34 EST
Created attachment 149103 [details]
proposed patch for 5.2.2
Comment 4 John Robinson 2007-03-02 07:29:15 EST
That looks like a good start, but here's a sample of my logs:

Invalid user thisisnotyourexploit from ::ffff:219.224.99.234
input_userauth_request: invalid user thisisnotyourexploit
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234
port 17487 ssh2
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234
port 17487 ssh2
Invalid user 2qjj4toi from ::ffff:219.224.99.234
input_userauth_request: invalid user 2qjj4toi
Failed password for invalid user 2qjj4toi from ::ffff:219.224.99.234 port 20660 ssh2

and logwatch reports all of these as unmatched. I think perhaps
s/illegal/invalid/ in the next few lines after the above patch, and this may be
licked :-)
Comment 5 John Robinson 2007-04-19 06:35:23 EDT
Created attachment 152989 [details]
Extended patch

It's been working for me since my previous message.
Comment 10 Ivana Varekova 2007-10-26 05:17:52 EDT
*** Bug 204110 has been marked as a duplicate of this bug. ***
Comment 12 RHEL Product and Program Management 2008-01-31 03:26:14 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 15 Chris Pepper 2008-03-23 01:30:59 EDT
I get way too many of these unmatched triplets in 5.1; updating to scripts/services/sshd from http://www2.logwatch.org:81/ cleared them up as a workaround:

Failed password for invalid user box from ::ffff:219.94.147.174 port 56608 ssh2
Invalid user ns from ::ffff:219.94.147.174
input_userauth_request: invalid user ns
Failed password for invalid user ns from ::ffff:219.94.147.174 port 56938 ssh2
Invalid user nameserver from ::ffff:219.94.147.174
input_userauth_request: invalid user nameserver
Failed password for invalid user nameserver from ::ffff:219.94.147.174 port 57287 ssh2
Invalid user hosting from ::ffff:219.94.147.174
input_userauth_request: invalid user hosting

Comment 16 Chris Pepper 2008-03-23 01:34:02 EDT
Sorry, the snippet for #15 was from RHEL4. The (single) recurring error line from 5.1 which was fixed with
the CVS HEAD is:

pam_succeed_if(sshd:auth): error retrieving information about user wolfgang : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rpargas : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user festival : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lebedev : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user concha : 1 time(s)

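The message formats quoted in the description, in comment 4 and in comment 16 all come from the same sshd authentication path, and one small set of patterns catches every one of them. What follows is an added example written for this page in Python; it is not logwatch's own scripts/services/sshd (which is Perl) and not either of the attached patches. It accepts both the older "Illegal user" wording and the "Invalid user" wording that comment 4's s/illegal/invalid/ refers to, strips the syslog prefix a raw /var/log/secure line carries, folds the "input_userauth_request" line (which only repeats the user named on the preceding "Invalid user" line), and collapses the IPv4-mapped "::ffff:" prefix so the same client is not counted as two sources. The sample log is constructed: its hostnames, PIDs and the "Received disconnect" line are invented, and putting pam_succeed_if lookups in their own bucket is this example's choice, not logwatch's output format.

```python
"""Added example (not logwatch's scripts/services/sshd): classify the sshd
messages quoted in this bug so they are summarised instead of landing in
**Unmatched Entries**.  The sample log below is constructed; hostnames,
PIDs and the final "Received disconnect" line are invented."""
import re
from collections import Counter

# Constructed sample input modelled on the lines quoted in the bug report.
SAMPLE_LOG = """\
Feb  8 05:49:01 host1 sshd[4101]: Invalid user test from ::ffff:220.70.167.67
Feb  8 05:49:01 host1 sshd[4101]: input_userauth_request: invalid user test
Feb  8 05:49:03 host1 sshd[4101]: Failed password for invalid user test from ::ffff:220.70.167.67 port 33205 ssh2
Feb  8 05:49:03 host1 sshd[4101]: Failed password for invalid user test from ::ffff:220.70.167.67 port 33205 ssh2
Feb  8 05:49:05 host1 sshd[4107]: Invalid user guest from ::ffff:220.70.167.67
Feb  8 05:49:05 host1 sshd[4107]: input_userauth_request: invalid user guest
Feb  8 05:49:07 host1 sshd[4107]: Failed password for invalid user guest from ::ffff:220.70.167.67 port 33490 ssh2
Feb  8 05:50:12 host1 sshd[4120]: Illegal user admin from 220.70.167.67
Feb  8 05:50:14 host1 sshd[4120]: Failed password for illegal user admin from 220.70.167.67 port 40011 ssh2
Feb  8 05:51:30 host1 sshd[4133]: Failed password for root from 10.0.0.9 port 50122 ssh2
Feb  8 05:52:02 host1 sshd[4140]: pam_succeed_if(sshd:auth): error retrieving information about user wolfgang
Feb  8 05:52:40 host1 sshd[4151]: Received disconnect from 10.0.0.9: 11: Bye Bye
"""

# "Mon DD HH:MM:SS host sshd[pid]: " as written by syslog; logwatch strips
# this before its service script sees the line, so we do the same.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ")
# "Illegal user" is the pre-3.9 wording, "Invalid user" the 3.9 wording.
INVALID_USER = re.compile(r"^(?:Invalid|Illegal) user (\S+) from (\S+)$")
# Group 1 is present only when the user does not exist on the host.
FAILED_PASSWORD = re.compile(
    r"^Failed password for ((?:invalid|illegal) user )?(\S+) from (\S+) port \d+ ssh\d?$")
USERAUTH_REQUEST = re.compile(r"^input_userauth_request: invalid user (\S+)$")
PAM_LOOKUP = re.compile(
    r"^pam_succeed_if\(sshd:auth\): error retrieving information about user (\S+)$")


def normalize_addr(addr):
    """Collapse an IPv4-mapped IPv6 address ("::ffff:1.2.3.4") to plain IPv4.
    This sshd logs IPv4 peers in the mapped form; without this step the same
    client would be reported as two different sources."""
    if addr.lower().startswith("::ffff:"):
        return addr[len("::ffff:"):]
    return addr


def summarize(text):
    """Bucket each sshd line: invalid-user probes, failed passwords, PAM
    lookup failures, folded duplicates, and whatever nothing matched."""
    summary = {"illegal": Counter(), "failed": Counter(),
               "pam_unknown": Counter(), "folded": 0, "unmatched": []}
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw.strip(), count=1)
        if not line:
            continue
        m = INVALID_USER.match(line)
        if m:
            summary["illegal"][(m.group(1), normalize_addr(m.group(2)))] += 1
            continue
        m = FAILED_PASSWORD.match(line)
        if m:
            summary["failed"][(m.group(2), normalize_addr(m.group(3)))] += 1
            continue
        if USERAUTH_REQUEST.match(line):
            summary["folded"] += 1  # repeats the preceding "Invalid user" line
            continue
        m = PAM_LOOKUP.match(line)
        if m:
            summary["pam_unknown"][m.group(1)] += 1
            continue
        summary["unmatched"].append(line)
    return summary


def render(summary):
    """Print the buckets in the "user/password from host: N Time(s)" style
    the bug's Expected Results use."""
    out = []

    def section(title, counter):
        if counter:
            out.append(title)
            for (user, addr), n in sorted(counter.items()):
                out.append(f"   {user}/password from {addr}: {n} Time(s)")
            out.append("")

    section("Illegal users from these:", summary["illegal"])
    section("Failed logins from these:", summary["failed"])
    if summary["pam_unknown"]:
        out.append("PAM lookups for unknown users:")
        for user, n in sorted(summary["pam_unknown"].items()):
            out.append(f"   {user}: {n} Time(s)")
        out.append("")
    if summary["unmatched"]:
        out.append("**Unmatched Entries**")
        out.extend(summary["unmatched"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Run against the sample, the two "Failed password" repeats for user test count as 2 Time(s) under one key, the plain and "::ffff:"-prefixed forms of 220.70.167.67 merge into one source, and only the constructed "Received disconnect" line is left unmatched. If you adapt this to a real logwatch script, keep the unmatched bucket: a line you silently drop is a line you never notice when the next OpenSSH update changes the wording again.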
Comment 19 errata-xmlrpc 2008-07-24 16:01:23 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0750.html
