Bug 227805 – New sshd logs not processed correctly

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 227805 - New sshd logs not processed correctly

Summary:	New sshd logs not processed correctly

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	logwatch (Show other bugs)
Sub Component:
Version:	4.4
Hardware:	All Linux

Priority	medium Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Ivana Varekova
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	204110 (view as bug list)
Depends On:	139606
Blocks:
	Show dependency tree / graph

Reported:	2007-02-08 05:49 EST by Jose Plans
Modified:	2018-10-19 17:07 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	RHBA-2008-0750
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-07-24 16:01:23 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
proposed patch for 5.2.2 (582 bytes, patch) 2007-03-02 06:28 EST, Jose Plans	no flags	Details \| Diff
Extended patch (1.24 KB, patch) 2007-04-19 06:35 EDT, John Robinson	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2008:0750	normal	SHIPPED_LIVE	logwatch bug fix and enhancement update	2008-07-23 12:49:48 EDT

Groups: None (edit)

Description Jose Plans 2007-02-08 05:49:47 EST

+++ This bug was initially created as a clone of Bug #139606 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3)
Gecko/20040913 Firefox/0.10.1

Description of problem:
FC3 uses openssh-3.9p1-7.  The logs are in a slightly different
format, so some messages are lumped into **Unmatched Entries**

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1

How reproducible:
Always

Steps to Reproduce:
1.  Run logwatch against openssh-3.9p1-7 that contains Invalid user
and Failed password lines

    
Actual Results:
   **Unmatched Entries**
Invalid user test from ::ffff:220.70.167.67
Failed password for invalid user test from ::ffff:220.70.167.67 port
33205 ssh2
Invalid user guest from ::ffff:220.70.167.67
Failed password for invalid user guest from ::ffff:220.70.167.67 port
33490 ssh2

Expected Results:
Illegal users from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

Failed logins from these:
   test/password from ::ffff:220.70.167.67: 1 Time(s)
   guest/password from ::ffff:220.70.167.67: 1 Time(s)

-- Additional comment from djk@cyber.com.au on 2005-05-20 20:46 EST --
It looks like this should be fixed in logwatch 6.0.1 shipped with FC4 test3.
(I have the same problem with FC3, and get logs of unmatched entries.)

-- Additional comment from varekova@redhat.com on 2005-06-24 07:12 EST --
This problem is fixed in the current release.

Comment 2 John Robinson 2007-02-13 08:15:45 EST

Unfortunately it's not fixed in RHEL4 which still has logwatch 5.2.2.

I'm not sure but it may only have become a problem since openssh has been
updated by https://rhn.redhat.com/errata/RHSA-2006-0738.html or
https://rhn.redhat.com/errata/RHSA-2006-0697.html or a similar previous update;
I have a system with openssh 3.9p1-8.RHEL4.15 which does not appear to exhibit
this issue. I may be wrong though.

Comment 3 Jose Plans 2007-03-02 06:28:34 EST

Created attachment 149103 [details]
proposed patch for 5.2.2

Comment 4 John Robinson 2007-03-02 07:29:15 EST

That looks like a good start, but here's a sample of my logs:

Invalid user thisisnotyourexploit from ::ffff:219.224.99.234
input_userauth_request: invalid user thisisnotyourexploit
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234
port 17487 ssh2
Failed password for invalid user thisisnotyourexploit from ::ffff:219.224.99.234
port 17487 ssh2
Invalid user 2qjj4toi from ::ffff:219.224.99.234
input_userauth_request: invalid user 2qjj4toi
Failed password for invalid user 2qjj4toi from ::ffff:219.224.99.234 port 20660 ssh2

and logwatch reports all of these as unmatched, I think perhaps
s/illegal/invalid/ in the next few lines after the above patch and this may be
licked :-)

Comment 5 John Robinson 2007-04-19 06:35:23 EDT

Created attachment 152989 [details]
Extended patch

It's been working for me since my previous message

Comment 10 Ivana Varekova 2007-10-26 05:17:52 EDT

*** Bug 204110 has been marked as a duplicate of this bug. ***

Comment 12 RHEL Product and Program Management 2008-01-31 03:26:14 EST

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 15 Chris Pepper 2008-03-23 01:30:59 EDT

I get way to many of these unmatched triplets in 5.1; updating to scripts/services/sshd from http://www2.logwatch.org:81/ cleared them up as a workaround:

Failed password for invalid user box from ::ffff:219.94.147.174 port 56608 ssh2
Invalid user ns from ::ffff:219.94.147.174
input_userauth_request: invalid user ns
Failed password for invalid user ns from ::ffff:219.94.147.174 port 56938 ssh2
Invalid user nameserver from ::ffff:219.94.147.174
input_userauth_request: invalid user nameserver
Failed password for invalid user nameserver from ::ffff:219.94.147.174 port 57287 ssh2
Invalid user hosting from ::ffff:219.94.147.174
input_userauth_request: invalid user hosting

Comment 16 Chris Pepper 2008-03-23 01:34:02 EDT

 Sorry, the snippet for #15 was from RHEL4. The (single) recurring error line from 5.1 which was fixed with 
the CVS HEAD is:

pam_succeed_if(sshd:auth): error retrieving information about user wolfgang : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user rpargas : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user festival : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user lebedev : 1 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user concha : 1 time(s)

Comment 19 errata-xmlrpc 2008-07-24 16:01:23 EDT

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0750.html

Note You need to log in before you can comment on or make changes to this bug.